28 Oct LabMD in THE NEW YORKER
A Cybersecurity Firm’s Sharp Rise and Stunning Collapse
Tiversa dominated an emerging online market—before it was accused of fraud, extortion, and manipulating the federal government.
Originally published by Raffi Khatchadourian in The New Yorker
Before Robert Boback got into the field of cybersecurity, he was a practicing chiropractor in the town of Sewickley, Pennsylvania, twelve miles northwest of Pittsburgh. He was also selling used cars on eBay and flipping houses purchased at police auctions. The decision to branch out into computers came in 2003, after he watched a “60 Minutes” report by Lesley Stahl about pirated movies. For years, while digital piracy was devastating the music industry, Hollywood had largely been spared; limitations on bandwidth curtailed the online trade in movies. But this was changing, Stahl noted: “The people running America’s movie studios know that if they don’t do something, fast, they could be in the same boat as the record companies.”
Boback was thirty-two years old, with a Norman Rockwell haircut and a quick, smooth, entrepreneurial manner. Growing up amid the collapsing steel industry, he had dreamed of making it big, hanging posters of high-priced cars—a Lamborghini, a Porsche—on his bedroom wall and telling himself that they would one day be his. After high school, he trained to be a commercial pilot, imagining a secure, even glamorous, life style—but then the airline industry began laying off pilots, and he switched to chiropractic, inspired by a well-off practitioner his family knew.
Watching “60 Minutes,” Boback saw a remarkable new business angle. Here was a multibillion-dollar industry with a near-existential problem and no clear solution. He did not know it then, but, as he turned the opportunity over in his mind, he was setting in motion a sequence of events that would earn him millions of dollars, friendships with business élites, prime-time media attention, and respect in Congress. It would also place him at the center of one of the strangest stories in the brief history of cybersecurity; he would be mired in lawsuits, countersuits, and counter-countersuits, which would gather into a vortex of litigation so ominous that one friend compared it to the Bermuda Triangle. He would be accused of fraud, of extortion, and of manipulating the federal government into harming companies that did not do business with him. Congress would investigate him. So would the F.B.I.
But as Boback was watching “60 Minutes” all he saw was a horizon of possibility. Stahl pointed out that pirated music and movies were spreading primarily on peer-to-peer networks—an obscure precinct of the Internet that was sometimes called the Deep Web. The networks were made up of hundreds of thousands of decentralized connections, in which one computer was linked to no more than five others, and then through those five computers to many more, expanding exponentially like the branches of a large tree. These connections were invisible to search engines like Google. Even the software that allowed users to browse them had only a limited field of vision—glimpsing just random fragments of the tree at a time. Boback wondered if it was possible to design a system that could scan the whole tree at once, then block people from sharing files on it. Certainly, this capability would be worth a lot.
Boback had no idea how to build such a thing, but he knew someone who might: a patient of his, Sam Hopkins, whose girlfriend had persuaded him to pursue chiropractic treatment after a car crash. Hopkins was in his thirties, too. He was soft-spoken, with a childlike disposition, a wispy physique, and a goatee. He had grown up in inner-city Pittsburgh, in a home where money was scarce. As a boy, he had taught himself how to program on a Commodore 64 that was on display at Sears. Bored with school, he dropped out, and built an Internet-service provider, which was sold to a local telecom company. By the time of his car accident, he was designing high-speed computer networks for Marconi Communications.
When Hopkins came in for treatment, Boback explained his idea, and after some thought Hopkins said that it could be done. At that time, the most popular peer-to-peer software was a free application called LimeWire. When a user searched for a file—say, an MP3 of “Hey Ya!”—LimeWire sent a query to other users asking for it. If the file turned up, this meant that someone had designated it for sharing. The main peer-to-peer network limited the number of computers a person could search. But Hopkins told Boback that the limitation could be overcome with a system that scattered virtual users, or “nodes,” throughout the network—in effect emulating many, many copies of LimeWire running simultaneously. With enough nodes, the whole network could be seen.
That Christmas holiday, Hopkins locked himself in a room to program, and in a couple of weeks built a rough prototype. Even though it could maintain only a small number of nodes, data flowed through it in a torrent. The system could track the search terms that thousands of users were entering—offering unique insight into what was in demand, half clandestinely, on the Deep Web. The terms filled the screen so rapidly that Hopkins had to program a “decelerator” to slow them down. Watching the words race by, the two men began to suspect that they had genuinely struck it big.
By the end of the year, Boback and Hopkins were sitting in the well-appointed offices of a Pittsburgh law firm that specialized in intellectual property. The attorneys were optimistic. Rather than charge billable hours, they offered to work for ten per cent of the proceeds when the system sold. One said that the deal could be worth fifty million dollars. With the firm’s help, Boback and Hopkins formed a corporation. Hopkins came up with its name, Tiversa, a portmanteau of “time” and “universe.” It was also an anagram of veritas: Latin for “truth,” but scrambled.
Boback is a storyteller. Words pour out of him in cascades that, depending on the listener, can register as beguiling, slick, questionable, or bullshit. One colleague described him as “very confident, sometimes bordering on cocky.” Another told me, “He was a master manipulator. Watching him was like watching van Gogh use oils.”
As Boback began marketing his system, he landed a big meeting with lawyers representing the Recording Industry Association of America, but the lawyers said they already had a strategy to combat file sharing: sue the problem into oblivion. Undeterred, he and Hopkins flew to Los Angeles, where they met with Darcy Antonellis, the head of anti-piracy efforts at Warner Bros. The studio was gearing up to release a summer blockbuster, “Troy,” an epic in the mold of “Ben Hur,” rumored to have cost almost two hundred million dollars. A screener had already leaked, and, during the meeting, Boback strove to convey how much money Warner Bros. was losing: in his hotel room beforehand, Hopkins had added to the software a digital counter that appeared to track downloads of “Troy,” tabulating a fifteen-dollar loss with each one. Boback explained that the system, which he was calling Media Spy, could be designed to jam the activity. Antonellis listened patiently, and then said that it seemed too good to be true. She meant it literally. Such an intrusion would require Warner Bros. to block people from posting files at the point of their computers, which she suspected was legally impossible.
After the meeting, Boback’s lawyer mentioned that a partner in his firm knew Orrin Hatch, the chairman of the Senate Judiciary Committee, who had spoken out against pirated music and movies. Perhaps, if Hatch gave his imprimatur to the system, the concern about its legality could be overcome. That May, Boback and Hopkins drove to Washington with another lawyer in the firm, to meet with Hatch in a conference room in the Hart Senate Office Building. They brought a laptop and made their pitch, as Hatch listened with polite interest. While wrapping up, they explained that their system could track not only music and movies (the vast bulk of the content on peer-to-peer networks) but anything else that people were sharing: documents, spreadsheets, PowerPoint decks. Some of those items appeared to have national-security implications, so Hopkins had created a second user interface for the software, called Patriot Spy. Boback shared a few examples of what the system had found, including files belonging to a person in Australia who had jihadi literature and bomb-making manuals.
“Stop what you’re doing,” Hatch said. He led his guests to his office, seated them in faux-leather chairs, and commanded an assistant, “Get me George Tenet.” Within a few minutes, the director of the C.I.A. was on speakerphone, and Hatch was telling him that, if the agency did not have the capability he had just witnessed, then it should. Boback and his colleagues looked at one another in disbelief. By the end of the call, Tenet had invited them to visit the C.I.A.’s headquarters, in Langley, Virginia, first thing the next morning.
Unprepared to spend the night, Boback and the others bought clean underwear and toothbrushes, then tried to find a hotel in D.C. They were laughed out of a downtown Marriott, and eventually landed in a tumbledown joint on the city’s outskirts. Still, they were giddy. If the C.I.A. wanted to buy their system, then Hollywood could wait.
In the morning, they pulled up at the front gate of Langley and explained that they had an appointment with the head of the Directorate of Science and Technology. They were sent to the Original Headquarters Building, but Boback made a wrong turn and the car was soon surrounded by security personnel, their weapons drawn. A guard warned them to leave immediately. “Do you understand?” he screamed. Boback, unsure whether the guard meant the road they were on or the entire property, rolled down the window. “No,” he said. “Can you explain it to us?” The other passengers were terrified, but Boback was unfazed. As he turned the car around, he said, “We got to get in here. It’s the meeting of a lifetime! ”
Inside, the head of the Directorate of Science and Technology was joined by an official representing In-Q-Tel, a corporation that the C.I.A. had set up to fund new technologies. (The “Q” refers to the technician in James Bond films.) A follow-up call from one of the participants led to more trips to D.C., and suddenly Boback and Hopkins were journeying through the shadow world of the post-9/11 national-security establishment.
