Black Hat Blues (22 page)
“I’m not sure,” said Chloe, picking her mousy-brown wig off the
table. “But you guys might want to start packing shit up, just in case
we need to leave here really fast.” Hopefully they wouldn’t have to lower
the rope they’d brought out the window, but it was nice to know the
option was there. “I’m going downstairs.”
Oliver
• now
Oliver wasn’t entirely satisfied with how the con was going so far.
There was a hell of a lot of stuff to do, but he wasn’t quite sure
what the point of it all was anymore. He’d gone through much of Fri-
day evening grumpy because work was making him put in a full day’s
worth of work even though he was supposedly here at the convention on
their dime and for his job. Stupid job. And so he’d been stuck up in his
room VPNing into the office for the first half of Friday and then by the
time he got downstairs everyone he knew had already gone to dinner
somewhere and there was just a hotel bar full of hackers he didn’t know
and he just didn’t have the mental energy to try introducing himself
to people. He idly sat at one of the pay-to-surf internet kiosks in the
lobby and hacked it so it would be free, wondering what to do with the
rest of his evening.
In the end he’d done what people often do in this situation: he hung
around the outskirts of other people’s conversations and waited for a
chance to insert himself into one of them. After a few failed attempts it
even worked, and he ended up talking Linux kernel stuff with a group
of guys for a while, which was fine, but nothing he couldn’t have done
on a forum or listserv from home. Saturday he decided to throw him-
self into the talks, and that had proved a mixed bag as well. Everyone
seemed stupid and boring and he wasn’t learning anything. At least a
couple of them were funny, like Johnny Long’s talk which he’d seen
a version of before but went to anyway knowing he’d at least have a
good time. Coming out of it late Saturday afternoon he was seriously
Rick Dakan
113
thinking about starting drinking. OK, not too seriously. Instead he
decided to go up to his room and chill out for a little while, relieve some
stress. Then maybe he’d buy a hundred dollars worth of shmoo balls
and just hurl them at everyone who pissed him off.
As he stood waiting for the elevator in the lobby, the real reason for
his discontent, the person who’d made it impossible for him to actually
enjoy a hacker con ever since, came striding in through the side door as if
she didn’t have a care in the world. Ollie’s eye’s widened in surprise. She
was dressed much more conservatively this time, in a suit/skirt outfit and
with her hair tied back, but there was no mistaking her face, one that was
locked tight in his imagination and which he kept coming back to again
and again, sometimes at the most awkward moments. It was Toni.
He started to move towards her but then didn’t know what to say.
He wanted to confront her of course, make her admit what she’d done
and tell him who she really was, but that wasn’t going to happen. Even
as he failed to take that step after her as she walked down the hall away
from him, he knew he was scared to actually face her. She’d just deny
everything, or pretend not to know who he was, or somehow humiliate
him. Ollie had seen how she could cut a man down with her words, and
see right through to their weaknesses and insecurities. He just couldn’t
face that, not on his own.
Only once she’d disappeared around the corner did his logical brain
kick into gear again and start focusing on something besides his gut
emotional response. If she was here at Shmoocon, it was probably for
the very same reason she’d been at Toor Con—not to learn or network,
but to recruit people for whatever sinister plan she had going this time.
Ollie realized at once what he had to do. He had to warn someone.
He spun around and not-quite-jogged towards the escalators up to
the convention area, making a bee-line straight for the front registra-
tion desk. With the con well under way, only late comers and people
buying t-shirts needed the desk attendant’s attention, so he was able to
rush right up to the counter and say (not shout like he almost did), “I
need to talk to Heidi!”
The guy behind the counter said, “She’s around here somewhere.
What do you need?”
“It’s kind of… a security issue maybe,” Ollie said, looking around
behind the counter to make sure Heidi wasn’t there.
“Should I call security then?” the guy asked, starting to sound
anxious.
“No, it’s not an emergency exactly. It’s just there’s this woman…
Listen, I think I need to explain it to her myself.”
114
Geek Mafia: Black Hat Blues
“OK, OK, lemme get on the radio and see where she is.” He produced
a radio headset and said into it, “Does anyone have eyes on Heidi?”
Ollie couldn’t hear the responses, but after asking two more times, he
finally got a response. “Could you send her to registration? Someone
needs to see her about something. OK. Yeah, thanks.” He turned to
Ollie. “You’re sure this is important right, she’s really busy and you do
not want to piss her off right now.”
Ollie just nodded. He was sure it was important, but he was less sure
of his ability to convince anyone else of that fact. Heidi, as everyone who
knew anything about Shmoocon knew, was in charge of Shmoocon,
and the wife of renowned security expert Bruce Potter. The fact that
she not only managed Shmoocon and was super cool but was also a
half-Norwegian, half-Fillipina MILF only made her more intimidat-
ing as far as Ollie was concerned. He’d seen her around of course,
mostly on stage during events or prowling the halls putting out fires,
but he’d never actually talked to her. Hopefully she would understand
how important what he had to tell her was. What was he going to tell
her exactly? He knew he wanted to warn everyone about Toni, but he
hadn’t quite thought through the details of how to make that warn-
ing make sense without making him look like an idiot or a sucker. He
certainly wasn’t going to tell anyone the whole story.
That night at Toor Con they’d gone back to his hotel room. Because
he was never sure of these kinds of things, he wasn’t at all sure he was
going to get lucky, but he had his hopes. She’d admired the view of the
stadium below and asked for one of the mini-vodkas from the mini-bar.
