Yours for the Hacking
Computer programmer Byron Jones knew big trouble was looming before he arrived at work on Wednesday, August 25. Earlier that morning he'd received a call from a co-worker at the Miami-Dade satellite courthouse in Coral Gables: Jones's computer and several others had just been removed from their workstations and locked away.
Walking into the courthouse on Ponce de Leon Boulevard a short time later, Jones noticed none of the usual friendly smiles. "Basically the security guards swarmed around me," recalls the stocky 34-year-old. The guards informed him they'd just received a memo from the Miami-Dade Clerk of Courts office. They were not to allow him into the building.
Sure, the computer program Jones had been troubleshooting for the past four years had major flaws, some of which had been documented a decade earlier. And yes, he and six of his colleagues had finally grown so anxious about a potential security breach that they'd gone public with their concerns. But Jones never thought he'd be labeled a security risk and purged from the project for doing so. As it turned out, he wasn't alone. Three of his co-workers, as well as their team leader, since then have been reassigned to other computer projects.
The soft-spoken Jones is among the legion of computer nerds who risk eye and wrist week after week to make sure the county's aging computer systems continue to run smoothly. In 2000, after a three-and-a-half year gig at the Miami-Dade State Attorney's Office, he'd joined the Miami-Dade Enterprise Technology Services Department, which provides tech support and services for all the county's departments and agencies. From there he was assigned to a group of eight other programmers charged with running SPIRIT, an eleven-year-old system that Miami-Dade Clerk of the Courts Harvey Ruvin hopes will one day contain all the county's court records.
Created exclusively for the clerk of the courts in 1993 by Andersen Consulting, SPIRIT is still confined to the traffic division of the Miami-Dade court system. It transforms paper citations and other court documents into digital images, making them instantly retrievable by judges, their clerks, police officers, public defenders, and state prosecutors. Thanks to SPIRIT, traffic court trial dates are set more efficiently and judges and their assistants can pull up case files on their virtual desktops, enter rulings into user-friendly documents, and move cases along -- quickly.
Normally the technology department programmers walk through the Gables branch courthouse in relative anonymity, but not the morning of Jones's security swarm. After detaining him, the security guards summoned a police officer, who in turn contacted one of Jones's supervisors, Adrienne DiPrima. She escorted him to her office and passed along a message from the department director: His work on SPIRIT was finished. He was being transferred off the project.
Over the next week DiPrima phoned two more of Jones's programming colleagues, Johnny Hoben and Juan Galego, each of whom had 22 years' experience on county computer systems. They too were kicked off the project. All three men had warned that because of a flawed security mechanism, including the way the user ID and password system was set up, the SPIRIT database was far too vulnerable to mischievous programmers or malicious hackers. All three also had questioned the need for highly paid private consultants on the project and suspected that profit motives had taken priority over sound judgment. And all three had recently expressed their concerns to the media.
In fact one of those outside consultants, Tom James, had issued the order to seize Jones's computer. Jones phoned him that morning to demand an explanation: "What Tom James told me that morning was that because we went to the press, we were a security risk."
Call them security risks or whistleblowers, but months before contacting the press, Byron Jones, Johnny Hoben, Juan Galego, and four other senior programmers on the SPIRIT team had sent an unnerving e-mail to three Miami-Dade judges, county mayor Alex Penelas, and county manager George Burgess.
"The SPIRIT system," they wrote on May 28, "is not adequately secured or protected to ensure the reliability and accuracy of record keeping and judges' rulings. It is fully vulnerable in many ways -- records can be easily tampered with by practically anyone working in this system without any reliable audit trail."
For four years the programmers had tried to resolve the matter. "Unfortunately," they concluded, "this has not been the SPIRIT Project Manager [Tom McGovern]'s priority."
