Mick left LeydenTech early the next afternoon to take a break and clear his thoughts.
His private key compromise had left him feeling off balance, and he felt strangely vulnerable, as if anything might happen to him at any time.
He recognized the feeling as illogical, as he had already changed all his passwords and was using a new private key, but the feeling remained.
With his trip to Hiroshima fresh in his mind, Mick visited the Los Alamos Museum to learn more about the Manhattan project.
The museum was housed in a building from the Los Alamos Ranch School, which the government acquired to establish the laboratory in 1942.
It seemed amazing to Mick that the bomb that devastated Hiroshima was designed and built in this beautiful place.
The museum had a small exhibit about the work and the workers who lived there up to 1945.
The grandmother of one of Mick's friends from Columbia had grown up in Los Alamos during this period, and he recalled her stories of life in a town that didn't officially exist.
Mick really wanted to visit the White Sands Missile Range, a few hundred kilometers away, where the first atomic device was detonated.
He really wanted to see the desert sand fused into glass stones by the detonation (named "trinitite" after the code name for the first bomb – Trinity).
However, he knew the site was still an active military base and test site, and it was only open a few times each year.
The device tested there was a plutonium device, the prototype of the bomb detonated over Nagasaki.
The one dropped on Hiroshima used uranium instead, despite some claims that both were uranium.
The uranium device was not tested before Hiroshima as there was not enough processed uranium for a test detonation.
Mick read that some of the uranium was processed in New York, but most of it was produced and refined in Oak Ridge, Tennessee.
At peak production during the Manhattan project, Oak Ridge was using about 15% of all the electricity produced in the United States – more than all of New York City!
Mick felt amazed at the amount of work and planning that led up to the detonation.
So much design and engineering of the various components: the fission fuel, the detonator, the delivery vehicle.
So many parts of the project worked on by different teams in different parts of the country, culminating in one history-changing day 6ØØ m above Hiroshima.
Later back at LeydenTech, Mick came to a disturbing conclusion: the compromised server was definitely part of a botnet.
This was surprising because all the behaviors seemed wrong; the compromised server was not trying to act stealthily at all.
A computer that was a member of a botnet normally would try hard not to give away this fact until it was ready to be used – otherwise, the computer would be disconnected, cleaned, and would be lost to the botnet.
Usually, this meant keeping a low profile with Internet activity.
This software seemed to be using a different approach – a hiding-in-plain-sight approach, where it pretended to be spamware.
He was sure that the spamware wasn't the main purpose of the compromise, but that it served as cover for the real activity of the botnet.
One possible reason – and this thought really bounced around in his brain – was to hide with whom the malware was communicating.
This was called communication ‘obfuscation’ in the industry, and was one security property that was usually difficult to achieve.
There were common approaches for encrypting traffic to make it private, and signing communication so you could prove who sent it, but all these approaches did nothing to hide the fact that two computers on the Internet were exchanging packets and messages.
In telephone network surveillance, a so-called ‘pen tap’ gives law enforcement information about who called whom and for how long, but tells nothing about the contents of the communication; a ‘wiretap’ is needed to listen in and record the conversations.
Pen tap data in the hands of a good investigator can often be used to deduce all kinds of useful information, especially when coupled with other observations and facts that can be correlated with it.
Without obfuscation, the Internet equivalent of pen tap calling information – which computer is sending messages to other computers – is not difficult to collect.
Mick’s own calling patterns – who he communicates with and for how long – could be determined despite his use of voice and video encryption software.
In this case, Mick determined that the malware was sending out large amounts of traffic in the form of meaningless spam.
Buried somewhere in the spam was actual botnet communication, he believed.
He hadn't found it yet, but was convinced he would.
Looking at the time, Mick summarized his findings so far and prepared for an interim briefing of Vince and his managers.
After the briefing, Mick went back to work.
Vince was extremely pleased with his progress.
Vince had let slip that it was Mick’s colleague and speaking rival Miles who had taken this job the week before the conference in Hiroshima.
Miles had concluded that the compromised server was just a spambot, but Vince was not happy with that conclusion, and had sought Mick out hoping he could do better.
He was happy that Vince supported his pursuing the hypothesis and continuing the investigation.
If he could prove it, he was sure that it was an entirely unknown type of botnet.
Could generate a paper or two, and some interesting presentations… not to mention the satisfaction of solving a good puzzle.
He was now viewing the LeydenTech spambot and the ‘Carbon is Poison’ zero day as related.
He had also made contact, albeit anonymously, with two other system administrators whose servers had been targeted in a way similar to LeydenTech’s, on an anonymous IRC (Internet Relay Chat) channel, or chatroom, for security administrators.
They had exchanged some of the spam emails that their servers had been sending out.