She sat on the bed, curled up against the headboard with her shoes off
while he sat in a chair and talked about penetration testing and hacking
and all the other things he spent most of his waking hours thinking
about. She wanted to know every detail of how his job worked, which
was normal for someone who didn’t know the details of his rather exotic
line of work. He’d told versions (usually shorter versions) of all these
stories before. But Toni had pressed into unusual territory, asking him
not just about the things he did but the reasons he did them and what
he found satisfying about them. And from the topic of satisfaction
they turned to the topic of dissatisfaction, and why he was looking for
a new job (short answer, he was bored with his current one because all
his friends were gone and the bosses sucked since the buyout last year).
Toni had a few more mini-bottles and he even had the two Heinekens
that’d been in there for Lord only knows how long.
Rick Dakan
115
By 4 AM he was talked hoarse and she’d passed out on the bed. He
tucked her in beneath the covers and slept beside her with his clothes
on above the covers. Well, he tried to sleep, but mostly he just lay
there willing her to wake up and turn towards him and put her arms
around him. He’d passed out at some point and woke up to the sounds
of her in the bathroom. She came out still wearing her dress from the
night before, smiling and chipper. She’d apologized for nodding off and
thanked him for his hospitality. She had a plane to catch, but wanted
to stay in touch. She gave him her private phone and personal e-mail
and told him to contact her on Monday so they could talk more. He
fumbled about, rubbing the sleep from his eyes and swallowing again
and again to lubricate his mouth, which was desert dry, indicating he’d
been doing some serious snoring. He was, of course, mortified.
He e-mailed her the next day, not expecting a reply. But one came
within an hour, and the two started a lovely little e-mail correspon-
dence. Then after a few weeks, Toni sent him a job reference. She said
a company she did some consulting for was looking to hire an outside
pen tester for some insurance compliance and she thought he might
be interested. Technically Ollie wasn’t supposed to do that kind of
moonlighting, but Toni said she could work things so the billing went
through her company and she could pay him as a consultant to her and
no one would ever know he’d gotten paid to do pen testing. They’d
think he was just giving his expertise on general security matters for a
court case, working as a kind of expert witness, which was fine under
his contract.
Although he didn’t see himself as ever working freelance on a regular
basis—he much preferred the stability of a regular paycheck and some-
one else finding jobs for him to do—he saw no harm in doing it once in
a while. Plus, he was happy to do a favor for Toni. He called the number
she’d given him and talked to a guy named Steven from a construction
company in Miami. He’d looked at Sun State Construction’s website
before calling, and wasn’t too impressed. It was pretty simple and bare
bones. A little googling and he started to see that there was more to the
company than its off the shelf site. They were a big company, doing a lot
of retail and industrial jobs all over South Florida. Family owned and
operated with hundreds of employees and dozens of jobs going at once.
Why they cared so much about network security that they needed an
outside pen tester was unclear to him, but Steven answered that ques-
tion on the phone.
“It’s an insurance thing. My wife’s cousin, Emmanuel, he says he
can save us a bunch on premiums and he knows this techno junk so he
116
Geek Mafia: Black Hat Blues
convinced my wife we need it. So that’s why I’m talking to you.” He
sounded tired and uninterested, although Ollie thought he had an odd
voice that didn’t quite match his picture on the website. “But are you
saying maybe I don’t need this testing thing you do?”
“I’m not saying that at all, no sir,” Ollie replied, scared his questions
had somehow screwed up the job. “No, no, not at all. I’m just trying
to get an idea what kind of vulnerabilities you’re looking for me to test
for.”
“The whole package I guess, top to bottom inspection. Whatever’s
your top of the line.”
This was obviously a man more used to buying heavy equipment than
computer security services. “Um, OK. Sure. I’ll run a full test then.”
“Sounds good, sounds good. How much is that going to run me?”
“I was told that the billing will be through…”
“Oh yeah, my cousin’s little consultant friend. Right, right.” Ollie
heard yelling with a thick Spanish accent in the background. “My wife
just reminded me.” More yelling, although Ollie couldn’t quite make
out any of the actual words.
“I just need you to sign the waiver I e-mailed giving me…”
“My wife’s putting it in the fax machine right now. Do whatever you
need to do, but don’t screw up the e-mail alright? She’ll have my balls
and yours if she can’t get her e-mail from her sister in Caracas, and we
don’t want that.” More yelling.
“No problem, sir. Hopefully you’ll never know I was there until you
get my report.”
“If I never know you’re there, how will I know you did any damned
work at all?” The man sounded genuinely annoyed, although Ollie
wasn’t sure if it was at him or the world in general.
“Oh, don’t you worry about that. I think when you see my report
you’ll know for sure.” He’d already done some passive snooping and he
didn’t think he’d have much trouble at all penetrating right on through
the company’s network, and the waiver Toni had written up for him
gave him all the carte blanche of a real Red Team to do whatever he
needed to.
He got started the next day, but soon found that it was more of a chal-
lenge than he’d at first suspected. Compromising their company website
was dirt simple, but also largely pointless. The site was obviously an
afterthought for them and had no connections to their larger network
or any interesting or sensitive data. So Ollie had to work through other
channels and started poking around at the company’s actual e-mail
server. Here the number of employees worked in his favor, especially
Rick Dakan
117
those who checked corporate e-mail through personal, less than fully-
patched and secured machines. He found his hook and pried open an
entry for himself. Within a week he’d compromised the entire system