There were visits with the F.B.I. and the military. They returned to Langley, to meet with another enthusiastic official, who introduced himself only as Bad Bob. The agency also instructed them to go to a Starbucks in Reston, Virginia, from which a C.I.A. officer would convey them to a secret facility. The officer drove them for several minutes before arriving at a large building, where they gave a presentation in a packed room. One audience member asked if they were prepared to sell, and, as they headed back to the car, the officer pressed them to name a price. Hopkins said, “I’m thinking two billion dollars,” which prompted laughter, and some advice: sell your technology to a large contractor, like Raytheon; don’t deal with the government yourself.
On the drive back to the Starbucks, Boback asked what prevented the C.I.A. from simply stealing their technology. The officer told them, “If you weren’t an American citizen, I would have already stolen it—and, oh, you have a connection to Senator Hatch.” The offhand comment sent a jolt of paranoia through Boback and Hopkins, who began to refer to their laptop as “the football”—the White House term for the briefcase that allows the President to access the nuclear codes. They decided to secure the software. At the time, Hopkins lived on thirty-eight acres that he had converted into a makeshift wildlife sanctuary. He burned the code to a DVD, and then walked out and buried it.
The more that intelligence operatives expressed an interest in the technology, the more Boback sought to prove its value. He and Hopkins renamed the system EagleVision X1—a reference to the “X1” markings on some classified files. When Boback saw an apparent spike in searches containing “Chechnya” and “jihad,” he let Bad Bob know. When he saw a file suggesting that an attack might be imminent in Egypt, he told a congressman.
EagleVision X1 had been designed to comb the peer-to-peer networks using search terms that Hopkins set for it. But, as Boback tried to market the software, Hopkins worked to improve the system, so that if it had a hit on a search term then it would automatically pull down everything else that was being shared on that computer. New material flooded in. EagleVision X1 found a document in China belonging to the F-35 Joint Strike Fighter program. It also pinpointed a man, about an hour from President George W. Bush’s Texas ranch, who was sharing files about sniper rifles and photos of the President’s daughter. Boback notified the Secret Service, and early the next morning agents turned up at Boback’s home.
At first, Boback assumed that anyone who willingly shared this kind of information must be engaged in some kind of illicit trade. But, as Tiversa’s system vacuumed up more examples, he learned that there was a surprisingly benign reason. LimeWire and its competitors were confusingly designed, causing people hunting for music to open up their hard drives—inadvertently designating sensitive files for sharing on peer-to-peer. In pursuit of a free MP3, jihadis and federal contractors, soldiers and diplomats, executives and celebrities were doxxing themselves. Because the people who used LimeWire were looking almost exclusively for music, this mass exposure had gone largely unnoticed.
Despite Boback’s hustle—or perhaps because of it—he struggled to sell EagleVision X1 to the C.I.A. With the chance of a big payout receding, Boback thought that perhaps the technology would be easier to sell if he built a business around it. So, in 2005, he met with a Pittsburgh financier, who agreed to invest seed money to elevate Tiversa from some lines of code into a startup. The investor recommended that Tiversa focus on corporate clients; they could bring in agencies like the C.I.A. later.
Boback rented office space in a Pittsburgh suburb, and took on his first full-time employee, a Wharton graduate, who started trying to bring order to his vision. The two clashed. In 2005, no one at Tiversa was taking a salary, and, to stay afloat, Boback spent much of his time at his chiropractic practice. (In addition to seeing patients, he had to fight to keep his license: the Pennsylvania Board of Chiropractic briefly suspended it, because he was unable to prove that he had completed an education requirement.) When Boback was in the office, his freewheeling style was often at odds with normal business practice. He admitted to me that, early on, Tiversa installed phony computer towers—plastic shells with blue lights “that literally did nothing”—to give visitors the impression that his software required more powerful hardware than it did. Sometimes he inflated the number of his employees, by having friends occupy desks in the office. Tiversa’s early literature referred to its Pennsylvania office as its “World Headquarters.” (The company had no other facilities.) “We had no credibility in the space,” Boback told me. “We wanted to make it look as good as we could.”
In 2006, a more significant investor signed on: Adams Capital Management, named for its founder Joel Adams, a Pittsburgh venture capitalist. Several years earlier, Adams had put his money into a scrappy startup that marketed laser technology, and later it sold for more than a billion dollars—a “unicorn,” in investor parlance.
Adams Capital invested more than four million in Tiversa, and helped secure an all-star board of advisers. Maynard Webb, the former eBay executive and chairman of Yahoo!, joined, and he brought on other executives from Silicon Valley. Howard Schmidt became an adviser, and soon afterward was appointed the cybersecurity czar for the Obama Administration. General Wesley Clark, the former Supreme Allied Commander of NATO, came on, and developed a good rapport with Boback, who sold his practice to devote himself to Tiversa full time.
Tiversa’s prominent supporters quickly helped Boback assemble an impressive client list: Capital One, Lehman Brothers, Goldman Sachs, American Express. The companies were paying for a monthly monitoring service, in which Tiversa scanned for breached corporate information, or the personal data of top executives. By this time, EagleVision X1 could access more than a million users, and its capabilities were expanding. Because peer-to-peer networks were constantly in flux, as people turned their computers on and off, Hopkins had designed a stable repository for the system, which became known as the Data Store. EagleVision X1, programmed with search terms that were set for clients (for instance, “Lloyd Blankfein,” for Goldman Sachs), would scour the networks, then deposit what it found in the Data Store. Each file was labelled to indicate when it was downloaded and what I.P. address it came from, so that its behavior could be tracked—if it remained in the same location, or if it was being shared, or if it suddenly vanished.
As the company matured, Boback created an “ops room,” where Tiversa analysts probed the Data Store for files related to clients. Over time, the room evolved to resemble a set from “The Bourne Identity”—a darkened space with electric-blue lighting, a window that could be triggered to go opaque, and a retinal scanner at the entrance. Tiversa’s analysts took special care to see if any files appeared to be “spreading”—passing from user to user, out of the company’s control.
American Express had the largest contract, paying a monthly fee of about seventy-five thousand dollars. Once the money began to flow, Adams Capital valued Tiversa at seventy million dollars. Along with the revenue, the company began to gain attention. In 2007, the House Committee on Oversight and Government Reform scheduled a hearing on inadvertent file sharing; it invited Boback to testify, and he asked Wesley Clark to join him.
To prepare, Clark asked if there were classified documents on the Deep Web. Boback pulled up two hundred marked “SECRET,” including information about lifesaving technology to neutralize radio-controlled bombs. Clark notified an intelligence official in the White House, who noted, with alarm, “They’re in full color!” A week before the hearing, Boback contacted Clark to report that Tiversa had located records pertaining to the Defense Department’s network for handling classified material. They were on the home computer of a contractor who was using LimeWire.
At the congressional hearing, Clark brought up the tranche of records, calling it “sort of a hacker’s dream,” though no one, of course, had hacked them; they were just sitting there in public view. He also emphasized that potential victims often had trouble understanding the issue. EagleVision X1 had found a contractor’s threat assessment of American cities—a catalogue of weak points that an enemy might attack. “We immediately contacted the contractor, and the city,” he said. “They denied the problem. They don’t understand what has been leaked.”
Seated beside Clark, Boback gave an expansive list of what a motivated searcher might find: “Federal and state identification, including passports, driver’s licenses, Social Security cards, dispute letters with banks, credit-card companies, insurance companies, copies of credit reports.” The documents, he alleged, had been harvested in Pakistan, Africa, and Eastern Europe, from foreigners who were “grabbing this information.” Only a few years earlier, he was fixing lumbar problems and selling cars on eBay. Now he was explaining to the country’s top lawmakers, “This is the new threat to information security.”
At about the time that Boback and Hopkins realized that governments and businesses were hemorrhaging information on the Deep Web, so had another man, living thousands of miles away. Richard Wallace grew up in rural Idaho, among family members who struggled with addiction. His mother’s life was consumed by pills, and two siblings would eventually die from overdoses. In a chaotic home, he developed the habit of helping people around him. After high school, he moved to Spokane, to train as a firefighter. There, he met Amy Speelmon, an R.O.T.C. student at Gonzaga University, and they were soon married. After 9/11, Amy deployed to a garrison in Germany. Wallace put firefighting on hold and joined her.
In Germany, Wallace strove to find his place. He was too independent-minded, too odd, to thrive as a military employee. But he was inclined to serve, and when his skills were acknowledged—particularly by people with authority—he was eager to please. Wallace volunteered to oversee the personal effects of soldiers killed in Iraq and Afghanistan. It was grim work that no one else was enthusiastic about doing, and he was commended for it.