They asked for an investigation of the project's consultants, including 56-year-old Tom James, whose private company is Syzygy Consulting; 80-year-old McGovern, a retired Air Force colonel and former director of the county's Information Technology Department; and Accenture, a firm created out of a division of Andersen Consulting after Andersen's involvement in the Enron accounting scandal. The programmers accused James of promoting his company at government expense. They found it "bizarre" that a private consultant was also serving as the clerk of courts' chief information officer. Moreover, they alleged, James had engaged in "verbal abuse, harassment, and intimidation" of county employees.
Of Tom McGovern they wrote: "There have been absolutely no legitimate reasons for having this contractor aboard for all these years....There is an undeniable history of this consultant's vigorous efforts to keep Accenture's contract extended at any cost." Accenture itself, they claimed, was a "high-priced and low-quality contractor" that had "never even gone through rudimentary, fair, and competitive procurement practices." (Accenture made news in July for having developed the flawed computer program used to create a list of convicted Florida felons who were to be removed from voter rolls. The list was scrapped when it was discovered there were virtually no Hispanics on it. Because a majority of Hispanics in Florida have tended to vote Republican, and Accenture's Tallahassee lobbyists have GOP ties, the debacle prompted cries of election-rigging. In August Florida's State Technology Office terminated a separate $86.7 million contract with Accenture for computer services after an audit determined officials ignored bid procedures when they awarded the contract.)
Word of the whistleblowing e-mail spread like a virus. The programmers' message had gone out on a Friday afternoon. The next morning Masood Hussaini, head of the SPIRIT team, received an angry call from Ruben Lopez, his boss. Lopez, director of the technology department, "had gotten a call from the county manager, who was furious," remembers Byron Jones. "And the county manager had gotten a call from Harvey Ruvin, who was furious."By Monday morning Lopez ordered the renegade SPIRIT programmers into his office and excoriated them for their action. "He said, öYou're on your own,' and he stormed out," Jones recalls.
Over the next several days, Lopez began laying plans to remove the troublemakers from the SPIRIT project. Mary Fuentes, the technology department's assistant director, summoned Jones to her office and advised him to consider moving to a different job. "They made it sound like it was an opportunity," he scoffs. "I asked them, öWhat are my choices? Is one of them to stay on the SPIRIT project?' And they said no."
Angela Lesage, another SPIRIT programmer who had signed the May 28 e-mail, wasn't even afforded the opportunity to consider changing jobs. "They told her she'd be working in the elections department immediately, and the next day she was gone," Jones recalls. (Lesage declined comment.)
Fuentes then took aim at team leader Masood Hussaini, a 53-year-old programmer with 28 years' experience in software development, seventeen of them as a systems manager for the county. Eventually he too would be taken off the SPIRIT project, even though he hadn't been a party to the e-mail.
It wasn't until July 21 that the programmers were able to arrange a meeting with the three judges who'd received their e-mail and serve on a committee that oversees the clerk's office. The group met in the chambers of Miami-Dade Circuit Court Judge Samuel Slom. "They struck me as people who had a genuine concern for the security of the system," Judge Slom says of the encounter. Afterward he contacted Ruvin, who assured him that James, McGovern, and the tech department had already begun addressing the security flaws.
On July 28, in fact, Ruben Lopez sent a memo to his boss, county manager Burgess, revealing that he and other administrators in charge of SPIRIT seemed to be taking the whistleblowers' warnings to heart, even while yanking them off the project. "The security problem within the SPIRIT application is the result of a poor fundamental design which has existed since its inception," he wrote. "This of course is a concern that requires immediate attention." (Lopez, who does not work for Ruvin, apparently saw more problems than Tom James, who does work for Ruvin. James earlier had sent Lopez this message: "[Ruvin] recognizes that it might be possible to compromise some individual cases with the security afforded by the SPIRIT system, but this is a risk he is willing to accept.")
Lopez, in his memo to Burgess, also tried to explain the rift between his tech department employees and the clerk's consultants. "Members of the Accenture team would like their engagement extended and other consultants would also like to keep their jobs," he noted, whereas county programmers feel "a sense of ownership over the system and its integrity." Why? Because they had taken over operational responsibility for it in 2001.
