Act 0 · Null Witness
Chapter 0.1
Trust
Lincoln Boulevard, Los Angeles · Twelve minutes late
The alarm on my watch went off eleven minutes ago and I have been running since nine of them.
This is not as impressive as it sounds. I run the way most people do things they’re bad at and too proud to admit — fast enough to look like I know what I’m doing, slow enough that anyone watching can tell I don’t. Lincoln Boulevard at two in the afternoon in the middle of May is not the ideal track for this kind of performance. The sidewalk is full of people walking at a normal human pace to their normal human destinations, blissfully unaware that the gangling idiot weaving between them is technically late to what might generously be described as the most important interview of his adult life.
I check my watch again. Eleven minutes. Twelve now.
Shit.
The sun is doing that thing it does in LA where it acts like a personal grievance. My transition lenses went dark about thirty seconds after I left the apartment and have not once considered going clear since. Through the amber tint, the city looks like a photograph left too long in a developer tray — bleached sidewalks, palm trees bending slightly in a wind coming off the ocean that you can smell but not quite feel, the persistent background haze that isn’t quite smog and isn’t quite marine layer and is in practice just the atmosphere LA wears because it’s decided that’s who it is now.
Three blocks out I can see the building. Four stories of glass and poured concrete, the kind of architecture that tries very hard to communicate serious professionals work here without spending enough money to actually be convincing about it. The Spaces logo is on the door. Co-location workspace. The fact that Sigil Systems — a company that by all available public information employs somewhere north of eight hundred people and holds active infrastructure contracts with the Pacific Compact Security Commission — is conducting hiring interviews out of a co-location workspace is, I have decided, not worth thinking too hard about right now.
I have enough problems.
I slow to something that could technically be called a jog in the last half-block and stop completely at the door, one hand on the glass, catching my breath. The city noise drops as I push inside — foot traffic and electric bus hum and the distant processed voice of some compact’s public address system reminding pedestrians on Santa Monica that their biometric transit pass needs renewal, all of it replaced by the curated ambient calm of a space designed to make you feel like productivity is possible.
It is very pleasant. I resent it immediately.
A note, while I’m catching my breath.
I know what you’re thinking. You’re thinking: here is a person who showed up twelve minutes late and is sweating through a hoodie to a job interview at one of the most influential cybersecurity firms operating in the western hemisphere, and you want to know how someone gets to this point. What sequence of decisions, what accumulation of choices and non-choices, produces a twenty-four-year-old with a circuit tattoo and a one-page resume standing in the lobby of a co-location office space on Arizona Avenue trying to look like he meant to arrive this way.
I will tell you. I have time. The interview is already ruined.
But I’m getting ahead of myself.
The attendant at the front desk is maybe twenty-two, with the practiced warmth of someone whose job requires her to treat every person who walks through that door like they belong there regardless of evidence to the contrary. She looks up from her terminal and produces the smile.
“Good afternoon. How can I help you?”
“Hi.” I unzip my hoodie while I talk, because the button-down underneath is at least nominally professional and the hoodie is currently doing me no favors. “I’m Cade Voss. I’m here to see Jeff Forcythe.”
Something flickers behind the smile when she checks her notes. Just a flicker — she recovers fast, she’s good at this — but I catch it. Twelve minutes late registers on a front desk attendant the same way it registers on everyone: as information about the kind of person you are.
“Of course. He’s been expecting you.” She gestures toward the staircase on the far side of the atrium. “Second floor, fourth space on the right.”
“Thank you.”
I take the stairs faster than necessary. Above the cafe, the second floor opens into a long row of semi-private workspace booths, divided by shoulder-height partitions. I scan right and find him at the fourth — blue blazer over a pinstripe shirt, neatly trimmed beard, the specific posture of a man who is typing on a laptop but is mostly performing the act of typing on a laptop while he waits for the person who was supposed to be here twelve minutes ago.
He looks up. He smiles. He glances at the clock mounted on the far wall before the smile finishes forming.
I see the glance. There is no universe in which I was not going to see the glance.
“Cade Voss?” He stands, extending a hand.
“That’s me.” I shake it. His grip is the grip of someone who has been coached on handshakes. “I’m sorry about the time.”