To relax, Wallace often turned to his computer. Before moving, he and Amy had been watching “The Sopranos,” and at the garrison he began to hunt for pirated episodes. Exploring the Deep Web, he found that many members of the armed forces had downloaded peer-to-peer file-sharing programs, and were inadvertently exposing files: records of troop movements, accounts of I.E.D. attacks, and intelligence summaries. He helped the military identify which computers were leaking.
In 2004, the Wallaces relocated to western Illinois, where Amy worked as an R.O.T.C. instructor. Rick stayed home with their children (they eventually had five), and farmed, a little. He also kept his head in his computer. He had exploited a loophole in LimeWire that allowed him to crawl across the network, a solitary digital explorer. He sent the military more tips, and began to warn civilians about breached files, too. A neighbor suggested that he channel his expertise into a business, but entrepreneurship wasn’t in his nature; he was a volunteer. When Hurricane Katrina hit Louisiana, he drove down to assist FEMA and spent weeks helping to sort out the wreckage.
Wallace never asked for payment from the people he warned, and, perhaps as a result, they were often suspicious of his motives. To give his efforts legitimacy, he created a Web site, seewhatyoushare.com, where he blogged about his work. He sent some items to Matt Drudge and Michelle Malkin, conservative pundits he admired, and he says that they responded gratefully. Eventually, he caught the attention of Thomas Sydnor II, a former Senate staffer who had sat in on Boback’s meeting with Hatch. Sydnor had gone on to work at the Patent and Trademark Office, but he remained interested in inadvertent file sharing, and began checking in with Wallace, whom he considered one of the few people who understood the dangers.
Peer-to-peer networks were awash in child pornography, and Wallace had been issuing warnings on his Web site. Sydnor told him to stop trying to track such images, because possessing them is a crime, no matter what the reason. Sensing that Wallace could use a more structured outlet for his work, he mentioned him to Boback. Annoyed, Boback told Hopkins, “He is ruining our credibility by just being out there winging it with these calls.” The two men considered hiring Wallace, merely to eliminate competition, but on reflection wondered whether he might also have something productive to add. Tiversa had only one full-time analyst, and though he had conventional skills—he had worked at Microsoft—he lacked deep experience with peer-to-peer networks. Boback flew Wallace in for an interview, and was struck by his offbeat manner, but he reasoned that this was common in cybersecurity. Two weeks before the congressional hearing, Wallace moved his family to Pennsylvania and started work, racing to dig up material that Boback could use in his testimony.
Tiversa’s office culture, Wallace quickly discovered, was anything but formal. Early on, Boback had instituted a rule: new hires were bestowed a sword representing their character. Tiversa’s chief technology officer was given a samurai’s katana. Another employee got Gandalf’s sword, from “The Lord of the Rings.” Boback planned outings to a shooting range and sometimes came in with a pistol. Once, he displayed his gun to an executive who had challenged him. As the executive later recalled, Boback “sat at a desk in front of me and reached into his sock holster and pulled out a revolver and showed me its features.”
Wallace quickly adapted to the unconstrained atmosphere. Hired as an analyst, he helped comb the Data Store for client information, but he also commandeered an independent DSL line to run manual searches in his old way. He was often able to find files that EagleVision X1 could not, and the company’s software developers began studying his methods to improve the system’s code.
Soon after the congressional hearing, Wallace made a discovery that captivated Boback’s imagination: someone was sharing suspicious financial documents, along with images of gold bars and passports. The I.P. address belonged to a lawyer in California, who was touting investments that could return forty per cent a week. Boback, who suspected that the investments were a fraud, had the files printed; then he and Wallace, like detectives, spread the pages out on a table to study them. They spent weeks on the project, hoping to somehow earn money from the discovery.
Ultimately, there was no way to gain from it, but for Wallace the episode demonstrated the value of his idiosyncratic skills. For Boback, the puzzle was thrilling. He was an avid gambler. Often, he would stride past Wallace’s desk and summon him to leave, saying, “Waldo, you’re with me.” Wallace typically didn’t know where they were headed, but often the destination involved bets. An employee who worked closely with Boback later told the F.B.I. that she thought he was a gambling addict. (Boback denies this.)
A strange intimacy grew between the two men. There were flurries of texts at all hours, games of Halo past midnight. To others, they seemed to inhabit an atmosphere of semi-continuous scheming. The office had a window overlooking a parking lot near a Red Roof Inn. Wallace noticed a woman who often turned up to wait for a man—another puzzle that became the topic of speculation, jokes, even a mock stakeout.
At times, Boback had conflicts with peers. As a former Tiversa employee told me, “The Bob that he presents to people he just meets—that Bob is very charming, very likable, very engaging. Then, there is the person behind the mask, who is a little bit paranoid, angry, untrustworthy, greedy, generally not a nice person. If you got on his bad side, you stayed on his bad side.” Wallace began supporting Boback in conflicts. After an employee argued with him, colleagues say, Wallace designed a simulated F.B.I. arrest report, indicating that he had groped someone on a flight, and circulated it within the company. (Wallace denies this.) “Rick became Bob’s puppet,” another former employee told me. “Bob completely controlled him.”
Boback also clashed with Hopkins’s wife; she had helped start the company, but then became openly distrustful of Boback. Wallace found a clip of a porn actress who resembled her and joked with Boback about adding her name and phone number and sharing it on peer-to-peer.
Wallace says that he and Boback also purchased a G.P.S. tracker to surveil her. “We snuck over to her car, stuck it on, and watched her go to a place in Indiana,” he recalls. “She had a boyfriend there. So then Bob pulled Sam into the office, and goes, ‘Well, I hired this private investigator to see what’s going on. I just wanted to let you know.’ Of course, Sam reacts terribly, goes home, has a big fight. Sure enough, they get a divorce. Bob takes credit for it.”
Boback now tends to claim that any bad behavior at Tiversa was caused by Wallace going rogue. He told me that he ordered the G.P.S. device because he suspected that members of his sales team were defrauding Tiversa. “They were charging mileage on everything, and I was, like, come on, you’re getting paid a commission!” he said. “So I was, like, I’m going to get a G.P.S. I want to see how far these people are driving. I ordered it, got it. Wallace saw the G.P.S. sitting there, and then, without any knowledge of mine, when Sam was going through his divorce, Wallace put it on her vehicle. Now, I did know that he put it on that vehicle—after—because he had told me, and I was, like, ‘You shouldn’t be doing this, get it off.’ Which he did.”
Within a year at Tiversa, Wallace had taken on a new title, director of special operations. He continued to work as an analyst, but also spent hours on the DSL line searching for government files, or for documents with criminal implications. This work had no immediate business value, but Boback hoped that it could serve as a proof of concept, to help secure a federal contract.
Most people in the office knew little about how Wallace spent his time, but he was quietly achieving something remarkable. He passed on tips to the C.I.A., the Secret Service, the Treasury Department, the military, and the F.B.I.’s Pittsburgh field office, which began sending a special agent to Tiversa almost weekly to coördinate with him on child-pornography research. Wallace also sent the Bureau evidence of online identity theft: I.P. addresses that seemed to be harvesting Social Security numbers or credit-card information.
Sometimes, frustrated by the slow pace of federal law enforcement, Wallace fed his tips directly to police departments. In 2013, the Law Enforcement Executive Development Association, a national training organization, presented him with an award for assisting in hundreds of cases. (The F.B.I. recognized his efforts, too, in a ceremony conducted by Robert Mueller, near the end of his term as director.) Steven Pickett, who worked a dozen cases with Wallace as a deputy sheriff in Mississippi, told me, “He is a real unsung hero from another world.”
Wallace’s research opened doors into law enforcement for Boback, but it became clear that the men had different ideas about it. Once, Wallace discovered child pornography on a computer at a Catholic seminary, and told the F.B.I. Boback, he says, saw a business opportunity, and called the seminary’s director to pitch Tiversa. (Boback disputed this, saying, “I reached out and told him the problem, and he immediately said, ‘Oh, my gosh, we are going to address it immediately.’ There was never a ‘Here’s how much it’s going to cost.’ No contract discussed!”) The director notified the F.B.I., too, and Wallace soon got a call from the special agent he worked with in Pittsburgh, angrily warning him that Tiversa should never pull a stunt like that again.
For most of us, computers are effectively magic. When they work, we don’t know how. When they break, we don’t know why. For all but the most rarefied experts, sitting at a keyboard is an act of trust.
