Technology Review - Published By MIT

The Documents in the Case

Continued from page 2

By Simson L. Garfinkel

2/27/2002


Friday morning I woke up in my hotel room at 5 a.m. I had a hunch about the elusive last number. I needed to check the documentation for the version of UNIX that Fibernet had been using. I didn't have the manual with me, but I booted up my laptop and found it on the Internet; it explained that the number was used to warn people when it was time to change their passwords: it indicated the number of days between January 1, 1970, and the last time the password was changed.

I felt stupid. Here was possibly the most important piece of evidence in the entire trial, and I had not even realized it until the morning I was supposed to testify! Encoded in the record of each account's password was the date the password had last been changed; by decoding the number, I could establish precisely when the "back door" was created. In the hours before the trial, I wrote a small program to translate the numbers.

What my homemade program showed me clinched the case. The back door had been installed on October 31st, the day after Payne's last day of work, and after his access to the Fibernet system had already been cut off. Payne couldn't have created it. What's more, another account's password change dated to more than two weeks after the attack, a detail that would be impossible if the printout was really the same one Son had made that day. This showed irrefutably that the chain of evidence had been broken.
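
A decoder of the kind described above, as an added example (it is not the program written for the trial): it assumes the common colon-separated password-record layout with the last-change day count in the third field, and the records and cutoff date are constructed for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample records (not from the case). Assumed layout:
# name:password-hash:last-change-in-days-since-1970-01-01:...
SAMPLE = """\
root:x1Hc9examplehash:11200:0:90:7:::
svc:Qz7examplehash:11380:0:90:7:::
ops:Lm2examplehash:11405:0:90:7:::
guest:*::0:90:7:::
"""

def decode_last_change(field):
    """Day count since the epoch -> calendar date; None if empty or not numeric."""
    field = field.strip()
    if not field.isdigit():
        return None
    return EPOCH + timedelta(days=int(field))

def parse_records(text):
    """Map each account name to the date its password was last changed."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            continue  # malformed record: no last-change field to decode
        records[parts[0]] = decode_last_change(parts[2])
    return records

def changed_after(records, cutoff):
    """Accounts whose password change postdates the cutoff (e.g. the date the
    evidence was supposedly captured, or the date a suspect lost access)."""
    return sorted(n for n, d in records.items() if d is not None and d > cutoff)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for name, changed in recs.items():
        print(f"{name:8} {changed or 'unknown'}")
    # Any hit here contradicts a claim that the records were captured on the cutoff date.
    print("changed after cutoff:", changed_after(recs, date(2001, 3, 10)))
```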

At 10 a.m. I took the stand. I described my credentials, the proper handling of security incidents, the paucity of evidence, and the telltale indications that the printouts had been altered. Finally, I testified about what I had learned that morning. From that point, everything moved quickly. Payne and his wife testified, the attorneys gave closing arguments, and the jury began deliberations around dinnertime. In the late evening, they came back with the only verdict I thought they could reasonably reach: not guilty on all counts.

Today, Carl Payne oversees a large computer network in California. Fibernet, meanwhile, is thriving. In the course of the trial I came to believe in Payne's innocence, but never felt that I had learned the real story. In closing arguments, the defense suggested a few possibilities: Somebody at Fibernet could have carried out the attack. An employee whom Payne fired in July of 1996 might have done it. Or perhaps the crime was committed by some unknown hacker on the Internet, an unfortunate coincidence with Payne's dismissal.

Fibernet, for its part, declined to comment for this article.

There's really no way to know what happened, because the Utah police did not do a meaningful investigation. They simply asked the victim, "Who did it?" and Fibernet answered: "Carl Payne." The company then provided all of the evidence used in the prosecution. The police never would have followed such haphazard procedures in the wake of a physical break-in; they would have done their own detective work, carefully collecting and preserving the evidence. As more and more crimes occur in the neighborhood we call "cyberspace," police need better tools and training. Without it, we risk bungled investigations and the very real possibility that innocent people will be found guilty for the hacks of others.
