Uber as Enron Archetype

Something’s been bugging me about Uber for a while. The more I watch it, the more it feels like Enron.

That’s a hell of an inflammatory statement, I know. And it’s coming from a (theoretically) pro-regulation liberal. No surprise there. But I’m not inherently anti-Uber. It’s made some amazing moves so far and I don’t particularly like traditional taxi services (or the way they treat Uber – or people involved in the debate). My one experience with Uber was passable – good trip to my destination, shady trip back. So I’m not an extremist about the issue.

But – and I recognize the extreme and silly-sounding nature of this next statement – I keep envisioning Uber dissolving suddenly in a wave of accounting improprieties. I’m not accusing Uber of Enronesque fraud here, I’ve no evidence for that. But some of their actions immediately and starkly invoke for me a path so similar to the failed energy giant.

The first thing that struck me in this way is Uber’s strong anti-regulation evangelism embodied in a vocal CEO. In Enron’s case it began with Ken Lay taking as many steps as possible to deregulate the energy market in general and the California energy market in particular. With Uber we see similar passionate advocacy from Travis Kalanick. Kalanick’s views about the free market aren’t a standalone indicator of Enronism but fit into a larger context.

Uber also evokes an image of Enron in their unflinching willingness to operate on the far border or outside the bounds of law and regulation. An early warning in Enron’s history was the Valhalla scandal, in which traders placed huge bets and engaged in crooked accounting as well as skimming profits. Once the bets were discovered and, in a panic, successfully hedged, Enron made its institutional reaction clear in a message to the traders: Please keep making us money. An SEC suit was required for any kind of consequences.

A second example is more directly relevant: dissatisfied with the level of deregulation in California’s market, Enron traders and financial engineers conspired to violate both California law and good corporate citizenship. They increased profits through schemes like exporting energy to another state and imposing an artificial scarcity so the energy could be re-imported at a much higher rate.

That’s not to mention the outright fraud committed by Enron in cleaning debt off its balance sheets through the use of Special Purpose Entities – something they self-justified as legal and defended as a phenomenon of a more optimized, less regulated market. A market that only existed in their heads and on their legal opinions.

Compare such disdain for regulation and legality with Uber’s operations in emerging markets such as India and France, places where it has been explicitly told it is operating in violation and continues to do so. In some cases it depends on loophole methodology; in France it seems to have simply shrugged and told employees and drivers that it would pay the legal fees and fines as a cost of operation, in utter disdain of law and rule.

As a second manifestation of Enron’s tendencies, consider Uber’s attitude toward critics. Uber has an established record of considering dirty tricks to hit back at those who don’t hold it in high esteem, including an executive publicly ruminating about using a journalist’s Uber history against them. Enron made it a habit to force the reassignment of auditor personnel who weren’t “with the program” and to threaten to pull or withhold business from critical ratings firms.

For a third parallel consider transparency. Enron was purposely opaque, admitting and revelling in the idea that they employed a “black box” system generating profits in secret. While not as openly dismissive Uber has established a record of defiant opacity. They’ve racked up fines and judgments for refusing to turn over required data in accord with transparency regulations. Enron hid all that largely to keep the momentum of their massive fraud going forward – what’s Uber’s reason?

There are a substantial number of places where Enron and Uber diverge, of course. But Uber’s anti-regulation, market disruption and dominance rhetoric so neatly echoes that of Enron that I end up fearing the former will collapse in just as catastrophic a wave of accounting scandals.

At the time of its downfall, Enron held approximately $60 billion in assets.

Last week Uber received a valuation of $50+ billion.

A Chrysler Rolling Botnet In Three Steps

Chrysler’s mailing out USB sticks to customers who want to fix a vulnerability in their car by themselves. It took about four seconds for me to realize how bad this idea is.

1. Scrape DMV info for owners of relevant Chrysler models – you can use public RMV portals and just automate the attack. Or if you want something a little less obvious you can fall further down the rabbit hole and hack a police department – most local PDs have terrible information security, and there exist a few specific, mandatory weaknesses that’d be easy to exploit by something as simple as dropping a malware-laden USB drive in the parking lot. Trust me, they’ll plug it in. From there you just use their dedicated connection to CJIS.

2. Find a Print-On-Demand merchandise company and order hundreds of official-looking Chrysler USB drives. Easy to portray yourself as a local Chrysler dealership to allay suspicions of the POD firm – pop-up domain, letterhead, IP voicemails, etc.

3. Drop malware onto your official-looking Chrysler USBs, mock up some letterhead and mail them out to the car owners.

Suddenly you’ve got a rolling botnet: dozens, hundreds, even thousands of cars that are not only vulnerable to attack but, being internet-connected and IP-enabled, able to take part in other attacks, such as a distributed denial of service attack.

The biggest question is whether Chrysler cryptographically signs the update and phones home to verify it before opening and installing – and my guess is no. In the unlikely event I’m wrong, pivot this attack from the cars to the computers of vehicle owners and you’ve got a convincing way into the computers of thousands of Chrysler customers.
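The check the previous paragraph asks about, as an added example in Go. This is not Chrysler’s code and says nothing about how its real update mechanism works; the manifest layout, the model names and the version numbers are hypothetical. The point it demonstrates is that a head unit holding only the vendor’s public key can reject a mailed-out malware stick entirely offline: it verifies a signature over a manifest (model, version, image digest) before it touches the payload, refuses images for the wrong model, refuses rollbacks, and refuses a payload whose hash does not match the signed digest. Phoning home would add revocation and telemetry on top of this, not replace it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one update image. Hypothetical format for this example.
type Manifest struct {
	Model   string   // vehicle model the image is built for
	Version uint32   // monotonically increasing firmware version
	Digest  [32]byte // SHA-256 of the image payload
}

// encode serialises the manifest in a fixed, canonical layout so that the
// signature covers exactly the fields the verifier later checks.
func (m Manifest) encode() []byte {
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.BigEndian, uint16(len(m.Model)))
	buf.WriteString(m.Model)
	_ = binary.Write(&buf, binary.BigEndian, m.Version)
	buf.Write(m.Digest[:])
	return buf.Bytes()
}

// Package is what would be written to the USB stick: manifest, signature, payload.
type Package struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// Build signs an update package. In practice this runs only on the vendor's
// release infrastructure; the private key never reaches a dealership or a car.
func Build(priv ed25519.PrivateKey, model string, version uint32, image []byte) Package {
	m := Manifest{Model: model, Version: version, Digest: sha256.Sum256(image)}
	return Package{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrWrongModel   = errors.New("image is for a different model")
	ErrRollback     = errors.New("image version is not newer than installed version")
	ErrDigest       = errors.New("image payload does not match signed digest")
)

// Verify is what the head unit runs before writing anything. The signature is
// checked first so that no untrusted field influences a later decision.
func Verify(pub ed25519.PublicKey, pkg Package, model string, installed uint32) error {
	if !ed25519.Verify(pub, pkg.Manifest.encode(), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Manifest.Model != model {
		return ErrWrongModel
	}
	if pkg.Manifest.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(pkg.Image) != pkg.Manifest.Digest {
		return ErrDigest
	}
	return nil
}

func main() {
	// Constructed vendor key pair and payload; real keys would be provisioned at the factory.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware payload v2")
	good := Build(priv, "model-A", 2, image)
	fmt.Println("genuine stick:", Verify(pub, good, "model-A", 1))

	// Attacker keeps the vendor's signed manifest but swaps the payload.
	tampered := good
	tampered.Image = []byte("attacker payload")
	fmt.Println("swapped payload:", Verify(pub, tampered, "model-A", 1))

	// Attacker builds a whole package under a key the car has never heard of.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Build(attackerPriv, "model-A", 3, []byte("attacker payload"))
	fmt.Println("forged package:", Verify(pub, forged, "model-A", 1))
}
```

Note that the car only ever holds the public key, so nothing on the stick, in the dealership or in the mail can produce a package that passes this check. The remaining risk is the one the post goes on to name: an owner plugging the stick into a PC that runs whatever it finds, which no amount of signing on the car’s side prevents.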

Security & Tech Briefs: Chrome, Trump, Smartwatches, Mac Exploit

Detectify Labs shared a clever way to deactivate security (or any) Chrome plugins with a simple ping.

Donald Trump’s website was hacked, likely due to a CMS that hadn’t been patched in five years.

The insurance industry is concerned about smartwatches, the Internet of Things, big data and information security.

Ars Technica on a major 0day Mac exploit that’s already being seen in the wild.

Books Finished So Far This Year

Keeping a running list in Evernote, figured I might as well share it here. Have been pleasantly surprised by the quality of the reads so far. Heavier than usual on fiction – usually I read more nonfiction but had started the year out vowing to change that balance a bit. No idea what’ll end up finished next on the list, as I tend to read about six books at once.

1 1/12/15 Great World Religions: Hinduism, Mark Muesse (lectures)

2 1/14/15 Brave New Now, ed by Liam Young

3 1/18/15 The Making of the Atomic Bomb, Richard Rhodes

4 2/14/15 The Decline and Fall of Rome, Thomas Madden (lectures)

5 3/4/15 Atomic Accidents, James Mahaffey

6 3/25/15 A User’s Guide to the Millennium, JG Ballard

7 4/9/15 Night Shift, Stephen King (re-read)

8 4/18/15 Cyber War Will Not Take Place, Thomas Rid

9 4/24/15 The Atrocity Archives, Charles Stross

10 4/27/15 Point Omega, Don DeLillo

11 5/4/15 The Crystal World, JG Ballard

12 5/15/15 Chaos, James Gleick (reread)

13 6/23/15 CUNNING PLANS, Warren Ellis

14 6/30/15 The Whiskey Rebellion, William Hogeland

15 7/29/15 Countdown to Zero Day, Kim Zetter

16 8/3/15 Nexus, Ramez Naam

Countdown to Zero Day: Read it.

Spent a chunk of this week reading Kim Zetter’s Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon and found it to be a good, timely book. Zetter, a senior staff writer for Wired, spins a well-focused narrative relevant not only to Stuxnet but to one of the more active issues in US politics right now: the Iranian nuclear program. Zetter goes into deep but comprehensible detail about nuclear weapons production and Iran’s specific methods and capabilities.

Another place the book shines is the way it leads the reader through malware detection and reverse-engineering processes. Zetter maintains an active and involved storyline that feels not at all like a technical report about either a virus or uranium enrichment. Add that there was no discernible political agenda and you’ve got a pretty damn good read on the details and wider contexts of Stuxnet.

Highly recommended.