Tuesday, August 30, 2005

The Invasion of the Chinese Cyberspies

(And the Man Who Tried to Stop Them)

An exclusive look at how the hackers called TITAN RAIN are stealing U.S. secrets
Monday, Aug. 29, 2005

It was another routine night for Shawn Carpenter. After a long day analyzing computer-network security for Sandia National Laboratories, where much of the U.S. nuclear arsenal is designed, Carpenter, 36, retreated to his ranch house in the hills overlooking Albuquerque, N.M., for a quick dinner and an early bedtime. He set his alarm for 2 a.m. Waking in the dark, he took a thermos of coffee and a pack of Nicorette gum to the cluster of computer terminals in his home office. As he had almost every night for the previous four months, he worked at his secret volunteer job until dawn, not as Shawn Carpenter, mid-level analyst, but as Spiderman--the apt nickname his military-intelligence handlers gave him--tirelessly pursuing a group of suspected Chinese cyberspies all over the world. Inside the machines, on a mission he believed the U.S. government supported, he clung unseen to the walls of their chat rooms and servers, secretly recording every move the snoopers made, passing the information to the Army and later to the FBI.

The hackers he was stalking, part of a cyberespionage ring that federal investigators code-named Titan Rain, first caught Carpenter's eye a year earlier when he helped investigate a network break-in at Lockheed Martin in September 2003. A strikingly similar attack hit Sandia several months later, but it wasn't until Carpenter compared notes with a counterpart in Army cyberintelligence that he suspected the scope of the threat. Methodical and voracious, these hackers wanted all the files they could find, and they were getting them by penetrating secure computer networks at the country's most sensitive military bases, defense contractors and aerospace companies.

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes. "Most hackers, if they actually get into a government network, get excited and make mistakes," says Carpenter. "Not these guys. They never hit a wrong key."

Goaded by curiosity and a sense that he could help the U.S. defend itself against a new breed of enemy, Carpenter gave chase to the attackers. He hopped just as stealthily from computer to computer across the globe, chasing the spies as they hijacked a web of far-flung computers. Eventually he followed the trail to its apparent end, in the southern Chinese province of Guangdong. He found that the attacks emanated from just three Chinese routers that acted as the first connection point from a local network to the Internet.

It was a stunning breakthrough. In the world of cyberspying, locating the attackers' country of origin is rare. China, in particular, is known for having poorly defended servers that outsiders from around the world commandeer as their unwitting launchpads. Now Chinese computers appeared to be the aggressors.

If so, the implications for U.S. security are disturbing. In recent years, the counterintelligence community has grown increasingly anxious that Chinese spies are poking into all sorts of American technology to compete with the U.S. But tracking virtual enemies presents a different kind of challenge to U.S. spy hunters. Foreign hackers invade a secure network with a flick of a wrist, but if the feds want to track them back and shut them down, they have to go through a cumbersome authorization process that can be as tough as sending covert agents into foreign lands. Adding in extreme sensitivity to anything involving possible Chinese espionage--remember the debacle over alleged Los Alamos spy Wen Ho Lee?--and the fear of igniting an international incident, it's not surprising the U.S. has found it difficult and delicate to crack these cases.

In Washington, officials are tight-lipped about Titan Rain, insisting all details of the case are classified. But high-level officials at three agencies told TIME the penetration is considered serious. A federal law-enforcement official familiar with the investigation says the FBI is "aggressively" pursuing the possibility that the Chinese government is behind the attacks. Yet they all caution that they don't yet know whether the spying is official, a private-sector job or the work of many independent, unrelated hands. The law-enforcement source says China has not been cooperating with U.S. investigations of Titan Rain. China's State Council Information Office, speaking for the government, told TIME the charges about cyberspying and Titan Rain are "totally groundless, irresponsible and unworthy of refute."

Despite the official U.S. silence, several government analysts who protect the networks at military, nuclear-lab and defense-contractor facilities tell TIME that Titan Rain is thought to rank among the most pervasive cyberespionage threats that U.S. computer networks have ever faced. TIME has obtained documents showing that since 2003, the hackers, eager to access American know-how, have compromised secure networks ranging from the Redstone Arsenal military base to NASA to the World Bank. In one case, the hackers stole flight-planning software from the Army. So far, the files they have vacuumed up are not classified secrets, but many are sensitive and subject to strict export-control laws, which means they are strategically important enough to require U.S. government licenses for foreign use.

