
“Okay, so now that’s out of the way, let’s tell you guys what you’re going to be doing for the next two weeks!” Vince said. Vince was the businesslike but quite amenable point of contact now, as Pam had gone away in some fashion. Sitting in his hands were the NDAs signed by Bob, MadFast and Reuben, basically stating that they wouldn’t tell anyone anything about their work or findings unless they got permission from the Department of Justice first. The contractual details had been worked out, the price and costs agreed upon, and now it was up to MadFast and Reuben.

“We are at the start of a significant rollout of a software-based VPN product by the ZFon company. Are either of you familiar with their software?”

MadFast and Reuben looked at each other quizzically. Reuben spoke first. “No, I’m not, I don’t think either of us is.”

Vince didn’t seem to mind. “No matter, you’ll be familiar with it soon enough. As you may know, there’s a new requirement that things like this be checked by an outside party prior to implementation, and this is why we need you. Your job will be to go over the software and make sure that it’s secure.”

Reuben had a question. “What kind of a configuration will you be using? Will it just be between networks, or will remote users have it installed on laptops or home computers?”

“Ah, excellent question. It will be used both as a gateway for net-to-net encryption and tunneling, and for remote users. And we do want you to go over both of them fully.”

Reuben smiled. This is what he was hoping for; there’d be more opportunities to look for problems this way. He wanted to be thorough.

Vince continued, “We’ll contact the vendor after this meeting, and they’ll be providing you with the software. In fact, I wouldn’t be surprised if they brought it by this afternoon. ZFon is based in Germantown, so they’re local to the DC area. Contact them directly if you need them for anything. They’ve been asked to give their full cooperation.”

Reuben responded, “That’s good, we might need that. I have another question, though. If we find any vulnerabilities, what option will we have to disclose them, after the vendor addresses them of course?”

“I don’t think that’ll be a problem. We understand completely that you’d like to take credit for anything you find, and the value of that to you. As long as you let the vendor respond, and give us a chance to patch, we won’t have any issue with that. I’m guessing that you expect to find some vulnerabilities?”

“Well, that’s what we’re hoping, in truth. Nothing against you or the vendor, but to be honest, most software is vulnerable. And yes, it’d be better for our resumes if we found problems, rather than if none existed. The standards for disclosure you mentioned are perfectly reasonable, I think that’ll be just fine. I wouldn’t want to do it differently myself, really. There’s no point in causing insecurity for people here, the whole point is to do the opposite. But what if the vendor doesn’t respond to the issues found?”

“Well, in that case they’ll lose a lot of money. We can’t deploy without your blessing, gentlemen, and if they don’t fix anything you find, they won’t be able to keep the money they’ve been paid. The sale is contingent upon adherence to necessary standards, and your examination is one of those standards. So I think they’ll be very responsive.”

Reuben and MadFast smiled together at this. “Nice,” MadFast interjected. He seemed as hungry as Reuben was to make an impact with this work. And everyone knew how many vendors hated to own up to flaws in their software, much less fix them in any timely fashion. Having this sort of leverage was a welcome twist to the situation.

Vince continued, “Okay, with that out of the way, let’s take care of some minor annoying details. We’re looking for a deliverable with the following parts…”

Forty-five minutes later, Vince walked out of the room together with Bob, Reuben and MadFast to see them out, reminding them to turn their visitor passes back over to security before leaving. “Gentlemen, I’m looking forward to seeing what you will do for us. I have a good feeling about this. There’s one thing I want to tell you before you go. I don’t know if I’m supposed to let you know this or not, but the NSA has already looked the ZFon software over and given its blessing. So I’m curious to see if you find anything. I know I’ll be impressed if you do.”

Reuben and MadFast looked at each other, not sure what to make of this bit of information. Neither knew exactly how talented the NSA was or wasn’t at such things, but all indications they’d seen showed that NSA did know what they were doing. “Ah, I didn’t know that,” Reuben volunteered, not knowing what else to say. “Well, we’ll probably be using a different methodology, so we’ll see what happens. Did the NSA do source code review?”

“No, I don’t believe they did. That would be for a system that’s certified to a much higher standard than anything that would be connected to the Internet, so I doubt they did it. So it’s entirely possible that they missed something.”

“Well, it helps to know that.” Reuben felt a bit of relief. Whatever he did or didn’t know about the NSA, he doubted they followed unorthodox methods like he and MadFast would. He doubted there was much originality in the NSA playbook for something like this. “Maybe we can really show off, eh?” He grinned to Vince and Bob.

“Have a good afternoon, gentlemen, and I’ll be looking forward to hearing from you shortly.” Vince went back into the building.

Bob had only spoken up in the meeting to deal with administrative matters and fend off potential problems, leaving Reuben and MadFast to do most of the talking. Now he opened up to the two. “This is gonna be great, if you two can pull it off. I mean, I don’t know, but from what I’ve read, everything has vulnerabilities in it, right? You just have to find them?”

MadFast looked like he wanted to answer this one. “Oh God yes, yeah. I mean, there are a few programs out there that are secure, but for the most part there’s problems lurking in everything.”

“So all you have to do is find it. Now, how hard is that?” he asked genuinely.

“Well, not everyone can do it. But I think we will.”

Reuben didn’t know why, but he felt the same. There was no logical basis for it, no factual foundation, but he just knew that the two of them would rock this project.

It wasn’t long before they were back in the office, and sure enough, the vendor had called Reuben’s cell phone to ask if they could drop off the software that afternoon.

Washington, DC:
