Month: June 2023

Posted on

The Client Calls Again

Res and Sheepdog took a brief lunch in a neighboring building that served dim sum and Thai food at very reasonable prices. It didn’t hurt that they both loved Asian food, which sometimes made Sheepdog homesick, being so far away from his native Singapore for work. To Res, these dishes might as well have been apple pie, because, growing up in her area, it was as ubiquitous and American as a hotdog or a hamburger. Also, it was fast, nearby, and top quality, flying in ingredients daily as needed, according to rumors. Res glanced at her watch and realized she only had a few minutes before the next client call. She snatched up her purse, left a few credits for a tip, and told Sheepdog she would talk to him later, as he was still working on a plate of Pad See Eew. With a flip of her hair, she headed towards the skybridge that connected the buildings, the low heels of her shoes pounding out a hurried rhythm of clock-clock-clock across the tile floor.

Rather than taking the call at her desk, she reserved a private room and booked it for an hour. She could log in via the terminal there and bring all her personal data and notes up without hassling with a laptop, but she still brought her physical notepad for assistance. A few moments after she settled, she reached out to the client who answered immediately. While his voice was clear, no background noise, she could hear some form of audio manipulation on his end of the line, probably the same anonymizer he used before, which would shift between low and high tones of voice. And on his end, he was seeing her old-school video game avatar again, only this time, Res was using her real voice. Risky, but just a little. He already knew who she worked for and the nature of the business, so it seemed a more personal touch. “Hello, can you hear me ok?”, he asked. “Loud and clear, but can we back off on the voice hilo? Let’s pretend we trust each other a little this time”, Res replied, and the client agreed. The voice now sounded natural from his side. This was a little more intimate in the digital age, like a second date where some of the pretense and peacocking is dropped.

After a few light greetings were exchanged, the client got to the point. “As I’ve said before, I take my privacy and safety very seriously, which brings me to your organization. I’ve heard nothing but good things from a few people I rub shoulders with, who are also shielded. I think I may have a secret that needs to remain guarded at any cost, therefore I must be shielded at any cost. If what I know and what I have done can be connected, it would have devastating global consequences and cause irreparable damage. To me, and to your organization, among many others.”

Res didn’t like the tone here, because even if it was true, it sounded like borderline blackmail. Like if we don’t protect him and bring him on board, things could get unimaginably bad. Inflated sense of self-worth, narcissism, delusions of grandeur, or the real deal? A few indirect questions could fill in the gaps.

Res lightened her tone to be a little more disarming (and corporate neutral), then began questioning the client. “We get approached by a lot of very important people harboring secrets. After all, it’s in our DNA to protect high visibility and elite clientele with total airtight discretion. What separates you from the others that didn’t pass our standards?”

The client replied, “I seriously doubt the secrets the others keep are this potentially dangerous. I’m not some kind of serial killer with a list that needs legal protection. I’m in possession of information that I discovered, decided to act upon, and my reach is absolutely beyond global. My secret transcends this planet, no joke. But I can’t say more without acceptance and ironclad nondisclosure agreements on your organization’s behalf. Think of me as a wizard with the only key to Pandora’s Box.”

Res briefly scribbled in her notepad the last sentence. It seemed to carry a great deal of weight and would make a strong justification for admitting the client to the program, if it was true. There was an urgency to his voice, an almost pleading tone; clearly, time was a factor here. He needed in quick.

Res then asked, “Are these state secrets? Are you in possession of secret knowledge about this organization, the governing bodies, other individuals within this organization, or information that could impact national security?” Without hesitation the client answered “yes” with no further clarification. This would not be a standard client engagement, were she to accept him.

Res opened a new client form marked Top Secret – ASE and direct management only, the highest tier of discretion available, and began asking him for personal details. A wire transfer of 5 million credits was required up front to process the client form, and the last piece of information she needed (as she waved her manager over for secondary approval) was the client’s legal name. The engagement had begun. There were three signatures required with today’s date. Resonant Frequency, the manager, and the client…

Rex Tarkington

The rest of the details would take a few weeks to process, but everything said thus far was entered into the record for legal to fall back on if Mr. Tarkington mislead them during the process. An AI would have to be chosen and assigned to assist with training, surveillance, and stitching. He would be issued a closed-channel secure communication device. Res finished up with “many of our clients choose to get an Angel tattoo which is publicly visible and a warning to others. Would you like to schedule an appointment with one of our in-house artists to choose the design and apply it?” Rex declined and simply stated, “that won’t be necessary at this time, although I may propose an alternative in the future.” Farewells were then exchanged and Res told Rex, “Welcome aboard, and thank you for choosing the Splicer organization. Your secrets, and your self, will be safe with us.”

