Homeland (15 page)

Read Homeland Online

Authors: Cory Doctorow

Tags: #Novel, #Science Fiction, #Fiction, #Dystopian

BOOK: Homeland
6.05Mb size Format: txt, pdf, ePub

Then she'd ended up at FOB Grizzly, working as an "intelligence officer" alongside the military police. She'd been reprimanded for unauthorized "stress interrogations" of suspected terrorists, and had overseen an arrest sweep that brought in more than five hundred suspects, all of whom had been released over the coming months as it emerged that they had nothing to do with terrorism.

It was around then that she left the military, and though she'd written a letter of resignation, there was also a memo from a commanding officer to Army Human Resources Command saying that she'd been "shown the door" after an "incident" involving "materiel." Another memo was more explicit -- she'd been involved in a plan that delivered American guns and ammo to private mercenaries working for a military contractor, and those guns and that ammo had been part of a massacre that killed over a hundred people.

From there, she'd gone private, working for the military "contractor" -- hired killers, according to a quick search -- and had distinguished herself with a very lucrative bid to take over the management contract for the FOB she'd been fired from.

It was ugly.

As I lay in bed with my thoughts swirling, I wondered if Carrie Johnstone had snatched Masha because the leaks file had so much embarrassing material about her, personally, or whether she'd been hired to retrieve them for the U.S. government. How could the Army fire her one day and then re-hire her to do the same job at ten times her old salary a month later? Were they on crazy pills?

I couldn't afford to drag my ass around work the next day, so I didn't. I pounded the Turk's coffee and munched chocolate espresso beans and finished my inventory and network map. Joe surprised me by scheduling me for lunch. The first I heard of it was when he showed up at my desk at 12:30 and stood over it, smiling expectantly at me.

"Hi, Joe," I said.

"Lunchtime, Marcus?"

We went to a nice veggie place where they knew him by name and seated us right away. He knew their names, too, and greeted everyone from the waiter to the guy who filled up our water glasses personally, switching to Spanish as necessary and asking sincere, friendly questions about their wives and husbands and kids and health.

The sincere part was the weirdest thing. When I was really on fire and feeling very, very sociable, I might remember half of the names of the people I saw. I just sucked at names. And when people told me about their kids or parents or siblings or whatever, I tried to be interested, but I mean, how interested can you really be in the lives of people you barely know or have never met at all?

But Joe had the uncanny ability to seem really, genuinely interested in people. When he talked to you, you felt like he was also
listening
to you, carefully, thoughtfully, and not waiting for you to finish talking so that he could say whatever he was going to say next. It made him seem, I don't know,
holy
or something, like one of those people out of a religious story who overflows with love for his fellow man.

And the weirdest part? He didn't make me feel like a dick for not being that interested myself. Instead, he made me want to try to be more like him, more caring.

After our water glasses were full and we'd put in our orders, he said, "Thank you for making the time to see me today. I know you must be busy."

If it was anyone else, I'd have thought he was blowing smoke up my ass, but he really sounded like he thought being the webmaster/sysadmin/net guy was the hardest job in the world and he felt lucky that all he had to do was run around and try to get elected.

"You're welcome -- I mean, it's a pleasure. I mean, it's wonderful. I'm so glad to have a job, and it's such a cool job, too. Everyone's really nice and interesting and I really believe in your platform, so, well, it's just great." I was babbling like an idiot and I couldn't seem to stop -- and he didn't seem to notice.

"You remember when I spoke to you on the phone the other night, I mentioned how my campaign would need great technology to be successful. And I'm sure that when you and Flor chatted she had some pointed opinions about that and what her side of the campaign needed from you. You might be wondering who wins in a little struggle like that. I wanted to give you some context to help you resolve that.

"Flor is your boss -- and she's my boss, too. She's in charge of the campaign from top to bottom, and I'm familiar with her ideas about what campaigns need vis-a-vis boots on the ground, knocking on doors, and raising money. She's right as far as she goes, and that's why I let her be my boss.

"But I'm the candidate, and I have some additional priorities. I say 'additional' -- not 'different.' Flor is right about needing money, boots and door-knocking. But once you've got all that running to the best of your ability, there's more that I want you to get thinking about. I want you to tell me how technology can help me reach people who would otherwise be beyond my reach. I want you to tell me how technology can transform the way that voters and their representatives collaborate to produce good, accountable government. Every wave of technology, from newspapers to radio to TV, has transformed politics, and not always for the better. Some people think that the Internet is a tool for politicians to raise money or coordinate volunteers, but I don't think that's even one percent of what technology can do for politics. I want you to help me figure out the other ninety-nine percent."

