Short Fiction: CVE-2029-78385
By Lynn Gazis
Photo by Samuele Errico Piccarini via Unsplash.
Each generation has that earth-shaking political event that we'll never forget. The one that changes the axis of your world. The one where you know exactly where you were the moment you heard. For my grandparents, it was the assassination of John F. Kennedy. For my parents, 9/11. And for us, it's October 29, 2029, the day the president's self-driving car turned and drove straight into a wall at top speed.
You all remember it, if you're my age or older. But no one else experienced that event as Joshua Wang did.
That's where I come in. I was the one to pick up Chris's cellphone after the cops showed up at my brother-in-law Josh's door. It was my mother-in-law. Josh had made her his one phone call from jail.
“Hello, can I speak to Christie?”
To my mother-in-law, my non-binary spouse Chris was still her daughter.
“Chris is in the shower. I can have them call you back. What's this about?”
“I was thinking she might know a good lawyer.”
Chris is an estate lawyer. I, Nadia Ivanova, the private investigator in the family, have more criminal law contacts than they do. But my mother-in-law thinks Chris knows every lawyer in Irvine.
For Josh, the story had started well before my mother-in-law knew anything was afoot. It started the day he got word of a zero-day vulnerability called CVE-2029-78385, now popularly known to all of us as Crash.
Josh always insisted he learned of the vulnerability the same day I did, October 27, when it was published on a popular security blog. I've never been sure whether he was telling the truth. Possibly he'd gotten a few days’ advance warning, but hadn't managed to patch it in time. Advance warning would have been the right thing for the blogger to do. But people don't always do the right thing.
I, of course, learned because of my job. In our private investigator team of McCullough and Ivanova, I am the expert in computer forensics, while Brad McCullough is the guy with the skills at analyzing physical evidence. My friends are surprised when they learn that I, a member of a small Quaker meeting, am in business with an ex-Marine whose “You Matter to God” license plate proclaims his membership in Orange County's megachurch, Saddleback Church. But our professional skills complement each other, and our different backgrounds let us divide which of our human sources of information will welcome which one of us. Because of my specialty, I keep up with the best known computer security blogs. And CVE-2029-78385 was the biggest InfoSec news in years.
You may be surprised to learn that I had no idea that Josh had anything to do with the story. You have to understand how jury-rigged the Internet of Things is. Drill down through the layers and you'll find that everything depends on some open source project maintained by some guy in Nebraska. Or, in Josh's case, in Irvine. And no one pays attention to who that guy is, until things go wrong. I'm sorry to say I didn't keep enough track of my brother-in-law to know what open source project he worked on.
The thing that you need to know about Josh is this. Chris once bought him a dog to get him to tear his attention away from the screen. It worked, sort of. He did take the dog for walks, and the dog insisted on five walks each day, any day that Josh worked from home. But when Josh wasn't walking or playing with the dog, he was always on his laptop. Or his tablet. Or his cellphone. That was Josh, and that was what Josh had been ever since he was thirteen years old.
In 2029, Josh was living his dream. He had just gotten his anniversary sword from Blizzard. When not at his day (and sometimes evening) job, he was either playing computer games (there was a reason Blizzard was his dream company), advising people on Stack Overflow, or volunteering in the open source world. Then everything fell apart.
The world first got word of CVE-2029-78385 on October 27, two days before the president's car crashed. The announcement came early in the morning, West Coast time, and in Josh's daily stand up meeting, his boss told him to take the day off. Josh's boss kept better track of Josh's open source work than I did, and Blizzard, too, relied on Josh's open source library, for their new drone game.
I myself attended the online meeting, the next day, where a software vulnerability monitoring company discussed how to address remediation for CVE-2029-78385. By that time, Josh had already put out a patch, and 20% of downloads of the library, by the account of the software vulnerability monitoring company, used the new patched library.
Inevitably, computer security professionals found a vulnerability in the patch, and by October 29, the day the president's car crashed, we were on the second patched version of the library, with most downloads still using the old version, the one from before Josh's first patch.
On the evening of October 30, Josh was arrested. Late Friday morning, October 31, we visited him in jail. Happy Halloween!
Beyond a chain link fence rise the gray walls of the Los Angeles County Men's Central Jail. It was not my first visit. As a private investigator, I often work with defense attorneys. Once, in the days before self-driving cars, an attorney and I had parked in a free lot blocks away from the jail, and forgotten which lot. As we walked block after block searching for our car, I talked to Chris on my cellphone, assuring them that we'd hit a traffic jam on the freeway and were running just a bit behind schedule.