A human-to-machine relationship defined by estrangement offers a unique sales opportunity: fomenting anxiety turns out to be an excellent way to draw in clients. One of the first people to identify the tactic was the director of I.B.M.’s Advanced Computing Systems Laboratory, Gene Amdahl, who left his job in 1970 to build machines that could run I.B.M. software more cheaply. As Amdahl went to market, he learned that his former employer was warning potential customers that any hardware not made by I.B.M. was fraught with risk. The feeling that I.B.M. was hoping to inspire, Amdahl noted wryly, was “FUD”—fear, uncertainty, and doubt. The name stuck. In the nineties, Microsoft pursued a canonical FUD strategy, creating phony error messages to make consumers wary of using Windows on a competitor’s operating system—a tactic that resulted in a legal settlement exceeding two hundred million dollars.
In cybersecurity, where ordinary digital anxiety is compounded by esoteric threats, the use of FUD to generate business is especially notable. Misleading tactics—dubious assessments and glossy graphics supported by underwhelming data—have become so common that one researcher recently went online to chide colleagues to “cut the FUD.” The practice thrives because a small system failure can carry tremendous financial risk, and the immediate customers of cybersecurity services are often corporate executives, not technical experts. Given that a publicized breach can damage both a corporate brand and a career, it is safer to pay a security firm and tell no one outside the company.
“If you’re told that cyber security attacks are purported by winged ninja cyber monkeys who sit in a foreign country who can compromise your machine just by thinking about it you’re going to have a fear response,” the technical director of the British National Cyber Security Center recently noted. “The security companies are incentivized to make it sound as scary as possible because they want you to buy their magic amulets.” Among firms that occupy the gray zone between outright hacking and responsible behavior, FUD can drift into criminality: threats by innuendo, extortion.
Boback quickly intuited the possibilities that FUD could offer a skilled sales force. He pushed his staff to emphasize to potential clients that their businesses were inextricably linked to venders and customers, which meant there was no way they could close all their points of exposure. He encouraged dire warnings of “file spread,” even though it was rare for users to pass around anything but music. At Tiversa, file spread was sometimes called “digital wind,” as if it were a natural phenomenon that could not be controlled. Key to Boback’s pitch was that Tiversa had a singular ability to track the wind across millions of computers. That was true—but this unique capability meant that almost no one outside his company could verify his claims.
In early 2008, Boback called Wallace into his office, shut the door, and told him that the American Express account was in jeopardy. With Tiversa’s help, Amex had eliminated the significant data breaches on its network, and now it wanted to drastically reduce its fee. If this happened, Boback might not be able to make payroll.
Wallace later told the F.B.I. that the two men devised a strategy to convince Amex that the threat remained urgent: they would make it seem as though Tiversa had detected Amex files involving hundreds of invitation-only credit cards being shared overseas and among suspected criminals. To make this believable, Wallace secretly altered the Data Store, to give the appearance that the files had spread. In some cases, he used “burnt” I.P. addresses, from computers shut down by law enforcement because they had been involved in scams or in child pornography. Once they were taken offline, there was no way to confirm what was attributed to them. Amex ended up replacing the cards, at the cost of a million dollars, but it did not renew its contract.
Boback denies conspiring with Wallace, and claims that there was never any fraud at Tiversa. But Wallace says that in 2008 he began to systematically plant false spread in the Data Store to inspire FUD among prospective clients and to promote Tiversa’s technology. That summer, Wallace was given a performance review, praising his work: “Rick always seems to be able to find a hard hitting file or P2P situation to accelerate our client acquisition.”
Around that time, Wallace stumbled on an I.P. address in Virginia that was sharing a file with hundreds of Social Security numbers belonging to prominent people around Washington, D.C., including Stephen Breyer, the Supreme Court Justice. Immediately, Wallace pulled down everything that the address was sharing. The tranche included documents on letterhead from the Wagner Resource Group, an investment firm in McLean—clearly the source of the breach. “Bob was standing right behind me,” he recalled. “He said, ‘Don’t tell anyone.’ ” Boback’s plan, Wallace told the F.B.I., was to call the Wagner clients whose information had leaked, pretending to be investigating the breach. After angry clients began putting pressure on the firm, Tiversa could make a sales pitch.
Midway through the effort, the company’s founder, Phylyp Wagner, phoned the Tiversa offices, eager to talk, but Boback refused to take his call until more of his clients were reached. (Boback told me that he was earnestly trying to locate the source of the leaked files.) When the two men eventually spoke, Wagner later recalled, Boback told him that his files had spread to Asia, suggesting that criminals there were using them to manufacture credit cards. After the call, Wallace manipulated the Data Store to support the story, and the fraudulent data were written up in a report. The following day, Wagner, desperate to protect his clients, agreed to engage Tiversa. “These are people I’ve known for years,” he told me. “So exchanging money for their well-being—I’m willing to do that.”
For Tiversa, this was an extraordinary promotional opportunity: a Supreme Court Justice had just had his Social Security number exposed by the very problem that Boback’s business was set up to fight. But Tiversa had signed confidentiality agreements with Wagner, and so there was little it could reveal openly. Wallace says that he and Boback concocted a new plan, to use a false persona to tip off the press. Wallace had just the thing: an alias, Glen Breakwater, that he had briefly used on his old Web site. (Later, he created a Facebook profile for Breakwater, casting him as an African-American fan of Michael Jackson and Tyler Perry. The profile was a barely coherent pastiche of stereotypes, but it attracted friends, some of whom still send birthday greetings.)
Wallace, using a burner phone and masquerading as Breakwater, called the Washington Post to leak the story. The resulting article, which ran under the headline “Justice Breyer Is Among Victims in Data Breach Caused by File Sharing,” noted that the files were downloaded as far away as Colombia and Sri Lanka. Wagner told the Post that this news was “devastating.” The story pointed out that Tiversa had been brought in to remediate, and quoted Boback, saying that Wagner’s clients had been “at a very high risk, almost imminent, of identity theft.”
Wagner’s files were like a briefcase forgotten on a train but recovered moments later. The company had failed to secure its clients’ data, but there was no apparent harm: no one outside of Tiversa seemed to have noticed the slip. Later, a Tiversa employee on the Wagner account conceded, “I don’t think we ever saw the files reappear” on the Deep Web. But, by signalling that the files had spread, Boback had concocted a potent marketing parable: inadvertent file sharing could have dire consequences.
After the Post story ran, Boback and Wallace drove to Fairfax, Virginia, to meet Wagner at a bar. Wallace later recalled that he was so preoccupied by the lie he had helped engineer that, as he crossed the street from their parking spot, “I damn near got hit by a bus.” While the men talked at the bar, he said, he fantasized about what might happen if Boback were called away for a moment: “I would have slid right over to Phylyp, and said, ‘This is the biggest sham ever.’ But I never got the opportunity. Then I thought that I was glad I didn’t do that. I would have been fired on the spot.” Boback denies any wrongdoing concerning the account. Wallace told the F.B.I. that, on the drive back to Pittsburgh, Boback joked about how Wagner had been “fucked.”
With Amex withdrawing, Tiversa scrambled to sign up new customers. But, Boback told me, “we were exhausting the contacts who were helping us get to clients, the economy was starting to get a little dicey, and budgets were tightening up.” He was convinced that the problem was communication. Boback’s sales technique often involved hinting at an ominous data breach, then withholding details until potential clients paid, and on a number of occasions the approach had backfired. G.E.’s information-security team felt it was being extorted. PNC Bank contacted the authorities. Boback believed that these reactions were misdirected animus: companies were blaming Tiversa for their own security failings. He began to wonder, “How do you deliver a message without having a shoot-the-messenger-type response?” That February, a Tiversa analyst unwittingly provided an answer—a clandestine way to publicize data breaches. In an e-mail, he told Boback about a Web site called WikiLeaks, which had launched two years earlier and was attracting attention. “It claims that postings are untraceable,” the analyst explained.
Several weeks later, Wallace says, Boback told him on short notice to prepare for an overnight trip: they would fly to Atlanta and pick up a Mercedes. He added, incongruously, that Wallace should make sure to bring his computer. They retrieved the car, and on the drive back to Pennsylvania Boback asked if it was possible to use a Wi-Fi router that someone had left unprotected to submit files culled from peer-to-peer to WikiLeaks; if it was, then Tiversa could use the uploads to illustrate the need for its protection.
In Charleston, Wallace later told federal investigators, Boback pulled off the highway to look for an open router, and found one near a suburban development that was under construction. Both men were spooked and exhilarated. Boback told Wallace that he needed to use a nearby Port-a-Potty, while Wallace started his laptop and began the transfer. When a police car drove by, Wallace threw a blanket over the laptop and continued working beneath it.
