But lately, computer manufacturers have been figuring out how to design chips to run VMs more efficiently, so the gap between a VM and the real computer it runs on keeps shrinking. This means that it's easier than ever to try out new operating systems and new programs. If there's something you're really paranoid about, you can just run a free VM program, install a free OS on it, and run anything you want in that little sandbox. Nothing that happens in that VM can affect your real computer -- not unless you give it privileges to see your real hard drive and real files. The VM is like a head in a jar, and you can tell it anything you want about what's going on in the world and it'll have to believe you.
You can download hundreds -- thousands! -- of VMs from the Internet and just fire them up as you need them. Want to turn an old computer into a router or a file server for an hour or a day or a year? Various sysadmins have bottled up perfectly tuned VMs that run any specialized function like that out of the box. There are even user-reviews to help you figure out which ones are the good ones. And since it's all built on open, free code like Linux, anyone can modify, improve, and redistribute them.
I went hunting for an extra paranoid VM, and I found one. It started with a copy of ParanoidLinux, my own favorite distro, and nuked any programs and services you didn't need, to make it all the more bulletproof. ParanoidVM also stored its user files in TrueCrypt plausible deniability chunks, so there was no way to tell from the forensic examination of the disk how many users there were and how many files they had.
That was good for starters, but I wanted a dead man's switch: something that would cause the whole thing to lock itself and shut down if I didn't do something every fifteen minutes. So I wrote a little script that hit me up for a password every quarter hour. If I didn't enter it, it would issue a system-wide command to kill any VMs that were running, then erase itself. So if a snatch squad were to nab me, all the work I'd done on the files would disappear unless they could torture the password out of me in a quarter of an hour.
They'd still have the key and the torrent file, but they wouldn't know whom I'd shown anything to or what we'd talked about. All I'd have to do is key in my password every fifteen minutes, and not go off to the toilet or forget and go to dinner, or I'd lose everything I'd worked on up to the last save-point.
There's a technical term for this kind of security work: yak-shaving -- wasting time doing silly chores to avoid something harder and more important. There was an old essay I liked about working for Google by a hacker called Dhanji Prasanna, which talked about "shaving the entire yak pen at the zoo, and pretty soon traveling to Tibet to shave foreign yaks you've never seen before and whose barbering you know little about."
That's the territory I was heading into. It was time to decrypt the file.
It had been a while since I'd decrypted an encrypted ZIP file with a very long password. There was a specialized command you could use to specify that the password was in a file, and I couldn't remember it at first. I looked up how to do it. I did it. The list of files scrolled past faster than my eye could follow. Lots of files. LOTS AND LOTS of files.
810,097 files.
What had Masha said?
Eventually, you come across something so terrible, you can't look yourself in the mirror anymore unless you do something about it.
That was a lot of dirty laundry, yo.
I could tell at a glance that they had human-generated file names -- weird punctuation, weird capitalization, and both were all over the place. Computers might do weird capitalization, but every file would have been weird in the same way. Some had pretty descriptive names like "bribes paid to senate Def Cttee.doc" and others were more cryptic, like HumIntAfgh32533. There was a file called WATERBOARDING.PPT, a set of PowerPoint slides. My stomach curdled into a hard ball just looking at it.
I double clicked it. The first slide was just a title: "STRESS INTERROGATION SEMINAR 4320." The next slide was a long confidentiality notice, naming a bunch of private military contractors who, apparently, had been involved in producing this presentation. And the next slide --
-- showed a boy, about my age, restrained in padded cuffs at the ankles, wrists and chest, strapped to an angled wooden board that held his head lower than his feet, mouth covered tightly in saran-wrap, having water poured down his nose in a splashing stream out of a bucket with a spout, held by two large, clean, white hands. The boy's body was arched up like a bow, straining against his restraints, pulling so hard that every muscle in his body stood out. He looked like an anatomical illustration.
No.
He looked like a torture victim.
The saran wrap was an evil touch. The water is poured down the nose, but it can't go into the lungs, because the body is tilted backwards. His body is tilted backwards. The body -- his body -- knows that there's water going into the windpipe and it's desperate for air. His mouth gasps, but the saran wrap only lets the air go out, because every time he tries to suck air in, the plastic makes a tight seal. The only place air could enter is his nose, and the water is pouring into his nose and so he can't breathe that way.
Eventually, his lungs empty out entirely, collapse like spent balloons, shrivel like raisins. His brain, starved of oxygen, begins to die. He may pull his bonds so hard he breaks his bones.
The government likes to call waterboarding a "simulated execution." It's not a simulation, though. They nearly kill you. If they don't stop, they will kill you.
One of the men at Guantanamo Bay, America's secret prison, was waterboarded more than 180 times. Nearly died 180 times. They say he planned 9/11. Maybe he did. But whatever he told them, they'd be crazy to trust it. When you're being slowly murdered, you will say anything and everything to get loose.
But I wasn't thinking about that. I was hypnotized by that boy, by the expression on his face, the veins standing out in his forehead, the terror in his eyes. I'd been there. I'd had that look in my eyes.
Time stopped.
And then, the image disappeared. The window it was in disappeared. The VM that it was in disappeared. My dead man's switch had been prompting me for a password, had run out of time, and had killed the VM and deleted itself like a good boy. I hadn't even noticed the password prompt. I'd been staring at that picture.
That picture was only one slide, from one file, out of more than 800,000 files. This was going to take a while.
Ange rang the bell around dinner time, and my mom sent her up to my room. She let herself in and snuck up on me and put her arms around my neck and kissed the top of my head. I pretended I didn't hear her or see her reflection in my screen. It was a game we played. We were adorable.
