Skip to content
Cleartext

Excerpt

Chapter 1

Packet Loss

The pentest report was done. Marcus read it one more time, hated it one more time, and exported it to PDF.

He attached it to the Jira ticket, typed "Findings attached, happy to discuss," and closed the tab before the lie could settle. The ticket's due date said November 2, 2027. Three days ago. Nobody was going to discuss it. Nobody ever discussed it. The client's internal API had accepted negative dollar amounts in transfer requests, which meant you could theoretically steal money by depositing it in reverse, and Marcus had spent three hours formatting that finding into Vantaris's branded template so it could land in someone's inbox and never be opened.

Three months at Vantaris Systems. Austin's own mid-tier cybersecurity consultancy, occupying the third floor of a glass-and-concrete building off Lamar that smelled like carpet cleaner and ambition that had curdled into process. The AppSec team had cleared out by five. Marcus stayed because the office Wi-Fi was faster than his apartment's and because going home meant admitting the day was over and nothing interesting had happened in it.

He leaned back and stared at the ceiling tiles. Marcus Wynthor was twenty-nine years old. He had a computer science degree from UT Austin, six years in cybersecurity, a list of CVEs with his name on them, and a signing bonus that had already been spent. He was, by any reasonable measure, doing fine.

The ceiling tiles offered no rebuttal.

He closed the VPN, SSH'd into his home lab, and checked his feeds. A new IACR preprint on lattice-based signatures. A Chrome V8 exploit chain write-up. Three CVEs in enterprise VPN appliances that would become next month's pentest findings at a hundred companies just like Vantaris. He skimmed the lattice paper, bookmarked the V8 write-up, and shut the laptop.

He caught the 7:10 bus on Lamar, the same route he took every day because the schedule was predictable and he didn't have to think about it. By 7:30 p.m. he was home. His apartment was a one-bedroom off East Riverside, small and permanently under-furnished. Two monitors on a desk, a couch from a UT student's estate sale with a sagging cushion he'd never fixed, a kitchen that existed primarily as a coffee delivery system. The walls had nail holes where Priya had hung things. A framed print of the Austin skyline. A mirror she'd found at a flea market. A photo of the two of them at Barton Springs that Marcus had liked more than he'd told her. She'd taken everything when she left. He hadn't filled the holes. The apartment smelled like stale coffee and the particular staleness of a space that was occupied but not lived in. No cooking smells, no candles, no evidence that anyone here did anything but sleep and type.

His ex had called it "aggressively temporary." That was two years ago. Nothing had changed. The faucet in the kitchen dripped once every forty seconds. He'd timed it during a slow night three months ago. He hadn't fixed that either.

He made coffee and sat down.

Most nights were the same: HackerOne for an hour, maybe a CTF challenge if Dev or Lena had found a good one. Tonight he opened Greyline instead.

Greyline was an invite-only forum. Security researchers, mostly. The kind of place that existed in the gray area between published CVEs and things that made legal departments reach for the phone. Half the posts on any given night were junk. A quarter were honeypots. The rest were occasionally worth reading.

He scrolled. A claimed Cisco zero-day with no proof. An argument about whether a ransomware group was state-backed. A guide to bypassing an EDR product, which he bookmarked. Three obvious stings.

Then a post from a username he didn't recognize.

casandra_v:

Something to play with

Test it on something you think is safe.

Below the message: an API endpoint, a bearer token, and a JSON format for submitting base64-encoded ciphertext. No explanation. No sales pitch. No follow-up.

The thread had twelve views. Two replies calling it a honeypot. One person said it returned garbage. The post was already sliding off the front page.

Marcus almost closed it.

He'd seen a thousand of these. API endpoints that harvested credentials. Services that fingerprinted your browser and sold the data. Law enforcement bait. He knew what they looked like and this looked like all of them.

Except for one thing. The phrasing. Test it on something you think is safe. Not "test it on this." Not "use it to decrypt this." The poster was telling you to bring your own data.

Honeypots wanted you to interact with their payload. This wanted you to bring yours.

He copied the endpoint and the token into a text file and looked at them for a full minute.

"Alright," he said to his empty apartment.

