Bruce Schneier

 

Blog

Crypto-Gram Newsletter

Books

Essays and Op Eds

News and Interviews

Audio and Video

Speaking Schedule

Password Safe

Cryptography

About Bruce Schneier

Contact Information

 

Schneier on Security

A blog covering security and security technology.

« On London's Surveillance Cameras | Main | Hacking Swine Flu »

September 1, 2009

Matthew Weigman

Fascinating story of a 16-year-old blind phone phreaker.

One afternoon, not long after Proulx was swatted, Weigman came home to find his mother talking to what sounded like a middle-aged male. The man introduced himself as Special Agent Allyn Lynd of the FBI's cyber squad in Dallas, which investigates hacking and other computer crimes. A West Point grad, Lynd had spent 10 years combating phreaks and hackers. Now, with Proulx's cooperation, he was aiming to take down Stuart Rosoff and the Wrecking Crew — and he wanted Weigman's help.

Lynd explained that Rosoff, Roberson and other party-liners were being investigated in a swatting conspiracy. Because Weigman was a minor, however, he would not be charged -- as long as he cooperated with the authorities. Realizing that this was a chance to turn his life around, Weigman confessed his role in the phone assaults.

Weigman's auditory skills had always been central to his exploits, the means by which he manipulated the phone system. Now he gave Lynd a first-hand display of his powers. At one point during the visit, Lynd's cellphone rang. "I can't talk to you right now," the agent told the caller. "I'm out doing something." When he hung up, Weigman turned to him from across the room. "Oh," the kid asked, "is that Billy Smith from Verizon?"

Lynd was stunned. William Smith was a fraud investigator with Verizon who had been working with him on the swatting case. Weigman not only knew all about the man and his role in the investigation, but he had identified Smith simply by hearing his Southern-accented voice on the cellphone -- a sound which would have been inaudible to anyone else in the room. Weigman then shocked Lynd again, rattling off the names of a host of investigators working for other phone companies. Matt, it turned out, had spent weeks identifying phone-company employees, gaining their trust and obtaining confidential information about the FBI investigation against him. Even the phone account in his house, he revealed to Lynd, had been opened under the name of a telephone-company investigator. Lynd had rarely seen anything like it -- even from cyber gangs who tried to hack into systems at the White House and the FBI. "Weigman flabbergasted me," he later testified.

Posted on September 1, 2009 at 6:21 AM29 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

BF SkinnerSeptember 1, 2009 6:47 AM

A parabola of small causes.

Ciaran LyonsSeptember 1, 2009 7:27 AM

Here's an artiicle on Weigman from a while back. Goes into quite a bit of detail:

http://www.wired.com/politics/law/news/2008/02/...

HarrySeptember 1, 2009 7:54 AM

Read the whole article. By accident or design, Bruce's excerpt is the most sympathetic part of the article.

ZithSeptember 1, 2009 8:38 AM

I didn't read it as sympathetic. Neutral, perhaps, but just from this he obviously played a role in setting up the whole thing that I assumed he knew was illegal, then found himself a good route to get out of punishment for it. It's no more sympathetic a tale than stories of once-criminal informants.

BF SkinnerSeptember 1, 2009 10:23 AM

@Harry

I agree with Zith. I don't read Bruce's excerpt so much as sympathetic as fascinated.

And this kid is facinating (a bit on the sociopathic side but then what adolescent from the wrong side of the tracks isn't?)

This kid HEARD the touch tone on a YouTube clip and skulled out Mitt Romney's phone number? Look forward to his recruitment by well funded semi-official collectors of information.

(Why am I thinking about Sneakers?)

wiredogSeptember 1, 2009 11:35 AM

@BF Skinner,
"This kid HEARD the touch tone on a YouTube clip and skulled out Mitt Romney's phone number?"

