How a fraudster uncovered Stingrays for the first time.

[Z]

http://www.theverge.com/2016/1/13/10758380/stingray-surveillance-device-daniel-rigmaiden-case

(note: It might be easier to read on the original page considering the single paragraph formatting that somehow came across.  It is an interesting story and worth the click and the read. -z)

How a man accused of million-dollar fraud uncovered a never before seen, secret surveillance deviceBy Russell Brandom | Illustrations by Cam Floyd
On May 6th, 2008, a package containing $68,000 in cash arrived at a FedEx store in Palo Alto, California. The bills had been washed in lantern fuel, as per instruction, then double-vacuum-sealed and placed inside the cavity of a stuffed animal, which was then gift wrapped. The store had been chosen carefully: it was open all night, and located just 500 feet from a Caltrain station. The package was general delivery, to be picked up at the store by a man named Patrick Stout.
The money was being closely watched. The package had been prepared by a criminal informant, working in cooperation with a joint task force of agents from the FBI, IRS, and US Postal Service, who were investigating a tax fraud scheme. The informant had been arrested and flipped months earlier, betrayed by yet another informant. Now they were after the mastermind.
Around 5 o’clock the next morning, the target appeared. A wiry white man in a dark hoodie came in through the back entrance, presented a driver’s license in the name of Patrick Stout, picked up the package, and left the same way he came in. He tore open the package near a dumpster behind the store, pocketing the stuffed animal, and headed toward the train. Two officers tried to follow, but he recognized the tail and slipped away. Agents rushed to the station but couldn’t find him among the early morning commuters. The trains could have taken him anywhere from San Francisco to San Jose, with connections to each city’s airport.Just a few minutes after the pickup, Stout was gone. It was as close as the cops would get for months.From there, every lead seemed to dry up. Stout’s driver’s license was fake: the address didn’t exist and the ID number belonged to a woman in Bakersfield. Stout kept talking to the informant, joking that he was becoming paranoid. He didn’t know who he’d spotted following him at the FedEx store, but he was shy about setting up another cash drop. A few weeks later, Stout had $18,000 in gold bars mailed to the same FedEx office, but by the time investigators found out, the pickup had come and gone.The informant led the task force to a nest of bank accounts where he’d been instructed to deposit money, but they were all in false names — Sam Blat, Benjamin Cohan, Aaron Johnson. There was more than $400,000 spread across the accounts, all of which could have been shuttered and seized using evidence the task force already had — but that would just have spooked the target. They wanted to catch him, not to scare him off.Their best lead was the IP address Stout used to file the fraudulent returns, which traced back to a Verizon Wireless AirCard registered under the name Travis Rupard. Rupard — or were Rupard and Stout the same person? — had bought it through another post office box with another fake ID, kept active just long enough to receive the device. The whole point of an AirCard is to provide internet access that’s not tied down to a fixed address, which made tracking down the owner tricky. When Rupard used the card, Verizon knew which cell tower he connected to — usually somewhere around San Jose — but they couldn’t tell much more than that.Three months after the FedEx episode, on August 3rd, the task force descended on an apartment complex near the San Jose airport, rented in the name Steven Travis Brawner. Agents caught Rupard outside the complex, and served a search warrant on his apartment and storage unit later that day. They found $117,000 in US currency, 230 ounces of gold, and 588 ounces of silver, along with the dark gray hoodie tying him to the drop at the train station and a Verizon AirCard tying him to the bank accounts. By the time the case was over, the agents would recover more than $1.4 million.The suspect was charged with 35 counts of wire fraud, 35 counts of aggravated identity theft, and three other miscellaneous charges — enough to keep him in jail for the rest of his life. Taking his fingerprints three days later, the police finally worked back to his name — not Rupard, or Stout, or Brawner, or Aldrich, or any of the others. His name was Daniel Rigmaiden.But there was something else, something that wasn’t reported on the seizure affidavit, the complaint, or any of the documents that followed. To track Rigmaiden down, the investigators had used a secret device, one that allowed them to pinpoint their target with far more accuracy than Verizon could. They called it a cell-site simulator, or by its trade name, Stingray. Neither term was found in the court order that authorized its use. The device had to be kept secret, even from the courts.The Stingray had worked perfectly. Agents traced the suspect’s AirCard back to his apartment and now had more than enough evidence for a conviction. But in the years that followed, that open-and-shut case would turn into something far more complex. Working from prison, Rigmaiden would unravel decades of secrecy, becoming the world’s foremost authority on the device that sent him to jail. By the time he was finished, a covert surveillance device and the system that kept it secret would be exposed to the