encrypting data. What it's really ideal for, though, is encrypting a virus.”
“Cryptovirology,” Sarah said, looking at him.
Alex nodded, pleased that she understood right away. “Exactly. Malicious cryptography.”
“Sorry, guys,” Ben said, “you're getting a little ahead of me here.”
“Okay,” Alex said. “You know what a computer virus is, right?”
“Sure. A piece of code that someone sneaks into a system to mess things up.”
“Yeah, pretty much. Now, there are typically two ways viruses get detected and blocked-signatures and heuristics. Signatures basically means the antivirus software has a list of known viruses with instructions to block or isolate them. It's like the name of a suspected terrorist. It goes on a no-fly list, and if the name comes up, the guy can't get on the plane. It's the name you're keying on, or in the case of viruses, a kind of digital fingerprint.”
“Okay…”
“The second method is heuristics. Here, the virus is unknown, and you try to spot it by analyzing typical virus behaviors. To stay with the airplane analogy, this would be like passenger profiling. The guy's name doesn't trigger any alarms, but is he doing things we associate with terrorist behavior. If so, he can't get on the plane.”
“Okay, I get it.”
“So the biggest problem for the virus writer is avoiding detection. If it's a new virus, you don't have to worry about its signature being detected, only viruslike behaviors. But if you eliminate all the viruslike behaviors, you're left with something that's no longer functional as a virus. Undetectable, maybe, but also useless.”
“So we're talking about concealment,” Ben said.
“Exactly. That's where the encryption comes in. You use the encryption to create a polymorphic virus.”
Ben raised his eyebrows, and Alex realized he didn't understand. He paused for a minute, trying to think of a way to explain.
“‘Polymorphic’ means constantly changing,” Sarah said. “We're talking about code that mutates while keeping the original algorithm intact. Which is, generally speaking, how encryption works. If you encrypt the virus, the viruslike behavior is hidden beneath a constantly shifting cloak. Antivirus software doesn't know what to look for.”
“Why hasn't anyone done this before?” Ben said.
“They have,” Alex said. “A Bulgarian virus writer who went by the name Dark Avenger created a polymorphic engine years ago. And a couple of guys-Adam Young and Moti Yung-wrote a whole book on it. But there's always been a built-in limitation.”
“You can't encrypt the whole virus,” Sarah said. “If you do, it's unusable. You have to leave an unencrypted portion that will decrypt and execute the encrypted portion. And it's that unencrypted tail the antivirus software tries to target.”
Alex smiled, glad at her interruption. She'd been awfully quiet for a while. It wasn't like her.
“Obsidian encrypts the whole thing?” Ben asked. “How?”
“Maybe it won't work for all malicious applications,” Alex said. “I haven't had time to test it adequately. But what it does work for-and brilliantly-is a virus that's instructed to carry out malicious encryption.”
“I don't get it,” Ben said. “An encrypted virus for encrypting? Why would someone want to do that? I mean, isn't the ostensible purpose of Obsidian encryption?”
To Alex, it was so obvious that he was momentarily stuck for an answer. “Well, yes,” he said, “but the ostensible purpose is to encrypt your data voluntarily-and with your own key for decrypting it. Look at it this way. Imagine if this happened to you: you couldn't access your data. It would be like coming home to your house one day, and finding that someone had installed extra locks on all the doors-locks that you don't have a key for. Even if the perpetrator hadn't managed to defeat your locks and steal your stuff, he's prevented you from getting into your own house. You're locked out. Which means, effectively, your whole house has been stolen. You're homeless.”
“So you would use this for what, extortion?” Ben asked.
“That's one possibility,” Sarah said. “Or it could be pure destruction. Imagine if you locked up all the data at a major bank. Or the New York Stock Exchange. Or the Department of Defense. Or-”
“Don't those kind of institutions have their data backed up?”
“Sure,” Alex said. “But you can create a virus that lies dormant for long enough to infect the backed-up data, too. And even if someone had backup, think of the disruption that would be caused if you could freeze their primary.”
“Okay, I get it,” Ben said. “I get it. Damn. Does it have other applications?”
“I'm trying to find out. I mean, locking up a computer network is bad enough, but if you could install an Obsidian virus and have it clandestinely transmit data, undetectable by anti-intrusion systems? Man.”
They were quiet for a moment. Alex said, “So what does this tell us? I mean about who's behind this.”
“It's someone with a lot of reach, I'll tell you that,” Ben said. “Someone with a network capable of spotting Obsidian, assessing its hidden potential, and acting on a broad geographical scale to acquire it. If I had to guess, I'd guess the Chinese.”
“Why?” Sarah said.
“Because in addition to their overall reach, they're so active in cyberwarfare initiatives. They managed to get some spyware onto the German chancellor's computer that was siphoning off something like a hundred and sixty gigabytes of information a day before anyone knew better. And not long ago, someone penetrated the office computer of the secretary of defense. The Pentagon thinks it was the People's Liberation Army. They've run war games in which they launch a first-strike attack on American computers, the objective being elecromagnetic dominance-crippling our military operations and disrupting civilian life.”
“Come on, Ben,” Sarah said. “You sound like a Pentagon PowerPoint briefing.”
“Trust me, this is real. The State Department's computers are probed two million times a day. Two million. For the Pentagon, it's worse.”
Wow, they were sure being congenial. Yesterday, when they argued about this kind of stuff, it had practically been a death match.
“I'm just saying we don't want to rule out the United States,” Sarah said. “The government has an interest in this area, too.”
Alex said, “Well, what's our next move?”
Sarah shrugged. “Why not publish it? Publish the executable, Hilzoy's notes, your conclusions.”
“Are you crazy?” Ben said. “You just said yourself, anyone who knows how to use this thing could cause extreme destruction.”
“We don't really know that. Alex has found some malicious applications, yes, but as far as we know it's never been field-tested.”
Ben shook his head. “Absolutely not. All you're saying is that we know Obsidian could be destructive, but we don't know how destructive.”
“Information wants to be free,” Sarah said.
Ben laughed. “Come on, that's like saying a chair wants to be free. Information doesn't want anything.”
“What I mean is-”
“I know what you mean,” Alex said, “but viruses want to be free, too. That's not a reason not to contain them. We can't publish this. I mean, imagine the harm it could do. We can't take that chance.”
“Fine,” Sarah said. “But there's no way the people who are after this are going to just walk away if they think we know about Obsidian, or that maybe we have an extra copy. No way.”
Ben looked at Alex. “No, they're not walking away. I went to the house last night. Someone was waiting there.”
Alex felt a sick lurch in his gut, the memory of that night in the bathtub blooming darkly to life. “What happened?”
“I thought there was a chance someone might try to ambush you there, so I laid a counterambush. The problem was, there was an ambush-but it wasn't for you, it was for me. Or someone like me. I should have seen that coming. With what happened outside the Four Seasons, they knew you had some kind of professional help-a bodyguard, something like that. They outthought me. I was lucky to get away.”
