<< BACK TO RS001 LOG

From: Soloviev, Nikolaos <nikolaos.soloviev@voortrekker.com>
To: Koenraad Gertodtenhaupt <kgertodtenhaupt@ross128-ventures.com>
Cc: Voortrekker Mission Support <voortrekker@expeditionsupport.gov>
Delivered-To: Koenraad Gertodtenhaupt <kgertodtenhaupt@ross128-ventures.com>
Received: from relay7.local.rs001.l4.earthsys.gov
    by inbound-1.exclusiveservices.net
    with ESMTPSA id 772525wpro10k1ex10d5
    for <kgertodtenhaupt@ross128-ventures.com>
Received: from relay4.qec8.ganymede.earthsys.gov
    by relay1.qec2.rs001.l4.earthsys.gov
Received: from qec5.helio.earthsys.gov
    by relay4.qec8.ganymede.earthsys.gov
Received: from qec.sv14417
    by qec5.helio.earthsys.gov
Date: 06 Sep 2421 07:21:11 +0000
Date-Local: 23 Mar 2419 10:45:11 +0000
Content-Type: multipart-alternative;
 boundary="__4gngb4li5euq647g0t9x_15486932_"
MIME-Version: 1.0
Subject: Key compromise

--__4gngb4li5euq647g0t9x_15486932_
Content-Type: text/plain; charset="utf8"

Koenraad: I've attached a new public key from my new keypair,
replacing the one which was leaked.

As to how that happened: Late yesterday I found out one of our
systems engineers did in fact survive, and I asked her to look into
it. Her report, her précis of which I've attached, indicates that
the commands to retrieve my private key from my secure storage came
to Voortrekker via QEC. She couldn't tell where they originated,
other than somewhere in Sol, but she's very definite that they did
come from Sol.

I've included Expedition Support on this message, to the attention
of their analysts. Combining their efforts with those of your own
people, I hope you'll quickly identify the source of this troubling
leak, and I look forward confidently to receiving your confirmation
that no such breach of security can recur.

In the meantime, you understand that I must protect the interests
of the Ross 128 Ventures board and shareholders, as well as my own
people here, and there is no telling what mischief might befall us
next if I do nothing. Accordingly, I've asked my engineer to have
our systems reject commands received via QEC for now. We've kept
read access enabled, so you can still request and receive data from
our systems, but no commands sent from home will be carried out at
this time.

This is a short-term measure only, to be reversed once confidence
in security back home has been restored. As I said before, I look
forward confidently to receiving such confirmation from you soon.

Nikolaos Soloviev
Director of the Board, Voortrekker GmbH
(a wholly owned subsidiary of Ross 128 Ventures, LLC)
nikolaos.soloviev@voortrekker.com

-------------------------------------------------------------------
From: Jennifer Story <jennifer.story@voortrekker.com>
To: Nikolaos Soloviev <nikolaos.soloviev@voortrekker.com>
Date: 23 Mar 2419 06:31:19 +0000
Subject: Re: Private key breach

Short version: It wasn't anyone here. The commands came in via QEC.

Long version:

Our network isn't in great shape since the crash. That's on me -
I've been mostly looking after the sick and injured, not the
systems, and with most of our department gone I guess there wasn't
anyone else doing that either. I should've checked closer.

Anyway. Great shape or no, I didn't think Jim would've left things
in a state where just anybody could get into your account. I
checked anyway, but I didn't find anything suggestive in command
history or logon records. Not even in the audit logs, and as far as
I know, the only one with enough access left to tamper with those
would be me.

Not saying I didn't, boss. I won't ask you to trust me blindly on
something this big. But ask around - I've spent almost all my time
working in the infirmaries we've set up, you'll find plenty of
people who can vouch for my whereabouts almost all the time since
the crash. Five minutes here and there in the head isn't enough
time to do the kind of work it'd take to invisibly tamper with
those logs. So either I'm telling you the truth, or I'm so
implausibly skillful at blackhat stuff that I'm an idiot to be out
here at all instead of back home living large on the billions I
could've stolen without half trying.

