No announcement yet.


  • Filter
  • Time
  • Show
Clear All
new posts

  • JOE VS. THE SYSTEM By Triple-H

    By Triple-H

    "The sad thing isn't that Google abandoned ‘don't be evil,' because that's what big companies do. What's sad is watching decent engineers put those plans into practice, while pretending they don't know what's happening." – Professor Matthew Green, Twitter, May 30, 2019


    Joe was up at 5:20 AM. Someone was DDoSing one of the IRC servers with a high-bandwidth attack using SSDP. He had no choice but black hole traffic to this server.

    As for why this would happen – probably someone in IRC got pissed off at what someone else was saying and decided to try and kick everyone off of the server.

    Mitigating DDoS attacks isn't something that can be done at the server. By their very nature, DDoS attacks are not filterable by source. For most attacks over the years, Joe's company had been able to live with the increased utilization in their Internet connections. With sufficient bandwidth, this was normally not a problem. But this one was particularly bad on one of the peerings. So, the only choice was to blackhole traffic to the destination of the attack and wait for it to subside.

    When a coworker asked Joe why he was up so early working on the issue, Joe replied in his usual fashion, "Meh...part of the job."

    That was typical Joe. Always figuring out what needed to be done and doing it, while taking scant credit.

    But something would soon happen that would stretch Joe's networking, computing, and hacking skills to the limit, while challenging his core concept of ethics.


    Joe got a call around 10 AM from the company vice president of all people. Joe hated talking on the phone. Why couldn't they just send an email?

    Joe was summoned to a meeting with Mr. Jefferson.

    "We want to develop a software program to automate tracking of the call center, but we really don't want to make a big deal out of it," Jefferson began.

    "We know that you have the ability to write this whole thing on your own, so that's what we want you to do. Because of the sensitive nature of the project, we're not going to go through normal process of QA reviews and so forth. Basically, you are going to have free rein on the project from start to finish.

    "Here's the gist: we want it to control everything. We need this to be a ‘life-cycle' program for employees. The issue is, we're just not getting the productivity we need to out of our call center. So, we need this system to keep track of all the agents who take frequent breaks and root out those who are, shall we say, taking advantage of the system.

    "Basically, the program should let the call center agents bid on restroom break time slots. It will reward those with higher performance (i.e., taking fewer breaks) and punish those who are breaking the rules. It will be a points-based system. Completely fair and honest. Oh, and if an agent doesn't come back from their break in a timely manner, the system should automatically dispatch a security guard to go find them.

    "Furthermore, we need to cull through the ranks of the call center agents in a more efficient manner, so we just need you to automate the layoff/termination process based on agents' points. The system should contact the security office with orders to have people escorted out. In fact, we need it to have a double verification process to check whether the agent was actually fired, or else the responsible security guard should be punished via the same point system.

    "I suppose employees could stave off automated termination if they choose to work unpaid overtime, which can reduce their negative point values per unit of overtime worked.

    "We can do everything via email. Just label the messages as coming from ‘The System' and use some fancy company HTML email templates to make it look official. You can also embed in each e-mail was a countdown timer to sort of create a sense of urgency for the agent to do whatever is being asked of him or her before a punishment is applied.

    "Oh, and finally, after an agent has been terminated, just have their punishment points decay over time until such a time as they reach zero (or some configurable threshold if we need more butts in seats). Then, send them an email to their home account, which we will have from their initial application process, inviting them to re-apply. I suppose we can also send them a robo-call with the ‘good news.'

    "Everything needs to be tracked with down-to-the-second granularity through integration with the PBX switches and Asterisk CTI. I think it can be designed modularly as a plug-in architecture, so we can add in additional features, orders, and punishment types.

    "What we're trying to do here is maximize our Key Process Indicators (KPIs). All of the punishments and rewards should be applied fairly and be completely data-driven. We are taking the bias and human factor out of decisions and implementing performance management in a predictable, deterministic, and transparent way. I think it's going to be a great system.

    "OK, big guy? You got this, right?"

    Joe was flummoxed. Surely, he could create such a system, but he immediately began to imagine the terror it would create. He pictured people talking with a chill in their voice about how they received a "System email." He would be sitting at lunch with coworkers hearing about the new Big Brother system and knowing he was the one who created it.

    "Umm, sure," Joe said. "I'll get right on it."


    Joe envisioned what Mr. Jefferson could do with such a system. The same controls and abilities used to instill "equity" and "fairness" in the platform could equally enable wide scale exploitation. Want more profit? Just change a single variable, and that digit would cause tremendous stress and anxiety for many people, while producing the desired KPI result.