Beyond worries about the sheer quantity of stolen data, a Department of Defense (DOD) alert obtained by TIME raises the concern that Titan Rain could be a point patrol for more serious assaults that could shut down or even take over a number of U.S. military networks. Although he would not comment on Titan Rain specifically, Pentagon spokesman Bryan Whitman says any attacks on military computers are a concern. "When we have breaches of our networks, it puts lives at stake," he says. "We take it very seriously."

As cyberspying metastasizes, frustrated network protectors say that the FBI in particular doesn't have enough top-notch computer gumshoes to track down the foreign rings and that their hands are often tied by the strict rules of engagement. That's where independents--some call them vigilantes--like Carpenter come in. After he made his first discoveries about Titan Rain in March 2004, he began taking the information to unofficial contacts he had in Army intelligence. Federal rules prohibit military-intelligence officers from working with U.S. civilians, however, and by October, the Army passed Carpenter and his late-night operation to the FBI. He says he was a confidential informant for the FBI for the next five months. Reports from his cybersurveillance eventually reached the highest levels of the bureau's counterintelligence division, which says his work was folded into an existing task force on the attacks. But his FBI connection didn't help when his employers at Sandia found out what he was doing. They fired him and stripped him of his Q clearance, the Department of Energy equivalent of top-secret clearance. Carpenter's after-hours sleuthing, they said, was an inappropriate use of confidential information he had gathered at his day job. Under U.S. law, it is illegal for Americans to hack into foreign computers.

Carpenter is speaking out about his case, he says, not just because he feels personally maligned--although he filed suit in New Mexico last week for defamation and wrongful termination. The FBI has acknowledged working with him: evidence collected by TIME shows that FBI agents repeatedly assured him he was providing important information to them. Less clear is whether he was sleuthing with the tacit consent of the government or operating as a rogue hacker. At the same time, the bureau was also investigating his actions before ultimately deciding not to prosecute him. The FBI would not tell TIME exactly what, if anything, it thought Carpenter had done wrong. Federal cyberintelligence agents use information from freelance sources like Carpenter at times but are also extremely leery about doing so, afraid that the independent trackers may jeopardize investigations by trailing foes too noisily or, even worse, may be bad guys themselves. When Carpenter deputized himself to delve into the Titan Rain group, he put his career in jeopardy. But he remains defiant, saying he's a whistle-blower whose case demonstrates the need for reforms that would enable the U.S. to respond more effectively and forcefully against the gathering storm of cyberthreats.

A TIME investigation into the case reveals how the Titan Rain attacks were uncovered, why they are considered a significant threat now under investigation by the Pentagon, the FBI and the Department of Homeland Security and why the U.S. government has yet to stop them.

Carpenter thought he was making progress. When he uncovered the Titan Rain routers in Guangdong, he carefully installed a homemade bugging code in the primary router's software. It sent him an e-mail alert at an anonymous Yahoo! account every time the gang made a move on the Net. Within two weeks, his Yahoo! account was filled with almost 23,000 messages, one for each connection the Titan Rain router made in its quest for files. He estimates there were six to 10 workstations behind each of the three routers, staffed around the clock. The gang stashed its stolen files in zombie servers in South Korea, for example, before sending them back to Guangdong. In one, Carpenter found a stockpile of aerospace documents with hundreds of detailed schematics about propulsion systems, solar paneling and fuel tanks for the Mars Reconnaissance Orbiter, the NASA probe launched in August. On the night he woke at 2, Carpenter copied a huge collection of files that had been stolen from Redstone Arsenal, home to the Army Aviation and Missile Command. The attackers had grabbed specs for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force.

Even if official Washington is not certain, Carpenter and other network-security analysts believe that the attacks are Chinese government spying. "It's a hard thing to prove," says a network-intrusion-detection analyst at a major U.S. defense contractor who has been studying Titan Rain since 2003, "but this has been going on so long and it's so well organized that the whole thing is state sponsored, I think." When it comes to advancing their military by stealing data, "the Chinese are more aggressive" than anyone else, David Szady, head of the FBI's counterintelligence unit, told TIME earlier this year. "If they can steal it and do it in five years, why [take longer] to develop it?"

