Chapter 299: Countdown to Joint Testing

The elevator doors slid open on the second basement level. A gust of cold air hit him, carrying the dry, distinct smell of a server room. Lin Chen didn't pause. His right foot touched the floor first; his left hovered for half a second before settling lightly. The corridor’s motion-sensor lights failed to trigger. He pulled out his key, unlocked the glass door, and stepped inside. Only a single desk lamp was on in the office. In the dimness, the indicator lights on three server racks blinked in a steady rhythm, like silent breathing.

He draped his coat over the back of his chair and pulled open a drawer. Inside, neatly arranged, were ibuprofen, knee pads, two rolls of kinesiology tape, and a mistake notebook with dog-eared edges. He tore off a strip of tape and applied it to the outside of his left ankle with practiced efficiency. No wasted motion. Pain was a physical signal, not an emotion. He swallowed an ibuprofen tablet, plugged in the power cable, and woke the main monitor.

The terminal interface was frozen on last night’s sandbox log: [INFO] Request destroyed. He hit Enter and pulled up the API documentation for the Provincial Second Hospital. The PDF was massive and loaded slowly. While waiting, he stood before the whiteboard. He bit down on the cap of a black marker and drew three branches beneath the heading “Joint Testing”: 1. Dedicated Line Handshake & Authentication 2. Data Stream Cleaning & Desensitization 3. Penetration Test Whitelist Configuration. The pen tip paused. He added a parenthesis after the third item: (Audit Team’s Third-Party Tool Signature Database).

His phone screen lit up. A message from his technical partner, Zhou Yu: "Firewall rules updated per your list from last night. But the hospital’s legacy system runs on SOAP, not REST. Our gateway needs a protocol converter, or the handshake will time out." Lin Chen replied: "Write an adapter. Use an XML parser as the middleware layer. Set the timeout threshold to 15 seconds. Log everything to disk." Zhou Yu: "Understood. Starting compilation on my end. Is your joint testing environment ready?" "Setting it up. Pushing the test package in two hours."

He sat back down, raised his chair by two notches so his left leg could stretch out naturally. The sound of keystrokes echoed in the empty office, dense and even. He started with the authentication module. The provincial health commission’s dedicated line required mutual TLS certificate authentication. He pulled up the root certificate issued by the CA and configured it into the Nginx reverse proxy layer. The code wasn’t complex, but the margin for error was virtually zero. A single misaligned field would break the entire handshake. Out of habit, he opened his mistake notebook and flipped to the previous page, where it read: "2021.03 Gov Cloud API - Incomplete certificate chain caused 403. Lesson: Certificate paths must be absolute. Environment variables cannot be trusted." He cross-checked the paths, confirmed they were correct, saved the config, and restarted the service.

The terminal flashed a green prompt: [OK] TLS handshake successful. He exhaled and picked up the thermos on his desk. The water had gone cold. He took a sip and moved on to writing the data desensitization script. DICOM headers for medical imaging contained a wealth of patient privacy data, and the audit team’s first checkpoint would be compliance. He wrapped a regex filtering function to mask names, ID numbers, and addresses. He’d already fallen into the traps of rare characters and legacy encodings the night before, so this time he directly called a UTF-8 forced-conversion library. The fallback logic ended up longer than the business logic itself.

4:00 PM. His left foot began to swell. The edges of the kinesiology tape curled slightly, and a sharp sting crept up his Achilles tendon. He stood up, gripped the edge of the desk, and slowly paced two laps. The window at the end of the corridor was open, offering a view of the slow-moving traffic on the city’s elevated highway. He returned to his seat, propped his left leg on a spare chassis nearby, and kept typing. Time waited for no one, but the body had its own rhythm. He had learned to find balance in the intervals between pain, just like he had years ago, frantically copying the last snippet of C++ code in a county internet cafe before the power went out.

5:20 PM. Zhou Yu’s test package was pushed to the internal repository. Lin Chen pulled it, extracted it, and deployed it to the sandbox environment. He launched the joint testing script. The progress bar began to roll. [INFO] Connecting to 10.88.x.x... [INFO] SOAP envelope parsed. [INFO] Payload size: 4.2MB. The data packets flowed smoothly into the cleaning pipeline. The desensitization module ran normally. The log window scrolled with green success messages. He stared at the screen, his finger hovering over the Enter key, waiting for the final confirmation command.

