By John Fleck
Journal Staff Writer
In the Internet's dark alleys, shadowy hackers slip down the wires, jiggling computer door handles, looking for a way in.
For more than three years, Shawn Carpenter sat behind those computer doors at Sandia National Laboratories. A member of Sandia's "protect and defend" computer security team, he listened for the characteristic jiggle of a hacker trying to find an opening.
He does it no longer.
According to a lawsuit filed last month, Sandia fired Carpenter in January in a dispute over his pursuit of foreign hackers.
In the Jan. 19 notice of termination, Carpenter's Sandia manager charged him with "being insubordinate, violation of the law, and utilization of Sandia information outside of Sandia."
Carpenter had followed the hackers out into the Net's online alleys, trying to understand what they were doing and how.
After one such foray, Carpenter found what looked like evidence of widespread break-ins at U.S. military sites. But when he told his boss, Carpenter was told to ignore it, according to the lawsuit, filed last month in Bernalillo County District Court.
"We don't care about any of this," the suit says his superior told him. "We only care about Sandia's computers. Stop whatever you are doing immediately."
Carpenter's story has made national news, with Time magazine writing a lengthy story on him and his chase of foreign hackers.
On his own time, Carpenter tracked the hackers from home with his own computers.
Carpenter shared what he learned with federal computer security officials and the FBI.
"I'm really passionate about what I do," Carpenter said in an interview.
The lawsuit against Sandia claims wrongful termination and defamation.
Sandia officials would not comment beyond a statement: "Sandia does its work in the national interest lawfully," the statement said. "When people step beyond clear boundaries in a national security setting, there are consequences. The threat of legal action, privacy issues, and national security concerns associated with Mr. Carpenter's case limit our response. We stand by our decisions in this case."
Carpenter said Sandia officials never told him what law he is alleged to have broken. Federal investigators with whom he was working provided him a letter saying nothing he had done while snooping the Internet was a prosecutable offense.
The New Mexico Department of Labor investigated the firing and found insufficient evidence to support Sandia's claim of misconduct on Carpenter's part.
On the trail
The encounter with hackers that eventually led to Carpenter's firing began in September 2003, when defense contractor Lockheed Martin came to Sandia looking for help dealing with a computer break-in.
According to court documents, Carpenter helped the defense giant plug holes through which "foreign hackers" had gotten in.
Lockheed Martin manages Sandia for the federal government, but these were break-ins on Lockheed Martin's corporate network, not at Sandia.
Early in 2004, hackers broke into Sandia computers, stealing some "sensitive but unclassified data," according to the lawsuit. They appeared to come from the same foreign computer that in 2003 had been used to launch the assault on the Lockheed Martin network.
Tracking computer break-ins is made more difficult by hackers' practice of breaking into one computer, then using that machine to launch an attack against another.
In this case, Carpenter was able to trace the hackers to overseas computers they were using to stash pilfered computer documents. He also saw a connection between the Sandia and Lockheed break-ins and others reported by a U.S. military computer security team.
Looking over the data stashed on the foreign server, Carpenter realized, according to his lawsuit, that "a large number of U.S. secure computer systems — military, government and private sector ... were being compromised."
It was when he reported the discovery to his bosses that he was told to do nothing.
Working off the clock
Concerned that national security was at stake, Carpenter last August approached "a reliable government contact, outside of Sandia" with the information.
In an interview and in court documents, Carpenter did not name the country involved. But Time magazine reported the hackers were coming from China.
To track hackers, computer security professionals often adopt what they call "white hat" tactics — using the same techniques and tools the hackers use.
According to his lawsuit, Carpenter had previously been authorized by Sandia management to use methods similar to the hackers to retrieve stolen Sandia files from the foreign computers where the information was being stashed.
It was "in keeping with his prior work" chasing the hackers onto their own turf that Carpenter pursued the new case, working on his own time with the FBI, according to the lawsuit.
Carpenter's lawsuit says he told his managers in the fall of 2004 that he was doing it, and they did not press him for details.
But last winter, according to the lawsuit, things began falling apart. Managers began quizzing him about his pursuit of hackers and on Jan. 6 demanded that he sign a memorandum stating that he would not work for any outside agencies on his own time.
In defense of his actions, Carpenter complained during a heated January meeting that lab officials had been unwilling to act on security problems he had found that "threatened national security," Carpenter's lawsuit states.
Realizing his work situation had deteriorated, Carpenter drafted a resignation letter on Jan. 11. His managers refused to accept it, but then fired him on Jan. 17, according to the lawsuit.
In the months since, Carpenter has found a new job in computer security on the East Coast, he said in an interview. He would not name his new employer.
Carpenter said his actions were driven by his desire to do what he believes was Sandia's primary mission: protect national security. "I felt really strongly," he said, "that I was doing the right thing."