Woah. "Okay," I said. "Do you want, what, an essay or a website or something?"

He smiled. "Let's start with a chat, like this one, tomorrow at the end of the day. I'll have Flor put it in both of our schedules."

It made me feel good and a little scared -- I really didn't want to let him down, but all I could think of was darknet sites and leaked docs. I wondered what he would say if I told him that I was sitting on more than 800,000 confidential, compromising government memos. But I also remembered what Flor had said:
The first time I catch so much as a whiff of anything illegal, immoral, dangerous or 'leet' I will personally bounce your ass to the curb before you have a chance to zip your fly.

I went over to Ange's after work. Jolu had already set up our darknet site and grabbed a copy of the docs off BitTorrent. I'd handed him a USB stick with the key on it, and by the time I got my computer up into a secure mode with a dead man's switch and an anonymized, private network connection, the site was ready to go.

In fact, it was already going. Jolu had met with Van on his lunch break, and she'd plowed through more than fifty docs while I'd been bringing the Joe for Senate servers' patch levels up to date. I wondered whether Van had had a chance to talk to Darryl. He'd been my best friend, as tight as a brother, but I hadn't seen him in months. It was all too weird between us -- the fact that he was with Van and that Van had confessed that she'd once had a crush on me; the unwordly fragility of his mind after his time in Gitmo-by-the-Bay; his constant struggle to keep up with even a half-time courseload at Berkeley. I thought of what seeing that nasty little waterboarding PowerPoint would do to Darryl.

It wasn't just Van working on the docs, either. Jolu had enlisted some of his other trusted friends, people with cryptic handles like Left-Handed Mutant and Endless Vegetables. I hoped Jolu was right to trust them. I hoped he'd been cagey about where the docs had actually come from. Out of curiosity, I googled the strangers' handles and confirmed to my satisfaction that they didn't appear to have been used before. It would have been such a basic mistake to recycle a nickname that you'd already used someplace that could be linked to your real identity.

Endless Vegetables was working his (or her) way through a gigantic pile of documents on student loans, judging from the tags and summaries. I vaguely knew that the government guaranteed student loans made by universities, which were sold to banks that collected on them. The darknet docs went into disgusting details -- like a series of jokey emails between a congressman who'd gotten a tearful letter from a constituent who'd been hit with crazy penalties that turned her $20,000 loan into a $180,000 loan and an executive at the bank who'd assessed the penalties. The congressman sounded like he was pretty good friends with the banker, and they made it sound like this girl's problem was hilarious.

Jolu had added an "I'm feeling lucky" button to the spreadsheet that would bring up a random, uncataloged doc. I hit it and found myself looking at a cryptic set of numbers and acronyms. I tried to google the search terms but found myself getting nowhere, so I grabbed another, and then another. It was mesmerizing, like channel surfing on a massive cable network that only got heavy, strange programs about corruption, murder, and sleaze.

"Jeebus H Christmas," Ange said. "Have a look at the doc I just checked in."

I resorted the spreadsheet by author and found Ange's latest contribution, loaded it up. It was an instruction manual for a "lawful intercept" network appliance sold to cops and governments for installation at an Internet Service Provider. The appliance monitored all incoming requests for updates to Android phones, and checked to see if the phone's owner was on a list of targets. If they were, the appliance took over the network session and sent a fake update to the phone that gave spies and spooks the power to secretly turn on the phone's GPS, camera, and mic. I stared in mounting horror at the phone on the bed next to me, then flipped it over and took out the battery.

"Keep reading," Ange said. She'd been following the auto-linked documents and found a bunch of captured emails and phone sessions. One was a complaint from a DHS field operative about a target who'd installed "ParanoidAndroid" on his phone and couldn't be gotten at.

"What's ParanoidAndroid?" I asked.

"I'm reading up on that now," Ange said. "Looks like it's a fork from the CyanogenMod." I knew about Cyanogen, of course -- hackers had taken the source code for Google's Android operating system and made a fully free and open version that could do all kinds of cool tricks. "It doesn't accept updates unless their checksums match with other users and the official releases. Lets you tell whether an update is real or a spoof."

"Well, what are we waiting for? Let's install it!"

Ange pointed at her phone, which was already cabled to her laptop. "What do you think I'm doing?"

"Do mine next?"

"Duh."

There was more. Other lawful intercept appliances would disguise themselves as iTunes updates for Macs and PCs, and another one worked by sending fake updates to your browser. Then there were the saved emails between a senior DHS IT manager who'd worked at one of these companies before going to Homeland Security. His old boss was explaining how they were using a shell company in Equatorial Guinea -- a country I'd never even heard of! -- to market their products in China, Iran, and other countries.