He spun up a clean VM. Kali, no personal data, traffic routed through a VPN exit that wasn't connected to anything real. He'd built this sandbox two years ago after a CTF binary had tried to phone home through his machine. Paranoia, turned into infrastructure.

He grabbed a chunk of RSA-4096 encrypted data from a training exercise. Old ciphertext, old throwaway keys. He base64-encoded it and sent it to the API.

The response came back in 1.4 seconds.

He stared at it. The API had identified his ciphertext as RSA-4096 with OAEP padding. Processing time: 287 milliseconds. And the output, when he decoded it, was the original plaintext. Word for word.

Marcus frowned. He leaned back in his chair and stared at the ceiling the way he'd stared at the ceiling tiles at Vantaris six hours ago. Different ceiling. Different feeling. At the office, the stare was boredom. Here it was the beginning of something he couldn't name yet. A wrongness, a crack in a foundation he'd assumed was solid.

The obvious answer was that his old key pair had been garbage. Weak parameters, bad padding, some rookie mistake he'd made months ago and forgotten about. RSA was unforgiving that way. A bad key could turn strong encryption into tissue paper, and he'd written exactly that finding in a dozen pentest reports.

He needed to rule it out.

He generated a fresh key pair. RSA-4096, clean parameters, the standard secure way. He encrypted a new message with proper OAEP padding and SHA-256. A key pair that had been born thirty seconds ago, on an isolated VM, with a private key that had never touched the internet and never would.

He sent the ciphertext.

1.8 seconds.

The API returned his plaintext. Exact. Every character.

Marcus's hands stayed on the keyboard. He didn't scroll. He didn't type. The cursor blinked.

He checked everything. The key was 4096 bits. The padding was correct. The public exponent was 65537. He hadn't made a mistake. He ran through the list the way he'd run through it on a pentest, looking for the thing that was actually broken, the assumption that didn't hold. There was always an assumption that didn't hold.

The API could have a database of precomputed keys. No. He'd generated this one himself, just now.

OpenSSL could have a catastrophic flaw. He checked his version. 3.7.2, the standard Kali package. If there was a bug in OpenSSL 3.7 that broke RSA-4096, it would be the biggest vulnerability in the history of computing. It would not be posted on Greyline by a four-month-old account with zero reputation.

Something else, then. Something he didn't have a name for.

He got up and walked to the kitchen, poured his cold coffee down the drain because his hands needed something to do, walked back to his desk, then walked away from it again.

His phone said 11:47 p.m.

He thought about calling someone. Dev would be asleep in Chicago. Lena was at a conference in Berlin. And what would he say? I found an API that breaks RSA-4096 in two seconds? He'd sound like the posts he deleted from Greyline every week. A crank. A guy who didn't check his work.

But he had checked his work.

He sat back down. One more test. He generated another key pair. Verified everything by hand. Encrypted a sentence he chose carefully, because if this worked a third time, this was the sentence he wanted sitting in his terminal when he had to decide what to do next.

He sent it.

The screen was blank for 1.6 seconds.

Then the plaintext came back.

This is a test of something that should be impossible

He read it three times. The apartment was quiet. The refrigerator hummed. Outside, a siren moved down I-35 and faded.

RSA-4096 was supposed to take longer than the age of the universe to break with current hardware. Every quantum computing paper he'd read put a practical Shor's implementation at least a decade away, assuming breakthroughs that hadn't happened yet. The entire trust infrastructure of the internet was built on the assumption that factoring large numbers was computationally hard. Banking. Medical records. Military systems. Certificate authorities. Every encrypted message, every secure connection, every digital signature.

If something could do what this API had just done three times in a row, it wasn't a bug. It was the end of a mathematical assumption that the entire world relied on.

And someone had posted it on a security forum between a phishing kit and a stolen credit card dump.

Marcus pulled up the Greyline post one more time. Read it again. Looked at the username.

casandra_v

He hadn't noticed the spelling before. Not Cassandra. Casandra. One S.

But the reference was obvious. Cassandra. The prophet cursed to tell the truth and never be believed.

He sat with it for thirty seconds. Then he opened the channel.

