This chapter is dedicated to the University Bookstore at the University of Washington, whose science fiction section rivals many specialty stores, thanks to the sharp-eyed, dedicated science fiction buyer, Duane Wilkins. Duane's a real science fiction fan -- I first met him at the World Science Fiction Convention in Toronto in 2003 -- and it shows in the eclectic and informed choices on display at the store. One great predictor of a great bookstore is the quality of the "shelf review" -- the little bits of cardboard stuck to the shelves with (generally hand-lettered) staff-reviews extolling the virtues of books you might otherwise miss. The staff at the University Bookstore have clearly benefited from Duane's tutelage, as the shelf reviews at the University Bookstore are second to none.

University Bookstore: 4326 University Way NE, Seattle, WA 98105 USA +1 800 335 REA

-------------------------------

Once upon a time, terrorists blew up a bridge in my city and killed over four thousand people. They told me everything changed. They told me that we didn't have the same rights we used to, because catching terrorists was more important than our little freedoms.

They say they caught the terrorists. One of the guys, who had been killed by a drone in Yemen supposedly thought the whole thing up. I guess I'm okay with him being dead if that's the case. I hope it's the case. No one would show us the proof, of course, because of "national security."

But "everything is different" turned out to be a demand and not a description. It pretended to describe what the new reality was, but instead it demanded that everyone accept a new reality, one where we could be spied on and arrested and even tortured.

A few years later, everything changed again. It seemed like overnight, no one had jobs anymore, no one had money anymore, and people started to lose their houses. It was weird, because now that it was obvious that everything had changed, no one wanted to talk about how everything had changed.

When the streets are full of armed cops and soldiers telling you that everything is different, everyone can point at one thing, a thing with a human face, and agree, "It's different, it's different."

But when some mysterious social/financial/political force upends the world and changes everything -- when "everything is different now" is a description and not a demand -- somehow, it gets much harder to agree on whether things were different and what we needed to do about it.

It was one thing to demand that the armed guards leave our streets. It was another to figure out how to demand that the silent red overdue bills and sneaky process servers with their eviction notices go away.

I was nearly late getting to work the next day, but I just squeaked in. I'd stolen back one of my T-shirts from Ange's laundry pile (she liked to steal mine and sleep in them), and it smelled wonderfully of her, and put me in a good mood as I came through the door and made a beeline for my desk.

"Dude!" Liam said, practically bouncing in place by my chair. "Can you believe it?"

"What?" I said.

"You know! The darknet stuff!"

All the blood rushed out of my head and into my gut and swirled there like a stormy ocean. My ears throbbed with my pulse. "What?" I said.

"You didn't see?"

He leaned over me and moused to my browser, went to the front page of Reddit, a site where you could submit and vote on news stories. Every item on the front page talked about "darknet leaks." Feeling like I was in a horror movie, I clicked one of them. It was a story on wired.com, about a file that had been anonymously dumped into pastebin.com, instructions for using a lawful intercept appliance to take over Android phones and work their cameras. Whoever had dumped the file had sent an email to a reporter at wired.com saying that there were more than 800,000 documents like it on a darknet site that volunteers were combing through them, and there was a lot more to come. It didn't say where they'd come from or who the volunteers were.

I went back to Reddit and checked the others. How many darknet docs had leaked? It seemed like everyone had the same story, in different variants -- 800,000 docs, darknet, more to come, but nothing more. I started to calm down.

"You've got an Android phone, right?" Liam said.

"Yeah," I said. "I do. But I run ParanoidAndroid -- it's an alternate OS that resists that kind of spyware."

"Really?" Joe said. He'd walked up on us on cats-paw feet while we were talking, and I jumped in my seat. "Woah, sorry, calm down there, Marcus. I've got an Android phone, too. Tell you what, I'll order in pizza for lunch if you'll give us a workshop on keeping our phones secure. Sounds like the kind of thing we should all know about."

"Yeah, sure," I said. "Of course." Though as soon as I saw the Wired story, I'd started scheming to take lunch off and find a WiFi network with weak, crackable WEP security so that I could hop on, tunnel into the darknet, and try to figure out what had just happened. I mean, I knew better than anyone that there was no such thing as perfect security, and I understood that it was likely that someone, someday, would get a look at the darknet docs who we hadn't invited in. But I didn't think that day would be the day after we set up the darknet!

But I couldn't screw up my job. I'd been desperate for work for so long, and it was such a cool job. The fact that I might now be the target of a ruthless mercenary army didn't mean that I didn't have to help Joe get elected.

So I did my job, and when the pizza came, I stood with a slice in one hand and a white-board pen in the other and sketched out a little flowchart of how your phone could be taken over, and what could be done with your phone after it was pwned.

Joe munched thoughtfully at a slice, wiped his fingers and his mouth, and put up his hand. "So you're saying that the police could take over our phones?"

"No!" Liam said, vibrating in his chair. "He's saying anyone could --"

I put up my hands and Liam calmed down. "What I mean is, once the intercept appliance is installed at the phone company's data center, anyone who has a login and password for it could use it."

"But who has that login and password? The police, yes?"