    Just like government taxes that are difficult to repeal once implemented, The System's goals and metrics would always appear reasonable at first, but would eventually would cross a certain threshold. Once they did, there would be no going back to the way things were.

    Joe couldn't sleep that night. He tossed and turned, ruminating on various things he had read.

    He had often puzzled over a quote by Henry David Thoreau: "Do not be too moral. You may cheat yourself out of much life so. Aim above morality. Be not simply good; be good for something."

    What did Thoreau mean not to be "too moral" and "aim above morality"? Maybe it was that the world's definition of right, wrong, justice, punishment, and so forth were too rigid. Too...confining.

    Joe also remembered reading a C.S. Lewis quote: "We know that men find themselves under a moral law, which they did not make, and cannot quite forget even when they try, and which they know they ought to obey."

    That is the true morality. Not what a boss wants you to do, but what you *know* is right. Joe recalled reading Paul's first epistle to the Corinthian church, verses 23-24: "'I have the right to do anything,' you say—but not everything is beneficial. 'I have the right to do anything'—but not everything is constructive. No one should seek their own good, but the good of others.'"

    Joe knew what he had to do. He needed to be "good for something."


    Over the next few months, people didn't see much of Joe. Just like Tom West in Tracy Kidder's "The Soul of a New Machine", who spent every waking moment creating the 32-bit MV/7800 minicomputer, Joe was burrowed in his office with the door shut. Actually, he moved his office to a remote part of an unused property bay in the warehouse just so he would be harder to find.

    When people asked about what he was so furiously working on, he would side skirt the issue or change the subject quickly to avoid further questions. Sometimes, he would have to pause momentarily to solve their mundane problem and dispatch them quickly, so he could get back to work on "The System."

    After much testing and debugging over nights and weekends, deployment day arrived, and The System was ready for primetime. A cold, automated email propagated to all employees alerted them to the new way of doing business.


    During the first few days, The System was humming along flawlessly, dispatching security guards to the smoking areas, providing ominous countdown warnings, and scaring the bejesus out of all the employees.

    Mr. Jefferson could not have been happier. He was getting daily reports with numbers -- wonderful numbers! The call agents were responding too. Fewer breaks. More calls handled. It seemed The System was a big success. "Joe," he said. "You've outdone yourself. Fantastic job!"

    But after a few weeks, little things began to happen that gave Jefferson pause.

    He began to get metrics reports more frequently. Daily at first, then hourly; and then, it seemed, every five minutes, something would pop up in his email. Suddenly, he was getting inundated with metrics. And these were metrics he had not requested.

    Sure, he was getting the usual call center metrics -- call completion rate, agent utilization, answer seizure ratio, first call resolution rate, speed of answer, call handling time, call drop rate, sales per agent, lead conversion rate, etc.

    But he was also getting metrics analyzing the average number of sheets of toilet paper employees were using in the bathroom. Metrics on the employees' drink preferences from the soda machine. Metrics on air quality, temperature, humidity, headcount, and every other possible statistic in the plant.

    Meanwhile, it appeared the The System rewards were far outstripping its punishments. Employees started getting unexpected paycheck bonuses, gift cards, paid time off, and other perks. Also, there hadn't been a firing in weeks.

    When Finance called Mr. Jefferson to inquire about the unexpected payroll surge, Jefferson quickly reached for his phone. But all he got was an answering system message: "I'm sorry, but Joe is taking his eight weeks of accumulated PTO, and will not be back until August. If you have any questions about The System, please speak to Mr. Jefferson."


    Joe was an avid trail biker. He and his wife loved to throw their bikes in the back of the truck and get out to remote places. This time, they were out near Moab, Utah, where there were unfortunately no nearby cell towers. But there are many arches, balancing rocks, and kivas to see along the trails.

    In fact, Joe had just plumb forgotten to bring his phone with him at all. So, Jefferson's dozens of calls, messages, and emails would not be seen for a long, long time.


    This story is written in honor of Joe Rogers, network god extraordinaire and friend of the USF Whitehatters Computer Security Club ( since its inception in 2005. It borrows from some some real-life threads of the Whitehatters email list and a post by iamleppert in Hacker News. Joe Rogers is a two-time Defcon CTF Black badge winner, and also ran the networks for LegitBS and wrote several challenges for Defcon CTFs 21 through 25. At this writing, Joe has not recovered from terminal cancer and is in hospice care. Thank you Joe, for who you are and all you've done. I would like to believe the real Joe Rogers would have done exactly the same thing as the Joe in this story.
    PGP Key: