Homeland
Page 10
“No way,” Liam said. “How could you be out of work? I assumed they’d poached you from some rad start-up or Google or something.”
Now it was my turn to shrug. It seemed like unemployment talk always involved a fair bit of shrugging and looking away. “Dunno,” I said. “I dropped out of school months ago, couldn’t afford it anymore, and I’ve been looking ever since.”
“Man,” Nate said. “That’s crazy. If you couldn’t find work, what hope do I have?”
I didn’t have an answer for him. I was starting to actually feel guilty about having a job, and I’d been employed for less than a day.
We finished our awkward lunch and went back to work, and I went back to mapping out the network and figuring out what needed fixing and what didn’t, and I didn’t even think about the torrent I’d downloaded the night before until I got home and rebooted my computer into my secret partition and the machine reconnected to IPredator and started seeding the file again.
* * *
The torrent contained a huge—HUGE—zip file that was encrypted. Of course, I had the key. And somewhere out there, Masha was being held captive—or worse—and I was pretty sure that she wanted me to dump the file and the key now.
I really wanted to talk this over with someone. Ange, of course. But she was still in class and wouldn’t be out for hours. And this wasn’t the kind of subject I wanted to talk about over the phone or email or IM or—well, I kind of felt like we should talk about it in a soundproofed room at the bottom of a mineshaft, but I didn’t have either of those things.
I had been avoiding thinking about this for nearly thirty-six hours now. I’d had good excuses: I’d been blown up. I’d been doped up. I’d been asleep. I’d gotten a job. I’d had my first day at work. But I’d run out of excuses for inaction.
But wait! I just thought of a new excuse: it would be insane to have the decrypted file sitting on my drive, even on a secret partition. I couldn’t get over the thought that a snatch team could break down my door at any time and haul me away. If I was loaded up on my “secret” partition at that point, it’d be easy for them to see what I was up to.
I decided I needed to build a few more layers of security into the system before I started to handle this info-plutonium.
First things first: go shopping for a virtual machine. Let me explain that, because VMs had become my best friends lately.
You can write a program that works just like your computer’s microprocessor. You designate a file to act as your virtual computer’s hard drive, and then you load it up with an operating system and any programs you want to run. When you “turn on the computer”—that is, when you run the program—it looks at the virtual drive and loads in the virtual operating system and follows all the instructions it finds there, passing them on to your real computer, which is running underneath all this.
It used to be that the main use for VMs was to simulate old computers on new ones—so you could simulate some ancient game console, an old Game Boy or whatever, and play all the vintage games. There’s a megahuge games VM called MAME, the Multiple Arcade Machine Emulator, that can play pretty much every old game, ever.
The key word here is “old.” That’s because running a pretend computer inside a real computer is slow. But computers double in speed every eighteen months or so—this is called Moore’s Law, for Gordon Moore, who helped start Intel. That means a brand-new computer will be about sixty-four times faster than a computer you could buy for the same money six years ago, which means that so long as you’re working with old VMs, you probably won’t even notice the speed lag.
But lately, computer manufacturers have been figuring out how to design chips to run VMs more efficiently, so the gap between a VM and the real computer it runs on keeps shrinking. This means that it’s easier than ever to try out new operating systems and new programs. If there’s something you’re really paranoid about, you can just run a free VM program, install a free OS on it, and run anything you want in that little sandbox. Nothing that happens in that VM can affect your real computer—not unless you give it privileges to see your real hard drive and real files. The VM is like a head in a jar, and you can tell it anything you want about what’s going on in the world and it’ll have to believe you.
You can download hundreds—thousands!—of VMs from the Internet and just fire them up as you need them. Want to turn an old computer into a router or a file server for an hour or a day or a year? Various sysadmins have bottled up perfectly tuned VMs that run any specialized function like that out of the box. There are even user reviews to help you figure out which ones are the good ones. And since it’s all built on open, free code like Linux, anyone can modify, improve, and redistribute them.
I went hunting for an extra paranoid VM, and I found one. It started with a copy of ParanoidLinux, my own favorite distro, and nuked any programs and services you didn’t need, to make it all the more bulletproof. ParanoidVM also stored its user files in TrueCrypt plausible deniability chunks, so there was no way to tell from the forensic examination of the disk how many users there were and how many files they had.
That was good for starters, but I wanted a dead man’s switch: something that would cause the whole thing to lock itself and shut down if I didn’t do something every fifteen minutes. So I wrote a little script that hit me up for a password every quarter hour. If I didn’t enter it, it would issue a system-wide command to kill any VMs that were running, then erase itself. So if a snatch squad were to nab me, all the work I’d done on the files would disappear unless they could torture the password out of me in a quarter of an hour.
They’d still have the key and the torrent file, but they wouldn’t know whom I’d shown anything to or what we’d talked about. All I’d have to do is key in my password every fifteen minutes, and not go off to the toilet or forget and go to dinner, or I’d lose everything I’d worked on up to the last save point.
There’s a technical term for this kind of security work: yak-shaving—wasting time doing silly chores to avoid something harder and more important. There was an old essay I liked about working for Google by a hacker called Dhanji Prasanna, which talked about “shaving the entire yak pen at the zoo, and pretty soon traveling to Tibet to shave foreign yaks you’ve never seen before and whose barbering you know little about.”
