The car pulled up to the building, with Bob, Reuben and MadFast inside. They calmly exited the vehicle into an unusually chilly morning for that time of year.
Reuben rubbed his arms, wishing he’d dug out a warmer jacket. “What happened to the weather today?”
MadFast smiled. “Feels fine to me.”
Reuben smirked back at him as they started walking towards the building. “That’s because it’s not raining!”
Bob just smiled at the banter back and forth. “Alright, you guys ready?” “We sure are,” responded Reuben. “Right, Frank?”
“Booyah.”
They walked into the building’s lobby, and found a dour-faced security guard sitting behind a sorry-looking excuse for a desk. Reuben wondered for the second time if there was bulletproof material built into it. They went through the same routine as the previous week, producing their driver’s licenses to sign in, filling in the blanks on the sign-in sheet, including the one marked “U.S. Citizen?” They were each issued visitor badges, and sat down to wait to be called in.
A blank, windowless door opened, and Vince appeared. “Come on in, gentlemen.” He seemed cheery, and quite curious as to what could potentially come from the meeting.
Reuben, Bob and MadFast walked through the open door as Vince held it for them. “The same place as last time?” Bob inquired.
“Yes, sir, the conference room,” replied Vince. They filed in and each took a seat, finding two other people from DoJ already there. “I have to go finish something up really quickly, so I’ll let the five of you get started. I’ll be in shortly to catch up.” He walked back out and down the hall.
The three of them sat down, getting comfortable in their seats, and for a moment everyone looked at everyone else, wondering where to start.
Bob spoke up first. “I guess I’ll start us off. Thanks for meeting with us on such short notice. We asked for this meeting because we have some preliminary findings to share with you, and felt we should discuss them before we went any further.”
The two DoJ representatives leaned forward in their seats a bit. “What kind of findings?”
Bob smiled slightly, looking first at MadFast, then at Reuben. “Which one of you wants to tell them?” he asked.
Reuben sat forward and folded his hands on the table. “I’ll take this one. We’ve found two vulnerabilities thus far, one of which we believe could potentially lead to a root compromise, and the other which definitely produces a denial of service on the system. Both vulnerabilities, when exploited, lead to total failure of the VPN until it is restarted.”
Eyebrows were raised around the table. “You’ve only been working at it since…Friday?”
“That’s right, and that’s why we wanted this meeting. We’ve barely done anything in our testing, and have already found these problems. You might want to reconsider use of this project.”
The two representatives must have feared something like this happening and exchanged worried glances; but they quickly composed themselves and leaned back into their seats. One of them responded. “Well, we’ll have to consider what you’ve found so far and determine if it warrants any change in the scheduled deployment…”
MadFast stopped the man in mid-hedge. “What? We just told you that there are, at the minimum, two ways to knock this thing down. One of them might also give an attacker control over the system. And the crypto uses keys that can be retroactively recreated. What consideration is there? It’s broken! You can’t seriously be considering implementing it as-is? What is there to determine? This VPN is garbage, and if you rely on it you will be hacked.”
The man who had been silent for the past few minutes slowly sat forward, placing his own hands on the table. “There are other aspects to this decision that you are not aware of. Trust that we’ll be keeping your recommendations in mind, but that we must consider many factors in this. This is a large implementation, and in the current environm…”
The door opened, and everyone suddenly turned to see Vince calmly step in, a smile on his face, and take his seat at the head of the table. “So, gentlemen, what did I miss?”
Everyone looked at each other, not sure how to bring him up to speed without further igniting the discussion. Reuben spoke up. “Well, we’ve found two vulnerabilities as of today; one cranks the processor up to one-hundred percent utilization and makes the box useless, while the other crashes the VPN Listener process. The second vulnerability is most likely exploitable to gain root access on the box, but we haven’t been able to determine that yet.”
The DoJ rep who had been speaking until Vince entered looked shocked. “What?”
“Well, obviously we can’t use it like this. They’ve only been working at it a couple of days at most and already found these problems. Don’t you think anyone else could too? We need to figure out a plan for dealing with this, and hopefully get things sorted out soon enough so we don’t end up being too far off of our project timeline.”
Reuben and MadFast both relaxed. Here was someone who at least knew what needed to be done, and who understood the importance of the issues found so far. Reuben continued, “We’re obviously really concerned about the overall quality of the software. We found this without even trying, and the really frightening thing is that since the cryptographic keys are deliberately designed so that they can be re-created at a later date, compromise of the server can result in compromise of all present, past, and future communications. We think the worst-case scenario isn’t if someone was to take and keep control of the server, but rather if they were to simply inject a process into memory to have the basis used for all keys sent to the attacker. Then the attacker could decrypt any and all traffic they intercepted.
“To be fair, I should say that they would have to do a few other things first. As you’re probably aware, ZFon has a utility for re-creation of session keys. There are a few safeguards against abuse of the utility, including a two-factor authentication method. But the attacker could merely reverse-engineer the utility to get to the component that actually does the work, and build their own. This isn’t a hard thing to do; teenagers do it every day to overcome copy-protection mechanisms on games and other pirated software.”