[WARN] DICOM tag (0010,0020) parsing failed. Fallback to raw string. A warning popped up. Not an error, but a degradation. Lin Chen’s brow furrowed slightly. He opened the raw data packet and inspected it with a hex editor. The hospital’s legacy system had mixed non-standard control characters into the Patient ID field during export. A standard parser would simply discard them, but to the audit team’s penetration testing tools, they looked like potential injection vulnerabilities.

He closed the editor and opened a new terminal. grep -r "0x00" /tmp/dicom_dump/ The command finished running, outputting over three hundred lines of anomalous records. He leaned back in his chair and closed his eyes. The ibuprofen hadn’t fully kicked in yet, and his temples throbbed faintly. He couldn’t gamble on the audit team overlooking this dirty data. The compliance red lines for medical systems were never something technology could simply bypass.

He opened his eyes and let his fingers fall back onto the keyboard. def sanitize_control_chars(data): He wrote a byte-level filtering function that scanned byte by byte, stripping out all non-printable characters while preserving the integrity of the original structure. The code wasn’t long, but it required repeated testing of boundary conditions. He imported the test dataset and ran it. First pass: passed. Second pass: passed. Third pass: memory usage spiked. He pulled up the profiler and found redundant string concatenation inside the loop. He switched to a pre-allocated byte array and rewrote the logic. Fourth pass: execution time dropped from 1.2 seconds to 0.4 seconds.

7:00 PM. All the office lights were on. Lin Chen pushed the patched fix to the sandbox. The joint testing script ran again. The progress bar rolled once more. This time, there were no warnings. The log window was as clean as freshly wiped glass. [INFO] All DICOM tags validated. [INFO] Desensitization complete. [INFO] Ready for penetration test.

He saved the logs and archived the package. His phone vibrated. It was Su Man: "The audit team’s car has entered the campus. They brought two portable penetration testing rigs. Old Zhao just called me, asked if we can hold the line. I said yes. Don’t reply to him. Just focus on your work." Lin Chen didn’t reply. He stood up and walked to the whiteboard. He drew a checkmark next to “Joint Testing.” An arrow pointed to a blank space. He wrote: "Penetration Test. White-Box Audit. Zero-Trust Verification."

He returned to his seat and opened the monitoring dashboard. The sandbox’s traffic graph began to pulse. External IPs were attempting connections. The firewall rules were active, intercepting requests at the gateway. He switched views to examine the fingerprint signatures of the audit tools. They were using a customized vulnerability scanner. Their behavior was restrained: probing ports first, testing protocols next, and only then touching the business logic. This was how a professional team operated. No noise, just hunting for cracks.

8:15 PM. The first wave of probe requests arrived. The sandbox returned a standard 403 response. The logs were complete. Lin Chen stared at the screen. His left foot had gone completely numb. He ignored it. He knew that for the next four hours, every line of log would be admissible evidence. Code didn’t lie, and neither would the audit team. He picked up his thermos, only to find it empty. He set it down and placed both hands on the keyboard.

In the terminal, a new log line slowly materialized: [INFO] External scanner detected. Pattern: CVE-2023-xxxx. Target: /api/v1/dicom/upload. Lin Chen’s pupils contracted. They had skipped the routine port scan and struck directly at an undocumented upload interface. This endpoint was only mentioned in internal documentation and theoretically shouldn’t have been exposed. He quickly pulled up the routing table and checked the configuration. No errors. Yet the logs showed the request had indeed penetrated the gateway.

His fingers flew across the keys, tracing the request path. traceroute revealed that the traffic had bypassed the main firewall, routing through a backup channel reserved for the hospital’s dedicated line. It was a debug port left over from a system cutover three years ago. It should have been closed long ago, but an operations script had accidentally reactivated it.

Lin Chen stopped typing. The office was quiet, save for the low hum of the server fans. He opened his mistake notebook and wrote on a fresh page: "Legacy port exposed. Operations blind spot. Audit team has reached the core path. Handling window: 12 minutes." He closed the notebook and yanked the network cable. Physical isolation was the last resort. He needed time to rewrite the routing policy.

The moment the screen went dark, he heard footsteps in the corridor. Light, but growing steadily closer. The audit team had arrived early.