From: Soloviev, Nikolaos
To: Koenraad Gertodtenhaupt
Cc: Voortrekker Mission Support
Delivered-To: Koenraad Gertodtenhaupt
Received: from relay7.local.rs001.l4.earthsys.gov
    by inbound-1.exclusiveservices.net
    with ESMTPSA id 772525wpro10k1ex10d5
    for
Received: from relay4.qec8.ganymede.earthsys.gov
    by relay1.qec2.rs001.l4.earthsys.gov
Received: from qec5.helio.earthsys.gov
    by relay4.qec8.ganymede.earthsys.gov
Received: from qec.sv14417
    by qec5.helio.earthsys.gov
Date: 06 Sep 2421 07:21:11 +0000
Date-Local: 23 Mar 2419 10:45:11 +0000
Content-Type: multipart-alternative;
    boundary="__4gngb4li5euq647g0t9x_15486932_"
MIME-Version: 1.0
Subject: Key compromise

--__4gngb4li5euq647g0t9x_15486932_
Content-Type: text/plain; charset="utf8"

Koenraad: I've attached a new public key from my new keypair, replacing the one which was leaked.

As to how that happened: Late yesterday I found out one of our systems engineers did in fact survive, and I asked her to look into it. Her report, her précis of which I've attached, indicates that the commands to retrieve my private key from my secure storage came to Voortrekker via QEC. She couldn't tell where they originated, other than somewhere in Sol, but she's very definite that they did come from Sol.

I've included Expedition Support on this message, to the attention of their analysts. Combining their efforts with those of your own people, I hope you'll quickly identify the source of this troubling leak, and I look forward confidently to receiving your confirmation that no such breach of security can recur.

In the meantime, you understand that I must protect the interests of the Ross 128 Ventures board and shareholders, as well as my own people here, and there is no telling what mischief might befall us next if I do nothing. Accordingly, I've asked my engineer to have our systems reject commands received via QEC for now. We've kept read access enabled, so you can still request and receive data from our systems, but no commands sent from home will be carried out at this time.

This is a short-term measure only, to be reversed once confidence in security back home has been restored. As I said before, I look forward confidently to receiving such confirmation from you soon.

Nikolaos Soloviev
Director of the Board, Voortrekker GmbH
(a wholly owned subsidiary of Ross 128 Ventures, LLC)
nikolaos.soloviev@voortrekker.com

-------------------------------------------------------------------

From: Jennifer Story
To: Nikolaos Soloviev
Date: 23 Mar 2419 06:31:19 +0000
Subject: Re: Private key breach

Short version: It wasn't anyone here. The commands came in via QEC.

Long version:

Our network isn't in great shape since the crash. That's on me - I've been mostly looking after the sick and injured, not the systems, and with most of our department gone I guess there wasn't anyone else doing that either. I should've checked closer.

Anyway. Great shape or no, I didn't think Jim would've left things in a state where just anybody could get into your account. I checked anyway, but I didn't find anything suggestive in command history or logon records. Not even in the audit logs, and as far as I know, the only one with enough access left to tamper with those would be me.

Not saying I didn't, boss. I won't ask you to trust me blindly on something this big. But ask around - I've spent almost all my time working in the infirmaries we've set up, you'll find plenty of people who can vouch for my whereabouts almost all the time since the crash. Five minutes here and there in the head isn't enough time to do the kind of work it'd take to invisibly tamper with those logs. So either I'm telling you the truth, or I'm so implausibly skillful at blackhat stuff that I'm an idiot to be out here at all instead of back home living large on the billions I could've stolen without half trying.

Anyway. Nothing I could find to suggest it was any of us, so the next place to check was QEC logs. Here's what I found:

2419-03-22T21:19:08.119+0000 info [qec:recv]
New message 1a04892cf9: received from qec1.helio.earthsys.gov
2419-03-22T21:19:08.121+0000 info [qec:recv]
message 1a04892cf9: encrypted compressed data, 1204 bytes
message 1a04892cf9: origin header: undefined
message 1a04892cf9: envelope type header: command script
2419-03-22T21:19:08.124+0000 info [qec:recv]
message 1a04892cf9: handing off to remote command shell (pid 330918)
2419-03-22T21:19:09.089+0000 audit [fs:enc]
private store unlocked: nikolaos.soloviev (pid 330918)
2419-03-22T21:19:10.042+0000 audit [fs:enc]
private store locked: nikolaos.soloviev (pid 330918)
2419-03-22T21:19:13.988+0000 info [qec:send]
New message 1a04892cfa: from pid 330198
2419-03-22T21:19:13.989+0000 info [qec:send]
message 1a04892cfa: encrypted compressed data, 2847 bytes
message 1a04892cfa: destination header: undefined
2419-03-22T21:19:13.994+0000 info [qec:send]
message 1a04892cfa: sent to qec1.helio.earthsys.gov

(I stripped out the headers where they didn't change.) I know you don't read computer, boss - this is here for you to send back home. Because, in people, it means that whoever hacked us did it from Sol. I can't tell who it was - that "origin header: undefined" means whoever did it didn't identify themselves, which - well, I won't say it's impossible, obviously it happened. But I don't know how to do it and, as far as I know, I don't know anyone who does.

Anyway, whoever it was, the commands they sent must've included a key in your signing chain, because look at those audits from the encrypted filesystem around 21:19:10. It unlocked your private filestore and left it that way for almost a second. That's when it pulled out your key, and who knows what else - we don't normally run in debug mode because it takes a lot of storage and exposes PII, so we don't know what other files might've been accessed. I checked the access times, but didn't see anything from that time span, because of course I didn't: whoever did this would know we'd be checking, so they tampered with those too.

I'm about out of ideas, but they've got a lot more engineers who can look at this back home than we have here. I saw a few people from my department in the infirmary, but they're all still out, so for right now all you've got to work with here is me, and I'm just a junior engineer. Send this stuff home, boss. Maybe they can figure it out.

If you or they have any more questions I might be able to answer, you know where to find me - right now, that'll be in the infirmary, sacked out for a few hours, and then I'm back to looking after the ill. There's nothing else I can do with this anyway.

Sorry, boss. I'd give you more if I had it. But you need somebody better than me on this.

Jennifer Story
Support Engineer I, Information Systems Department
SV 14417 Voortrekker
jennifer.story@voortrekker.com / x10219

--__4gngb4li5euq647g0t9x_15486932_
Content-Type: text/plain; charset="utf8"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=nikolaos-soloviev.asc


--__4gngb4li5euq647g0t9x_15486932_--
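The QEC log excerpt in Jennifer Story's report, run through a small triage script (an added example, not part of the original message or of any Voortrekker system): it pairs each inbound command script that carries no origin header with the private-store unlock performed by the shell pid it was handed to, and reports how long the store stayed open. The `<timestamp> <level> [<facility>]` header layout and the stripped-header convention are assumed from the excerpt; the function names are this example's own.

```python
import re
from datetime import datetime
# QEC log excerpt quoted from Jennifer Story's report (headers appear only when they change).
QEC_LOG = """\
2419-03-22T21:19:08.119+0000 info [qec:recv]
New message 1a04892cf9: received from qec1.helio.earthsys.gov
2419-03-22T21:19:08.121+0000 info [qec:recv]
message 1a04892cf9: encrypted compressed data, 1204 bytes
message 1a04892cf9: origin header: undefined
message 1a04892cf9: envelope type header: command script
2419-03-22T21:19:08.124+0000 info [qec:recv]
message 1a04892cf9: handing off to remote command shell (pid 330918)
2419-03-22T21:19:09.089+0000 audit [fs:enc]
private store unlocked: nikolaos.soloviev (pid 330918)
2419-03-22T21:19:10.042+0000 audit [fs:enc]
private store locked: nikolaos.soloviev (pid 330918)
"""
HEADER = re.compile(r"^(\S+) (\w+) \[([\w:]+)\]$")  # "<ts> <level> [<facility>]", assumed layout
MSG = re.compile(r"^(?:New )?message (\w+): (.*)$")
STORE = re.compile(r"^private store (unlocked|locked): (\S+) \(pid (\d+)\)$")
def parse(text):
    ts = fac = None
    for line in text.splitlines():
        if h := HEADER.match(line):
            ts, fac = datetime.strptime(h[1], "%Y-%m-%dT%H:%M:%S.%f%z"), h[3]
        elif ts is not None:  # detail lines inherit the most recent header
            yield ts, fac, line

def find_unattributed_command_scripts(text):
    msgs, sessions = {}, {}
    for ts, fac, detail in parse(text):
        if fac == "qec:recv" and (m := MSG.match(detail)):
            info = msgs.setdefault(m[1], {})
            if ": " in m[2]:  # "origin header: undefined", "envelope type header: ..."
                info.update([m[2].split(": ", 1)])
            if p := re.search(r"command shell \(pid (\d+)\)", m[2]):
                info["pid"] = p[1]
        elif fac == "fs:enc" and (s := STORE.match(detail)):
            sessions.setdefault(s[3], {"user": s[2]})[s[1]] = ts
    findings = []
    for mid, info in msgs.items():
        # A missing origin header counts the same as an explicit "undefined".
        if (info.get("envelope type header") == "command script"
                and info.get("origin header", "undefined") == "undefined"):
            sess = sessions.get(info.get("pid"), {})
            held = ((sess["locked"] - sess["unlocked"]).total_seconds()
                    if "unlocked" in sess and "locked" in sess else None)
            findings.append({"message": mid, "pid": info.get("pid"),
                             "store_user": sess.get("user"), "unlock_seconds": held})
    return findings
```

On the quoted excerpt this reports message 1a04892cf9, pid 330918, store owner nikolaos.soloviev, held open for 0.953 s, which is the "almost a second" the report describes.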
