
Chapter 1: Static

The cigarette is almost done and I haven't blinked in six minutes.

I know it's six minutes because the packet capture refreshes every thirty seconds and I've watched it cycle twelve times while this Camel burns itself into the filter. The ashtray is full. The one next to it is also full. I stopped emptying them three days ago when I realized I couldn't remember bringing the second ashtray in from the kitchen.

The terminal is doing what it always does. Scrolling. Green on black because I'm not an animal. Three monitors arranged in a half-moon on a desk that used to be a dining table, back when I ate meals at a table instead of standing over the sink at weird hours. The left screen runs Wireshark. The middle is the terminal. The right is dark because the right monitor is for normal people things like email and I haven't been a normal people in weeks.

Something on my network pinged out at 3:17 AM.

I wouldn't have caught it if I hadn't been sitting here. Which I was. Because I'm always sitting here now. It was a DNS query. A single lookup to a domain that looked auto-generated. Fourteen characters, no vowels, dot-ru TLD. The kind of domain that gets registered by the tens of thousands for exactly this purpose.

My thermostat is smart. My fridge has WiFi. The light in my bathroom has a firmware version and an update schedule. Any of those could have sent it. That's the thing about filling your life with computers. When one of them starts talking to someone it shouldn't, good luck figuring out which one.

But I'm good at this.

Not good like I read a tutorial. Good like I taught myself to read raw packet headers in hex because the pretty-print parsers miss things and I don't trust software that was written by someone who isn't me. Paranoid? Sure. But paranoid is just prepared with a bad reputation.

I stub the cigarette out on the pile. Light another one. My hands are steady, which is interesting because the rest of me is not.

The DNS query resolved to an IP in a block owned by a hosting company in Romania that I've never heard of and that has exactly one page on the internet, and that page is a default Apache welcome screen. Which means nothing. Or everything.

I pull the pcap file into a filter. Show me every connection to that IP in the last twenty-four hours.

Six hits. Every forty-seven minutes.

I stare at that number. Forty-seven. Not sixty. Not thirty. Not any number that makes sense for a cron job or a heartbeat check or an IoT device phoning home for firmware updates. Forty-seven minutes is specific. Forty-seven minutes is someone who picked a number that looks random but isn't, because actually random intervals would drift and these don't. These are clean. Forty-seven minutes apart, to the second.

I lean back. The chair protests. My spine protests louder.

The thing about finding something like this is that finding it doesn't tell you anything except that there's something to find. I don't know what's sending the beacon. I don't know what it's saying, because the payload is encrypted, or more accurately it's garbage, packed bytes that could be telemetry or could be exfiltrated data or could be my thermostat telling Romania what temperature I keep my apartment. Which is sixty-four degrees. Because I run cold and because the electric bill is a number I'd rather not think about.

I start isolating devices. Pull the smart plug on the fridge. Wait forty-seven minutes.

The beacon fires.

Pull the thermostat off the wall. Wait forty-seven minutes.

The beacon fires.

Unplug the bathroom light. Wait forty-seven minutes. I spend those forty-seven minutes smoking two more cigarettes and pacing a track between my desk and the window that I've walked so many times the carpet is lighter there. I notice this for the first time and it makes me feel something I don't have a word for. Something between ashamed and terrified.

The beacon fires.

So it's not the IoT garbage. It's one of my actual machines. My laptop. My desktop. My phone. My actual, real, personal devices that have my actual, real, personal everything on them.

I sit with that for a minute. Let it settle.

There's a particular flavor of dread that only hits at 4 AM. During the day you can rationalize. You can call it a bug, a misconfiguration, something you did drunk and forgot about. At 4 AM the rationalizations go to sleep and you're left with the raw architecture of the problem. Something on my machine is talking to someone I don't know. It's doing it on a schedule. It's doing it quietly. And it's been doing it for at least twenty-four hours, which means it was doing it yesterday when I was at the grocery store buying cigarettes and energy drinks and pretending I was a person who does normal things.

