Kill Process (31 page)


Authors: William Hertling

Tags: #Computers, #abuse victims, #William Hertling, #Science Fiction


If they’ve taken it this far, they will never leave her alone, not until they run out of ways to torture her (unlikely) or become bored of her (somewhat likely) or she kills herself. It’s not going to help to tell Igloo this.

“Why are you here,” I ask, “and not with her?”

“I thought I could find them, figure out who’s doing this. She sent me their messages. They’re coming from an IP address range in Sweden that belongs to a VPN provider.”

“You’re not going to be able to trace them.” In fact, it’s more likely they’ll find Igloo and threaten her too.

“No, but they’re using a tool called Mole to take over her phone. Because they know things she’s only talked about, like they’re listening to her all the time, even when she’s not on the phone. I found a darknet forum where Mole was created and I’m pretending to be a teenage guy.”

“She should turn her phone off,” I say. “Not give them anything else to use against her.”

Igloo shakes her head. “They told her she’s not allowed to turn her phone off, or they’ll share the photos.” Her voice catches. “They created a whole website under her name, password protected. They keep threatening to turn off the password.”

“Is she likely to hurt herself?”

Igloo wipes her face on her sleeve. “I don’t know.”

“You should go home right away, be with her.”

“I’m going to find the assholes who are doing this and fucking kill them.”

“I will take care of it,” I say, my voice firm.

Igloo looks up at me.

“I have contacts from when I used to work in security, white hats. They’ll find these guys quickly, faster than you. They can take care of the website, and destroy all the photographs.”

Igloo stares. I’m not sure if she’s even seeing me.

“What did I tell you your first day at Tapestry?”

“Never get coffee or fix the copier for a man.”

I come over and sit next to her. “True, but not what I was thinking. I also said I would take care of my employees, and I will. Go pack right now. I’ll drive you to the airport. Whatever’s the next flight home, take it. Be with your sister. She needs you in person. I’ll take care of these scum.”

*     *     *

It’s almost one in the morning by the time I see Igloo off at the airport. I solve one small mystery when I watch her pack. I often wondered how her sweatshirt stays clean, given she never takes it off. Half of her closet was white hoodies, one after another hanging in a row.

I’ve been up since five, and I’m exhausted after fourteen hours of work and tonight’s drama. Still, there’s no way I can sleep. Every hour that passes increases the chance of irreparable harm. If the scum post photos or videos publicly, there will be no way to scrub them from the Internet, despite Tomo’s pretend version of privacy. Whether anything is released or not, the odds are high Igloo’s sister may harm herself.

I need my tools and a place to work.

There’s a storage facility off I-84 I chose specifically for its location and 24-hour access. I drive there now, park in a corner out of range of the security camera. With my laptop bag over my shoulder, I skirt the parking lot to enter through a side door, my hand over my eyes as if to shield them from the light. I have a soft RFID transmitter that can mimic different RFID keys, and in this case, I have the codes of several different tenants I stole over the course of a few months after I got my own storage room. The reader rejects the first code, accepts the second, and the door unlocks with a click.

I make my way to my storage room, an eight-by-ten cinderblock box at the back of the building. I enter the room and switch on the single fluorescent tube that spans the ceiling. It blinks and buzzes, and then settles into an uneasy light. The room is half full of furniture, with a stack of cardboard boxes along one wall. I pull out a folding chair and card table, set both up, and start my laptop.

In the 1800s, railroad companies criss-crossed the United States in unbroken lines spanning thousands of miles.

In 1865, the Southern Pacific Railroad formed and, over time, acquired other companies, peaking at 14,000 miles. Their right-of-way encompassed the railroad line and a swath on either side of the tracks. Southern Pacific built a nation-spanning communications network along those tracks using microwave transmitters run by a division of the company called Southern Pacific Communications.

In 1972, Southern Pacific Communications began leasing extra capacity on their network to large companies as private long-distance phone lines, skirting the existing telephone monopoly. Then in ’78, MCI won the right to provide switched-telephony services to compete with AT&T. Southern Pacific also sued, and, in the Execunet II decision, was granted the right to offer their own switched telephone network. They needed a new name and chose SPRINT, an acronym for Southern Pacific Railroad Internal Networking Telephony.