Rex wryly ended the call with “they damn well better be. I look forward to working with you.” He unceremoniously disconnected the call, and Res’s manager high-fived her on the spot.

Posted on

Selfish Generosity

Rex Tarkington was a genius. A certified, bona fide, Mensa-verified egghead. He was also extremely paranoid, and very indignant about that character trait. He believed, strongly, that anyone living in a surveillance state has an absolute right to privacy, and if there was anything he could do to advance the right to privacy, he would do it without a second thought. He spent decades in IT Security, where his mindset and perseverance made him very successful. Enough success that he could retire at age 27 and pursue his real goals. He sunk countless hours into studying, then breaking, security protocols and very high-level encryption. But at this point, he wasn’t doing it for any particular company or vendor, he was doing it to try and reset his own comfort level. Being behind the scenes, watching and fighting off digital attacks, it was old hat by now, especially since his crowning achievement was a defensive AI he programmed himself over a few years. He proudly named it T-Rex, which was also the laziest name anyone could have imagined, based on his own name. 

The funny thing about defense is that it’s just offense in reverse. You have to know certain things about the attackers, attack patterns, weaknesses, etc. in order to shore them up. You must know all your soft spots to harden them. By that same token, it’s not difficult to turn a defense into an offense. Attack others where you are weak, assuming a certain amount of commonality across organizations is in place.

For example, regardless of how big or wealthy a corporation becomes, they are often stuck with very outdated servers and hardware somewhere in the network that are easily exploited. Legacy systems, custom programming, vestigial limbs that nobody ever spent money to rebuild and replace. Every company has these “legacy assets” that they can’t do without, and someone in the organization is aware of it. As time goes by and these legacy assets accumulate and remain unpatched, they represent a challenge for the attacker, because no matter how old an attack vector becomes, it has to stay in the toolkit just in case it’s found. This swells the toolkit over time, to the point where nothing can be discarded and you have an enormous, unwieldy bag of tricks. It just comes with the territory.

Years after T-Rex was released, security researchers had turned it inside out and made it an attacker. It wasn’t perfect, but it was a major blow to Rex’s organization in particular. Despite how paranoid and careful he had been, he had left the door to the toolkit open for expansion for licensed owners, which malicious actors used to add their own bag of tricks to what they called Xer-T, the inverted version of T-Rex. Security organizations would sometimes stage virtual battles between T-Rex and Xer-T to essentially watch the AI battle itself, to look for flaws or improvements. That was actually beneficial in testing, and some would sell improvements back to Rex himself. But honestly, none of this interested Rex at this point. He had gone off on another tangent entirely. Let the product managers and coders worry about all this.

In the information technology field, and security, there’s a term known as RCA, or root cause analysis. The concept is simple. When there’s a problem, keep digging even after it has been solved to determine the root cause and apply your permanent fix at that level. Rex had been doing RCA’s his entire life in one way or another, and was particularly skilled at it. Which, inevitably, led to him creating a root cause of his own, solving a lot of problems he had with the state of the world.

He got an idea after watching a documentary about zebras in the wild. Their stripes were a natural camouflage, although appearing fairly uniform and almost copied and pasted to the casual observer. It was discovered that the stripes short circuited the visual processing part of predator’s brains, namely, big cats. Something about the way cheetahs, lions, etc. see the world and process that world was truly confused by the stripes, essentially making the zebras invisible to them. Rex wondered if there wasn’t something similar in technology; after all, technology is based on human perception, so cameras and microphones are generally designed to only capture what people can see or hear.