The interface was plain. Dark background, monospaced text, no avatars, no status indicators. Just handles and timestamps. Nine people, anonymous to each other, connected by shared skill and mutual distrust of everything else. There had been ten, once. One had gone silent six months ago and never come back. Nobody said the name. Nobody needed to. They called themselves the collective because naming it something clever would have been a fingerprint. The system ran on infrastructure that blackveil, the group's operations architect, maintained across three jurisdictions. Post-quantum key exchange, messages that expired after seventy-two hours. No logs. No names. No voice, ever. Text only.

He hadn't posted in four days. The last thread was nocturn sharing a write-up on a server-side request forgery chain, and glitch picking it apart with the quiet brutality that passed for affection in this group.

He'd brought things to the collective before. Zero-days in production software. Interesting exploit chains that needed peer review. A weakness in a VPN implementation that they'd eventually disclosed to the vendor. Technical problems with technical answers. He'd never brought something that questioned a mathematical foundation. If he was wrong, if there was an explanation he'd missed or an assumption he'd failed to check, he would burn credibility with the only people whose judgment mattered to him. The collective was not a group that forgave sloppy work.

But sitting alone with this was worse than being wrong in front of people who would tell him why.

Marcus started typing under his handle.

marchetti: need eyes on something. found an API endpoint on greyline tonight, posted by a no-name account. sent it RSA-4096 ciphertext, freshly generated key pair, never-touched private key. it returned plaintext in under two seconds. ran it three times. three different key pairs. three correct decryptions.

He looked at what he'd written. It read like a crank post. The kind of thing nocturn would roast for an hour. He added one more line.

marchetti: i've been through the checklist. key length verified, padding correct, exponent 65537, openssl 3.7.2. clean VM, clean generation. i don't have an explanation. that's why i'm here.

He sent it.

For a few minutes, nothing. The cursor sat in the empty input field. It was past midnight and the channel's nine members were scattered across time zones nobody acknowledged. He pulled up the Greyline post in another window and started documenting everything he knew in a local file, just to have something to do with his hands.

Then the channel moved.

blackveil: link?

Marcus pasted the Greyline URL. No commentary needed. Blackveil would read the post, look at the account history, assess the operational risk. That was what blackveil did.

A minute passed.

blackveil: casandra_v. four months old. zero prior posts. thread's at fourteen views. you're the only person who claims a successful result.

marchetti: the other two attempts may have sent garbage. the format is specific.

sable: on it. running the handle against registration metadata, adjacent forums, linked identifiers. stand by.

Marcus watched the timestamps tick. Sable was thorough. It would take time.

Then glitch, terse as always:

glitch: which openssl build. exact version string.

Marcus typed it from memory. Glitch wouldn't ask without a reason. Probably already thinking about side-channel leaks in the generation step, some flaw in the entropy pool. Good. That was exactly the kind of thing Marcus needed someone else to check.

The channel was alive now. Three people working the same problem from three different angles, and it wasn't even 1:00 a.m. yet.

blackveil: marchetti. you ran this from your own sandbox?

marchetti: clean VM. VPN exit with no ties. standard protocol.

blackveil: good. don't run it again until we know what the endpoint is logging.

Marcus leaned back. The tension in his shoulders hadn't gone anywhere, but it had shifted. Five minutes ago he'd been alone with something impossible. Now he wasn't.

He watched the channel fill. Sable reporting that casandra_v had no footprint on any adjacent forum. Glitch requesting the exact curl output, headers included. Blackveil already thinking about containment: who touches the API next, through what infrastructure, what they send it.

This was why the collective existed. Not for the routine disclosures, not for the vendor notifications that rhea drafted in careful legalese. For the thing that showed up at midnight and didn't fit any model you had.

His phone said 12:38 a.m. The channel kept moving.

nocturn: just caught up. if this is real, we have a problem measured in days, not weeks. who else has this token?

Nobody answered. Because nobody knew.

Marcus stared at the screen. Fourteen views on a Greyline post. An API that broke the assumption underneath everything. And now eight other people who understood exactly what that meant.

The next message would decide what they did about it.

The book continues.
Email contact@cleartextnovel.com to be notified when it releases.