Q&A: Reverse hacker describes ordeal
You claimed you never were given an opportunity to get the information you uncovered to the proper authorities at the other organizations. Why was that? I attempted several times to find a Sandia channel to get the information to the organizations that were impacted. At the first meeting with my supervisor and the Sandia information security manager, [the supervisor] stated "we don't care about any of this. We only care about Sandia computers."
After I insisted that there must be a way to throw the information "over the fence" to Sandia's counterintelligence organization or other federal and military authorities, he said that I was forbidden from doing this, and that it "wasn't my job." A Sandia counterintelligence manager and my immediate supervisor recanted pages of their previously sworn deposition testimony and conceded that a meeting that they allegedly had with me to provide me with a channel to get the information to the proper authorities never happened.
Why do you think Sandia acted the way it did? This was the first time that my activities uncovered evidence that entities outside Sandia were compromised, and data was being stolen. They were not willing to contact the proper authorities because outside law enforcement would certainly inquire about how the data was obtained -- bringing unwelcome scrutiny upon Sandia. It was a case of putting the interests of the corporation over those of the country.
What happened then? During my last meeting with Sandia management, a semicircle of management was positioned in chairs around me and Bruce Held [Sandia's chief of counterintelligence]. Mr. Held arrived about five minutes late to the meeting and positioned his chair inches directly in front of mine. Mr. Held is a retired CIA officer, who evidently ran paramilitary operations in Africa, according to his deposition testimony.
At one point, Mr. Held yelled, "You're lucky you have such understanding management& if you worked for me, I would decapitate you! There would at least be blood all over the office!" During the entire meeting, the other managers just sat there and watched. At the conclusion of the meeting, Mr. Held said, "Your wife works here, doesn't she? I might need to talk to her." [Editor's note: In court testimony, Held admitted using the word "decapitated" and that he wouldn't contest using the word "blood" although he didn't recall saying it. He also apologized for using those terms.]
Indeed, my wife did work there -- in Sandia's International Programs section, working on nuclear counter-proliferation, port and border security issues. In the context of that meeting, it was a chilling comment. Shortly after the meeting, which management described at trial as "a fact-finding session with Mr. Carpenter," my director showed up at my office, escorted me to the gate and stripped me of my badge. That was the last time I was ever at Sandia. [Carpenter's wife resigned and is now a White House fellow working as a special assistant to top-ranking government officials.]
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts