Kill Process
CHAPTER 5
* * *
I OWN A thirty-year-old VW bus. Well, own is a strong word, since it’s not registered to me. I paid cash in a private sale twelve months ago in Idaho. I have a fake driver’s license corresponding to an actual New Yorker who doesn’t own a car, and a real vehicle registration in their name. It was a complicated bit of work, but it will cover me in the event of a routine traffic stop. The final touch was installing flowery curtains. Now it’s the mobile office I use when I need the highest level of security.
I wrote a script to pick a random place to park the van, usually in the parts of Portland where you find the most hippies. The VW blends in well.
Today I’m a quarter of a block down from a coffee shop with a good wi-fi signal. I aim the directional antenna at the coffee shop until I maximize the signal strength.
From there, the direction my packets take is very, very complicated.
The Raspberry Pi, a tiny computer smaller than a credit card, is dirt cheap and can do anything a regular computer can do. Each iteration gets smaller, more powerful, and less battery-hungry. I paid cash for a thousand units direct from a distributor.
In my own version of a clean-room, dressed in a biohazard suit so I wouldn’t leave DNA on them, I embedded the tiny computers inside weatherproof cases, marrying each to tiny solar panels and a rechargeable battery. Each component was chosen because they were cheap Chinese parts manufactured by the millions.
The little computers run a secure variant of Linux, with a single open port, protected with heavy encryption. Part of the computer board contains a sensitive accelerometer, which means I can detect when the computer is moved.
When I travel, I find coffee shops and homes with wi-fi signals and flat roofs, and I toss one of these onto the roof.
If you were to find one, pick it up, and look at it, you might not be sure what it was. If you plug a headphone into the jack, it plays pirate music stations.
Of course, that’s what it does only if it’s been moved or if the battery level drops too low. Because when the accelerometer detects motion, the code I wrote replaces my extensive software with a simple dummy music app and erases the remaining storage a hundred times over.
If it hasn’t been moved, and the battery level has never dropped too low, then it does what it’s supposed to do: operate as part of my private onion routing network with hundreds of nodes to disguise my digital trail so others can’t trace my location.
This secure private network is what I’m using right now to research Erik Copley, my packets bouncing back and forth in encrypted channels. I haven’t trusted TOR since the government took down Silk Road. I don’t buy the explanation that they used unrelated weaknesses. The government isn’t going to let on that TOR is broken, any more than we let the Germans know we’d broken Enigma.
Erik Copley, forty-nine, is married to Jessica. They live in Tucson, Arizona. Jessica is his third wife. The first two managed to escape him and move far, far away. Jessica, however, is in a downward spiral.
Tomo embedded NFC payments into the latest version of its mobile app, so you could pay for things in person without using a credit card. Jessica was an enthusiastic user, until shortly after she married Erik. Now there are extended periods when she doesn’t leave the house.
We share purchasing data with a major online retailer so we can improve advertisement targeting. Jessica buys things online during these at-home spans: bandages, pain relievers, an arm sling, even crutches. The purchases are consistent with someone who plays hockey or football, an interest Jessica does not possess. She’s regularly getting the kinds of injuries you’d associate with dangerous sports despite never going out of the house.
Unfortunately, Tucson is a little too far for me to drive without anyone being aware of my being gone, and I can’t come up with a good excuse to fly there. If there had been a good database conference in Phoenix, or even San Diego, it might be feasible.
I need a remote hack. Something I can do from here, with an eighty percent or greater chance of killing Erik that will appear to be an accident.
I run through my gamut of options. I can’t count on getting Jessica out of their home, which rules out several simple and reliable house attacks. He doesn’t work in construction or a manufacturing facility, unfortunately, because lovely and dangerous things happen around heavy machinery. I could compromise his car’s brakes, or maybe lock him inside on a sunny day until he dies of heatstroke, except I used a vehicle attack on the banker in Beaverton, and I’m hesitant to create a pattern by employing anything similar.
I scan his Tomo messages, searching for anything I could use. He’s having an affair. He goes to strip clubs with his coworker. He likes Japanese anime. Ugh. I’m about ready to give up.
I could kill him with an elevator at his job if I must. I could stop the thing about eighteen inches off the ground, open the doors a foot. He’d hesitate but eventually try to go through, and when he did, I’d raise the elevator the rest of the way, crushing him between the floor of the elevator and the top of the opening. I bought a suite of elevator exploits from a Chinese kid for a thousand bucks that I’ve been saving for a rainy day.
I probably spend a quarter of my disposable income on zero day attacks. The really good ones, the exploits in operating systems and browsers that can be used for almost anything, are usually too expensive for me to afford, in part because I’m bidding against the NSA, the Russian mob, and the Chinese government, who have big-time budgets for this sort of stuff. Besides, I have my purpose-built backdoors in Tomo to take care of most of those needs. No, I tend to spend my limited cash on vulnerabilities in embedded systems like elevators, cars, and household appliances. They’re more obscure, and at least so far, no nation-states have shown interest in taking people out with their refrigerators.
The problem with the elevator exploit is that I’m worried about detection. There’d be a thorough investigation, right down to the firmware on the embedded computers, and there’s no way for me to mask my changes.