public for the very first time.This past October, I met with Rigmaiden in Phoenix, where he’s lived since he was released from a nearby federal prison in 2014. In person, he looks like a scrappier J.J. Abrams, with thick, black glasses and spiky, black hair. Intensely private, he declined to meet at his home, preferring a shopping center some blocks away. It was a mild day and the sun was low, so we decided to go on a hike in an expansive park south of town where the flat plain of the city rises into rocky hills. He doesn’t get out much these days, but the trail brought out his old outdoors instincts. As we climbed, he guided me away from brittle rock faces and possible snake pits. "Normally I wouldn’t even come out without a full pack," he told me. "You’re not really supposed to."These days Rigmaiden is primarily concerned with the typical worries of a newly released prisoner — finding a good job and an apartment willing to rent to an ex-con. He likes his probation officer and seems to be adjusting well to life on the outside.But the world has lots of ways of reminding Rigmaiden of his time locked up. As we came down from the hills, a City of Phoenix maintenance truck rolled toward us, the driver wearing a uniform we couldn’t quite place. When we crossed in front of the truck, the driver rolled down the window and pulled out a camera, training it up the mountain and above it, to the sky. Were we accidentally trespassing? Neither of us was sure. Rigmaiden has to make an official report for every interaction he has with the police, so even minor mistakes can become dangerous. But the official didn’t seem to care about us, and we walked past without being stopped.It was a tense, awkward moment, but Rigmaiden is used to the feeling. A natural outsider, he has spent much of his life coming to terms with authority, legal and otherwise. "I tried the non-participation way for 10 years, then I spent five years in jail," he told me. "Now I’ve made the transition to try to change things for the better."Born in Seaside, California, Rigmaiden left home just after high school, living in a string of college towns up and down the coast. He became an expert at forging fake IDs and did a good business selling them to beer-happy college kids online.Eventually, he decided to get off the grid entirely. "I just didn’t want to be attached to the whole society system," he recalls. "I needed to take a step back and take a break from it all." He traded the college towns for seaside motels, or a tent and remote campsites. "It was peaceful. What I liked about it was, you had to do everything yourself," he says.He spent one summer in Big Sur, an isolated stretch of the California coast famous for its massive redwoods and dramatic precipices. He set up camp deep in the forest and developed a taste for free-climbing, scrambling over the area’s boulders and cliffs. He liked the exertion, the independence, but most of all the heightened sensitivity that came with danger. "It’s not panic," he told me. "It’s almost like you’re glued to the side of the rock. It’s that calculated. Because you know if you fall off you’re going to die."Once, looking out over a 60-foot dropoff, the ground gave way beneath him. He found himself sliding down the face of a cliff. "I was grabbing saplings to slow myself down but I ended up just pulling them out. It was this burnt stump that saved me," he told me. "Eventually, I got back by swinging sapling to sapling."Those adventures cost more money than he could make from selling fake IDs, so he hit on another scheme, filing tax returns for the recently deceased. He liked the scam, he told me, because he saw it as relatively victimless. He didn’t have to steal from anyone who was still alive. All he got was whatever refund money would be coming back to the deceased, often thousands of dollars for a single return. It proved incredibly lucrative, pulling in far more than he needed to survive. Rigmaiden developed a rhythm: working his ID and tax return businesses for six months, squirreling away the extra money, then taking the rest of the year off.He was meticulous about hiding his identity. His name changed constantly, with a new driver’s license for each new storage unit or post office box. Each step of his scheme was painstakingly arranged: from the computers that filed the returns to the post office boxes where the refunds were delivered, to the couriers that picked them up and the bank accounts where they were deposited. He approached it like a mental puzzle. As far as he could tell, there were no links that could trace the money back to him.Except for that AirCard. He didn’t think police had the expertise to trace it, but he knew enough about the physics of wireless signals to be sure it could be done. In radio terms, the AirCard was noisy, blasting out data in all directions like a barking dog on a busy street. By the time the signal reached the cell tower, it was mixed in with noise from thousands of other sources — but in theory, a person with the right equipment could always trace the bark back to the dog.For years, the weakness of the AirCard was a hypothesis — but the moment federal agents arrived at his apartment in the summer of 2008, he knew it was real. When he was arrested, Rigmaiden’s first thought was that the AirCard had given him away. The task force had used some device, some device no one knew about. His second thought was that he didn’t want to take on all the work that would be necessary to prove it. But even then, he knew there was no other way. "I knew I was going