Vince nodded. “I’m aware of that. And clearly such methods are not beyond the kinds of threats we worry about. What does your team advise?”
Reuben smiled. The sense of panic he had been feeling just two minutes ago entirely evaporated now. “Well, the ease with which we found these problems tells me there are larger issues with the code. I think DoJ should go back to the vendor and talk to them. They deserve a chance to fix things, obviously. But by the same token, unless we got very, very lucky and found the only two problems inside of the first day we tried, this software is full of holes. Perhaps they could do code review and straighten it all out in time, but I have to doubt it.”
Vince nodded. “Alright then, we’ll do that. While we are in touch with the vendor, it doesn’t make much sense for you to keep poking around at the software. If they do code review, they’ll probably end up fixing lots of the things you find, and might introduce some new issues.”
Reuben thought about that for a minute. “Hmm. Frank,” he asked, turning to MadFast, “How likely do you think it is that we might miss something if it’s in an area we’ve already covered in the software?”
MadFast got the point of this. “I see where you’re going. We could find things that are broken now, but won’t be in the next build of the software. And there may be things that are only broken in the new build, but that we might miss because we already checked for them. Ah, that’s a hard thing to be sure about. On one hand, we’ve been documenting everything pretty well, but this work can get a bit repetitive and I can see that happening. But at the same time, we should go over the software more to be familiar with it. Perhaps we can refine our methods a bit, and save time down the road when the new build comes out. I’m only going to be here for so long.”
Reuben nodded. “Got it. That makes sense to me too.” He turned back to Vince. “Okay, we’ll develop our methodology a bit more, but stop testing per se while the vendor decides what they want to do. I trust you won’t accept the software in its current state?”
Vince shook his head. “Absolutely not! We’re as eager as you are to have a secure implementation here. Oh, and the boys at ZFon will probably want to have a look at what you’ve found. I’d like it if you set up a meeting so they could drop in and see it first-hand.
“Okay. Let’s handle it like this. I’ll call ZFon personally and talk to them. Write up exactly what you’ve found so far, and send it to me. They may want to see it themselves first, but I’ll make it clear to them that they have to fix it. You don’t mind them coming by and taking a look, do you?”
Bob answered this one. “That won’t be a problem. I understand that software vendors can sometimes suffer from a case of denial about problems in their work.”
Vince nodded. “Exactly. Just be nice to them, and try to remember that we’re all on the same team here. They’ll fix the problems; they won’t have a choice. We absolutely cannot use ZFon’s product as it stands today.”
Reuben nodded enthusiastically back. “Of course.”
The meeting concluded after a few other points, and the same repetition took place as they all turned their badges in, and went back to the parking lot to get in the car.
“I think that went pretty well,” offered Reuben once they pulled out of the parking lot.
Bob responded first. “What just happened?”
Reuben smiled. “Well, apparently the two guys without names didn’t want to make a decision one way or another. I can’t guess why. But thank God Vince came in and spoke his mind. Otherwise, they might be setting the damned thing up no matter how awful it might be.”
MadFast exhaled sharply. “Yeah, no shit! I almost lost it. I mean honestly, just what the hell would need to be wrong with it for them to do something? What’s the point of even testing the software if they won’t care?”
“Maybe they didn’t quite understand what we were talking about?” Reuben suggested.
“Or more likely they’re on the hook for a deadline that they’re going to miss because of this,” said Bob.
“Hm. I hadn’t thought of that,” Reuben considered. “That might make things a bit tricky. It puts the objectives of ZFon in line with that of the client, potentially. How bad could it be if they miss a deadline or project milestone?”
Bob thought about it. “That depends. It could be that this is part of…what I mean is, from the way they were speaking, it sounded like the VPN was part of some bigger project. And it sounds like they need the VPN to finish the project, if I understand everything correctly. A lot of their traffic would be carried by this thing?”
Reuben responded, “Oh, I think that all traffic between remote sites would be on it. So all the field offices, including anything overseas, would depend on it for communications. But isn’t that all the more reason to do it right? I mean, if all their traffic between dispersed geographic locations would pass through the VPN they implement, why use an insecure one? Why put all of your eggs in the wrong basket?”
“That all depends on whether or not you realize just how wrong the basket is or isn’t. We don’t know what their backgrounds are. Maybe they don’t understand.” Bob was very good at pointing out that not everyone in the world was a computer geek. It was a very necessary thing from time to time.
“Well, whatever the reason, I’m just really glad that Vince showed up, and that he was able to set the tone differently. When do you think ZFon will want to come by?” Reuben was eager to move forward again.
“We’ll see. I don’t think they’ll wait too long,” Bob predicted.
Reuben suddenly realized something. “Hey man,” he said as he prodded MadFast from the backseat. “You’d better come up with a slightly different version of the tool you wrote. We should use something that doesn’t seem so sardonic.”