Authors: William Hertling
Tags: #Computers, #abuse victims, #William Hertling, #Science Fiction
“Give him a better way,” Thomas says, grabbing a skewer of meat off the serving plate. “Design a real set of privacy enhancing features.”
“What?” I’m too deep in my thoughts and I’ve lost the thread of the conversation.
“Carl wants to make money with a privacy product. You should design a real privacy product.”
“He’s not going to care about the technical details of privacy.” I take the other skewer. Beef grilled over sumibi charcoal, with a smoky flavor. My mouth wakes up and I realize I’m starving.
“Give him a whole product, not only technical details. Describe the experience of using the product, and how they’ll make revenue, and why this is better than the alternative.”
“I want to write SQL queries, not make slides.” This is one way of saying I want to sit alone by myself and not interact with anyone.
“Do you? Or do you want to change the world?”
I set aside my food and stare at Thomas, his soft brown eyes, the little crinkles at the corners, the sideburns peppered with gray. This is why I love him. Not because he sees infinite possibility in every situation, but because he senses some deeper truth about me that even I lose track of. Unbelievably, he likes what he sees.
I
OWN A
thirty-year-old VW bus. Well, own is a strong word, since it’s not registered to me. I paid cash in a private sale twelve months ago in Idaho. I have a fake driver’s license corresponding to an actual New Yorker who doesn’t own a car, and a real vehicle registration in their name. It was a complicated bit of work, but it will cover me in the event of a routine traffic stop. The final touch was installing flowery curtains. Now it’s the mobile office I use when I need the highest level of security.
I wrote a script to pick a random place to park the van, usually in the parts of Portland where you find the most hippies. The VW blends in well.
Today I’m a quarter of a block down from a coffee shop with a good wi-fi signal. I aim the directional antenna at the coffee shop until I maximize the signal strength.
From there, the direction my packets take is very, very complicated.
The Raspberry Pi, a tiny computer smaller than a credit card, is dirt cheap and can do anything a regular computer can do. Each iteration gets smaller, more powerful, and less battery-hungry. I paid cash for a thousand units direct from a distributor.
In my own version of a clean-room, dressed in a biohazard suit so I wouldn’t leave DNA on them, I embedded the tiny computers inside weatherproof cases, marrying each to tiny solar panels and a rechargeable battery. Each component was chosen because they were cheap Chinese parts manufactured by the millions.
The little computers run a secure variant of Linux, with a single open port, protected with heavy encryption. Part of the computer board contains a sensitive accelerometer, which means I can detect when the computer is moved.
When I travel, I find coffee shops and homes with wi-fi signals and flat roofs, and I toss one of these onto the roof.
If you were to find one, pick it up, and look at it, you might not be sure what it was. If you plug a headphone into the jack, it plays pirate music stations.
Of course, that’s what it does only if it’s been moved or if the battery level drops too low. Because when the accelerometer detects motion, the code I wrote replaces my extensive software with a simple dummy music app and erases the remaining storage a hundred times over.
If it hasn’t been moved, and the battery level has never dropped too low, then it does what it’s supposed to do: operate as part of my private onion routing network with hundreds of nodes to disguise my digital trail so others can’t trace my location.
This secure private network is what I’m using right now to research Erik Copley, my packets bouncing back and forth in encrypted channels. I haven’t trusted TOR since the government took down Silk Road. I don’t buy the explanation that they used unrelated weaknesses. The government isn’t going to let on that TOR is broken, any more than we let the Germans know we’d broken Enigma.
Erik Copley, forty-nine, is married to Jessica. They live in Tucson, Arizona. Jessica is his third wife. The first two managed to escape him and move far, far away. Jessica, however, is in a downward spiral.
Tomo embedded NFC payments into the latest version of its mobile app, so you could pay for things in person without using a credit card. Jessica was an enthusiastic user, until shortly after she married Erik. Now there are extended periods when she doesn’t leave the house.
We share purchasing data with a major online retailer so we can improve advertisement targeting. Jessica buys things online during these at-home spans: bandages, pain relievers, an arm sling, even crutches. The purchases are consistent with someone who plays hockey or football, an interest Jessica does not possess. She’s regularly getting the kinds of injuries you’d associate with dangerous sports despite never going out of the house.