I’d eventually like to build a drone for these distant targets. A video made the rounds a while back of a handgun mounted to a quadcopter. The range on a quadcopter is awful, a few miles at best. New, long range, fixed-wing drones under development have solar panels and can stay aloft indefinitely. Combine one of those with a gun, and automated cellphone tracking, and you could kill a person anywhere in the world, fully autonomously, with no way to track back to the originator. The tech is almost there. For now, it’s still a pipe dream.
I keep reading, working my way backwards chronologically, hoping I’ll know what I’m looking for when I see it.
Boom.
He used to play racquetball with a friend, although he stopped for a while after his pacemaker was implanted four years ago. His pacemaker . . .
I switch computers. I’ve got another machine, connected via another onion route entirely, running a VPN to an exit node in Brazil. I connect to Tuned to a Dead Channel, the latest incarnation of a community so old it dates back to the pre-Internet BBS community. There isn’t a group much more exclusive than this. Even among these select few, I’ve got something they don’t: a page sysop link rendered in green monospaced type, PR Number 3 for the font geeks out there.
Nathan9 is online.
SysOp> What’s up?
Angel> Pacemaker attacks still viable?
SysOp> Not really. You can’t sniff the data anymore. Although...if you have the device ID, anything is possible. Unfortunately, it’s only stored in PMA.
Damn. Permanent Medical Archive, the centralized medical data store, was one of the few systems with legitimately strong protection.
Angel> Known PMA exploits?
SysOp> BWB claims access. Data for 50K, changes for 100K.
Nobody knows if Beef with Broccoli intends to insult the Chinese or if he’s actually Chinese. Since he tends toward Chinese tools, Nathan9 and I suspect the latter. I can’t afford five thousand, let alone fifty thousand, and BWB isn’t known for exchanging favors.
I disconnect from Dead Channel, shut down my connection, and start a new one. No point in letting anyone watching connect the dots. I spend the next hour researching pacemaker manufacturers. There are a dozen manufacturers, four of which are common in the United States. I know who Erik Copley works for, and a bit of searching turns up their healthcare plan. From there I find eligible cardiologists in Tucson.
I search Erik’s Tomo geolocation data from four years ago to find a time when he would have spent most of a week in his home recovering from surgery. Once I’ve found that, I examine the location log from the days prior to his homestay. There! He was in Southern Medical Center for twenty-four hours. I visit each of the eligible doctors’ websites to find out who would perform surgery at SMC. There are three and they’re all part of the same practice.
I’m going to need access to their email. Not their personal email, which would be easy to read using the extensive permissions the Tomo app demands on installation, but their work email, which may be harder to obtain. I send a message to a non-existent email address at their domain, receive a bounce message, and examine it to see who their provider is. Armed with that, I look up all the doctors, nurses, medical clerks, and receptionists, and grab their Tomo passwords.
We don’t store passwords in the raw. We use a salted hash, among the best possible ways to safely store a password. Of course, most attackers don’t possess an army of half a million high performance servers and inside knowledge on how the salt is generated.
A few minutes later, I’ve obtained the passwords for all twelve employees, and I try them on the email server. I’m counting on someone foolish enough to use the same password on multiple accounts. Sure enough, one of the medical clerks has. I breathe a small sigh of relief. Legitimate password access beats having to backdoor my way in.
Even with all this work done, I don’t know exactly what I’m looking for. I’m still phishing for some weakness I can exploit.
I wedge my thermos between my knees and twist off the cap to pour myself another cup of coffee. I’ve been in the van for hours. My vertebrae pop as I stretch. I take a sip of coffee, stretch again, and then do my business.
That means pulling out a five-gallon bucket from Home Depot, prying the lid off, and perching on the rim while my urine splatters off the bottom of the bucket. Primitive yet functional. I usually go out if it’s more than pee, which is a huge process, because then I’ve got to disconnect all my network connections, move the van to some place without security cameras, use a coffee shop or restaurant bathroom, then move the van again, find new wi-fi connections, and reconnect to the onion network. Better to hold it in that case.
Once I’m done, I return to reading the clerk’s email. It takes a while before I finally find a weakness. One of the three doctors doesn’t officially work on Fridays, but he apparently handles patient calls on his day off, because he occasionally emails in a request for patient data. Which the clerk sends him via his personal email account in clear violation of the PMA policy. Lovely.
Today’s Wednesday. It’s two days to Friday and his day off.
I shut down my computers and pack them away, start up the van, and drive east to a new part of town. I leave it parked between a commercial and residential neighborhood where it won’t attract attention. I put on my prosthetic arm and don my bike gear and a backpack.
With a bulky rain coat, helmet, bike shoes, wrap-around sunglasses, and second arm, I’ve changed my profile and gait. I return to my bike left outside a coffee shop, clamp the prosthetic onto the right handlebar, and ride back to the apartment building where I keep my bike locked up alongside dozens of others belonging to the residents. I shrug off my prosthetic, and slip it into the backpack with a practiced move. From there, it’s a quick walk back to my place.
* * *
On Friday, early in the morning, I email work and tell them I’ll be working from home again. In reality, I already finished today’s work. I slaved away sixteen hours yesterday and left half my work sitting on my computer, with scripts standing by to check in code and send emails at predetermined times. I won’t reply to any emails, but I can claim to have been buried in code changes.
I head back to the van, reversing my steps from two days before. I check the bike and van for radio emissions to ensure my equipment hasn’t been hit with a GPS transponder. Someone would need to suspect me to do that, and to date my perfect record stands: everyone I’ve eliminated has been classified as some form of natural or accidental death, never murder, so it’s unlikely anyone is onto me. I play it safe, nevertheless.
I flip a hidden switch in the Tomo mobile app for both the clerk and the doctor. Well, technically, I flip a debug switch on their accounts, and the next time their Tomo mobile app checks for updates, it sees the change, and begins broadcasting continuous telemetry data, including their GPS location, to our servers, where it goes into a log file associated with their account. Later, when I turn the debug switch off, the log file will be deleted. This clever little feature, ostensibly to help the software engineers troubleshoot bugs, perfectly fits my needs without requiring security exploits on my part. Which is why I indirectly requested the implementation in the first place.
I know from previous emails the doctor golfs in the early morning, does a light workout at the gym, and then swims with his wife in the afternoon. Sounds like a lot of activity to me, but then I’m not a cardiologist. I guess if you spend your whole day surrounded by unhealthy people, you’re going to overcompensate.
I need to create an email appearing to be from the doctor, wait around for the clerk to reply, and then receive the reply. This has to happen while the clerk is in the office. I’m worried she might call him for clarification (his phone log suggests this sometimes happens), and I can’t take the chance he’ll answer the call, so I need to time it for when he’s away from his phone. The doctor starts golfing before his office even opens, which makes sense, considering summer temperatures in Tucson. I take a deep breath. So many complications.
I switch over to the clerk’s email account, and compare the inbox to the sent folder to see how long it usually takes between the time he emails her and the time she normally replies with the patient data. It’s anywhere between five and thirty minutes.
I track the doctor’s location on a map, his geocoordinates still streaming in every fifteen seconds over the connection. He’s on the ninth hole when the receptionist gets into work. When he gets to the sixteenth hole, I upload a server-side rule for the receptionist’s email, temporarily shunting all incoming emails except the ones from the good doctor into a folder. I want to make sure that when his email arrives, it’s the only one she’s looking at.
When he gets to the eighteenth hole, I turn on his microphone, and listen to him talking to someone, I assume his golf partner. The sound is muted, as you’d expect from someone carrying their phone in their pants pocket. I happen to know it’s his left-front pocket.
It sounds crazy I can ascertain this from the motion data of a phone, but I’ve got acceleration details from one billion people, 365 days a year, for dozens of sit/stand events per day, and from this mass of data points I can tell you with 90 percent reliability whether a person keeps their phone in a pant pocket, jacket pocket, or purse, and if it’s a pocket, whether it’s the left or right, front or back.
I had to be sure of my accuracy, so I wrote a predictive algorithm, and tested it by turning on the camera, so I could capture video of the phone being extracted. From these videos, I figured out how often the algorithm was correct.
I didn’t do this research because I suffer from an OCD disorder when it comes to analyzing data, although that helps. This was an actual client request from advertisers who wanted to target ads based on where a woman carried her cell phone. I won’t go into the research I did to segment users based on bathroom paint color.
If this sounds intrusive, you’re right. If you think Tomo users should cancel their account, you’re also right. They won’t, because for many of them, we hold hostage their primary, or perhaps only, connection to their friends.
More and more, I see parallels between Tomo and the assholes I choose to eliminate. Abusers remove any sense of self-control from their victims by wielding absolute power over their lives, removing any privacy or ability to have a life apart. Every user of Tomo experiences the same situation, albeit to a different degree: no privacy, no life apart from Tomo, and no ability to leave without forfeiting their social connections. Few recognize the parallels, but I do, and it makes me increasingly ill.
The dot on the screen moves. Focus, Angie.
The doctor approaches the club house, my cue to act. I use my backdoor into the Tomo app to send a personal email from his phone to the medical clerk. The message requests the pacemaker model, device ID, install date, and date of last checkup for Erik Copley. All I really need is the device ID. The rest is there to lend credibility.
I bite my fingernails when the doc stops to talk to someone. I’m counting on him heading into what I assume to be the locker room. My geospatial data is less accurate once he’s inside. Historically there’s a stationary period of thirty to forty minutes after he finishes golf. My guess is he leaves the phone in his locker while he works out, and that’s ideal in case the receptionist calls for more information.
The delay is only a minute or two. In another window, I’m tracking the clerk’s inbox. She’s opened the email.
Finally the doctor gets back in motion, and a minute later the accelerometer records the sharp impact of a hard surface. He’s laid the phone down. I listen through the microphone and hear only muted sounds. I jump out of my seat when the phone rings, even though I was half expecting it. Channeling through my backdoor in the Tomo app, I check the phone status, and see he’s receiving a call from his office. I cross my fingers and offer a small prayer to the universe he’s not within distance of the phone.