It just got worse. Logs of law enforcement requests to install spyware bugs on people involved in peaceful protest groups. Reports of break-ins by suspected criminals who'd used the systems to spy on their victims.

I was trying to figure out how all this stuff could possibly work. After all, software updates usually went over SSL, which used cryptographic certificates to verify the identity of the sender. How were they spoofing connections from Apple and Google and Microsoft and Mozilla?

Oh, that's how. A search on "certificates lawful intercept" brought up another email exchange, this one with a huge American security company that had one of the "signing certificates" that were trusted by all browsers and operating systems. They'd been supplying blank certificates to the DHS for years, it seemed -- certificates that would give the government the power to undetectably impersonate your bank or your company, or Apple, Microsoft, and Google.

Ange and I split up the remaining lawful intercept docs, getting deeper and deeper into the terrifying secrets of snoops and spies. Before I knew it, it was 2 A.M. and I could barely keep my eyes open.

"Want to stay over?" Ange said as I yawned for the tenth time in five minutes.

"I think I already have," I said. We'd started staying over at each other's houses that summer, and while it had been weird at first (especially over breakfast with the parents!), everyone had gotten used to it. My parents had more important stuff to worry about, and Ange's mom was just one of those cool grownups who seemed to have an instinctive grasp of what mattered and what didn't.

University Bookstore: Seattle, WA

This chapter is dedicated to the University Bookstore at the University of Washington, whose science fiction section rivals many specialty stores, thanks to the sharp-eyed, dedicated science fiction buyer, Duane Wilkins. Duane's a real science fiction fan -- I first met him at the World Science Fiction Convention in Toronto in 2003 -- and it shows in the eclectic and informed choices on display at the store. One great predictor of a great bookstore is the quality of the "shelf review" -- the little bits of cardboard stuck to the shelves with (generally hand-lettered) staff-reviews extolling the virtues of books you might otherwise miss. The staff at the University Bookstore have clearly benefited from Duane's tutelage, as the shelf reviews at the University Bookstore are second to none.

Chapter 8.

Once upon a time, terrorists blew up a bridge in my city and killed over four thousand people. They told me everything changed. They told me that we didn't have the same rights we used to, because catching terrorists was more important than our little freedoms.

They say they caught the terrorists. One of the guys, who had been killed by a drone in Yemen, supposedly thought the whole thing up. I guess I'm okay with him being dead if that's the case. I hope it's the case. No one would show us the proof, of course, because of "national security."

But "everything is different" turned out to be a demand and not a description. It pretended to describe what the new reality was, but instead it demanded that everyone accept a new reality, one where we could be spied on and arrested and even tortured.

A few years later, everything changed again. It seemed like overnight, no one had jobs anymore, no one had money anymore, and people started to lose their houses. It was weird, because now that it was
obvious
that everything had changed, no one wanted to talk about how everything had changed.

When the streets are full of armed cops and soldiers telling you that everything is different, everyone can point at one thing, a thing with a human face, and agree, "It's different, it's different."

But when some mysterious social/financial/political
force
upends the world and changes everything -- when "everything is different now" is a description and not a demand -- somehow, it gets much harder to agree on whether things are different and what we need to do about it.

It was one thing to demand that the armed guards leave our streets. It was another to figure out how to demand that the silent red overdue bills and sneaky process servers with their eviction notices go away.

I was nearly late getting to work the next day, but I just squeaked in. I'd stolen back one of my T-shirts from Ange's laundry pile (she liked to steal mine and sleep in them), and it smelled wonderfully of her, and put me in a good mood as I came through the door and made a beeline for my desk.

"Dude!" Liam said, practically bouncing in place by my chair. "Can you believe it?"

"What?" I said.

"You know! The darknet stuff!"

All the blood rushed out of my head and into my gut and swirled there like a stormy ocean. My ears throbbed with my pulse. "What?" I said.

"You didn't see?"

He leaned over me and moused to my browser, went to the front page of Reddit, a site where you could submit and vote on news stories. Every item on the front page talked about "darknet leaks." Feeling like I was in a horror movie, I clicked one of them. It was a story on wired.com, about a file that had been anonymously dumped into pastebin.com, instructions for using a lawful intercept appliance to take over Android phones and work their cameras. Whoever had dumped the file had sent an email to a reporter at wired.com saying that there were more than 800,000 documents like it on a darknet site, that volunteers were combing through them, and there was a lot more to come. It didn't say where they'd come from or who the volunteers were.