Back in the mid-90's a woman who worked at a company I was at could listen to a modem sync-ing up and determine what speed it was trying to sync at, what speed it did sync at, and if there were any errors. She could probably map the DTMF tones, too. There're only (AFAIK) 12 of them.

uk visaSeptember 1, 2009 11:35 AM

What a waste of talent... a sad waste of talent... In times past people like him would have been picked up by the intelligence community before he managed to get himself incarcerated for 11 years.

havvokSeptember 1, 2009 11:54 AM

@uk_visa
"In times past people like him would have been picked up by the intelligence community before he managed to get himself incarcerated for 11 years."

With everything that is going on in the intelligence community right now, I think we are reaping the rewards of shuffling those with sociopathic tendancies into organizations with awesome legal superpowers to avoid accountability for the ugly things they do.

RoySeptember 1, 2009 12:19 PM

It isn't hard to imagine 'swatting' to catch on with criminals as a way of hurting their business rivals. Emergency services have no defense against false calls. This vulnerability is inherent in our current system.

BF SkinnerSeptember 1, 2009 12:25 PM

@wiredog I was once sync'd a modem by whistling in the phone at it...ah the heady days of 75 baud.

SWAT must be darn well trained that they haven't gunned anyone down by mistake during these calls.

Harrassment probably not a criminal motivation (professional I'm thinking, not the psychos).

Easier and more certain to fink out a business rival to LEO

Deros68September 1, 2009 12:30 PM

@BF Skinner

"And this kid is facinating (SIC) (a bit on the sociopathic (SIC) side but then what adolescent from the wrong side of the tracks isn't?)"

No excuses - I grew up on the wrong side of tracks (no electricity - no running water) alcoholic father, drafted into the US armed forces and sent to Vietnam. Yet I managed to gain my MS degree and to live a good life with only 4 traffic tickets being my worst offense. See the book by Ezell Ware if you want to read an account of someone who overcame a lot more abuse, poverty and prejudice than I can imagine -yet- he and many others did not commit crimes like these. I am not blind but I do not vision in one eye. I have some sympathy for the kid - but at some point he must redeem himself from his own effort.

StacySeptember 1, 2009 12:49 PM

Ancillary point:

No need to introduce him as being blind: The whole "losing one sense makes the other senses keener" notion is a fallacy.

Bryan FeirSeptember 1, 2009 12:52 PM

@wiredog:

There are 16 DTMF tones, actually, composed from the combination of one each of four high frequencies and four low frequencies. The fourth high frequency (the A, B, C, and D keys) isn't used in normal phones, though it exists in some amateur radio phone patch equipment for repeater control.

I'm both an amateur radio op, and used to work for Bell-Northern Research.

DareverinearsSeptember 1, 2009 2:07 PM

Really, the "keener sense" thing is a fallacy? Is there research that indicates a person with only 4 senses does not more heavily rely on those 4 than a person with all 5 would rely on the same 4? It seems intuitive that the person with fewer senses would develop them more acutely, just like exercising specific muscles develops them. I can't quote academia to support my intuition, but would be interested in opposing research.

The blindness and absent father thing is clearly meant to sow sympathy. The FBI seems to have been kind to him, seemingly a mix of sensitivity to his background and personal challenges, his age, and use as an informant.

Reminded me of this story about the recently indicted hacker with Asberger's Syndrome:
http://www.wired.com/threatlevel/2009/08/...


When Mr. Weigman gets out of jail he'll probably make millions, just like Mitnick (referenced in Ciaran Lyons' Wired post) and Abagnale. I have trouble supporting their fortunes, but their methods are certainly effective and worth understanding.

Doesn't this boil down to the need for better authentication, as usual?

JasonSeptember 1, 2009 3:24 PM

I'm a little confused about the caller ID portion. I know you can fake your "surface" caller id (what would show up on someone else's phone), but I was under the impression that there was no way to fake the internal phone company caller id. Your phone is ultimately hardwired into the network....

