Tuesday, September 13, 2016

The IBMer Who Decoded Bernie Madoff's RPG

The IBMer Who Decoded Bernie Madoff's RPG
Published: September 12, 2016
by Alex Woodie
When Bernie Madoff's massive Ponzi scheme collapsed in 2008, erasing $65 billion in supposed wealth, the midrange community was somewhat surprised to learn that an AS/400 was at the heart of the operation. Soon thereafter, FBI agents called Rochester, Minnesota, with a request for IBM: Give us an expert witness who can untangle the ancient RPG II code and explain how it works to a jury. That job eventually fell to longtime IBMer Rich Diedrich.
Diedrich had worked in Lab Services since the early 1990s, back when it was called the Custom Technology Center. While Diedrich has expertise in many areas, including cryptography, it was his knowledge of System/36-era code that got the 29-year IBM veteran the job as the federal prosecutor's expert witness in the trial of Madoff employees Jerry O'Hara and George Perez.
"I have enough gray hair that I could understand the old RPG II code," Diedrich tells IT Jungle. "I was the highest-level application person in Lab Services that did AS/400 kinds of things, as it was referred to throughout the trial."
In August 2010, federal prosecutors working in U.S. Attorney Preet Bharara's office asked Diedrich to fly to New York for a meeting. "I met with the FBI and DOJ lawyers, and basically they showed me some of the code, ask me to look at it, tell them what I saw, and if I wanted to be the witness," Diedrich says.
Diedrich had never been an expert witness in any trial, and wasn't sure what it would entail. Working in Lab Services, he was used to dealing with clients who were clear in what they wanted. The federal attorneys, on the other hand, were cryptic about what they wanted from Diedrich, who had to remain unbiased and objective.
"The DOJ attorneys and FBI didn't tell me what to look for," he says. "They just said, here's the case, you tell us what you want."
Despite the open nature of the request, he agreed to take the job. While Diedrich would spend months deciphering the RPG and OCL code that ran Madoff's Ponzi scheme, he would not receive any additional compensation for the work. The contract between the federal lawyers and IBM gave Diedrich a degree of independence, which the task required.
Random Number Generators
The first time Diedrich took a look at the code for the feds, a few things immediately stood out. For starters, the RPG II code, which dates back to the 1970s, was in surprisingly good shape.
"It really wasn't badly structured, given what it was," Diedrich says. "There were a few things that caught my eye when I was glancing through it, like random number generators in the code that looked a little suspicious."
As Diedrich dug deeper into the RPG II and OCL code, he realized he would need some assistance to reverse engineer two key the programs, which totaled about 2,000 lines of code. "I looked at some of the normal code analysis tools, but none of them did exactly what I wanted them to do," he says. "Given that it was RPG II, OCL stuff, it made it a little trickier to use any of the standard tooling to do the reverse engineering that we needed done."
Finding nothing on the open market suitable for the 40-year-old syntax, he did what any normal IBM i programmer would do: he built the tools himself. "I actually wrote code that parsed the OCL to figure out what was called from where," he says. Then he built a slew of static Web pages that he could use to show the jury how the programs worked.
At the end of the day, he documented how the Madoff code worked using about 20,000 HTML pages. He would eventually use a fraction of these when he testified on the stand in late 2013, when the trial finally began.
A House Divided
As the DOJ's expert witness, Diedrich was asked to understand everything there was to know about the programs Madoff ran on the AS/400. (It's unclear what actual models Madoff used at the time of his arrest in 2008, but it's generally accepted that they were vintage, AS/400-era machines running OS/400 version 5.)
Diedrich was actually asked to analyze programs running on two separate AS/400 used at Bernard Madoff Investment Securities: One from "House 17," which generated reports for the fake trades involved in the Ponzi scheme, and another from "House 5," which did legitimate trading activities.
"House 17 was a fully separate system and it didn't talk to any other computer. It didn't do trades. It just printed out reports that looked like it was doing trading," Diedrich says. "They had written code that basically back-generated the trade. You could end a trade up to two years before whatever the current date was, which makes it much easier to have profits on paper."
When Diedrich used his tools to analyze the House 5 system, he didn't find anything suspicious. The programmers involved in running that system were never charged.
Code Was 'Nicely Commented'
While the reports generated by the House 17 system fooled Madoff's clients for years, it would take a little more work to pull the wool over the Securities and Exchange Commission (SEC). As Diedrich discovered, Madoff's programmers spent a lot of time preparing the House 17 operation to pass SEC audits.
"For the audit, they needed to have counter-trade trades. You needed to have who you were buying from, who you were selling from, the blocks you were buying and selling," he explains. "They had to essentially create all the documentation for the trades. So they had a program that would go out and essentially take a trade and then split it into sub-trades, and then it would go through and generate all the reports of all the trading tickets. They could print them all out."
