(Note, this is a continuation of our previous story chapter since sometimes
it's more fun to read fiction than to wonder what's going on these days
with Cloudflare or whatever.)

Landing in Miami is like visiting a tier of hell just below Limbo. It is
not saturated in evil so much as the established gateway to more evil
places. As you disembark from your flight you can almost see a direct line
from providing no-questions-asked banking to drug dealers in the eighties,
to offering an endless series of apartments (aka money hiding spots) to the
Venezuelan upper class, to the current endless series of crypto companies
headquartered in the newly hip Brickell office spaces next to SmileDirect
and fancy brew pubs.

In the sense that NYC deals in finances, San Francisco in software
companies, Boston in "higher education", Miami is more about your more
generic small-scale scams as the underlying substrate upon which the rest
of the economy is based. The tropics engender a sort of flexibility and
adaptability which is about finding new scam-niches and exploiting them
before anyone else has caught on.

But your meeting here is not about crypto-coin or real estate built with
permeable concrete guaranteed to spall in the face of salt-water-laden
winds. It's with a company building testing software of all things. "Boring
is rewarding" you say to yourself, as you drive past a literal graveyard to
a small joint called "Hush" which you give an approving nod to.

Hush serves fried alligator, which tastes like fried anything, as you sit
across from your lunch companions, Stewart and Amy. They are drinking beers
you've never heard of, and they lay out their scheme, without regard to
OPSEC since nobody in this restaurant other than you would likely

"We've been building a large set of unit testing libraries for
cryptographic primitives, lots of complicated string building stuff,
machine learning, you name it."

"Great," you say. "Always good to have quality testing libraries." But
they exchange a look and you realize you've misinterpreted them.

"Our public libraries have a tendency to ... sometimes think things are
very well written and secure when they are ... not. It's just sometimes our
unit testing has bugs, you know? We have really good documentation in a lot
of languages though. And great support. 24/7. Discord, Slack, forums, you

"So the theory here is you don't target any particular software in the
supply chain? You just encourage bad testing practices?" You're pondering
their value, while at the same time trying to think about what alligator
actually tastes like under all the grease. The flavor, as far as you can
determine, is "Chewy".

Stewart struggles for a second to get the words out, like a huge machine
optimized for literally anything other than the current task of explaining
things to other humans using words. "Sometimes it's best when the check to
see if ASLR is enabled doesn't actually work, so your bugs that you find
have a chance to be exploitable. We're not in the business of putting bugs
in things. We just make the bugs you do have....better."

"I see. What about code we actually want to be secure?"

"I recommend everyone local uses our FIPS certified library, which,
admittedly, is expensive and does the same thing as our free code, but
maybe with more effort put into the actual tests themselves." Amy says this
to you without any hint of chicanery, as if this is a simple fact, almost
not worth saying. It is, you realise, a very tropical CONOP.

"I will make sure this is required by various regulations after you are
funded. I'll have my team send you the paperwork," you say. And with that,
the conversation moves to pleasant nonsense as you internally contemplate
your next flight - out of here and into the cold.