That brings us to the modern day, and the fiber optic switch station located on the other side of this cinderblock wall.

A couple of years ago, I broke into a Sprint supply truck and replaced a stock blade server with a customized version. I was back in touch with Nathan9 by then. Still the master, compared to me, he connected to the Sprint network switch station and faked imminent failure messages from a blade server. The monitoring team received the messages and routed the truck to the station, where the blade was replaced with my compromised version.

Now I enjoy direct access to Sprint’s Internet backbone through my blade server plugged into their slot.

Years ago I compromised a server cluster in Germany, and it, along with a few other servers around the world, have been unwittingly hosting backups of all my tools for years. I download a compressed virtual machine, or VM, image from the server. The VM runs on my Mac, insulating the host operating system by running a simulated computer within the real one. If someone tries to attack or profile me, they’ll only penetrate as far as the virtual machine. The VM is preconfigured with all the tools I don’t want found on my computer because merely possessing them is a crime.

It’s not as perfect as my preferred setup, which would require completely scrubbed physical hardware, but then I’m deeply paranoid. No matter how good you are, someone else out there is better, and playing in this space is as likely to attract unwanted attention as it is to achieve the goals you want in the first place. When camping, you need twice the warmth under you as you do above you. In hacking, you should spend twice the energy on avoiding being detected or traced as you do on the hacking.

Well, enough foreplay. Time to get to work.

Ratters use remote access tools, originally designed for sysadmin-type work, to remotely install software, monitor computers, and fix problems. That same set of tools, applied to more evil purposes, can be used to watch your every keystroke, record your webcam or phone camera, or change what you see on your screen. Since the ratters are behind a virtual private network, as Igloo said, I won’t be able to trace their IP packets directly back to them, which would be the easiest and most direct way to identify them.

Nathan could probably do it, because he’d possess the tools to intercept all the traffic going to and from the VPN data center. I’m dead set against asking. If he does all my work for me, I’m no longer an equal trading favors, but a supplicant begging indulgence. We have a long history, and he wouldn’t turn me down, but I’m afraid of changing the nature of our relationship.

I consider the tools to hide my point of origin. Do I still trust my own backdoors into Tomo? How about my onion network? The last time I used it, I lost a few nodes. I can use a VPN, but that only goes so far. I could compromise a few systems and set up a temporary routing network, but my tools are a year out of date, which means I won’t have as many zero day exploits. I decide to VPN first, then take my chances with my old Raspberry Pi network. Either the nodes will be up or they won’t.

A few minutes later, I’m reconnecting to the old network, the nodes coming online one by one. Each node reports a last use date consistent with my previous usage. Some of the nodes chosen at random don’t respond, about par for the course, given that those rooftop boxes are two years old now. Surely some were discovered and thrown away, had their solar panels covered with leaves or other debris, or otherwise failed due to exposure. Soon enough my packets are routed through eight nodes.

A custom search tool connects in parallel to all the darknet forums I have access to. There’s a bit of sadness when I see two of my old favorites are gone. The search tool scans the ones left to find any mentions of Mole, the RAT software Igloo detected. A few minutes of reading uncovers that Mole is newish, about four months old, based on an older RAT. The source code is available.

I think of three basic strategies I can exploit: I can try to reverse engineer Mole, looking for undiscovered exploits that would let me tunnel back into the hackers’ computer from code I’d run on their victim’s phone. It would be powerful because it would allow me to identify them and counter-attack in one. Unfortunately, it requires finding and using an exploit in software that’s presumably been peer-reviewed. If there is a weakness, it could take days to find. Backtracing their VPN connection is another option, though perhaps beyond my abilities.

Lastly, I can search the forums themselves for something to identify the hackers: a brag mentioning the victim’s name or an image file matching a known photo from the phone. This is the simplest approach, and costs me very little. I configure my spidering search tool to find the closest matches to the messages I received from Igloo. Then I sit back to wait, because the process isn’t fast.

