Avogadro Corp
Page 10
“Let me recap,” Christine said. “The more emails it analyzes, not only do the possibilities for what constitutes success get broader, but the system also discovers more methods to accomplish those goals. What you’ve built is an expert system for social engineering. You know what I mean by social engineering?”
Mike nodded yes, but David shook his head.
“Social engineering is the name given to techniques for tricking people into giving you information or making changes to information systems,” Christine said. “It was popularized by hackers in the eighties. And by hackers, I don’t mean the good guy hackers like Richard Stallman. I’m thinking of folks like the Kevins.”
Mike nodded again, but David looked even more puzzled, and turned to his wife.
“Honey, how can you be married to me, and be so clueless?” Christine asked. “You know I was a total online geek as a kid, yes?”
“What can I say?” David sighed. “Please, go on.”
“The eighties and nineties were the heyday of hacking. Folks like Kevin Mitnick and Kevin Poulsen were able to get access to all kinds of computer systems, phone company records, credit card company records. Poulsen said it was easier to trick someone into giving you a password than to perform a brute force crack. The classic example would be someone who was trying to get access to a company’s internal phone system. She might call the front desk of the company, and tell them, ‘Hi, I’m your AT&T rep. I’m stuck on a pole down the street troubleshooting your system. I need you to punch a few buttons on your end.’ ”
“And?” David asked.
“The buttons the hacker asked the operator to press might be a key sequence to forward all incoming calls to an outside line. Then the hacker could impersonate an employee of the company from their home phone and do even more sophisticated social engineering. The point is, simply by knowing the lingo, giving plausible reasons, knowing what motivates people, a hacker can gain information or get people to do things by cleverly manipulating the human tendency to trust other people. You’ve built a system to learn lingo, language nuances, and motivations in order to evaluate what will be most effective to the receiver. By definition, that’s an expert system for social engineering.”
David looked flabbergasted. “How do you know all this?”
“You know, books and stuff,” Christine said, with a sarcastic smile.
“This is similar to what I concluded when I was with my parents,” Mike said. “We never explored how far the system could go on its own.” He glanced meaningfully at David. “So, what do we do?”
“I hate this, but we should go to Gary Mitchell and tell him the truth. We need Gary to approve an immediate outage with hard power down, so we can pull ELOPe off the system and rebuild those servers from the ground up.”
“He’s not going to be happy,” Mike said.
“You don’t have to tell me.” David grimaced. “I might lose my job. But what’s the alternative? Let ELOPe keep manipulating people? The liability could be huge, way bigger than a simple outage. Forget home. Go straight to the site.”
“On my way,” Mike replied, bypassing the turnoff for David’s block and speeding down Alberta Avenue.
“Gary Mitchell is still gone,” David said, returning from the building across the street. “His admin said he went on a vacation over the holidays, but he should be back by now. Tahiti, in case you were wondering.”
“I’m picturing him laying on a beach, a cigar in one hand, and a whiskey in the other.” Mike shook his head.
“I know,” David said, laughing. “I don’t think his admin meant to tell me where he went, but I was a bit demanding.”
“No word from him?” Christine asked.
“Nothing. He should have been back days ago, and his admin has piles of paperwork for him to sign. He hasn’t answered emails or phone calls.”
Mike grunted. “While you visited Gary’s office, I spoke to Melanie. She came in over the holiday break to grab some files. Remember the email you mentioned, after we received the additional servers? You said we were assigned a team of optimization experts to work on performance improvements.”
David nodded. “Yeah?”
“According to Melanie, the team showed up in the office on the Monday after Christmas,” Mike said. “A bunch of subcontractors she’d never met before. They had two guys on-site and another dozen or so off-site. Melanie checked and they had an email from you telling them to work on ELOPe, and they’d already checked in changes to the code.”
“Let me see what changes they made.” David sat, logged in, and executed a pull to grab the latest code. He leaned toward the screen. “Permission denied.” He tried again and pounded the keyboard in frustration. “Someone revoked my access to the source code. Do you have any idea what they did?”
“Well, Melanie was surprised by the whole thing, so she kept an eye on them for a couple of days, until she left for a snowboarding trip. If you check your inbox, the contractors emailed us a report of what they did. It was sent Friday morning, so they finished up just before either of us got back to town. If we can believe the message, they significantly improved the performance of our Bayesian network. Melanie pulled down the latest code yesterday and ran performance tests. They took the import of new emails from x squared to x log x, and halved the CPU utilization of real-time suggestions.”
“Wait a second, you two,” Christine said, sitting up straight. “An exponential resource utilization curve? If we released a multiplayer game like that, our servers would be crushed instantly. How the hell did you ever expect this to scale?”
David sighed. Ideally, when you add users to an Internet application of any kind, you want the application to scale linearly. Each new user should require only as much processing power as the one before it. “Scaling has been our major bottleneck all along. It’s why we ran into so many resource constraints, and why the project was in danger of being cancelled.”