Rex built up a very secretive research team, hand-picked and fully vetted, to dive into camera technology of all kinds. Cell phone cameras, CCTV cameras, traffic cameras, the hardware and software that drove them. What he initially discovered was not that interesting: they were almost all built upon the same core libraries, which meant at the lowest hardware level, they all behaved nearly identically. At some point during the early development of these devices, there must have been a competition between different technologies, and a single standard emerged. Or, as Rex saw it, a single point of failure…a single point of weakness. He poured millions into the team, moving the project goalposts regularly over the span of three years. He kept getting results, and eventually his company became the dominant player in the imaging device technology sector. How? By giving away upgrades for free.

Nations, states, and cities all took the bait, making TIDE, or Tarkington Imaging Design Engineering, the single largest supplier of hardware and software imaging solutions worldwide. His solutions were truly ingenious and easy to operate, simple to keep updated, and had the best price of them all. His tech was so good, it was being applied to satellites and space-based hardware platforms as well, because, again, the cost was too good to be true.

On more than one occasion, the press asked the main question. “Why is something this good, free?” And every time, Rex insisted that something that good must remain free, and he would be doing humanity a disservice by charging money for those products. That wasn’t a good enough answer for some people and rightfully so. It reeked of corporate diversion, but nobody could really find a problem with what he was giving away, and over time, people asked less and less to the point where TIDE solutions were the global standard. It’s just what you used, anywhere you needed surveillance solutions or cheap imaging for portable devices. He included premium features others charged millions for, like chip sensors that could detect light across the visible and invisible spectrum. The full spectrum sensor was a huge hit in the scientific community, and some labs were using it to explore black holes via space-based telescopes which had been upgraded with TIDE sensors. Spy satellites weren’t late to the party either, incorporating his upgrades as fast as they could launch space missions to retrofit the hardware.

One man, in one company, had essentially taken over the world of digital imaging in a few short years. Rex intended it. Because once Rex had ensured that his TIDE sensors were everywhere, in everything, he could finally relax.

Posted on

Beat, Cops and Robbers Part 5

I suggest you refresh your memory with the middle of Beat’s saga here first to maintain the flow.

Beat had a head full of new facts and a major puzzle to solve. He sat down at his terminal and opened some security tools, hoping to get lucky. He started encoding and decoding the name “robber” every which way. To start, he tried text to hexadecimal code.

726f62626572

He saved that for later.

Next, he tried converting that hex string to binary.

011100100110111101100010011000100110010101110010

Still nothing popped out.

He tried a childishly simple ROT-13 replacement algorithm on robber.

eboore

Nothing was clicking. Nothing made sense. He intuitively just tried looking up the website domain for robber.com. Registration was private. He bypassed the privacy setting and found the website was registered to the following:

Bulletproof Manufacturing and Aerospace Corporation (BMAC)
6572 Mockingbird Blvd Suite F
Omaha, AR 72662

Now some numbers started lining up; he couldn’t believe his luck. Not only that but the abuse contact was even better:

For abuse complaints, contact: Edward Boore – eboore@robber.bmac.com

In a few easy keystrokes, almost too easy, as if someone left breadcrumbs intended to be collected, Beat was one step closer to solving the puzzle. He did another few lookups from some other security tools to gather information on the company and the domain. The corporate website was nothing out of the ordinary, but they weren’t a publicly traded company so no deep digging there. The bottom of the page contained the typical array of quick links. Contact Us, History, Help, FAQ, Demo and Return to Top.

He took a peek under the hood with the HTML inspector built into his browser and started reading through the code. Yet another fingerprint became apparent; a snippet of Javascript was attached to the Demo link. The URL didn’t make the typical call to an internal function of the site and it wasn’t some early HTML 1.0 link either. In fact, it was a total anomaly. It was an encrypted link function which triggered a decryption after the button was clicked to provide the accurate URL to the user’s web browser without revealing the actual site URL. It was split into three parts to further obscure what it would take as input and pass on to the server. Beat grabbed the code snippet and transferred it to his sandbox server. As he watched the server logs, he saw the Demo URL transformed to this string:

60rk2c9g60rk0c1h64r32c9h64r32c9g60r32c1g64rk0c1g64r30c9h60r32c1h60rk2c9g60rk0

More simple encryption. The repeating characters “rk” signified paired numbers or letters. Feeding that string into a Base32 decoder, there was the detonation:

011100100110111101100010011000100110010101110010

Converting that binary back into text: robber. Beat slammed his hand down on the desk and started gaining steam. Either he was misled into a honeypot, or he was right over the target. Going back to the original page, he clicked on Demo to see what would happen. Immediately, he got a connection refused error. Reloading more times, more connections refused. The easy part was starting to fade a tiny bit, but being an ASE, he was nowhere near running out of options. He launched PRISM, the global website penetration tool that had federally mandated backdoors built into all US-based websites. He entered the full URL for the Demo link into PRISM, and something curious happened next.