to have to learn the legal system to get out of this," he told me.It was two months into his stay at the Florence Correctional Center that Rigmaiden discovered the law library. Since his arrest, he had been trying to plead his case while scrambling from prison to prison — first a local penitentiary in California, then to Florence in Arizona where the case was being tried. He did his best to keep a low profile at Florence, steering clear of mentally ill inmates and making do through random shortages of staples like toilet paper. He wrote note after note to his lawyer, scribbling on the back of Prisoner Request Forms with the 3-inch golf pencils issued by the prison, but it didn’t seem to change anything. He was facing a federal case, represented by a public defender. Making noise about invisible signals and secret surveillance devices was only going to get him in trouble.Still, he knew the government was hiding something. He had seen the warrant for the raid on his apartment, but it gave no sense of how they had tracked him, attributing the information to "historical cell tower information and other investigative techniques." But a single cell tower serves thousands of phones at once. Even detailed records couldn’t have been enough to pinpoint a single apartment complex. There had to be something else.If he was right, it meant the agents had lied to the judge, which could be enough to get the case dismissed. But the key to his argument was buried in murky technical details that only he understood. His lawyer didn’t know the first thing about cell tower data. Neither did the judge. He found himself drawn to the prison library’s open hours, the three hours a week when he could actually get answers.[size=2.5rem !important]HE FIRED HIS FIRST LAWYER, THEN A SECOND, THEN FINALLY GOT PERMISSION TO REPRESENT HIMSELF[/size]He made a valuable new friend at the library, a disbarred lawyer who was serving time for fraud. Rigmaiden learned about the rhythms of a trial, the motions and requests each side uses to stake out territory. Eventually, Rigmaiden opted for a strategy of total legal war, flooding the court with motions and proposals. "When you hire an attorney," he says, "they have to pick and choose the things they’re going to challenge because of time and resources. But I just challenged everything."He fired his first lawyer, then a second, then finally got permission to represent himself, which let him bump up his library time to five hours a day. He worked six days a week, sometimes 15 hours a day. When he couldn’t print the motions, he wrote them out by hand, using the same nubby half-pencil.Meanwhile, he was also poring through records for any evidence of the mysterious device that had caught him. In October, the court gave him access to his discovery file, 14,000 pages of documents that laid the groundwork for the prosecution’s case. In the second to last box, he saw the word "Stingray," scribbled in one investigator’s notes. He thought it sounded like a brand name.The prison library didn’t have internet access, but the prison’s case managers would Google Search for you if you asked them. Eventually, Rigmaiden found a Stingray brochure from Harris Corporation, advertising exactly the capabilities he’d suspected. Now he just needed to prove police were using it. He found what he was looking for in the minutes of a Maricopa County board meeting: a unanimous vote to buy police equipment paid for by a federal grant. Because there hadn’t been an open bidding process, the department had been required to submit its invoice for public consideration. The invoice was for a cell-site simulator device, built by the Harris Corporation.In 1995, a hacker named Kevin Mitnick broke into a software company called Netcom, stealing email archives and security programs. He concealed his location with a modem-connected cell phone, a hacked-together version of Rigmaiden’s AirCard. To zero in on Mitnick’s cell phone, police used a passive cell-site simulator combined with a silent SMS from the phone company that forced Mitnick’s device to check in. It was primitive, but they were employing the same technique that would catch Rigmaiden more than a decade later.In 1996, Rohde & Schwarz created a device called the GA 090, which bundled the ping and capture functions together, effectively masquerading as a cell tower. Driving through a neighborhood with your GA 090, you could see the unique subscriber ID for everyone within range, akin to seeing everyone’s cell phone number. If one number was particularly interesting, you could drive around the corner and take another reading to triangulate exactly which house or car it came from.The device exploited a fundamental part of how cell networks are built. Mobile phones rely on constant communication with nearby cell towers, always listening for signals from a tower that might be closer or less congested than the current connection. As soon as the phone hears a signal, it spits back an identification number. But crucially, the signal doesn’t have to prove it’s coming from a tower. There’s no authentication for the first stage of the process, so a device like the GA 090 could slip right in.Security researchers have been concerned about that flaw since the ‘90s, some even accusing phone companies of keeping it open just to allow law enforcement to exploit it. But by the time those flaws were being used against Rigmaiden, the topic had largely faded from view. Researchers knew the system was broken, but everybody else counted it as a theoretical attack and moved