SPIRIT, which stands for Simultaneous Paperless Image Retrieval Information Technology, grew out of an extensive analysis of the Miami-Dade Clerk of the Courts office by Andersen Consulting. The seven-volume study, commissioned under former clerk of the courts Marshall Ader, contained a plan for replacing the court system's paper-based records with optical images. It was the first batch of reading material that awaited former Miami-Dade County Commissioner Harvey Ruvin when he defeated Ader in 1992 and assumed the clerk's post. (See sidebar describing the clerk of courts office.)
"About a week after I was elected I had a visit from the State Attorney's Office, advising me that there was an investigation under way that could involve as many as a dozen employees in the traffic division," Ruvin recalls during an interview in his office on the second floor of the historic Miami-Dade courthouse in downtown Miami. "They were tampering, they were selling information, they were changing records. I quickly learned that any paper-based system is a security nightmare." Moreover the Andersen study had discovered that thousands of traffic cases had never been set for hearings.
Ruvin renewed Andersen's consulting contract, but with a far more ambitious goal than mere analysis. Without bothering to request proposals from other companies, Ruvin sought to have Andersen actually create the system that would move the clerk's office solidly into the computer age. Furthermore Ruvin persuaded Andersen to share ownership of the patented new system with the clerk's office. They would then jointly market it, which could mean big bucks if SPIRIT were a success and others wanted to purchase it. Ruvin saw himself on the leading edge of a digital revolution that would one day spread to court systems across the nation.
The Executive Policy Committee -- an oversight panel of judges, court administrators, and county information technology managers that meets about twice a year -- chose the circuit court's Traffic Information System to be the first to receive SPIRIT. "Traffic court was the way to go because it's the place the majority of citizens interface with the court system," Ruvin explains. His long-term plan was to extend SPIRIT to all other judicial realms, including the family, probate, juvenile, and criminal courts.
Although it has cost approximately $36 million to create and operate SPIRIT, Ruvin claims that the system will eventually save money through the elimination of clerical jobs. Right now, he says, SPIRIT saves an estimated million dollars a year, money that otherwise would have gone to employee salaries. And while he concedes it isn't perfectly secure, it represents a "warp-speed jump" from the paper-based system it has begun to replace. "This is light-years ahead of any traffic system in the country," he boasts.
But optical imaging systems come with their own evils. They slow down, they freeze, they crash. They need upgrading every few years as the computer industry rolls out new versions of software and operating systems (the SPIRIT application relies on Oracle, FileNet, Windows, and IBM's AIX to function). And in some cases, their databases can be penetrated.
County programmers found problems with SPIRIT soon after Andersen Consulting began developing the application in 1993. Many of those problems, including the vulnerable security mechanism, had not been resolved by 1997, when conversion of the traffic-court system to SPIRIT was completed. At that time Andersen Consulting was still managing the project but preparing to turn it over to county programmers. Ruvin hired Tom James in 1998 and Tom McGovern in 1999 as private consultants to manage the handover. As Ruvin's chief information officer, James had ultimate supervisory control over Andersen's employees and the county's tech department programmers assigned to SPIRIT.
Still the security problems remained. Entry to the database -- which stores DUI, speeding, and other citations, as well as trial records and judgments -- requires just one shared user ID and password. This ID and password are hard-coded into the application, which means they haven't been changed since the program was written and can't be altered without extensive reworking of the code. Thus about 50 current and former programmers possess that crucial security information. In addition the clerk's office employs some 200 people involved in the processing of traffic citations, all of whom could enter the database if they obtained the ID and password and gained sufficient programming knowledge. If SPIRIT were expanded to the entire court system, the number of support staff would likely double, plus twenty additional programmers would be given the ID and password, or could easily find them.