RealistSeptember 1, 2009 4:59 PM

@Stacy
"No need to introduce him as being blind: The whole "losing one sense makes the other senses keener" notion is a fallacy.

True, it doesn't make the other sense keener, but it does increase your awareness and reliance on them, and thus your ability to draw on them. What becomes "keener" is one's USE of those other sense.

RealistSeptember 1, 2009 5:04 PM

@BF Skinner
"This kid HEARD the touch tone on a YouTube clip and skulled out Mitt Romney's phone number?"

Don't get overly impressed by something that is not really that hard or uncommon.

It's not like such a talent is uncommon. Plenty of musicians have the same capabilities -- think of people who can play a tune after hearing it only once. And its not as if touch tone codes are that hard to determine.

CareySeptember 1, 2009 6:44 PM

Jason: You can’t change your real caller information with normal equipment. It sounds like he had gained direct control of (some of?) the phone network via security flaws and social engineering, though.

BaylinkSeptember 1, 2009 9:15 PM

Jason is correct, although not complete.

I read this piece linked from a couple of places, and as soon as I got to "he spoofed his caller id, called 911, and sent emergency help to the wrong address", I wrote the entire piece off as incompletely researched.

The technology used to identify calls sent to a Public Safety Answering Point -- a 911 dispatching center -- is called ALI (automatic line identification); it's a first cousin to ANI (automatic number identification), which has been used to deliver billing information to INWATS subscribers for years.

Unlike CLID (calling line identification, or 'caller ID'), which can be originated by ISDN PRI subscribers to say anything the {caller wants,carrier will accept}, ANI/ALI is generated by the end office to which the station line is connected, and the only way to fiddle with it is to *break into the switch*... which is, unsurprisingly, much more difficult than you'd think... or than spoofing caller ID is.

Had the kid actually managed that, I'm sure the piece would mention it in sufficient detail that we'd be able to tell that was what happened, even after being filtered through a reporter with no clue... and I didn't see any such tracks.

In lieu of anything reasonable that would justify that part of the story, I'm forced to conclude that someone blew blue smoke up the reporter's ass, and if on that part, why not on the entire story.

If anyone has any actual data to the contrary, I'll be happy to modify or retract, but I see no reason to do so now. "Rigging his caller ID" simply doesn't make the grade.

JasonSeptember 2, 2009 2:56 AM

@Baylink
Thanks for the detail - ANI was what I was thinking of.

http://en.wikipedia.org/wiki/Swatting

The Swatting Wikipedia entry talks about using VOIP and the victim's address to run the scam, which would clearly bypass any phone company security measures.

RyanSeptember 2, 2009 4:40 AM

The article mentions FBI agent Allyn Lynd several times. He is also the agent behind the recent raids on data centers in Texas, which took possession of several companies' colocated servers. He probably bankrupted a few innocents in the quest to take down the scammers he was after. See http://www.wired.com/threatlevel/2009/04/...

It makes me sad to think about how much collateral damage there is in modern law enforcement.

BF SkinnerSeptember 2, 2009 6:35 AM

@Ryan - 'Probably' ?

Even if true isn't that what the colo's liability insurance is for? Or didn't the companies affected have contingency plans.

@Deros68 - Good on you.
The point of this article was that all these element's produced someone willing to use their skill and knowledge to satisfy their pique and frustration.
The kid sees himself as victim. Worms turning are a heart warming tale everyone loves. Right? He had a break, a humongous break. The FBI is not usually so lenient. He passed on it.

Power and a grudge; not a good combination.

We tend to spend little of our time in risk management reducing the threat variable. By incarcerating this one the threat is on ice; for a time.
Our prisons are crime universities whose students have nothing to do but swap scams. They know there is power in information networks if only they can crack it. We've done a favor for the criminal class by putting this broken tool into their world for lenghty indoctrination. What are the odds that a long stretch is going to show him the error of his ways. I think it is more likely to reinforce his self image as victim. He's ripe for recruitment.