Unfortunately, Tucson is a little too far for me to drive without anyone being aware of my being gone, and I can’t come up with a good excuse to fly there. If there had been a good database conference in Phoenix, or even San Diego, it might be feasible.
I need a remote hack. Something I can do from here, with an eighty percent or greater chance of killing Erik that will appear to be an accident.
I run through my gamut of options. I can’t count on getting Jessica out of their home, which rules out several simple and reliable house attacks. He doesn’t work in construction or a manufacturing facility, unfortunately, because lovely and dangerous things happen around heavy machinery. I could compromise his car’s brakes, or maybe lock him inside on a sunny day until he dies of heatstroke, except I used a vehicle attack on the banker in Beaverton, and I’m hesitant to create a pattern by employing anything similar.
I scan his Tomo messages, searching for anything I could use. He’s having an affair. He goes to strip clubs with his coworker. He likes Japanese anime. Ugh. I’m about ready to give up.
I could kill him with an elevator at his job if I must. I could stop the thing about eighteen inches off the ground, open the doors a foot. He’d hesitate but eventually try to go through, and when he did, I’d raise the elevator the rest of the way, crushing him between the floor of elevator and the top of the opening. I bought a suite of elevator exploits from a Chinese kid for a thousand bucks that I’ve been saving for a rainy day.
I probably spend a quarter of my disposable income on zero day attacks. The really good ones, the exploits in operating systems and browsers that can be used for almost anything, are usually too expensive for me to afford, in part because I’m bidding against the NSA, the Russian mob, and the Chinese government, who have big-time budgets for this sort of stuff. Besides, I have my purpose-built backdoors in Tomo to take care of most of those needs. No, I tend to spend my limited cash on vulnerabilities in embedded systems like elevators, cars, and household appliances. They’re more obscure, and at least so far, no nation-states have shown interest in taking people out with their refrigerators.
The problem with the elevator exploit is that I’m worried about detection. There’d be a thorough investigation, right down to the firmware on the embedded computers, and there’s no way for me to mask my changes.
I’d eventually like to build a drone for these distant targets. A video made the rounds a while back of a handgun mounted to a quadcopter. The range on a quadcopter is awful, a few miles at best. New, long range, fixed-wing drones under development have solar panels and can stay aloft indefinitely. Combine one of those with a gun, and automated cellphone tracking, and you could kill a person anywhere in the world, fully autonomously, with no way to track back to the originator. The tech is almost there. For now, it’s still a pipe dream.
I keep reading, working my way backwards chronologically, hoping I’ll know what I’m looking for when I see it.
Boom.
He used to play racquetball with a friend, although he stopped for a while after his pacemaker was implanted four years ago. His pacemaker . . .
I switch computers. I’ve got another machine, connected via another onion route entirely, running a VPN to an exit node in Brazil. I connect to Tuned to a Dead Channel, the latest incarnation of a community so old it dates back to the pre-Internet BBS community. There isn’t a group much more exclusive than this. Even among these select few, I’ve got something they don’t: a
page sysop
link rendered in green monospaced type, PR Number 3 for the font geeks out there.
Nathan9 is online.
SysOp> What’s up?
Angel> Pacemaker attacks still viable?
SysOp> Not really. You can’t sniff the data anymore. Although...if you have the device ID, anything is possible. Unfortunately, it’s only stored in PMA.
Damn. Permanent Medical Archive, the centralized medical data store, was one of the few systems with legitimately strong protection.
Angel> Known PMA exploits?
SysOp> BWB claims access. Data for 50K, changes for 100K.
Nobody knows if Beef with Broccoli intends to insult the Chinese or if he’s actually Chinese. Since he tends toward Chinese tools, Nathan9 and I suspect the latter. I can’t afford five thousand, let alone fifty thousand, and BWB isn’t known for exchanging favors.
I disconnect from Dead Channel, shut down my connection, and start a new one. No point in letting anyone watching connect the dots. I spend the next hour researching pacemaker manufacturers. There are a dozen manufacturers, four of which are common in the United States. I know who Erik Copley works for, and a bit of searching turns up their healthcare plan. From there I find eligible cardiologists in Tucson.