These days, I pay a subscription to parking garages throughout Los Angeles, Orange, and San Diego Counties. Late in the morning on October 31, my car dropped me and Chris off outside the jail, and headed off to park itself.
“It's my fault,” said Josh to me and Chris.
“What are you saying?” said Chris, “Did you try to kill the president?”
“What? No? Why would you say that?” said Josh.
“Then don't say it was your fault! Anything you say can and will be used against you,” said Chris.
“But it was my fault,” said Josh, “Sunil is just a bright high school student. I should have reviewed his pull request better. How could I have missed a SQL injection vulnerability!”
“The president's alive,” I said, “and out of critical condition. We'll come through this.”
“If you keep your mouth zipped around the police,” said Chris.
“And tell your defense attorney everything she needs to know,” I said. “Why do they think you did it? It's not usually the open source maintainer we suspect of doing the exploit.”
“They have reasons,” said Josh, “Something about Chris's car.”
You might think we'd already have suspected CVE-2029-78385 in Chris's car accident. You'd think wrong. Chris's accident had come on Tuesday, October 20, nearly a week before the vulnerability was revealed. Their car failed to brake as a truck came to a halt in front of them on the freeway. We suspected the brakes. They called AAA and got a tow home. Since then, the car had sat in our garage, while we both used mine and failed to get around to calling a mechanic. You can take that as a sign that, now that our cars drove themselves and could shuttle between us, we had only really needed one car.
A community altar decorated with photos, food, candles, and marigolds greeted us as my car turned onto Olvera Street on the way to the apartment of Josh's girlfriend, Allegra. The Día de los Muertos festivities had already begun. Signs advertised a performance of Danza de la Muerta by Teatro del Barrio and an upcoming race. A man in a skeleton costume painted faces. Allegra's apartment, when we arrived, boasted its own ofrenda, dominated by a large portrait of her abuela.
“Josh? Enemies?” Allegra waved a hand to dismiss the idea, “No one hated Josh.”
“Exactly my thought about Chris,” I said.
“Oh,” said Chris, “I've had a couple of exes who might disagree with you.”
“Exes?” said Allegra, “Don't get me started on exes. My ex-husband could charm even my abuela, but once you got past that charm he had the meanest heart you'll ever find. It wouldn't surprise me one bit if someone tried to frame George Winston for something. For him, it would be revenge for something he did do. But Josh? The sweetest guy in the world. Everyone who knows him loves him.”
Nevertheless, I collected, from her and from Chris, names of everyone who knew Josh, so that my partner and I could do background checks.
“How did the police even know about the car crash? You didn't report it,” my mother-in-law asked, when we told her about our visit.
“There's a national GPS system tracking all fully self-driving cars,” I said, “that cops can access at any time.”
“Isn't that some kind of privacy violation?” asked my mother-in-law.
“You would think,” said Chris, “and there was a big controversy when it passed, and I donated to the ACLU to stop it. But our side lost.”
“Are you sure Nadia's car is safe?”
We had called on the road home, Chris's cellphone on speakerphone. My car expertly navigated the traffic, switching freeways to route around a traffic jam. If Chris's car crash had really been an accident, we had no reason to worry.
But had it been an accident? As if inspired by my mother-in-law's question, my car swerved toward the lane to the left. I grabbed the steering wheel. Unlike Chris's newer fully self-driving car, mine still had a manual override. Switching off the automatic driving system, I swerved just in time to miss a large truck.
“Stop the car! Stop the car!” Chris shouted.
The truck honked loudly, and the driver cursed. I continued to drive.
“We have an upgraded AAA membership for heaven's sake,” said Chris, “They'll tow us all the way home even from here.”
The automatic driving system turned on again. This should never happen. I switched it off, shifted lanes to the shoulder as quickly as I safely could, stopped the car and shut the engine off. Time to take Chris's advice.
“That's the assassin's first mistake,” I told Chris, “How could Josh try to crash a car when he's in jail? We're dealing with a criminal too impulsive to think straight.”
“Or,” said Chris, “We're dealing with a criminal who tracked our car in real time all morning. One who thinks we just bailed Josh out and deposited him at Allegra's apartment.”
Once home, I needed to get more information about the connection between CVE-2029-78385 and the president's car crash. Josh had given me the URL of the GitHub project, so I looked it over.
“Who has access?” asked Chris, from the other room.
“To see the code and find the vulnerability? Anyone. That's the nature of open source.”
“Right, but who worked on the code?”
“Josh, Sunil, another programmer named Jamie. Many more people belong to the open source project Slack, but the number of people actively maintaining any of the code is small. On this class, just three.”
