Avogadro Corp
Page 11
The man shrugged. “It’s pretty dark, that’s all I remember,” he said as he walked away.
“All basements are dark,” David complained.
“No, really dark!” he called back.
“He’s got to mean one of the original buildings, not the new ones,” Mike said. “The new buildings have daylighting built into the basement levels. This is useful.”
Fifteen minutes and three basements later, they descended to the bottom level of one of the converted trucking company offices. After passing down a dingy concrete hallway, the space opened up into a common area surrounded by a perimeter of cinder blocks and old metal doors. A plastic sign hanging from the ceiling declared “Internal Tools Information Technology Department.” Another sign, printed on smaller paper, hung below that one, saying “Welcome to Infernal Tools.” A hand-drawn picture of flames decorated the border.
“Hello?” David called.
A pale, gray-haired head peeked out of an office. David explained their problem, but the person they found refused to help at all, on the grounds that if their access was gone, removal had to be legitimate and should be brought up with security. They argued with such vehemence they attracted the attention of another engineer who came over to listen.
“I’m Pete Wong,” he said, shaking their hands. “I overheard your discussion. I work on the Control Access and Permissions application. On the chance we’ve got a problem, I’d love to help.”
He led them to his office, a cramped space lit by overhead fluorescent lights behind yellowed plastic. David stared at the dismal working conditions.
“Let me check who revoked your access,” Pete said, taking a seat behind his desk. “The only way any changes can be made is using CAP. If someone removed your access, I can find out who and we can contact them.”
David glanced at Mike in relief, glad to find someone helpful and knowledgeable. They took side-by-side chairs in front of Pete’s desk.
“This is odd,” Pete said, after working on his computer for a few minutes. “CAP should log information for two users. The first user would be the real person who logged on and used CAP, and the second user is the person who authorized the work. We need the two because sometimes a manager delegates their authority to someone else, like their admin, who actually makes the changes for them. We track both the active user, as well as the authorizers. According to this, Gary Mitchell authorized the removal of your access rights to the ELOPe, but we have no record of the active user.” Pete poked at his mouse for a few more minutes, his movements growing faster as he got visibly frustrated, before he stopped and looked up.
“I think another application made the change, not a person. But that’s not possible.” Pete said.
“We’re software engineers,” David said. “Can you explain what’s going on?”
“Well, I was going to say CAP was called by another web app, rather than used by a person. Most of the apps we write have service level interfaces so one application can interact with another.”
“Makes sense. A RESTful service API?” Mike said.
“Exactly, but CAP is, for obvious reasons, a sensitive application from a security perspective. We didn’t write a service level interface.” Pete thumped his fingers on his desk, and stared off into the distance. “Now that I think about, I received a request to write a REST interface for CAP before the holiday break, but I denied the change req.”
“Who asked for the interface?” Mike asked.
“Let me check. The request is logged in the database.” Pete typed for a minute. “Huh. Gary Mitchell. What is Gary up to?”
“I’m not a fan of Gary and I don’t always trust him,” David said, “but in this case, I don’t think he’s up to anything.” He paused, uncertain of how much to admit and scared of what he might learn. “Is there any way someone could email in an access change? Or email in a request to change CAP to accept email inputs?”
“By email? No, of course not. They would have to submit requests via the appropriate web application...” Pete trailed off. “Hmm. It’s funny you asked that.”
“Why?” Mike glanced sideways at David.
“A couple of weeks before the Christmas break I had an odd request from a guy named John Anderson in Procurement. He asked for an email-to-web bridge so people could submit Procurement requests by mail. The feature turned out to be easy to implement, less than two days of work.”
The room started to spin, and David grabbed hold of the desk to steady himself. All their fears were coming true.
“Would that allow someone to make unauthorized changes?” Mike asked. “They’d still have to provide a login name and password to a secure system, right.”
“Not exactly.” Pete said. “The Procurement system needs to know the authorized user, and normally pops up a standard OpenAuth login. But AvoMail is one of our most secure apps. I mean, you interact with AvoMail over a secure HTTP connection, so nobody can sniff your password or pretend to be you. When the web bridge is challenged with a login, it uses the identity of the email sender for authorization.”
David’s stomach clenched. On the one hand, this might be the explanation of how ELOPe accomplished so much, taking the events of the past few weeks out of the realm of the supernatural and back into the realm of the technical. Technical problems could be solved. On the other hand, this was a wide-open door for ELOPe to do almost anything in the company.
“So you’re saying someone who has access to email can hit pretty much any web page inside Avogadro?” Mike said, raising his voice. “If they hacked the email system, they’d get uncontrolled access to any web application. Seems risky to me. Didn’t your change have to go through a security review?”
Pete visibly wilted.
“Sorry, dude,” Mike said. “I’m trying to understand. I’m not judging.”
Pete nodded and continued in a quiet voice. “Sean Leonov asked for the feature. I figured if it was for Sean, I should pull out all the stops. I mean, I’m stuck down here in Infernal Tools.” He gestured at the cinder block basement walls and rusted metal door, a stark contrast to Mike and David’s windowed, modern offices. “How often do I get to impress someone?” Pete shook his head. “So, no, I didn’t get my code reviewed. Everything I did was totally off the radar.”