"Probably not, actually. The leaks suggested that these appliances were managed by the phone company or ISP. So a police officer calls up the lawful intercept technicians and they set it up for him. So the list of anyone who could break into the ISP's network, anyone who could bribe or blackmail someone at the ISP, anyone who can convincingly pretend to be a police officer to the ISP, anyone who can get a real police officer to give him access, or anyone who can pay someone to do any of the above."

"So you're saying that turning anyone's phone into a superbug is as easy as fixing a parking ticket?"

"I've never fixed a parking ticket," I said. "I don't drive. Is it hard to fix a parking ticket?"

Joe drummed his fingers on the table. "Not if you're rich or well connected. Or so I'm told."

"Yeah," I said, "rich or well-connected people could turn any phone into a mobile bug. In theory there's no reason this is limited to Android phones. It could work by pushing out updates to iTunes, or Firefox, or any app. They'd just need a signing certificate and --" I stopped talking, because I'd just remembered that there hadn't been anything about the signing certificates in the leak. "And things like that. So theoretically, any computer, any phone, anything that updates itself automatically could be turned into a bug once these things are installed."

My hands were sweating. Joe and the rest of the office may not know what a "signing certificate" was, but Liam did, and he looked like he was committing every word I uttered to memory. "Uh," I said. "Also, once your computer is infected with this stuff, it's possible that people other than the police or whoever bugged you will start to watch what you do."

Joe put his hand up again. "Explain?" he said.

"Oh, well, here's how it would work. Say I pay someone to bug your computer. Now your computer has some malicious software on it that can, I don't know, look out your camera, listen to your mic, watch your keystrokes, snatch files off your hard drive, the whole thing. The bug will have some kind of control software, a program that I run to access your computer. Maybe that program lives on a server somewhere else, in which case anyone who breaks into that server can then break into all the infected computers and phones and stuff. Or maybe it lives on your computer, so if I take over your computer, I can jump from it to all the infected computers. But also, if someone figures out that your computer is running the bug, maybe they can connect directly to your computer -- like they could hang around outside your house and crack your WiFi password and wait for your computer to log on, and then snag it, or maybe they don't know who you are and they just sit at Starbucks all day waiting for anyone with the bug to join the network and then they grab the computer's controls."

Paranoid commercial interlude

This is the part that always freaks people out, me included. The idea that there's someone inside your phone, listening, watching. Gives me the creeps just looking at it. There are a lot of libraries that won't stock ebooks at all because they refuse to give in to the publishers' demands to use DRM, so they rely on print copies, like the ones you can donate here ). This has the side effect of reducing their patrons' reliance of spyware-vulnerable machines designed to accommodate the DRM.

When it comes to the commercial editions of my books, you can always be sure that they're DRM-free. I wouldn't have it any other way. Lucky for me, my publisher Tor agrees: All of its ebooks are DRM free, always. But when I love a book, I want a hardcopy, something I can shove in a friend's hand and say, "here, you have to read this." Either way, I hope you'll consider buying a copy of this book.

-------------------------------

Flor put up her hand. "How realistic is this? I mean, this all sounds pretty scary, but can you give me an idea of how many computers have been infected this way? In the real world, is this something I need to worry about? Or is it like being struck by lightning?"

I shrugged. "I guess I'm the wrong guy to ask about that. I've never used this stuff, never shelled out a hundred grand for one of these boxes. I'm guessing if the police buy them, they must use them. I mean, you could think of this as HIV. Your computer has an immune system, all the passwords and so forth that stop it from being taken over by parasites. Once it's bugged, it's got a compromised immune system. So parasites can come in and infect it." I thought a moment. I was calming down. No, that's not right, I was just excited now, and not scared, because it was kind of cool that everyone in the office was hanging on my every word. It made me feel important and smart. "Actually, it's like the network has an immune system, including things like Internet Service Providers who don't conspire to trick your computer into downloading malicious software. When your ISP's router tells you a file is coming from Google or Apple or Mozilla, your computer assumes that that's where the packets are coming from. But once you start monkeying with that, once you create a procedure that tells ISPs to start secretly lying to their customers, well, it seems to me like you can expect that to start happening."

"So what do we do?"

"Oh," I said. "Well, for Android, that's easy. It's open and free, which means Google has to publish the source code for the operating system. A group of privacy hackers have created an alternate version called ParanoidAndroid that checks a bunch of places every time it gets an update and tries to figure out how trustworthy it is. It used to be really hard to install, but it keeps on getting easier. I've made up a little installer script that you can download from the intranet that makes it even simpler. Just plug in your Android phone and run the script and it should just work. Let me know if it doesn't."

"But how do we know we can trust your script?" Flor said. "Maybe you're bugging us all."

Liam practically leapt to his feet: "Marcus would never do that --"

I had to laugh. "No, she's right. You're right, Flor. You've got no reason to trust me. I've only been here a couple of days. I mean, you guys asked me to work here, so it's not likely that I'd have planned to take over this place with malicious software, but maybe I'm the kind of guy who goes around doing it all the time." I thought about it. "So, you could google everything I just told you and download ParanoidAndroid yourself -- but maybe I planted all that information there for Google to find. I guess it all depends on how paranoid you're feeling."

