From: Soloviev, Nikolaos To: Koenraad Gertodtenhaupt Cc: Voortrekker Mission Support Delivered-To: Koenraad Gertodtenhaupt Received: from relay7.local.rs001.l4.earthsys.gov by inbound-1.exclusiveservices.net with ESMTPSA id 772525wpro10k1ex10d5 for Received: from relay4.qec8.ganymede.earthsys.gov by relay1.qec2.rs001.l4.earthsys.gov Received: from qec5.helio.earthsys.gov by relay4.qec8.ganymede.earthsys.gov Received: from qec.sv14417 by qec5.helio.earthsys.gov Date: 06 Sep 2421 07:21:11 +0000 Date-Local: 23 Mar 2419 10:45:11 +0000 Content-Type: multipart-alternative; boundary="__4gngb4li5euq647g0t9x_15486932_" MIME-Version: 1.0 Subject: Key compromise --__4gngb4li5euq647g0t9x_15486932_ Content-Type: text/plain; charset="utf8" Koenraad: I've attached a new public key from my new keypair, replacing the one which was leaked. As to how that happened: Late yesterday I found out one of our systems engineers did in fact survive, and I asked her to look into it. Her report, her précis of which I've attached, indicates that the commands to retrieve my private key from my secure storage came to Voortrekker via QEC. She couldn't tell where they originated, other than somewhere in Sol, but she's very definite that they did come from Sol. I've included Expedition Support on this message, to the attention of their analysts. Combining their efforts with those of your own people, I hope you'll quickly identify the source of this troubling leak, and I look forward confidently to receiving your confirmation that no such breach of security can recur. In the meantime, you understand that I must protect the interests of the Ross 128 Ventures board and shareholders, as well as my own people here, and there is no telling what mischief might befall us next if I do nothing. Accordingly, I've asked my engineer to have our systems reject commands received via QEC for now. We've kept read access enabled, so you can still request and receive data from our systems, but no commands sent from home will be carried out at this time. This is a short-term measure only, to be reversed once confidence in security back home has been restored. As I said before, I look forward confidently to receiving such confirmation from you soon. Nikolaos Soloviev Director of the Board, Voortrekker GmbH (a wholly owned subsidiary of Ross 128 Ventures, LLC) nikolaos.soloviev@voortrekker.com ------------------------------------------------------------------- From: Jennifer Story To: Nikolaos Soloviev Date: 23 Mar 2419 06:31:19 +0000 Subject: Re: Private key breach Short version: It wasn't anyone here. The commands came in via QEC. Long version: Our network isn't in great shape since the crash. That's on me - I've been mostly looking after the sick and injured, not the systems, and with most of our department gone I guess there wasn't anyone else doing that either. I should've checked closer. Anyway. Great shape or no, I didn't think Jim would've left things in a state where just anybody could get into your account. I checked anyway, but I didn't find anything suggestive in command history or logon records. Not even in the audit logs, and as far as I know, the only one