Payne, who had been Fibernet’s chief technical officer, certainly had the knowledge necessary to pull off the assault. And after his messy departure, he might have had a motive: revenge. Some other details also seemed to point in Payne’s direction: Among the several accounts utilized in the hack was one called “carl,”which presumably belonged to him, an account called “dbowling,” which belonged to one of his
friends, and one called “usenet.” Sometime prior to the attack, somebody had modified the “usenet” account and given it full system privileges, creating-to use the lingo of computer security-a “back door.”
But perhaps the most damning document in the package was the report of the police officer who had gone to Payne’s house following the attack. When the officer arrived, he found that Payne had reformatted his home computer’s hard drive and was reinstalling the operating system. In the trash can next to the computer was
a pile of floppy disks. The officer neither impounded Payne’s computer nor seized the floppies-he later testified in court that he had assumed any potentially useful evidence was already destroyed.
It all looked suspicious. But another call to Payne produced a different perspective. The last week he was at Fibernet, Payne told me, he had turned over all the company’s administrative passwords to the new president. The next day, Payne discovered that his password had been changed. On the morning of the attack, Payne said, he had tried dialing Fibernet on his modem several times, on the remote chance that his account had been somehow re-enabled, but he had never successfully logged in. In fact, he was reformatting
his home computer because it crashed every time Fibernet rejected his password. All those disks in the trash, he said, were old files he was getting rid of in preparation for a move to California.
I wasn’t sure whom I should believe, but I was starting to like Carl Payne. He could have been me 10 years ago-a technically savvy geek who had gotten himself in trouble with a bunch of suits who were more comfortable with spreadsheets than C compilers. Perhaps he did it, perhaps he didn’t. But a closer inspection of the computer printouts that made up the heart of the prosecution’s case convinced me that,
no matter who the culprit was, there wasn’t enough evidence to convict anybody.
For one thing, none of the printouts allowed me to pinpoint a phone number or computer from which the attack had been launched, let alone the identity of the perpetrator. And something else called the
evidence into even greater question: It appeared somebody had tampered with some of the files before printing them out. The log had small typographical errors-a few extra spaces inserted on one line, a
letter dropped on another-as if somebody had taken the original log files into a word processor and cut and pasted text before printing. This meant that the information on those pages was suspect. And why did all of this evidence come to me in printed form? Where were the original electronic records? Guilty or not, I
thought, no one should be convicted on the basis of tampered evidence.
I sent a six-page report to Payne, and continued to follow the case. In December, I boarded a plane for Utah. When I arrived at the Utah County Courthouse in Provo, the opening arguments had just concluded. The prosecution’s theory was simple: Carl Payne was a technically brilliant but hard-to-handle employee.When
Fibernet gave him notice that he was going to be terminated, Payne installed a back door that would allow him to wipe out the company’s computers after he left.
It turned out that in ousting Payne, Fibernet had fired the only employee capable of repairing the damage from the attack. So in addition to calling the police after the incident, they had called a computer consultant to come in and try to get the system back up and running. The consultant, Stacey Son, became the lead expert witness for the prosecution.
Son’s testimony explained why there were only 200 pages of printouts in evidence-Fibernet had hired him to get the system working quickly, not to document the damage for an investigation, so he hadn’t attempted to preserve potentially incriminating or exonerating files. Neither had the police, it turned out: The officer
who visited Fibernet and then searched Payne’s house testified that he had no experience with the UNIX operating system that Fibernet and Payne used. Instead of impounding computers and disks, the officer had simply accepted the paper printouts Fibernet had handed over.
On the stand, Son admitted that there was no way for him to tell the identity of the perpetrator. But the biggest hole in the prosecution’s theory became apparent when the defense questioned Son about the attack itself. It was poorly done, Son explained: Not enough information was wiped out. It seemed to me to be the work
of an amateur with only rudimentary knowledge of UNIX systems, not that of somebody of Payne’s admitted prowess.
The prosecution rested on Thursday, the third day of the trial. That night in my hotel room, I looked again over those critical printouts. The prosecution’s most important exhibits were pages 151 and 152, which showed each account’s name, user-identification number, group number, encrypted password, and a third number
for accounting purposes. The useridentification number had been the subject of much testimony, since its
manipulation was a critical step in creating the back door. Nobody had discussed the significance of the accounting number.