@Realist - Can you do it? How many musicians can hear the other side of a cell phone conversation and recognize the voice from across the room? With all the video collecting on the net there is likely to be much harvestable material.

RonKSeptember 2, 2009 7:03 AM

The thing which has struck me the most out of this whole thread is "never trust the man". 11 years instead of (promised) immunity? I guess he missed Bruce's post (@ http://www.schneier.com/blog/archives/2008/07/... ).

MisterfixitSeptember 2, 2009 7:09 AM

He'll be on early release and working full time a "S" Group, NSA. He'll have a LOT of phone lines to work with there. Lucky Boy.

Jonadab the Unsightly OneSeptember 2, 2009 7:46 AM

> Had the kid actually managed [to gain control
> of phone company switching equipment], I'm
> sure the piece would mention it

It does. Go back and read the article.

I don't recall whether it ever uses the word "switch" or the phrase "routing equipment", but it does say, repeatedly, that he gained control of phone company equipment or their "network". It even tells you (in general terms) how he did it: not by hardware hacking, but rather by social engineering, in conjunction with mimicking voices of phone company personnel.

> in sufficient detail

Granted, there's not much technical detail, but I am pretty sure that's because the piece was written by and for the laity.

And I think that's also why they said he spoofed "Caller ID", because that's something regular people are familiar with. And if you don't know the implementation details, the caller-identification technology that he presumably manipulated is conceptually very similar to Caller ID. The article's target audience (regular people) don't know that Caller ID is easily spoofed, or that 911 uses a different and much older identification technology.

Andrew DuffinSeptember 2, 2009 10:37 AM

The boy's abilities are remarkable, but not unprecedented.

When I was younger I could tell my father which jacket pocket his car keys were in just by giving it a shake - the jingling noise was quite distinctive, I found.

More recently, I used to dumbfound my colleagues by telling them the approximate temperature of water by pouring it onto a tiled floor and listening to the noise: higher temperature lowers the viscosity, and hot water makes quite a different sound to cold water - if your ears are good enough.

JWalkerSeptember 2, 2009 12:59 PM

@RonK

He was granted immunity while he was a minor. Once he became an adult and continued to break the law, they had to prosecute him. It wasnt the "man" breaking the deal, it was Weigman.

BF SkinneSeptember 3, 2009 6:33 AM

@JWalker "they had to prosecute him"

While I concur it was Weigman who screwed up and continued to commit felonies they didn't _have_ to prosecute him. Lots of crime brought to law enforcement are at the discretion of a range of people from the LEO to the prosecutor to the courts.

I would have prosecuted. A villian shows up at your house, where your family lives, with two buddies. That's a not subtle threat. He changed the threat dynamic and made controlling him a greater priority.

I still find it odd the FBIees didn't try co-opting him. There was an unsupported reference here to "he'll probably make millions, just like Mitnick ...and Abagnale".

Neither are making millions. And Abagnale was under direct FBI supervision and control for decades before they felt they could trust him as a collaborator rather than just use him as a convienent asset.

If Weigman would take the time in stir to study Farsi and the dialects of Arabic he might someday become useful.

AlexSeptember 8, 2009 8:46 AM

My grandfather was a valve-era radio technician, and the City & Guilds examination of 1949 included a practical test in which he had to diagnose a deliberately faulted radio by ear, in an exam hall full of other people with other radios doing the same thing...

Post a comment




E-mail is optional and will not be displayed on the site.


Remember Me?


Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Powered by Movable Type. Photo at top by Geoffrey Stone.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 
Bruce Schneier
Subscribe
Atom Feed Facebook Twitter E-Mail Newsletter (Crypto-Gram)
Subscribe via Kindle
Blog Menu

Search

Powered by DuckDuckGo


blog only
essays and op eds only
whole site

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D

Tags

more tags

Support Bloggers' Rights!
Defend Privacy--Support Epic
Latest Book
Liars & Outliers
more books by Bruce Schneier