on.Meanwhile, devices like the GA 090 were gaining popularity in the law enforcement community. In 2003, Harris Corporation unveiled the Stingray, a sleeker, smaller version of Rohde & Schwarz’s earlier model, and it came with an aggressive push into the US market. Intelligence agencies began using them overseas to surveil targets or identify their devices. US Marshals put Stingrays in planes and flew them over cities, collecting tens of thousands of phone numbers in search of a single fugitive’s phone. Over time, the devices trickled down to local police departments, where they could be used to track down anyone from murderers to purse-snatchers.But purchasing the device came with a catch. Every time an agency bought a device from Harris, they signed an agreement to keep it out of public court records. If Stingray methods were ever entered into evidence, Harris argued, criminals would catch on, rendering the device useless. Agencies still got court orders to use the devices, but they usually looked like a vaguely worded request for phone records. In most cases, the judges never knew what they were signing and defendants never knew how they’d been caught.[size=2.5rem !important]HE WAS A SELF-REPRESENTED PRISONER CHASING A MYTHICAL SURVEILLANCE DEVICE — SURE SIGNS OF A CRANK[/size]But they couldn’t hide every trace. Rigmaiden found signs of Harris’ Stingray device in random corners of the web. He searched through Harris’ patent filings, which gave him far more insight into how the devices worked. He filed requests for information on the devices under the Freedom of Information Act, but departments locked up, citing confidential methods. He studied The Fugitive Game, a 400-page study of the Mitnick case, scouring for clues on exactly how police had tracked the rogue hacker. There was no public evidence of the device at the federal level, no documents or statements indicating it was in use. He turned his attention to local departments, hoping they would be less careful. When his library time was up, he would take the documents back, poring over them in his cell. Over more than two years, he built a file that sprawled to hundreds of pages, including every last trace of the Stingray he could find.Rigmaiden needed allies, so he sent his file to half a dozen different privacy organizations, but never got back more than a form letter. Not only was Rigmaiden a self-represented prisoner chasing a mythical surveillance device, but he had filed hundreds of motions — these were sure signs of a crank. A normal person would take the plea deal and resign himself to his sentence. Rigmaiden’s phonebook-sized file was testament to how unusual he really was.Eventually, Rigmaiden sent his file to Christopher Soghoian, then a PhD student who had published work on wireless spectrum surveillance. There was something unhinged about the file, to be sure, but Soghoian knew that what Rigmaiden was proposing could very well exist. "My reaction wasn’t, what is this strange device. It was, oh I read about this in graduate school. But I read about it as a thing that was possible, not a thing that the police in Baltimore were using," Soghoian says. He became convinced Rigmaiden was right.Soghoian passed Rigmaiden’s file along to privacy groups like the ACLU and EFF, many of the same groups who had ignored the package the first time around. But the breakthrough came when he sent Rigmaiden’s sprawling file to Jennifer Valentino-Devries, a reporter for The Wall Street Journal’s Digits blog. The next month, her story hit the front page of the paper, revealing Stingrays to the public for the first time and presenting the unchecked, widespread adoption of the technology as a direct challenge to constitutional rights. When a copy of the paper made it to his cell, Rigmaiden was surprised. For the first time, he had reason to think his discovery would matter for more cases than just his own. "I knew that it wouldn’t be a front page story if it wasn’t such a big deal," he told me.Rigmaiden’s legal situation, however, hadn’t changed. Arizona prosecutors wouldn’t drop his case just because of a fudged warrant, and while the Stingray news weakened their case, they were determined to see it through. He kept up his barrage of motions: he filed 22 different motions to "continue trial," forcing the prosecution to adapt to his unusual speed. One filing was entirely concerned with the use of the word "preliminary" in testimony describing a handwriting analysis. After the FBI started ignoring his FOIA requests, Rigmaiden launched a civil suit against the bureau, eventually filing almost two dozen motions on that case before it was dismissed. The criminal docket sprawled to more than 1,100 entries.In 2013, prosecutors finally offered a plea deal on his criminal charges. Rigmaiden believes the deal had more to do with his persistence than the merits of the case. "The reason they wanted to get rid of the case wasn’t because they were worried the Stingray was going to get exposed more, because at that point it was pretty much already out there," he says. "The reason they wanted to get rid of me was because I was doing all that work. I was giving them so much work to do and it was pushing their resource limit." He was still reticent to take the plea — which waived his right to appeal — but prison was wearing him down, and he ultimately decided he could do more on the outside. In April of 2014, after nine months of deliberation, he took the deal and walked out of Florence a free man.In the four years since the first Journal article, Stingrays have