Wallace uploaded to WikiLeaks an Airbus business agreement; a spreadsheet of Chevron’s assets in Canada; Dyncorp schematics for a military camp in Afghanistan; a Defense Department manual on data protection; and other documents from a folder he had named “Files for the bus”—indicating that any company with records inside could get thrown under one. On a later trip, Wallace uploaded more files to WikiLeaks, from a Starbucks in Indianapolis.
Among the most sensitive files that Wallace says he submitted were two classified technical studies of a jammer that the Army had used in Iraq to disrupt radio-controlled bombs—evidently drawn from the same tranche of documents that had alarmed Wesley Clark. Their publication triggered some of the first real criticism of WikiLeaks. Even though the jammers had largely been replaced by a newer model, there was no obvious point to revealing the way they worked, no wrongdoing exposed. As the Washington editor for Ars Technica wrote, “The decision to run with this one is just utterly baffling.”
Wallace later said that submitting documents to WikiLeaks was a low point in his life. Boback spoke about the uploads in the same gleeful way that he had spoken about other escapades. “I remember him talking about how they were going to be rich after all this broke,” one person recalled. As WikiLeaks began publishing the documents, Boback sent an e-mail to Tiversa executives, urging them to pitch the affected companies, “before some IT goon in the organization tries to convince them that they have it covered.”
Boback disputes just about everything in Wallace’s account of the trip. The first time that I discussed WikiLeaks with him, he told me, “We had no interaction with them.” Then he paused, and added, “Directly.” After another pause, he said, “That we know of.” Later, when I pressed him about the uploads, he offered a confused set of denials, saying flatly that they did not happen, but also that Wallace may have performed them without his knowledge. I told him that I intended to gather more information, and his voice sharpened. “Check it!” he demanded. “You will see it was not from a Tiversa I.P. address.”
IV. MARINE ONE
In the summer of 2008, Boback got an unexpected break, when an intermediary connected Tiversa with LifeLock, the identity-theft-protection service. The match was logical. Tiversa had patented technology but limited sales. LifeLock was adept at marketing but had no intellectual property.
Boback flew to LifeLock’s headquarters, in Arizona, and the executives he met were so enthusiastic that they called in the C.E.O., Todd Davis. Boback’s pitch, Davis told me, had “great sizzle.” Soon, a trial arrangement was negotiated. LifeLock turned over private information belonging to thirty thousand clients, so that Boback’s team could demonstrate how Tiversa would protect them. Wallace later told the F.B.I. that, on Boback’s instructions, he created about a hundred cases of false spread for those clients—manufacturing threats for people who had apparently experienced no data breaches whatsoever. According to Wallace, Boback used the LifeLock information to fill out passport applications and other official documents, which were uploaded to the Data Store, to give the impression that criminals had been circling Davis’s customers. (Boback denies doing this.)
In January, 2009, Davis flew Boback to a desert resort in Phoenix, where he indicated over a long breakfast that he was ready to work together more closely. Boback returned home energized, and in the coming months he urged Davis to buy Tiversa. He proposed a price of more than a hundred million dollars, and then worked to demonstrate his company’s value. “Every time we talked to him, he mentioned this unbelievable discovery that they had made,” Davis recalled. “He was basically saving the world every few weeks.”
A month after Boback’s breakfast with Davis, an NBC affiliate in Pittsburgh aired an explosive story: it reported that Tiversa, surveilling a computer in Iran, had discovered records involving one of the President’s helicopters—part of a squadron known as Marine One. The origins of the story went back two years, to when Wallace joined the company. During one of his open-ended searches, he discovered files belonging to Vyalex Management Solutions, an avionics firm in Maryland, which served as a contractor for Naval Air Systems Command. Concerned that the breach might harm the military, he notified an Army officer who specialized in computer crime.
In February, 2008, the officer reached out to Vyalex’s founder, an engineer named Al Leandre, to say that his company was exposing more than two hundred files. Leandre was horrified. When he was a boy, his family had fled Haiti’s dictatorship for the U.S. As a young man, he had joined the Army, out of gratitude to his adopted home, and had worked on the electronic-warfare systems of the F-18. Although Vyalex was a private company, he regarded it as an extension of his service.
Leandre quickly discovered the source of the leak: a disused Vyalex laptop that his daughter had borrowed and used to run LimeWire. None of the files were classified, but he made a risk assessment of each one, and his team tried to determine whether the files had spread. Based on information that the officer provided, they found that three inconsequential business records, including one with “Amex” in its name, had ended up at an I.P. address in Tehran. But the address had no history of espionage; it apparently belonged to a civilian trawling for financial data.
Leandre purged the old laptop and provided the military with two detailed reports. He believed that the matter was resolved. But, several months later, Boback reached out, claiming that Tiversa was still detecting “very sensitive information from Vyalex.” Rather than specify what kind of information, Boback directed Leandre to the Post story about Stephen Breyer, and warned that the reporter was “actively scouring the file-sharing networks to find any information relevant to ‘DC-area businesses.’ ” He added, “For clarity, we would never provide any information or files to any reporter whether you decided to work with our firm or not, however he will probably find them.”
Leandre politely told Boback that he had taken care of the breach, and could not afford the service. The next day, Boback wrote again, claiming that malicious people were scouring peer-to-peer networks explicitly for Vyalex records. “A great cause for concern,” he said—adding that Tiversa could reduce its fee. “We can begin right away,” he said. “Timing is critical to avoid the additional spread of the files.”
Leandre told himself, “It sounds like blackmail.” Again, he declined.
Half a year passed. Then, shortly after Boback had breakfast with Todd Davis, Tiversa began to advertise the Vyalex leak—in particular, a cost assessment that the Navy had given contractors, seeking bids to upgrade the electronic defenses of one of the President’s helicopters. In a presentation to a firm that conducts business research, Tiversa noted that the file had been downloaded in Tehran. Wallace says that the claim sent him racing to the Data Store, where he appended the file about the helicopter to the same Iranian I.P. address that had downloaded the inconsequential Vyalex files.
Boback had assured Leandre that he would never publicize his misfortune, but two days later he gave an interview to NBC, noting that a defense contractor in Bethesda had exposed “highly sensitive blueprints for Marine One” that were later downloaded in Iran. (There were no blueprints.) Wesley Clark also spoke to NBC about the file. Trusting Boback’s information—he says he knew of no impropriety at the company—he declared, “We know where it came from, and we know where it went.”
Rachel Maddow and Wolf Blitzer quickly followed with their own segments. On CNN, an analyst speculated that Iranian cyber warriors were waiting for the file, ready to pounce. (Why? “We have no idea.”) Lawmakers clamored for action. As Leandre watched the story on CNN, he began to understand that the media storm was about him. “I was scratching my head, and I was, like, Wow, Tiversa is making up this story,” he told me.
Within days, his office was packed with federal agents. “There was F.B.I., Secret Service, Naval Criminal Investigative Service, and they were all interviewing me, so stern,” he told me. “They were saying, ‘Do you have any reason to harm the President?’ And I’m, like, ‘What are you talking about?’ They thought this could have been some kind of espionage!” The investigation lasted for weeks, before the military exonerated Leandre. “I lost weight, I vomited for so many days,” he said. “I mean, I thought I was getting shipped to Guantánamo.”
After his NBC interview, Boback and several Tiversa employees had dinner at a family restaurant north of Pittsburgh. An attendee later told the F.B.I. that Boback laughed about how he had got away with the story, while one of his tablemates plugged his ears and said that he didn’t want to hear it.
When I pressed Boback about his media blitz, he told me, “I have often wondered if Wallace did, in fact, find the file in Iran. To this day, I have no idea.” N.C.I.S. never verified that the file was in Iran, either. But, in the course of the inquiry, two agents paid a call on Tiversa. They interviewed Wallace, who, fearful of losing his job—Boback had just dramatically fired an executive—confirmed Tiversa’s account of the file. Boback, meanwhile, found a way to turn the inquiry to his advantage. That March, a LifeLock executive wrote, asking, “Did you get a ride on the President’s copter for saving the day on that one?” Boback replied, “No ride on the helo yet but I have had meetings with NCIS on Thursday. I already met with DoD, USSS, FBI, and Defense Security Service over the breach. I am trying to set up a broader deal with military on ID theft as well using our access now. Do you see what we bring to the table????? :-)”
The following month, LifeLock agreed to incorporate Tiversa into its premium service. That summer, Todd Davis invited Boback to a Nascar event that LifeLock was sponsoring at the Chicagoland Raceway. “I remember walking in with Todd, and there were these pictures of him there that were fifty feet tall—tons of them in the grandstand,” Boback told me. Davis let him ride in the pace car with the event’s grand marshal, Jimmy Fallon. Later in the trip, Boback impulsively bought a Lamborghini, his boyhood dream car, and shipped it home to Pittsburgh.