“Jeff Forcythe.” He waves it off, gestures to the seat across from him. “Don’t worry about it. Sit down.”
I sit. The bench is harder than it looks. I unzip my hoodie the rest of the way, which reveals approximately nothing impressive — a pale blue button-down that cost eleven dollars and has been ironed once, possibly by someone else, possibly years ago. Jeff Forcythe looks at it the way a doctor looks at an x-ray he already knows the diagnosis of. Then he looks at my face, briefly and completely, and I have the specific sensation of being read rather than seen.
“I appreciate you coming in,” he says, opening a thin binder. Inside, my resume sits on top of a stack of others. It is, I note with grim clarity, the thinnest one in the pile by a meaningful margin. “Our actual offices are in renovation — longer than planned, as these things go.” The explanation arrives without friction, the cadence of something said enough times that the saying of it has become unconscious. “Co-location spaces are better for first conversations anyway. Less institutional. Easier to be direct.” He leans forward with his hands folded. “Easier to have an honest conversation.”
Honest, I think. Okay.
“The team you’ve applied to — security engineering — has some interesting positions open right now. Walk me through your background. Your resume is light on specifics.”
“Most of my work has been freelance. Bug bounty programs, primarily. Some contracted development.”
“Bug bounty.” He nods slowly, in the way of a person who finds this neither impressive nor dismissive, just informational. “Volume? Severity range?”
This I can answer. “Thirty-one documented CVEs in fourteen months. Severity range four through nine-point-eight. Six critical. The critical findings were in enterprise network management software — authentication bypass, two pre-auth remote code execution chains, one that allowed pivoting from a guest network segment to production infrastructure without credentials.”
He writes something. “Which vendors?”
I name three. One of them holds Compact infrastructure contracts I had verified before I walked in, because I verify things. His pen pauses for half a second.
“And the development work?”
Here it is. The question I can actually answer in full. I feel something loosen in my chest.
“Offensive tooling, primarily. I built a fuzzing engine — genetic algorithm-based, not random. It learns which input patterns the target process handles badly and generates variants of those rather than mutating blindly. I ran it against application binaries, kernel drivers, network protocol stacks. Seventeen of the CVEs came out of it.”
“Pre-auth remote code execution.” He’s reading something in the binder — or appearing to. “Do you have experience moving laterally once you have a foothold? Or is your work primarily initial access?”
“Both. I build full chains when the target is interesting. Initial access, privilege escalation, lateral movement, persistence, exfiltration modeling. Bug bounty programs usually want the proof of concept at the entry point and nothing further, but I build the full chain privately to understand what the vulnerability actually enables.”
“Why privately?”
“Because the dangerous part of a vulnerability isn’t always where it is. It’s what you can reach from there.”
He looks at me with the quality of someone who has heard a lot of people say things and has developed a sense for which ones mean it. He seems to decide, without changing his expression, that I mean it.
“Any experience with mobile platforms?” He says it as a natural follow-on, which it isn’t. “Android specifically. Or network stack work on constrained hardware.”
I file the pivot without showing that I’m filing it. “Some. The Android security model is interesting at the binder layer — the IPC mechanism has had privilege separation issues that kernel patches keep chasing. I’ve done work in the media parsing stack, userspace and below. Some network driver analysis.” A pause. “Nothing submitted through formal channels.”
“Why not?”
“Remediation complexity. The disclosure window creates exposure before a viable patch is ready.” The true reason. Also not the complete one.
He makes a note. Longer than the previous ones.
“Your education,” he says. “Walk me through that.”
I knew this was coming. “I was at MIT for two years. Electrical engineering and computer science.”
“Was?”
“I left. Before finishing the program.”
“Voluntarily.”
“Yes.”
“Why?”
The honest answer is somewhere between too long and too complicated and not appropriate for this room. The short answer makes me sound like exactly what everyone has assumed since then — someone who couldn’t handle it, who is now sitting in co-location office spaces with a thin resume explaining himself to people with hiring budgets. “It wasn’t the right environment for the work I wanted to do,” I say, which is true and incomplete in equal measure.
Forcythe is quiet for a moment. He tilts his head slightly, in the way of someone deciding whether an answer told them what the answer didn’t say. “The work you’re doing now — the bug bounty programs, the independent tooling. Is all of it disclosed? Through official channels?”