Chris brought me a cup of green tea, and looked over my shoulder as I did a web search and background check on the software maintainers.
“Hey, you never told me that Josh had an arrest record!”
“For drinking and driving when he was seventeen. Part of why he's a big fan of self-driving cars.”
Sunil lived in Texas, and Jamie in Boston. Sunil had just been accepted to MIT. Jamie wrote folk songs. Both of them, and Josh, had active Twitter accounts, and no one's Twitter account had much politics. Open source Twitter expressed outrage about Josh's arrest, while white supremacist Twitter had already connected him to Communist China. Never mind that his and Chris's ancestors had come to California in the nineteenth century to work on the railroads.
“Yes, the GPS tracking network for self-driving cars uses our open source library,” Jamie told me when I got her in an online meeting, “And yes, that SQL injection bug could let an unauthorized user locate a car. But that doesn't get an assassin to the controls of the car. Self-driving car controls don't use our library. And no one needed that bug to locate the president's car. The president was on national TV at the time of the accident.”
“Doesn't let me entirely off the hook,” said Sunil, “Those GPS coordinates could have helped them fine tune their steering of the car.”
“Wouldn't the president's car be opted out of the system for national security reasons?” I asked.
“You'd think it would,” said Jamie, “but remember when someone mapped US military sites by tracking the step trackers that soldiers used? Maybe the president's OPSEC isn't what we'd like.”
“I think we can take it as given that the president's OPSEC isn't what we'd like,” said Gary, an IT professional whom Jamie had invited to the call, “But CVE-2029-78385 isn't the main security hole here.”
“Gary worked on self-driving cars at his last job,” Jamie interjected.
“Someone needed physical access to that car to set up the crash,” said Gary, “Someone chose to drive that car into exactly that wall at exactly that time. That navigation isn't controlled from the cloud.”
The assassin, then, had to be someone with physical access to the president's car. But, other than suggesting that Josh let his defense attorney know who could alibi him at the time that someone would have had to access the president's car, I didn't see how we could do much with the president's car. It would be up to the FBI to check who had access. It would likewise be up to the FBI to judge who had a motive to try to kill the president.
The killer had made one mistake. We didn't have access to the president's car. But we had Chris's car and mine. Time to get them checked out, without tipping the would-be killer off as to our whereabouts. Conveniently, fully self-driving cars don't need anyone in them in order to drive. I sent Chris's car on a little trip to the grocery store. Fifteen minutes after their car had left, I sent mine to Cook's Corner, the motorcycle bar just down the street from Saddleback Church. Meanwhile, Chris and I, not trusting my car, took a short walk from our house to the UC Irvine campus, where a member of my Quaker meeting sent a car to pick me up. Jan and Jack had a room to spare, now that their children had left for college. Along the way to their house, we picked up Josh's dog Max from my mother-in-law, who had cared for him for the first day of his imprisonment, and dropped off the key fobs for both our cars at Brad's house.
The moon shone three quarters full over Jan's cactus garden, as her car dropped us off in front of her house, before entering her garage. In the garden stood a sign: “Love Your Neighbor: No Exceptions.” A skeleton sang to us when we reached the door, “I've been dead for so long.” Jan and Jack greeted us in costume, her a vampire and him a zombie, ready for their young visitors. Max bounded into the living room and took a prime spot on their couch. I swooped in to rescue the Halloween candy and put it out of his reach before he poisoned himself. As we ate salad and chicken and homemade bread, Jan and Jack kept hopping up to answer a ringing doorbell.
“How do they know that Chris's car accident has anything to do with the assassination attempt?” asked Jack, when Chris had finished telling the story.
“Same mode of attack, close to the same time,” I said, “Maybe, if we establish that someone tampered with both cars. But opposite ends of the country, and two people who have no common acquaintances.”
“Except for my cousin who took classes from some of the same professors that the president had,” said Chris, “years later.”
“OK, so you're three degrees of separation from the president. Not much of a link,” said Jan.
“Maybe there's a reason two different people committed a similar crime at nearly the same time?” I suggested.
“Or maybe,” said Jack, “It's the same person, but you haven't found the connection yet.”
On Saturday morning, November 1, Brad's car picked me and Chris up and brought us to his house.
“This,” said Brad, “is how they got into your car.”
He directed his explanation at Chris, the less technical of the two of us. We sat on a couch in his living room, facing photos of his teenage son and daughter, a copy of “The Purpose-Filled Life” on the table in front of us.
