by John Scalzi
Then the beatdown truly began. By this time one of the threeps hit by the cocktail had made it over to the car. It began kicking the bomb thrower, legs still aflame.
“It would be funny if the entire Mall and Capitol Hill area weren’t now on lockdown,” Vann said.
“You can’t say the dudes didn’t deserve it,” I said.
“No, they deserved it, all right,” Vann said. “It’s still a pain in the ass for everybody else.”
“Do we need to go in?”
“No,” Vann said. “In fact I just got a phone call telling me that you and I are on medical leave until Monday. We’re supposed to let Jenkins and Zee follow up on all our stuff.”
“Who are Jenkins and Zee?” I asked.
“You haven’t met them yet,” Vann said. “They’re goddamned idiots.” She pointed to the screen. “The good news is they’ll handle this and all the other penny-ante crap we had to deal with this week so we can focus on the important stuff.”
“So we’re not doing medical leave after all,” I said.
“You can,” Vann said. “Personally, I’m kind of pissed off about being shot. I want to take the people who made it happen and screw them right into the wall. And while you were sleeping, Shane, the other shoe dropped.”
“What do you mean?” I asked.
Vann turned to Tayla and the twins. “May I?” she asked, and reached up to signal the monitor to switch stories. She flipped through several until she pulled one up, full screen. The image with the story was of the Accelerant logo.
“It’s that asshole Hubbard,” she said. “He’s buying the Agora from the government. The servers, the building, and everything else. He’s taking Haden space private.”
I was about to respond when a call window opened up in my field of view. It was Tony.
I connected. “Where are you?” I asked.
“I’m at the FBI building,” Tony said. “Where are you?”
“I’m at home,” I said. “Medical leave.”
“Fine,” Tony said. “I’m coming to you, then.”
“What’s up?”
“I’d actually prefer to speak to you about it someplace private,” Tony said.
“How private?”
“However private we can make it.”
“What is it?” I asked.
“You were right,” Tony said. “About me being wrong. But it’s a lot worse than that. A lot worse.”
* * *
“Glasses on,” I told Vann.
She put on her monitor glasses. “Hit me,” she said.
I pinged her and let her into my liminal space. Then I entered it myself.
There was a threep standing on my platform. It was Vann.
She held out her hands, looking at her representation. “So this is what that’s like,” she said. Then she looked over to me. “And that’s what you look like.”
“Surprised?” I asked.
“I hadn’t actually thought of you having a face before, so, no, not exactly,” she said.
I smiled at this, and realized that it was the first time that Vann had ever seen me smile.
She looked around. “It’s the goddamned Batcave,” she said.
I laughed.
“What?” she said.
“You reminded me of someone just there,” I said. “Hold on, I need to bring Tony in.” I pinged Tony a door.
He stepped through and looked around. “Spacious,” he said, finally.
“Thank you.”
“Kind of looks like the Bat—”
“Tell us the bad news,” I prompted.
“Right.” A neural network popped up above us. “This is Brenda Rees’s neural network,” he said. “It’s a Lucturn model, the Ovid 6.4 specifically. It was a fairly common model from eight years ago, and it’s running—well, was running—the most up-to-date software for its model. I’ve done patches for this network a few times, so I’m pretty familiar with its design and capabilities.”
Tony pointed to Vann. “You asked me if I thought it would be possible to lock in an Integrator with a commercially available network.”
“You said no,” Vann said.
“I said I didn’t think so,” Tony said. “I didn’t think so because the code that allowed it to happen in Sani’s brain was optimized for a network that was itself optimized for locking in Integrators while giving the client control. Purpose-built software for purpose-built hardware.”
“But you were wrong,” I said.
“I was wrong,” Tony said.
“Why were you wrong?”
“Because I was thinking about Johnny Sani’s network incorrectly,” Tony said. “I told you that it wasn’t a prototype. That it was a release-level brain. Well, it is. But it’s also a proof of concept, the concept being that if you knew the hardware and the software really well, you could have the client take total control of the Integrator’s body. It’s not something anyone tried to do—well, that we know about. There’s probably some asshole NSA initiative to do just that.”
“Focus,” Vann said.
“Sorry,” Tony said. “Sani showed that it could be done. Now all anyone needed to do was translate that proof of concept into existing, general networks. And to do that you would have to do a couple of things. One, you’d have a deep understanding of the networks you were using. You’d have to know the hardware really well. Two, you’d have to be a complete fucking wizard at programming.”
“Hubbard,” I said.
Tony touched his finger to his nose. “Lucturn is the second-largest manufacturer of Haden neural networks, after Santa Ana, and Hubbard is famously involved in the design process. The programming forums are full of horror stories about him coming in and tearing up his engineers’ early designs for being inelegant.”
“And how is he as a programmer?” Vann asked.
“It’s how he got into the field,” Tony said. “He founded Hubbard Systems to manage corporate legacy computer systems, and then after he got Haden’s he started focusing on programming for threeps and networks that were orphaned when their manufacturers got out of the field. He did a lot of that programming himself back in the day. The programming system networks use is called Chomsky. Hubbard didn’t invent it, but he did write most of the 2.0 version, and he’s on the board of the Haden Consortium, which approves new versions of the code.”