The pause before I answer is half a second long. “My bounty work is fully disclosed through program channels. Vendor notification, CVE registration, coordinated disclosure timelines.”
“And work that falls outside formal bounty programs?”
I look at him. He looks at me. The question can be asked in exactly this way — conversationally, without accusation, as if it’s a standard line item on a standard form — by someone who already knows the answer and wants to see how you handle it, not what you say.
“I do work that falls outside formal program structures,” I say. “Findings get reported through appropriate channels.” A pause. “Eventually.”
He writes something. I cannot read it from this angle.
Somewhere in the last ten minutes the questions changed in kind without the change being announced. The early questions were about capability — what can you do, how do you think, show me the work. These later questions were something else. He was still holding my resume, but he wasn’t reading it anymore. He was reading me.
I had the vocabulary for this from the other direction. Profiling. Building a picture not from what someone says but from the negative space — what they omit, what they reach for when the clean answer isn’t available, how they carry the parts of themselves they haven’t decided to show. I had done it to systems. To networks. To the gap between what a service advertised and what it was actually running underneath.
I couldn’t name what he was doing with it.
“So.” He closes the binder. The clasp is very small in the ambient noise of the atrium. “The honest part of the conversation.”
Not another one, I think. Please.
“You’re technically more capable than most of what walks through here.” He says this without warmth — a fact, not a compliment. “The CVE volume, the chain work, the reasoning about what a vulnerability enables rather than just what it is. That’s not something we see often.” A pause. “The problem is that none of that matters to a hiring committee when what they’re looking at is a one-page resume with no verifiable employment history, no completed academic credentials, and work they can’t reference-check because it exists under terms that were never fully documented.”
I want to tell him the work exists. The CVEs exist. Three of those vendors are in his current client portfolio, I checked before I walked in, and my findings are in their security records — a different name, but still mine. I want to tell him what I actually am, which is not what this resume says I am, and watch his expression change.
I don’t. I sit there.
“What you’re capable of and what our process can verify are different things.” He says it with the even delivery of a person who has said a version of this many times and has learned to mean it less each time. “The compliance requirements we work under — employment verification, academic credentials, documented work history — aren’t at my discretion. They’re contractual, with clients who have their own audit obligations up the chain.” He opens my resume on the table between us without looking at it. “A one-page document with no verifiable employment record and an incomplete academic history, work that exists under terms that were never formally documented — I can’t put that in front of a panel regardless of what the capability actually is.” A pause. “The process isn’t designed for people who exist outside the structures it recognizes. I understand how someone doing the work you’re describing ends up there. That doesn’t change what the structures require.”
He slides my resume across the table.
“Sean.” He says it the way you say something you want to see land.
I blink. “It’s Cade.”
A half-second. The recalibration, very small. “Cade. Right.” He sets his hands flat on the table. “Have a good day, Mr. Voss.”
I take the resume. I stand. I walk toward the staircase without looking at him and I make it almost to the top step before I remember the entire atrium is open-plan and the attendant at the front desk has had nothing to do for the last twelve minutes except listen to every word of that exchange.
She is very interested in her screen when I walk past.
I hand her my resume. “Can you shred this for me, please?”
She takes it without comment and feeds it into the machine beside her desk. The sound it makes is not satisfying.
“Have a good day, sir,” she says.
“You too.”
Outside, the sun. My lenses go dark immediately. I stand on the sidewalk and look up at nothing and let out a breath that has been building since I walked in there — a long slow deflation, the sound a person makes when they’ve been holding something up for a while and have finally set it down.
Twelve minutes, I think. That has to be a record.
I want you to understand something about that room.
It wasn’t the first one. It was the ninth, if you’re counting, and I am absolutely counting. Nine interviews in fourteen months, and every single one has gone some variation of that same way — the resume, the thin look, the well-meaning lecture about certifications and team experience and professional presentation. The advice is always the same. Get certified. Go back to school. Build a record.
What none of them know, and what I am professionally prohibited from telling them, is that I have a record. It just doesn’t exist anywhere they’re allowed to see it.
The name attached to that record is not Cade Voss.
But we’ll get to that.
I check my watch. The notification has been sitting there for the last forty minutes, which is how long I’ve been consciously ignoring it.