Thirty minutes later I’m regretting I stopped for that coffee on the way back from the airport and don’t have a bucket in my cinderblock box. I make a mental note to never again own a villainous lair without a toilet. I’m older and richer, and frankly, too tired and grumpy to rough it. On top of that, I wonder if I’m starting menopause. I’m forty-five. Could it be happening?

With a sigh, I turn to the stack of boxes. I have no idea what’s in most of them. I acquired them at an auction at another storage facility, and moved them in here for show. The second box I open has a men’s felt cowboy hat. I turn it over in my hand. What the hell, it’ll hold liquid for a little while, at least.

The search returns, and I’m staring at the phrase Hitler’s Mustache. What the hell? Am I dealing with a neo-Nazi group? It’s bad enough I have to handle misogynists, now I’m getting into Nazis? Frak me. I shouldn’t have this much responsibility.

A few minutes and web searches later, and I laugh in relief. Apparently a Hitler’s Mustache is the Brazilian term for sculpted pubic hair, or what the rest of the world would call a Brazilian wax job. My attacker is merely Brazilian, not a Nazi.

I spend the next couple of hours researching different Brazilian underground forums, and getting access to them. I pass their quizzes to keep out the riffraff, and know the right names to throw around. Although it’s four in the morning here, it’s mid-morning in Brazil. By the time I should be heading into work, I’ve gotten accounts on four of the biggest Brazilian hacker boards. I reconfigure my spider search tool to use my new forum accounts, and redo my earlier search.

It’s going to take a while, so I use the opportunity to decamp the storage facility, walk a dozen blocks away, and leave a message for Amber, asking her to take over my meetings. My throat is hoarse from the all-nighter which adds legitimacy to my “I’m sick and can’t come in” plea.

I stop at another coffee shop, which has just opened for the day, and buy pastries and coffee and use the restroom. There’s a little hardware store down the block, so I purchase a bucket and a padded furniture blanket.

Back at the storage facility, my search results have returned, and I’ve received several matches on Claire’s photos. The downside is her photos are leaking into the wild, the upside is now I have a line on the person who’s doing this: a user named Titereiro.

Things become a little tricky, because the posts are in Portuguese, which I don’t speak. Online translate is my friend, but I must keep it on a separate network connection from my other work. I take the necessary precautions, and cut and paste forum posts, beginning with the ones surrounding Claire’s photos, and expanding to everything posted by Titereiro.

His profile photo is a football club logo of a team in São Paulo. Occam’s Razor says he lives in São Paulo. The forum posts from Titereiro came in from various hours of the day, not an isolated few, which suggests he’s not doing this from an Internet cafe but has steady net access, probably from home. I spend the next hour scanning forum posts, trying to discern patterns. He’s been online for a year. Longer posts and photos are posted at night and on weekends. There are no photos or long posts between 8 A.M. and 4 P.M. In fact, those daytime posts are short, with even more text-speak. So he’s posting by phone during the day. He’s at work, or more likely, school.

Even if I could compromise the message board and either find a log of IP addresses or start monitoring every connection, there would be no point. If he’s smart enough to disguise himself behind a VPN when he’s attacking these girls, he’ll do the same when visiting the message board.

Instead, I download all his posts in raw Portuguese and connect to Tomo’s network. Access to my backdoors at Tomo was part of my ongoing exchanges with Nathan9, and even though I left the company, he would’ve kept them open. He’s not half the coder I am, but maintaining an existing exploit is easier than engineering it in the first place. Most of my changes were not obvious, and only Nathan and I use them, which means the chance of discovery is exceedingly low. If something breaks, it’s more likely to be a random side effect of code changes.

I write a quick Ruby script to break Titereiro’s posts into individual sentences. The script then takes each sentence and searches Tomo’s database of message posts, filtering by those messages posted in São Paulo, by someone of high school age, and ordering by closeness of match. There’s more than five thousand sentences, and what I’m hoping will happen is one user will bubble up, one person in São Paulo who talks about the same sorts of topics, with the same patterns of language usage.