Within the U.S. military, Titan Rain is raising alarms. A November 2003 government alert obtained by TIME details what a source close to the investigation says was an early indication of Titan Rain's ability to cause widespread havoc. Hundreds of Defense Department computer systems had been penetrated by an insidious program known as a "trojan," the alert warned. "These compromises ... allow an unknown adversary not only control over the DOD hosts, but also the capability to use the DOD hosts in malicious activity. The potential also exists for the perpetrator to potentially shut down each host." The attacks were also stinging allies, including Britain, Canada, Australia and New Zealand, where an unprecedented string of public alerts issued in June 2005, two U.S. network-intrusion analysts tell TIME, also referred to Titan Rain--related activity. "These electronic attacks have been under way for a significant period of time, with a recent increase in sophistication," warned Britain's National Infrastructure Security Co-Ordination Center.

Titan Rain presents a severe test for the patchwork of agencies digging into the problem. Both the cybercrime and counterintelligence divisions of the FBI are investigating, the law-enforcement source tells TIME. But while the FBI has a solid track record cajoling foreign governments into cooperating in catching garden-variety hackers, the source says that China is not cooperating with the U.S. on Titan Rain. The FBI would need high-level diplomatic and Department of Justice authorization to do what Carpenter did in sneaking into foreign computers. The military would have more flexibility in hacking back against the Chinese, says a former high-ranking Administration official, under a protocol called "preparation of the battlefield." But if any U.S. agency got caught, it could spark an international incident.

That's why Carpenter felt he could be useful to the FBI. Frustrated in gathering cyberinfo, some agencies have in the past turned a blind eye to free-lancers--or even encouraged them--to do the job. After he hooked up with the FBI, Carpenter was assured by the agents assigned to him that he had done important and justified work in tracking Titan Rain attackers. Within a couple of weeks, FBI agents asked him to stop sleuthing while they got more authorization, but they still showered him with praise over the next four months as he fed them technical analyses of what he had found earlier. "This could very well impact national security at the highest levels," Albuquerque field agent Christine Paz told him during one of their many information-gathering sessions in Carpenter's home. His other main FBI contact, special agent David Raymond, chimed in: "You're very important to us," Raymond said. "I've got eight open cases throughout the United States that your information is going to. And that's a lot." And in a letter obtained by TIME, the FBI's Szady responded to a Senate investigator's inquiry about Carpenter, saying, "The [FBI] is aggressively pursuing the investigative leads provided by Mr. Carpenter."

Given such assurances, Carpenter was surprised when, in March 2005, his FBI handlers stopped communicating with him altogether. Now the federal law-enforcement source tells TIME that the bureau was actually investigating Carpenter while it was working with him. Agents are supposed to check out their informants, and intruding into foreign computers is illegal, regardless of intent. But two sources familiar with Carpenter's story say there is a gray area in cybersecurity, and Carpenter apparently felt he had been unofficially encouraged by the military and, at least initially, by the FBI. Although the U.S. Attorney declined to pursue charges against him, Carpenter feels betrayed. "It's just ridiculous. I was tracking real bad guys," he says. "But they are so afraid of taking risks that they wasted all this time investigating me instead of going after Titan Rain." Worse, he adds, they never asked for the passwords and other tools that could enable them to pick up the investigative trail at the Guangdong router.

Carpenter was even more dismayed to find that his work with the FBI had got him in trouble at Sandia. He says that when he first started tracking Titan Rain to chase down Sandia's attackers, he told his superiors that he thought he should share his findings with the Army, since it had been repeatedly hit by Titan Rain as well. A March 2004 Sandia memo that Carpenter gave TIME shows that he and his colleagues had been told to think like "World Class Hackers" and to retrieve tools that other attackers had used against Sandia. That's why Carpenter did not expect the answer he claims he got from his bosses in response to Titan Rain: Not only should he not be trailing Titan Rain but he was also expressly forbidden to share what he had learned with anyone.

