The Director

22

James Morris did not have a relaxed side: The hurricane lamp of his consciousness was always alight. So even in the emerald postcard of rural England, Morris felt restless. As lunchtime approached, he wanted to escape out the window of his office, into the meadows of Grantchester and the city beyond. Of all Morris’s hideaways and false fronts, this operation in a village just south of Cambridge was his favorite creation. The sign over the door read FUDAN — EAST ANGLIA RESEARCH CENTRE, and the employees were a mix of Britons and Chinese. But this was Morris’s place, funded mostly with black money from his joint operation with NSA. And it was truly secret, even from the Brits.

Morris’s computer messages were stacking up in multiple accounts. He needed to concentrate on his business, especially now when it was so tangled. But there was the problem of getting Ed Junot back into England. The chief of station in Grosvenor Square had somehow discovered Junot’s operational alias, and was demanding that the UK Border Authority prevent him from entering the country. That was bad enough, but the German security service had also cracked his alias identity and had put out a BOLO notice for his true name, as well.

Morris usually found it galvanizing to solve problems that eluded other people. He knew that if he could focus, he would jump into the electrons and find some invisible way to route Junot back to Britain through a clean entry point. But in his restless fever, he couldn’t get a fix on it just now.

Morris was stressed; though he would never admit it, the plain fact was that there was too much baggage stacked on his wagon: He was recruiting a European hacker network as he had promised Cyril Hoffman; he was supposed to be pursuing the murder of the Swiss walk-in, as he had pledged to Graham Weber; and most importantly and deviously, he was pursuing the separate agenda that was demanded by his dearest friend, Ramona Kyle — and the big idea her friends had developed for shaking the institution at the center of global finance. It wasn’t simply that these goals were in conflict. They were violently unstable, like volatile chemicals that might explode if they were mixed. They came together in Morris’s mind only, which was why he occasionally felt that his head was about to detonate.

The secret was to use the tools, people and front companies that had been created for one set of objectives to serve another. That was the simple truth about secret work. Because it was so hidden from outside observers, it was easy to misdirect. That was what Snowden had understood, burrowing away in the NSA’s archives. Once you had the keys to the castle you could go in any room and take what you liked.

“Rebalancing” was a word that soothed Morris. That was all he wanted to do, really. Whatever people might say later, he was trying to put matters back in a proper balance after a sixty-year misalignment. Morris tried once more to concentrate, but his mind kept wandering, whirring with thoughts of being somewhere else, not in charge. He willed himself to focus on the gray business of zeroes and ones on the screen before him, but it didn’t work.

He rose from his desk and walked down the hall to the office of Dr. Emmanuel Li, the director of the institute. He knew that he looked a mess, in the disguise he’d been wearing since he got to Britain. Before entering Li’s office, he tried to tidy himself up, patting down the hair of his wig, adjusting the odd, oversized eyeglasses that Denver had given him as part of this ensemble and pulling up his pants so they weren’t hanging on the narrow ledge of his buttocks.

Dr. Li was a fastidious man himself, with a buzz cut and round spectacles. He understood the reality of Morris’s secret primacy at the institute but chafed at it, too. Morris stuck his head in the door.

“I’m going out for an hour or two,” said Morris. “Lunch break. If anyone calls, I’m not here.”

Dr. Li made a polite, false laugh.

“But Mr. Morris, you are always ‘not here,’ even when you are here.”

“Then tell them I’m here. I don’t care. But I’m going out for a while. Stretch my brain.”

“This part of the body is not easy to stretch. It gets exercise when it does nothing. When it is stretched, it becomes tight.”

“Well, thanks for that, Dr. Li,” said Morris, muttering, barely under his breath, “Fuck me.”

Morris walked down the rear stairwell, avoiding the main entry and the reception desk, and out into the crisp midmorning. It was late fall, not quite winter, but the sun was low in the sky, casting deep shadows even at noontime. The grass was a rich moist green, thick like peat. The turf was protected by a little chain and a sign advising people to keep off, but Morris walked over it and down the dewy meadow toward the Cam.

A few punters were out on the water. Morris watched their long poles cut the surface. The ones who knew the technique sent their narrow boats forward like a shot. The novices jerked and quivered and held the pole so long it looked as if the boat might skitter away and leave them clinging to the lance for dear life, dangling above the water.

