Ransomware, it’s all about Marketing

Sometimes, threats of “Pay money or all your files are gone forever” are not convincing enough. Maybe the victim has everything backed up in the cloud, or maybe there was nothing on the computer but cat photos. To really drive the threat home, ransomware developers have gotten very good at, ah, marketing.

The purpose of any marketing is to represent a product in such a way that the consumer will be compelled to part with their money. One way is to show a fake message from the FBI accusing the victim of viewing child porn.

The lock screen actually downloads and displays the porn, so the accusation is sort of self-fulfilling, in a horrible way.

This one threatens to send a copy of all your Skype conversations to your contact list. (No one has reported that this actually happened. Hackers are unlikely to act upon this threat, because large file uploads increase the risk of getting caught.)



EpiPens and Adrenaclicks

If Bernie Sanders had tried to shop around a little, which is a thing that people do in free-market economies, he would see that there is a cheaper generic called Adrenaclick.

Granted, a duopoly between Amedra Pharmaceuticals and Mylan is not the ideal market. But at $142, Adrenaclick is less than a quarter of the price of EpiPen. Why are so many people bitching about Mylan when they can vote with their dollars instead?

One mealy-mouthed excuse is that Adrenaclick is harder to use, and that most people are trained on EpiPens.

Who are these people? I would imagine that the allergy patients who carry auto-injectors on their person at all times (as recommended by Mylan paid spokesperson Sarah Jessica Parker) are trained in whatever they choose to carry.

Even if these patients are depending on a second responder, the instructions are printed ON THE CASE. For both products. Not that it matters, because the steps are practically the same. Just watch the training videos: EpiPen vs Adrenaclick

The videos are very boring and no one’s gonna watch them, so here’s a spoiler: The ONLY discernible difference is that Adrenaclick requires that the user remove two end caps before administration, whereas EpiPen only has one cap. I suppose this could be confusing for a person who can neither read, nor comprehend number labels, nor follow the cartoon drawings on the package. But I don’t know what subset of the population that might be.


A better explanation for why we’re vilifying Mylan is that doctors don’t know a competitor exists. A professor of pediatrics who writes for The NYTimes says of Adrenaclick: “few physicians think of it.”

This sounds like a terrible failing on the part of the medical physicians. Doctors are supposed to be aware of the drugs available to treat their patients. It’s part of their job description. It’s also why state medical boards require medical doctors fulfill some minimum number of hours of continuing medical education (CME) every year. In California, the minimum requirement is 50 hours of education every two years.

The purpose of CME is to make sure physicians have up-to-date knowledge of medical developments. CME requirements can be met through activities like coursework, manuscript review, or by attending conferences SUCH AS THIS ONE SPONSORED BY MYLAN, in which participants listen to educational things like this presentation about patients forgetting how to use their EpiPens.

The conferences might be educational in nature, but they also involve lavish dinners and parties. If I were a doctor (which I most definitely am not, therefore nothing here is medical advice), I, too, might conveniently forget about EpiPen’s cheaper competitor after a sponsored trip to Orlando.

The health care industry is full of unofficial kickbacks and sort-of conflicts-of-interest. Sometimes there’s nothing a patient can do about it, but this is not one of those times. GoodRx is a site for comparing prescription drug costs, and Adrenaclick is the first result that appears in a search for generic epinephrine. GoodRx is a great resource that everyone should use. And I don’t get a kickback for saying that.

See Also:
This Post Brought To You By Your Insurance Provider

Stop calling Bitcoin hacks, “Bitcoin hacks”

Occupy Mt. Gox

They’re exchange hacks, they’re wallet hacks, they’re service-provider hacks. It just so happens that bitcoin was stolen. To call these breaches “Bitcoin hacks” is like calling the SWIFT hack a “US dollar hack.” Obviously the USD did not get hacked; only the central bank does that.

Bitfinex was an unregistered Bitcoin exchange with over $150M in custody. Rumor has it they’re based in Hong Kong, owned by a parent company in the British Virgin Islands, with a management team spread all around the world. The only listed contact information is an email address and a Twitter handle.

What did you think would happen?? Go ahead, drop your life savings into a southeast-Asian bank you found on the internet and see how well that works out for you.

Securing tiny electronic files from leaking – keys – pushes the bounds of known computer science. –Jeff Garzik, Co-Founder of Bloq

The fact that Jeff Garzik has trouble keeping his keys in his pants is not a fundamental flaw of Bitcoin, or even of known computer science. The frequency and magnitude of Bitcoin losses reflect the fact that users are giving full custody of their funds to irresponsible third parties.

Bitcoin’s underlying technology is fine; the problem is that people do dumb things on top of that underlying technology. Of the fifty largest Bitcoin-related thefts, only one can be definitively attributed to the protocol*. Everything else was caused by a higher-level breach, most commonly an unauthorized server access. You know, the same thing that happened at JP Morgan Chase in 2014.

Preventing data leakage isn’t a matter of pushing the bounds of computer science, it’s a matter of responsible access control. This is a problem faced by every industry in every part of the world. A Bitcoin service provider is a financial institution, and should be held to the same level of scrutiny one might employ when selecting a financial institution.

Bitcoin rarely gets hacked. Bitcoin only fails when we expect digital bucket shops to provide the bulletproof security of a private Fort Knox.

*In 2013, an inadvertent Bitcoin hard fork temporarily enabled users to double-spend their money. Only one such attack was conducted, and the attacker later returned the money. This is the only “Bitcoin hack” on a Bitcoin service provider (that I know of).

See Also:
The Wretched, Endless Cycle of Bitcoin Hacks –Bloomberg

LinkedIn vs the Bots


LinkedIn’s business model is to charge money for information that users give them for free.

To advertise the availability of such information, they rely on Google for search indexing. Google’s web crawlers only index what they see, so LinkedIn’s servers disable login checks when a page request appears to come from Google.

Digital publications do this too. NY Times, Wall St Journal, Economist. Paywalls come down when Google crawlers arrive. The sites even disable ads to give Googlebot faster page downloads.

If you optimize your site experience for search engine bots, don’t be surprised when your website attracts a lot of bots.

Last week, LinkedIn filed a lawsuit against a hundred anonymous bots. Apparently people were renting cloud computing services from Google, and then running bots to collect LinkedIn user profiles. Because the bots made requests from Google’s servers, LinkedIn mistook them for Google’s web crawler [1]:

Don’t you hate it when you leave the backdoor open for a trusted third party, only to have unwelcome guests invite themselves inside?
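Google’s documented way to tell its own crawler apart from other traffic leaving its address space is a reverse DNS lookup on the client IP, a check that the name lands in googlebot.com or google.com, and a forward lookup of that name that must return the same IP. The block below is an added example, not LinkedIn’s code or anything from the original post; the DNS records, the address range and the hostnames are constructed so it runs offline.

```python
"""Weak vs. strict crawler allow-listing, as an added example.

The DNS fixtures and the 198.51.100.0/24 range are constructed stand-ins
(not real records). In production the two lookups would be
socket.gethostbyaddr and socket.gethostbyname.
"""
import ipaddress
from typing import Callable, Optional

# Constructed reverse records: .10 is a crawler host whose forward record
# points back at it; .20 is a tenant VM in the same cloud; .30 is a host
# whose reverse record claims googlebot.com but whose forward record does not
# agree (reverse DNS is controlled by whoever owns the address block).
REVERSE = {
    "198.51.100.10": "crawl-198-51-100-10.googlebot.com",
    "198.51.100.20": "10.100.51.198.bc.googleusercontent.com",
    "198.51.100.30": "crawl-198-51-100-30.googlebot.com",
}
FORWARD = {
    "crawl-198-51-100-10.googlebot.com": "198.51.100.10",
    "10.100.51.198.bc.googleusercontent.com": "198.51.100.20",
    "crawl-198-51-100-30.googlebot.com": "203.0.113.9",
}
# Constructed stand-in for "address space the cloud provider announces".
PROVIDER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def weak_is_googlebot(ip: str, user_agent: str) -> bool:
    """Brittle rule: source in the provider's ranges plus a Googlebot UA.
    Any tenant of that cloud can satisfy both conditions."""
    addr = ipaddress.ip_address(ip)
    return "Googlebot" in user_agent and any(addr in net for net in PROVIDER_RANGES)


def strict_is_googlebot(ip: str,
                        reverse: Callable[[str], Optional[str]] = REVERSE.get,
                        forward: Callable[[str], Optional[str]] = FORWARD.get) -> bool:
    """Reverse-then-forward DNS check. The reverse name must sit in a crawler
    domain, and resolving that name forward must give back the same IP."""
    host = reverse(ip)
    if not host or not host.lower().endswith(CRAWLER_SUFFIXES):
        return False
    return forward(host) == ip
```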


This isn’t the first time LinkedIn tried to stop profile-pulling bots. They filed a similar lawsuit two years ago, against bots running on Amazon’s cloud. The result was that LinkedIn identified a single defendant and settled the case for $40,000, an amount that doesn’t even begin to cover the “hundreds of hours of employee time” that LinkedIn spent investigating the bot activity [2].

The lawsuits are a losing battle. Anyone can run a bot to pull LinkedIn data. A GitHub search for “LinkedIn scraper” returns sixty open-source tools advertising this exact functionality. Each repository has dozens of contributors and followers, and I bet the closed-source tools do even better.

This is what happens when you make exceptions for a “whitelisted partner”. On the internet, any loophole inevitably turns into open access. Remember that time LinkedIn suffered a data leak, and 117 million users had their passwords and personal information stolen and sold on the black market?

So, LinkedIn, how does unauthorized access feel now?

See Also:
1. LinkedIn Corporation vs. Does, 1 through 100 inclusive, No. 5:16-cv-4463 (US District Court, Aug. 8, 2016)
2. LinkedIn Corporation v. Robocog Inc, No. C14-00068, (US District Court, Mar. 27, 2014)


The Postage Stamp Economy


I spent the late 90s selling Pokémon cards on Yahoo Auctions. Did you know that Pokémons used to come in card form? And that Yahoo used to be more than just a carcass container for Alibaba shares?

Yahoo Auctions was the Silk Road of the internet. I’m talking 7th century Silk Road here, not darknet Silk Road. This was the go-to place to buy Beanie Babies, baseball cards, and any other small-ticket collectible. Most importantly, it was where I could offload extra Pokémon.


Paypal didn’t exist yet, but I was too young to have a bank account or credit card anyway. The average sale price was a dollar. Some of my customers paid by mailing cash; most paid in unused postage stamps equaling the amount due.

Postage stamps were the perfect currency. As a Yahoo Auctions Power Seller, I was always in need of postage to distribute my products. Plus, the exchange rate is printed right on the stamp! If I had a surplus, I could trade them in at the central bank of Mom and Dad. In the case of “Forever” stamps, they’re even guaranteed to keep up with inflation.


Unfortunately, sound money does not always guarantee a stable future. Today USPS is having a rough go, with a negative net income for the last five years.

I know what you’re thinking: Who the hell uses USPS anymore?? If you find yourself unable to answer that question, maybe it’s time to shut down the Postal Service.

No, I’m kidding. Anyone that sells physical goods on the internet needs USPS. Amazon sends 40% of its shipments via US Post. Even UPS and FedEx outsource 30-40% of parcels to USPS. How else could they make money on deliveries to the boondocks? That’s what public utilities are for.

Ordinarily when the competition outsources its business to you, that’s a sign to rethink your going rate. In this case, it’s not possible: Postage rates are mandated by the Postal Regulatory Commission. (Why are my tax dollars paying for this agency??)

While I certainly appreciate the efficiency of central planning, in theory a viable business should have total revenue exceed total expenditure. USPS is a public utility, so we’ll let them slide at break-even. 99% of Postal revenue comes from postage (the rest is from P.O. boxes and money orders). And the total value of postage issued should equal the total value of services demanded. Then to reach sustainability, the Postal Service should cease postage sales and instead pay all its expenses in postage stamps.

This doesn’t necessarily mean physical stamps. USPS recently released a silly report describing potential postal blockchain applications*.


The report covers many ideas but misses an obvious one: Blockchain postage! Let’s call it PostageCoin. Make it a colored Bitcoin, or issue a digital token. The benefit of a blockchain-based postage stamp is that it can be verifiably exchanged.

The Postal Service can cover payroll and expenditures with PostageCoin, and let the resellers determine its value. Right now, USPS must sell postage at the PRC-mandated price, but resale outlets are free to mark up (or down) as they like. Sure, the stamps might be tagged at 47 cents, but Cuba also spent half a century insisting that their national currency was pegged to the dollar. The state employees earning four centavos on the peso all knew better.

As long as people buy stuff on the internet, e-commerce merchants will need postage. And if merchants need postage, they should accept PostageCoin. Given that over half of US households have an Amazon Prime membership, most people will accept income in a currency that Amazon considers legal tender. Then postal workers will be able to spend their PostageCoin almost anywhere. It becomes a virtuous cycle.


These closed-circuit transactions are required for a sustainable decentralized currency. The way things work with Bitcoin is that miners mine bitcoin and sell most of it on an exchange. Customers buy bitcoin from the exchange when they need to pay merchants. Merchants receive bitcoin and sell it again to get dollars. Each transaction is an open circuit.

Exchanges provide liquidity at the endpoints, but also a point of failure (See Also: BitFinex, Mt. Gox, Bitstamp, &co). Regulators looking to tamp down Bitcoin go straight for the endpoints.

Someday, specific Bitcoin cycles will emerge. Maybe due to the spread of Bitcoin ransomware in banking and healthcare, although I hope we see something more positive than that. Until then, there’s always PostageCoin.

*More importantly, why is the post office researching blockchain applications?? They should obviously be researching drones!