[#] Cryptanalysis — Lecture 14 of 22 @ 2:00pm
WAIT’s campus is a twenty-minute walk from here through the Palisades, which means I am, by the generous application of optimism, five minutes late to a class I have no interest in attending in the first place. I stand on the sidewalk doing the calculation — lecture hall versus the subway home, academic obligation versus the very reasonable desire to go lie face-down on my bed until tomorrow — and the calculation produces the same answer it always does, which is that I will feel equally terrible either way and at least one of these options doesn’t add an F to my transcript.
I roll my sleeves back to the elbow. The circuit tattoo catches the light. I pull the hoodie zip to my sternum and start walking.
Professor Alan Dietrich has been teaching cryptography at WAIT for eleven years and he looks like he has hated every single day of it. He is one of those academics whose physical appearance has become entirely continuous with his professional disappointment — the permanent furrow, the slightly yellow tinge of the office-dwelling complexion, the way his suits fit like they were purchased for a slightly larger, more optimistic version of himself. He is in his sixties. He treats every student under thirty as a personal affront.
I have known this about him since the second week of the semester, which is why I tried, at the beginning of the third week, to simply not attend anymore.
That did not work out.
“Good afternoon,” he says, not looking up from his desk as I push through the lecture hall door. A few heads turn. Most of them go back to their business when they see it’s me — the guy who sits in the back row and types on his laptop for the entire class is not especially interesting. The hall is filling up. I’ve got maybe five minutes before the lecture starts. “You’re late, Mr. Voss.”
“I know.” I approach his desk. I’ve already got the assignment out of my bag — a mid-term project, fifteen pages stapled, a USB drive clipped to the cover page. Three weeks of work. Finished a week ago, because I finished everything a week ago, because the material is not difficult and I have been doing cryptanalysis as a hobby since I was sixteen. “I wanted to submit the mid-term.”
He looks at it. Then at me. “The mid-term isn’t due for two weeks.”
“I know. I thought if I turned it in early I could—”
“Attend fewer lectures?”
The way he says it is the way you say something to a person you’ve already decided is beyond helping. “The material covered in lectures fourteen through twenty-two,” I tell him, because I have looked this up, “is all material I already have working knowledge of. RSA, elliptic curve, zero-knowledge proofs, lattice-based constructions. I thought if I demonstrated that through the project—”
“Put it away.”
I stop.
“Mr. Voss.” He leans back in his chair and looks at me over the rim of his glasses with the expression of a man who has had this conversation many times and has stopped finding it interesting. “I have been standing at the front of this room talking to people who think exactly what you think for eleven years. That they already know the important parts. That the lecture is a formality. That their time is more valuable than the education they’re paying for.” He points at me, then at the seats. “Sit down. Submit the project on the due date with everyone else. And if I don’t see you in this room for every remaining lecture this semester, I’ll have the prior submissions pulled from the record and you’ll retake the course.”
“You can’t—”
“Watch me.” He goes back to his papers. The conversation is over. He has decided the conversation is over, and there is a particular kind of institutional authority that doesn’t argue, it simply continues existing in your way until you stop arguing with it.
I stand there for exactly three more seconds. Then I put the assignment back in my bag and I walk up the steps to the back row.
The students near me find other things to look at. A few of them are wearing the sympathetic expression of people who have had their own versions of that exchange. Most of them just look relieved it wasn’t them.
I set my bag down. I pull out my laptop. I open it.
Fifteen pages, I think, staring at the skull and crossbones wallpaper while the machine wakes up. Three weeks of work. Perfect marks on every prior submission. And the man just told me to sit down like I’m a discipline problem at a middle school.
The specific injustice of this sits in my chest like a coal. Hot, dense, requiring somewhere to go.
I look down at the open laptop. Then up at Professor Dietrich, who has opened his own machine at the lecture podium and is preparing his slides with the unhurried authority of a man who knows the class will not start without him.
Then back down at my laptop.
Then at the USB network adapter at the bottom of my bag, with the little antenna folded against its side.
I know, I think. I know. But hear me out.
Here is the thing about asymmetric key cryptography that most people miss when they’re learning it.
The math works. RSA works. Elliptic curve works. The theoretical framework for public-key infrastructure is genuinely elegant — two keys, one to encrypt, one to decrypt, a lock that only the intended recipient can open. It is a beautiful idea. The professor is not wrong to teach it.