Anyway. Nothing I could find to suggest it was any of us, so the
next place to check was QEC logs. Here's what I found:

2419-03-22T21:19:08.119+0000 info [qec:recv]
  New message 1a04892cf9: received from qec1.helio.earthsys.gov
2419-03-22T21:19:08.121+0000 info [qec:recv]
  message 1a04892cf9: encrypted compressed data, 1204 bytes
  message 1a04892cf9: origin header: undefined
  message 1a04892cf9: envelope type header: command script
2419-03-22T21:19:08.124+0000 info [qec:recv]
  message 1a04892cf9: handing off to remote command shell (pid 330918)
2419-03-22T21:19:09.089+0000 audit [fs:enc]
  private store unlocked: nikolaos.soloviev (pid 330918)
2419-03-22T21:19:10.042+0000 audit [fs:enc]
  private store locked: nikolaos.soloviev (pid 330918)
2419-03-22T21:19:13.988+0000 info [qec:send]
  New message 1a04892cfa: from pid 330198
2419-03-22T21:19:13.989+0000 info [qec:send]
  message 1a04892cfa: encrypted compressed data, 2847 bytes
  message 1a04892cfa: destination header: undefined
2419-03-22T21:19:13.994+0000 info [qec:send]
  message 1a04892cfa: sent to qec1.helio.earthsys.gov

(I stripped out the headers where they didn't change.) I know you
don't read computer, boss - this is here for you to send back home.
Because, in people, it means that's where whoever hacked us did it
from Sol. I can't tell who it was - that "origin header: undefined"
means whoever did it didn't identify themselves, which - well, I
won't say it's impossible, obviously it happened. But I don't know
how to do it and, as far as I know, I don't know anyone who does.

Anyway, whoever it was, the commands they sent must've included a
key in your signing chain, because look at those audits from the
encrypted filesystem around 21:19:10. It unlocked your private
filestore and left it that way for almost a second. That's when it
pulled out your key, and who knows what else - we don't normally
run in debug mode because it takes a lot of storage and exposes
PII, so we don't know what other files might've been accessed. I
checked the access times, but didn't see anything from that time
span, because of course I didn't: whoever did this would know we'd
be checking, so they tampered with those too.

I'm about out of ideas, but they've got a lot more engineers who
can look at this back home than we have here. I saw a few people
from my department in the infirmary, but they're all still out, so
for right now all you've got to work with here is me, and I'm just
a junior engineer. Send this stuff home, boss. Maybe they can
figure it out.

If you or they have any more questions I might be able to answer,
you know where to find me - right now, that'll be in the infirmary,
sacked out for a few hours, and then I'm back to looking after the
ill. There's nothing else I can do with this anyway.

Sorry, boss. I'd give you more if I had it. But you need somebody
better than me on this.

Jennifer Story
Support Engineer I, Information Systems Department
SV 14417 Voortrekker
jennifer.story@voortrekker.com / x10219

--__4gngb4li5euq647g0t9x_15486932_
Content-Type: text/plain; charset="utf8"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=nikolaos-soloviev.asc

LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tClZlcnNpb246IGVhc3lTZWN1cml0
ZSB2MTE2LjQuODkyMDEgKGVudGVycHJpc2UsIGluIGxlZ2FjeSBtb2RlKQoKbVFFTkJGd0laYXNC
Q0FEZHhSNjJUaHhIamJNSUF3a2FHL3doUEtOOEtZSmQ5Q1R3QzZWZEZVWmtqOEtIOW5LUgpJKzI2
Q1VlMHNiVWJiZ09hcDBXbkFhdE9yRkpIdHlYN0VaRE5vN3hNVytVRStic29kcTZOY3MvRFl1OHo1
UVlnCjdvaHRsZ3FZM05INExoTEtrMVFHQk9kQWpoOTdsbTNoK0lFVU5MM28xcDZSQVYvalRzRlNp
bkRoVjVYM3NwTXkKUzRZazJVM1JlbXV4ejNIUGg0dDdFbUt0dEYydGE5bkdFQStSNFJvd0IyR1c3
Z0dwbnpDT1oxTW5GQnBaZVdvcAoxN3dUUmJ3OW55V1A2U3d2OGdtaXRWWVM1Yy9mTDJEemgyWWJz
SWFXeU1ycEliMFhjZStNR2crZlM5VTByWkVyCmVDUDA3c0JMNUpDcmowM1N2UDl1amZDUWVqZ1RP
WHRkSHVxWEFCRUJBQUcwTlU1cGEyOXNZVzl6SUZOdmJHOTIKYVdWMklEeHVhV3R2YkdGdmN5NXpi
Mnh2ZG1sbGRrQjJiMjl5ZEhKbGEydGxjaTVqYjIwK2lRRk9CQk1CQ0FBNApGaUVFM2lQZWc0NUNx
TysrR1dvWG5nbEJQdFZxQ0ZRRkFsd0laYXNDR3dNRkN3a0lCd0lHRlFvSkNBc0NCQllDCkF3RUNI
Z0VDRjRBQUNna1FuZ2xCUHRWcUNGUWoxd2Y5RVNFWjgxTk9mVFAvNzJZZHRsL1BCVUVEWEtYMEpt
K3IKb0pDaERYYUh3Vml2Yk0ycEdCbmcwUGNQNFFmUDBsSHdydzBicnR3OHJnOFU3UEdWVzk5bkd4
NkhRZkN5YnBTWQpOWkcxNXBJQ0VkTFNtMU9nMU1vTS9FS1BNZ3FabWJhNUJFT3Y4MUdqOW5IMW0x
cWhFUURqNk8wK0g5WTBiWUZsCnBTeUdPQ3FUT0RuNjhrMmlpbWtpZWlNVk5qblZ3NU5OcWl2em5l
cEJVYTRrdDQyN0NoT0VkbTlVa3BicWJRUXEKbHpBRnZmd2NwM1RBdmhSY2djK0hMc3F2ek1DKzBO
dm5jc0hkVzhVUkNwV3l4S0o0clpHRzBERUNuTW53T1BqTAo0eTVhR1o0cldvZWJwcGxpV1NSc3M3
Y3hmdThaMjJocE94elBOMSthMWpRVzIvRVhweHo1SjdrQkRRUmNDR1dyCkFRZ0E0U0svMktGUFZV
SWhYYytMYkFxWGZXMHM3UE1DK2V2Y2kvYmhuc283OUZSMDdDMDRKK2E0UkU4ZFIrZWYKbGN1c0da
T01wam9ITkZBV3BwVG10VkF2RVYyeVk5N29yOEZpS0FsR1dHT1VRa3JWTk5PaXBzZjZhdWNjT01G
OQo1aWFoNlVFYllaUEM2djhlUjlIZkYwR1ovQVBWYkFUUVh0MkhZQmQ3dm9mUy9UY2FVeWhoM042
dysvVDN6WDRMCmdkakJCK0RNM1pvSmMxVzBjSFFZUlZ2TW5tcmJueHJjWUNrcXFzbStCTjdSQ1ZT
SWsweHBWQ21wQ0VOR1c0QlYKLzBqQ3NYaWoxd00zSnkzaVBjNVV6T1N1VklwWUgvczdSZzVLaVcy
UjZsaHRERWhWWDVtYVh1a0V1L0dLK0Vkcwp4NHZuZDdDdjdWdkkrODNRckZNZlFydTdiUUFSQVFB
QmlRRTJCQmdCQ0FBZ0ZpRUUzaVBlZzQ1Q3FPKytHV29YCm5nbEJQdFZxQ0ZRRkFsd0laYXNDR3d3
QUNna1FuZ2xCUHRWcUNGUXBCUWYvVjV3ZUtMTEFuV09sVWJnT1pXbWsKM05HbFVjaXpoQ0hra3ZW
S3RrNlNaVzE4cDdrVjFlUUs0RmlVTzQ3SjA2U2FsYy9wTXR2Z0Nrakcwdm1GeUEvSgo2dTEwZ1dQ
K1ZXMVVtUXkrdlZuVkZKZXRwaTlUd1Bta2dIc1dweFdLTCtWa2k0MzF6OTJHRlFsSmxFNzdsSHlX
Cld3QkV6UUxxM2gxajVKYmd0OXJqdkNIOTkranRKdmZFQ0ltaGUwM2hDaDZZemtoU0VsRXdrcVFy
enJHQi9xdlgKcEtwV0dUR00vRVpzUGY5cnZLYktLdU9lUHdCV01iOUxmK0ZxYXdmSTJVVkVZWEFE
NXNxUE00eGFLMDVMSVZEUApkREZ5a2ZyTno3SWZRY3hGT1N3SWM2SFg1VmlNYlJ6a01ZUU9RVUVZ
RXRQd0o1YkRBUjdmSXpiL3FMakJyZEFnCldRPT0KPTVwa0EKLS0tLS1FTkQgUEdQIFBVQkxJQyBL
RVkgQkxPQ0stLS0tLQo=

--__4gngb4li5euq647g0t9x_15486932_--