“The Haden Consortium,” I said.
“What about it,” Tony said.
“Hold on,” I said. I fished through my e-mail and pulled up one for Tony and Vann to look at. “L.A. finally got back to me about the ninja threep,” I said.
“Ninja threep?” Tony looked puzzled.
“I’ll explain later,” I said. “The point is the threep’s design wasn’t a commercial design—it was a low-fee license version that the Haden Consortium offers potential manufacturers in developing countries for use in their countries. You can’t buy them or sell them in North America, Europe, or developed Asia.”
“So you were attacked by an imported threep,” Vann said.
“It could be made here as a one-off,” I said. “All you’d need was an industrial 3-D printer and an assembly robot.”
“Who has a setup that could handle that?” Vann asked.
“Pretty much any design shop or manufacturer who does full-scale modeling,” I said. “L.A. said they would look into it but it would take some time. My point here is that Hubbard’s involved with both Chomsky and the threep design that went ninja on me.”
“Which could be coincidental,” Vann said.
I opened my mouth to respond but Tony butted in. “Hold that thought,” he said. “I’m going to tell you why Hubbard’s your guy, but I have a couple more things to walk you through.”
“All right,” Vann said. “Take us to the next thing.”
Tony turned to me. “You remember me telling you that early on the network manufacturers had problems with people hacking into the networks.” I nodded. “So they made it harder to do. One, they made the network architecture more complex so it was more difficult to program for and to casually hack. But that’s a very low-level measure. Ambitious hackers tend to be top-flight programmers. So another way it’s done is that all software updates and patches have to be from approved vendors, who are identified by a hash they put in the header of the patch. A patch is downloaded and the hash is checked. If the patch is verified, then it downloads and installs. If it’s not, then it’s purged and a report is made.”
“And that’s impossible to get around,” Vann said.
“Not impossible,” Tony said. “But it’s difficult. In order to work they have to be stolen and they have to still be active. When I do white-hat hacking of these systems, half my job is getting a verifiable code. That’s a lot of psychological spoofing. Making people think I’m their boss and need their hash, finding ways to look over their shoulder while they’re writing code, shit like that.”
“How would you do that?” I asked.
“Lots of different ways,” Tony said. “One of my favorites was the time I put a basket on a remote-controlled toy quadcopter, filled the basket with candy, and then flew the candy into the programmer wing of Santa Ana’s headquarters. The quadcopter went from pod to pod, and while the programmers were grabbing at candy, I was grabbing shots of their work screens. I got eight programmer hashes that day.”
“Nice,” I said.
“Everyone likes candy,” Tony said.
“So someone could steal a hash and get into someone else’s network,” Vann said, dragging us back on point.
“Right,” Tony said. “The problem for the hacker is that even when they’ve got the hash, they’re still coming through the front door. Everyone’s looking for the stolen or spoofed hash and the malicious code. Which is why every patch is first unpacked and executed in a sandbox—a secure virtual machine. If something malign is in the code, it’ll execute there and get caught. And there are other security measures as well.
“The story here is that it’s very difficult to get any suspect code into the network in the established route. Even for a brilliant hacker, it’s a long walk to a dry well.” He turned to Vann. “Which is why I told you that it was very unlikely.”
“But then Rees tried to kill me,” Vann said.
“Actually that’s not the part that convinced me I was wrong,” Tony said. “It was the part where Chris said Rees tried to get away from the grenade after intentionally pulling it to avoid being caught. It’s possible control was taken by the front door, but if it was there’d be a record of it—patches installed when they shouldn’t have been, sandboxes launched to test the patches, a record of the acceptance of the validation of the patch and the hashes of the programmer and company who sent it along. There was nothing out of the ordinary.”
“So there’s another way in,” I said.
“There is,” Tony said. “Think about it.”
It was Vann who got it. “Fucker did it when he integrated,” she said.
“Yes,” Tony said. “When a client connects with the Integrator, there’s a handshake of information, and then a two-way data stream opens up. This aspect of the network is meant to be a totally separate process from the internal operation of the network, and it is … but the code isn’t perfect. If you know where to look you can find places to access the network’s software. And that’s what happened.”
Tony zoomed into the network to focus on the nodule that included the receiver for the client data stream. He pointed to a structure. “That’s an interpolator,” he said. “If there’s any short disruption of the data stream, a millisecond or less, the interpolator polls data on either side of the gap and fills in the gap with averaged data. But to do it, the interpolator has to access processing from the network. It’s a break in the firewall. And that’s what Hubbard exploited.”
The image changed to a schematic. “Here’s what I think he did,” Tony said. “First, he handshakes a data feed with the Integrator. Then he intentionally introduces gaps into the data stream, long enough to activate the interpolator. Then he uses the interpolator’s channel to the processor to feed it an executable file. It does this as long as needed in order to download the file. Then it unpacks and rewrites the network’s software.