The headquarters of the Federal Trade Commission occupy a monumental building on Pennsylvania Avenue, in Washington. When the structure was erected, during the Great Depression, Franklin Delano Roosevelt heralded the commission’s mandate to apply “the golden rule” to the conduct of business. Originally founded to protect consumers from monopolistic behavior, the F.T.C. was by then working to guard against false advertising and other unfair practices. At the headquarters, a granite sculpture—a man taming a wild horse—acknowledges the difficulty of that task.
As the F.T.C. began to explore its role in the digital marketplace, it had no technologists on staff, and no court had affirmed its authority in cybersecurity. But it was clear that the reason for concern was growing. Among the problems were peer-to-peer networks. By 2004, consumers had downloaded file-sharing programs more than six hundred and forty million times. When Boback testified before Congress in 2007, he framed the concern in a way that fit with the F.T.C.’s mission of protecting consumers: file-sharing programs could cause corporations to expose clients’ private data. If such a security failure amounted to an “unfair act” against consumers, the commission reasoned, then it could intervene.
After Boback’s testimony, lawyers with the F.T.C. reached out to him, requesting that Tiversa turn over information on companies that had exposed private customer information, so that it could investigate. The lawyers explained that they were prepared to issue Tiversa a legal demand for the information. (Companies often turn over privileged customer data only if compelled.) Tiversa asked that it be sent instead to a shell company that would serve as a conduit—the Privacy Institute, which listed an address at Boback’s uncle’s house, in New Jersey. This would neuter the demand, but the F.T.C. agreed. Tiversa’s Data Store by then contained more than five million breached documents, and the lawyers wanted access.
When the demand arrived, Boback asked his staff to draw up a list of companies that fit the criteria. (He claims that this was the extent of his involvement.) The job fell to Wallace, who says that Boback helped him compile a kind of roster of retribution. In August, the Privacy Institute sent the F.T.C. a spreadsheet of eighty-four companies that had suffered security failures. None were Tiversa clients; eleven had worked with Tiversa for a time and then stopped.
Boback understood that he could exploit this information. As the list was being drafted, he sent a note to Todd Davis, marked “keep this confidential.” In it, he boasted that he had an inside tip: the F.T.C. was investigating about a hundred companies that had exposed private consumer data. (He neglected to mention Tiversa’s role in the inquiry.) That autumn, Boback plotted with LifeLock to pitch the affected businesses. He claimed that the companies collectively had exposed information for as many as seven hundred thousand people, each one a potential customer, and he promised Davis “a huge upswing in members.”
One of the companies on the list was an AIDS clinic in Illinois, the Open Door Clinic, which had declined to hire Tiversa to fix a data breach. Three days after Boback promised Davis a surge in membership, he and Wallace began calling Open Door patients whose information had been exposed. “One guy I talked to said, ‘How did you know I was H.I.V.-positive? I haven’t even told my family yet!’ ” Wallace recalled. “And it was, like, ‘Sorry, bud, you probably should talk to Open Door.’ ” (Boback told me that Tiversa never made the calls. When I noted that phone records unearthed by Congress indicated otherwise, he said that they were likely faked.) Tiversa’s lawyer also reached out to the patients, and filed a class-action suit against the clinic, which was eventually settled.
After the F.T.C. made its investigation public, in February, 2010, Boback triumphantly declared that fourteen of the companies on the list had contacted him for help. Davis told me that his own company didn’t sign up any clients. But by then Tiversa’s deal with LifeLock was bringing in so much business that Boback mounted an L.E.D. ticker on a wall to track the gains. Joel Adams decided to buy five million dollars’ worth of shares. Although none of the money went into the company, Boback assured his employees they were millionaires who just didn’t know it yet.
Despite this windfall, Tiversa was facing a growing problem. The F.T.C., in its effort to protect consumer privacy, had been pressuring the designers of peer-to-peer applications to make their software less confusing. Newer iterations of LimeWire effectively shut down the mechanisms causing accidental breaches; then, in 2010, LimeWire itself was shut down by a court injunction, for mass copyright infringement. At the same time, Spotify and other streaming services were causing people to stop sharing files entirely. EagleVision X1 was pulling in less and less. By the end of 2010, Todd Davis was noticing. Eventually, after paying Tiversa about forty million dollars, LifeLock cut all its ties.
To compensate for the diminishing flow of files, Tiversa’s developers recalibrated the software to pull down virtually everything it encountered. Meanwhile, Boback tried to devise malware that would trick people into exposing files; he told his reluctant developers that it was for the intelligence community. Wallace, according to his F.B.I. testimony, hunted for material in hacked records from Sony, Stratfor, and Adobe and uploaded it to the Data Store.
Sam Hopkins cashed out and left. Increasingly, Boback told people that he had little interest in running the company. Amid the crisis, his behavior seemed scattershot. In 2012, Tiversa bought a seven-story landmark building in downtown Pittsburgh: a grand headquarters, plus extra floors that could be rented out for income. Boback created a spinoff, Tiversa Media, hoping to somehow monetize pirated MP3s that the system pulled in. In an upbeat note to Wesley Clark, he wrote, “We have now acquired the largest music repository in the world. We have roughly 4x the music content of Apple’s iTunes.” Clark remembers telling him, “What are you going to do with that? Is it legal?”
Boback was also working with MetLife on an I.D.-protection deal, resembling the one with LifeLock. For the pitch, he had devised a dramatic flourish. He purchased the Social Security numbers of several MetLife executives, from a service that private investigators use, then flashed them on a slide during a presentation, implying that Tiversa had found them on peer-to-peer. Bill Wheeler, who was MetLife’s president of the Americas, saw through the stunt, but decided to sign on anyway. Once under contract, Boback began urging MetLife executives to buy his company.
Tiversa’s undoing began in the summer of 2013, with a YouTube video. Michael Daugherty, the owner of a cancer-screening lab in Atlanta, had posted it to publicize his memoir, “The Devil Inside the Beltway”—a reference to the F.T.C., which Daugherty believed was destroying his company, in a conspiracy that included Tiversa. The video had an urban-doom aesthetic, reminiscent of “Batman.” Over a soundtrack of percussion and agitato strings, it opened with three title cards: “Government Funded Data Mining and Surveillance,” “Psychological Warfare,” and “Abusive Government Shakedown.” The sequence ended with an explosion and a pair of eyes glaring through a draped American flag—the book’s cover art.
In the video, Daugherty appeared beside a mural-size painting of George Washington, wearing a white oxford shirt and a dark blazer. In a flat Michigan accent, he asked, “What am I doing here?” Then he put a red plastic whistle in his mouth and blew. He explained that he had built his company, LabMD, into a successful business, until “suddenly one day the phone rings, and it’s a guy named Robert Boback.”
The call came in 2008, after a computer in Daugherty’s billing department exposed documents through LimeWire. Rick Wallace downloaded one of them—a file containing the private information of more than nine thousand patients—and a Tiversa sales executive made an initial pitch. Then Boback took over, pursuing a FUD-centered strategy. He declined to provide details about the source of the breach unless Tiversa was hired, while suggesting that the risk was growing because people were “searching precisely for the exact file name.” This struck Daugherty as preposterous: the file’s name was “insuranceaging_6.05.071.pdf.” Offended by Boback’s manipulations, he told Tiversa to direct all further communications to his lawyer, and put the matter out of his mind.
Then, in January, 2010, an attorney with the F.T.C. sent a letter, announcing that LabMD was under investigation for breaching federal data-security law. “The letter’s immensity shocked me,” Daugherty wrote in his memoir. In eleven pages of legalistic prose, the F.T.C. demanded proof of compliance. Daugherty sent over thousands of pages of records, noting that he had obeyed medical-privacy laws and had closed the breach the moment he learned of it. “The F.T.C. was on my mind at all hours of the day,” he wrote. “If I was up in the middle of the night to use the restroom, I thought of the F.T.C. If I drove down the road to work, I thought of the F.T.C.”
Almost as soon as the investigation began, Daugherty wondered if Tiversa had been involved: the LabMD file at the center of the inquiry was the same one that Boback had obtained. Haunted by the idea of a connection, Daugherty began researching. Both of his parents had been police officers, and, he told me, “my whole life was marinated in investigators and prosecutors and lawyers.” He found that Tiversa had provided LabMD’s breached documents to an academic at Dartmouth, and that Boback had cited them in congressional testimony, in 2009. The idea that Boback was publicizing his misfortune ate at him. He told himself, “This means war.”