“Sean Leonov asked you, in person?” Mike said.
“Well, not exactly,” Pete said. “John, from Procurement, said in his email Sean had asked.”
“Yeah, well I got an email saying my father was in the hospital. Don’t believe everything you read.” Mike jumped up, pushed his seat away, and tried to stalk back and forth in the tiny office. “ELOPe is playing us all for fools.” He stared at David, his gaze blaming David, even if he didn’t say a word to that effect.
“Let’s stay calm and focus on what’s important.” David tried to keep his voice reasonable. Mike was never this angry, and at least one of them had to remain levelheaded. He turned to Pete. “This is going to sound strange, but we believe email is no longer secure. Someone, or something, has hacked AvoMail. Can you shut down this email-to-web bridge?”
Pete leaned back, an uncomfortable expression on his face. He clearly wanted to say no.
“I know this is a big ask,” David said. “We need you to trust us on this for a few days. If we’re wrong, you’ve inconvenienced a couple of guys in Procurement for a little bit. It’s not the end of the world. But if we’re right, you’re going to help save the company from a major security breach.”
Pete stared at them, alternating from David to Mike, then nodded. “Sure, that’s easy. The bridge app is running on our Internal Tools servers,” he said. “I can stop the process from my console.”
Pete turned to his computer and swung the display sideways so Mike and David could watch. He ran through command line tools to log into the servers, query the status of running processes, and then kill the relevant program. “OK, I stopped the bridge. I’m also changing the permissions on the directory, so it can’t run aga
in until we’ve gotten to the bottom of this.”
“OK, now please do me one more favor,” David said. “Can you verify the bridge is off?”
Pete sighed. “It’s shut down, okay?”
“One quick check.”
He grumbled under his breath. “The test suite I wrote will send an email to generate a procurement order, then check whether the request shows up. Since the bridge is off, the database shouldn’t change.”
Pete worked his keyboard and mouse for another minute, then paused, a puzzled look on his face. He typed again, faster and more furiously.
“What?” Mike asked, moving to sit on Pete’s desk for a better view.
“This is odd. I ran the test and even though the bridge is down, the request got inserted in the database. The bridge is definitely not running. But something routed the email to the procurement app, where it was accepted as a legitimate entry. That can only mean there’s another email-to-web bridge in the company.”
David glanced at Mike. More puzzles.
Pete raised one finger. “Wait! There were subcontractors in here over the holidays. I thought they were here doing routine maintenance, but I don’t know for sure what they touched. Maybe they mistakenly propagated the bridge onto some other servers.”
“We need to figure out which ones and get them shut down,” David said. “Pete, you’re the only one with access right now. Can you write a program to check every server to see which ones are running the email bridge?”
“The IT servers?”
“No, the whole company.”
“Holy cow. We have over a million servers. That’s one heck of a search you want.”
“Do you have the access? Administrative rights on those machines?” asked Mike.
“Sure,” said Pete, “as part of Internal Tools, we can use administrative accounts with full root access for maintenance checks. But still, that’s a lot of servers.”
“All right,” Mike said, ignoring Pete’s protest, “then we have one other thing for you to check for at the same time, a program called ELOPe we developed as an add-on to the AvoMail servers. We need a list of machines it’s running on.” Mike gave Pete a USB drive. “Here are the file checksums, so you know what to look for. I know this sounds crazy, but we think ELOPe is acting independently.”
“Independently?” Pete asked, his voice cracking.
“Yes, an AI acting on its own volition. Making decisions, buying things and manipulating people.”
Pete looked doubtful, but he stuck his hand out and took the USB drive.
“Now just one thing,” Mike said. “Whatever you do, don’t email anyone about this and don’t trust any suspicious emails. We’ll check in with you in person.”
Pete’s eyes went wide. “But...”
“Can you do it?” David asked, drawing himself upright, forestalling Pete’s objections.
“I’ll do it,” Pete said, gripping the USB drive tightly in his fist.
Gene tucked his briefcase tighter under his arm and knocked twice on Brett Grove’s door. The pipsqueak had better be in.
“Come,” Brett’s voice called.
Gene entered, swallowed a bit of pride, and said, “Boss, can I get a few minutes of your time?”
Brett nodded, and Gene took a seat in front of his desk. The corner office had wide windows, a spotless desk, and a large screen monitor. Cabinets along one wall held artsy knickknacks at precise two-foot intervals. A Mont Blanc pen stood in the center of the desk, an obvious showpiece, since not a single sheet of paper, not even a sticky note, was to be seen anywhere in the office.
After explaining what he’d found, Gene expected Brett to understand and endorse the investigation. A word or two of praise would not have been out of order, either. Instead, his arguments were met with disbelief, even mockery.
“Gene, you think you found something here, but you’re not coherent. You’ve been raving for years about how we shouldn’t trust computers, and now you come to me with some story about an artificial intelligence. Do you expect me to believe you? Do you know how ridiculous this sounds?”
