BOFH: Psst! Wanna buy an encryption device?
Easy money the BOFH way
Episode 17 BOFH 2004
So I’m tootling through the crowd at a security conference, minding my own business and getting down as many lagers as I can before the end-of-night gong sounds. It’s an impressive turnout, with stacks of the industry represented, and, more importantly, lots of those mini-kebabs on a stick.
I cruise past some ubergeeks talking about something or the other as I head to the stand that’s captured my interest.
“And so we looked into it,” Ubergeek#001 says, “and you wouldn’t believe it, but he’d only configured the proxy with -d -d -d and put the WHOLE THING INTO DEBUG MODE WITH NO ACCESS CHECKING!!!”
The assembled ubergeeks laugh hilariously at this as if it were the greatest joke in the world (you know, the one about the three guys and the dead turkey).
The things you see when you don’t have your overvoltage cattle prod, a shovel and a sack of lime…
I get to the stand I’m after only to find it’s been abandoned by its stallholder for now – which really annoys me as they had some really great pens earlier and I was more than prepared to feign interest (and possibly even lie about buying their product) in order to get one.
. . .
“So what’s your product do?” a half-trolleyed IT Manager type demands, mistaking me for someone from the stand just because I’m standing behind it stuffing pens into my jacket. “What’s a… hardware encryption device when it’s at home?”
What the hell...
“Well... er... John,” I say, popping out from behind the stand. “How’s your data currently encrypted and transferred around your company LAN?”
“Buggered if I know!” he bubbles. “TCPIP?”
“Ok, TCPIP – but what about encryption?”
“DES?” he asks, remembering that from somewhere, and establishing his technical knowledge firmly in the upper IT Management scale (Which corresponds to would-even-get-an-interview level on most other scales).
Time to lay it on thick.
“DES, right, good answer. Now did you know that over half the CPU in your organization’s computing is wasted simply converting data into encrypted form, and decrypting it at the other end?”
“As sure as I’m working here! AND, did you know that this encryption/decryption process causes a delay which can critically affect anything which has synchronisation dependencies – database logging and locking, disk IO, etc, so that the operational delays are magnified to such an extent that the performance of your organization will suffer – SILENTLY – for years.”
“You’d think so wouldn’t you?” I say, technically not actually telling a lie. “So what a… hardware encryption device does, it does all that encryption decryption stuff for you on-the-fly, freeing up CPU, which in turn will be used to free up logging, locking and disk IO operations.”
“If it was that bloody good, they’d be built into machines already!” John responds, dubiously.
“That’s what everyone today’s been asking me,” I burble, to kill time while I think of a response. “But until now, the NSA’s been keeping a tight lid on these babies.”
“So the NSA made these – is that what you’re saying?” John asks, even more dubiously.
“Absolutely not!” I respond rapidly and emphatically, “And the company adamantly denies that. They don’t even USE our devices, anywhere.”
“Ah-HA!” John snaps, convinced he’s caught me out in a lie. “I didn’t ask whether they used them, I just asked if they made them.”
“They didn’t, we did. And I also said they didn’t use them.”
“I think you’re lying,” John says. “I think the NSA does use them, but you’re not allowed to say!”
“That’s preposterous!” I bluster, seeing an opportunity and going for it. “Anyway, we’re not selling these any more – I’m just packing the stand away.”
“You’re not selling them?” John asks. “But you were a moment ago!”
“No. There’s a…. …. …. a firmware problem… yes, a firmware problem.”
“I don’t believe you.” John smirks, knowing he has me in a corner. “And I want to buy one. How much are they?”
“The list price is seven thousand pounds,” I say, faking defeat.
“But there’s a show special, isn’t there?”
“What’s the show special?”
“Two thousand quid.”
“I’ll take one.”
“We haven’t got any.”
“What about that one?”
“It’s a demo, we’re not allowed to sell it,” I say, playing my hand very, very carefully.
“Well take my order!”
“I can’t,” I say. “I…. … don’t have an order pad – you’ll have to call us after the show.”
“When you don’t have a special price and probably won’t be selling the product any more because the NSA will stop you! I’ll give you a cheque as a deposit.”
“We don’t take cheques. And I don’t have a receipt book!”
“I’ve got cash – say 100 quid. And I’ll write a receipt on the back of one of my business cards.”
“I don’t think the NSA would like it if I made a big fuss here, with all these people around – do you?”
“Ok, quickly then.”
2 minutes later I’m 100 quid richer, and John’s wandering around believing that he’s going to get some hardware encryption device the NSA doesn’t want him to have.
Half an hour later, I’m several thousand pounds richer, and there’s a lot of booze- and rumour-enhanced people wandering about the place. I’m going to have to make a break for it soon before the whole thing turns pear-shaped…
“Excuse me,” another potential customer says from behind me.
I turn around and smell the pears, so to speak. It’s the bloke from the hardware encryption box stand.
“I understand you’re selling ‘Hardware Encryption Boxes’ that the… NSA use?”
“No,” I respond.
“I was told you did.”
“No,” I repeat.
“Whether you do or not is irrelevant. I was wanting to know if you’d allow me to access the firmware code of your device – for… peer review purposes.”
“So you want to look at my – I mean my company’s – code.”
“Of my COMPANY’S hardware encryption device.”
“Not ask to see my box, my stand, my business card or anything?”
“I know how these things work. You probably don’t even HAVE a business card. Or a real company address.”
I feel a little like I’m sitting in front of a one-armed bandit with three jackpot symbols showing and the final wheel still spinning.
“I see. And how much cash have you got on you?”
“A substantial amount. 20K, in non-sequential small denomination bills.”
“I…” I say, now that the 4th wheel has stopped spinning. “Where?”
“In this case,” he says, handing it over.
“Right well, I’ll just go and pop this in my car. Where can I meet you in 10 minutes?”
10 minutes later he’s waiting patiently in his room and I’m waiting impatiently at some traffic lights 8 miles away.
The life of a geeky secret agent just doesn’t get any better than this… ®