I went back to Reddit and checked the others. How many darknet docs had leaked? It seemed like everyone had the same story, in different variants -- 800,000 docs, darknet, more to come, but nothing more. I started to calm down.

"You've got an Android phone, right?" Liam said.

"Yeah," I said. "I do. But I run ParanoidAndroid -- it's an alternate OS that resists that kind of spyware."

"Really?" Joe said. He'd walked up on us on cats-paw feet while we were talking, and I jumped in my seat. "Woah, sorry, calm down there, Marcus. I've got an Android phone, too. Tell you what, I'll order in pizza for lunch if you'll give us a workshop on keeping our phones secure. Sounds like the kind of thing we should all know about."

"Yeah, sure," I said. "Of course." Though as soon as I saw the Wired story, I'd started scheming to take lunch off and find a WiFi network with weak, crackable WEP security so that I could hop on, tunnel into the darknet, and try to figure out what had just happened. I mean, I knew better than anyone that there was no such thing as perfect security, and I understood that it was likely that someone, someday, would get a look at the darknet docs who we hadn't invited in. But I didn't think that day would be the day after we set up the darknet!

But I couldn't screw up my job. I'd been desperate for work for so long, and it was such a cool job. The fact that I might now be the target of a ruthless mercenary army didn't mean that I didn't have to help Joe get elected.

So I did my job, and when the pizza came, I stood with a slice in one hand and a white-board pen in the other and sketched out a little flowchart of how your phone could be taken over, and what could be done with your phone after it was pwned.

Joe munched thoughtfully at a slice, wiped his fingers and his mouth, and put up his hand. "So you're saying that the police could take over our phones?"

"No!" Liam said, vibrating in his chair. "He's saying
anyone
could --"

I put up my hands and Liam calmed down. "What I mean is, once the intercept appliance is installed at the phone company's data center, anyone who has a login and password for it could use it."

"But who has that login and password? The police, yes?"

"Probably not, actually. The leaks suggested that these appliances were managed by the phone company or ISP. So a police officer calls up the lawful intercept technicians and they set it up for him. So the list of anyone who could break into the ISP's network, anyone who could bribe or blackmail someone at the ISP, anyone who can convincingly pretend to be a police officer to the ISP, anyone who can get a
real
police officer to give him access, or anyone who can pay someone to do any of the above."

"So you're saying that turning anyone's phone into a superbug is as easy as fixing a parking ticket?"

"I've never fixed a parking ticket," I said. "I don't drive. Is it hard to fix a parking ticket?"

Joe drummed his fingers on the table. "Not if you're rich or well connected. Or so I'm told."

"Yeah," I said, "rich or well-connected people could turn any phone into a mobile bug. In theory there's no reason this is limited to Android phones. It could work by pushing out updates to iTunes, or Firefox, or any app. They'd just need a signing certificate and --" I stopped talking, because I'd just remembered that there hadn't been anything about the signing certificates in the leak. "And things like that. So theoretically, any computer, any phone, anything that updates itself automatically could be turned into a bug once these things are installed."

My hands were sweating. Joe and the rest of the office might not know what a "signing certificate" was, but Liam did, and he looked like he was committing every word I uttered to memory. "Uh," I said. "Also, once your computer is infected with this stuff, it's possible that people other than the police or whoever bugged you will start to watch what you do."

Joe put his hand up again. "Explain?" he said.

"Oh, well, here's how it would work. Say I pay someone to bug your computer. Now your computer has some malicious software on it that can, I don't know, look out your camera, listen to your mic, watch your keystrokes, snatch files off your hard drive, the whole thing. The bug will have some kind of control software, a program that I run to access your computer. Maybe that program lives on a server somewhere else, in which case anyone who breaks into that server can then break into all the infected computers and phones and stuff. Or maybe it lives on your computer, so if I take over your computer, I can jump from it to all the infected computers. But also, if someone figures out that your computer is running the bug, maybe they can connect directly to your computer -- like they could hang around outside your house and crack your WiFi password and wait for your computer to log on, and then snag it, or maybe they don't know who you are and they just sit at Starbucks all day waiting for
anyone
with the bug to join the network and then they grab the computer's controls."

Paranoid commercial interlude

This is the part that always freaks people out, me included. The idea that there's someone inside your phone, listening, watching. Gives me the creeps just looking at it. There are a lot of libraries that won't stock ebooks at all because they refuse to give in to the publishers' demands to use DRM, so they rely on print copies,
like the ones you can donate here
). This has the side effect of reducing their patrons' reliance of spyware-vulnerable machines designed to accommodate the DRM.