Gene held up his accordion folder. “Are you going to look at these reports?” He’d come carefully prepared with the same meticulous collection of data he’d used to present his evidence to Maggie in Finance, and then later to Mike and David.
“No, I’m not going to spend hours wading through hundreds of pages of printouts.” Brett sat back, waving his hand at Gene’s folder. “If you want to convince me, summarize what you’ve got in a slide deck, and present in the staff meeting on Friday. That’s the way we do things here.”
“Damn you, Brett. Listen to me, son, there is a damn monster in the machine!” Gene snarled, leaping to his feet. “This thing is buying guns and torpedoes and robots. There’s no time to put together a PowerPoint presentation. We’ll be lucky to be alive on Friday!” He held himself back, but he wanted to reach across the desk and grab the kid by the shirt collar.
“No, you listen. This is typical of you. You think because I’m thirty years old that makes me an idiot. You’re the incompetent fool.” Brett stood on his own side of the desk, punctuating his every point with a jab of his finger. “You ignore your emails. You don’t use the processes you’re supposed to follow. We’re the number one Internet company in the world, and the only thing you use a computer for is to print stuff out. My grandmother is more computer literate and has more credibility around here than you.”
Brett came around the desk and stood face-to-face with Gene, his voice pitched low and angry. “You would’ve been gone a long time ago, but my predecessor made me swear I’d keep you on my staff before he would give me this job. I don’t know what the hell he saw in you, but I don’t get it. Go take a shower, shave yourself, put on some clean clothes for God’s sake, and put together a damn PowerPoint presentation if you have to buy a book to learn how to use it!”
Standing there, Brett’s face red and flushed and inches away from his own, it all crystallized. He’d been gradually marginalized within his own department by the worthless scum in front of him, and now when he most needed management support, he wasn’t going to get it. Gene blinked once or twice and realized he was wasting him time here. No data or logic would change Brett’s mind.
Later, in his own office, Gene replayed the scene over and over in his head, and thought back to the countless little things that hadn’t gone his way the last year. His pulse sounded in his ears, and he felt almost sick. He opened the bottom desk drawer, and poured himself an inch of bourbon. On second thought, he added another inch. He swigged the whole mess, the burn descending his throat and settling in his stomach. Jesus, he was going to give himself a heart attack if he replayed that conversation again.
He looked down at his rumpled, slept-in clothes and rubbed a hand over the multiple-day stubble on his face. He was a mess, that was true. But competence wasn’t a matter of clothes and fancy presentation. Competence was looking at data, whether out there in the real world or on his sheets of paper, and drawing insights. Damnitall, he was still relevant.
Gene slouched in despair before forcing himself up. He had to focus on something productive. It was time to meet with Mike and David. He dragged himself out of his office and began the journey back to the R&D building.
Bill Larry climbed into the back of the AStar, where he’d have a little more room to work. He buckled in and put on his headset. The pilot throttled up, and they were in the air.
Bill pulled out his tablet to review emails and try to salvage a little productivity out of the morning. He was taking an unexpected helicopter ride, the first of the new year, out to the ODC. He’d gotten a very unusual call from Maggie Reynolds in Finance, asking him to verify delivery of purchases. Bill scanned messages, but couldn’t put the confusing exchange out of mind.
Maggie hadn’t been able to grasp that Facility location code ODC0004 was not a mere walk down the hallway for Bill, but a floating platform ten miles off the shore of California, requ
iring Bill to make a helicopter reservation and two hours to get to, by the time you counted driving and flying.
If the call had confused Maggie, it was twice as puzzling for Bill, because Maggie went through a litany of impossible purchases attributed to his department. He had not ordered backup satellite hardware or microwave communication gear. Yes, they’d ordered equipment from iRobot, but that was before the holiday break, and no, there shouldn’t have been a second round of deliveries to all the ODCs from iRobot.
In any case, no one could visit or install anything on the ODCs without approval from Bill. It simply wasn’t possible to have installed the equipment Maggie described. Only Bill, Jake, and a handful of employees in day-to-day contact with Bill had the authority to stand down the robotic defenses. Bill was personally advised anytime the robots were brought offline. Maggie’s inventory of purchase orders made the ODCs sound like beehives of activity. Impossible.
However, the shit had hit the fan back in the main office, because Maggie had folks from Controls and Compliance investigating their purchases. She sounded worried but trying to hide it, and in the end, Bill felt sorry for her and reluctantly agreed to investigate in person. He reserved a helicopter, packed a bag and his satellite phone, and headed for the heliport.
That’s how Bill ended up thirty minutes out from ODC 4 on one of the company’s Eurocopter helicopters to do this hands-on inspection. He would lay to rest the question of exactly what equipment was present. With a sudden jolt, he realized he’d made a drastic mistake. In his rush, he’d forgotten to schedule the deactivation for the defense robots.
He fingered the headset switch to talk to the pilot. “Hey, George. Whatever you do, don’t approach the barge. Keep at least half a mile distant. I’ve got to get them to shut down the robots.”
Bill struggled to plug his satellite phone into the noise-isolating headset, a clumsy, insulated thing. Jesus, he could have gotten them both killed. He placed the call to the robot system administrators.