“It’s going directly into the processor, so no sandbox. It’s avoiding the verification process, so no need for a hash. It’s a small file, so the Integrator’s network doesn’t have to close the session to execute it. The Integrator never even knows they’ve been compromised.”
“Why the hell hasn’t something like this been fixed already?” Vann asked. I could tell she was seriously creeped out by what Tony was telling us.
“Well, think about it,” Tony said. “This is a pretty damn big bug, but it’s a bug that has a very narrow pathway to it. First someone has to know about it. Then they have to have the technical ability to exploit it. Then they need the technical means to exploit it—by which I mean that the ability to introduce intentional disruptions into the data stream isn’t something your average Haden is going to be able to do in their own head. This needs a specialized instrument between the client and the Integrator. And by ‘specialized,’ I mean that as far as I know it doesn’t actually exist. It would have to be created.
“No one’s patched this bug because up until now it wasn’t actually a bug. It was a benign quirk at best. Basically you would have to be a Lucas Hubbard to exploit this.”
“But Brenda Rees never integrated with Hubbard,” I said. “She integrated with Sam Schwartz.”
“Hubbard created the process and tools,” Tony said. “Once they existed, they could be used by someone else.”
“Sam Schwartz is Hubbard’s lawyer,” Vann said. “He’s in the perfect position to assist him.”
“Not a very ethical lawyer,” Tony said. “But, yeah. There’s no reason Hubbard couldn’t hook Schwartz up to his machine and let him have a go at it.”
“You seem pretty sure that it’s Hubbard,” I said.
“You seem pretty sure about it, too, Chris,” Tony said.
“I know, but what I want to know is whether you think that because I do, or whether you think it because you have another reason to.”
“I believe it because you believe it,” Tony said. “I also believe it because the scope of what we’re talking about here—both for this and for what happened with Johnny Sani—requires resources of either a small country or a very wealthy person. But most of all I believe it because of the code.”
“The code,” Vann said.
“Yes,” Tony said. The schematic disappeared, replaced by lines of code. “How much do you know about Chomsky?” he asked. “The programming language, not the man.”
“I don’t know anything about either,” Vann said.
“Chris?”
“I got nothing,” I said.
Tony nodded. “The programming language was called Chomsky because it was designed to talk to the deep structures in the brain. It’s a ‘deep language’ pun. The great thing about Chomsky as a programming language is that it’s amazingly flexible. Once you know it—once you really know it—you find out there are all sorts of ways to address any problem, or issue, or goal. This is essential for neural networks. They have to be flexible because every brain is different. So the language you program them in has to have the same sort of flexibility. You’re keeping up with me so far?”
“It’s a little esoteric,” I said.
“Which is my point,” Tony said. “Chomsky is a language that has to be esoteric, because it’s interfacing directly with the brain.
“Now, a side effect of this is, because Chomsky allows so many different ways to tackle any one specific problem, programmers who are truly fluent in Chomsky end up developing their own voice. By which I mean they address goals and parameters in a way that’s idiosyncratic to them. If you spend any real time looking at the code, eventually you can tell who wrote it.”
“Like someone who writes novels.”
“Yeah, precisely,” Tony said. “Like one novelist puts in a lot of description while another one is all dialogue. Same thing. And like novelists, some Chomsky programmers are good, some are competent, and some suck. And if you’ve seen their code before, you can tell which programmer it is from the first line of code.”
He pointed to the code on display. “This is the code in Brenda Rees’s brain that’s variant from the latest point release and patching for the Ovid 6.4,” he said. He pulled up some more code. “Here’s the code of the software in Johnny Sani’s head. It reads the same. Whoever wrote Sani’s code wrote Rees’s code.”
He pulled up a third column of code. “This is code Hubbard wrote back in the day, when he was still pushing out patches and updates at Hubbard Systems,” he said. “Believe me when I say that if you ran all of this through the Chomsky equivalent of a semantic and grammatical analyzer, it would light up across the board. All of this was written by the same person. All of it was written by Lucas Hubbard.”
“Is that something we can use in a court of law?” Vann asked.
“You’d need a lawyer to tell you that,” Tony said. “But if you put me on the stand I would tell you, hell yeah, this is all the same guy.”
“Is that enough?” I asked Vann.
“To bring him in?” Vann asked. I nodded. “For what?”
“For killing Brenda Rees, for one,” I said. “For Johnny Sani, for another.”
“We don’t think he killed Rees,” Vann said. “We think Schwartz did. We still don’t have anything court-worthy connecting him to Sani, either.”
“Come on, Vann,” I said. “We know this is our guy.”
“We go in with what we have and Hubbard’s lawyers from Schwartz on down are going to blow our heads off,” Vann said. “And I know you don’t really need this job, Shane, but I kind of do. So, yes. Hubbard’s our man. Let’s make absolutely sure we can get him.” She turned to Tony. “What else you got.”
“Two more things,” Tony said. “The first is about Rees’s code.”
“What about it?” Vann said.
“It doesn’t bypass her long-term memory,” Tony said. “Either Hubbard couldn’t find a way to make it work, which is possible because the neural network layout is non-trivially different, or he decided not to waste his time because—” He paused.