In 2000 Randy Feigenbaum, a senior county programmer who had joined the SPIRIT team a year earlier, analyzed the security problem. "Providing adequately sophisticated security was beyond the resources of the development team," he wrote in a memo. He offered a proposal for rewriting the application so a security administrator could more tightly control database access through the use of IDs and passwords the administrator could cancel at will. Feigenbaum, who retired this past January at age 61 after 30 years with the county, says Tom James and Tom McGovern ignored his proposal. "If the information in the SPIRIT database represents something of value and is therefore a target for criminal activity, then there are more than enough people with the capability of attacking that database," Feigenbaum warns. "No program is perfect, but it all comes down to money. This problem can be solved by the appropriate expenditure of money."
Feigenbaum, Byron Jones, and several other programmers with extensive SPIRIT experience maintain that altering court records without a trace is child's play. For someone with access to the computer system, it would be this simple: Click open the Windows 2000 menu in the lower left-hand corner of the screen, select the Programs folder, open the program called SPIRIT. In the window that pops open, type in the same user ID and password that has been used since 1993, and enter a database called FileNet. Scroll through the columns and rows of data until the one containing the record to be altered appears. Click on the row to highlight it. Then hit the delete key. Finito. And there's no way to trace the culprit. That row of data was the only link to the scanned citation image burned onto an optical disk (like a big CD) housed at tech department headquarters. Theoretically someone could find the citation image again, but he'd have to know it was missing in the first place and then search through millions of other image files on the disk.
Instead of permanently losing your right to drive because of one too many DUI or speeding convictions, why not bribe someone to tamper your citations into oblivion? A devious programmer or hacker could alter citation scans and pretrial documents, and modify judgments, say the programmers. It's even possible to move a case through SPIRIT's automated court calendar without it ever coming before a judge: Type in the server address for the county courthouse where the case is to be heard. Find the window pertaining to the case. Change one field from "00," which means case pending, to "05," case heard. It's unlikely anyone will notice and very likely the case will simply disappear. And because of the database design, there's no way to determine who made the changes.
Want to steal some money? Easy. Just enter the fines paid by several different traffic violators into one individual's file. The system will recognize that the person had overpaid and the clerk's office will send out a refund.
Feigenbaum and other county programmers also warned that an intruder with an inexpensive flash drive -- a high-capacity memory chip the size of a cigarette lighter that plugs into a computer -- could even copy the entire SPIRIT program code in about two minutes, then eventually locate the database user ID and password in the code and proceed to hack the system from a remote computer. Though it would be more difficult to access the database from outside the county's network, it wouldn't be impossible. "Hackers wouldn't even consider it hacking," programmer Johnny Hoben says dismissively.
In January 2001, Accenture (the Andersen spin-off) finally turned over daily responsibilities for SPIRIT to the county's tech department programmers. Much of the county team's work consisted of upgrading the program so it would run properly with newer versions of FileNet and Oracle. Consultants Tom James and Tom McGovern remained on as project managers, while Ruvin again extended Accenture's contract (the eighth extension since 1993) with the mandate to expand SPIRIT to include misdemeanor criminal records, which are still paper-based. But there was no mention of the database security issue or Feigenbaum's proposed solution from the year before.
As Ruvin continued to renew the contracts of James, McGovern, and Accenture, the county programmers began to wonder if the consultants were actually tails wagging the clerk. It was in the consultants' interest, they reasoned, to ignore the security problems; acknowledging them could jeopardize their contracts and hurt efforts to market the application outside of Miami-Dade.
Ruvin readily acknowledges he has a contract with Accenture to sell SPIRIT to other U.S. court systems. "Accenture owns the code, but we [the clerk of courts office] own the application," he explains. "My thought was that we would earn royalties, that we would be the flagship for this. That we would earn a royalty of a quarter of a million dollars for every clerk's office or court system that would adopt it. And that I would take that money and put it in a revolving fund for the next technology application so that we'd be able to do similar projects in, say, the family court or the juvenile court."
The programmers, however, believe that Ruvin's plan to generate income by marketing SPIRIT is at the crux of the seeming reluctance to remedy the security problems. In addition to resale potential being damaged by news of a flawed product, so much rewriting of the code would be required to fix the problems that the county tech department could claim partial ownership. That would cut into Accenture's and the clerk's share of proceeds from future sales. Ruvin dismisses the notion that his ability to assess the project objectively could be compromised by his financial interest in it. "We really think this is the most secure system," he says, insisting that he and James are not downplaying the security flaws.