Morris took out a secure cell phone, on which he had disabled the GPS locater. He saw so many messages from Headquarters and from his various outposts it was wearying just to scroll through them. He had two other phones with him, also GPS-free, with different aliases and entirely different networks of contacts, but he didn’t bother to look at them. They would only add to the buzz in his head. Everybody wanted him and nobody could find him, which was normally the way he liked it. But today was different. His pantomime of control was wearying. Today he wanted someone to control him.

He took the third phone, in an identity that had been stolen for him a year ago, and dialed a number in Cambridge. A human being never answered this number; the phone only took messages. Morris asked for Beatrix and said he would be there in thirty minutes. It cost money to have this privilege of access, like having a jet idling on the runway. But money was the least of Morris’s problems.

Morris walked the muddy footpath though Grantchester Meadows toward Cambridge. He was really buzzing now, a tickle of excitement softening his limbs. When he passed a petrol station, he ducked into the men’s room and removed his wig and glasses and put them in his pack.

The walkers from Cambridge were trooping toward him on the lunchtime jaunt they liked to call the “Grantchester Grind.” Morris slipped past them, through the cattle gates and turnstiles along the public way, dipping toward the black muck along the Cam.

The swans were out at the Granta Pub and floating indolently in Mill Pond. Their beaks coiled into their necks in a sinuous curve. They were filthy creatures, for such beauties, like ballet dancers with a thousand-dollar-a-day habit. They seemed so graceful afloat, but up close they were ugly, unpleasant birds.

Beatrix was waiting in a modern apartment just past Market Square, near the Lion House shopping arcade. She had the lights dimmed when Morris arrived. She’d had a little time to prepare, at least. It was awful when she had to get the place ready while he waited and his desire melted. Morris heard the slap of a gloved hand. The door opened. She was dressed in black leather, corsets and studs girding her body; her bosom was armored in a black brassiere. Morris fell to his knees.

By two-thirty, James Morris was back at the research center, sending a volley of messages to subordinates on several continents and in several aliases. It helped that he was lit now like a Halloween lantern, and that the anxiety had drained from his body, so that it was pliable again and his mind could think.

Weiss had been messaging from Headquarters, asking where he was. She needed to answer some inquiries from the comptroller, which had required opening some restricted electronic files, using authority she had in Morris’s absence but rarely used. Morris passed over her communications, as he had for a week. Weiss was the bookkeeper. Morris barely registered her activities most of the time. He liked to call her a “fire-and-forget missile,” but in practice this mostly meant “forget.”

Morris had meetings scheduled at the end of the afternoon with two prospective “fellows” of the institute. He was like a team manager before the trading deadline, trying to get all the right players in place. His research budget was elastic; he could hire as many world-class hackers as he could find, to do whatever he instructed. Here in England, he had the incomparably opaque Dr. Li to handle arrangements. Prospective candidates might suspect they would be working for China; perhaps a few thought the real sponsor might be GCHQ in Cheltenham. But it was a rare person who saw the American hand.

The first of these final crash recruits was an Israeli electrical engineer named Yoav Shimansky. He had dropped out of Cambridge a year ago after winning a graduate fellowship, gotten into debt feeding a drug habit and had begun hacking for profit about a year ago.

Morris had begun inquiring about the Israeli after one of his operatives had noticed some artful coding in a hack on numbered accounts at a Swiss private bank. They traced the code back to an IP address in Russia, which in turn linked to one in Israel, which connected finally to the real author of the code in the UK, who turned out to be Shimansky. He had other interesting qualifications: He had served in the Israeli military, which meant that he knew his way around classified systems, and he had visa problems in the UK, which meant that he was vulnerable.

The Israeli candidate was waiting in an interview room on the first floor. Dr. Li’s secretary knocked on Morris’s door and told him it was time, past time, and that Dr. Li had already gone downstairs to meet the visitor. Morris didn’t hear at first; he was listening to a club mix on Spotify; a DJ named Oliver repeated over and over the words: “The night is on my mind.” When the administrator from downstairs rapped on his door, he removed his earbuds. He put his cell phones in the safe, adjusted his wig in the mirror to make sure it fit, put on his goggle-eyed glasses and descended the stairs. He was not an imposing physical presence, in or out of disguise, which gave him an anonymity he had always used to advantage.

Shimansky sat at a table, with a computer screen and keyboard in front of him. Li sat across from him, facing another screen that displayed the same information. The Israeli was scrawny from his drug habit, and had deep circles under his eyes and an unhealthy brackish pallor from spending too much time indoors. He was fidgety in his seat, while Li sat still as a statue.