with enough access left to tamper with those would be me. Not saying I didn't, boss. I won't ask you to trust me blindly on something this big. But ask around - I've spent almost all my time working in the infirmaries we've set up, you'll find plenty of people who can vouch for my whereabouts almost all the time since the crash. Five minutes here and there in the head isn't enough time to do the kind of work it'd take to invisibly tamper with those logs. So either I'm telling you the truth, or I'm so implausibly skillful at blackhat stuff that I'm an idiot to be out here at all instead of back home living large on the billions I could've stolen without half trying. Anyway. Nothing I could find to suggest it was any of us, so the next place to check was QEC logs. Here's what I found: 2419-03-22T21:19:08.119+0000 info [qec:recv] New message 1a04892cf9: received from qec1.helio.earthsys.gov 2419-03-22T21:19:08.121+0000 info [qec:recv] message 1a04892cf9: encrypted compressed data, 1204 bytes message 1a04892cf9: origin header: undefined message 1a04892cf9: envelope type header: command script 2419-03-22T21:19:08.124+0000 info [qec:recv] message 1a04892cf9: handing off to remote command shell (pid 330918) 2419-03-22T21:19:09.089+0000 audit [fs:enc] private store unlocked: nikolaos.soloviev (pid 330918) 2419-03-22T21:19:10.042+0000 audit [fs:enc] private store locked: nikolaos.soloviev (pid 330918) 2419-03-22T21:19:13.988+0000 info [qec:send] New message 1a04892cfa: from pid 330198 2419-03-22T21:19:13.989+0000 info [qec:send] message 1a04892cfa: encrypted compressed data, 2847 bytes message 1a04892cfa: destination header: undefined 2419-03-22T21:19:13.994+0000 info [qec:send] message 1a04892cfa: sent to qec1.helio.earthsys.gov (I stripped out the headers where they didn't change.) I know you don't read computer, boss - this is here for you to send back home. Because, in people, it means that's where whoever hacked us did it from Sol. I can't tell who it was - that "origin header: undefined" means whoever did it didn't identify themselves, which - well, I won't say it's impossible, obviously it happened. But I don't know how to do it and, as far as I know, I don't know anyone who does. Anyway, whoever it was, the commands they sent must've included a key in your signing chain, because look at those audits from the encrypted filesystem around 21:19:10. It unlocked your private filestore and left it that way for almost a second. That's when it pulled out your key, and who knows what else - we don't normally run in debug mode because it takes a lot of storage and exposes PII, so we don't know what other files might've been accessed. I checked the access times, but didn't see anything from that time span, because of course I didn't: whoever did this would know we'd be checking, so they tampered with those too. I'm about out of ideas, but they've got a lot more engineers who can look at this back home than we have here. I saw a few people from my department in the infirmary, but they're all still out, so for right now all you've got to work with here is me, and I'm just a junior engineer. Send this stuff home, boss. Maybe they