* * *
Then he caught a break. A break that changed his life even more than the night he’d walked into that bar in Charlottesville and met Becks.
The NSA did everything from operating spy satellites to protecting the fiber-optic cables that connected the White House with the Pentagon. It made the CIA look small.
But at the agency’s heart was a group called Tailored Access Operations—the government’s hackers. TAO was the computer equivalent of the military’s Special Ops units. Its coders inserted malware into North Korean nuclear plants, hacked the phone of Iran’s supreme leader. The Tailored Access guys could write code which would have gotten anyone else arrested. One famously nasty TAO bug called Carrie caused laptops to overheat and burn, even on sleep mode. The agency had used Carrie only twice, both times against North Korean nuclear scientists.
Tailored Access had barely two hundred coders, the elite of the elite. Brian’s résumé was far too thin for the agency even to consider him as a hire. But the NSA knew that many of its engineers considered the chance to work for TAO a major job perk. Once a year, it offered an open competition, a twenty-four-hour chance to solve what the agency called a “theoretical targeting opportunity.” Anyone who did was given the chance to join.
The official name for the challenge was the Annual Special Entry Program. It was more popularly known as “Ender’s Game,” from the famous Orson Scott Card novel. Despite the agency’s insistence that the puzzles were theoretical, everyone assumed they were related to actual Tailored Access operations. They were next to impossible. One week after the contest, the agency announced how many winners it had had. The coders joked that in most years the number was binary—either 0 or 1.
Brian’s first Ender’s Game had come five months after he joined the NSA full-time. He was still learning the quirks of the place. But any coder could sign up, even one as new as he was. To avoid interfering with regular work, Tailored Access dropped the challenge at midnight on a Friday. Employees worked at their desks. They had access to their regular computers and the NSA’s usual non-TAO software tools and databases. They had to work alone; teaming up resulted in immediate disqualification. Each year’s instructions opened with a single line: This is a problem, not a puzzle; answer accordingly. The challenge followed.
Brian feared entering might annoy his new boss, a rickety NSA lifer named Jeff McNeil. What, Mobile Support isn’t good enough for you? But McNeil encouraged him. “Rite of passage,” he said. “The Coder Olympics. Sponsored by Red Bull.”
Even then, Brian wasn’t sure. Why waste a Saturday?
The entry deadline came two days before the contest. With a few hours still left to decide, he told Kira and Tony about it over breakfast. Nothing classified, just the outlines. Tony shoveled Raisin Bran in his mouth like an escaped prisoner. Kira picked at a clementine, one tiny slice at a time. Having a teenage girl meant never, never talking about food. At the counter, Becks was making coffee. Of course, she’d just bought a three-hundred-dollar brewer despite their financial crisis.
She really should have married some rich guy from law school.
“Sounds cool,” Tony said. “You should do it.”
“Not sure cool is exactly the word,” Kira said. “But yeah.”
“All right, maybe I will.”
Becks grunted. He knew what that grunt meant.
“Doesn’t Tony have a game Saturday?” she said. Without turning around, still fiddling with the Nespresso machine, like she was asking the air.
As if Tony was going to get off the bench for more than the league-required five-minute minimum. “You can take him. He’d like that.” For once you can be the parent who shows up.
“If you think you have a chance, you should do it.” Which we both know you don’t.
At that moment he decided that nothing in the world would keep him from signing up.
* * *
So it was that at midnight Friday, he found himself staring at his computer. No surprise, the challenge looked impossible. It involved a messaging system that an unnamed “Hostile Foreign Entity” used to communicate with its agents through the Internet. The encryption that protected the system was defined as a 1024-bit asymmetric key. A hundred messages were provided, strings of characters and numbers that the NSA had captured.
In theory, a chain of powerful computers working together for months might break the encryption. But Brian had no chance of writing the code necessary to attack the key directly. He had a basic understanding of encryption. He knew how the first cryptographers had developed public keys. He could explain the relative strength of asymmetric and symmetric systems. But he couldn’t pretend to be an expert. Not at an agency that had PhDs who had literally written textbooks on the subject.
Anyway, he was sure that going straight at the problem would get him nowhere. The Tailored Access coders had no doubt tried that approach. Brian needed something else. If he couldn’t decrypt the messages themselves, maybe he could find a pattern in the metadata, the headers and footers that surrounded them. Find a clue that the TAO guys could pursue, evidence he could think creatively.
Not the greatest idea, but it was all he had. Either that or go home, and he wasn’t ready to go home. No way. He could already see the smirk Rebecca would give him.
He popped open a Red Bull and reconsidered the problem. The messages had been presented in apparently random order. He started by sorting them from oldest to newest, looking for a call-response pattern. Maybe they represented a single intelligence controller communicating with many agents at once. But he soon saw the messages had not been sent in any pattern, at least not one he could understand. Assuming the time stamps were accurate, they spanned almost two years.
Assuming… assuming. So much he didn’t know. Like everyone else in the contest, he was operating with only a fraction of the information he would have had if he actually worked for Tailored Access. For example, the agency might have captured a hundred thousand suspicious messages and only provided these. Or these might be the entire data set.