WARNING: PRISM ENHANCED MODE REQUIRED. ENTER PKI3 AUTHENTICATION TO CONTINUE.

Beat plugged his PKI3 card into the terminal and the dialog box on screen filled up with X’s in the blanks reserved for the password.

PRISM ENHANCED PKI3 BYPASS DETECTED. ELEVATING RIGHTS TO PRISM SILENT CIRCLE.

Beat paused. PRISM asked to elevate a single authorization level and somehow skipped to a mode that he didn’t even know existed. He then remembered having the same card in the Cerberus terminal. Did Cerberus modify the card? It was the only explanation, and he was hot on the trail of what Cerberus was after. PRISM then prompted him:

PRISM SILENT CIRCLE – WEBSITE DEMO ACCESS (Y/n)?

Again, Beat paused, feeling like he was at a point of no return. He hesitated to hit enter. This was about to take a hard left turn and he wanted to be prepared. He closed his eyes, leaned back in his chair and jammed his knuckles into his eyelids and twisted until he saw stars that quickly faded away. Cracking his knuckles, he took a deep breath and hit enter.

THANK YOU FOR USING PRISM SILENT CIRCLE. DEMO LOADING, PLEASE WAIT.

His terminal faded to a totally white screen, then to a black screen, then back to a gray screen somewhere in between. One by one, the letters from the PRISM prompt flew off the screen, in every direction, accompanied by old cartoon sound effects. Next, a black mask came into view with artificial glass eyes staring blankly towards Beat. No face, no body, just a bandit mask with 3d eyes.

He heard a voice coming from his speakers. “Welcome, PRISM SC user. I am Robert. I have stolen your letters as payment. What I steal next is up to you. Choose your desire:”

Another prompt came up on screen:

DO YOU DESIRE FAME, FORTUNE, OR POWER (Fa, Fo, Po)?

This was a game, and Beat wanted to bend the rules. He typed in MORE and hit enter.

YOU DESIRE MORE THAN FAME, FORTUNE AND POWER. IF THIS IS CORRECT, STANDBY FOR 5 SECONDS. TO ABORT, PRESS ANY KEY.

Beat simply waited.

MORE DATA IS REQUESTED. DO YOU HUNGER FOR KNOWLEDGE? (Y/n)

He hit enter again.

KNOWLEDGE TARGET NUMBER REQUIRED TO CONTINUE. TO LIST KT’S, ENTER L. OTHERWISE ENTER THE KT NUMBER.

More puzzles to solve. He hit L and started grinning ear to ear at the results.

KT TARGETS AVAILABLE:

  1. DENNIS – 6581
  2. CHARLES – 8580
  3. FRANKFORD – 68001
  4. NEWTON – A01
  5. CERBERUS – CRB3
  6. AGNES – ARM1
  7. BLACKWATER – DEEP-C
  8. COPERNICUS – COPER
  9. ROBBER – EBOORE8F

Beat’s mind went into fast forward mode wondering what he’d discover. These were all named AI and he was dying to know what this system knew about them. But he had to stay on track. 15 minutes remained. Beat hit 8, for Copernicus, and watched the output.

Posted on

Thee Unseen

Continued from the last Res snippet

The next morning, Res awoke with the gentle morning sunlight streaming in through her window for once. She stretched like a cat, yawned, got out of bed, got ready and headed to the office. As she arrived at her desk and logged into her terminal, she had a message waiting. It wasn’t any special priority but she opened it immediately. It was her manager, wanting to talk in his office “at her earliest convenience”. That was his way of saying now.

