They rolled off, trailing dust, and onto the open road.
08
A Hackable Heart Transplant
Alien returned to Cambridge in September 2003 and rejoined the MIT network security team. After Jake’s tutelage at Los Alamos and months of work on her project there, she could match UNIX skills and computer programming chops with anyone. Working in MIT’s IT department was no longer a temporary gig, a way to cover expenses and complete an interesting research project en route to graduation. Alien now had the authority and responsibility to safeguard one of the world’s foremost computing environments.
When she arrived, the Institute was still dealing with the fallout of Blaster and related worms that took advantage of similar vulnerabilities. The expense of cleaning up affected machines and recovering data ran about a million dollars, not counting the collateral costs of computer downtime during the crisis and the irrecoverable loss of many files. As soon as possible, Alien rewrote NetVision so she could see even more with it. Then she reviewed what had happened and began formulating a strategic plan for how the network security team should respond to large-scale emergencies in the future.
As this planning was taking place, new leaders with their own ideas took over Information Services. They merged it with other organizational units at MIT, renamed the new entity Information Systems and Technology, and installed a corporate culture, including a nine-to-five workday and dress code. A rumor spread that soon employees would have to wear branded baseball caps, like fast food workers. Several of the colleagues Alien respected most, people who had worked there for decades, specifically because they wanted to be at MIT instead of a place like IBM, were pushed out or quit. These were people who had constructed extraordinary systems like Athena.
Marie left in 2004. Alien stayed on several more months, until a meeting with her new boss. Success, going forward, would be measured by counting the number of closed CaseTracker cases, he said.
“That’s not a real security improvement,” Alien objected. “Most of our open cases come from automated warnings—they might be nothing. A better metric would be the number of active cases, and then what’s a priority among them.”
The man’s face turned red. “If you keep interrupting people, one day somebody’s going to slap you!” he said.
Alien felt personally threatened—and by the man she was supposed to go to for help if she was harassed. She was sure he would never have said that to someone older than her, or to a male employee of any age.
She quit.
Alien started scanning postings for technical jobs. Security-specific listings were rare, but in May 2005 a want ad from the IT department at Mayflower Hospital, building its information security team, caught her eye. Alien applied. When they called for an interview, she was taking no chances. She put on her most professional outfit, a fitted suit and black heels, and prepped by reading a book called 60 Seconds & You’re Hired.
That afternoon, she steered Pepper through Boston city traffic, the tips of her heels barely touching the ground when she drew to a stop in a free space between a couple of parked cars. Alien dismounted, removed her silver helmet, and straightened the suit jacket. Before she crossed the street to her appointment, she touched her index finger to an embossed metal charm tied by its chain to the bike’s dashboard, between the ignition switch and the speedometer. It had been given to her by her Santa Fe housemate and fellow circus performer, the fire artist.
BELIEVE, the charm said, below a bald, bug-eyed ovoid figure of—what else—an alien.
An hour later, she had the job.
Mayflower was huge—a vast interconnected complex, like a college campus, built up steadily over a century, and now taking up most of three city blocks. In its annual report, the hospital noted that it served more than 300,000 people a year. Yet the entire six-story building in which Alien worked housed no medical equipment, no doctors, no nurses, and no patients.
This was the hospital’s IT center, responsible for all its computers and computer networks.
At first, Alien was surprised that a hospital could be as reliant on fiber optic networks as on intravenous tubing. But hospitals, behind their human dramas, ran on data, she came to recognize. One critical computer system, for example, registered patients for admission, discharge, and transfer. Another stored medical records, clinician notes, and prescriptions. A third kept all the imaging: X-rays, MRIs, ultrasounds, you name it.
There were billing systems with patient payment and insurance information. Clinical systems specific to allergy or urology, cardiothoracic surgery or pediatric dentistry. The hospital’s internal email system, its remote login system, and shared workstations, just like at MIT.
Alien’s position was in information security—often shortened to InfoSec. Their job was not to run any of these systems, each of which was managed by its own team, but to protect them all.
There was pushback, however. As at MIT, people saw security measures as nuisances. Until they needed them.
The first Monday in November, five months into the job, Alien entered through a side door, said hi to the guard, and placed the lanyard holding her employee badge around her neck. Across the street a food truck pulled up, as it did every weekday at nine a.m., emitting the strange fluttering horn that let her know she was late.
When the elevator to the second floor opened, Chris, the leader of the hospital UNIX team, was standing right there, obviously waiting for her. Thirty-two years old, balding but not yet committed to a shaved head, he wore a comb-over and brown plastic-framed glasses, a beige sweater, and wrinkled corduroys.
“You took my servers down this weekend with your AutoAudit script,” he said, referring to a program she had written to scan his systems for thousands of known security holes.
Alien pinched her eyes shut in exhaustion. Her natural bedtime was still what others would call the middle of the night. She would never be good at mornings.
“The AutoAudit script wasn’t even running this weekend, Chris,” Alien said.
Chris glowered. “This isn’t over,” he said.
