captcha the flag
Jan. 8th, 2015 05:06 pm
Without further ado, I start downloading everything that's on his personal machine. The client requested a general dump, and a general dump is what they'll get. There's a promise of a bonus if there's specific information in the dump, and I could certainly use one — it would mean not having to worry about rent for the next four months, as well as some fun upgrades here and there for my rig.
It tells me it's going to take seven minutes, so I figure I might as well indulge my curiosity and browse around his network. The client didn't say I couldn't, after all, and it's always interesting seeing what kind of things people keep on their computers. Some people are impossible — I'm sure everyone has a friend or coworker that has a million files on their desktops, enough that you can't even see what their wallpaper is. Other people are organized to the point that you have to go five folders deep before you see any files at all, and each folder only has one file in it. What's the point in that?
This guy seems to be relatively normal, though, with some files on his desktop and some organization, but nothing too anal-retentive. I browse, looking at stock agreements and merger and acquisition docs and my eyes almost glaze over until I open a 'scratchpad.txt' file, the kind of thing that people put reminders in because they don't understand that to-do software exists. This one starts with a reminder about Jessica's birthday and then has a schedule for wine tasting classes and turns into something that looks like twenty drafts of a letter asking for forgiveness.
It's only on the fifth letter attempt that I realize what I'm reading, and I almost fall out of my chair as I stare at the screen, now, everything else forgotten.
Sixteen minutes later, I very carefully jack out and try and figure out what the hell I'm supposed to do with what I know: one of the most trusted companies in America is hiding one of the biggest data breaches that the world has ever known. Selling information not just to a company but to the enemy. Do I give the data over to the client? I have to, I think — they'll know that I tried. And besides, maybe they won't notice the little throwaway document.
Before I sleep that night, I take a few precautions that I never thought I'd have to. I hope, more than anything, it'll just blow over, but I also realize that I have knowledge that has been very carefully hidden away, and I remember what my father the spymaster said about those that knew too much.
The first indication that there's trouble is from my contact who sought me out — and paid me — for the job.
Artsada, he starts, pinging me by handle on the darknet forum where job offers are made and taken. Question from the top.
Shoot, I write back. Top, in this case, would be the client, nameless for security reasons.
Top wants to know if you checked the dump.
I pause for a second. It's not a question you get very often — the job is the job, and anything I do outside of it is irrelevant.
I was waiting for dump to finish uploading and played around on his network, as usual. Didn't see everything in the dump, though. Problem?
K, he responds, and then goes silent, which doesn't quite answer my question. He doesn't disconnect, though, so I wait, curious to see what the next message is. Finally, he comes back:
Do you have a copy of the dump, outside of what you provided? he writes, and I'm starting to realize that the correct answer is 'no' — even if the truth is 'yes'.
No, I type. And then I delete it, hesitate, and type it again, and press enter.
You sure? he asks, and I frown. He shouldn't be doubting me; he never has before. Here, I get the inkling that he's not fully in control of the situation anymore.
Check my references, I offer, with more bravado than I feel.
Top says they will, he finishes and then signs off, before I can say anything else.
I get a letter, a day later, but instead of through the forum, it comes to my personal email.
Dear Artsada,
We believe that you may have read something that was not meant for your eyes. We apologize for the oversight on our part. We request that you delete it, if it is present on your computer. Unfortunately, it will be necessary to confirm that you will not disseminate this information. Please respond within twenty-four hours with assurances.
I get about three lines in before I realize that something's very, very wrong — they've cracked my security and know who I am, which should never, ever happen. Whoever this is wasn't playing, and I didn't have delusions that they would be willing to take any steps they found necessary to safeguard the secret I had in my head. The best way to handle it, I think, is to downplay it: I respond immediately with an assurance that I would simply like to live my life and would never speak of it, upon my reputation.
They respond, just as immediately.
Thank you for your cooperation. We unfortunately need to take steps to confirm that you will not disseminate the information, the next email reads, and as I'm reading it, my computer starts to whine, a noise that I've never heard it make. As I bring up the diagnostics, I realize that it's doing something I didn't tell it to: it's purging all information on the hard drive. It's deleting itself.
They're not just on to me, I realize with growing horror, they can see everything that I've done. Which means that they know everything. But maybe, maybe if they didn't get in until now, they won't have seen the failsafe I set up, the night that I found out about it all.
Which means—there's a knock at the door.
It doesn't surprise me, nor does the increasing insistence of the knocks, nor the sound of it being blown off its hinges. I hear footsteps down the hallway, and I know why they're here.
There's nothing left for me to do now. But I smile, spinning my chair around to meet them, as I realize this: there doesn't have to be.
If you're reading this, I'm dead. This is probably less exciting because you've never known me, but you'll want to see what I have. I set up a dead man's switch a week ago, because I figured what I was sitting on was going to get me killed, and it turns out, I was right. I wouldn't worry about avenging me, though; just get the truth out to the public, so they understand how deeply they've been betrayed. Here are the documents that I have — you'll see how I got it, and the forensics to prove that it's been unedited.
And to quote a famous reporter, one that I hope would look upon what I've done here and approve: good night, and good luck.