That’s the territory I was heading into. It was time to decrypt the file.
* * *
It had been a while since I’d decrypted an encrypted ZIP file with a very long password. There was a specialized command you could use to specify that the password was in a file, and I couldn’t remember it at first. I looked up how to do it. I did it. The list of files scrolled past faster than my eye could follow. Lots of files. LOTS AND LOTS of files.
810,097 files.
What had Masha said? Eventually, you come across something so terrible, you can’t look yourself in the mirror anymore unless you do something about it.
That was a lot of dirty laundry, yo.
I could tell at a glance that they had human-generated file names—weird punctuation, weird capitalization, and both were all over the place. Computers might do weird capitalization, but every file would have been weird in the same way. Some had pretty descriptive names like “bribes paid to senate Def Cttee.doc” and others were more cryptic, like HumIntAfgh32533. There was a file called WATERBOARDING.PPT, a set of PowerPoint slides. My stomach curdled into a hard ball just looking at it.
I double clicked it. The first slide was just a title: “STRESS INTERROGATION SEMINAR 4320.” The next slide was a long confidentiality notice, naming a bunch of private military contractors who, apparently, had been involved in producing this presentation. And the next slide—
—showed a boy, about my age, restrained in padded cuffs at the ankles, wrists, and chest, strapped to an angled wooden board that held his head lower than his feet, mouth covered tightly in Saran Wrap, having water poured down his nose in a splashing stream out of a bucket with a spout, hel
d by two large, clean, white hands. The boy’s body was arched up like a bow, straining against his restraints, pulling so hard that every muscle in his body stood out. He looked like an anatomical illustration.
No.
He looked like a torture victim.
The Saran Wrap was an evil touch. The water is poured down the nose, but it can’t go into the lungs, because the body is tilted backwards. His body is tilted backwards. The body—his body—knows that there’s water going into the windpipe and it’s desperate for air. His mouth gasps, but the Saran Wrap only lets the air go out, because every time he tries to suck air in, the plastic makes a tight seal. The only place air could enter is his nose, and the water is pouring into his nose and so he can’t breathe that way.
Eventually, his lungs empty out entirely, collapse like spent balloons, shrivel like raisins. His brain, starved of oxygen, begins to die. He may pull his bonds so hard he breaks his bones.
The government likes to call waterboarding a “simulated execution.” It’s not a simulation, though. They nearly kill you. If they don’t stop, they will kill you.
One of the men at Guantánamo Bay, America’s secret prison, was waterboarded more than 180 times. Nearly died 180 times. They say he planned 9/11. Maybe he did. But whatever he told them, they’d be crazy to trust it. When you’re being slowly murdered, you will say anything and everything to get loose.
But I wasn’t thinking about that. I was hypnotized by that boy, by the expression on his face, the veins standing out in his forehead, the terror in his eyes. I’d been there. I’d had that look in my eyes.
Time stopped.
And then the image disappeared. The window it was in disappeared. The VM that was in disappeared. My dead man’s switch had been prompting me for a password, had run out of time, and had killed the VM and deleted itself like a good boy. I hadn’t even noticed the password prompt. I’d been staring at that picture.
That picture was only one slide, from one file, out of more than 800,000 files. This was going to take a while.
* * *
Ange rang the bell around dinner time, and my mom sent her up to my room. She let herself in and snuck up on me and put her arms around my neck and kissed the top of my head. I pretended I didn’t hear her or see her reflection in my screen. It was a game we played. We were adorable.
“Hey there, workin’ man, how was your first big day at the office?”
“Pretty much like I said in my texts; I’m mostly trying to figure out what the job will entail, trying to get a handle on everything. I told you about that Liam guy, too, right?”
“Yeah, how weird is that? Small world, but I wouldn’t want to paint it.”
“Well, he got less sweaty about things by the end of the day, came by for a real chat, and it turns out he knows his stuff pretty well and had lots of good ideas for me, some authentication ideas I hadn’t thought of for managing guest laptops.”
“I think it’s adorable that you’ve got a little groupie,” she said, pulling up my spare chair and transferring the clutter of MakerBot parts to my bed before sitting down.
“It’s embarrassing,” I said. “How was class?”
She crossed her eyes. “I thought that after high school I’d get to start learning like an adult, without everything being about how many factoids I can regurgitate on cue during exams. But pretty much all of my courses give seventy-five percent of the grade based on exams.”
“Well, you could always leak the exams,” I said, and her hands were over my mouth before I’d gotten the words out.
“Don’t. Even. Joke,” she said.
Ange’s deep, dark secret is that she stole and published the No Child Left Behind tests when she was in the eleventh grade, along with the answer sheets. The school board never figured out who was responsible for it, and they claimed that the stunt had cost millions. Served ’em right.
“Sorry,” I said. “But there’s worse ideas. And who better to do it?”
“Tell you what, let’s figure out what to do about Masha’s little bombshell first. We can recycle anything we come up with for any final exams I should happen to find myself in possession of.”
