“Hubbard,” I said.
Tony touched his finger to his nose. “Lucturn is the second-largest manufacturer of Haden neural networks, after Santa Ana, and Hubbard is famously involved in the design process. The programming forums are full of horror stories about him coming in and tearing up his engineers’ early designs for being inelegant.”
“And how is he as a programmer?” Vann asked.
“It’s how he got into the field,” Tony said. “He founded Hubbard Systems to manage corporate legacy computer systems, and then after he got Haden’s he started focusing on programming for threeps and networks that were orphaned when their manufacturers got out of the field. He did a lot of that programming himself back in the day. The programming system networks use is called Chomsky. Hubbard didn’t invent it, but he did write most of the 2.0 version, and he’s on the board of the Haden Consortium, which approves new versions of the code.”
“The Haden Consortium,” I said.
“What about it,” Tony said.
“Hold on,” I said. I fished through my e-mail and pulled up one for Tony and Vann to look at. “L.A. finally got back to me about the ninja threep,” I said.
“Ninja threep?” Tony looked puzzled.
“I’ll explain later,” I said. “The point is the threep’s design wasn’t a commercial design—it was a low-fee license version that the Haden Consortium offers potential manufacturers in developing countries for use in their countries. You can’t buy them or sell them in North America, Europe, or developed Asia.”
“So you were attacked by an imported threep,” Vann said.
“It could be made here as a one-off,” I said. “All you’d need was an industrial 3-D printer and an assembly robot.”
“Who has a setup that could handle that?” Vann asked.
“Pretty much any design shop or manufacturer who does full-scale modeling,” I said. “L.A. said they would look into it but it would take some time. My point here is that Hubbard’s involved with both Chomsky and the threep design that went ninja on me.”
“Which could be coincidental,” Vann said.
I opened my mouth to respond but Tony butted in. “Hold that thought,” he said. “I’m going to tell you why Hubbard’s your guy, but I have a couple more things to walk you through.”
“All right,” Vann said. “Take us to the next thing.”
Tony turned to me. “You remember me telling you that early on the network manufacturers had problems with people hacking into the networks.” I nodded. “So they made it harder to do. One, they made the network architecture more complex so it was more difficult to program for and to casually hack. But that’s a very low-level measure. Ambitious hackers tend to be top-flight programmers. So another way it’s done is that all software updates and patches have to be from approved vendors, who are identified by a hash they put in the header of the patch. A patch is downloaded and the hash is checked. If the patch is verified, then it downloads and installs. If it’s not, then it’s purged and a report is made.”
“And that’s impossible to get around,” Vann said.
“Not impossible,” Tony said. “But it’s difficult. In order to work they have to be stolen and they have to still be active. When I do white-hat hacking of these systems, half my job is getting a verifiable code. That’s a lot of psychological spoofing. Making people think I’m their boss and need their hash, finding ways to look over their shoulder while they’re writing code, shit like that.”
“How would you do that?” I asked.
“Lots of different ways,” Tony said. “One of my favorites was the time I put a basket on a remote-controlled toy quadcopter, filled the basket with candy, and then flew the candy into the programmer wing of Santa Ana’s headquarters. The quadcopter went from pod to pod, and while the programmers were grabbing at candy, I was grabbing shots of their work screens. I got eight programmer hashes that day.”
“Nice,” I said.
“Everyone likes candy,” Tony said.
“So someone could steal a hash and get into someone else’s network,” Vann said, dragging us back on point.
“Right,” Tony said. “The problem for the hacker is that even when they’ve got the hash, they’re still coming through the front door. Everyone’s looking for the stolen or spoofed hash and the malicious code. Which is why every patch is first unpacked and executed in a sandbox—a secure virtual machine. If something malign is in the code, it’ll execute there and get caught. And there are other security measures as well.
“The story here is that it’s very difficult to get any suspect code into the network in the established route. Even for a brilliant hacker, it’s a long walk to a dry well.” He turned to Vann. “Which is why I told you that it was very unlikely.”
“But then Rees tried to kill me,” Vann said.
“Actually that’s not the part that convinced me I was wrong,” Tony said. “It was the part where Chris said Rees tried to get away from the grenade after intentionally pulling it to avoid being caught. It’s possible control was taken by the front door, but if it was there’d be a record of it—patches installed when they shouldn’t have been, sandboxes launched to test the patches, a record of the acceptance of the validation of the patch and the hashes of the programmer and company who sent it along. There was nothing out of the ordinary.”
“So there’s another way in,” I said.
“There is,” Tony said. “Think about it.”
It was Vann who got it. “Fucker did it when he integrated,” she said.
“Yes,” Tony said. “When a client connects with the Integrator, there’s a handshake of information, and then a two-way data stream opens up. This aspect of the network is meant to be a totally separate process from the internal operation of the network, and it is … but the code isn’t perfect. If you know where to look you can find places to access the network’s software. And that’s what happened.”
Tony zoomed into the network to focus on the nodule that included the receiver for the client data stream. He pointed to a structure. “That’s an interpolator,” he said. “If there’s any short disruption of the data stream, a millisecond or less, the interpolator polls data on either side of the gap and fills in the gap with averaged data. But to do it, the interpolator has to access processing from the network. It’s a break in the firewall. And that’s what Hubbard exploited.”
The image changed to a schematic. “Here’s what I think he did,” Tony said. “First, he handshakes a data feed with the Integrator. Then he intentionally introduces gaps into the data stream, long enough to activate the interpolator. Then he uses the interpolator’s channel to the processor to feed it an executable file. It does this as long as needed in order to download the file. Then it unpacks and rewrites the network’s software.
“It’s going directly into the processor, so no sandbox. It’s avoiding the verification process, so no need for a hash. It’s a small file, so the Integrator’s network doesn’t have to close the session to execute it. The Integrator never even knows they’ve been compromised.”
“Why the hell hasn’t something like this been fixed already?” Vann asked. I could tell she was seriously creeped out by what Tony was telling us.
“Well, think about it,” Tony said. “This is a pretty damn big bug, but it’s a bug that has a very narrow pathway to it. First someone has to know about it. Then they have to have the technical ability to exploit it. Then they need the technical means to exploit it—by which I mean that the ability to introduce intentional disruptions into the data stream isn’t something your average Haden is going to be able to do in their own head. This needs a specialized instrument between the client and the Integrator. And by ‘specialized,’ I mean that as far as I know it doesn’t actually exist. It would have to be created.