Nor did he have any idea how the NSA had found the messages. They might have come off of the agency’s standard Internet surveillance—which captured more or less all the data that came over the public Internet—and popped up as worth another look. On the other hand, the agency might have targeted a specific network. Or these messages might even have come off the hard drive of a single laptop that soldiers had captured in Afghanistan.
But in that case, Brian would have expected the messages to be roughly the same length. Working on corporate email systems had taught him that once people had a writing style, they stuck to it. Not these. Some were just a few characters or words. Others went on for several paragraphs. Brian decided it was more likely that they weren’t from or to a single user, that the “Hostile Foreign Entity” the challenge referred to was an actual intelligence agency, not just a handful of terrorists.
A guess, but he had to start somewhere.
He tried again, dividing the messages by hours of the day. Maybe they were routed through specific Internet nodes at specific times. Again, he couldn’t see any pattern. The drop points—the router addresses through which the messages had entered the Internet—had come from all over Central Asia and the Middle East.
Of course, skilled users could try to hide the real locations where they were connecting. But those methods left clues, such as transmission lags lasting a fraction of a second, that the NSA should have found. Brian saw no hints of those. He didn’t understand. The obviousness of the drops cut against his first guess, that he was looking at an intelligence agency. If an agency was using this system to connect officers with frontline operatives, he would have expected security that extended past encryption, including falsified entry points.
Then again, maybe he just wasn’t good enough to spot them. He put aside the messages and spent a couple of hours reading manuals on the agency’s technical tricks for tracing message traffic. Nothing jumped out. By the time the s
un rose he was exhausted. Though he was increasingly sure the message system wasn’t particularly sophisticated. It looked like a commercial-grade instant messenger with encryption layered on top. But would a serious intelligence agency rely on an outside vendor for its messaging system?
Brian pulled papers from the agency’s library about the potential holes created when encryption was added to preexisting message services. Software engineers called fixes like these bolt-ons. They were notoriously vulnerable to outside attack.
After some searching, he found a paper—Secondary Encryption: Strengths and Vulnerabilities—that addressed the issue. He downloaded it, promising on pain of his life, or at least the next five years, not to remove it from the agency in any form. It turned out to be thirty-three pages long, each paragraph more gruesomely difficult than the next: “Assuming finite algorithmic variability, we find that random errors will rise at the square of…” After two hours and three more Red Bulls, he had read twelve pages and understood maybe half.
He simply didn’t have the training in core computational theory he needed to follow the logic here. He never would. The guys who wrote these papers were off the charts, and they’d spent their lives learning to think like computers and to make computers think like them.
Brian was just a mechanic.
He was also exhausted. He could have used a pick-me-up. Too bad he’d left his stash of Addys way back in the nineties.
He put his head on the desk and closed his eyes.
* * *
He wasn’t sure how long he was out, but he woke up to a monsoon. He jumped out of his chair to find McNeil dumping a bottle of Poland Spring on his head.
“Dude.”
“Lucky it’s not Gatorade.”
“Lucky I didn’t deck you.”
McNeil cackled. The guy was six feet tall, one hundred forty pounds, with a widow’s peak that guaranteed him a spot as an extra in the next Addams Family movie. “How’s it going?”
Brian shook his head, feeling the water drip down his back.
“I hear this one is even more impossible than usual. Half the guys have quit already. I’d offer you advice but I’m not allowed and it wouldn’t help anyway.” McNeil scooped up the paper that Brian had printed out. “This is some high-level shit. If I were you, I’d focus on beating the password protection, 1Gojihad1. ’Cause you’ve got about as much chance of figuring this out by midnight as learning Japanese.”
“You’re taking a little too much pleasure in this.”
“We also serve who remotely shut down our masters’ lost Crackberries. I’ll be glad to have you back on Monday.” McNeil ostentatiously checked his watch. “Anyway, you have another eight hours and fifty-four minutes, so make me proud, son.”
“Thanks. Don’t you need to get back to your coffin and wait for dark?”
“Sick burn, Bri.” McNeil saluted and left.
Brian gave him a minute before going to the bathroom to mop himself up. Staring at himself in the mirror he wondered what had happened to his life. He loved Kira and Tony, wouldn’t have traded them for anything. Otherwise what else did he have? He still liked to think of himself as the cool rebel, the guy he’d been back in the nineties, the guy who’d once shared a bottle of Jack with Kurt Cobain.
In reality he was a tiny cog in the world’s largest bureaucracy. He monitored software downloads for a living.
Oh well, whatever, never mind…
Might as well just go home. No shame in joining the quitters. Stop at a titty bar on the way, find a stripper willing to get up close and personal. He had a few more hours of furlough.
But he couldn’t. Some part of him knew he was on the right track, that the mismatch of strong encryption and obvious entry points meant something. He also thought of something McNeil had said, We also serve who remotely shut down…
Despite its culture of secrecy, its internal surveillance, its constant reminders to be careful, the NSA faced a constant drip of lost phones and security breaches. After all, the agency’s employees were only human. And sometimes they cut corners.