As a Navy veteran whose wife is a major in the Army Reserve, Carpenter felt he could not accept that injunction. After several weeks of angry meetings--including one in which Carpenter says Sandia counterintelligence chief Bruce Held fumed that Carpenter should have been "decapitated" or "at least left my office bloody" for having disobeyed his bosses--he was fired. Citing Carpenter's civil lawsuit, Sandia was reluctant to discuss specifics but responded to TIME with a statement: "Sandia does its work in the national interest lawfully. When people step beyond clear boundaries in a national security setting, there are consequences."

Carpenter says he has honored the FBI's request to stop following the attackers. But he can't get Titan Rain out of his mind. Although he was recently hired as a network-security analyst for another federal contractor and his security clearance has been restored, "I'm not sleeping well," he says. "I know the Titan Rain group is out there working, now more than ever."

--With reporting by Matthew Forney/Beijing and Brian Bennett, Timothy J. Burger and Elaine Shannon/Washington

Sunday, August 21, 2005

Bow Down Your Head In Shame... Tom Dooley

Debtors in Rush to Bankruptcy as Change Nears
Published: August 21, 2005

BOISE, Idaho - Rushing to beat an October deadline when the biggest overhaul of the bankruptcy law in a quarter century goes into effect, rising numbers of Americans have filed for protection in the four months since the law was changed, seeking to have their debts erased.

Escaping Debt

Since President Bush signed the new law in April, bankruptcy filings have jumped, particularly in the heartland. Filings in the four months through July are up 17 percent this year over last in Cleveland, 14 percent in Milwaukee and 22 percent in northern Iowa, according to court filings, matching similar patterns in the Midwest and parts of the South and rural West.

Nationwide, bankruptcy filings for April, May and June were up by 12 percent over the same period last year, according to LexisNexis, the data collection service, which tracks filings ahead of the quarterly reporting done by the federal courts. The rise is coming after bankruptcy had leveled off and even started a slight decline last year.

Under the revised law, debtors who earn more than the median income in their state and who can repay at least $6,000 of their debt over five years will no longer be able to have their debts wiped out for a fresh start under the more generous provisions of Chapter 7 of the bankruptcy code. Instead, they will have to seek protection under Chapter 13, which requires a repayment schedule. In addition, under the new provisions, they will have to enroll in a court-supervised financial counseling program.

The rise, which lawyers and bankruptcy experts say is driven in large part by people who say they fear that it will become much more difficult to escape debt and seek a clean slate under the new law, appears to have caught some bankers and lawyers by surprise.

When the new bankruptcy bill was passed by Congress last spring, bankers predicted it would turn many people away from the protection of the courts by making it harder to extinguish debt. That may still turn out to be the case. But thus far, it has been a rush to the courts in many places.

Here in Idaho, the soundless wave of Americans going broke washes up at the clerk's office in bankruptcy court, with nearly 20 fresh declarations of desperation every working day.

There is the Moore family of Boise, Kevin and Linda, listing a $10 cat and a $5 toaster among their meager assets against a medical bill of more than $18,000. There is Delores Hawks, going into debt to learn a skill, and never getting out because of endless credit card interest on the self-loan that once looked so manageable.

"Someday, I think we'll eventually get ahead," said Linda Moore, a 41-year-old part-time school bus driver who said she did not know of her husband's medical bills when she married him. "I don't know when that day will be."

Bankruptcy filings rose eightfold over the last 30 years, from 200,000 in 1978 to 1.6 million last year. Although filings vary from month to month, the pace for this year, if it holds up, projects to about 1.8 million bankruptcies. The overwhelming majority of them are personal, not business.

Economists say bankruptcy has become more likely as household debt has continued to rise while the savings rate has fallen precipitously. The Federal Reserve reported that household debt hit a record high last year, relative to disposable income.

"Bankruptcies historically have risen with debt, and a lot more people are now living near the edge," said Henry J. Sommer, president of the National Association of Consumer Bankruptcy Attorneys. "What we're seeing now is a rush to get in before October. After that, a certain amount of people will be priced out of bankruptcy."

Courts in Indiana, Nebraska, Ohio, Tennessee, Texas and Wisconsin, among other places, report that people are hurrying into bankruptcy in numbers rarely seen.

"I'm probably about four times more busy than normal," said Merv Waage, a bankruptcy lawyer in Denton, Tex. "People are saying, 'Honey, we can't pay our bill. We have no choice. We can't live under the stringent new rules. Let's file now before it's too late.' "

Idaho, a state with an otherwise prosperous sheen to its economy, is among the per capita leaders in a category that no state will brag about. Filings were up 11 percent for July over the same period last year - on a record pace for the year.