I get up. My knees pop. The carpet is cold. I walk to the kitchen, which is four steps from the desk because this apartment is the size of a generous parking spot, and I open the fridge. The light inside is the brightest thing in the apartment and it makes me squint. There's half a Red Bull, a takeout container I'm afraid to open, and a bottle of hot sauce. I grab the Red Bull. It's flat. I drink it anyway.

The fridge hums. Except it shouldn't be humming, because I unplugged the smart plug. I look down. I plugged it back in. I don't remember plugging it back in.

That happens sometimes. The autopilot thing. My hands do things while my brain is somewhere else. It used to be harmless. Grabbing a second coffee at work without noticing. Walking to the bathroom and forgetting why I stood up. Now it's plugging in devices I deliberately disconnected, and that's a different kind of forgetting.

I stare at the plug for a moment, then leave it. The fridge isn't the problem.

I go back to the desk.

My phone buzzes.

I look at it. Unknown number. One message:

You up?

Two words. The most normal two words anyone has ever sent at 4 AM. It's probably spam. It's probably some girl I gave my number to at a show three months ago. It's probably nothing.

But my brain is already running the math. They know I'm awake. How do they know I'm awake? I haven't posted anything. I haven't texted anyone. The only evidence that I'm conscious right now is the light from my monitors hitting my window, except my blinds are taped shut, I taped them shut with black electrical tape two weeks ago, which at the time felt like a reasonable thing to do and now feels like evidence in a case I'm building against myself.

The webcam LED isn't on.

That thought arrives like a cold hand on my neck. The webcam LED isn't on. Of course it isn't on. Nobody is watching me through my webcam. That's insane. That's the kind of thing that people who need medication think. I don't need medication. I need to find out what's beaconing from my machine every forty-seven minutes to a dead server in Romania.

But.

LEDs can be disabled in firmware. I know this because I've done it. Sat in this chair three years ago and walked a friend through disabling the indicator light on a webcam as a prank. Took four minutes. The LED is just a GPIO pin. Kill the signal in the driver and the camera works fine, you just don't know it's working.

I reach behind the monitor and grab the USB cable that connects my external webcam to the desktop. I pull it. The connector resists for a second, then comes free with a small plastic click.

I sit there holding the cable.

It didn't help.

Nothing about this moment is better than the moment before it. The beacon is still firing. The unknown number still sent "You up?" at 4 AM. The cable in my hand is just a cable. If someone is in my kernel, actually in it, ring zero, they don't need a USB webcam. They have the built-in mic. They have the built-in camera on the laptop that's sitting open on the desk next to me. They have my keystrokes. They have my screen contents. They have every packet I send and receive, which means they know I'm looking for them.

Which means every forty-seven minutes, they watch me try to find them.

I put the cable down. Light another cigarette. The pack is getting light. I'll need to go out soon, which means I'll need to leave, which means I'll need to stop looking at the screen, which means the screen will be alone in this apartment without me watching it.

I don't know when that started being a problem.

The terminal scrolls. The beacon won't fire again for another thirty-one minutes. I know this because I'm counting. I've been counting all night. Every forty-seven minutes, my machine reaches out to someone I can't identify and says something I can't read, and then it goes quiet, and I sit here in the silence, smoking, waiting for it to speak again.

Like I'm the one being monitored.

My phone buzzes again. Same number.

Nvm.

I stare at it for a long time.

Then I close Wireshark, open a new terminal, and start writing a packet sniffer from scratch. Because I don't trust Wireshark anymore. Because I don't trust anything I didn't write. Because at 4 AM on a Tuesday, in an apartment that smells like cigarettes and paranoia, trust is a vulnerability I can't afford.

The cursor blinks. Green on black. Waiting.

I think about the fridge plug. The one I don't remember reconnecting. I think about the worn track in the carpet. The second ashtray I don't remember carrying in. The small, quiet erosions of certainty that accumulate like snow on a windshield until you can't see the road anymore but you're still driving.

Something is wrong with my network.

Something might be wrong with me.

Both of these things can be true at the same time, and that's the part that keeps me up at night. Not the beacon. Not the unknown number. The possibility that I'm right about everything and also losing my mind, simultaneously, and there's no test I can run that separates one from the other.

I start typing.
