
“That’s absurd!” David said. “There’s no way ELOPe can monitor a phone conversation.”

“Really?” Gene said. He waved a sheaf of papers in front of David. “What did more than twenty contractors do over the holiday? Can you guarantee that no one created a voice-to-text bridge?”

“Fuck.” David’s shoulders slumped in defeat.

“OK, we get the message,” Mike said. “No emails, no computer use, and no phones if possible. Can we meet back here in, say, two hours?”

“Yeah, sure, kid. Two hours.” Gene packed up his bag and left.

* * *

Without a computer to look up a campus map, David and Mike spent forty minutes wandering the buildings of the Avogadro campus.

“Come on, let’s just look up the address,” David said.

“No dude, we just said we wouldn’t use any computers.”

“What harm can come from looking up one thing in the directory?”

Mike didn’t answer, and instead accosted the next person that came down the hallway. “Excuse me, I’m looking for the IT department that handles access controls?”

She gave him a strange look. “Just look it up in the directory.” She turned and went on.

“You just picked her because she was cute and blonde,” David said, laughing.

Mike just smiled back.

David tried with the next person who walked down the hall, an older man with a two-day beard and a pot belly. “Do you know where we can find the IT department that handles access controls?”

“Sure, that’s the Internal Tools department. They’re in the basement somewhere.”

“Which basement?” Mike asked. “We have twelve buildings.”

The man shrugged. “It’s dark and dingy, that’s all I remember,” he answered as he walked away.

“They’re all dark and dingy,” David complained.

“Don’t worry about it, it’s our first useful clue.”

Fifteen minutes and four basements later, they found the Internal Tools IT department in the basement of one of the original converted factory buildings.

The first person they found refused to help them at all on the grounds that if their access had been removed, it had to have been done legitimately. But they argued for so long and at such volume that it attracted the attention of a nearby engineer.

“I’m Pete Wong,” he said, introducing himself. “I’m in the Internal Tools department. I implemented the Control Access and Permissions application. On the off chance there really is a problem, I’d be interested in investigating it.”

Pete led them back over to his work area.

“Let me see who authorized these access changes,” Pete said, as he took a seat behind his desk. “The only way any changes can be made is using the Control Access and Permissions app, or CAP. If someone removed your access inappropriately, I can find out who, and we can contact them.”

David and Mike looked at each other in relief, glad to finally find someone who seemed helpful and knowledgeable. They took side-by-side chairs in front of Pete’s desk.

“It’s odd,” Pete said after working on his computer for a minute. “CAP should log information for two users. The first user would be the person who actually logged on and was using CAP, and the second user is the person who authorized the work. We need the two because sometimes a manager has their admin make changes for them. We need to track that the admin modified access rights, but the executive authorized it. According to this, Gary Mitchell authorized the removal of your access rights to the ELOPe project, but there is no record of the user who made the change.” Pete paused, and poked at his mouse, clearly frustrated. He looked up at them.

“It’s almost as if it wasn’t a person, but another application,” Pete said thoughtfully after a minute.

“Can you tell us more?” David asked. “We’re both programmers. Can you explain it to us?”

“Well, I was going to say that it was almost as if CAP was being called by another web app, rather than a person directly. Most of the web apps we write have service level interfaces so that we can have one application interact with another.”

“That makes sense. Some kind of XML interface?” Mike suggested, interested in the technical details.

“Exactly, but CAP is, for obvious reasons, a sensitive application from a security perspective. We didn’t write a service level interface for it.” Pete thumped his fingers on his desk, and stared off into the distance. “Now that I think about it, I received a request to write a service level interface for CAP just before the holiday break, but I denied the request.”

“Who asked you to?” Mike asked.

“Let me check. We have an Internal Tools request database where it would be logged.” Pete typed for a minute. “Huh. The request came from Gary Mitchell. What the hell is Gary up to?”

“I can’t stand Gary, and I definitely don’t trust him,” David said, “but in this case, I don’t think Gary is up to anything at all.” He paused. “Look, is there any way that someone could have emailed in an access change? Or emailed in a request to change CAP so that it would accept email inputs?”

“By email? No, of course not. They would have to submit their requests via the appropriate web application…” Pete said, and then trailed off. “Hmm… It is really funny that you ask that question.”

“Yes?” Mike prompted, with a meaningful glance at David.

“A couple of weeks before the Christmas break there was a really odd request. From a guy named John Anderson in Procurement. He asked me to write an email-to-web bridge so that people could submit their Procurement requests via email. And it turned out to be really easy to write a generic bridge that did just that. In fact, I remember testing it against our Internal Tools Request app, and it worked just fine.”

“But that wouldn’t allow someone to make unauthorized changes would it? I mean, they would still have to provide a login name and password to a secure system, would they?” Mike asked, his voice going up a notch.

“Not exactly,” Pete said. “See, the Procurement system wanted to know the authorized user. I figured that AvoMail is secure, right? I mean, you interact with AvoMail over a secure HTTP connection, so nobody can see your password, nobody can pretend to be you. I wrote the web service layer so that when it saw the email bridge, it would automatically use the sender of the email as the authorized user. The email system seemed as secure or better than a username or login.”

Mike and David nodded rapidly, showing they understood, and encouraging Pete with his explanation. David felt gratified that there just might be an explanation behind how ELOPe was accomplishing so much. It took the events of the past few weeks out of the realm of the supernatural, and back into the realm of the technical. Technical problems could be solved.

“So you’re saying that someone who has access to email can hit pretty much any web page inside Avogadro? If they somehow hacked the email system, they could get uncontrolled access to any web application? Didn’t that seem a little risky to you? Didn’t it have to go through some kind of security review?” Mike asked the questions rapid fire.

Pete visibly wilted under the onslaught of questions.

“Sorry,” Mike started again. “I’m just trying to understand. I’m not judging anything.”

Pete nodded in acceptance. “Well, I feel embarrassed saying this. Sean Leonov had asked me to do it. I thought that if it was for Sean, well, I should pull out all the stops and get it done. I mean, I’m stuck down here in Infernal Tools.” He gestured at the cinderblock basement wall behind him, in stark contrast to Mike and David’s wall-to-wall windowed offices. “How often do I get to impress someone?” Pete shook his head. “So, no, I didn’t get it reviewed. It’s totally off the radar.”