“Fine.” Alien walked down the hall to her cubicle and logged in to her computer, using her hospital-assigned username, “gk229120.” Although she was only twenty-four years old, she already had two stints on the MIT network security team and her period in the nuclear nonproliferation and international security division at Los Alamos behind her. At the same time, the hospital was her first job independent of any MIT connection, and, in that sense, her first in the “real world.”
“Eleven years, two months, a week, and four days.” Harry, the silver-haired data center manager, stood behind her, offering his daily update of how much time remained until his retirement. He paused for effect before continuing. “And seven hours, forty-four minutes, and eleven seconds.”
Alien let herself laugh, as Harry intended. It was a joke between them. Beigeworld, they called the office.
“Lunch?” Harry whispered.
She nodded.
Alien typed, toggling back and forth between emailed problem reports and more proactive measures like AutoAudit.
At noon, she saw Harry stand, carrying a heavy winter coat under one arm out the door. As he looked back, Alien nodded, indicating she’d meet him in a few minutes at the end of the employee parking lot. She was just wrapping things up on her computer when she heard her desk phone ring.
I’m going to kill Chris, Alien thought.
The caller wasn’t Chris, though. It was another colleague, Amy, from the network team.
“We’re having a bandwidth issue,” she said. “It’s completely clogging the network. And we can’t isolate the source.”
Alien heard the urgency in Amy’s voice. “Be right there,” she said.
“Rain check,” she texted Harry as her pulse took a pleasing jump.
Amy was a lanky brunette, twenty-seven or twenty-eight, dressed in jeans and a teal pullover. Alien knelt beside her in her cubicle as they studied network traffic information from Internet addresses across the hospital.
“We started getting calls two to three hours ago saying the Internet was slow,” Amy told her. “I checked it out, and they’re right: some internal address is just spewing traffic.”
“It’s got to be a worm,” Alien said. “Can you shut off the port?”
“I could, but I don’t know what’s plugged into it,” Amy said. “What if it’s an important machine? I don’t want to just cut it off.”
“Let me see,” Alien said. She stepped up to the keyboard and scrolled back through Amy’s command history, double-checking her investigation. Amy was a pro, though: on the basis of the Internet address alone, the closest they could do was trace the worm’s origin point to a third-floor hallway in the same building that held the Mayflower ER.
Alien’s eyes narrowed. The fatigue was gone.
“Stay here—I’ll find it,” she said.
Alien ran to the elevator, popped outside, and cut diagonally across the Mayflower campus. Seven minutes later, wide sliding doors separated for her at the entrance to the ER.
Alien passed the sick and injured, spread across three large first-floor waiting rooms. She flashed her badge and entered a room of curtained individual treatment areas. Inside, she focused not on the patients but on the array of blinking and humming devices everywhere around them.
A beefy middle-aged construction worker, accompanied by two others in his crew, one still in his hard hat, was hooked to an infusion pump while he waited for someone to stitch his bloodied forehead. A little girl with a swollen arm, her hand on her chest, and a frightened look in her eyes as she was comforted by her mother, was having her heart examined with an electrocardiograph. An electronic respirator delivered oxygen to the mask over the mouth of an elderly man who lay unconscious, as his desolate wife sat beside him. And wired to a vital signs machine measuring body temperature, blood pressure, heart rate, and blood oxygen saturation was a young pregnant woman.
Alien grimaced. Each patient bed had multiple devices beside it. Anything with a plug probably included a computer chip—and almost as likely, Alien thought, a network card. For maintenance, maybe. Or data sharing. Or as an untapped, even unnecessary “feature” about which the sales rep could still boast. If she didn’t identify the culprit for the worm quickly, any of these devices could become infected.
Alien rushed forward, past an anesthesiology machine (a computer), two nurses’ stations (twelve computers), and around a thick-walled glassed-off area holding a CT scanner (yet another computer). Ideally the hospital would have a complete map of Internet addresses by room and specific port on the wall as well as floor of the building. But that level of coordination was a fantasy even at a technical university like MIT or a military and scientific research site like Los Alamos. Instead, people went online as they could, installing equipment as they went, and IT discovered unregistered machines only when they presented problems.
The one way Alien could hope to track down the infected machine was to head upstairs to the hall she and Amy had identified, check the closet there that held a network switch, and hope the equipment was well labeled.
Amy had called ahead for backup. An IT staffer assigned to this building met Alien at the third-floor elevator and showed her to the right switch. It serviced a long, quiet hallway. By now, Alien had burned almost half an hour. But she was getting closer.
Back out on the hallway, Alien stopped in front of the only door in sight. Doctors and nurses swished past. Alien stepped back, feeling out of place without a white coat or scrubs. When a nurse slowed before the door, however, Alien flagged her down.
“Hi, I’m from IT security,” she said, and showed her badge. “I need to get in here.”
“Oh.” The nurse swiped her own badge and the door clicked open. “I’ll have to accompany you,” she warned. “This is a restricted area.”