Mick added them to the messages he had logged on his own server, and the messages sent by the LeydenTech server.
With these messages, he was starting to build a decent data set.
Today he planned to combine the packet flows from these four compromises into a single database for searching and number crunching.
First he looked for traffic patterns between the servers.
He wrote a script, a mini computer program, to search and analyze the messages exchanged overnight, and left for the day.
Mick stayed up late that night, coding to relax.
He still felt off balance, as if he were recovering from a particularly nasty illness.
It reminded him of how he felt as a kid after being in a schoolyard fight.
Wednesday morning found Mick engaged in his weekly password change ritual at the keyboard.
He typed:
Eh,quid_facis,doc?
He read that it just kept on raining on Lars in Helsinki.
Kateryna was looking forward to visiting a new Thai restaurant in the evening, although she didn't say with whom.
Gunter was suffering writer’s block as he approached a deadline for a whitepaper.
Mick sent some encouraging comments to Gunter as he knew what it was like, and how good it felt when one finally reached that desired word count.
Back at LeydenTech, he almost choked on his espresso as he looked over the results of the script.
His script had found a number of communication exchanges, known as flows, and had created a chronology of communication in a 2D graphical representation.
He was amazed to see a pattern of communication emerge out of the seemingly random spam sent between the four computers.
The information flow looked familiar to him but he couldn't quite put his finger on it.
His script had organized the information in a so-called ‘ladder diagram’ where each computer was represented as a column and the messages between them arranged like rungs on a ladder.
With a flash of insight that made the hair on his neck stand up, he rearranged the four servers as nodes on a line and redrew the messages as semi-circular arcs.
Now, it was clear to him: the servers were definitely running some kind of peer-to-peer protocol.
He sat back in his chair, realizing the botnet used P2P routing protocols... a staggering implication for combating the botnet.
Mick found himself staring into space as he contemplated the consequences of this discovery.
P2P networks were extremely difficult to shut down.
And an obfuscated P2P network that hid behind volumes of spam would be difficult even to detect, let alone shut down.
This was some sophisticated programming, not your usual malware composed of scripts and borrowed code.
He forced his mind to focus again with the thought that he still hadn't found the communication messages that he conjectured were being distributed using P2P technology.
Until he found and deciphered them, he didn't have a complete picture.
He set about analyzing the suspicious packets between the servers.
But by the end of the day, Mick felt more confused than ever.
Every message he examined was, in fact, just spam.
He had expected to find some encrypted payload or messages that he then could analyze to try to determine the kind of encryption algorithm used, and get one of his crypto friends to break them.
Instead, he found only spam email messages.
He stared at one particular message about a one million pound lottery the recipient had apparently won.
Did people really enter so many lotteries that they honestly could not remember which ones they had entered, and hence could fall for this kind of spam?
He was left with that most puzzling fact about spam: some people actually read spam, some actually call or click on it, and some, amazing as it sounds, hand money over to the spammers.
If they didn't, if spam ads didn't generate revenue for someone, it would end overnight, and the industry would collapse.
Mick was about to head home for the day when Vince called him over.
He sat down in Vince’s office, looking around the room.
Vince opened his desk and passed him something.
Mick turned it over in his hand and examined it.
It was about the size and shape of a small bookmark: thin, but astoundingly heavy for its size, as if it were made of something much more dense than lead.
Seeing two small wire terminals on one side, Mick figured it out.
“Is it –” he asked.
“Yes, this is what we make,” Vince interrupted him.
“Would you believe 2Ø Amp-hours at 48 Volts?” he said, giving the storage capacity of the device.
“But that's much more energy than the battery in my motorcycle!” Mick exclaimed.
“Very true.”
“It is so thin!” Mick commented.
“Actually, this one is quite thick.
The capacity of this device is not about the volume, it is about the surface area. It can be much thinner without the protective coverings.”
“Wow!” Mick replied.
“Yes, wow!”
Vince echoed.
“So, let’s get this break-in resolved so we can concentrate on developing these babies.”
“Understood,” Mick responded, handing it back to Vince, but Vince stopped him.
“Keep this one – just don’t go flashing it around, OK?”
He placed it in Mick’s hand.
“Really?
No way!
This would make an awesome battery for a computer.
I’ll just need to build a charger.”
“No problems – I’ll send you the specs.
I really like the work you’re doing for us.
Just get to the bottom of it, Mick.”
“Will do!”
Mick remembered he had planned a video call with Kateryna for the evening.
She said she had some information she didn't want to share over mail.
He finished up a little earlier and took the direct route back to the inn, making a quick dinner of ramen with various vegetables and tofu he had picked up earlier in the week.
For this call, he got out his best high definition camera and actually used headphones instead of his implant.
The high quality of the sound was his favorite aspect of HD video calls; it made you feel as if you were there with the other person.