I search Erik’s Tomo geolocation data from four years ago to find a time when he would have spent most of a week in his home recovering from surgery. Once I’ve found that, I examine the location log from the days prior to his homestay. There! He was in Southern Medical Center for twenty-four hours. I visit each of the eligible doctors’ websites to find out who would perform surgery at SMC. There are three and they’re all part of the same practice.
I’m going to need access to their email. Not their personal email, which would be easy to read using the extensive permissions the Tomo app demands on installation, but their work email, which may be harder to obtain. I send a message to a non-existent email address at their domain, receive a bounce message, and examine it to see who their provider is. Armed with that, I look up all the doctors, nurses, medical clerks, and receptionists, and grab their Tomo passwords.
We don’t store passwords in the raw. We use a salted hash, among the best possible ways to safely store a password. Of course, most attackers don’t possess an army of half a million high performance servers and inside knowledge on how the salt is generated.
A few minutes later, I’ve obtained the passwords for all twelve employees, and I try them on the email server. I’m counting on someone foolish enough to use the same password on multiple accounts. Sure enough, one of the medical clerks has. I breathe a small sigh of relief. Legitimate password access beats having to backdoor my way in.
Even with all this work done, I don’t know exactly what I’m looking for. I’m still phishing for some weakness I can exploit.
I wedge my thermos between my knees and twist off the cap to pour myself another cup of coffee. I’ve been in the van for hours. My vertebrae pop as I stretch. I take a sip of coffee, stretch again, and then do my business.
That means pulling out a five-gallon bucket from Home Depot, prying the lid off, and perching on the rim while my urine splatters off the bottom of the bucket. Primitive yet functional. I usually go out if it’s more than pee, which is a huge process, because then I’ve got to disconnect all my network connections, move the van to some place without security cameras, use a coffee shop or restaurant bathroom, then move the van again, find new wi-fi connections, and reconnect to the onion network. Better to hold it in that case.
Once I’m done, I return to reading the clerk’s email. It takes a while before I finally find a weakness. One of the three doctors doesn’t officially work on Fridays, but he apparently handles patient calls on his day off, because he occasionally emails in a request for patient data. Which the clerk sends him via his personal email account in clear violation of the PMA policy. Lovely.
Today’s Wednesday. It’s two days to Friday and his day off.
I shut down my computers and pack them away, start up the van, and drive east to a new part of town. I leave it parked between a commercial and residential neighborhood where it won’t attract attention. I put on my prosthetic arm and don my bike gear and a backpack.
With a bulky rain coat, helmet, bike shoes, wrap-around sunglasses, and second arm, I’ve changed my profile and gait. I return to my bike left outside a coffee shop, clamp the prosthetic onto the right handlebar, and ride back to the apartment building where I keep my bike locked up alongside dozens of others belonging to the residents. I shrug off my prosthetic, and slip it into the backpack with a practiced move. From there, it’s a quick walk back to my place.
* * *
On Friday, early in the morning, I email work and tell them I’ll be working from home again. In reality, I already finished today’s work. I slaved away sixteen hours yesterday and left half my work sitting on my computer, with scripts standing by to check in code and send emails at predetermined times. I won’t reply to any emails, but I can claim to have been buried in code changes.
I head back to the van, reversing my steps from two days before. I check the bike and van for radio emissions to ensure my equipment hasn’t been hit with a GPS transponder. Someone would need to suspect me to do that, and to date my perfect record stands: everyone I’ve eliminated has been classified as some form of natural or accidental death, never murder, so it’s unlikely anyone is onto me. I play it safe, nevertheless.
I flip a hidden switch in the Tomo mobile app for both the clerk and the doctor. Well, technically, I flip a debug switch on their accounts, and the next time their Tomo mobile app checks for updates, it sees the change, and begins broadcasting continuous telemetry data, including their GPS location, to our servers, where it goes into a log file associated with their account. Later, when I turn the debug switch off, the log file will be deleted. This clever little feature, ostensibly to help the software engineers troubleshoot bugs, perfectly fits my needs without requiring security exploits on my part. Which is why I indirectly requested the implementation in the first place.