Breaking and Entering
Page 31
Alien shifted the interns to her old office, so Luke had his own. Then she held an “Ethernet crimping party” during which everyone cut and crimped one thousand feet of cabling into the dozens of new cables necessary for the expanded office network, centered on a new modem, switch, and firewall in the closet of the Playlab, TSC’s experimental hacking space.
It was an imperfect, even precarious setup. Each time she entered one of the offices, Alien saw the rough holes in the walls and exposed wiring. Use the microwave and space heater simultaneously and the power flickered out.
And “You’re the Best Around” still blasted at any hour.
In the middle of one such serenade, Luke knocked on her new office door. “Gus and Cheryl are graduating in May,” he reminded Alien.
“What you’re really saying is that you want to hire them full-time, right?”
“Yep!”
Alien let the steam rise from a freshly nuked frozen veggie burrito—today’s breakfast, lunch, and, in all likelihood, dinner. Meanwhile, numbers filled her head. She’d just raised Luke’s salary by twenty thousand dollars. Add about another forty thousand each for Gus and Cheryl—plus health insurance, company credit cards for them, and other benefits—and she’d need more than one hundred grand in new business per year just to maintain her current income.
In spite of this, Luke’s suggestion made sense. Her due date was virtually simultaneous with Parkmont College graduation. If she wanted to keep TSC going while she was off the phone and away from the keyboard, she needed a team.
“You said you could run things,” Alien said. “Can you manage everyone, too? Because I won’t have the time.”
“Sure,” Luke said.
“It’s a lot of responsibility.”
Luke grinned. “I’m on it,” he said.
Alien nodded. “Glad to hear it.”
Luke returned to his office. Alien sat thinking for a minute until she noticed the burrito still in her hand. Her pregnancy already made her constantly queasy, and now the rice, cheese, and broccoli bits had congealed into a solid mass that was unappetizing under any circumstances. She put it down.
Alien opened her laptop to try and make the numbers work.
A week later, Alien invited Gus and Cheryl one at a time to her office, where she offered them full-time jobs.
Gus asked for the same position Luke had started with—security consultant. Cheryl, however, said that she wasn’t sure if she had enough experience.
“Why not?” Alien asked her. “You’ve been doing fantastic work. Your report reviews are wonderful. Your scans are perfect. You have an amazing attention to detail.”
Cheryl shrugged. “But I’m not as technical as Gus is,” she said finally.
Alien pushed back. “You do the same work he does,” she said. “You read up after hours. Everything else you learn by doing. And he has a lot to learn from you in communicating with clients. I know you can handle this.”
It was the truth. Plus, the alternative was a self-perpetuating cycle. Gus would have more experience earlier, which would lead to better opportunities later. And Cheryl would be stuck doing report reviews—at best.
“Well, I am really interested,” said Cheryl. “If you think I can do it . . .”
Alien was emphatic. “You’ve got this. And we’re here to support you.”
Cheryl raised her chin. “Okay.”
The following week started with two subcontracts for the same client, a Denver hospital. It needed a remote pentest, assessing its network security, and an on-site consultant to check its compliance with federal rules specific to health information privacy.
Alien sat Luke down and went over both subcontracts, line by line, to show him how it was done.
“This is the most important part of the job,” she said. “It’s not the hacking. It’s designing and planning the engagement, and making sure that everybody”—TSC, Antidote, the client—“knows what to expect. Engagements succeed or fail before they ever start.”
A social engineering assessment probed human vulnerabilities, for example. If automated spam filters had blocked the phishing emails, there was no way to know if employees would have fallen for them. For that reason, Alien explained, “the statement of work should require whitelisting”—specifically allowing TSC’s emails.
“Criminals can spend all day trying to beat spam blockers,” she told him. “We don’t have time for that, and clients won’t want to spend the money to hire us to do it.”
Likewise, for the pentest of the hospital, TSC required written permission to hack. They needed to know exactly what systems and Internet addresses they were authorized to probe. And, even after authorization, they had to verify that the hospital actually owned those systems and addresses.
“It’s fine to be a little flexible—for instance, testing one hundred and fifty-five Internet addresses instead of one hundred and fifty,” Alien said. “But you may only conduct the tests included in the statement of work, and you can never test other clients or systems. And remember: sometimes clients get their own addresses wrong.”
What had happened in person with Jim, when Castle Bank gave them an incorrect location for its data backup and disaster recovery center in Chicago, was even more likely to occur when they were dealing with the all-number locaters—172.217.11.174, for example, or 91.198.174.192—that made up an online address. More than once, Alien had caught typos in the information clients provided her that would have had TSC unintentionally attacking someone else.
“If we break into the wrong computer system, whose liability is that?” she warned Luke. “I don’t want to find out.”
Luke completed the hospital contract reviews with Alien and coordinated with the client. Under his direction, Cheryl took the on-site assignment and Gus the remote one. That day, Gus ran into Alien’s office at noon.
“Hey! Hey!” he said excitedly. “I see Cheryl!”