What the professor is wrong about — what the textbook is wrong about, what every certification course I’ve ever looked at is wrong about — is the premise that the math is the problem.
The math is never the problem.
People are the problem. Specifically, the fact that you can build a cryptographically perfect system and then hand the keys to someone who will ignore every warning their browser produces because warnings are annoying and they just want to check their email. You can make the most secure lock in the world and someone will leave the door open.
What I’m about to do is not sophisticated. It is embarrassingly simple. That’s the point.
The network card goes into the USB port on the side of my laptop. The antenna unfolds. I open a terminal — themed, because I’ve always had opinions about terminal aesthetics, black background and a green prompt because some things are traditional for a reason — and I pull up Bettercap.
Let me explain what I’m about to do, since you’re here.
Every device on a network has two addresses. The IP address — the logical one, the one you know, the one that gets printed on the ticket — and the MAC address, the physical one burned into the hardware itself at the factory. When your laptop wants to talk to the router, it doesn’t just shout the router’s IP into the air. It broadcasts an ARP request — Address Resolution Protocol — basically asking: “Hey, whoever has this IP address, what’s your MAC address so I know where to actually send this?” The router answers, your laptop caches the response, and traffic flows correctly.
ARP spoofing is telling the network you are someone you aren’t.
I’m going to send a stream of crafted ARP packets to two targets simultaneously — the router and the professor’s laptop. I’ll tell his laptop that my MAC address belongs to the router. I’ll tell the router that my MAC address belongs to his laptop. Both of them update their caches. Both of them believe me. Why wouldn’t they? Nobody put a lock on the mailbox. Now all of Dietrich’s traffic flows through my machine on its way to and from the network, and he has no idea. I am the invisible post office clerk standing between his desk and the rest of the world, reading everything that passes through my hands before I pass it along.
The SSL part is the only mildly interesting piece. HTTPS is supposed to make interception irrelevant — even if someone sits in the middle, the traffic is encrypted and unreadable. But that protection depends entirely on the client — Dietrich’s browser — actually enforcing it. Bettercap’s SSL stripping module intercepts his requests before they go out, downgrades the connection from HTTPS to HTTP, and serves him a plain-text version of the site. The padlock in his browser turns gray. Or it should. He’d have to look at it to notice.
He won’t look at it. Nobody looks at it. That’s the whole thing.
The WAIT faculty network announces itself immediately. Eleven endpoints. I watch them populate in the scan output, MAC addresses resolving to manufacturer IDs, device types assembling themselves from the handshake traffic like a portrait coming into focus.
One of them is an Apple machine. On the faculty SSID. At the IP address that corresponds to the podium network port.
Hello, professor.
10.2.2.0/24 > 10.2.2.203 » set https.proxy.sslstrip true
10.2.2.0/24 > 10.2.2.203 » https.proxy on
10.2.2.0/24 > 10.2.2.203 » net.sniff on
10.2.2.0/24 > 10.2.2.203 » [endpoint.new] endpoint 10.2.2.1 detected as D9:32:90:EC:09:3C [router]
10.2.2.0/24 > 10.2.2.203 » [endpoint.new] endpoint 10.2.2.102 detected as D9:32:90:BE:44:20
10.2.2.0/24 > 10.2.2.203 » [endpoint.new] endpoint 10.2.2.214 detected as C4:CD:91:34:E7:15
10.2.2.0/24 > 10.2.2.203 » [endpoint.new] endpoint 10.2.2.31 detected as 28:E7:A9:BB:8E:21
10.2.2.0/24 > 10.2.2.203 » [endpoint.new] endpoint 10.2.2.209 detected as 00:50:E4:13:AE:58 [APPLE INC.]
Up at the podium, Dietrich has navigated to the university’s faculty media portal to pull up his slides. The lecture hall has filled around me without my noticing — a hundred and sixty, maybe a hundred and eighty students settling into their seats, pulling out tablets and notebooks, doing the pre-class ritual of getting comfortable for something they’ve already decided they don’t want to be at.
I run the OID lookup on the Apple endpoint’s MAC address. Confirmed faculty machine. I set the ARP spoofing targets — the router and the professor’s device — and watch the traffic start routing through me.