"Hey there, workin' man, how was your first big day at the office?"
"Pretty much like I said in my texts; I'm mostly trying to figure out what the job will entail, trying to get a handle on everything. I told you about that Liam guy, too, right?"
"Yeah, how weird is that? Small world, but I wouldn't want to paint it."
"Well, he got less sweaty about things by the end of the day, came by for a real chat, and it turns out he knows his stuff pretty well and had lots of good ideas for me, some authentication ideas I hadn't thought of for managing guest laptops."
"I think it's adorable that you've got a little groupie," she said, pulling up my spare chair and transferring the clutter of MakerBot parts to my bed before sitting down.
"It's embarrassing," I said. "How was class?"
She crossed her eyes. "I thought that after high school I'd get to start learning like an adult, without everything being about how many factoids I can regurgitate on cue during exams. But pretty much all of my courses give seventy-five percent of the grade based on exams."
"Well, you could always leak the exams," I said, and her hands were over my mouth before I'd gotten the words out.
"Don't. Even. Joke," she said.
Ange's deep, dark secret is that she stole and published the No Child Left Behind tests when she was in the eleventh grade, along with the answer-sheets. The school board never figured out who was responsible for it, and they claimed that the stunt had cost millions. Served 'em right.
"Sorry," I said. "But there's worse ideas. And who better to do it?"
"Tell you what, let's figure out what to do about Masha's little bombshell first. We can recycle anything we come up with for any final exams I should happen to find myself in possession of."
"That's why I love you; you're always thinking."
We joked a lot about love, but the truth was, I did love her, with a weird, scary kind of intensity. It probably had to do with drifting away from my gang of friends and dropping out of school -- Ange was pretty much the only person I saw on a regular basis who wasn't a parent of mine. Every now and then, this freaked me out a little. I think it freaked her out, too -- I was looking forward to getting a little more balance in my life from having a job with co-workers.
"So, what have you got?"
I felt that little paranoid shiver. You could eavesdrop on a room by bouncing a laser off the glass. The sound waves from the voices in the room made the glass vibrate, and the laser picked up the vibrations. I'd seen a demo of this in a YouTube video of a presentation from DEFCON, the big hacker conference in Vegas. The sound wasn't perfect, but it was pretty good. Good enough to pick out every word and recognize the speakers' voices.
"Um," I said. "Give me a sec, okay?"
I plugged a set of speakers into my laptop and then stretched out their wires until I could press them on the window-glass. Then I used my computer's random-number generator, /dev/random, and requested some random white noise. The speakers began to hiss with staticky sound. I cranked them up to the point where I couldn't stand it, then turned them down a notch or two. I made sure the blinds were seated over the speakers again. Maybe a laser could pick up on the sound in the room, but I couldn't think of any way to subtract random noise from the audio signal. That didn't mean it was impossible, but at least we couldn't be eavesdropped on by anyone stupider than me.
"Huh," Ange said, observing this ritual. "Well, that's pretty intense."
"Yeah," I said. "It sure is." We moved the chairs so we could both see my laptop and I showed her my VM and the dead man's switch.
"Not bad," she said. "Okay, you've convinced me that you're worried about this stuff. Which, I suppose, means that you're sure that you saw Masha and Zeb get taken off the playa, and that means you think the explosion was deliberate." She closed her eyes and took a deep breath. "Back down the rabbit hole, here we go."
"Wait till you see." I brought up the VM, brought up the directory listing. Sat back.
"What is this I don't even," she said, staring wide-eyed at the listing. I handed her the mouse. She started clicking, beginning from the top. The first item was budget_8B5S.xls. It turned out to be a spreadsheet listing income and outgo. The titles down the left side were peoples' names. Across the top was a list of companies with bland names like "Holdings import/export" and "Property Management Ltd" and in the middle were dollar figures. None of them were very big -- $1,001, $5,100 -- the biggest was $7,111.
"A lot of ones in those figures," I said.
Ange nodded. "Yeah. That's interesting, isn't it?" She stared at them for a while longer and got out her laptop. "You still like IPredator for anonymity?"
"Generally. But why don't you run it through Tor after IPredator." Tor -- The Onion Router -- would bounce the browser requests through a bunch of random computers, and none of those computers would know where the request came from and where it was going. It was slow -- slower than IPredator, which was slower than the raw network connection. But there's a time to be paranoid, and this was it.
I stared at the mysterious spreadsheet for a while. The dead man's switch asked for a password and I entered it.
"There you go. I knew I'd read about this. The number one appears more frequently than other numbers in financial data."
"What? Why?"
She showed me the article, a summary of a paper at a security conference. "A lot more stuff costs between $10 and $19 or $100 and $199 than $20 and up, or $200 and up. Retail psychology: people are more likely to buy stuff that costs $9 than $10; it's a big jump. Ninety-nine dollars has less psychological weight than $100, but $999 is a lot less crazy than $1,000. So you get a lot of clusters of numbers with ones in them. But when people make up numbers, faking their finances or cheating on their taxes, you get a much more even distribution of numbers. It's one of the ways the IRS looks for tax cheats. I read about it in a book on data-journalism -- tried to get my section's TA to read it last year but she said she had to get us ready for the exams and to show it to her again afterward.
"So all these ones, they're inserted by someone who knows he's making up numbers and wants to be sure that there's plenty of extra ones to make the statistical distribution look right. Someone who doesn't expect a human being to look at these numbers closely, but worried that a computer might spot them."
She peered at my spreadsheet and started to type again, but the dead man's switch wanted a password again and I didn't grab the computer in time to enter it. The VM disappeared.