“So?” she asked. The two of them shared an office, didn’t they?
“She’s in Denver, at the hospital. I’m watching her from the DVR system I hacked,” Gus said.
Alien followed him as fast as she could. On Gus’s monitor was a live video feed from the hospital security system.
“All the controls are online,” he said. “I had the password in ten minutes. And look.” He pointed to a slim young woman with long red hair, dressed in a gray skirt and matching suit jacket buttoned over a black blouse. She was talking to a middle-aged man in a white coat at a desk behind a pharmacy counter.
The woman turned, as if to face the cameras. Cheryl.
“Oh my God—you’re right!” said Alien. “Take a screenshot!”
He did, and then they watched together, rewinding back and forth for another minute.
“Tilt and zoom,” Alien suggested. “Can you see patients getting their medicine?”
“Yeah . . . I think so.” Gus tried it. “There.”
They watched as a woman in her thirties, wearing a black nylon jacket, received a little pill bottle.
Gus zoomed out. A long line of other patients waited their turn at the counter.
Their privacy wasn’t safe at an online pharmacy. And it wasn’t safe in person either.
While Gus continued his investigations, Alien called Antidote, which would follow up with the hospital once her team had written up their findings.
“It can probably wait until you see the report,” she told Rogers, “but I wanted to give you the heads-up.”
“Thanks,” said Rogers. Then he lowered his voice. “By the way, did you hear the news?” he asked.
Alien sat up. “What news?” she asked.
“They’re selling Antidote.”
In the 1980s, computer giants warred over operating systems and office software packages. In the 1990s, it was Web browsers and the onetime fringe business of e-commerce. Then came social platforms, smartphones, and cloud computing. Now the hot new turf was information security. As much as possible, Rogers explained, Antidote
’s new owners wanted to move everything they did in-house.
“So what’s going to happen to subcontractors like us?” said Alien.
“I don’t know,” he offered glumly. “But all of us here are polishing up our résumés.”
Alien felt nauseous, and this time it wasn’t the baby. After hanging up, she opened the project management software that had replaced her orange binders.
In the last six months, Tessman Security Consulting had had contracts for close to 120 jobs, with ten more yet to be completed, and five on tap next week. Every single one was from Antidote.
Alien winced. For two and a half years—almost twice her tenure at Elite Defense—Antidote had found the clients, TSC had hacked them, and they had split the fee. It had all been to everyone’s satisfaction and profit. But just at the moment when TSC needed more work to stay afloat, there was the distinct prospect of less.
Alien considered her situation. She was six months pregnant. If she dissolved the company and started looking for a job, it would be very hard to find an employer ready to take on a woman about to give birth, let alone at the salary she needed to pay her bills and her mortgage. Besides, she felt an obligation to her employees, who depended on her. And a pride in owning and running her own business.
Alien thought of learning how to ride a motorcycle. And the exhilaration once she had done so.
The key, Piñon had taught her, was not to let fear slow you down, but to lean into the curve and accelerate.
It was time for TSC to make its own name in the security industry.
Get bigger. Go faster. Or crash.
Alien called a meeting with the whole staff right after Cheryl’s return.
“We need to market,” she said.
The Antidote sale closed in February. By March 1, Rogers had left Antidote. The company still provided TSC some subcontract work, but Alien had to go through a cumbersome new billing system. The first invoices got gummed up, so they weren’t paid for a long time, which created a cash flow crisis. And everything could dry up completely at any moment. Even if her staff did most of the actual hacking work without Alien, there was more pressure than ever on her to find work for them to do.
That month, in stolen moments between gigs, Alien built a company website accessible to the public. Elliot and the employees designed a professional logo: the initials TSC reflected in a shimmering alpine lake.
Alien, now eight months pregnant and almost thirty-five pounds over her usual weight, stuffed brochures and business cards into promotional folders for Elliot to hand out at SCAN classes.
Alien’s due date was the last Wednesday in April. In the week before, she pulled three all-nighters, trying to wrap up different projects before the baby arrived. Her plan was to have a water birth, delivering in a big spa-style tub of warm water at the Parkmont Natural Birth Center, attended only by a doula and certified nurse midwife on staff. On her actual due date, with no contractions yet, Alien arranged a four p.m. checkup with the midwife.
In the hours before the appointment, she started debugging her team’s latest phishing site. The contract was with another huge law firm, one of Antidote’s VIP clients, and her new handler was tracking it closely. TSC couldn’t afford any delays or mistakes.
The poll wasn’t working. The client site they had copied had some fancy JavaScript on its Web pages that was interfering with TSC’s submission form. But if they cut out the JavaScript, the page didn’t look right.
As much as she had tried to prepare her staff for any challenge, Alien was the only one with the technical know-how to fix the code.
“Almost finished,” she emailed Luke before rushing to her checkup. At first her midwife was less concerned with the missed due date—nothing uncommon—than with the bags under Alien’s eyes.
“You need to take better care of yourself,” she told the mother-to-be.
