The story of Mr. Blast Radius
This story that happened IRL. The names of the innocent have been removed for their protection. The names evil corporations have been kept because I hate them.
Prologue
One day the sysadmin at the bank I worked at came to my desk to help me with something and had to open a root shell on a production server in a terminal. After he did whatever he had come to do he just walked away, forgetting to close the root shell.
A few minutes later my boss and a few other people came and I started showing them something on one of my monitors. There were total of four people staring at that monitor; the root shell was open on the monitor right next to it. I decided to see if anyone was actually paying any attention to the world around them and context-switched to the root shell. Nobody noticed. So I got more brazen and copied the /etc/shadow file in my home directory. Out of the fourpeople staring at the neighboring monitor only one noticed. He looked at me in the eyes and smiled. At that point I realized the world had lost all hope and smiled back.
Few minutes after everyone had left to go back to their desks I walked over to the sysadmin and told him what had happened. Naturally he freaked out and closed the root shell. No official incident was raised, probably because everyone was too embarrassed by the whole thing.
Background
The year was 2012 and December 21st was approaching fast. Wikileaks and Occupy Wallstreet were all over the news. I was bored out of my mind at my day job at Barclays Capital PLC so I decided it was time to have some fun.
I started tweeting things against banks, visiting Occupy events, and most importantly emailing friends from my personal Gmail account saying things like “5000 years is enough”. At work I kept a Guy Fawkes mask in my desk drawer and was generally outspoken about the dysfunction pervasive in the financial system.
Build-up
Over a period offew weeks I noticed several new employees take seats near the trading desk I worked for. The building was open-plan and there were no cubicles, so everyone could see everything really. Something was off with those new joiners though — they were suspiciously focused on their work.
Now, when you work in an investment bank unless you’re in the top 1% of the money-makers you generally don’t care what’s going on. It’s all the same to you if the bank makes or loses money; its bottom line is so far removed from your compensation that you could care less. That’s why those new people immediately looked out-of-place.
Confrontation
One day my boss called me in one of the offices. Sitting behind the desk in that office was someone I will never forget — easily 350lbs pure muscle, crew cut, ice cold eyes. There is nobody in the financial industry that looks that way. At the same time my boss who is usually a tough guy looked suspiciously subdued. I immediately sensed something wasn’t right.
The stranger introduced himself as so-and-so formerly infrastructure director at Deutsche Bank. He said that our team was “doing too much” and that they were here to help. He even brought up an incident related to a leap second that had caused us some recent downtime. Then he started talking about how their team is going to be weighing the fiber-optic cables to make sure they haven’t been “shaved” by a “sophisticated hacker”.
So I put 2+2 together
I smiled and said:
“It would be great if we had more people like you here. Especially if you happen to know people with military background!”
The stranger got startled, as did my boss. All of a sudden I was in charge of the conversation, so I asked “What is the worst that could happen?”, He started talking about how in case of a bomb their team will calculate the “blast radius” of the explosion and that traders will evacuate to nearby locations BUT will continue to trade from their laptops.
When he said that it crossed my threshold of ridiculousness so I walked over to his desk and told him about the root shell incident in the prologue of this story. Mr. Blast Radius said he gets the joke, and lost all of his attitude. The rest of the conversation was uninteresting.
Moral of the story
Since this incident I don’t believe for one second that anyone bothers with warrants or subpoenas anymore when it comes to accessing your stuff online. Or if they bother, some secret court rubber-stamps their request without asking any questions.