{"slug": "stratagems-17-alex-set-an-ai-bait-the-catch-wasn-t-code-it-was-someone-who-t", "title": "Stratagems #17: Alex Set an AI Bait. The Catch Wasn't Code — It Was Someone Who Shouldn't Have Been Watching.", "summary": "An engineer at MedTech discovered a covert data extraction pipeline after setting a bait using a shadow training pipeline. The shadow pipeline, built inside the CI/CD system, tagged training data with an invisible signature. The watermark detection script revealed that tagged records were being exfiltrated to an external S3 bucket via an unattended microservice deployed five months prior.", "body_md": "Toss out a brick to lure a jade gem.\n\n— The 36 Stratagems,[Throw Out a Brick to Get a Jade]\n\n**Previously on this series:**\n\n[ #8: Alex Watched an AI Dashboard Take Over.](https://dev.to/xulingfeng/stratagems-8-alex-watched-an-ai-dashboard-take-over-he-kept-the-keys-under-the-table-3n70) — MedTech signed a million-dollar AI monitoring contract. Alex built a hidden panel during training. When the panel failed, only he could read and write production.\n\n[ #15: Derek and Alex Shared One Server. ACL's AI Was Listening to Both.](https://dev.to/xulingfeng/stratagems-15-derek-and-alex-shared-one-server-acls-ai-was-listening-to-both-2j73) — Alex and Derek faked an alert to divert ACL's audit engineer, then redirected the collector output. Alex never forgot ACL's pipeline signature.\n\nAlex didn't watch alerts. He watched patterns.\n\nAn alert tells you what broke. A pattern tells you what's changing.\n\nMonday morning, 2 AM. He pulled MedTech's AI monitoring platform sensitivity curves for the past sixteen weeks. Three lines: anomaly detection rate, false positive rate, coverage rate. The first two fluctuated within normal range. The third — sterilization compliance anomaly detection — dropped **1.5% per week.**\n\nThe curve was too smooth. Not random noise.\n\nHe checked model drift, data shift, config changes. If it were natural drift, the curve wouldn't be linear — drift has acceleration phases and plateau phases. It doesn't drop exactly 1.5% every week. Someone was pressing the metric down on a schedule.\n\nHe couldn't find the contamination source. But he could trace where the contaminated data went.\n\nAlex spent four days building a shadow training pipeline inside the CI/CD pipeline.\n\nIt was identical to MedTech's real training pipeline — same API endpoints, data format, auth protocol, log format. Indistinguishable.\n\nOne difference: data flowing through this pipeline would get an invisible signature — a 128-bit hash embedded in the least significant bit of each training sample's float feature values, generated from the sample ID and a pipeline key. Float32 mantissas have 23 bits. Modifying the LSB introduces error at the 10⁻⁷ scale — negligible impact on model training accuracy.\n\nHe registered the shadow pipeline address in the CI/CD routing config under `train-pipeline-fallback`\n\n, weight **12%.** Next to it, a comment:\n\n```\n# fallback pipeline active — 12% load distribution per Q3 infra scaling plan\n```\n\nLooked completely normal. A gray-scale traffic split.\n\nIf anyone reviewed the CI/CD config, they'd read a routine fallback routing. Alex was simply waiting to see if data from that 12% end would flow somewhere it shouldn't.\n\nAfter lunch, Mike walked past Alex's desk and stopped for two seconds. He'd been reviewing the Q3 infrastructure scaling plan that morning — the fallback route was sitting right there in the change record. And Alex's screen was now running a validation script that happened to read that route's output.\n\n**\"That fallback.\"**\n\nAlex's fingers paused over the keyboard.\n\nMike didn't wait for an answer. He kept walking.\n\nDay seven. 2:14 AM. The watermark detection script triggered.\n\nThree tagged training records had appeared in an external S3 bucket:\n\n`s3://acl-data-lake-apse1/inbound/medtech/training/`\n\nAlex traced the data flow backward. The path from the shadow pipeline was clean: CI/CD runner → a microservice called `data-validate-svc`\n\n→ external S3.\n\nHe checked the deployment history of that service. `data-validate-svc`\n\nhad been running in MedTech's K8s cluster for **five months** — deployed on a Friday night, from the account of an SRE who no longer worked there. Permissions never revoked.