10.2.2.0/24 > 10.2.2.203 » set arp.spoof.targets 10.2.2.1,10.2.2.209
10.2.2.0/24 > 10.2.2.203 » arp.spoof on
10.2.2.0/24 > 10.2.2.203 » [net.sniff.mdns] mdns 10.2.2.209: PTR query for _faculty._wmit._tcp.local
10.2.2.0/24 > 10.2.2.203 » [net.sniff.mdns] mdns 10.2.2.209: PTR query for _share._faculty._wmit._tcp.local
10.2.2.0/24 > 10.2.2.203 » [sys.log] [inf] https.proxy creating spoofed certificate for *.waitla.edu:443
At the podium, Dietrich clicks through to the login page for the media portal. He has seen the SSL warning on this page so many times that it has become invisible to him. Six years of clicking through the same warning. Six years of the browser saying something is wrong here and six years of a tenured academic saying yes yes I know and clicking past it.
He types his credentials.
They appear in my terminal before he finishes typing them.
[22:34:49] [net.sniff.https] POST http://media.waitla.edu/login.aspx (text/plain)
HTTP/1.1 POST https://media.waitla.edu/login.aspx
Host: media.waitla.edu
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) AppleWebKit/605.1.15
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=9C4F119A60F6C07B9413359147046110
fac_username=ADietrich&fac_password=Unix1972&login=Submit
I look at the password for a moment.
Unix1972.
The year Unix was created. As a password. On a machine used by a cryptography professor.
I sit with this for a second — really sit with it, in the way you sit with a joke that’s too perfect to laugh at. The man standing at the front of this hall has spent the last eleven years explaining to other people why their information security practices will get them violated, and his password is a nostalgia trip to 1972. There’s a doctoral thesis in this. There are several.
I don’t write the thesis. I write the next command.
I open a second terminal window and begin the next step — not because I need anything from his machine, not because there’s anything on a cryptography professor’s faculty portal that I want or could use. I do it because the alternative is sitting in this chair for the next ninety minutes listening to a man explain RSA key generation to people who are mostly on their phones, and if I’m going to be here anyway I might as well be doing something that requires my actual attention.
Up at the front of the hall, Dietrich clears his throat into the microphone.
“Good afternoon, everyone. Today we’re going to be covering asymmetric key exchange.” His voice fills the hall with the specific resonance of a PA system that was state of the art in 2019. “This, like every facet of cryptography, begins and ends with keys — which as you know, facilitate the locking and unlocking of encrypted data…”
His voice fades into the background. My eyes are on the terminal.
You want to know the funny part?
He’s not wrong about any of it. The math is exactly as he describes it. The framework is exactly as elegant as he says it is.
He’s just teaching it to the wrong part of the problem.
The remote session opens without incident. I’m in.
$ crackmapexec smb 10.2.2.209 -u ADietrich -p Unix1972
SMB 10.2.2.209 445 WAITLA-FAC-09 [*] Windows 10 x64 (name:WAITLA-FAC-09)
SMB 10.2.2.209 445 WAITLA-FAC-09 [+] WAITLA\ADietrich:Unix1972 (Pwn3d!)
Pwn3d. The tool’s own editorial comment, right there in the output. Even the software finds it slightly too easy to be satisfying.
I lean back in my chair and look up at the ceiling for a moment — the specific posture of a person who has just done something they knew they were going to do from the moment they sat down, and is now briefly acknowledging the gap between who they know they are and who they’d like to be.
The gap has been there a while. I’ve made my peace with it.
Around me, a hundred and sixty people are learning about cryptographic key exchange from a man whose password is the year a forty-year-old operating system was created. The irony is, as irony tends to be, completely wasted on the room.
My watch buzzes. A different notification this time — not a class reminder. A message, through an encrypted channel I check maybe twice a day, from a contact I’ve had for three years and met exactly never.
Two words.
Call me.
I look at the notification for a moment. Then I close the remote session, pull the network adapter from the USB port, and fold the antenna back against its body. I put it in my bag. I close the terminal windows one by one.
Mr. Slash does not say call me unless something has changed.
Something has changed.
I spend the remaining eighty-three minutes of the lecture not hearing a single word of it.