Original URL: http://www.theregister.co.uk/2004/03/25/interview_with_the_keystroke_caperist/

Interview with the keystroke caperist

Bugged bosses' PC to 'expose improper practices'

By Kevin Poulsen

Posted in Security, 25th March 2004 10:32 GMT

A former claims adjuster for a US insurance company is the first to be charged under federal wiretap law for the covert use of a hardware keystroke logger, after he was caught using the device while secretly helping consumer attorneys gather information to use against his own company.

Larry Ropp, 46, was indicted Tuesday by a federal grand jury in Los Angeles on a single count of endeavouring to intercept electronic communications. Ropp is accused of installing a "KEYKatcher" keystroke logger on the PC of a secretary to a vice president at the Bristol West Insurance Group where he worked. The KEYKatcher attaches inline with a keyboard connector, and stores every keystroke in an internal memory for later retrieval.

In an interview with SecurityFocus, Ropp admitted to using the device, which he says he ordered off the Internet. But he defended his office skullduggery as a necessary evil to expose improper anti-consumer practices at the company. "The FBI themselves use key loggers quite a bit," he said. "Here, I'm a whistleblower, and I'm getting the shaft."

Ropp was working at Bristol West's Anaheim, California office last year when a state appeals court ruled that the company had been illegally cancelling the policies of customers who were a single day late with their payments. Under California law, an insurance company must give 10 days notice before cancelling a delinquent customer's automobile liability policy. Bristol West had been circumventing that requirement by issuing "cancellation notices" with every bill, before payment was due, so that by the due date the 10 days had already passed.

"If it was due Tuesday, and you had an accident on Wednesday, you didn't have any insurance," says Ropp. "It was out-and-out a wrongful, illegal denial."

A California appellate court ruled against Bristol West in January, in a lawsuit filed by a customer, Curtis Mackey, who'd been involved in an auto accident two weeks after missing a payment, and was consequently denied a claim. Without admitting wrongdoing, the company subsequently agreed to pay six million dollars to settle a separate class action lawsuit filed on behalf of customers whose policy was cancelled without proper notice.

Office Intrigue

As he tells it, the affair left Ropp with a bad taste in his mouth, and ultimately turned him against his employer. "I just felt there were a lot of people getting screwed," he says. By his account, which meshes with an affidavit filed by an FBI agent in his case, Ropp began secretly copying internal company documents about the cancelled policies, then passing them on to two lawyers representing plaintiffs in the lawsuit.

Then, late last year, Ropp, the attorneys, another Bristol employee and a private investigator all met with investigators with California's Department of Insurance, which is charged with enforcing insurance laws in the state. There, Ropp offered what the FBI describes as "information concerning Bristol's handling of certain claims".

What happened next depends on who you ask. Ropp says the Department was interested, and wanted Ropp to get more documentation. "They told us to gather all the information we can," he recalls. The Department remembers it differently. "It's a very strange situation," says spokesperson Carrie Beckstein. The meeting took place at Ropp's request, Beckstein said, and the investigators were not persuaded to probe Bristol's practices. "The only information that we wanted was, what, exactly [Ropp] was up to... We have not requested his services. We did not ask him to go out and elicit information."

Regardless, Ropp says he set his sights on a company database of every customer who might qualify as a member of the class in the lawsuit. "What I was trying to do is get the current list of those claims, and what they did or didn't do with them, and I wanted to get that for the Department of Insurance," says Ropp.

That's where the FBI and federal prosecutors say Ropp crossed the line. The database was password protected, and Ropp decided to crack the system. After some Googling, he settled on the KEYKatcher as the best tool for the job. "Basically all it does is capture every stroke that you type into the computer, like passwords and stuff." He ordered it online, and secretly installed it on the secretary's machine.

The plan began to unravel on 3 September, when the company fired Ropp for, as the FBI puts it, "not adhering to its time-keeping policies." (Ropp says he failed to report the time he spent in the office secretly gathering documents.) Suddenly barred from the building, Ropp phoned former co-worker Karen Kaiser the next day, and asked her to discreetly retrieve the KEYKatcher from the bugged computer - he suggested she pretend to tie her shoe next to the secretary's desk, then unplug the keyboard cable from the PC and remove the device. Instead, Kaiser snitched on Ropp, and the company brought in forensic investigators who recovered the device and found files of intercepted keystrokes on Ropp's old office computer, demonstrating that he'd already harvested the KEYKatcher at least once.

"If I had never called, they would have never known," he says.

The company called in the FBI, and Ropp quickly admitted the caper. But he told agents that he'd been working for the Department of Insurance. The Department distanced itself from Ropp's adventuring, assuring the FBI that it "had never directed Ropp to collect any evidence that he would not be able to obtain in the normal course of business," according to the affidavit. For his part, Ropp admits the Department never told him to crack passwords or tap keystrokes, but he claims he was under the impression that he had their blessing to investigate his employer. Today, he says he feels burned. "All of a sudden when everything blew up, I'm out there hanging by myself," he says.

The US Attorney's office in Los Angeles says Ropp is the first defendant in the U.S. to be charged for illegally using a hardware keystroke logger. The indictment charges a violation of the federal wiretap statute, which criminalizes the covert interception of electronic communication - in this case several e-mail messages that had been typed in by the tapped secretary, and were therefore stored in the device.

Citing the ongoing nature of the case, Craig Eisenacher, spokesman for Bristol West, declined to comment on Ropp's indictment, or on Ropp's claim that he was working to expose company wrongdoing. Ropp is free on a $15,000 signature bond, and is scheduled to be arraigned on 5 April.