Daugherty’s lawyer sent Tiversa a list of questions, which Boback ignored. Getting answers from the F.T.C. was no easier, and Daugherty began to vent his frustration. He claimed, publicly, that Tiversa had engaged in “property theft” when it took the file. Tiversa’s lawyers responded with a cease-and-desist letter, which argued that the file had spread on peer-to-peer and was available for anyone to take. “Tiversa is not a ‘thief,’ ” they insisted, adding, “The F.T.C. investigation is a direct result of LabMD’s security failings, and nothing more.”
The legal warning did not deter Daugherty from writing his book, which accused Boback of being a con artist and his company of “mental abuse.” Boback, irritated, wrote to an associate, “The problem is that he needs a face to his ‘villain’ and unfortunately (and incorrectly) chose me.” Soon after Daugherty posted the promotional video, Tiversa sued him for defamation. At almost the same time, the F.T.C.—nearly four years after it launched its inquiry—sued Daugherty’s company for failing to safeguard its data. Tiversa became involved in both cases, maintaining that it had originally downloaded the LabMD file from a computer, in San Diego, that appeared to belong to an identity thief.
At Tiversa, a former employee told me, Boback seemed intent on pursuing Daugherty, even though it brought no obvious benefit to the company: “It got very cultish. We had this very charismatic leader, who would call these meetings for the entire company and start rambling about how he was being persecuted, how he was going to win, how crazy Daugherty was.”
As the fight intensified, Rick Wallace was spending less and less time in the ops room. Once Tiversa signed up companies like LifeLock and MetLife, his skills at uncovering eye-catching records were less relevant. Boback, instead, pushed him into the role of part-time superintendent—dealing with elevator breakdowns, burst pipes, and broken light bulbs. Eventually, Boback hired Wallace and his wife, Amy, to clean up a house that he was flipping: a ramshackle place occupied by feral cats, which had left it in a toxic, stomach-turning condition. They called it Catmandoo.
Wallace began drinking heavily and talking less to Boback. Nonetheless, he says, Boback called him in just before Tiversa issued Daugherty the cease-and-desist letter, asking him to make it appear as if the LabMD file had spread across the peer-to-peer network. Wallace was reluctant: he was conscious that he had pulled down the file from Daugherty’s company, and had noted his findings in writing. Still, he complied, linking the file in the Data Store to several burnt I.P. addresses. In 2013, as Tiversa pressed Daugherty to settle, he did so again, making it appear as if the file had spread to six locations, including a computer in San Diego.
Recognizing that his fabrications were becoming legally significant, Wallace began to come apart. “I was already stressed,” he recalls—suffering, he says, from P.T.S.D., caused by his online research into child exploitation. On New Year’s Eve, 2013, he got drunk and ended up in a physical altercation with his wife and daughter, and the police arrested him—the first of several arrests tied to drinking. “No one was even trying to understand what was happening to me,” he told me. “I drank too much alcohol—always beer—and got in trouble.”
In January, 2014, Wallace received a subpoena from Daugherty’s lawyers, who were seeking to understand how the LabMD file had been exposed. He worried that he would have to either lie under oath or implicate himself and risk retaliation. After he expressed his fears to Boback, he says, Boback summoned him to his office, where he was toying with a pistol: “He’s, like, ‘Well, Waldo, if you fuck with the bull, you get the horn.’ ” (Boback says that he had no weapon, and that he simply directed Wallace to tell the truth—which, he maintains, is that he never ordered anyone to create false spread.)
On February 4th, Tiversa’s lawyers agreed to have Wallace deposed. Soon afterward, Wallace says, he got a prescription for Ambien, which he took after drinking, then got into his car and totalled it. The following day, he drove the family’s other car to Tiversa, where he and Boback had another standoff over the deposition. (Boback says they never met at the office.) As Wallace left, he says, Boback followed him into the elevator. “We were on the seventh floor, and he pushed the sixth-floor button, and as soon as the elevator doors closed he slammed me against the wall,” Wallace recalled. Boback commanded him, again, to lie in order to corroborate the company’s version of events. When the elevator arrived at the sixth floor, he got off.
Afterward, Wallace sat in his car and drank beer for a while, trying to calm down. Finally, he started the engine. “I just went around the corner from Tiversa and sped as fast as I could into a light pole,” he says. “I just wanted to end it.”
He was arrested. Boback picked him up and drove him home, warning that if he didn’t get treatment for his drinking he would be fired. Days later, Wallace checked himself into a facility, which Boback had chosen. Whatever the benefits of rehab, it would also serve to isolate Wallace—perhaps even make his deposition impossible. (Boback told his executive assistant to avoid contact, explaining, “He needs treatment, not friends right now.”) When Daugherty’s lawyers tried to contact him, they were told that he was inaccessible for medical reasons.
Almost as soon as Wallace started rehab, Boback fired him. He then hired a private-investigation company, Inpax GPS, to dig into the Wallaces’ background, and brought security professionals to Tiversa to conduct “self-defense training.” Inpax GPS produced a threat assessment that blended verifiable facts with assertions that seemed to originate from Boback, for instance that Wallace exhibited “extreme jealousy and threatening behavior directed toward Tiversa’s CEO.” It described Wallace’s run-ins with the law, including one from 2013. The previous summer, the Wallaces had hosted an eight-year-old girl from New York, through the Fresh Air Fund, and the girl’s mother complained that Wallace had behaved inappropriately. Wallace strenuously denied the accusation. Following an investigation, the authorities declined to pursue a case, and an administrative judge who reviewed the evidence recommended that the complaint be expunged. But Boback knew of the inquiry, and details about it turned up in the Inpax GPS assessment. He then cited the report to associates, giving the impression that Wallace was a molester.
When Wallace came home from rehab, some of his law-enforcement contacts would no longer return his calls. He had no obvious way to turn his career around, and felt increasingly isolated. On the evening of April 2, 2014, he was sitting in front of his computer at home. On impulse, he began searching for Mike Daugherty’s number. A few months earlier, Daugherty had announced that he could no longer stay in business; in a melancholy note to employees, he had written, “Our futures are full of unknown waters.” Suddenly, Wallace felt compelled to confess.
That evening, Daugherty was at a Thai restaurant in Atlanta. He had arrived early, and was waiting for some friends, when his phone rang. He answered, and a man’s voice he didn’t recognize said, “Is this Mike Daugherty?”
“Yeah,” Daugherty said.
“Do you know the name Tiversa?”
“Yeah,” Daugherty said.
“Well, I know a guy who would be willing to talk to you about what really happened. Can you talk to him? Would you retaliate?”
“Can you tell me who the guy is?”
“It’s Rick Wallace,” the man said.
Daugherty said that he wanted to get his lawyer’s advice, and hung up. The lawyer told him to call back immediately, but Daugherty didn’t have the number: the caller’s I.D. was masked. Twenty minutes later, the man phoned again. Daugherty ran to the parking lot to take the call. “O.K., yes,” he said, hurriedly. “I can talk to him.”
There was a pause. “Well,” the man said, “I’m Rick.” Wallace almost immediately started to cry. “I destroyed your company,” he told Daugherty. “I did terrible things.” He spoke a little about what he had done at Tiversa; LabMD, he explained, had been on the list that went to the F.T.C. Then he passed the phone to his wife, and to one of their daughters. “Everyone was wanting to apologize,” Daugherty recalled. He assured Wallace that redemption was possible. He said, “Let’s focus on fixing this.”
Daugherty strove to help Wallace obtain legal immunity to testify in his F.T.C. hearing, and he put Wallace in touch with the House Committee on Oversight and Government Reform. Darrell Issa, the committee’s chairman, believed that LabMD’s case raised questions about the scope of the F.T.C.’s authority. Moreover, Boback had twice testified before his committee. If he had not been truthful, Issa wanted to know. The committee launched an investigation.
Wallace was suddenly poised to be a star witness in two significant Washington inquiries. But he was drinking again, and still terrified of retaliation. In April, a congressional staffer reached out, to inform him that his testimony was required. Days later, he walked into the local police department in a panic, fearing that a scheduled call with Congress was a ruse orchestrated by Boback to intimidate him, or to find out what he planned to say. Wallace told the police that he had been receiving threatening phone calls and death threats posted on his car. His preoccupation with being harassed often interfered with his ability to testify. He later told congressional investigators that he found a Tiversa envelope in a shed behind his house, with a note scrawled on it: “I.C.U.” He took a photo—evidence, he said, that Boback was monitoring him and his family.
That spring, Boback travelled with his family to the Yemeni island of Socotra, and in the summer they went to Namibia. At home, though, he resembled a man at war. He hired the former White House press secretary Ari Fleischer to advise him in Washington, and he worked to assail Wallace’s credibility with Congress and the F.T.C. Tiversa also passed the Inpax GPS threat assessment to David Sitler, the police chief in Wallace’s community, who initiated a “force protection” measure. As summer gave way to fall, Wallace says, Sitler became a near-constant presence at his home. (Sitler, who was later fired for police brutality, denies this, saying, “We only monitored him if we came into contact with him.”)