"I'm feeling moderately paranoid, with a side of prudence and common sense," Joe announced, getting a laugh. "I'll install it. Then what do I do?"

"Nothing, unless your phone throws a warning about an update. Then you can google it or ask me, or rely on your own judgment. There's a paranoia flag for Ubuntu Linux, too, if any of you are running that -- it'll tell you if an update doesn't match up with the fingerprints on the public servers. Sorry, but I don't know about anything comparable for Mac or Windows." I stood with my hands folded again. "Is there any more pizza?"

Jolu threw a little instant browser chat app up on darknet for us, and started it off with

> ALL RIGHT, WHO SPILLED THE BEANS? FIRST RULE OF DARKNET IS NO ONE TALKS ABOUT DARKNET -Swollen Rabbit

"Swollen Rabbit" was the handle he'd chosen for himself -- he'd also put up a nickname generator to help us all choose random, single-use, cool-sounding handles for the system.

I felt like he wasn't taking this very seriously -- all those caps and the jokey tone. We were dealing with a plutonium spill and he was treating it like a minor nuisance.

> This is serious folks. Swollen Rabbit, are you sure it was a leak from one of us and not a break-in? -Nasty Locomotive

> it's impossible to be sure but yeah. I've been over the logs and I don't see anyone except us. Maybe someone's got a screenlogger infection or something? -Swollen Rabbit

Oh yeah, of course. Maybe we were bugged. That'd be a weird form of humor: to use a bug to spy on someone who'd found a leak about bugs and then leak the leak to the press using the bug... It was weird enough that it made me feel dizzy if I thought about it enough. I decided to fall back on Occam's Razor. The idea that someone blabbed was a lot simpler.

> I know I can trust you and the rest of our crew and Tasty Ducks

-- that was Ange --

> but what about all your friends? -Nasty Locomotive

> Wait why should we trust YOUR crew? Who died and made you infallible? -Restless Agent

That was one of the people Jolu had brought in, though I didn't know anything else about him (or her). Jolu and I had decided it'd be better if we kept everything on a need-to-know basis. I didn't need to know who Restless Agent was, just that the handle represented someone Jolu trusted utterly.

But Jolu or no, I found myself getting ready to clobber this Restless Agent person. How dare anyone call Darryl and Van and Ange and me into question? Ange, meanwhile, had already read the message on her screen. She was sitting cross-legged on my bed, hair in her eyes, bent over her laptop. As soon as my fingers began to pound angrily on the keyboard, she said, "Woah there, hoss. Calm down."

"But --" I said.

"I know, I know. Someone is wrong on the Internet. Count to ten. In ternary."

"But --"

"Do it."

"One. Two. Ten. Eleven. Twelve. Twenty. Twenty one. Twenty two. One hundred. One oh one. One oh two." I stopped. "Wait, I lost count. Is one-oh-two ten or eleven?" I could count in binary when I was angry, but counting in ternary -- base three -- took too much concentration. "Fine, you win. I'm calm."

> You're right, you can't. -Tasty Ducks

> You don't know us and we don't know you. And we can't keep this up if someone here is showing off by letting blabby writers into the darknet. So what do we do? Shut it down? -Tasty Ducks

> I could turn on logging and make it visible to everyone. Then we'd know who got to see every document. If a doc leaked we'd have the list of everyone who saw it. If enough docs leaked we'll be able to narrow down the list and find the one person who saw everything -Swollen Rabbit

> Assuming only one person is blabbing -Nasty Locomotive

> Yeah maybe we're all running our mouths -Poseidon Snake

That was another of Jolu's buddies.

> Logging sounds like a good plan. If we can all see what everyone's done, it'll keep us all honest -Nasty Locomotive

> Unless I'm the rat in which case I could be editing the logs and you suckers would never know -Swollen Rabbit

> Ell Oh Ell. You're such a comedian. If you're the rat we're all dead meat. Don't be the rat, dude -Tasty Ducks

"All right, fine, that's settled for now," I said. "Thanks for keeping me from turning into Angry Internet Man."

"Any time. It was kind of weak for you to just say 'how can we trust your friends' where everyone could see it."

I wanted to argue, but it wasn't really an arguable point. After all, I'd lost my cool when Restless Agent did exactly the same thing.

"Yeah, okay, fine." I paged up and down through the monster spreadsheet with its 800,000-plus rows. "So what are we going to read through today, anyway?"

"More of the lawful intercept stuff, I guess. There's hundreds more suggested docs. Since the story's out there, it'd make sense to find out more."

"Okay," I said. "You take suggested docs from the first half, I'll take the ones from 400,000 onward. My mom says you're welcome to stay for dinner, by the way."

"Deal," she said, and we got to work.

One thing about the darknet docs I should probably mention: they were mostly unbelievably boring. Rows of numbers. Indecipherable memos written in bureaucratic jargon, laden with acronyms and names of people and agencies I'd never heard of. It was tempting to skip over these and look for juicy ones -- or at least ones I could understand -- but every so often I'd find something that made some other doc make sense, a piece of the puzzle falling into place, and I'd be glad I'd read it.