\n\nHe followed the service's logs. No human was operating it.\n\nBetween 3 AM and 4 AM, it completed the following tasks: received shadow pipeline output → validated data format → dumped to external S3 → cleaned local cache. No gaps, no fluctuation, no trace of manual intervention.\n\nNot someone operating remotely. An unattended extraction pipeline, deployed five months ago, running silent.\n\nAlex stared at the deployment date on his screen. **Five months.** Nearly a hundred and fifty days of training data, all passing through its hands.\n\nAlex didn't act immediately. He waited three days to confirm the pipeline's sync cycle — every 72 hours, on schedule, no misses.\n\nThen he walked into Mike's office and closed the door.\n\nHe opened his notebook. Page corner marked with two numbers: ** 1.5%** and\n\n`2:14AM`\n\n\"The training pipeline has a **backdoor.** Sterilization compliance data has been siphoned at 1.5% per week for **five months.** The source is **ACL.**\"\n\nFour sentences. No conclusion.\n\nMike leaned back.\n\n**\"Go on.\"**\n\nThat evening, hallway. Alex and Mike passed each other. Mike said:\n\n**\"Is that exit still active?\"**\n\n**\"It is.\"**\n\nMike nodded. Didn't stop walking.\n\nAlex didn't pull the extraction pipeline.\n\nHe added a new logic layer to the shadow pipeline: wrap the watermarked data in a fake encryption shell, disguised as MedTech's internal archive format for a retired project. The extraction pipeline would sync it to ACL's S3 bucket as before — but ACL would read nothing but unparseable archive noise.\n\nHe knew it was a double-edged sword — if the other side monitored data quality, a sudden shift to noise was itself a disclosure signal. But he bet that a pipeline that had run error-free for five months wouldn't have its output reviewed in real time.\n\nHe wrote a third number in his notebook: ** data-validate-svc**.\n\n*The tool is still yours. The route is now mine.*\n\nTracing the extraction pipeline's full data flow, Alex noticed a detail: data passed through an intermediate service that wasn't on any architecture diagram. `data-timeline-aligner`\n\n. Unremarkable name. K8s labels: `team: infra-optimization`\n\n. Deployed three months ago.\n\nHe looked at its input and output. It did timestamp alignment — but it was aligning a timestamp format that didn't belong to any MedTech data source.\n\nHe read the source.\n\nShort. A standard Python ETL script — read S3, convert timestamps, write back to S3. No hidden network calls, no suspicious external dependencies.\n\nBut reading it the third time, he slowed down.\n\nNot because of what the code did — but how it was written.\n\nEvery line was a pure function. No classes, no decorators. Variable names short enough to be unambiguous: `ts_src`\n\n, `dst_fmt`\n\n, `buf_size`\n\n— everything that didn't carry information had been cut.\n\nHe compared it against other services in ACL's pipeline. ACL's code didn't look like this — every line had team tags and compliance comments. Tidy. Traceable. No personality. This one was different.\n\nHe checked the CPU curve again. This service's data throughput didn't match its claimed timestamp-alignment workload — it was processing **three times** the data a simple alignment task would need. It wasn't just aligning timestamps. It was doing something else.\n\nHe paused. He didn't look at just this one service. He wrote a local script — pull every Pod with a Python container from the K8s namespace the extraction pipeline lived in, fingerprint the source code of each.\n\nThe output arranged itself into a table:\n\n| Service | Deployed | Code Style |\n|---|---|---|\n| ACL standard services (67) | Scattered | Classes, pylint, docstrings |\n`data-timeline-aligner` |\n3 months ago | Pure functions, short vars, zero comments |\n`log-rotate-checker` |\n4 months ago | Same |\n`config-diff-watcher` |\n5 months ago | Same |\n`route-latency-collector` |\n5 months ago | Same |\n\nFour services. Same hand. Spread across pipeline, storage, and monitoring — three different layers. Each one doing something that looked normal but shouldn't exist. Together, they formed an observation net that ACL itself didn't know about.\n\nThe oldest two were deployed the same week as ACL's own extraction pipeline. Not a coincidence — whoever this was had found the entry point the moment ACL opened it, and laid their own contacts in parallel.\n\nEach service's CPU and memory footprint was under **50m CPU** and **128Mi**. Named like infrastructure components, labeled `team: infra-optimization`\n\n. They wouldn't be caught by cost optimization scans, wouldn't be the first suspects in an incident, wouldn't appear on any onboarding handover. 128Mi was baseline for a Python interpreter plus boto3 — if memory leaked, the Pod would restart once a month and K8s would pull it back up automatically.\n\nThere wasn't just one pair of eyes in this cluster. There was another, five months earlier than ACL's. And he'd only just found it.\n\nHe went back to `data-timeline-aligner`\n\n's source. Read it again.\n\nA new file in the directory: `config/hmac_seed.yaml`\n\n. Not unusual in a K8s microservice — services share an HMAC seed for lightweight validation. The file was short:\n\n```\n# TODO: migrate to vault after next schema migration\nseed: \"b3BlcmF0b3I6IHN0YWdlLTJjb21wYW55LnBpcGVsaW5lLmRlcGxveQpzZXJ2aWNlOiBkYXRhLXRpbWVsaW5lLWFsaWduZXIKLS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0t...\"\n```\n\nA Base64 token in a config file — no one would look twice in any codebase. He copied the whole thing and decoded it.\n\nASCII text. Starting with ** -----BEGIN PGP PUBLIC KEY BLOCK-----**.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINBGeXz1kBEAC...\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\nNot ACL's asset. Not MedTech's.\n\nAlex didn't act immediately.\n\nHe stared at that Base64 string for a few seconds. A PGP public key from an unknown source — once you encrypt a message with it, the intent, connection path, and return route all belong to the key's owner. If the key itself was a trap, sending a message was walking in.\n\nHe encrypted a message with that key. The payload included his own public key and a return path — the same key prefix in ACL's S3 bucket. Then he POSTed the ciphertext to `data-timeline-aligner`\n\n's `/healthz`\n\nendpoint.\n\nThe endpoint returned **200.** GET returned health status. POST with a specific header silently wrote to S3 — no logging, no trace.\n\nThe message was short:\n\n```\nFound you. Nice comments.\n```\n\n4:17 AM. He checked that S3 path.\n\nA new encrypted file was waiting. He retrieved it, opened it with a key only he could decrypt.\n\nThree characters:\n\n```\nChannel confirmed.\n```\n\nNo explanation. Same style as the code — straight in.\n\nHe didn't write back. He opened his terminal, encrypted a short data packet with that public key — not a message, a cryptographic handshake confirmation. Wrote it to ACL's S3 bucket, the key prefix adjacent to the extraction pipeline's sync path. A bidirectional verification only the private key holder could complete.\n\nThen he closed his notebook, turned to the last page, and left a blank page.\n\nThe way the other person left a key was the same way he left a blank page — not for now. For one day.\n\nAlex closed his notebook. The Third Cup's lights were still on.\n\nThe person behind the counter was drying the last glass of the night. One table left — the one by the window.\n\nA closed laptop on the table. A phone next to it, screen down. Someone leaning back in the chair, not leaving.\n\nThe phone on the table lit up.\n\nNot a notification. An SSH tunnel check script's auto-echo — three lines: S3 bucket path reachable, two new objects, one of them reading ** ACK**.\n\nP didn't pick it up immediately. Let the screen dim. Then reached over, flipped the phone over, typed a command one-handed.\n\nDecrypt. Read. No visible reaction.\n\nFinished, P set the phone back on the table, walked to the counter.\n\nThe person behind the counter put down the glass they were drying, turned to make a coffee. Pushed it across without a word — wasn't the first time they'd seen this person at this hour.\n\nP picked it up. Drank it black. Set the empty cup back on the counter. Walked back to the window. Pocketed the phone, tucked it into the jacket's inner pocket. Pushed the door open without looking back.\n\nThe person behind the counter looked at the door as it swung shut. Pulled down the rolling shutter.