turned up everywhere. They’ve been documented at 53 agencies spread across 21 states, used in major cities like New York and Chicago as well as smaller departments in Memphis, Durham, and San Jose. In a 2015 review, Baltimore police admitted using the device more than 4,300 times, sometimes for crimes as minor as a stolen cell phone. The US Marshals have even lent the devices out to Mexican officials hunting down cartels. In each case, the departments had been using the devices for years, long before Rigmaiden came onto the scene.Meanwhile, an informal network of defense attorneys has cropped up, with public defenders sharing notes on how to spot and deal with Stingray cases. Because of the intense non-disclosure agreements around the Stingray, most prosecutors will drop cases rather than defend the use of the device in the face of a well-versed lawyer. Rigmaiden has become a kind of in-house expert for those lawyers, tracking surveillance issues on Twitter and consulting behind the scenes. When Washington state started drafting a law to limit use of Stingray devices in late 2014, someone passed the bill along to Rigmaiden. For a month and a half, he spent each morning going over a draft of the legislation, demonstrating the same obsession to detail he’d shown in planning his tax fraud scheme and criminal defense. Working with a local ACLU chapter, he recommended tweaks to the bill, specifying the language and expanding the rules to cover passive surveillance devices and other variants that are still secret.In September, the Justice Department issued a new policy on cell-site simulators, instructing all federal agencies to get warrants before using the devices. For a lot of privacy groups, it was a victory — the first clear federal policy on Stingray use, openly instructing agents to play straight with courts. Rigmaiden was less optimistic. "A lot of it is just putting a new face on what they’ve been doing all along," he told me. "In my case, they had a warrant. The problem was the information on the warrant."Rigmaiden now lives a modest life. He gets no money from his legal work, and when I visited, he had just quit a telemarketing job in favor of a slightly friendlier web development gig. He has no car (his record also makes auto loans difficult), so the telemarketing job meant a long walk to a bus to a train. Last year, he spoke at a defense attorney conference at the University of Arizona, an experience he’d like to repeat if he can. For now, the terms of his probation stop him from leaving the Phoenix area.After climbing down from the hills, we drove to another park, this one a flat stretch of lawn closer to the center of Phoenix. It was quiet, empty except for a few couples and about a dozen people gathered near a stage for a benefit event. It was, as Rigmaiden pointed out, exactly the kind of crowd where you might want to use a Stingray. He had an app on his phone called SnoopSnitch, which looks for telltale disturbances in the network, one of the open-source Stingray-hunting projects that’s sprung up since the device became common knowledge. That day, the data showed two disturbances, both silent pings from the phone company. Neither was necessarily suspicious, although we’ll never know why they went out.Rigmaiden suspects police have moved on from Stingrays to passive receivers, which sniff signals out of the air without disrupting the network at all. It’s the kind of thing you could build yourself with open software and no FCC violations at all, although you’d need the phone company’s help to connect the signals to actual cell numbers.Cell-site simulators are now at least 20 years old, a long time for any one trick to stay secret. Police had been using the devices in secret for 12 years by the time they were trained on Rigmaiden. From there, it took another eight years to drag them into the light. Even that was only possible because of the chance alignment of a stubborn defendant, a legal shortcut, and a sympathetic judge. "If we hadn’t picked up the scent on this, they could have gotten another five or 10 years out of it," Soghoian says.This is the logic of surveillance, an arms race between police and criminals, but also between police and the legal systems meant to keep them in check. After 10 years off the grid and five years in jail, Rigmaiden is now on the side of those systems — privacy groups, lawyers, judges. It’s a strange place to find himself. How did he make the turn from dodging surveillance to actually fighting it? He’s still not sure, although it probably has something to do with getting older."You have to realize when you’re in a situation where you can make a difference, and grab onto it," he told me. "I don’t think those opportunities arise very often."* *Edited by Michael Zelenko[/size][size=4.75em !important]

[Z]

When Your Conspiracy Theory Is True podcast on this topic.  I haven't listened to it all, but the start was great. I will finish listening on the way home from work probably.


http://www.wnyc.org/story/stingray-conspiracy-theory-daniel-rigmaiden-radiolab/


Direct link to the podcast: https://www.wnyc.org/radio/#/ondemand/511502

[smalls]

Excellent read! And the illustrations are sick, too. Thanks for posting this. I'm now following the author and artist on twitter and already found other engrossing long reads via their tweets. Love it when that happens. Rather than the internet wormhole of memes and cat videos, to find myself sucked into the wormhole of one high quality read after another.

_{(Not that there's anything wrong with cat videos.)}