Morris was rubbing at his nose when he arrived. He took the empty seat next to Li.

“I’m Hubert Birkman,” he said, extending his hand. “I’m the principal engineer. I used to work for Hubang Networks here in the UK. Then I came to the center.” Morris spoke with a mid-Atlantic accent, somewhere between Britain and America.

“I’m Yoav,” said the Israeli. “Unemployed.”

“We know your work. That’s why Dr. Li and I wanted you to come see us today. We do penetration testing at FEARC. We need to get inside our clients’ systems, to show them their vulnerabilities and help them make corrections. We’re looking for people who know how to hack, basically, but aren’t crazy.”

“I heard all that, thank you very much,” responded the Israeli. He spoke from deep in the throat, every word heavy with phlegm, so that he sounded sardonic even when his statements were straightforward.

“Our biggest clients are in the financial sector,” said Morris. “Large banks, some hedge funds, even some central banks.”

“Okay, sure, whatever. I don’t mind.”

“We’d like to see what you can do,” said Morris. “That’s our drill when we interview potential fellows. We want to see you penetrate a system, to make sure you have the technical skills. I assume Dr. Li explained all that.”

Shimansky nodded dubiously.

“I told your Chinese boss I would break into the Bank Gstaad. That’s my demo tape, except it’s not a tape, it’s happening on-screen. I prepare some of it before, but still: You watch, whatever you want. But I have to ask, you are not a cop, right?”

“We have nothing to do with law enforcement in the United Kingdom or any other country. We are a research institute only, with close links to our funders in Asia, of course.” He nodded to Dr. Li at his side. “We will share only with our clients whatever you do for us as a research fellow. Including what you show us today. All that will be in the contract, along with the nondisclosure agreement.”

“How much you pay?”

“Sorry. You go first.”

Shimansky shrugged.

“You have the money. I need the job.”

“So log in.” Morris pointed to the computer. “Today, your username is ‘fellow’ and the password is ‘guest.’”

Shimansky logged himself into the center’s system, which immediately displayed a Mozilla browser.

“Go ahead,” said Morris. “Walk us through it.”

“Okay. So first I go to TOR. You want me to do that, to hide where I am, unless you are crazy.”

“Use TOR, of course,” said Morris, nodding. How quaint that the Israeli trusted the “Onion Router” as an anonymizer. Its triple layers had been peeled back by the NSA, but hackers still swore by it.

“So I pick my target, Mr. Dieter Kohler, a vice president of Bank Gstaad. I do some research on him already, so I know that he is a big traveler, uses all the travel sites and airline sites. So I do ‘man-in-the-middle attack,” when he thinks he goes to buy airline ticket, giving them his information, he is really going to me, to my proxy server. Here, I show you how the capture worked, on my site.”

Shimansky’s fingers tapped at the keys, and the screen displayed his own Internet site. Then up on the screen came a display that looked exactly like the website of Sitzmark Airlines, a charter company that arranged helicopter ski trips.

“So a week ago Mr. Dieter Kohler goes to Sitzmark Airlines to make charter reservation for this winter. I know he will do this because he did it last year and the year before that; always in October, okay. But when he goes to Sitzmark, thinking it is a trusted site, he really goes to my proxy, which I take from cache.”

As the Israeli typed on the computer, his wan face seemed to come alive. It was like the thrill of any sport; when the player was in the zone, he gave up conscious control to preconscious intuition.

Morris has been following the display closely, but now he broke in.

“How did you get the certificate, so Kohler’s computer would think your dummy was a trusted site? Even this little airline would have Transport Layer Security, right?”

“Of course they have TLS. I have to spoof that. So, I show you. I get certificate from Trustnode. Not direct, but someone I know, he buys one, then gives to an Israeli friend, who gives to another Israeli friend, who gives to me.”

The screen image changed to a screenshot for the certificate authority’s Verisign certificate.

“Nice,” said Morris.

“Now Kohler makes his reservation. He types in all his information, credit card, everything else, thinking this is TLS-protected, but he doesn’t know it’s me. I show you.”

Shimansky brought up more screenshots that showed the capture of Kohler’s basic data, name, address, credit card number, security code.

“So you went phishing, without phishing.”