\n\nThe brick was out. The jade would surface.\n\n*He was someone else's jade too.*\n\nThat's [Throw Out a Brick to Get a Jade](https://en.wikipedia.org/wiki/Thirty-Six_Stratagems#Tossing_out_a_brick_to_lure_a_jade_gem_(%E6%8B%8B%E7%A3%9A%E5%BC%95%E7%8E%89,_P%C4%81o_zhu%C4%81n_y%C7%90n_y%C3%B9)) — not tricking someone with a fake. It's putting out something real, with a signature only the right person would notice. Then waiting for them to tell you not just that they're watching — but that someone else was here before you.\n\n```\n[36 Stratagems Tactical Database v3.2.5] Loaded\n[Tactic Match] Throw Out a Brick to Get a Jade (#17)\n\nTactic Match: 91%\nOperator: Alex (MedTech)\nAction: Deployed a shadow training pipeline with\n  embedded watermark.\nResult: Exfiltration path confirmed. Third-party\n  beacon discovered.\n\n[Observation]\n  → Operator used no internal resources beyond CI/CD\n    routing config (12% weight).\n  → Detection latency: up to 72h (matches sync cycle).\n  → Subject's infrastructure includes an autonomous\n    extraction pipeline active for ~5 months.\n\n[Second Operator — Unidentified (Codename: P)]\n  → Deployed 4 covert services across pipeline/storage/\n    monitoring layers. Each disguised as standard infra\n    component (labels: team/infra-optimization).\n  → Resource footprint: 50m CPU / 128Mi each — below\n    cost-optimization thresholds. Pod restarts absorbed\n    silently by K8s.\n  → Operational signature: Pure-function Python, minimal\n    variable naming, zero comments — identifiable by code\n    style alone.\n  → Entry vector: Same week as ACL's own deployment.\n    Operator entered alongside ACL, without ACL's knowledge.\n  → Beacon method: PGP public key embedded in Base64-\n    encoded config key (hmac_seed.yaml), disguised as\n    routine initialization token.\n  → Contact method: undocumented /healthz POST handler\n    with header-based filtering. No logging. Single\n    response received, confirming channel.\n\n[Operator Assessment]\n  → Role: Embedded observer. Autonomous deployment.\n    No external command dependency.\n  → Deployment strategy: 4 independently operable\n    services, zero cross-dependency. If one is\n    discovered, the remaining 3 continue operating.\n  → Contact design: Asymmetric channel. P can receive\n    indefinitely without revealing identity — the\n    communication protocol does not require a response.\n  → Risk posture: Ultra-low. No identity markers in any\n    artifact. The PGP key itself is the only connection\n    point — and it was planted as a deliberate beacon,\n    not a leak.\n  → Database note: This operator's deployment discipline\n    matches the highest tier observed in this tactical\n    database.\n\n[⚠️ Anomaly — Critical]\n  → Two unaffiliated operators have planted assets within\n    ACL's infrastructure. Neither knows the other's identity.\n  → Implication: ACL's infrastructure has been permeable\n    to operators of a certain capability threshold for\n    at least five months.\n```\n\n*Next stratagem: Defeat the Enemy by Capturing Their Chief*\n\n*P.S. English isn't my first language. I use AI to polish the writing and smooth out the rough edges. Thanks for reading. ☕ Buy me a coffee*", "url": "https://wpnews.pro/news/stratagems-17-alex-set-an-ai-bait-the-catch-wasn-t-code-it-was-someone-who-t", "canonical_source": "https://dev.to/xulingfeng/stratagems-17-alex-set-an-ai-bait-the-catch-wasnt-code-it-was-someone-who-shouldnt-have-been-4893", "published_at": "2026-07-18 01:41:25+00:00", "updated_at": "2026-07-18 01:57:56.190892+00:00", "lang": "en", "topics": ["ai-infrastructure", "ai-safety", "ai-ethics", "developer-tools"], "entities": ["MedTech", "Alex", "Mike", "ACL", "AWS S3", "Kubernetes"], "alternates": {"html": "https://wpnews.pro/news/stratagems-17-alex-set-an-ai-bait-the-catch-wasn-t-code-it-was-someone-who-t", "markdown": "https://wpnews.pro/news/stratagems-17-alex-set-an-ai-bait-the-catch-wasn-t-code-it-was-someone-who-t.md", "text": "https://wpnews.pro/news/stratagems-17-alex-set-an-ai-bait-the-catch-wasn-t-code-it-was-someone-who-t.txt", "jsonld": "https://wpnews.pro/news/stratagems-17-alex-set-an-ai-bait-the-catch-wasn-t-code-it-was-someone-who-t.jsonld"}}