A Chrysler Rolling Botnet In Three Steps

Chrysler’s mailing out USB sticks to customers who want to fix a vulnerability in their car by themselves. It took about four seconds for me to realize how bad this idea is.

1. Scrape DMV info for owners of relevant Chrysler models – you can use public RMV portals and just automate the attack. Or if you want something a little less obvious you can fall further down the rabbit hole and hack a police department – most local PDs have terrible information security, and there exist a few specific, mandatory weaknesses that’d be easy to exploit by something as simple as dropping a malware-laden USB drive in the parking lot. Trust me, they’ll plug it in. From there you just use their dedicated connection to CJIS.

2. Find a Print-On-Demand merchandise company and order hundreds of official-looking Chrysler USB drives. Easy to portray yourself as a local Chrysler dealership to allay suspicions of the POD firm – pop-up domain, letterhead, IP voicemails, etc.

3. Drop malware onto your official-looking Chrysler USBs, mock up some letterhead and mail them out to the car owners.

Suddenly you’ve got a rolling botnet – dozens, hundreds, even thousands of cars that are not only vulnerable to attack but, because most cars are now internet-connected and IP-enabled, able to take part in other attacks, such as a distributed denial of service attack.

The biggest question is whether Chrysler cryptographically signs the update and phones home to verify it before opening and installing – and my guess is no. In the unlikely event I’m wrong, pivot this attack from the cars to the computers of vehicle owners and you’ve got a convincing way into the computers of thousands of Chrysler customers.
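The defence the paragraph above asks about is an offline check the vehicle can run before touching anything on the stick: the update carries a manifest signed with the vendor’s private key, the vehicle holds only the matching public key, and installation proceeds only if the signature verifies and the image hash matches the signed manifest. The Go program below is an added example written for this post, not Chrysler’s code or any real update format; the manifest layout, the `platform-A` target name, the firmware bytes and the Ed25519 keys are all constructed for the demonstration, and the “phone home” half of the question is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the constructed, signed description of one update image.
// The signature covers this JSON, and the image is bound to it by hash.
type Manifest struct {
	Target  string `json:"target"`  // vehicle platform the image is built for
	Version string `json:"version"` // human-readable version string
	SHA256  string `json:"sha256"`  // hex SHA-256 of the image bytes
}

// SignedUpdate is the hypothetical on-disk layout of a mailed USB update.
type SignedUpdate struct {
	ManifestJSON []byte // canonical JSON of Manifest
	Signature    []byte // Ed25519 signature over ManifestJSON
	Image        []byte // firmware image bytes
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("image hash does not match the signed manifest")
	ErrWrongTarget  = errors.New("signed manifest is for a different vehicle platform")
)

// BuildSignedUpdate is what the vendor's build system would do: hash the image,
// embed the hash in a manifest, and sign the manifest with the vendor key.
func BuildSignedUpdate(priv ed25519.PrivateKey, target, version string, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	m := Manifest{Target: target, Version: version, SHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m) // struct field order makes this deterministic
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

// VerifyUpdate is the check the vehicle runs before installing anything.
// Order matters: the signature is checked first, so nothing attacker-controlled
// is parsed until it is known to come from the pinned vendor key.
func VerifyUpdate(vendorPub ed25519.PublicKey, localTarget string, u SignedUpdate) (Manifest, error) {
	if !ed25519.Verify(vendorPub, u.ManifestJSON, u.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(u.Image)
	got := []byte(hex.EncodeToString(sum[:]))
	if subtle.ConstantTimeCompare(got, []byte(m.SHA256)) != 1 {
		return Manifest{}, ErrHashMismatch
	}
	if m.Target != localTarget {
		return Manifest{}, ErrWrongTarget
	}
	return m, nil
}

func main() {
	// Vendor key pair; only the public half would be pinned in the vehicle.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image bytes")

	genuine, _ := BuildSignedUpdate(vendorPriv, "platform-A", "1.2.3", image)
	_, err := VerifyUpdate(vendorPub, "platform-A", genuine)
	fmt.Println("genuine update:", err) // <nil>

	// A stick whose image was altered after signing fails the hash check.
	altered := genuine
	altered.Image = append([]byte{}, image...)
	altered.Image[0] ^= 0xff
	_, err = VerifyUpdate(vendorPub, "platform-A", altered)
	fmt.Println("altered image:", err)

	// A stick re-signed with a key the vehicle has never pinned fails first.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned, _ := BuildSignedUpdate(otherPriv, "platform-A", "9.9.9", altered.Image)
	_, err = VerifyUpdate(vendorPub, "platform-A", resigned)
	fmt.Println("re-signed with unpinned key:", err)
}
```

The point of signing the manifest rather than the raw image is that the same small check also covers metadata like the target platform, so a genuine image for one model cannot be replayed onto another; the hash comparison is constant-time out of habit rather than necessity, since the hash is not a secret.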

Security & Tech Briefs: Chrome, Trump, Smartwatches, Mac Exploit

Detectify Labs shared a clever way to deactivate security (or any) Chrome plugins with a simple ping.

Donald Trump’s website was hacked, likely due to a CMS that hadn’t been patched in five years.

The insurance industry is concerned about smartwatches, the Internet of Things, big data and information security.

Ars Technica on a major 0day Mac exploit that’s already being seen in the wild.

Books Finished So Far This Year

Keeping a running list in Evernote, figured I might as well share it here. Have been pleasantly surprised by the quality of the reads so far. Heavier than usual on fiction – usually I read more nonfiction but had started the year out vowing to change that balance a bit. No idea what’ll end up finished next on the list, as I tend to read about six books at once.

1. 1/12/15 – Great World Religions: Hinduism, Mark Muesse (lectures)

2. 1/14/15 – Brave New Now, ed. by Liam Young

3. 1/18/15 – The Making of the Atomic Bomb, Richard Rhodes

4. 2/14/15 – The Decline and Fall of Rome, Thomas Madden (lectures)

5. 3/4/15 – Atomic Accidents, James Mahaffey

6. 3/25/15 – A User’s Guide to the Millennium, JG Ballard

7. 4/9/15 – Night Shift, Stephen King (re-read)

8. 4/18/15 – Cyber War Will Not Take Place, Thomas Rid

9. 4/24/15 – The Atrocity Archives, Charles Stross

10. 4/27/15 – Point Omega, Don Delillo

11. 5/4/15 – The Crystal World, JG Ballard

12. 5/15/15 – Chaos, James Gleick (re-read)

13. 6/23/15 – CUNNING PLANS, Warren Ellis

14. 6/30/15 – The Whiskey Rebellion, William Hogeland

15. 7/29/15 – Countdown to Zero Day, Kim Zetter

16. 8/3/15 – Nexus, Ramez Naam

Countdown to Zero Day: Read it.

Spent a chunk of this week reading Kim Zetter’s Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon and found it to be a good, timely book. Zetter, a senior staff writer for Wired, spins a well-focused narrative relevant not only to Stuxnet but to one of the more active issues in US politics right now: the Iranian nuclear program. Zetter goes into deep but comprehensible detail about nuclear weapons production and Iran’s specific methods and capabilities.

Another place the book shines is the way it leads the reader through malware detection and reverse-engineering processes. Zetter maintains an active and involved storyline that feels not at all like a technical report about either a virus or uranium enrichment. Add that there was no discernible political agenda and you’ve got a pretty damn good read on the details and wider contexts of Stuxnet.

Highly recommended.

Security and Technology Briefs: Nucleus Explosion, Threat Intelligence, Security Feeds, More

It’s always interesting to me to watch the reaction as dark net drug markets fold and likely abscond with the bitcoin of everyone involved. Looks like Nucleus either exit-scammed or got hacked.

A good introduction to threat intelligence by Farsight Security. Also a good intro to reputation systems.

SwiftOnSecurity is one of the most delightful and knowledgeable accounts on Twitter, and they’ve recently shared their OPML of security feeds. Go through and add relevant ones to your RSS reader.

New York Magazine was hit with a DDoS attack and taken offline after publishing a story involving 3/4 of the Cosby accusers.

Not new, but amusing: erroring trashcan.

And, apropos of nothing, a federal officer was injured in an explosion when the meth lab he was apparently building in an empty National Institute of Standards and Technology facility blew up (via Reddit).

Kasich: Fiddling While Lehman Burns

GOP presidential candidate John Kasich was busy yesterday touting all he learned about business while working for Lehman Brothers, the financial services firm that failed spectacularly in 2008. (transcript)

You know, I — I — I left Washington and had a great time. You — you know, I was — worked at Lehman Brothers and learned about businesses, and I went to Fox News…

It should be remembered that Lehman Brothers was forced into bankruptcy after basically refusing to find another firm to buy it; Treasury Secretary Hank Paulson straight up told Lehman CEO Dick Fuld to find a buyer. Fuld made a few limp efforts, entirely convinced instead that a government bailout would come.

John Kasich was the Managing Director of a financial firm that failed because it sat idle in acute crisis and expected big government to come save it. Color me skeptical when he refers back to his Lehman-era business expertise.

An Open Letter To My Legislators On Greece

In 1919, British Economist John Maynard Keynes resigned from his country’s delegation to the Paris Peace Conference as well as his post in the Treasury Department in direct protest of harsh punitive war reparations placed upon Germany. Keynes is one of the fathers of our modern economic system, lending his name to the Keynesian school of thought. He called the Versailles talks “a scene of nightmare” and left the other participants so they could “gloat over the destruction of Europe” in their own peace. Later that same year Keynes wrote an entire book, The Economic Consequences of the Peace, which laid out the subject in stark terms:

The policy of reducing Germany to servitude for a generation, of degrading the lives of millions of human beings, and of depriving a whole nation of happiness should be abhorrent and detestable, –abhorrent and detestable, even if it were possible, even if it enriched ourselves, even if it did not sow the decay of the whole civilised life of Europe.

As we see in the abject failure of austerity measures to bring wellness to a population or its economy, in an ironic twist of Keynes’ fears, Germany seems to have its sights set on impoverishing Greece for a generation or more. As an American I believe this is a threat to our national interests in a unified, productive Europe. As a person I believe the actions of Germany and the Troika are reprehensible and must be countered by those who believe in freedom, sovereignty and helping others up rather than keeping them down.

Greece surely bears some measure of responsibility for its financial state, especially as regards weak or fraudulent accounting prior to 2009 and infuriatingly lax tax collection. A clear mandate has emerged from Greek voters even before the referendum: Greece is to operate responsibly. But its very inclusion in the European Union set it up for failure at its own great expense and to the enrichment of others. Entry into the European Union carries a number of requirements, including specific debt-to-GDP and deficit-to-GDP percentages that Greece had no hope of meeting at that point. At the request of several EU countries keen to see Greece brought in, investment bank Goldman Sachs reportedly made hundreds of millions of dollars in the financial engineering used to hide Greek debt. Those complex financial instruments came due and are wreaking havoc upon not just the Greek economy but now its national sovereignty as well.

Computer programmer and economic commentator Steve Randy Waldman posted several times about Greece recently with a fair amount of information I hadn’t heard before. The most startling was this:

European banking regulations attached zero risk weights to all EU sovereigns, rendering it nearly costless for banks to simply manufacture deposits to purchase sovereign debt. Eurozone sovereigns were default-risk-free as a regulatory matter and currency-risk-free from the perspective of Eurozone banks. The European financial system was architected to make lending to Greece — and Spain and Portugal and Italy — a money machine for bankers with little career risk over a medium term. Sketchy credits tend to punch above their weight in terms of volume of issuance, so there was a lot of nice paper to buy. The bankers who lent to these states understood perfectly well that there was in fact a long-term risk, an uncertainty, a constructive ambiguity. They lent anyway, and took home very nice salaries and bonuses for doing so. It was conventional to lend, the mainstream consensus was that credit risk was over and worry warts were old-fashioned, Europe was strong and would work this out. If the worry warts turned out to be right, it was likely years away, IBGYBG.

Given what’s been known about the Greek economy for a good long while now, the idea that its sovereign debt was weighted zero-risk as a regulatory matter means that, as Waldman also explains, the economic backstop of moral hazard (something invoked early and often in our own 2008 financial crisis) fell by the wayside. Creditors were able to extend much more money to Greece much faster without worrying about the fallout – and making gobs of cash for their own firms in the meantime. When the house of cards came crashing down the engineers would be long gone.

For the record, my sophisticated hard-working elite European interlocutors, the term moral hazard traditionally applies to creditors. It describes the hazard to the real economy that might result if investors fail to discriminate between valuable and not-so-valuable projects when they allocate society’s scarce resources as proxied by money claims. Lending to a corrupt, clientelist Greek state that squanders resources on activities unlikely to yield growth from which the debt could be serviced? That is precisely, exactly, what the term “moral hazard” exists to discourage.

Moral hazard having been cast aside, the money flowed fast and furious to Greece – until it didn’t. And suddenly the regulatory structure of the European Union claims innocence as the European Central Bank, the IMF and Germany all center their gunsights on the Greek populace in order to make creditors whole rather than admitting to the malfeasance on their own parts for creating this scenario in the first place. We now see the lengths to which Germany and the Troika want to take this, and it includes regime change and/or ouster from the EU. The Europeans forced the resignation of Greek Finance Minister Yanis Varoufakis, and have reportedly demanded that of Prime Minister Tsipras as well. According to the Guardian, the organization Greece is supposed to turn over $50 billion in state assets to is a German subsidiary corporation located in Luxembourg whose chairman is German Finance Minister Wolfgang Schauble. Schauble announced its inception two years ago alongside then-Greek PM Antonis Samaras (who was until last week the opposition leader). This is former US Treasury Secretary Tim Geithner’s recollection of a 2012 meeting with Schauble.

The destruction of the Syriza party and the entrapment of the Greek populace in soul-crushing austerity is both highly engineered and totally unconscionable – especially on the part of Germany. French Economist Thomas Piketty recently gave a fantastic interview to Die Zeit in which he outlined Germany’s history of unpaid reparations. Piketty’s a sensation at the moment in part thanks to his book on capital taking the economic world by storm.

Piketty: My book recounts the history of income and wealth, including that of nations. What struck me while I was writing is that Germany is really the single best example of a country that, throughout its history, has never repaid its external debt. Neither after the First nor the Second World War. However, it has frequently made other nations pay up, such as after the Franco-Prussian War of 1870, when it demanded massive reparations from France and indeed received them. The French state suffered for decades under this debt. The history of public debt is full of irony. It rarely follows our ideas of order and justice.

Piketty goes on to talk about historical examples of states moving from saturating indebtedness to sustainability:

But wait: history shows us two ways for an indebted state to leave delinquency. One was demonstrated by the British Empire in the 19th century after its expensive wars with Napoleon. It is the slow method that is now being recommended to Greece. The Empire repaid its debts through strict budgetary discipline. This worked, but it took an extremely long time. For over 100 years, the British gave up two to three percent of their economy to repay its debts, which was more than they spent on schools and education. That didn’t have to happen, and it shouldn’t happen today. The second method is much faster. Germany proved it in the 20th century. Essentially, it consists of three components: inflation, a special tax on private wealth, and debt relief.

And specifically on Germany and debt relief:

After the war ended in 1945, Germany’s debt amounted to over 200% of its GDP. Ten years later, little of that remained: public debt was less than 20% of GDP. Around the same time, France managed a similarly artful turnaround. We never would have managed this unbelievably fast reduction in debt through the fiscal discipline that we today recommend to Greece. Instead, both of our states employed the second method with the three components that I mentioned, including debt relief. Think about the London Debt Agreement of 1953, where 60% of German foreign debt was cancelled and its internal debts were restructured.

We come, then, to the actual referendum, its portrayal, and its aftermath. A referendum in which the country, for better or worse, voted to reject external austerity measures – measures that are now apparently being imposed regardless.


Germany and Finland pull no punches in describing Greece as recalcitrants spoiled by years of access to other people’s money – and for that, apparently, they should suffer. Without recognition of the change in administrations or mandates, or the EU’s own culpability in arranging the current crisis from start to finish. But no: the Greeks are portrayed as lazy, entitled and in the midst of a toddler-style temper tantrum. Few articles covered it better than Slovenian political philosopher Slavoj Zizek in the New Statesman:

The debt providers and caretakers of debt basically accuse the Syriza government of not feeling enough guilt – they are accused of feeling innocent. That’s what is so disturbing for the EU establishment about the Syriza government: that it admits debt, but without guilt. They got rid of the superego pressure. Varoufakis personified this stance in his dealings with Brussels: he fully acknowledged the weight of the debt, and he argued quite rationally that, since the EU policy obviously didn’t work, another option should be found.

Zizek goes on to explain the implications of the Grexit crisis for democracies around the world:

An ideal is gradually emerging from the European establishment’s reaction to the Greek referendum, the ideal best rendered by the headline of a recent Gideon Rachman column in the Financial Times: “Eurozone’s weakest link is the voters”.

In this ideal world, Europe gets rid of this “weakest link” and experts gain the power to directly impose necessary economic measures – if elections take place at all, their function is just to confirm the consensus of experts. The problem is that this policy of experts is based on a fiction, the fiction of “extend and pretend” (extending the payback period, but pretending that all debts will eventually be paid).

Nobel-winning American economist Paul Krugman put it into similar terms in the New York Times, referencing a hashtag that became wildly popular on Twitter:

Even if all of that is true, this Eurogroup list of demands is madness. The trending hashtag ThisIsACoup is exactly right. This goes beyond harsh into pure vindictiveness, complete destruction of national sovereignty, and no hope of relief. It is, presumably, meant to be an offer Greece can’t accept; but even so, it’s a grotesque betrayal of everything the European project was supposed to stand for.

Simply put: America has a huge stake in seeing the European project succeed and has been noticeably, conspicuously silent about what looks to be a new type of regime change and denial of another country’s sovereignty and democracy imposed by central authorities. That the central authorities involved are some of our most important allies seems to be more important than the concept of democracy.

Beyond that: the humanity here is important as well. Austerity offers no comforts for the group upon which it is imposed. The austerity Greece has dealt with for years now results in trends like a massive uptick in child poverty and material deprivation between 2008 and 2012. The referendum stood as a reaction in large part not just to graphs, tables and statistics like that but to the lived experience of economic hopelessness. A lived experience likely to worsen if Germany, the International Monetary Fund and the European Central Bank have their way in a country removed from its own decision-making process.

One of the most important factors I’ve seen help raise people up from harsh conditions is a sense of agency, a sense that they’re aware of, can control and execute their own actions and change those conditions. Write their own story. And that is explicitly what the European Union seeks to deny Greece.

Sharks, Vultures, Zombies and Spikes in the CDS Spread

The Chinese market has been concerning me perhaps more than it should, lately. Perhaps not enough. With $3 trillion in value wiped off the map and another $1+ trillion frozen at the trading desk it looks pretty bleak. And it has for a while – they’ve been spending four to six dollars for every dollar of growth created, surely a losing formula. Given how intertwined our economy is with China’s, maybe it’s worth some heightened consideration.

The other night after a few hours of staring at the issue to see who would blink first (I lost) I dragged my carcass to bed tired and worried. It had been a long day and sleep sounded like a great idea. No sooner did my head hit the pillow than an idea shot into my brain and had me sitting bolt upright. It wouldn’t go away – I had to scrawl out the basics before I could settle down at all.

I found myself thinking about Bear Stearns.

Bear Stearns Companies (also known as BSC) was an investment bank, trading and brokerage firm that folded in the midst of the 2008 crisis for a whole host of reasons. With the market in general a horror show, several factors worsened BSC’s position. First, two major hedge funds founded by them had just collapsed under a cloud of fraud. Second, their highest executives seemed oddly disconnected from the company at critical moments. Third, they had precious little good will in their environment after refusing to participate in an earlier industry bailout of another firm. And finally: a number of subfactors combined to create a fairly traditional run on a bank that, like others at the time, relied heavily on overnight “repo”: repurchase agreements that largely funded BSC’s daily business.

One of the contributing factors to the run manifested in a series of calls to other financial institutions from an office inside the Treasury Department, said to be the Office of the Comptroller of the Currency. In these phone calls a federal official asked how much exposure (level of financial risk) the recipient had to BSC – but followed by an entreaty to not share the nature of the phone call with the rest of the firm, especially their trading desk. The expected and inevitable happened – and everyone began pulling out of what they could with BSC and shorting BSC stock. Despite, obviously, the request otherwise.

Compare that with the moves made in China’s even more centralized market lately, which started out with money being pumped into investment firms by the government alongside a request to stop shorting the market. A request that seems to have been honored – perhaps in large part due to the real likelihood of being arrested by the CCP for failing to comply.

The juxtaposition between the two markets is interesting. The mid-crisis developed market in which good will and civic duty end up largely laughable – in which traders move in for the kill – versus the developing market that yields to government requests encouraging stability. Of course, the CCP didn’t stop there – as mentioned above, much trading has been frozen.

The principle here troubles me. The idea that a market stands proudly as more developed when it engages in predation. But while this principle isn’t friendly to our conceptions of democracy and market action, it may not be wrong. Propping up failed companies for the sake of appearance doesn’t serve a market or a country’s citizens that well, especially in the long run. We’ve seen enough evidence of that on our end. Certain “zombie banks” shamble along lonely roads on which no one joins them but for government intervention, and which banks those are is usually the worst-kept secret in a financial sector. The hope in saving them from insolvency (and, not coincidentally, preserving a certain share price until stakeholders can get rid of it and leave taxpayers holding the bag) is that it will stabilize a volatile market in which rivers of credit run dry. The ultimate apocalyptic landscape for a free-market democracy.

The problem is laid bare in a blistering sun baking the scarred landscape: there’s no hiding from it, in the sense that once a firm’s liquidity is questionable enough to require intervention that firm’s been infected and well on its way to zombification itself, if it hasn’t turned already. Zombie firms spend each day automatically performing actions they remember from when they were alive, shambling up and down the road searching for someone else to give them credit or engage as a counterparty. Once the sun sets nights turn cold and empty as they try to figure out how to get through the next day without a decaying arm falling off.

My fear here is that for the sake of stability China becomes a dark economy – almost ceaselessly pumping money into market-shamblers under the cover of night. The CCP reasserts massive controls from Beijing, illegalizes most economic journalism and simply paints an acceptable picture for the next 5-10 years while no one inside or outside the system knows what the hell is really going on. It’s the only way for high-level CCP members to preserve their massive wealth and revenue generation, and short of execution they are not going to give that up. And even as a Dark Economy, China’s got so much volume that it would still be too big a pool for external investors to not dive into.

Maybe there’s a better way to put it than predation – though taking weak members of the financial herd is certainly applicable. Maybe instead it’s worth considering this part of democratic capitalism as populated by vultures. Certainly done before but usually without recognizing this: vultures are a mechanism to protect ecosystems from disease. Environments with a lack of vultures often see a catastrophic rise in feral dog populations, which are a huge ticking time bomb for rabies.

Of course our problem isn’t solved by our current market: the vultures like to turn on us as well. Far too often.

Referring to our own economy as a developed capitalism may be premature, then. Unless that predatory behavior is indeed a defining characteristic – in which case our future may lie somewhere else, far away from sharks, vultures and zombies. I can hope.

Briefs: Women in Combat, NYSE, AI and Legal Work, OPM, Rothfuss

NYSE is being vague about yesterday’s major trading glitch. I’m not convinced, but I’ve got no evidence to the contrary.

Two lawyers talking about how artificial intelligence may affect legal work.

The Daily Beast on how OPM’s IT security department had no one with IT security experience.

The parody DPRK News Twitter account ended up as a Fox News reference.

Excellent TED talk highlighting American women on the front lines in Afghanistan.

Of special note:

Author and all-around awesome person Patrick Rothfuss has started a new podcast with Max Temkin of Cards Against Humanity fame (or infamy). Really loved their first conversation – check it out here.