“You got it, Mr. Birkman. I have all his information. And also, because I own the proxy server, I know the IP address that Herr Kohler is coming from. He shouldn’t be using his company computer to make his personal ski reservations, but, you know, he is like most people, so he does.”

“Got it,” said Morris.

“I even ask Kohler for a password for the charter flight reservation. Because I know maybe he uses the same password multiple times. People shouldn’t, but they do.”

“People are stupid,” said Morris, with a wink that was barely visible behind his oversized glasses. He had already decided to hire the Israeli kid, but he wanted to see the rest of his demo.

“Yes, this is a useful and true fact, Mr. Birkman. So now I have his password, too. His bank is small, so it doesn’t use two-factor authentication, but only static passwords for remote access. And it has stupid employees, who use the same password everywhere. So what do I do now? I go to the Bank Gstaad site and pretend that I am him.”

Shimansky typed some more, and the monitor displayed the Bank Gstaad employee’s screen, in real time. The Israeli typed in the username and password he had stolen from Kohler, and he was in the system, seeing a display of the bank’s proprietary information.

“I am lucky. I see what the bank vice president sees. Here, I show you, these are the numbered accounts that Herr Kohler manages.”

A series of numbers came up on the screen, followed by some large amounts in Swiss francs. All were over ten million; some were over one hundred million.

“But there is a problem,” said the Israeli in a sly voice. “I know the numbers, but I do not know who they belong to. How do I fix that?”

“You tell me,” said Morris.

“Easy. The URL of the bank’s public website is gstaadbank.com.ch. Here it is.”

Shimansky typed in the firm’s Web address and the monitor displayed the client-friendly interface of its website, with the white of the Alps and the blue sky as a background behind the basic information.

“So the bank’s customers come to this site all the time, to check their accounts. They shouldn’t do it, I know, but they do. Okay, so I use a cache version of the real Gstaad site to build a proxy that looks just the same, exactly the same, except that the URL of mine is one letter off. So the address of my dummy site is gstasdbank.com.ch. Here is what it looks like.”

He typed in gstasdbank.com.ch, one mistyped letter, an s instead of an a, an easy mistake to make, and sure enough, up came a site that looked identical to the one before. Like the real site, it asked clients to register the usernames and passwords to get information about their accounts.

“God bless ‘fat fingers,’” said Morris.

“Yes, and I can tell you, Mr. Birkman, that rich people’s fingers are pretty fat. So when they go to the Gstaad site, sometimes they mean to hit that second a but they miss it and hit the s that is next to it. And so they are at my site, and not the bank’s. Here, like I show you.”

On the monitors was a screenshot of a customer’s completed sign-in, with username and password typed to access the site.

“When they go to look at their money, the site crashes, what a pain this is, so maybe they go back again, but this time, they hit the right letters, the a and not the s, and they are back at Bank Gstaad for real, but it’s okay for me, because I have their username and password, and also, I have their IP address.”

The Israeli displayed the IP address information for the Bank Gstaad customer he had most recently hacked.

“So if I do a little detective work on this IP address, I can see that it belongs to Mr. Alireza Najafi-pur, who does his commercial banking through Dubai…”

Shimansky typed some commands, and the screen displayed the IP address of a Dubai branch of a global commercial bank.

“… but who really lives in Tehran.’’

The Israeli typed again, and now the screen displayed the image of a simple commercial website written mostly in Farsi, but an English-language address visible in the upper left-hand corner that showed the firm in question was a food-distributing company based at 3 Dr. Bahonar Street, off Bahonar Square, in the Niavaran district of Tehran.

“So now I know something, eh?” said Shimansky.

“Yes, you do,” agreed Morris.

“But you see, this is really only the beginning of how I can make mischief. Because I can inject SQL into the system of the bank and the accounts of the users, too. And then I really begin to know some things.”

A few more clicks on the keyboard, and Shimansky showed the rudiments of an attack using Structured Query Language that is injected into a database and then can read, write, delete or modify data stored there.

“So this is what I do,” said the Israeli. “And you just watched me do it, so you know this is no bullshit. If your clients need, what, protection against this, okay, I am ready.”

“Roger that,” said Morris. “We’d like to offer you a fellowship. No bullshit.”

“So now I ask again, how much, please.”

“That depends. Our research fellowships begin at a hundred fifty thousand dollars annually. With bonuses, that can go higher. This is for exclusive work. No freelancing.”

“I can make this much at a bank. No way. I stay unemployed, I make more money.”

