From: Soloviev, Nikolaos <nikolaos.soloviev@voortrekker.com>
To: Koenraad Gertodtenhaupt <kgertodtenhaupt@ross128-ventures.com>
Cc: Voortrekker Mission Support <voortrekker@expeditionsupport.gov>
Delivered-To: Koenraad Gertodtenhaupt <kgertodtenhaupt@ross128-ventures.com>
Received: from relay7.local.rs001.l4.earthsys.gov
    by inbound-1.exclusiveservices.net
    with ESMTPSA id 772525wpro10k1ex10d5
    for <kgertodtenhaupt@ross128-ventures.com>
Received: from relay4.qec8.ganymede.earthsys.gov
    by relay1.qec2.rs001.l4.earthsys.gov
Received: from qec5.helio.earthsys.gov
    by relay4.qec8.ganymede.earthsys.gov
Received: from qec.sv14417
    by qec5.helio.earthsys.gov
Date: 06 Sep 2421 07:21:11 +0000
Date-Local: 23 Mar 2419 10:45:11 +0000
Content-Type: multipart/alternative;
MIME-Version: 1.0
Subject: Key compromise

Content-Type: text/plain; charset="utf8"

Koenraad: I've attached a new public key from my new keypair,
replacing the one which was leaked.

As to how that happened: Late yesterday I found out one of our
systems engineers did in fact survive, and I asked her to look into
it. Her report, her précis of which I've attached, indicates that
the commands to retrieve my private key from my secure storage came
to Voortrekker via QEC. She couldn't tell where they originated,
other than somewhere in Sol, but she's very definite that they did
come from Sol.

I've included Expedition Support on this message, to the attention
of their analysts. Combining their efforts with those of your own
people, I hope you'll quickly identify the source of this troubling
leak, and I look forward confidently to receiving your confirmation
that no such breach of security can recur.

In the meantime, you understand that I must protect the interests
of the Ross 128 Ventures board and shareholders, as well as my own
people here, and there is no telling what mischief might befall us
next if I do nothing. Accordingly, I've asked my engineer to have
our systems reject commands received via QEC for now. We've kept
read access enabled, so you can still request and receive data from
our systems, but no commands sent from home will be carried out at
this time.

This is a short-term measure only, to be reversed once confidence
in security back home has been restored. As I said before, I look
forward confidently to receiving such confirmation from you soon.

Nikolaos Soloviev
Director of the Board, Voortrekker GmbH
(a wholly owned subsidiary of Ross 128 Ventures, LLC)

From: Jennifer Story <jennifer.story@voortrekker.com>
To: Nikolaos Soloviev <nikolaos.soloviev@voortrekker.com>
Date: 23 Mar 2419 06:31:19 +0000
Subject: Re: Private key breach

Short version: It wasn't anyone here. The commands came in via QEC.

Long version:

Our network isn't in great shape since the crash. That's on me -
I've been mostly looking after the sick and injured, not the
systems, and with most of our department gone I guess there wasn't
anyone else doing that either. I should've checked closer.

Anyway. Great shape or no, I didn't think Jim would've left things
in a state where just anybody could get into your account. I
checked anyway, but I didn't find anything suggestive in command
history or logon records. Not even in the audit logs, and as far as
I know, the only one with enough access left to tamper with those
would be me.

Not saying I didn't, boss. I won't ask you to trust me blindly on
something this big. But ask around - I've spent almost all my time
working in the infirmaries we've set up, you'll find plenty of
people who can vouch for my whereabouts almost all the time since
the crash. Five minutes here and there in the head isn't enough
time to do the kind of work it'd take to invisibly tamper with
those logs. So either I'm telling you the truth, or I'm so
implausibly skillful at blackhat stuff that I'm an idiot to be out
here at all instead of back home living large on the billions I
could've stolen without half trying.

Anyway. Nothing I could find to suggest it was any of us, so the
next place to check was QEC logs. Here's what I found:

2419-03-22T21:19:08.119+0000 info [qec:recv]
  New message 1a04892cf9: received from qec1.helio.earthsys.gov
2419-03-22T21:19:08.121+0000 info [qec:recv]
  message 1a04892cf9: encrypted compressed data, 1204 bytes
  message 1a04892cf9: origin header: undefined
  message 1a04892cf9: envelope type header: command script
2419-03-22T21:19:08.124+0000 info [qec:recv]
  message 1a04892cf9: handing off to remote command shell (pid 330918)
2419-03-22T21:19:09.089+0000 audit [fs:enc]
  private store unlocked: nikolaos.soloviev (pid 330918)
2419-03-22T21:19:10.042+0000 audit [fs:enc]
  private store locked: nikolaos.soloviev (pid 330918)
2419-03-22T21:19:13.988+0000 info [qec:send]
  New message 1a04892cfa: from pid 330198
2419-03-22T21:19:13.989+0000 info [qec:send]
  message 1a04892cfa: encrypted compressed data, 2847 bytes
  message 1a04892cfa: destination header: undefined
2419-03-22T21:19:13.994+0000 info [qec:send]
  message 1a04892cfa: sent to qec1.helio.earthsys.gov

(I stripped out the headers where they didn't change.) I know you
don't read computer, boss - this is here for you to send back home.
Because, in people, it means that whoever hacked us did it from
Sol. I can't tell who it was - that "origin header: undefined"
means whoever did it didn't identify themselves, which - well, I
won't say it's impossible, obviously it happened. But I don't know
how to do it and, as far as I know, I don't know anyone who does.

Anyway, whoever it was, the commands they sent must've included a
key in your signing chain, because look at those audits from the
encrypted filesystem around 21:19:10. It unlocked your private
filestore and left it that way for almost a second. That's when it
pulled out your key, and who knows what else - we don't normally
run in debug mode because it takes a lot of storage and exposes
PII, so we don't know what other files might've been accessed. I
checked the access times, but didn't see anything from that time
span, because of course I didn't: whoever did this would know we'd
be checking, so they tampered with those too.

I'm about out of ideas, but they've got a lot more engineers who
can look at this back home than we have here. I saw a few people
from my department in the infirmary, but they're all still out, so
for right now all you've got to work with here is me, and I'm just
a junior engineer. Send this stuff home, boss. Maybe they can
figure it out.

If you or they have any more questions I might be able to answer,
you know where to find me - right now, that'll be in the infirmary,
sacked out for a few hours, and then I'm back to looking after the
ill. There's nothing else I can do with this anyway.

Sorry, boss. I'd give you more if I had it. But you need somebody
better than me on this.

Jennifer Story
Support Engineer I, Information Systems Department
SV 14417 Voortrekker
jennifer.story@voortrekker.com / x10219

Content-Type: text/plain; charset="utf8"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=nikolaos-soloviev.asc
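The chain Jennifer Story reads out of the log excerpt in her report above (a command-script envelope with no origin header, handed to a remote command shell, whose pid then unlocks the director's private store for just under a second, followed by an outbound QEC message to the same relay) written as detection logic that runs over those lines. This is an added example, not code from the report or from any Voortrekker system: the line format, the facility names and the ten-second correlation window are assumptions taken from the excerpt, and SAMPLE_LOG reproduces the quoted lines as constructed test input. The unlock is tied to the inbound message by pid; the outbound message is tied by time window instead, since the sending pid logged for 1a04892cfa (330198) is not the shell's (330918), and each finding records whether the two agree.

```python
"""Correlate QEC receive, encrypted-store audit and QEC send events by pid and time.

Added example, not code from the report or from Voortrekker's systems: the event
format and field names are assumed from the quoted log lines, and SAMPLE_LOG is
that excerpt, constructed here as test input.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2419-03-22T21:19:08.119+0000 info [qec:recv]
  New message 1a04892cf9: received from qec1.helio.earthsys.gov
2419-03-22T21:19:08.121+0000 info [qec:recv]
  message 1a04892cf9: encrypted compressed data, 1204 bytes
  message 1a04892cf9: origin header: undefined
  message 1a04892cf9: envelope type header: command script
2419-03-22T21:19:08.124+0000 info [qec:recv]
  message 1a04892cf9: handing off to remote command shell (pid 330918)
2419-03-22T21:19:09.089+0000 audit [fs:enc]
  private store unlocked: nikolaos.soloviev (pid 330918)
2419-03-22T21:19:10.042+0000 audit [fs:enc]
  private store locked: nikolaos.soloviev (pid 330918)
2419-03-22T21:19:13.988+0000 info [qec:send]
  New message 1a04892cfa: from pid 330198
2419-03-22T21:19:13.989+0000 info [qec:send]
  message 1a04892cfa: encrypted compressed data, 2847 bytes
  message 1a04892cfa: destination header: undefined
2419-03-22T21:19:13.994+0000 info [qec:send]
  message 1a04892cfa: sent to qec1.helio.earthsys.gov
"""

HEADER_RE = re.compile(r"^(\S+) \w+ \[([\w:]+)\]$")
MSG_RE = re.compile(r"(?:New )?message (\w+): (.*)")
AUDIT_RE = re.compile(r"private store (unlocked|locked): (\S+) \(pid (\d+)\)")

def parse_log(text):
    """Return (timestamp, facility, detail) triples; indented lines belong to the header above."""
    events, ts, fac = [], None, None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f%z")
            fac = m.group(2)
        elif raw.startswith("  ") and ts is not None:
            events.append((ts, fac, raw.strip()))
    return events

def index_events(events):
    """Split events into inbound messages, store audits and outbound messages."""
    inbound, audits, outbound = {}, [], {}
    for ts, fac, line in events:
        if fac == "fs:enc":
            m = AUDIT_RE.match(line)
            if m:
                audits.append((ts, m.group(1), m.group(2), int(m.group(3))))
            continue
        m = MSG_RE.match(line) if fac in ("qec:recv", "qec:send") else None
        if not m:
            continue
        rec = (inbound if fac == "qec:recv" else outbound).setdefault(m.group(1), {"id": m.group(1), "at": ts})
        rest = m.group(2)
        if " header: " in rest:
            rec[rest.split()[0]] = rest.split(": ", 1)[1]   # keys 'origin', 'envelope', 'destination'
        elif "handing off to remote command shell" in rest:
            rec["shell_pid"], rec["handoff_at"] = int(re.search(r"pid (\d+)", rest).group(1)), ts
        elif rest.startswith("from pid "):
            rec["pid"] = int(rest.split()[-1])
        elif rest.endswith(" bytes"):
            rec["bytes"] = int(rest.split()[-2])
        elif rest.startswith("sent to "):
            rec["to"] = rest.split()[-1]
    return inbound, audits, outbound

def find_store_pulls(text, window=timedelta(seconds=10)):
    """Flag inbound command scripts whose shell pid unlocked a private store, with the
    dwell time and any outbound message that left within `window` of the unlock."""
    inbound, audits, outbound = index_events(parse_log(text))
    findings = []
    for msg in inbound.values():
        if msg.get("envelope") != "command script" or "shell_pid" not in msg:
            continue
        for ts, action, user, pid in audits:
            if action != "unlocked" or pid != msg["shell_pid"] or ts < msg["handoff_at"]:
                continue
            lock = next((a[0] for a in audits if a[1] == "locked" and a[3] == pid and a[0] > ts), None)
            # Outbound traffic is matched by time window, not pid: the sender need not be the shell itself.
            sent = [o for o in outbound.values() if ts <= o["at"] <= ts + window]
            findings.append({
                "inbound": msg["id"],
                "origin": msg.get("origin"),   # 'undefined' in the quoted log: nothing to attribute to
                "shell_pid": pid,
                "store_user": user,
                "unlocked_for_s": (lock - ts).total_seconds() if lock else None,
                "outbound": [(o["id"], o.get("pid"), o.get("bytes"), o.get("to"), o.get("pid") == pid) for o in sent],
            })
    return findings

if __name__ == "__main__":
    print(find_store_pulls(SAMPLE_LOG))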