can figure it out. If you or they have any more questions I might be able to answer, you know where to find me - right now, that'll be in the infirmary, sacked out for a few hours, and then I'm back to looking after the ill. There's nothing else I can do with this anyway. Sorry, boss. I'd give you more if I had it. But you need somebody better than me on this. Jennifer Story Support Engineer I, Information Systems Department SV 14417 Voortrekker jennifer.story@voortrekker.com / x10219 --__4gngb4li5euq647g0t9x_15486932_ Content-Type: text/plain; charset="utf8" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=nikolaos-soloviev.asc LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tClZlcnNpb246IGVhc3lTZWN1cml0 ZSB2MTE2LjQuODkyMDEgKGVudGVycHJpc2UsIGluIGxlZ2FjeSBtb2RlKQoKbVFFTkJGd0laYXNC Q0FEZHhSNjJUaHhIamJNSUF3a2FHL3doUEtOOEtZSmQ5Q1R3QzZWZEZVWmtqOEtIOW5LUgpJKzI2 Q1VlMHNiVWJiZ09hcDBXbkFhdE9yRkpIdHlYN0VaRE5vN3hNVytVRStic29kcTZOY3MvRFl1OHo1 UVlnCjdvaHRsZ3FZM05INExoTEtrMVFHQk9kQWpoOTdsbTNoK0lFVU5MM28xcDZSQVYvalRzRlNp bkRoVjVYM3NwTXkKUzRZazJVM1JlbXV4ejNIUGg0dDdFbUt0dEYydGE5bkdFQStSNFJvd0IyR1c3 Z0dwbnpDT1oxTW5GQnBaZVdvcAoxN3dUUmJ3OW55V1A2U3d2OGdtaXRWWVM1Yy9mTDJEemgyWWJz SWFXeU1ycEliMFhjZStNR2crZlM5VTByWkVyCmVDUDA3c0JMNUpDcmowM1N2UDl1amZDUWVqZ1RP WHRkSHVxWEFCRUJBQUcwTlU1cGEyOXNZVzl6SUZOdmJHOTIKYVdWMklEeHVhV3R2YkdGdmN5NXpi Mnh2ZG1sbGRrQjJiMjl5ZEhKbGEydGxjaTVqYjIwK2lRRk9CQk1CQ0FBNApGaUVFM2lQZWc0NUNx TysrR1dvWG5nbEJQdFZxQ0ZRRkFsd0laYXNDR3dNRkN3a0lCd0lHRlFvSkNBc0NCQllDCkF3RUNI Z0VDRjRBQUNna1FuZ2xCUHRWcUNGUWoxd2Y5RVNFWjgxTk9mVFAvNzJZZHRsL1BCVUVEWEtYMEpt K3IKb0pDaERYYUh3Vml2Yk0ycEdCbmcwUGNQNFFmUDBsSHdydzBicnR3OHJnOFU3UEdWVzk5bkd4 NkhRZkN5YnBTWQpOWkcxNXBJQ0VkTFNtMU9nMU1vTS9FS1BNZ3FabWJhNUJFT3Y4MUdqOW5IMW0x cWhFUURqNk8wK0g5WTBiWUZsCnBTeUdPQ3FUT0RuNjhrMmlpbWtpZWlNVk5qblZ3NU5OcWl2em5l cEJVYTRrdDQyN0NoT0VkbTlVa3BicWJRUXEKbHpBRnZmd2NwM1RBdmhSY2djK0hMc3F2ek1DKzBO dm5jc0hkVzhVUkNwV3l4S0o0clpHRzBERUNuTW53T1BqTAo0eTVhR1o0cldvZWJwcGxpV1NSc3M3 Y3hmdThaMjJocE94elBOMSthMWpRVzIvRVhweHo1SjdrQkRRUmNDR1dyCkFRZ0E0U0svMktGUFZV SWhYYytMYkFxWGZXMHM3UE1DK2V2Y2kvYmhuc283OUZSMDdDMDRKK2E0UkU4ZFIrZWYKbGN1c0da T01wam9ITkZBV3BwVG10VkF2RVYyeVk5N29yOEZpS0FsR1dHT1VRa3JWTk5PaXBzZjZhdWNjT01G OQo1aWFoNlVFYllaUEM2djhlUjlIZkYwR1ovQVBWYkFUUVh0MkhZQmQ3dm9mUy9UY2FVeWhoM042 dysvVDN6WDRMCmdkakJCK0RNM1pvSmMxVzBjSFFZUlZ2TW5tcmJueHJjWUNrcXFzbStCTjdSQ1ZT SWsweHBWQ21wQ0VOR1c0QlYKLzBqQ3NYaWoxd00zSnkzaVBjNVV6T1N1VklwWUgvczdSZzVLaVcy UjZsaHRERWhWWDVtYVh1a0V1L0dLK0Vkcwp4NHZuZDdDdjdWdkkrODNRckZNZlFydTdiUUFSQVFB QmlRRTJCQmdCQ0FBZ0ZpRUUzaVBlZzQ1Q3FPKytHV29YCm5nbEJQdFZxQ0ZRRkFsd0laYXNDR3d3 QUNna1FuZ2xCUHRWcUNGUXBCUWYvVjV3ZUtMTEFuV09sVWJnT1pXbWsKM05HbFVjaXpoQ0hra3ZW S3RrNlNaVzE4cDdrVjFlUUs0RmlVTzQ3SjA2U2FsYy9wTXR2Z0Nrakcwdm1GeUEvSgo2dTEwZ1dQ K1ZXMVVtUXkrdlZuVkZKZXRwaTlUd1Bta2dIc1dweFdLTCtWa2k0MzF6OTJHRlFsSmxFNzdsSHlX Cld3QkV6UUxxM2gxajVKYmd0OXJqdkNIOTkranRKdmZFQ0ltaGUwM2hDaDZZemtoU0VsRXdrcVFy enJHQi9xdlgKcEtwV0dUR00vRVpzUGY5cnZLYktLdU9lUHdCV01iOUxmK0ZxYXdmSTJVVkVZWEFE NXNxUE00eGFLMDVMSVZEUApkREZ5a2ZyTno3SWZRY3hGT1N3SWM2SFg1VmlNYlJ6a01ZUU9RVUVZ RXRQd0o1YkRBUjdmSXpiL3FMakJyZEFnCldRPT0KPTVwa0EKLS0tLS1FTkQgUEdQIFBVQkxJQyBL RVkgQkxPQ0stLS0tLQo= --__4gngb4li5euq647g0t9x_15486932_--