“That’s why I love you; you’re always thinking.”
We joked a lot about love, but the truth was, I did love her, with a weird, scary kind of intensity. It probably had to do with drifting away from my gang of friends and dropping out of school—Ange was pretty much the only person I saw on a regular basis who wasn’t a parent of mine. Every now and then, this freaked me out a little. I think it freaked her out, too—I was looking forward to getting a little more balance in my life from having a job with coworkers.
“So, what have you got?”
I felt that little paranoid shiver. You could eavesdrop on a room by bouncing a laser off the glass. The sound waves from the voices in the room made the glass vibrate, and the laser picked up the vibrations. I’d seen a demo of this in a YouTube video of a presentation from DEFCON, the big hacker conference in Vegas. The sound wasn’t perfect, but it was pretty good. Good enough to pick out every word and recognize the speakers’ voices.
“Um,” I said. “Give me a sec, okay?”
I plugged a set of speakers into my laptop and then stretched out their wires until I could press them on the window glass. Then I used my computer’s random-number generator, /dev/random, and requested some random white noise. The speakers began to hiss with staticky sound. I cranked them up to the point where I couldn’t stand it, then turned them down a notch or two. I made sure the blinds were seated over the speakers again. Maybe a laser could pick up on the sound in the room, but I couldn’t think of any way to subtract random noise from the audio signal. That didn’t mean it was impossible, but at least we couldn’t be eavesdropped on by anyone stupider than me.
“Huh,” Ange said, observing this ritual. “Well, that’s pretty intense.”
“Yeah,” I said. “It sure is.” We moved the chairs so we could both see my laptop and I showed her my VM and the dead man’s switch.
“Not bad,” she said. “Okay, you’ve convinced me that you’re worried about this stuff. Which, I suppose, means that you’re sure that you saw Masha and Zeb get taken off the playa, and that means you think the explosion was deliberate.” She closed her eyes and took a deep breath. “Back down the rabbit hole, here we go.”
“Wait til you see.” I brought up the VM, brought up the directory listing. Sat back.
“What is this? I don’t even…” she said, staring wide-eyed at the listing. I handed her the mouse. She started clicking, beginning from the top. The first item was budget_8B5S.xls. It turned out to be a spreadsheet listing income and outgo. The titles down the left side were peoples’ names. Across the top was a list of companies with bland names like “Holdings import/export” and “Property Management Ltd” and in the middle were dollar figures. None of them were very big—$1,001, $5,100—the biggest was $7,111.
“A lot of ones in those figures,” I said.
Ange nodded. “Yeah. That’s interesting, isn’t it?” She stared at them for a while longer and got out her laptop. “You still like IPredator for anonymity?”
“Generally. But why don’t you run it through Tor after IPredator.” Tor—The Onion Router—would bounce the browser requests through a bunch of random computers, and none of those computers would know where the request came from and where it was going. It was slow—slower than IPredator, which was slower than the raw network connection. But there’s a time to be paranoid, and this was it.
I stared at the mysterious spreadsheet for a while. The dead man’s switch asked for a password and I entered it.
“There you go. I knew I’d read about this. The number one appears more frequently than other numbers in financial data.”
“What? Why?”
She showed me the article, a summary of a paper at a security conference. “A lot more stuff costs between $10 and $19 or $100 and $199 than $20 and up, or $200 and up. Retail psycho
logy: people are more likely to buy stuff that costs $9 than $10; it’s a big jump. Ninety-nine dollars has less psychological weight than $100, but $999 is a lot less crazy than $1,000. So you get a lot of clusters of numbers with ones in them. But when people make up numbers, faking their finances or cheating on their taxes, you get a much more even distribution of numbers. It’s one of the ways the IRS looks for tax cheats. I read about it in a book on data-journalism—tried to get my section’s TA to read it last year but she said she had to get us ready for the exams and to show it to her again afterward.
“So all these ones, they’re inserted by someone who knows he’s making up numbers and wants to be sure that there’s plenty of extra ones to make the statistical distribution look right. Someone who doesn’t expect a human being to look at these numbers closely, but worried that a computer might spot them.”
She peered at my spreadsheet and started to type again, but the dead man’s switch wanted a password again and I didn’t grab the computer in time to enter it. The VM disappeared.
“That’s frustrating,” she said.
“I’ll teach you the password.”
“What if you set the timeout to longer? Thirty minutes?”
I shook my head. “I think I could probably hold out against someone who wanted my password for fifteen minutes, especially if they were on a snatch team that broke the door down and didn’t have any time to prepare. Thirty minutes, though…”
“Oh,” she said.
“There’s a presentation in there on how to do waterboarding. A PowerPoint. It’s got bar graphs showing the time to brain damage based on age and general health.”
“Oh,” she said again. She knew that there were times when showering would give me uncontrollable shakes. Being executed will do that to you.
I brought up the VM and opened the spreadsheet again. Ange started to enter the names.
“They’re all staffers for Illinois State Assemblyman Bedfellow. The logical next step is to look up which committees that Assemblyman is on, and what all he voted on. Data Journalism 101—or it would be, if there was a Data Journalism course in my program.”