“I know . . . ,” said Alien. “I will.”
The woman checked her with a portable ultrasound. She frowned and turned to Alien. “You have really low levels of amniotic fluid.”
“Oh,” said Alien. “I guess I haven’t been drinking enough water. Too preoccupied by the computer. But I can drink more now. That’ll take care of it, won’t it?”
“I’m afraid not. We have to get you to Parkmont Hospital. Right now.”
“The hospital?” Alien gulped anxiously. But what about her birth plan? “No, no, no . . . I’ll drink a bunch of water. Let’s check again in an hour.”
Her midwife touched Alien’s arm consolingly.
“I’m sorry,” she said, “but you need to go.”
Alien slowly paced the halls of the hospital maternity ward in a flimsy gown, shackled to a wheeled IV. The doctor on call had given her until early evening to see if she would naturally go into labor without being medically induced. When a pretty brunette nurse in blue scrubs beckoned her back to her assigned room, Alien knew that she had timed out.
“Do you want an epidural?” the nurse asked.
“No!” Alien answered unhappily, asserting what control she could.
“Okay. We’re going to get started.”
The woman rolled over monitoring equipment. As she did, Alien couldn’t help herself. She checked the screen and identified the operating system.
“Is that Windows 2000?” she said.
The nurse paused. “I don’t know,” she answered slowly.
“It is,” Alien said. “Wow.” Unbidden, the names of major Windows 2000 worms—Blaster, Code Red, Nimda, Slammer, Sobig, Zotob—invaded her imagination. And the complete list of security vulnerabilities could fill a phone book.
“It’s probably infected,” she told the nurse.
The nurse’s face indicated her confusion. “Everything is sterile,” she reassured Alien.
The doctor—a blond and fit fifty-year-old man—arrived. “Hey,” he said in a gentle voice. “We’re going to need to induce you now.”
After another brief back-and-forth, Alien gave up arguing, allowed them to add Pitocin to her wheeled IV, and resumed walking. Soon, the contractions began in full force. With every one, the body-wrenching pain surged from her abdomen to her back.
Eyes closed, Alien held on to the metal bars along the walls of the hospital corridor. When each contraction subsided, she went back to walking, until the same pain forced her to hold on again. Each time her body seized, she felt like vomiting.
Twenty-eight hours later, the baby was still not ready to emerge. Alien collapsed into the hospital bed, shaking with a 103-degree fever. She heard the doctor say, “We’ve got to get this baby out.”
The monitor beeped. Panting and soaked in sweat, Alien surrendered herself to medical science, computer technology, and fate.
At midnight Thursday, Alien turned to the sight of her daughter—Adrienne—stirring beside her. Elliot slouched in a corner chair, gently snoring, but Alien had yet to sleep herself.
The baby woke. She stared at Alien with clear gray eyes. Alien held out her hand and Adrienne took it. Her tiny fist curled around Alien’s index finger. Adrienne squeezed.
We did it.
Alien rose gingerly, picked up the baby, and placed her on her chest. Adrienne latched easily. She suckled. Alien felt warm milk flow naturally from her body, no hacks necessary.
“I love you,” she whispered to her daughter.
Half a minute went by. Alien hesitated, but then stretched her arms to reach her laptop on the tray in front of her, scooting aside an untouched cup of peaches.
Using a VPN—virtual private network—to secure the patchy Wi-Fi available in the maternity ward, Alien logged in to the TSC server.
“We’re all set for Friday,” their client on the phishing engagement had emailed her. “I just need to see a copy of the email.”
“No problem,” Alien wrote back. “I will have a copy of the test email to you in your inbox first thing in the morning, so we can kick things off at eleven a.m. as planned.”
Adrienne murmured cont
entedly as Alien pulled up the phishing site code and continued debugging.
Their first all-nighter together had begun.
The sun rose before Alien finally fixed the phishing site from the hospital and emailed the client.
It felt as if she had given birth twice.
“What happened? How do we do better?” she asked herself and her employees about her emergency debugging. They had to get past the point of relying on her programming skills to save them in a pinch.
Alien returned to the office five days later, with Adrienne. She bought TSC’s second fifteen-hundred-dollar professional software license for Nessus, an automated vulnerability scanner. Together with Metasploit, an all-purpose penetration testing tool, this supplemented many of her custom computer scripts.
Now the others could work with or without her, both here and on-site.
While they did, Alien pored over the books. She tallied close to fifteen thousand dollars a month in rent, salaries, and other expenses. And no new work had come yet from the promotional folders or the website.
Adrienne cried.
Alien looked out the window, imagining the wilderness just beyond the mountains, and lifted her daughter to her breast.
Alien felt like she spent the entire summer with her fingers crossed, hoping TSC would drum up enough business to make payroll. She wasn’t going to short her employees, or make them front their own expenses, as she’d had to do at Elite Defense. But the thirty-day gap between submitting a new invoice and getting paid by Antidote was more anxiety-inducing than her climb up the abandoned elevator shaft at MIT.