Inpax GPS also increased its efforts, assigning two investigators to track Wallace’s movements. Under Boback’s direct guidance, they coördinated with the police to place a hidden camera in a traffic cone outside Wallace’s home. The footage was unremarkable—the mailman, Wallace’s children—and after three days the investigators suggested that the surveillance be discontinued. An employee at Tiversa learned about the camera and secretly sent word to Wallace to be careful.
In November, 2014, the Department of Justice finally granted Wallace immunity to testify. Boback passed the news to one of his private investigators, striking a cool tone. “It will work out for the best,” he told him. “Even though he will say ridiculous lies about Tiversa, he will get exposed.” But, at the office, he seemed far from calm. Two former employees say that they witnessed Boback trying to manipulate Daugherty’s file in the Data Store—making further changes to metadata that might figure in Wallace’s testimony. In April, 2015, a month before the F.T.C. hearing, Wallace says, he found a warning chalked on his driveway: “U R DEAD.”
Wallace was a quiet presence in court. Sitting before an administrative-law judge, he described systematically creating fraudulent file spread in the Data Store at Boback’s direction. When asked how many Tiversa clients had been given false information, he said, “Probably every company that we’ve ever done business with.” During testimony about Daugherty’s company, the judge asked, “Did Mr. Boback have any reaction to LabMD’s decision not to do business with Tiversa?”
“Yes,” Wallace said.
“And what was that reaction?”
Wallace glanced at his lawyer, who instructed him to answer. “He basically said, Fuck him,” he said. “Make sure he’s at the top of the list.”
The hearing triggered a storm of coverage—as Ari Fleischer informed Boback, “one story after another with similar bad headlines.” CNN went with “Whistleblower accuses cybersecurity company of extorting clients.” The bad press worsened after Darrell Issa’s committee released a long report that asked whether Tiversa was a “hi-tech protection racket.”
Joel Adams wrote to Boback, “F these guys Bob. We are the winners here.” Boback responded, “They’ll get theirs.” With Fleischer, he drafted a letter to the Wall Street Journal saying that his company was a “good Samaritan.” He argued that if Tiversa had never contacted LabMD its internal records would still be online, exposing the private information of thousands of patients. And he asserted that “the suggestion that Tiversa provided information on exposed files to the Federal Trade Commission as a means of retribution because LabMD didn’t hire Tiversa is 100% false.” Wallace, Boback said, “is an individual with a history of not telling the truth, and the information he testified about is demonstrably false.” But he refrained from demonstrating how any of the allegations were false.
By this time, the Department of Justice had launched a criminal probe into Tiversa, and on March 1, 2016, a convoy of black vehicles filled with armed federal agents pulled up to the company’s headquarters. They stormed the building and also interviewed employees at their homes, including one executive who was so nervous that he kept trying to drink from an empty water glass; eventually, he confessed to knowing that Wallace had added false metadata to the Data Store. The agents also commandeered records and seized the Data Store. The archive—a room filled with servers, stacked in racks seven feet tall—by then contained an estimated billion files, a trove measurable in petabytes. The federal agents sought to copy just a fraction of it; the process took so long that they needed a second search warrant.
Law-enforcement officers strive to keep such investigations secret. But, during the raid, a mysterious Twitter account made this impossible. By then, Tiversa’s employees were in open revolt. (Several had left the company, while others had written to Adams, begging him to take action against Boback: “He risks everything for his own personal gain, and will lie to anyone to maintain his status.”) The Twitter account posted a dramatic photo of the F.B.I. convoy, copying it to the Pittsburgh Post-Gazette, with a note indicating that Tiversa was being raided. The news was a deathblow. The board, driven by Adams, installed a new C.E.O., but there was very little that he could do. The company’s brand was demolished. Tiversa would soon have to be sold.
The judge in Daugherty’s case found Wallace credible, and he ruled against the F.T.C. (Based on a videotaped deposition, he deemed Boback evasive and untrustworthy.) His ruling was validated last year by an appellate-court judge, who noted, with unusual indignation, that the “aroma that comes out of the investigation of this case is that Tiversa was shaking down private industry with the help of the F.T.C.” The commission’s lawyer conceded, “Tiversa engaged in serious, serious misconduct.” Before he could argue that the F.T.C. was untouched by that conduct, the judge cut him off, insisting that the commission should have let the matter go “after the evidence collapsed.”
By then, Tiversa had been dismantled. It had too many liabilities to be sold outright, so the board had decided to carve out its assets. Still, no sale could be undertaken without ethical complications. The Data Store was the cybersecurity equivalent of nuclear waste—a vast repository of personal, financial, and corporate information, sensitive government records, and whatever else had been exposed on the Deep Web. Was it moral to put a price tag on it—to profit from, say, Justice Breyer’s Social Security number? Was it even legal? Would there be an audit to insure that the deal contained none of the hacked content that Wallace had uploaded, none of the pirated music, no child pornography? The sale included health-care information protected by strict privacy laws. Was that a crime?
In February, 2017, Tiversa’s primary shareholders began negotiations with Kroll, the corporate-intelligence firm, to sell off the company’s core assets for several million dollars. The deal, closed within four months, was kept quiet. Earlier this year, a spokesperson for Kroll agreed to make an executive available to discuss the acquisition, if I provided a list of questions in advance. After I sent the list, the discussion was abruptly cancelled. Kroll instead offered a brief statement. It said that Tiversa’s technology strengthens its “existing business offerings,” and that Kroll is not pursuing the company’s former “business operations.” One person involved told me that Kroll wanted the assets for corporate-intelligence purposes. It hired a handful of Tiversa employees to maintain the system. This January, someone in England detected it working and wrote on Twitter, “Care to tell me why you are snooping my I.P. address?”
After the raid on Tiversa, Boback moved his family to a waterfront compound in Florida, with a tennis court, a pool, a pier. He bought a construction company in Tampa Bay. Its Facebook page posted a photo of him, standing on a yellow Komatsu truck, wearing jeans and a safety vest and grinning.
At the time of the photo, Boback was still under federal criminal investigation. A year after the raid, though, the Department of Justice decided to drop its inquiry. Prosecutors typically do not comment on such matters, but it is possible to speculate on the reasoning. For one thing, the Data Store was a forensic hall of mirrors. For another, not all forms of FUD are criminal. Tiversa’s actions never seemed to achieve the sharp edges of extortion. As for fraud, while some potential clients appear to have been fed entirely fabricated information, the tactic, as Wallace described it, was more often to exaggerate real breaches. It wouldn’t be easy for a jury to delineate where Tiversa profited from fiction and where from fact. And, even though there were at least three other witnesses to the creation of false spread, the prosecution would have to build its case around the testimony of a man with a drinking problem and a record of arrests.
In March, 2017, two weeks before the Department of Justice closed its Tiversa case, Wallace fell from a tree while helping a neighbor do some pruning. He smashed his spine, and, paralyzed from the waist down, was unlikely to be able to testify for many months. Confined to a wheelchair, he now works as a security consultant. Daugherty is trying to return to health care. In the meantime, he promotes himself as an expert in “cybersecurity response,” and focusses on litigation. He recently sent me a pie chart demonstrating the many cases he had initiated.
Boback, despite his efforts to project the image of a carefree construction magnate, remains mired in the legal fights over Tiversa, and is still sensitive to accusations about how he ran the company. Shortly after Joel Adams forced him out, he wrote a post on LinkedIn promoting a memoir. When I asked about the book, Boback told me that it existed only in his mind—a fiction to communicate to business associates that he had a story to tell. In any case, he said, an imaginary memoir is the best kind to have when you can still be deposed.
The LinkedIn post described the book as the tale of a heroic businessman, fighting to overcome small-minded enemies—particularly Adams, whom Boback now likes to depict as the cause of Tiversa’s problems. Titled “Politics of Greed,” it would contain supportive forewords by Wesley Clark and Ari Fleischer. Although the book was still unwritten, Boback offered a sample of the advance buzz: a blurb from a reader who called his story a “travesty of justice,” and one from another who asked, presumably of Adams, “Is this Pittsburgh’s Bernie Madoff?” The description suggested that Boback was a whistle-blower, sacrificing everything to expose wrongdoing. “The entrepreneur was terminated, investigated, and ‘scape-goated’ in his effort to bring this information,” it read. “However, he overcame these attacks to build a new multi-million dollar firm to provide the resources to bring this forward.” Boback assured readers that he would ultimately triumph over his foes: “You’ll be cheering in the end!” ♦
Article reposted with permission