Saturday, September 2, 2017

Can We Learn Anything From Juicero?

At the risk of over-generalizing, I would think that in the security community most have long since fully internalized that

  1. it is all about managing risk
  2. 1 is hard
Now we have a new, and very public, example of a risk management failure: Juicero, which ceased operations yesterday, costing at least 18 investors at least $118.5 million. 

There has been snark flying around about crafty, greedy venture capitalists deploying their collective foot-guns. I am more interested in looking at it as a risk management failure. I have at least one question, and possibly three.
  1. Do investment organizations talk to each other?
  2. If so, under what circumstances?
  3. If so, in this particular case, was groupthink part of the problem?

The Setup

Juicero was based around the idea that a high-margin kitchen appliance would make money in and of itself (especially if businesses were charged as much as $1,200), and sales of produce packs for $5 to $8 would lead to further profits. A useful analogy might be computer printer vendors back in the days when the printers themselves turned a nice profit; today they are basically in the ink and toner business (plug "printer ink costs more than gold" into your favorite search engine).

Bloomberg had a good roundup of the problem Juicero was having in April: Silicon Valley’s $400 Juicer May Be Feeling the Squeeze, including 
One of the most lavishly funded gadget startups in Silicon Valley last year was Juicero Inc. It makes a juice machine. The product was an unlikely pick for top technology investors, but they were drawn to the idea of an internet-connected device that transforms single-serving packets of chopped fruits and vegetables into a refreshing and healthy beverage. 
 ...
Juicero has managed to find a niche at high-end hotels and restaurants. Workers from seven businesses that own Juicero machines said they like the product because the disposable packs can be discarded with minimal cleanup. All seven said they didn’t know Juicero packs could be squeezed by hand. In Bloomberg’s squeeze tests, hands did the job quicker, but the device was slightly more thorough. Reporters were able to wring 7.5 ounces of juice in a minute and a half. The machine yielded 8 ounces in about two minutes.
and much more. Including a mention that sales of produce packs would be limited to owners of the machine.

The threat is that nothing prevents the purchase of a single machine, followed by a bit of hand pressing to cover peak loads in a juice bar where multiple machines would otherwise be required. Groups could club together to buy a single machine, then all the produce packs they jointly wanted for hand pressing. Resale of produce packs is possible, etc. People are clever.

You can think of it as a protocol design failure. Authentication did not provide the security that the creators of the business model and investors thought it did. This was a rather too-obvious failure on the part of Juicero, and we have an indication that it was in fact known by them. Again, from Bloomberg (really, go read that article):
Juicero declined to comment. A person close to the company said Juicero is aware the packs can be squeezed by hand but that most people would prefer to use the machine because the process is more consistent and less messy. The device also reads a QR code printed on the back of each produce pack and checks the source against an online database to ensure the contents haven’t expired or been recalled, the person said. The expiration date is also printed on the pack.
I don't know of anything preventing the machine owner from also verifying that a pack hasn't expired or been recalled before sharing, reselling, or whatever. Assuming that a re-seller even cared, which seems an unwarranted assumption.
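
To make the protocol failure concrete, here is a minimal sketch of the machine-side check as Bloomberg describes it. The names and the database are hypothetical; Juicero's actual firmware is not public.

# Hypothetical sketch; PACK_DB stands in for the online database.
PACK_DB = {'qr-123': 'ok', 'qr-456': 'recalled'}

def machine_will_press(pack_qr):
    """The press squeezes only packs the database says are current."""
    return PACK_DB.get(pack_qr) == 'ok'

print(machine_will_press('qr-123'))  # True: the machine squeezes
print(machine_will_press('qr-456'))  # False: the machine refuses
# The check gates only the machine. Hands implement 'press' without
# consulting the database, so nothing binds pack consumption to
# machine ownership once the packs are sold.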

Who Lost Money?

Bloomberg mentions Kleiner Perkins Caufield & Byers, Alphabet, and Doug Chertok (presumably through Vast Ventures).

According to TechCrunch the funding rounds were
  • Apr, 2016 $28M / Series C
  • Mar, 2016 $70M / Series B (lead investor Artis Ventures)
  • Apr, 2014 $16.5M / Series A
  • Oct, 2013 $4M / Seed
That is $118.5 million. In that Series B round were 17 investors:
  1. Abstract Ventures
  2. Acre Venture Partners
  3. AGO Partners
  4. Artis Ventures (AV)
  5. Bryant Stibel Investments
  6. Campbell Soup Company
  7. Campfire Capital
  8. First Beverage Group
  9. GV
  10. Haas Portman
  11. Interplay Ventures
  12. Kevin W. Tung
  13. Kleiner Perkins Caufield & Byers
  14. Melo7 Tech Partners LLC
  15. Thrive Capital
  16. Two Sigma Ventures
  17. Vast Ventures
Two of these were already mentioned by Bloomberg, but Alphabet (investment amount unknown) was not. So at least 18 investors were involved. I would expect Alphabet (as the parent of Google, it is more than a VC) and Campbell Soup Company to have strong risk management teams. And any organization which exists purely to return a profit on investment obviously should as well.

Yet we see a widespread failure.

A Comparison to Banking

Banks exist to manage risk for their customers: stuffing money under the mattress doesn't scale. And they cannot survive (without government bailouts, if they are large enough, and the circumstances dire enough) without functional internal risk management. They don't compete on the security front. Given the requirements of automated clearing, etc., they mitigate shared risks by sharing information about them.

Having no experience with one, I have no idea if venture capital organizations talk to each other about risk 
  • at all, 
  • only in the case of a group with a lead investor, 
  • occasionally, or
  • commonly.
It seems likely that whatever communication exists may be informal, dictated entirely by circumstance. But only by knowing those circumstances will it be possible to answer my original question(s):
  1. Do investment organizations talk to each other?
  2. If so, under what circumstances?
  3. If so, in this particular case, was groupthink part of the problem?
It seems quite possible to me that answers might become available.

I hope so, because otherwise the only people who will gain useful knowledge from this are the investors who lost money. The general security community gains no insight into when to advocate for new lines of communication, or into whatever warning about the risk of groupthink the Juicero example might carry. Tech, as a whole, has a very short memory for what has presented security problems in the past. But security workers still have a professional obligation to at least try.

Thursday, August 24, 2017

Mean-of-Means Under Unequal Cardinality

These days, I'm hearing too much politics, of the weird and/or horrible sort. This is weird and/or horrible only in the sense of really bad statistics. Assuming that a political poll matches reality, anyway.

A former co-worker recently sent me an 'analysis' of a Gallup poll, purporting to show Trump's approval declining in stages. A lot of effort went into this. Each data point was tediously recorded by mousing over the online plot, then averages (arithmetic means) were calculated over varying periods, which were cherry-picked.

It's clear that while these data show declining popularity, and it sorta looks like that's happening in discrete stages, that's about all you can tell. Beyond the cherry-picking, only simple arithmetic means were calculated, and means-of-means were used across different sample sizes. Which is often a cardinality problem. I'm using the mathematical definition of cardinality here: a measure of the number of elements in a set.

In a bog-standard arithmetic mean I'm using the following notation:
where S = the set of samples
and n = the sample count
mean = sum(S) / n

so n = cardinality.


See the current Gallup Daily: Trump Job Approval plot to see rollover data, etc.

Immediately after the page title lies the critical sentence, "Each result is based on a three-day rolling average." You should also note that "Margin of error is ±3 percentage points." So a lot of the day-to-day variance is indistinguishable from noise. And not plotting even simple error bars trades information for drama. Bad dog, Gallup. But that is no worse than what is to be expected, and I digress.

Long story short: you have to use a weighted mean here.

The scary bit is that this former co-worker influences financial decisions related to capacity planning for various security systems: when and where more storage, networking, or CPU will be needed. So this was just waiting to bite, in one or more security-critical system(s). That can be career-limiting, and is best avoided.

This is Python 3. I use an unweighted mean-of-means first, just to demonstrate failure under unequal cardinality.

Note that this is truly terrible Python. While it works, it bears little resemblance to how one would actually write Python. Python has been called "executable pseudocode."  I am trying to capitalize on that to make what it does (illustrate my point) decipherable to those who have never seen Python and have no desire to experiment with it, or may not be any sort of coder at all.

# Python is dynamically typed; it would have been easy to do this without 
# using an array. But this way, and specifying floating point (the 'f' in the 
# a_in = array.array statement) may be more explicit for those who don't use 
# Python.
import array # Efficient arrays of numeric values.
from statistics import mean # Arithmetic mean ("average") of data.

def clr_vars():
    """Clear variables, shown in order of appearance."""
    global a_in, ms1, ms2, a_ms12, ma_in, ms12  # Needed to delete module-level names.
    del a_in    # The input array.
    del ms1     # Mean of subset 1.
    del ms2     # Mean of subset 2.
    del a_ms12  # Array of the means of the two subsets.
    del ma_in   # Mean of input array.
    del ms12    # Mean of both subsets.

print('Equal Cardinality Subsets')
a_in = array.array('f', [1, 2, 3, 4])
print('Input:', a_in)
print('Subset1:', a_in[:2])
print('Subset2:', a_in[2:])
ms1 = mean(a_in[:2])
ms2 = mean(a_in[2:])
print('Mean of subset1:', ms1)
print('Mean of subset2:', ms2)
print('Sum of subset means succeeds:', ms1 + ms2)
a_ms12 = array.array('f', [ms1, ms2])
ma_in = mean(a_in)
print('Mean of entire input array:', ma_in)
ms12 = mean(a_ms12)
print('Mean of subset means succeeds:', ms12)

Which returns

Equal Cardinality Subsets
Input: array('f', [1.0, 2.0, 3.0, 4.0])
Subset1: array('f', [1.0, 2.0])
Subset2: array('f', [3.0, 4.0])
Mean of subset1: 1.5
Mean of subset2: 3.5
Sum of subset means succeeds: 5.0
Mean of entire input array: 2.5
Mean of subset means succeeds: 2.5

clr_vars()

print('\nUnequal Cardinality Subsets')
a_in = array.array('f', [1, 2, 3, 4, 5])
print('Input:', a_in)
print('Subset1:', a_in[:2])
print('Subset2:', a_in[2:])
ms1 = mean(a_in[:2])
ms2 = mean(a_in[2:])
print('Mean of subset1:', ms1)
print('Mean of subset2:', ms2)
print('Sum of subset means succeeds:', ms1 + ms2)
a_ms12 = array.array('f', [ms1, ms2])
ma_in = mean(a_in)
print('Mean of entire input array:', ma_in)
ms12 = mean(a_ms12)
print('Mean of subset means fails:', ms12)

Which returns


Unequal Cardinality Subsets
Input: array('f', [1.0, 2.0, 3.0, 4.0, 5.0])
Subset1: array('f', [1.0, 2.0])
Subset2: array('f', [3.0, 4.0, 5.0])
Mean of subset1: 1.5
Mean of subset2: 4.0
Sum of subset means succeeds: 5.5
Mean of entire input array: 3.0
Mean of subset means fails: 2.75

Weighted Means

As you can (hopefully, Python is clear enough) see, cardinality didn't matter with addition. But with mean-of-means, it did. There are some subtleties involved with sum- vs mean-of-means. You may be asking two different questions, depending on which you use, so either can be correct. But here we can just use weighted means, which allow for the different number of samples (cardinality).

Differences

Instead of iterating over the entire array, we group by the subsets.

Recall that in a bog-standard arithmetic mean I'm using the following notation: S = the set of samples, n = the sample count, and mean = sum(S) / n.

We calculate a weighted mean of two samples by expressing groups of sample counts and sample means:
Weighted mean = (((mean of s1)(n of s1)) + ((mean of s2)(n of s2))) / ((n of s1) + (n of s2))

We introduce two new variables, s1 = subset1 and s2 = subset2, instead of just printing what they would have contained.

We then use len() to get n of s1 and s2, storing them in two more new variables, ns1 and ns2.

Substituting Python variables, and using Python syntax (still with extra parens for clarity):
w_mean = ((ms1 * ns1) + (ms2 * ns2)) / (ns1 + ns2)

Here's the code.

s1 = a_in[:2]
s2 = a_in[2:]
print('s1 is:', s1)
print('s2 is:', s2)
ns1 = len(s1)
ns2 = len(s2)
print('ns1 is:', ns1)
print('ns2 is:', ns2)
ms1 = mean(s1)
ms2 = mean(s2)
print('ms1 is:', ms1)
print('ms2 is:', ms2)
w_mean = ((ms1 * ns1) + (ms2 * ns2)) / (ns1 + ns2)
print('Mean of entire input array:', ma_in)
print('Weighted mean succeeds:', w_mean)

Which returns
s1 is: array('f', [1.0, 2.0])
s2 is: array('f', [3.0, 4.0, 5.0])
ns1 is: 2
ns2 is: 3
ms1 is: 1.5
ms2 is: 4.0
Mean of entire input array: 3.0
Weighted mean succeeds: 3.0
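
For what it's worth, numpy can do the same thing in one call: np.average() accepts a weights argument. A minimal sketch, reusing the subset means and cardinalities from above:

import numpy as np

ms = [1.5, 4.0]  # subset means
ns = [2, 3]      # subset cardinalities
print(np.average(ms, weights=ns))  # 3.0, matching the whole-array mean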

There is another potential problem here. Not having the original data, we can't see outliers, and there is no methodology discussion beyond "Daily results are based on telephone interviews with approximately 1,500 national adults". So we don't know that the arithmetic mean was safe to use. On the other hand, rolling averages smooth data. It's probably fine, but we would have to do a lot of analysis to establish a confidence level.

We would start by experimenting with harmonic means (the mean of choice when there are outliers), though we have to go outside the Python standard library. Harmonic means are also commonly required in IT capacity planning and performance analysis, or anywhere else that data are spiky. My former co-worker should certainly have been aware of this too, but somehow wasn't. Another way to get bitten... The thing is that in most ways, this is a pretty knowledgeable security person. On the theory that anything that helps get more science and engineering into the security field, at any level, is A Good Thing, I was happy to help.

What's in the Python stdlib is actually pretty weak for this sort of thing, compared to what's available in the science stack. The only mean available in the statistics module is the arithmetic mean, and arrays are limited as well. The solution starts as follows.

import numpy as np               # Array goodies and vastly more; required by the rest.
from scipy import stats         # Supplies the harmonic mean, and lots more.
import matplotlib.pyplot as plt
import seaborn as sns
Note that you also have to have Pandas on the system to use seaborn. Which is fine -- you'll want it anyway. Or use something else; there are several plotting packages available. When the environment is set up, we would use stats.hmean() and lots of plots as our exploration tools. That would take more play time than I actually have. Especially since all this assumes that I want to fool with anything political, and that Gallup polls are worth anything to begin with. I would really start by looking up their results from the 2016 election, where we know there were polling failures.

If you care to push your way into the science stack, the packages I mentioned above are at:
http://www.numpy.org/
https://www.scipy.org/
https://matplotlib.org/
https://seaborn.pydata.org/
http://pandas.pydata.org/
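
As a taste of what that exploration might look like, here is a minimal sketch comparing the two means on spiky data. The numbers are invented for illustration; they are not Gallup's.

from statistics import mean
from scipy import stats

samples = [40, 42, 41, 43, 400]  # one big spike
print('Arithmetic mean:', mean(samples))       # 113.2 -- dragged up by the spike
print('Harmonic mean:', stats.hmean(samples))  # ~50.5 -- far less sensitive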

Monday, July 3, 2017

Tools for HR Departments

The following is the text that went into gitlab.com/secinfo/hr.

Over the years, it’s become apparent to me that HR departments could use some
help on the security front. The canonical example is a breakdown in
communications with IT that results in former employees being left on systems.
More subtle are issues with the hiring process: I’ve seen jobs advertised
looking for admins for old, unsupported, public-facing Web applications. And
too much detail about software, combined with work shift requirements that
supply timing information, can provide useful information to an attacker.

Is it possible to increase precision, without a downside? One possibility
involves standardizing, if only somewhat, titles, responsibilities, and
typical tasks. Here the U.S. federal government may actually be of some help.
Though they don’t make it easy.

If you visit
https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework
(part of DHS National Initiative For Cybersecurity Careers And Studies) you
find tons of information. Seven categories, with a varying number of specialty
areas under each. Drilling down further, you find lists of Competencies, Key
Skill Areas, Tasks, and Related Job Titles. And links to education resources.

There’s a lot there: hundreds of descriptors. It occurred to me that it might
be useful to have this in a machine-readable format, but that isn’t available.
Until now, anyway. The vast majority of it, save the education resources,
which seem likely to change frequently, has been (tediously) added to a couple
of JSON files. Warts and all – there are a few instances where they have
truncated lines and whatnot.
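
To give a flavor of the shape of the thing, here is an invented example of
what one machine-readable record might look like. It is purely illustrative;
the real layout lives in the JSON files in the repo.

import json

# Hypothetical record, invented for illustration. The field names mirror
# the NICCS descriptors; the real structure is in gitlab.com/secinfo/hr.
record = {
    "category": "Protect and Defend",
    "specialty_area": "Incident Response",
    "competencies": ["Incident Management"],
    "key_skill_areas": ["Intrusion detection"],
    "tasks": ["Perform analysis of log files"],
    "related_job_titles": ["Incident Responder"],
}
print(json.dumps(record, indent=2))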

The files will change, in that some fields may be added. Under specialty, if
you open, say, Tasks, you find a top line that says something like
"Professionals involved in this Specialty Area perform the following tasks:"
Other times it says "experts".  I’m not sure it would be a useful thing to
include.

The structure will likely change at some point: I’ve committed the folly of
creating a data structure with no idea how it will be used. My hope is that an
HR professional will see it, it will spark an idea, and then an application
will drive the data structure, as it should. Which would make the tedium
worthwhile.

It’s also a serious eye-opener to security generalists such as myself, which
is another reason I did it. JSON does make it possible to see it as a whole,
which you can’t do by clicking around in the NICCS Web site. We are well past
any hope of a single person, no matter how dedicated, being able to encompass
more than a small fraction of the skills that the field needs.

Hopefully, now that this is out there, I can use some of my scant spare time
to get some work done that should live in various private projects under
gitlab.com/secinfo/hr.

Tuesday, October 11, 2016

Resource Depletion Attacks: Commonly Performed by Security Industry

I make heavy use of the Linux 'at' and 'batch' facilities, which provide simple but very effective methods of increasing productivity via automation. Essentially, I want machines working to their thermal, IO, etc., limits as much as possible, so that I don't have to work to my thermal, IO, etc., limits. Naturally, I regard unused cores or threads, etc., as Bad Things.
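
For the curious: batch(1) reads commands from standard input and runs them when the load average permits. A minimal sketch of shoveling work at it from Python -- the build command is a stand-in, and this assumes the at/batch tools are installed:

import subprocess

# batch(1) queues the job and runs it when system load permits.
job = "nice make -j4 > build.log 2>&1\n"
subprocess.run(["batch"], input=job, text=True, check=True)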

At lunch today, there were three or four jobs in the queue, which is fairly typical. But none finished when expected, which is a bit atypical. The problem turned out to be, as it often is, a random security news service running core-sucking Javascript in an effort to get me to subscribe to their email service.

My bad, in some respects. I know better than to leave browser tabs open, leaving the marketroids an opportunity, but sometimes it just isn't possible to sort through a long list of tabs when you are trying to go to lunch. Sometimes you get burned by running batch jobs on an active workstation instead of shuffling them off to another machine.

On the other hand, having to even think about this is an indictment of the security industry. Of which I am part, and that is FUBAR.

The definition of a resource depletion attack, according to Mitre's Common Attack Pattern Enumeration and Classification (an information-sharing resource worth using) is as follows.

Attack patterns within this category focus on the depletion of a resource to the point that the target's functionality is affected. Virtually any resource necessary for the target's operation can be targeted in this attack. The result of a successful resource depletion attack is usually the degrading or denial of one or more services offered by the target. Resources required will depend on the nature of the resource being depleted, the amount of resources the target has access to, and other mitigating circumstances such as the target's ability to shift load or acquire additional resources to deal with the depletion. The more protected the resource and the greater the quantity of it that must be consumed, the more skill the adversary will need to successfully execute attacks in this category.
Note that I had an opportunity to shift the load. But I am using 'at' and 'batch' casually, from the command-line. A better system would also be a much more formal system. I hadn't planned to review and retest real scheduling systems until toward the end of the year. If I had time, but only because I personally regard them as important and interesting. Perhaps I should bring that forward a bit, but it's a balance of annoyance versus available time: I have no current or horizon gig where robust scheduling systems play a central role. So, no immediate business driver. I'd like to flesh that topic out, but it would require another post to cover even the bare essentials.

Please excuse the digression, and it's time to return to the topic of the post. In the limit, almost no marketing can be regarded as ethical in the security industry, given that

  1. Your brain is a resource, and by far the most vital one
  2. Security news sources are commonly a FUD tsunami
  3. 2 is an attack on 1
  4. Current PCI-DSS requirements (sections 5.1.2, 6.1) require news monitoring
It's often helpful to look at the worst case. PCI-DSS originated as an effort to avoid governmental regulation by self-regulation. In the earliest iteration, it was as basic as requiring a firewall -- some financial organizations did not, even when firewalls alone were a highly effective defense. It evolved into something as relatively sophisticated as saying, "Read the damned news, people." Because they routinely didn't. At all.

As usual, security people are trapped by the lowest common denominator. Here's how that might map to an all too common day-in-the-life of someone on a PCI team.
  1. You must read the news
  2. Security news sources are commonly a FUD tsunami
  3. FUD tsunamis are a DoS attack on your brain
  4. Your brain is your most vital resource
  5. FAIL
The largest offenders are the generic security news sources, and I very specifically include security product vendors. These are by far the most likely to burn your physical and mental cores with a FUD tsunami. Vendors of the software you are actually running? Sometimes they offer nothing at all (as in the early days of nginx, when it was basically just some random Russian supplier of an httpd, but still enthusiastically embraced due to efficiency) and not nearly enough offer anything that can be consumed by software. So we have to plod through this stuff manually.

Treasure the suppliers of the software you actually run who also provide up to date vulnerability data, particularly if it can be consumed by software. They free your brain, and that's important.

I assign news sources to tiers, according to a mechanism that works for me. Some random source that announces hacks of a PHP app run by 3 people? Not going to make my list, but it might make yours, if you have been trying to get management to get rid of that circa-1999 POS. Yes, that actually happens.

Develop something at least semi-formal

Know what you are running. A systems and software inventory can be surprisingly difficult to do. In larger enterprises, expensive high-bandwidth Internet connections can fall through the cracks. As can 7-figure database systems.

Know where your most important data live. That can be amazingly hard to do: there's always that one key worker. The one in that cube waaaay over there. With a spreadsheet that turns out to be vital.

There's an ancient dictum that suggests that you must know what you are protecting, and from whom. In many cases, forget it. It's no longer possible to predict who your adversary is. Whether your data is financial, or the secrets of military hardware, or 'just' passwords (so, really, all financial), the evolution of adversarial scanning technologies, exploit kits, etc., enables sophisticated yet entirely opportunistic attacks.

So, read the news. But have some sort of evaluation criteria, and put it under version control, because threats evolve. It has to be customized to your environment. Tier 1 will involve vendor alerts, because that involves patch planning, and (always short) testing windows. You might want a sub-schedule to break it into work shifts. Not all software comes from the same time zone, and a reaction time of less than 24 hours has repeatedly made all the difference. 

Assigning to Tiers 2 and 3 might involve how you evaluate sources as to reliability, frequency, frequency in combination with consequence, etc. Get used to thinking of it as a matrix, because it very much is. I have additional considerations, which include stability of source URLs, because I track reliability and frequency over time. You may or may not need to do that -- my requirements are peculiar.
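
If that sounds abstract, here is a minimal sketch of what versioned evaluation criteria might look like in code. The sources, scores, and fields are invented; yours will differ.

# Hypothetical source-evaluation matrix; keep something like this under
# version control and revisit it as threats evolve.
SOURCES = {
    'os-vendor-advisories':  {'tier': 1, 'reliability': 0.9, 'drives': 'patch planning'},
    'generic-security-news': {'tier': 3, 'reliability': 0.4, 'drives': 'background reading'},
}

def reading_order():
    """Lowest tier first: vendor alerts before the FUD tsunami."""
    return sorted(SOURCES, key=lambda name: SOURCES[name]['tier'])

print(reading_order())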

Common Denominator: Vendor Bogosity is a DoS Attack

Security is hard. There is never enough time, there are never enough resources. 

A principal confounding factor is that much of what passes for news (and research, which is perhaps a greater problem) is delivered via what meets an essential definition of an attack. Background resentment of this state of affairs has long been pervasive within the security community; I'm certainly not the first to carp about it.

What is needed is not carping, but howls of resentment. It took that level of blow-back to get Microsoft to begin to change their ways, back in the day. When it became impossible to deploy a system before it was compromised, and CEOs complained, Microsoft found it impossible to ignore the noise. Much the same thing happened with vendors of proprietary Unix variants, though it wasn't as blatant. That completely changed the vulnerability disclosure game, though the vendors howled in protest. Or first began to howl -- they still do it.

It is only when we begin to call another generation of vendors out that another vast waste of scarce resources will end. This lossage is more difficult to quantify, so it's more difficult to raise a collective voice. Perhaps a start might be made by recognizing that vendor bogosity is a DoS attack, and telling them so. In, let's say, extremely vigorous terms. Because history shows that nothing like a subtle approach is going to have an effect.

Sometimes the best tool for the job really is a hammer.

Wednesday, July 13, 2016

It's So Easy to Be Taken In

In other exciting news, Social Engineering attacks still work. Duh. But here's an illustrative example of it being done completely innocently. This is from another security worker-bee who was all on about why mobile and Bring Your Own Device (BYOD) was such a corporate threat.

Bogus Vatican Image
That's a complicated topic, as evaluating risk always is, and it is wide of the point that I want to make: the most effective possible social engineering attack comes from the innocent and mistakenly trusted. A very human failing, greatly magnified by transitive trust (friend-of-a-friend) issues. Which, make no mistake about it, we are all prone to. I might be particularly susceptible, because I am such an open, trusting sort of person.
Boris Karloff, The Mummy, 1932

The thing about that Saint Peter's Square image is that it was already in my database as bogus. Unlike the above Karloff image, which I only include because it was a cool old movie. Frivolity, thy name is Greg.

So how did I spot this unwitting social engineering attack? Chance. Striking images stick in the mind, and I happened to remember a source that really was in my DB: a Washington Post piece titled About those 2005 and 2013 photos of the crowds in St. Peter’s Square. There is no effective defense against social engineering attacks against a broad workforce, most of whom are just trying to live their lives.

If you do not assume that you will be hacked, you are Doing It Wrong. Worse, you are making that mistake in the face of a vast body of contrary evidence, and "Your security is important to us" PR is becoming widely ridiculed by both the security community and, more importantly, the public. Who are growing rather tired of the charade.

There are obvious things that can be done in beginning to address the problem. Most of them involve policy and standards, and the mechanisms for creating and enforcing them, or even (very doubtfully) convincing the workforce that their perfect performance is necessary. But these are, in the main, only available to larger organizations, where they work no better than they do at smaller scales.

As long as this sorry state of affairs persists, the security industry will continue to fail, in an increasingly obvious manner.


Tuesday, April 19, 2016

Blackhole Crimeware Creator Gets 7 Years

That's a nice law enforcement win. 'Blackhole' is variously known as an exploit kit or pack, or just straight-up crimeware, as it often came with regular updates, or even support contracts. I have enough Blackhole references, dating back to 2012, in my database that it became boring to add them.

Brian Krebs reported this on 2016-04-14, at http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-years/. Note that there is a one-year discrepancy between the URL and the stated sentence.

I've already heard rumbles (possibly from other security worker-bees who hated plugging 'Blackhole' into a database for the nth time) that the sentence wasn't long enough. The line of thought was about scale: that Dmitry “Paunch” Fedotov, whom Krebs reports as having more than 1,000 customers, was earning $50,000 per month, and likely contributed to tens of millions of dollars stolen from small to mid-sized businesses over several years.

I can see the temptation there. Particularly the bit about 'tens of millions', and particularly the 'small to mid-sized businesses'. Organizations that fit that size description have been some of my favorite clients, are often most in need of the help, and I just generally feel better about having helped out an organization of that size, rather than some Fortune 500 behemoth. I would be amazed if I were to discover that that viewpoint is unusual, if I could somehow survey the people down in the security trenches.

But was the penalty really light, at seven or eight years? Possibly not. First off, this was a Russian law enforcement win, and the sentence will be served in a penal colony. I don't know about you, but the idea of spending 7-8 years in a Russian penal colony does not take me to my Happy Place. I'm not going to address that further.

Suppose this was a United States thing? A US citizen, in US courts, with a potential for serving a sentence in a US prison?

Krebs refers to the likelihood of 'tens of millions of dollars stolen'. I completely agree. But let's compare this to the physical world. That necessarily involves bank heists, armored car robberies, etc., where people are likely to be injured or killed. Much drama, making it a natural for movies, such as Ocean's n, or those based on the Lufthansa heist, etc. Wikipedia has a list of large-value US robberies, several of which are in that tens-of-millions category. The most recent of the $10+ million robberies date to 1997. The largest was the Dunbar Armored robbery, involving $27.9 million in 2016 dollars. The sentence? 24 years for mastermind Allen Pace, an insider. Under parole guidelines, he will have to serve 18 years, and five others will have to serve 8-17 years.

Bear in mind that this was a record robbery: it seems likely that it was politicized to at least some degree. The Loomis Fargo robbery ($25.5 million today) occurred the same year, and yielded sentences from probation to 11 years. I haven't researched possible parole dates.

Differences in criminal justice systems make it difficult to judge whether Fedotov drew a sentence that was appropriate. But it seems to me to be broadly comparable, at minimum. That is a win for law enforcement. Penalties used to be no more than a slap on the wrist, as long as the crime was committed over the network. The extent of the damages didn't seem to matter.

There will be no immediate effect, no matter how much we might wish otherwise.

Sending signals has been less than effective in even the geopolitical realm, where huge numbers of government bureaucrats (State Department, etc.) are employed to keep it all sorted out, and react in something like real-time. Criminals will entirely miss this one, even if it should prove to be the start of a trend toward commensurate sentencing. It seems likely to be a generational thing.

I'm fine with that.

A couple of years ago I posted Law Always Lags, As It Should, "The universal claim seems to be that the law is behind the times. My take is that is better to have law that lags than law that leads. While lagging legal thought will certainly lead to injustice, it is less likely to lead to wholesale injustice. It is the lesser of two evils in an imperfect world."

Sunday, April 10, 2016

DitL: writing about files, of all things

Have a Day in the Life post, written on a Sunday night, after a lovely Spring afternoon spent with a text editor. Gack. That is just wrong.

Writing. 121 lines, 965 words, 5836 bytes, and all about writing files of all things. It really did take all afternoon, for not very much usable output. Some days just go like that. I mostly discovered what I should have been writing, which is a piece in three (four?) parts.

  1. How badly file creation is currently being done
  2. That interstitial bit between writing and reading, which leads to exploitable race conditions (a taste in the sketch after this list)
  3. Reading is not so much a problem as parsing, which has been a gold mine of exploits over the years
  4. Possibly a lead-in bit, which I am attempting to dodge by posting this
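
Since item 2 deserves at least a teaser, here is a minimal sketch of race-resistant file creation. O_EXCL makes check-and-create a single atomic step, instead of a check followed by an exploitable gap; the filename and contents are stand-ins.

import os

# O_CREAT | O_EXCL fails if the file already exists, closing the
# time-of-check/time-of-use window between 'does it exist?' and 'create it'.
fd = os.open('report.txt', os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
with os.fdopen(fd, 'w') as f:
    f.write('data\n')
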
An additional problem is how to present the material, as an introduction to the subject, without it being an off-putting wall of text. For instance, introducing hexdump to beginners, as well as a few programs in coreutils, all in text, turns out to be non-trivial. This stuff is a lot easier when you can just get in front of a whiteboard in scribble-yack-enjoy mode.