“Once you activate your key fob, it's a tiny radio transmitter. It's always transmitting, even when it's in your house. This device here captures the key fob signal from your house. It relays the signal to this second device, held by a second thief near your car,” and he tossed the second device to me. “The only question is, who has access to your garage?”
“Not needed,” I said, “We parked my car in the garage, and Chris's in the driveway, until Chris's accident, when we put their car in the garage and mine in the driveway. But what did they do with that access?”
“That's where this third device comes in,” said Brad, “It overrides the controls of the car, if you can plant it inside. This device, you can use to drive the car anywhere you please.”
“So a thief can drive the car away, and have an alibi at the time when it departs,” I said. “And I'm betting that's the most common use case. More thieves in the world than murderers.”
“Where does someone buy that thing?” Chris asked.
“A good question,” said Brad, “and one for Nadia to answer.”
“Right,” I said, “They'll be for sale on the Dark Web, and I can find out where. Anything else?”
“Still combing the cars for DNA evidence.”
We split and arranged to meet later that afternoon.
Blizzard's campus in Irvine boasts a large statue of a troll, an axe in his upraised arm, subduing a wolf. There I met Josh's Scrum Master, Vuong. With Josh out of the office and a big release coming up, Vuong chose to work on the weekend. And given how much time Josh spent at work, I hoped Vuong could alibi him for the time that Josh needed to be in DC if he had hacked the president's car.
“Josh worked those days,” said Vuong, “from home.”
“He could have flown to DC?”
“Not a chance,” said Vuong, “Josh is no assassin.”
“I know,” I said, “but if I can't prove that from his work schedule, I'll have to find another way.”
Brad's car returned to fetch me. Chris, already in the car, handed me some background check results, the kind that you get from a standard subscription.
Saddleback Church, at the top of its hill, sports a campus that resembles a shopping center with a rock band. But I suppose my small silent Quaker meeting looks as foreign to the religious sensibilities of someone accustomed to Saddleback Church as Saddleback does to me. I used to think that people must get lost in such a large church. Since I started working with my partner Brad, I have learned that it makes up for its overwhelming size with a devotion to small groups. Brad, besides worshiping on Sundays and spending time with his small group, teaches a class on LinkedIn for the church's group for job seekers.
This Saturday, the church still sported its Blocktober decorations. The petting zoo and ponies were gone, but an arch of yellow, orange, and purple balloons greeted us, surrounded by inflatable toys. Further away, I could hear a praise band practicing for the Sunday service. We joined Brad by the Ferris wheel.
“There's hair in your car that doesn't match your hair or Chris's,” Brad told me. He showed us a photo of a couple of strands of dishwater blond hair. “Anyone you know?”
“Several people we know,” I said, “but no one who has been in my car.”
Chris shuffled their stack of background check results.
“Check for a social media photo of George Winston,” they said.
I checked my cellphone, and turned up a Facebook photo. “It's a match. The meanest heart you'll ever find?”
“And two domestic violence arrests for attacking Allegra,” said Chris, handing over the background check. “The kind of guy who could turn stalker once she left him.”
“Is the hair good enough for DNA evidence?” I asked.
“Possibly,” said Brad, “We'd need to let the cops look over the car, both the cars, as they're the ones who can make the comparison.”
“If it's someone in their database,” said Chris, “And isn't there another option?”
“GEDmatch,” I said, “Will make a match if there's a close relative in their database, and by now nearly everyone has at least a third cousin in GEDmatch. But again, the upload will need to be done by the police. Josh's lawyer can get the evidence in discovery.”
While we waited, I decided two could play at the game of cracking the GPS tracking system. Maybe. If they hadn't patched the vulnerability. But they had. Three days from a deadly exploit to a patch wouldn't win them any awards, but on the other hand you had to give them credit for working the weekend on security patching.
We got the DNA testing report on Tuesday. By that time, we had supplied Josh's defense attorney with the names of two sites on the Dark Web that sold the device used on our cars. We also had a thorough list of relatives and genealogies of everyone who knew Josh, Chris, or Allegra and had dirty blond hair. And the GEDmatch search turned up a second cousin.
“Denise Pemberton,” I said, “Isn't Pemberton George Winston's mother's maiden name?”
Half an hour's work on the web, and I proved that Denise was indeed George's second cousin.
“My ex tried to assassinate the president just to stalk me and frame my new boyfriend?” Allegra asked, when we told her, “I didn't think even he was that evil.”
“It wouldn't be the first time a man tried to kill a president because he was stalking a woman who had nothing to do with the president,” I said.
“We can leave that to the FBI,” said Chris, “Our part is done. Josh is coming home.”