When it comes to the commercial editions of my books, you can always be sure that they're DRM-free. I wouldn't have it any other way. Lucky for me, my publisher Tor agrees:
All
of its ebooks are DRM free, always. But when I love a book, I want a hardcopy, something I can shove in a friend's hand and say, "here, you have to read this." Either way, I hope you'll consider buying a copy of this book:

USA:

Amazon Kindle
(DRM-free)
Barnes and Noble Nook
(DRM-free)
Google Books
(DRM-free)
Kobo
Apple iBooks
(DRM-free)
Amazon
Indiebound
(will locate an independent store near you!)
Barnes and Noble
Powells
Booksamillion

Canada:

Flor put up her hand. "How realistic is this? I mean, this all sounds pretty scary, but can you give me an idea of how many computers have been infected this way? In the real world, is this something I need to worry about? Or is it like being struck by lightning?"

I shrugged. "I guess I'm the wrong guy to ask about that. I've never used this stuff, never shelled out a hundred grand for one of these boxes. I'm guessing if the police buy them, they must use them. I mean, you could think of this as HIV. Your computer has an immune system, all the passwords and so forth that stop it from being taken over by parasites. Once it's bugged, it's got a compromised immune system. So parasites can come in and infect it." I thought a moment. I was calming down. No, that's not right, I was just excited now, and not scared, because it was kind of cool that everyone in the office was hanging on my every word. It made me feel important and smart. "Actually, it's like the
network
has an immune system, including things like Internet Service Providers who don't conspire to trick your computer into downloading malicious software. When your ISP's router tells you a file is coming from Google or Apple or Mozilla, your computer assumes that that's where the packets are coming from. But once you start monkeying with that, once you create a procedure that tells ISPs to start secretly lying to their customers, well, it seems to me like you can expect that to start happening."

"So what do we do?"

"Oh," I said. "Well, for Android, that's easy. It's open and free, which means Google has to publish the source code for the operating system. A group of privacy hackers have created an alternate version called ParanoidAndroid that checks a bunch of places every time it gets an update and tries to figure out how trustworthy it is. It used to be really hard to install, but it keeps on getting easier. I've made up a little installer script that you can download from the intranet that makes it even simpler. Just plug in your Android phone and run the script and it should just work. Let me know if it doesn't."

"But how do we know we can trust your script?" Flor said. "Maybe you're bugging us all."

Liam practically leapt to his feet: "Marcus would
never
do that --"

I had to laugh. "No, she's right. You're right, Flor. You've got no reason to trust me. I've only been here a couple of days. I mean, you guys asked me to work here, so it's not likely that I'd have planned to take over this place with malicious software, but maybe I'm the kind of guy who goes around doing it all the time." I thought about it. "So, you could google everything I just told you and download ParanoidAndroid yourself -- but maybe I planted all that information there for Google to find. I guess it all depends on how paranoid you're feeling."

"I'm feeling moderately paranoid, with a side of prudence and common sense," Joe announced, getting a laugh. "I'll install it. Then what do I do?"

"Nothing, unless your phone throws a warning about an update. Then you can google it or ask me, or rely on your own judgment. There's a paranoia flag for Ubuntu Linux, too, if any of you are running that -- it'll tell you if an update doesn't match up with the fingerprints on the public servers. Sorry, but I don't know about anything comparable for Mac or Windows." I stood with my hands folded again. "Is there any more pizza?"

Jolu threw a little instant browser chat app up on darknet for us, and started it off with

> ALL RIGHT, WHO SPILLED THE BEANS? FIRST RULE OF DARKNET IS NO ONE TALKS ABOUT DARKNET -Swollen Rabbit

"Swollen Rabbit" was the handle he'd chosen for himself -- he'd also put up a nickname generator to help us all choose random, single-use, cool-sounding handles for the system.

I felt like he wasn't taking this very seriously -- all those caps and the jokey tone. We were dealing with a plutonium spill and he was treating it like a minor nuisance.

> This is serious folks. Swollen Rabbit, are you sure it was a leak from one of us and not a break-in? -Nasty Locomotive

> it's impossible to be sure but yeah. I've been over the logs and I don't see anyone except us. Maybe someone's got a screenlogger infection or something? -Swollen Rabbit

Other books

Searching for Sky by Jillian Cantor
Cometas en el cielo by Khaled Hosseini
Enchanted and Desired by Eva Simone
Deadly Assets by W.E.B. Griffin
1975 - Night of the Juggler by William P. McGivern
Isaac's Storm by Erik Larson
Brother West by Cornel West
Who'll Kill Agnes? by Lea Chan