Gordon Barry, a bankruptcy lawyer in Toledo, Ohio, where filings are up 21 percent this year, said: "We've been busier than ever. People are running in, trying to beat the deadline."

The new requirements are an incentive to seek protection now, perhaps the last chance for a relatively hassle-free bankruptcy, some of the newly bankrupt say.

Certainly that was the case of Ms. Hawks, who is 56, and lives in Ontario, Ore., just over the Idaho state line. After years of odd jobs, she took out loans on credit cards to go to business school and learn office skills. Once out of school, she found she had a rare nerve disease that she said kept her from holding a job. The debts piled up, even after she got rid of her credit cards.

She paid just enough to satisfy the credit card minimum payment, she said, but never advanced out of the loop of perennial debt on the interest.

"I was paying interest on the interest," Ms. Hawks said, "it was $5,000, and I never got ahead of it. Month after month after month. Finally, I just got tired of it. I said, 'I've had enough.' "

She had heard enough about the changes in the bankruptcy law to feel that it was important to file this summer rather than wait until all provisions of the new law took effect in October, she said. "I had to do something," said Ms. Hawks, who now lives on $656 a month in Social Security disability. "I decided to do it now rather than later."

Families with children are three times more likely to file as those without, according to studies done by Elizabeth Warren of Harvard Law School and others, and more than 80 percent of them cite job loss, medical problems or family breakup as the reason.

Ms. Moore, an Air Force veteran of the Persian Gulf war who married a carpenter and inherited his outstanding medical bills, said those old debts forced the couple into bankruptcy. Both Ms. Moore and her husband had been divorced before.

But she admits that they brought on some of the problem themselves.

"My husband, he's the kind of guy who when he gets a bill that he can't pay, he just puts it aside," Ms. Moore said.

The monthly math of the Moore family budget leaves little room for unplanned events. Mr. Moore makes about $1,200 a month as a carpenter. Ms. Moore, a mother of three children, drives a school bus part time, and makes $11 an hour. She also receives $300 a month in alimony. Their rent is $700 a month. Their food costs are $400 a month. Their cars, insurance and upkeep are $200 more.

Most months, they barely break even, she said. But what pushed them into bankruptcy were bills from the past, which kept growing with interest - a mountain that finally turned into an avalanche. They detailed the bills in their court filings.

The biggest was an $18,000 medical bill, for Mr. Moore, from a severe knee injury. He also owed $2,469 to a hospital where he went for care during a bout of depression. There was a $205 bill to DirecTV, and a $600 bill to Money Tree and a $615 debt to Capitol One - both lending services. And he owed child support, for $542.

Ms. Moore said she did not know about most of her new husband's debts until she started getting her wages garnished from her bus-driving job. She has health insurance from her Air Force days, but it has not been enough to keep them out of bankruptcy.

"My husband's old medical bills - that's what killed us," she said. Bankruptcy was a chance to start clean, she said.

Bankers say the surge in filings is driven in part by misinformation about how the new law will work. They say it will force only the small percentage of people who abuse the system into regular payment schedules, while keeping an open door of debt forgiveness to the vast majority of bankruptcy filers, who are individuals rather than businesses.

"I would hope that consumers are not getting the rush-rush because they're afraid they won't have the same protection in a few months," said Wayne Abernathy, an executive at the American Bankers Association, which lobbied heavily for the new law.

Consumer groups say the law will only make matters worse for the large number of families who are not abusing the system. They say families will be stuck in "debtor's prison without walls," as the Consumer Federation of America, which fought the new bill, calls it.

Many economists and legal experts say that once all provisions of the law take effect in October, bankruptcies should fall again. And some experts say people will be caught in an endless cycle of debt repayment.

Ms. Hawks, who said that she declared Chapter 7 bankruptcy last month to get out of the endless interest payments on credit cards she had long given up, is puzzled by the financial industry's continued interest in her.

"Couple of times a week, I get a phone call or something in the mail trying to get me to accept a new credit card," she said. "I don't get it - because I'm broke."

Maureen Balleza contributed reporting for this article from Houston.