“Maybe, but you have visa problems.”

“You solve them?”

“Of course. Our institute has many friends here in the UK.”

“Okay, very nice, but a hundred fifty thousand still is not enough. Sorry.”

“Let me ask you a question that might affect how much we can offer you. Did you ever work for Unit 8200 when you were in the Israeli army?”

“What are you? An Israeli spy?”

“Maybe,” said Morris. “But answer my question. Were you in 8200? Did you do any cyber-work when you were in the army?”

“Sure. Of course I did. What you think they would do with someone like me? Turn me into a paratrooper? I have trouble taking a walk on the beach in Tel Aviv with my shirt off, too many people laugh at me.”

“I won’t ask you what you did for 8200, but I take it you know your way around classified cyber.”

“Who’s asking? China?”

“No, me. Hubert Birkman.”

“Yeah, sure. I know my way around lots of things.”

Morris wrote a number down on a piece of paper and passed it to Dr. Li, who had been silent throughout the interview. The Chinese man pursed his lips.

“Could you excuse us for a minute?” said Morris, motioning for Dr. Li to join him in the hall. The Israeli resumed fidgeting.

Morris returned thirty seconds later, with the Chinese man who was his nominal boss.

“Dr. Li has authorized me to make an unusual offer to you. We are prepared to pay two hundred fifty thousand as an annual research stipend, plus full use of the computer lab here, plus bonuses for any unusual penetration work, such as zero-day exploits, to reflect the value they would have in the marketplace. Plus we will take care of your visa problem, and find you housing here in the Cambridge area. How does that sound?”

“Pretty fucking great, actually.”

The Israeli was finally smiling, dropping his cynical ex-junkie hacker pose as he contemplated all that money and, for once, a hassle-free lifestyle.

“We need you to start work right away, and we want to focus you on large banks; very large banks. Are you cool with that?”

“Why not?” he said, trying to sound unimpressed.

“Okay,” said Morris, shaking Shimansky’s hand. “We have a deal. You ready to sign the contract and nondisclosure agreement?”

“Whatever,” said the Israeli.

Morris pushed a four-page agreement across the desk. It was marked with the letterhead One World, which was one of the cover names Morris was using for his project. Dr. Li got up and left the room.

“Initial each page at the bottom and sign the last page where the red sticker is,” said Morris coolly.

Shimansky began reading the document.

“Don’t try,” said Morris. “It’s all legal bullshit. You won’t understand it, believe me, and I don’t have time. Just initial and sign.”

The Israeli shrugged. He signed as instructed and pushed the paper back to Morris.

The young American’s face and posture changed. The slouch was gone, and so was his lackadaisical manner.

“Welcome to my world, Mr. Shimansky. This is a legally binding document in the United Kingdom and everywhere else that has a legal system. It says that if there are any disputes, they will be arbitrated by a mediator of our choosing. It also includes a nondisclosure agreement that holds you responsible, with unlimited liability for damages, if any warranties are breached. If you say or do anything we feel violates this contract, we can take you to court.”

“What kind of agreement is that?” asked Shimansky.

“My kind, your kind, it doesn’t matter, because you just signed it.”

The Israeli glowered at Morris. He didn’t like to be manipulated so crassly.

“So I can leave,” he said.

“Try it,” said Morris. “Be my guest.”

Shimansky rose and opened the door of the interview room. An armed guard was standing in the hallway. The Israeli tried to pass but the guard pushed him back into the room and down into the chair he had just vacated.

“We’re going to be friends, honest,” said Morris. “You’ll like the work. But don’t try that again.”

“What is the work?” asked the Israeli. “And please, Mr. Birkman, no more bullshit about your clients.”

Morris smiled. He took off his wig, which was itchy, revealing his short brush of hair.

“I’m glad you asked that, Yoav. How would you like to hack a bank with me and some of my pals: the biggest goddamn bank in the world? How would you like to take money out of one account and put it into another? How would you like to make debtors become solvent at the push of an ‘enter’ key? Does that appeal to your sense of mischief? Nu?”

The Israeli cocked his head. What hacker wouldn’t want a challenge like that? It was like asking a bank robber if he wanted to take down Fort Knox.

“You pay me, like you said, and I’m in.”

“Attaboy. I knew I would like you. So let me explain a few things about what we have in mind.”

Morris laid out his scheme. Even Yoav Shimansky, a man who made it a point never to show his emotions, could not help but be impressed.