Res walked across the office floor to his office, peeked in and saw he wasn’t talking to anyone. She did the two knocks at the door frame, saw him nod, and entered his office, closing the door behind her. “So, how did the client call go yesterday? Everything lined up?”, he queried. “I’m not sure. The client seems pretty serious but I’d like to feel him out a little more before we commit to anything. I know, I know, growth is important, but you know how careful I am”, Res said. “Well, the client called this morning, the second I sat down at my desk, and wanted to speak to you again. When you’re ready for round two, say the word”, he said. Res thought for a moment. Why shouldn’t another ASE or even her manager do this round two interview stuff? But she was still curious from the previous day, and didn’t want to slide it across the table to someone else just yet. “I have some busy work to do this morning. If he can meet with me after lunch, I’ll be prepared”, Res said, buying time to line up some questions for the client. “Fair enough. I’ll let the client know you’ll contact him after lunch”, replied the manager. With that, Res cracked a smile and went back to her desk.

She opened a physical notepad she kept in the top drawer for client leads and thumbed through it, getting ideas for what sorts of things to ask the client on the next call. She absent-mindedly twirled the long side of her hair with her right hand, then a piece of crumpled up paper came flying over her workstation wall and skittered across her desk. She stood up and looked over at Sheepdog, who was already grinning ear to ear, not even trying to hide his guilt. “Do you need something”, Res said sarcastically, and Sheepdog replied, “Well, actually, I could use another pair of eyes on this weird stitch I’ve been reviewing. Got a few minutes?”

Res sauntered over to his desk and pulled up an extra chair, dropping his paper wad onto his desk as she rolled forward and looked at his main screen. “What are we looking at here?”, asked Res. Sheepdog began another one of his long-winded explanations, which was his trademark, but then got to the point. “Well, ok, so see this timestamp here? This is about 5 minutes before the…uhh…anomaly. I keep having different AI check it for missing frames or missing data but they all say it’s normal and complete. But see what happens when a few minutes go by, watch the car.” Sheepdog advanced the video a few minutes at a time, skipping dead spots. The scene was taken from a busy street corner, mainly high-resolution traffic cameras. Buses, cars, and people were going every which way, nothing unusual, but the car Sheepdog wanted to focus on was a Limousine. It pulled up to the corner, the driver got out, walked around to the passenger side, opened the door facing the sidewalk, and a man with a Bowler hat stepped out. He reached forward as if shaking hands with a familiar acquaintance, but nobody was there. Something was, because others on the sidewalk were splitting to walk around the Bowler man and “the nobody”. After a few moments, the Bowler man got back into the car, the driver walked back around to the driver’s side, and the car pulled away.

Res was starting to get the heebie-jeebies. “Is this all of the footage?”, she asked. “Yep. One of the linears passed this on to me and like I said, the stitch is confirmed complete. There’s no data missing”, Sheepdog said, “and I even asked the linear for more angles of this event. It was all redundant, the other cameras are showing the same thing from different vantage points.” Res replied, “Well, clearly, we’ve got faulty hardware”, and Sheepdog parried her reply with, “Nope, the linear ran a full hardware diagnostic on all those TIDE cameras. They’re practically brand new and checked out. Something else is happening here.”

“What’s the relevance of this guy in the limo to start with, are the linears getting bored?”, Res asked. Sheep said, “Well, I’ve seen it before, when the project was early. It was probably the same guy. Maybe this is testing footage for the linears, something obviously weird to get their attention, to make sure they are scrutinizing the feed. At the time I just assumed it was a glitch, but I always remembered it. This time the linear thought it was weird enough to open a case on it, at the risk of triggering a false positive, and I agreed it should have a case. To that end, we have already identified the man in the Bowler, and confirmed it with the license plate of that car. It’s a personal limo, belonging to Frank Schultz, of FS GMBh, a huge industrial manufacturer out of Germany. He’s shielded, we’ve worked for him for a long time.”

“Who is his dedicated AI? Don’t tell me it’s Strix, it would have sounded the alarm a long time ago when you first saw it. Beat told me how thorough Strix can be…”, mused Res. “It’s not Strix. It looks like—”, Sheepdog typed in a quick query, and they both read it aloud as the result came back. “Genesis?”