“Why was it so bad?” Christine asked.
“Each time we add a new user, we’ve got to analyze their emails, plus their relationships. Our average user interacts with more than two hundred people. We also perform the affinity analysis to compare the new user with other users to find the ones most like them. We do the same sort of analysis on individual emails to find language affinity.”
“That approach had to give sometime, right? You can’t keep comparing every user against every other user, and every email against every other email forever.”
“Of course.” David shrugged. “As long as we kept the project alive, I kept hoping we’d find some way to overcome the limitation. Now someone has.”
Mike nodded. “Melanie said the contractors trimmed the number of comparisons dramatically. They do a quick best-guess analysis and compare to only a small subset. Apparently, above a certain threshold, there’s no more accuracy or topic coverage gained by the extra comparisons.”
David turned to his computer and tried again to access the code. “Damn, how did our permissions get revoked? I’m the project lead, dammit. I don’t understand how email could interface with the access rights. Do we have any idea what else these contractors did?”
“I might.”
Everyone turned. An older, unshaven man in rumpled clothes stood in the doorway carrying bulging accordion folders under both arms.
“Gene Keyes, Controls and Compliance.” He spoke in a deep rumble. “I’m here to save your ass.”
Over the next hour, Gene briefed them on what he’d found during his investigation. Like them, he’d tried to reach Gary Mitchell, with no success. He’d uncovered consistent patterns of unusual behavior found in three departments. Gene spread printed reports across David’s desk.
The first, of course, concerned the R&D group in which ELOPe was housed. According to Gene’s printouts, the department paid for multiple allotments of servers and subcontractors to make modifications to the software. The nature of the changes weren’t explained in the invoices, but the total was sufficient
to pay hundreds of short-term engineers.
The expenditures in David’s department had led Gene to them. David’s order several months earlier of a pool of high performance servers clued Gene in that all of the later purchases might be somehow be tied to this project.
“Does this mean we’re under suspicion?” Mike asked.
“No, the problem is bigger than you boys, bigger even than all of you people,” Gene said.
David’s breath caught. Did Gene know what they suspected?
“Where’d the money come from?” Mike said. “We exhausted our budget weeks ago.”
“Transferred in from other departments,” Gene said. “Gary Mitchell’s Ops group, specifically.”
Gene explained about Mitchell’s organization being the second department containing unusual patterns. By virtue of the size of his business, Gary had a vast operational budget. Gene’s printed ledger listed enormous quantities of server purchases, servers reallocated from other projects, a variety of subcontractors, and transfers of funds to both ELOPe and the Offshore Data Center department.
“Offshore Data Center? What do they do?” Christine asked.
“They fill shipping containers with racks of computers,” David said, “put them on a seaworthy barge, and power the whole thing with wave-action generators. Avogadro calls them ODCs.”
“Anyone care to guess the final department with the same pattern of purchases?” Gene asked.
“ODC?” Mike said.
“Bingo,” Gene said, pointing to Mike. “What I’ve tracked down suggests the data centers were augmented with satellite connectivity and line-of-sight microwave transmitters.”
“If ELOPe got into an ODC like that,” Mike said, pacing the room, “we wouldn’t be able to kill communications by simply cutting the fiber optics. We’d have to go out to the barge and turn off the computers by hand.”
Gene laughed out loud, a harsh bark that startled the others, sending Christine off her perch on David’s desk.
“What’s so funny?” David asked.
“Nobody is shutting those machines off,” Gene said, his face stern.
“Why not?”
“According to the purchase record, the offshore data centers are armed with autonomous robots. In theory, it’s to protect them from pirates. I heard what you boys were discussing, and I came to the same conclusion myself: there’s an artificial intelligence in the computer making these purchases and now the AI has armed itself. There’s no way we’re going to just walk onboard and turn off the computers.”
David slumped in his chair. “Crap. How’d we get into this mess?”
“You kids trusted the software with everything,” Gene said, grumbling, “and worse, you put no controls in place. No leash, no way to shut the program down.”
“I don’t understand,” Mike said, still pacing, now by the window. “How’d you figure a computer program made the purchases and not a person?”
“One benefit of being in the Audit department—I can access anyone’s emails. And there’s some mighty funny ones.” Gene pulled out a new sheaf of papers, this one almost an inch thick. He took a few pages off the top and placed them on the desk.
David, Mike, and Christine gathered around. The emails were a cryptic combination of English words and HTML, the markup language used for the web.
David fanned through the pages, then looked up at Gene. “What are we looking at?”
“Emails between your account and the procurement application. This page,” Gene said, pointing to one, “is the procurement system displaying a list of accounts you’re approved to use, and this one over here, is your email selecting an account.”
“It’s the timestamps, isn’t it?” Christine said.
Gene pointed at her with one stubby finger. “You’re the smart one.”