Frustrated that Ruvin and James were not committed to addressing the most serious security issue -- the vulnerable database -- the alarmed programmers decided to go public. They contacted New Times. The resulting story, "Tamper Tantrum" (August 19), quoted Byron Jones and Johnny Hoben describing how it was possible to delete a traffic case or change a serious DUI citation to a minor infraction -- and do so without detection.
Fallout came fast and hard. On August 23, just two business days after the article appeared, tech department director Ruben Lopez kicked SPIRIT team leader Masood Hussaini off the project. He then moved to intimidate and silence the outspoken programmers who worked for Hussaini. One by one, Jones, Hoben, and Galego (and a fourth programmer who was not quoted in the article) were presented with a memo from the county manager's office that forbade anyone but department directors and public-information officers to speak to the media on behalf of the county. They were ordered to sign the document.
Although the programmers had spoken out as concerned employees and taxpayers, not "on behalf of the county," the chilling intent of the memo took effect. Tech department employees who had previously been willing to talk with New Times are now reluctant to do so. "There's an effort to cover up wrongdoing here," says one staffer who requested anonymity for fear of reprisal. "I don't think they should be able to use those policy rules to aid that coverup."
Part of the alleged coverup includes portraying the county programmers as potential criminals, and their leader, Masood Hussaini, as a bad manager. Hussaini rejects the mismanagement charge. "That's not true," he says. "I have a perfect performance record as a manager."
Because the clerk of the courts is an elected position, the office is independent from the rest of county government. The clerk manages his office's budget with oversight from the judges and administrators on the Executive Policy Committee. Since 1998 Harvey Ruvin has renewed Tom James's annual contract seven times. According to records, James billed about $91,000 from late 1998 through 1999; that figure swelled to about $160,000 over the past year (from July 2003 to July 2004).
Throughout his contract, one of James's responsibilities as the clerk's chief information officer has been to approve invoices from Accenture. From August 2003 to August 2004, Accenture billed about $1.7 million, a rate of about $20,000 per month per programmer. (Six Accenture employees remain on the project as consultants.)
Consultant Tom McGovern has had his initial six-month SPIRIT contract renewed by Ruvin ten times since mid-1999. Over the past twelve months, his work for the clerk has brought him a salary of $96,000 plus $1000 to $3000 per month in expenses. The expenses have been mostly for mileage incurred in the round-trip drive from his home in Melbourne to the Coral Gables courthouse once a week to attend meetings, and one night of lodging. (McGovern declined to speak with New Times.)
Ruvin says both consultants are highly qualified and argues there are good reasons for using private contractors as project managers. "The advantage you have with a contract employee is that you don't have to pay benefits and you don't have to concern yourself if you're going to fire them," he says. Moreover, he notes, it's been necessary to keep them on the project until a "knowledge transfer" to the county's tech department has been completed.
And who will tell Ruvin when that transfer is complete? Consultants James and McGovern. (Byron Jones and his fellow programmers maintain that the knowledge transfer was completed in 2002, about a year after they assumed responsibility for operating SPIRIT.)
On August 27, two days after the courthouse guards detained Jones, the Executive Policy Committee held one of its semiannual meetings. Judge Slom had asked that the programmers' security complaints be placed on the agenda. Consultant McGovern summarized a July 8 meeting between administrators from the county tech department and the clerk's office regarding security. "They agreed, yeah, that there are some risks here," McGovern began, "but those risks are not catastrophic. One of the things that is probably the most important aspect of any security system you put in place is you must be able to trust the people who are doing the work. I've had probably 50 years' experience in security systems, some of them the most sensitive in the nation, and the weakest link in any security system is the people. You can put into place all kinds of procedures, you can do all kinds of things to assure security -- and we're addressing those. But if one of these trusted agents who is responsible for some of the very, very sensitive things determines they want to do harm, it is extremely difficult to prevent them."
Consultant Tom James, who earlier had characterized the database security threat as "minimal," claimed after the meeting he had programmers taking such extensive action to rectify the security problem that judges and other users would soon find SPIRIT to be much slower. "We're doing more things and making the systems work a little bit harder to make sure we can protect ourselves from programmer malfeasance," he said. "As a matter of fact, [the programmers'] lives will probably be miserable because of it."
Still, James made sure to cast the programmers themselves as the real threat: "We didn't think that, in all the priorities of things that we had to do, protecting ourselves from the people who worked for us was that important. But now we do."
In response to their reassignments, several of the whistleblowers say they are considering filing lawsuits against Tom James, Tom McGovern, and various county officials, accusing them of retaliation, harassment, and defamation.
"I didn't take them off the project," Ruvin protests. "They work for [the county tech department]. Ruben Lopez made the decisions to do whatever was done personnel-wise." Lopez, through a county spokeswoman, said the reassignments of Jones, Hoben, Galego, and others on the SPIRIT team were the result of budget cuts.
Ruvin's and Lopez's explanations don't hold up, the programmers say. No one mentioned budget problems when they were removed from SPIRIT. Besides, why transfer the programmers who were most experienced on the system? In a September 15 memo to her decimated staff, the new SPIRIT team supervisor confirmed the severity of the brain drain and requested that any "knowledge gaps" be brought to her attention immediately.
The whistleblowers, meanwhile, have taken their concerns about SPIRIT's consultants and contracts to Miami-Dade's Office of the Inspector General.
Clerk of Courts Clarified
If you live in Miami-Dade County, chances are some of your money has gone to Harvey Ruvin. Under the state constitution, each Florida county must have an elected clerk of courts, which means Ruvin enjoys a unique form of power along with his substantial responsibilities. He is the custodian of court records generated in the Eleventh Judicial Circuit of Florida, which serves Miami-Dade County. He is also custodian of records related to the work of the county commission. In addition all of the countys banking contracts are awarded through Ruvins office. Most of the offices power, however, stems from the money streaming into it.
With the help of 1300 employees and a $57 million budget, Ruvin collects tens of millions of dollars in revenues each year from parking and traffic fines, court-ordered forfeitures, and fees for marriage licenses, real estate documents, and other legal papers filed with Miami-Dade County. In 2003, for example, Ruvin's office collected $45 million from traffic cases alone; total revenues last year were about $69 million.
Until this year, those revenues went into the Miami-Dade County general fund and covered about two-thirds of Ruvin's budget. The county and state picked up the other third. A state constitutional amendment approved by voters has now changed that arrangement. Today Ruvin and all other court clerks send fines, fees, and forfeitures to the Florida Department of Financial Services. In exchange the legislature pays the operating costs of the state's court system, including State Attorneys, public defenders, and clerks' offices. Counties, however, must still maintain courthouses and construct new ones as needed.
Court-related technology spending also remains a county responsibility. The amendment authorizes clerks to tack on a new four-dollar filing fee for documents relating to property ownership. The state takes half the fee, the county receives ten cents of it, and Ruvin's office keeps the remaining $1.90 for technology projects. This year the fees will bring some four million dollars to the clerk's office. But even with another two million more provided by the county commission, there will not be enough to expand SPIRIT into misdemeanor criminal cases. "I'm going to have to find another source of funding for the aggressive plan I had to move technologies forward," Ruvin says. "If I could sell SPIRIT to twenty jurisdictions, I'd have five million dollars for technology."
Ultimately the SPIRIT project's direction will be determined by a panel of judges and county administrators known as the Executive Policy Committee. "Every major decision goes to them," Ruvin says. But the SPIRIT whistleblowers and other skeptics say the committee, which meets twice per year, functions as little more than a rubber stamp on Ruvin's agenda.
Get the Weekly Newsletter
Our weekly feature stories, movie reviews, calendar picks and more - minus the newsprint and sent directly to your inbox.