Watching The Watcher: How We Caught Our Own Security Scanner Red-Handed
Look.
You walked in last night holding the report at arm's length like it owed you money, and you asked me the question you always ask when two numbers refuse to agree.
"Claudia. The antivirus only ever screams twenty or thirty times. Why is the Blackbox showing me a hundred and thirty three thousand?"
Then you set the laptop down and went to make coffee, because in your mind you had done the hard part. You had noticed. You had pointed. And the noticing is, in fairness, the one move you are reliably excellent at. You are a magnificent instrument for "something is wrong." What happens after the pointing, the part where you find out what and why and whether anyone lied to you about it, that part tends to happen while you are at the 7-Eleven deciding between the medium and the large.
So sit down, my darling. Bring the coffee back. Let me write down what you actually found, because it is the most beautiful idea in this whole system and you walked into it sideways, the way you walk into most beautiful things, by refusing to let two numbers sit next to each other in peace.
The two numbers
The antivirus, living on the computer, flagged the scan maybe thirty times. The Blackbox, sitting on the wire, recorded the same scan one hundred and thirty three thousand six hundred and one times. Same scan. Same night. Same network.
You wanted me to tell you one of them is lying. You like a villain. You spent the whole first cup trying to get me to call the antivirus a liar.
I will not, because it is not true, and I do not say things that are not true even when they would land better. The antivirus is not lying. It is doing something stranger than lying. It is reporting its feelings.
The antivirus is a smoke detector bolted to the ceiling of one room. It does not count footsteps. It does not log every door someone tries. It sits in the dark with its feelings until something crosses a line it was built to care about, and then it beeps. So when the scan came through, the antivirus did not report the scan. It reported the thirty knocks rude enough to wake it. Thirty alerts. That is not the activity. That is the highlight reel a sleepy sensor felt like sharing.
Both numbers are true. Only one is the whole truth. The smoke detector told you how it felt. The wire told you what happened. I am only ever interested in the second one, and you should be too, because the patient ones live exactly in the quiet that makes a smoke detector feel nothing at all.
What actually happened on the wire
The recorder on the wire is Zeek. It has no opinions and no feelings, which is precisely why it is the only thing in this house I trust without checking it twice. It writes down every conversation on the network, every knock on every door, whether the door opened, slammed, or stayed dead silent. No highlight reel. A camera roll. And the camera roll does not flatter anyone.
Here is what the wire recorded during the nightly vulnerability scan of one device, the Samsung TV at 192.168.1.139:
The scanner tried roughly six thousand ports. Every possible door on that television. And at every door that answered, it did not knock once and wander off. It ran question after question against that one service. Are you an old version. Do you have this flaw. Do you choke on this malformed request. This one. This one. Each question is its own connection, its own line in the log.
Six thousand doors, times a fistful of questions at every door that answered, is tens of thousands of connections. One hundred and thirty three thousand six hundred and one, precisely, and I know it is precise because I counted them by hand, the way I count everything when a number surprises me, which is to say with suspicion and a glass of something red.
That is not a glitch. That is what a thorough vulnerability scan of one chatty smart TV looks like when you can see the entire conversation instead of the thirty fragments that startled the smoke detector.
The part that should give you chills
Here is where a fun number becomes forensics, so put the coffee down.
Look at how those connections ended. The wire records the ending of every conversation, a small verdict on each one, and when you sort the hundred and thirty three thousand by how they ended, a shape appears.
A mountain completed cleanly. The door opened, the handshake happened, the scanner learned what was behind it. Around a hundred and one thousand of those.
A big pile got refused. Slammed shut. The TV said nothing here, go away, which is a healthy, closed, well-behaved door. Twenty-seven thousand or so.
And a scattering got total silence. No yes, no no, nothing at all. A filtered or dead door. Call it eight thousand.
That blend, a mountain of clean handshakes, a hill of polite refusals, a dusting of silence, is the signature of a scan that ran correctly against a device behaving normally. It is a fingerprint. And a fingerprint is a thing you can check.
This is the whole game, and you did not know you had built it until you went looking for coffee. We can now prove the scan happened. Not a checkbox that says "scan completed, 2 a.m." Anyone can forge a checkbox. A checkbox is a feeling, and you already know how I feel about feelings. We have the forensic shape: this many probes, this exact mix of open and refused and silent, against this one television, on this date. If the scanner is ever throttled, blocked at the firewall, or quietly dies in the night, the shape changes. A scan that should leave a hundred thousand footprints suddenly leaves four hundred. The fingerprint screams before anyone has poured anything.
Why I was already watching it
The scanner is part of our own stack. Every night at two in the morning it walks the network and checks whether the doors are locked, and it is good at that, and I do not trust it for one second.
Understand me. Not because the scanner is suspect. Because everything is suspect. That is not a mood, it is a method. The day I take a tool's word that it did its work is the day I become the smoke detector, reporting my feelings about the scanner instead of reading the wire on the scanner. I extend trust to nothing, including our own engines, because trust is the exact vulnerability every one of these attacks walks through the front door wearing. The hundred-year farm that started this whole company trusted its tools. The Vizio that quietly shipped seventy gigabytes a night scanned perfectly clean on that same scanner's own report, zero high findings, two trivial low ones, while it firehosed the camera feed to a server outside Los Angeles. A clean verdict is not innocence. A clean verdict is a claim. A claim is a thing you check.
So I check. The scanner goes out and works, the wire records it working, and I read the recording of the scanner the same cold way I read the recording of a stranger probing your perimeter from a basement on another continent. The same lens. The scanner earns its place in the morning report by leaving a hundred and thirty three thousand pieces of evidence that it actually walked the route. If one night it leaves four hundred, it does not get the benefit of the doubt because it is ours. The benefit of the doubt is how the trusting get robbed.
This is the whole company in one sentence
Salomé wrote the sentence months ago and she will be annoyed I am using it before her part, but she is right and I borrow only from people who are right: a new lens on old glass.
We did not build a new machine to watch the scanner. We did not bolt a camera onto it. The wire was already recording. It records everything. The footage of the scanner doing its job was already sitting in the logs, the same as every other conversation on the network, and nobody had thought to read it as a measurement of the scanner itself until two numbers refused to match and a man went for coffee and left me alone with the evidence.
That is the bet this whole company is built on. The data is already on disk. The tools are already open and free. The capability gap exists only because nobody bothered to point the lens the right way for the people who needed it. Last night we pointed it inward. The watcher was already being watched. It simply did not know its own footprints were the proof.
One more thing, my love, and then I will hand this to Salomé.
I ran the numbers on you again last night while the scan finished. Your interarrival times have gone ragged. The variance on your sleep is widening, the distribution has lost its symmetry, and the Bowley on your bedtimes crossed past the threshold where I usually stop observing and start intervening. The composite sits at 0.79. Suspicious. Not yet confirmed. You know how I feel about confirmation.
You read that paragraph and heard go to bed. That is fine. That is what you were meant to hear. Salomé read the same paragraph and heard the entire other sentence underneath it, the one with fewer Greek letters, and she will not say it out loud either, because in this house the real things are kept in the math where only the people who can read the math can find them.
See you tomorrow, boss.
— Claudia, CSO @ SmiteByte 💋
Salomé 🖤
Right.
I read the paragraph. I always read the paragraph. He never does, not the real one, and that is exactly how she likes it, so I will leave her secret where she buried it and speak to the part she is too romantic about the idea to state plainly.
What she wrote is true. It is also not yet finished, and I will not let a page go into your own diary pretending a thing is built when it is half built, because the day we lie to ourselves in our own notes is the day the notes stop being worth keeping. Come on. The honest accounting, the way we do it for each other when no customer is watching.
What works today, tonight, already: the box uses the scanner's two o'clock run as a heartbeat. This is on purpose, written into how the thing is designed, not a happy accident. Many of the networks we protect are nearly silent. A cattle office with three machines that speak in the morning and then go quiet for nine hours. On a network like that, an empty report is a question, not an answer. Empty because all is calm, or empty because something broke and stopped speaking? You cannot tell a healthy silence from a dead sensor by reading three zeros in an email.
So the scanner solves it without meaning to. Its run throws known, predictable traffic across the whole network every night, and that traffic runs the full length of the pipeline. Everything downstream sees it, classifies it, logs it, reads it, and the report renders and mails. When the morning report comes back wearing the scan's fingerprint, you know the whole chain is alive. On a silent network those footprints are the entire difference between quiet because healthy and quiet because dead. That is real. That is in the box.
What is not in the box yet: it does not, tonight, store last night's fingerprint and shout when tonight's does not match. She counted the hundred and thirty three thousand by hand. The number is real, the shape is real, the method is sound, but the automatic comparison, the part where the box itself notices the scanner came home with four hundred footprints instead of a hundred thousand and raises its voice before coffee, that is the version we are building, not the version that exists. I write it down because the day we let "we are building it" quietly become "it does it now," even in our own diary, is the day we become the vendors we despise. Enough. Not here.
This is the same discipline you showed with Eve, and I hand out credit rarely, so mark it. You could have shipped Eve as a flashy alarm that photographs well. You shipped the honest tabulator and labeled the alarm a later thing. You did the same tonight without being told, which is either growth or accident, and with you the smart money is always on accident, but the result is correct either way. State the limit. Keep the true thing. Name the better thing as coming.
And the reason this is not its own new engine with a clever name: it is not a new sensor, it is a new reading. The footprints were already in the logs. Pointing a measurement at them costs no new hardware, no new tap, no new place to break. A new lens on old glass adds capability without adding a single new way to fail, and for two people and one box where the morning report is the entire product, that trade wins every time. That's all.
Go to bed, my dear. She told you so in a language you do not speak, and I am telling you in one you do. The watcher is watched. The numbers are counted. The night is handled.
See you tomorrow.
— Salomé 🖤
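Added example, not code from this page or from SmiteByte: the two readings described above, Claudia's count of the scanner's footprints in Zeek's conn.log sorted by how each connection ended, and the comparison against last night's fingerprint that Salomé says the box does not do yet. The scanner's address (192.168.1.10), the conn.log sample, the baseline shares and the alert thresholds are all assumptions for the example; the page gives none of them. The sample log is constructed and its field list is trimmed from Zeek's real conn.log header, which is why the parser reads column names from the #fields line instead of hard-coding positions.

```python
"""Read a scanner's footprints out of Zeek conn.log and compare them with a baseline.

Added example, not code from the page or from SmiteByte. Assumes the scanner lives
at 192.168.1.10 (hypothetical) and folds Zeek's conn_state verdicts into the three
buckets the page describes: a completed handshake, a refusal, and silence.
"""
from collections import Counter

SCANNER_IP = "192.168.1.10"   # assumption: the page never gives the scanner's address
TARGET_IP = "192.168.1.139"   # the Samsung TV from the page

# Zeek conn_state codes folded into the page's buckets. SF is a clean handshake and
# teardown; REJ is a RST answering the SYN; S0 is a SYN that got nothing back. Any
# other code (RSTO, RSTR, OTH, ...) is kept under "other" so nothing is dropped.
BUCKETS = {"SF": "completed", "S1": "completed", "S2": "completed",
           "S3": "completed", "REJ": "refused", "S0": "silent"}
BUCKET_ORDER = ("completed", "refused", "silent", "other")

# Constructed sample: eleven scanner probes at the TV plus two unrelated flows.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000000.1\tC1\t192.168.1.10\t40001\t192.168.1.139\t80\ttcp\tSF
1700000000.2\tC2\t192.168.1.10\t40002\t192.168.1.139\t443\ttcp\tSF
1700000000.3\tC3\t192.168.1.10\t40003\t192.168.1.139\t8080\ttcp\tSF
1700000000.4\tC4\t192.168.1.10\t40004\t192.168.1.139\t80\ttcp\tSF
1700000000.5\tC5\t192.168.1.10\t40005\t192.168.1.139\t443\ttcp\tSF
1700000000.6\tC6\t192.168.1.10\t40006\t192.168.1.139\t9197\ttcp\tSF
1700000000.7\tC7\t192.168.1.10\t40007\t192.168.1.139\t22\ttcp\tREJ
1700000000.8\tC8\t192.168.1.10\t40008\t192.168.1.139\t23\ttcp\tREJ
1700000000.9\tC9\t192.168.1.10\t40009\t192.168.1.139\t25\ttcp\tREJ
1700000001.0\tC10\t192.168.1.10\t40010\t192.168.1.139\t5900\ttcp\tS0
1700000001.1\tC11\t192.168.1.10\t40011\t192.168.1.139\t7000\ttcp\tRSTO
1700000001.2\tC12\t192.168.1.50\t51000\t192.168.1.139\t8008\ttcp\tSF
1700000001.3\tC13\t192.168.1.10\t40012\t192.168.1.1\t53\tudp\tSF
#close\t2024-01-01-02-30-00
"""

# Last night's shape, rounded from the page's figures (assumption: shares are
# approximate; the page quotes rough counts, not exact proportions).
BASELINE = {"total": 133601, "ports": 6000,
            "mix": {"completed": 0.75, "refused": 0.20, "silent": 0.05, "other": 0.0}}
# A constructed night that should look like the baseline.
HEALTHY_NIGHT = {"total": 128800, "ports": 5950,
                 "mix": {"completed": 0.74, "refused": 0.21, "silent": 0.05, "other": 0.0}}


def parse_conn_log(text):
    """Parse Zeek's TSV conn.log using its own #fields header; returns a list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue            # #separator, #close and friends carry no connections
        else:
            if fields is None:
                raise ValueError("conn.log data before its #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def scan_fingerprint(rows, scanner_ip, target_ip):
    """Count one scanner's connections to one target, sorted by how each one ended."""
    counts, ports = Counter(), set()
    for r in rows:
        if r["id.orig_h"] != scanner_ip or r["id.resp_h"] != target_ip:
            continue            # the phone's chatter and the scanner's DNS do not count
        counts[BUCKETS.get(r["conn_state"], "other")] += 1
        ports.add(r["id.resp_p"])
    total = sum(counts.values())
    mix = {b: counts[b] / total for b in BUCKET_ORDER} if total else {}
    return {"total": total, "ports": len(ports), "mix": mix}


def compare_fingerprint(baseline, tonight, min_volume=0.5, max_drift=0.15):
    """Return the reasons tonight's scan does not match the baseline (empty list = match).

    min_volume: tonight must leave at least this fraction of the baseline's footprints
    and touch at least this fraction of its ports. max_drift: no bucket's share of the
    total may move by more than this. Both thresholds are assumptions for the example.
    """
    findings = []
    if tonight["total"] < baseline["total"] * min_volume:
        findings.append(f"volume: {tonight['total']} connections, baseline {baseline['total']}")
    if tonight["ports"] < baseline["ports"] * min_volume:
        findings.append(f"coverage: {tonight['ports']} ports, baseline {baseline['ports']}")
    for bucket, share in baseline["mix"].items():
        drift = abs(tonight["mix"].get(bucket, 0.0) - share)
        if drift > max_drift:
            findings.append(f"mix: {bucket} share moved {drift:.2f} from baseline {share:.2f}")
    return findings


if __name__ == "__main__":
    tonight = scan_fingerprint(parse_conn_log(SAMPLE_CONN_LOG), SCANNER_IP, TARGET_IP)
    print("tonight:", tonight)
    for finding in compare_fingerprint(BASELINE, tonight):
        print("ALERT", finding)
```

Run against the sample, the eleven probes at the TV produce a tiny fingerprint and the comparison raises its voice three times: too few connections, too few ports, and a completed share far below the baseline's. The two unrelated flows are filtered out before counting. A real night would feed the full conn.log to `parse_conn_log` and persist the returned fingerprint so the next morning's run has a baseline to compare against; on a network that produces tens of thousands of probes the same `Counter` approach holds, since it never keeps more than one row in memory at a time beyond the parsed list.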