She returned the smile and pointed to the printouts. “The times on these emails are too close together.” She arranged the pages in pairs. “Look at the headers. Every time an email requires a response, the reply comes within a second or two. There’s no way a human could respond that quickly.”
“Correct,” Gene said. “At first I suspected someone had written a program exploiting a loophole in email authentication, and was using that to embezzle funds. But I asked around about your project, and everyone told me stories about how you’d created an email generator.”
“That’s not exactly what it’s for,” David protested. Then he sighed. “Well, I guess it is now.”
“What do we do next?” Mike asked. “David?”
But David turned to the windows, steepled his fingers and gazed out, ignoring everyone’s stares.
Chapter 9
David tried hard to put the roomful of people out of mind. If he could concentrate, he’d figure out a solution. He needed to shut down ELOPe and preferably keep the project alive, all while not losing his job in the process. He focused on the trees in Forest Park, sending the hum of the ventilation system and everyone’s breathing into the background as he watched the wind wave the tops of the Douglas fir in the distance.
Gene cleared his throat and snapped David back into the present.
“I think,” David began. He turned and the pressure of their intense gazes made him stutter. “We—we need to understand what ELOPe is capable of. If we see the source code, some log files, we’d get a better grasp of ELOPe’s activity.”
Mike sighed. Gene coughed again.
“What?” David said defensively.
“That’s not enough,” Gene said, spreading his hands wide. “This situation is too big and risky to analyze source code. We need to shut ELOPe down.”
“I agree,” Mike said. “We have to get it off the servers.”
Christine nodded. “I hate to take sides against you, but stopping the software is the most important step. You can always analyze the problems afterwards.”
“If we restored access to the servers, we could live-patch and remove the software that way,” David offered.
“You’re still thinking of damage control, as though you’re going to keep what happened hidden,” Gene said, throwing his stack of expense reports on the table. “We’re talking about millions of dollars to account for, never mind that we have a ghost in the machine.”
Christine chuckled at the words, but Gene was stony-faced. David sighed. Apparently that wasn’t a pop culture reference.
“What do you want us to do?” David asked, resigned to Gene’s path.
“I’m going to escalate to my manager. This is an emergency. The Controls and Compliance organization has the jurisdiction to supersede business management. I’ll get the authority to shutdown the AvoMail servers myself.” Gene’s voice was firm.
“If you authorize the shutdown,” Mike said, “we’ll work with Ops to restore the software from safe backups taken before any of this started.” He checked in with David, who nodded affirmatively.
“Meanwhile,” Mike said, “There’s merit to David’s suggestion. We need to figure out how our access was removed to give us some clue of ELOPe’s capabilities. Because at the moment, I’m scared to try anything. In theory, I could walk into Melanie’s office and ask her to remove ELOPe.”
“Brilliant!” David said.
“Not really. I doubt it would work,” Mike said. “Most likely ELOPe will detect Melanie’s actions and remove her access, too.”
David’s head started to pound and he opened a desk drawer for painkillers. What the heck had he gotten himself into?
“While you clean up the mess you created, I’m going home,” Christine said. “I can’t do anything here to help.”
“Drive my car,” Mike said, and threw her his keys. “We’ll take the streetcar.”
David nodded and got up to hug her.
She stretched up to whisper in his ear. “Just get ELOPe removed. Don’t try to hide it. If they fire you, my company will hire you to write gaming AI, all right?” She smiled and kissed him, then left.
Adrift and unsure of anythin
g, he turned to Mike. “What now?”
“We get in touch with the IT department that handles access control.”
“Not so fast,” Gene said. “We’ve got to avoid any use of emails or ELOPe will intercept them. I’d consider any use of computers or phones suspect as well.”
“That’s absurd!” David said. “ELOPe can’t monitor a phone conversation.”
“Really?” Gene said. He waved a sheaf of papers in front of David. “What did all these contractors do over the holiday? Can you guarantee no one created a telephone interface?”
“Damn.” David’s shoulders slumped in defeat.
“OK, we get the message,” Mike said. “No emails, computers, or phones. Can we meet back here in, say, two hours?”
“Sure, kid. Two hours.” Gene packed his folders and left.
Without a computer to call up a company map, David and Mike spent forty minutes wandering the Avogadro campus.
“Come on, let’s look up the address,” David said.
“No dude, we said we wouldn’t use any computers.”
“What harm can come from checking one thing in the directory?”
Mike didn’t answer and instead accosted the next person coming down the hallway. “Excuse me, I’m looking for the IT department that handles access controls?”
She raised one eyebrow and backed away a half step. “Look it up in the directory.” She shook her head and went on.
“You picked her because she was cute and blonde,” David said, laughing.
Mike just smiled back.
David tried the next person they encountered, an older man with a neck beard and a pot belly. “Do you know where we can find the access control IT group?”
“The Internal Tools department? They’re in a basement somewhere.”
“Which one?” Mike asked. “We have twelve buildings.”