What if Brian was right? What if he was looking at a publicly available instant messaging system, nothing proprietary? Like AOL Instant Messenger but developed for a language other than English. Not many people knew how many different messaging systems had been developed over the years—maybe not even inside the agency. They sat on top of browsers, so coding them was straightforward, at least the ones that didn’t have video. They could be optimized for different languages, different levels of user authentication and secrecy.
But the second- and third-tier systems faded away fast. If they didn’t quickly build a big enough installed base to attract advertisers and sponsors, the developers stopped supporting them and they turned into relics. The tech industry had no place for losers, whether the TRS-80, the floppy disk, or AOL Instant Messenger.
Maybe the “Foreign Hostile Entity” had gone after one of those dying systems, repurposed it for its own use. After all, desktop computers were still the main way people outside the West connected to the Web. In developed countries, Internet connections were mostly mobile. Poorer countries still depended on hard lines.
Only a theory, but it made sense. And if it turned out to be right—
He might be able to figure out which system it was.
Back at his desk, he looked up the agency’s files on instant messaging applications. They were solid on mobile messenger apps, thin otherwise. The agency had become so obsessed with smartphones that it no longer spent much time on browser-based services. A classic example of focusing on what was important to you rather than your enemy, Brian thought.
But as a matter of course, the agency did log every messenger application it found. The list totaled more than one hundred. Not good enough. To impress the guys at TAO, he needed more. They might like his theory. They might even use it. But they wouldn’t hire him for coming up with it, not unless he figured out the specific app that the foreign entity had used.
Time for another guess. He eliminated all the apps from in the United States or Western Europe, or any that were too new. He focused on seven systems that dated from the early aughts, four in Russia and Eastern Europe, one in Turkey, one in Pakistan, and one in India. None had caught on.
He pulled the documentation the agency had recorded on the systems. Unfortunately, it was minimal. They had all been built off GPL or Freeware licenses, but the agency had spent almost no time looking at them. As far as Brian could tell, no one had even bothered to download copies of the original system software. A mistake. He wasted a few minutes throwing the names of the messengers at the agency’s database querying system. But each request came back with tens of thousands of answers. He couldn’t figure out a useful way to sort them. He tried to ignore the little digital clock on his computer, but he couldn’t help himself; it was now 8:02 p.m. Less than four hours left.
He tried to find the apps on the Internet to install them on his computer, but they were all gone. The original websites for the developers were gone too. No surprise. Americans thought of technology companies as profitable giants like Apple. In reality, most tech companies, especially in places like India, were often not much more than a few twentysomethings in a room. They alternated between writing semi-legit code, dubious pop-up ads for penis enlargement pills, and outright hacks.
Even with the deadline looming, Brian decided to spend an hour documenting what he’d done. At least if he found something in the last few minutes, he could prove it hadn’t been luck. The contest famously ended exactly on time. Coders had to file their work by midnight; TAO would not accept late submissions. The rules don’t have to be fair, they just have to be the rules, the final paragraph of the challenge warned. We don’t want you wasting more than one day a year on this. (If you could have figured it out you’d already work for us.)
But as Brian explained his steps, he couldn’t help feeling like a fraud. Really all he’d done was guess, because he didn’t have the skills
to code a direct attack on the encryption—
Wait.
He’d looked for the companies. And they were gone. But he hadn’t chased down the developers themselves. He’d forgotten—as the NSA sometimes seemed to—that programs didn’t fall from the sky, that people had to write them. Maybe he could find traces of the coders.
Wasn’t much, but he’d spent more than twenty-one hours on this stupid contest. Might as well finish strong. For once in his life he’d go to the limit.
He went back to the cached pages of the now-defunct developers, plugged the names on them he found into both the public Internet and the agency’s database.
The name searches led everywhere and nowhere. The common ones pulled up hundreds of thousands of results, mostly in foreign languages. When Brian translated them, they were useless, random web pages for Moscow car dealerships or Bulgarian dating sites. The torrent of information on the Internet was its own best defense. He tried again, this time adding corporate names.
Again the results overwhelmed him. He could have wasted days looking through them. In pure desperation, he started to add search terms almost at random: spying, espionage, secret, agency, encryption—
There. The conference was called “Better Than Pretty Good Encryption.” It had taken place at a Radisson in Jaipur, India, two years before.
“This two-day event will get you up to speed on the newest public key software!” A list of presentations was included. And—at the bottom, the lousy end-of-second-day slot—Brian found Vijay Patel, director of engineering at IRGG Services Limited, speaking about “Adding Public Encryption Layers to Instant Messaging Services.”
Brian hadn’t heard of IRGG Services. He searched for it along with Mumbai Communications Pvt Ltd, the company that had created the Indian instant messenger. Lucky him, the Indian software industry ran mostly in English. He found a two-line announcement on an Indian software blog: IRGG Services has purchased Mumbai Communications, terms undisclosed.
The Power Couple Page 23