The room was warm and dark. Alien could make out a few rows of what appeared to be high, narrow carts on wheels, each with a monitor nearby. It was vaguely reminiscent of a server room. But her entire concern was with the network ports located close to the floor. Alien dropped to a crawl. Using the same Maglite she’d had since her freshman year at MIT, she swept the walls, looking for the guilty port.
Twenty seconds passed. Forty. Sixty. Finally, Alien’s beam illuminated a yellow plastic port cover to which someone with a label maker had attached the alphanumeric name of the infected machine.
Alien smiled in triumph and relief. She used the Maglite to trace the black Ethernet cord coming out of the port. It led to a profusion of other plugs and cables entering the back of the machine closest to her.
She’d page Amy, and Amy would alert both their bosses. They’d get the problem diagnosed as soon as possible—before the machine infected anything again.
Alien stood up. She felt the nurse touching her back gently, to get her attention without speaking.
“Turn that flashlight off, please,” she asked in a low but firm whisper. It was more a command than a request.
Alien obeyed. She felt a sense of alarm, even dread. Had she done something wrong? Where were they? There weren’t any patients in this room, she had thought; it had no beds, only more machines like this one. Her senses suddenly heightened, however, she now heard the sound of slow breathing all around her.
For the first time since her eyes became accustomed to the dark, Alien took a look around the room. On each of the wheeled stands was a tiny pallet enclosed by clear plastic.
The pallets, she saw now, held tiny blankets. And under each blanket was a baby. A tiny one, sprawled out on its back and head turned to one side, all wired up. These newborns were essentially on life support, and fast asleep.
The room might resemble a server room, Alien realized. But it wasn’t. It was the NICU—the neonatal intensive care unit.
“Babies,” she said to herself.
Alien walked slowly back to Beigeworld, having remembered why she was here.
About the same time she started work at the hospital, Alien had moved into a large three-story Victorian house turned commune in western Cambridge called Fireberry Manor, shared by a dozen people, all MIT graduates and their friends. The Sunday night after tracing the worm to the NICU, she led a new boyfriend to her room on the top floor.
At three a.m., just as the two of them were settling into bed, a friend and Warehouse resident called her.
“Did you hear about Frostbyte?” he said.
Alien went straight to the Warehouse after work on Tuesday. She ducked yellow police tape over the big metal door and walked through familiar, once enchanting rooms, suddenly empty except for broken glass, splintered wood, and scattered clothes. It felt so surreal, and so sad. The light walls and sculptures, custom turntables and speakers, secret freezer and one-of-a-kind furniture—all were gone.
One man called to another on the street below. Alien froze in front of a huge freight elevator, painted in slashing black and bright yellow stripes, ready to run if she heard footsteps. Less than seventy-two hours ago, while she snuggled in bed with her boyfriend, Frostbyte had collapsed during sex. His boyfriend called 911 while roommates contacted friends. Already, though, Frostbyte was dead and the police, who saw the entire site as an underground designer drug lab, had seized or destroyed almost everything. Violently.
The voices passed. Alien walked slowly through the empty halls, hearing only the sound of her footsteps crushing broken glass. All along, the Warehouse had been a squat. After the police raid, anyone who’d lived there risked arrest. Not just a life, but also a community, had been annihilated.
At the open door to the room of the friend who’d called her, she smelled dusty flaking paint. On the floor was the body of an orchid, its green leaves limply spread across broken glass and packed soil.
Alien scooped it up, cradled it in a scarf, and carried it home.
Eight weeks later, early January 2006, Grant, the InfoSec team leader, surveyed the room at an information security team morning meeting. Five ten, trim, in his late thirties, he wore a black suit and a yellow-and-black-gridded tie. His staff was a short, plump fifty-something woman from South Boston, responsible for all user account setup; a buzz-cut army reserve officer in his mid-thirties, who worked with Alien on UNIX security issues; their skinny Windows security lead, only a year or two older than Alien; and Alien herself.
“In February, the entire hospital is switching from traditional phone service to VoIP”—Voice over Internet Protocol—Grant said. “What’s the potential impact?”
The Windows security lead spoke up first. “What isn’t?” he said drily.
Because medical equipment was so expensive, hospitals expected devices to last fifteen to twenty years. What was brand-new in 2006 would still be in service in 2021. Once VoIP became the standard office phone setup, they’d have to make sure it didn’t break anything else, now and for at least the next two decades.
“Be specific,” Grant prodded.
“They fax prescriptions, don’t they?” the guy said. “We need to keep those protected.”
“Docs use the phones to make transplant orders,” said the woman responsible for user accounts. In her Southie accent, “orders” was “awdahs.”
“In the wards, the phones are like walkie-talkies,” said Alien’s colleague on the UNIX side. “Lose them and no one could communicate.”
Grant nodded. “And that’s just for starters. Well, who wants to look into it?” he asked.
Alien had her hand up for a few seconds before she realized that she was the only one.
Alien threw herself into the research. Ensuring higher-level security at the hospital meant more than cleaning up messes, or vetting existing systems with AutoAudit. Ideally, InfoSec would test new technology before it was put in place. To do that, you had to hack.
Breaking and Entering Page 15