Madoff not only fooled the SEC this way, but he fooled other banks that invested into his Ponzi scheme. In fact, the programmers used the same code for all audits, but changed the names of trading partners depending on who was doing the audit.
The Madoff programmers, Perez and O'Hara, were tasked with keeping track of all these changes and keeping everything straight, lest the whole house of cards come falling down. So the pair resorted to what any normal RPG programmers would do: They added comments to the code.
"The programmers nicely commented the code, which made explaining some things easier, because they said this is what they're doing," Diedrich says. "The jury didn't have to try to read the code. They said 'This is how we're generating these numbers.'"
Perez and O'Hara also added comments to ensure their audit preparation was up to snuff. "There were comments in the code hat indicated, for this kind of audit we need this kind of information," Diedrich says. "The code would say, 'We don't need this for this audit,' so they commented it out from the code at times, then they would put it back in for the other audits."
Fabricating transaction IDs posed a bit of a problem for the programmers, but they eventually rose to the challenge. As Diedrich explains, they came up with a creative method that was never spotted by auditors.
"One trick they used was they took the hundredth and the tenth digits from the transaction number, moved it over one spot, and subtracted it from the transaction number to get an earlier transaction number," Diedrich says. "That was one of the techniques they used to make up transaction numbers."
But how did Diedrich discover this method? "It was commented in the code!" he says. "Then they gave a simple example in the comment."
Growing Sophistication
As the Ponzi scheme wore on, and with more time on the saddle, Madoff's programmers got better at their jobs of fabricating an actual trading system, according to Diedrich.
"Over the years I could actually see how they had improved some of the random number generators," he says. "At first they used really simple ones. Then I could see where both programmers--in the same month actually--started using a more standard linear congruential random number generator. You could see the code being added. They got more sophisticated over the years."
Like most AS/400 shops, Madoff Securities protected its business by backing up data to tape. The FBI brought the backup tapes to Rochester for Diedrich to inspect, which gave him another view on how the code changed over the years.
"In April of 2006, they went through and deleted the special programs," including many starting with the letters SPCL. "They essentially wiped them all off the system. Something caused them to essentially delete all the special programs and some other programs on the system."
While it's not clear what caused somebody to delete the programs, that mere act actually helped Diedrich zero in on SPCL1K, which was the latest version of a key program used to perpetrate the massive fraud (the letter "K" represented the 11th version of that program). "It actually made it easier for me to figure out which programs to focus on," he says. "I'm going to be more interested in the ones that were deleted."
Conviction and Sentencing
In late 2013, after years of delays, the trial of Perez, O'Hara, and three other Madoff associates, including Daniel Bonventr, Anette Bongiorno, and Joann Crupi, finally began. Diedrich spent two-and-a-half days on the stand, including two days under direct examination by Bharara's prosecutors, and a half-day under cross examination by the defendant's attorneys. His testimony was limited to his analysis of the code maintained by the RPG programmers, Perez and O'Hara.
During cross examination, the defendant's attorneys asked Diedrich whether the programmers were just following orders, and if it was possible they didn't understand the scope of their actions.
"The impression I got was that the programmers understood the code, and that this is what it was doing, and what it was written to do," Diedrich says. "Random number generators and SEC audits indicate you're probably doing something wrong. You can be prosecuted for that, and these guys were."
Perez and O'Hara were found guilty for their role in the fraud, and were sentenced by U.S. District Judge Laura Taylor Swain to two-and-a-half years in prison, which was the minimum sentence. The prosecutors expressed dissatisfaction with the light sentence--it was even lighter than some defendant's attorneys had requested--but the judge was clearly swayed by defendants' position that they didn't understand the scope of what Madoff the mastermind was doing.
In any event, Diedrich found the experience worthwhile. "The whole thing was very interesting," says Diedrich, who has since retired from IBM. "It was a brand new experience for me. It was fun."
Diedrich is now working as an independent consultant with his company, Rich Diedrich Consulting, in Rochester. He's focusing a lot on application modernization, but don't ask him for help with System 36-era code. "I don't want to do RPG II anymore," he says. "I'm into the latest RPG and how do you use it effectively."
Diedrich will be sharing his experience as the DOJ's expert witness in the Madoff trial this fall at the COMMON Fall Conference scheduled to take place next month in Columbus, Ohio. His session, "RPG Programs Used by Madoff," will take place at 8 o'clock on the morning of Wednesday, October 26--the same day that O'Hara and Perez become eligible for early release.

RELATED STORIES

http://www.itjungle.com/tfh/tfh091216-story01.html

No comments:

Post a Comment