Blog Ipsa Loquitur

Last month, the WannaCry ransomware attack caused a lot of damage to computer systems worldwide, but it could have been worse. It was limited in large part because one security researcher stumbled across a web domain named in the WannaCry source code. When the researcher looked up the domain, he saw no one had registered it; and so he put down the ten bucks for it, figuring it might be important. It turns out, if there was a web site at the domain, WannaCry uninstalled itself instead of encrypting users’ files and holding them for ransom.

A lot of outlets reported this web domain as a secret “kill switch” coded into WannaCry, but the anonymous security research wrote a fascinating essay titled How I accidentally stopped a global Wanna Decryptor ransomware attack:

The reason that was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to. A side effect of this is if an unregistered domain is queried it will respond as it it were registered (which should never happen).

I believe the malware creators were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox and the malware exits to prevent further analysis. This technique isn’t unprecedented: the Necurs trojan queries five totally random domains, and if they all return the same IP it exits.

However, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit… thus we unintentionally prevented the spread and further ransoming of computers infected with this malware.

Got that? Your computer has a special file that it uses to look up the address of a server before it checks the internet’s version of that server address. When you type into your web browser, your computer first checks that special file—called a Hosts file—to see if it already knows what IP address is. Spoiler alert: your Hosts file is empty by default, so unless you added something by hand, your computer will end up asking the DNS computers what this site’s IP address is.

Security researchers (like Mr. I Stopped WannaCry By Accident) use software that creates a fake computer within their computer. That way, they can get their fake computer infected with viruses in a controlled environment, and see what they do, and inspect them forensically. All this without compromising a real computer.

However, many of these fake computers—called sandboxes—come with a Hosts file that points every unregistered domain back to the sandbox. So the WannaCry author mashed his or her keyboard for a few seconds, came up with a super long and random-ish domain name, and assumed that the only way that domain could do anything but fail to load was if WannaCry was running in a sandbox.

Or if a security researcher registered the domain for ten bucks. ​

One more thing

In addition to checking to see if they’re running in a sandbox, viruses usually check to see what they’re supposed to be doing once they’ve infected a computer. They need their instructions: send out millions of spam emails for one client, mine a whole bunch of bitcoins for this other client, etc. Viruses do this by talking to control servers, and you’ll never guess where Russian spies are hiding their control servers:

According to a report published Tuesday by researchers from antivirus provider Eset, a recently discovered backdoor Trojan used comments posted to Britney Spears’s official Instagram account to locate the control server that sends instructions and offloads stolen data to and from infected computers. The innovation—by a so-called advanced persistent threat group known as Turla—makes the malware harder to detect because attacker-controlled servers are never directly referenced in either the malware or in the comment it accesses.

​Basically, the people who want to control a botnet put a specially-coded comment on one of Spears’s photos. The comment looks innocuous to the human eye, but infected computers recognize it and use that to receive their instructions.

Published on under Fear of a Bot Planet

Craig Garthwaite, a professor of strategy and healthcare at Northwestern University, on why replacing Obamacare is so hard: it’s fundamentally conservative.

Republicans are engaged in a brutal civil war between hard-liners and moderates as they struggle to craft legislation to repeal and replace Obamacare. The episode invites an almost existential question for the GOP: Why, after seven years of nearly endless war against Obamacare, is the party unable to deliver a more conservative policy that provides access to health care to a similar number of Americans?

As a life-long Republican who has spent months contemplating this question, I’ve come to an answer that will be hard for many conservatives to swallow: Passing an Obamacare replacement is difficult because the existing system is fundamentally a collection of moderately conservative policies.

​Garthwaite’s op-ed is a nice recitation of the philosophical reasons conversatives should be comfortable supporting a market-based healthcare system like Obamacare. However, it doesn’t delve into the parentage of Obamacare, or why the DNA of the bill is so amenable to conservative principles.

For example, the right-leaning Heritage Foundation think tank consistently advocated for implementing the sorts of health insurance exchanges core to Obamacare, as recently as 2006. As governor of Massachusetts, Mitt Romney signed into law and implemented health insurance reform that looks awfully like Obamacare’s.

Fact is, there are a lot more reasons Congressional Republicans could support health care than ‘Reagan thought government could do stuff okay sometimes.’

Published on under Dog Bites Car Stories

Alastair Pal for Reuters UK: Fake online stores reveal gamblers’ shadow banking system.

The seven sites, operated out of Europe, purport to sell items including fabric, DVD cases, maps, gift wrap, mechanical tape, pin badges and flags. In fact, they are fake outlets, part of a multinational system to disguise payments for the $40 billion (31.6 billion pounds) global online gambling industry, which is illegal in many countries and some U.S. states.

The findings raise questions about how e-commerce is policed worldwide. They also underline a strategy which fraud specialists say regulators, card issuers and banks have yet to tackle head-on.

​Okay, so it’s no great surprise that despite the fact that gambling is illegal in the U.S., it’s still possible to find web sites that’ll take your money. That’s not news. What’s interesting about this story is how they take your money. Gambling sites set up stores that accept real money for fake goods, laundering the funds:

In December, a reporter placed an order for a yard of burlap cloth on one of the sites,, a website run by a UK company called Sarphone Ltd. The fabric, advertised in U.S. dollars at $6.48 per yard, has “many uses including lightweight drapes,” the website says. Sarphone did not respond to requests for comment.

This order went unmet. After a few weeks an email from My Fabric Factory arrived saying the product was out of stock. The payment was refunded.

​The most surprising thing about this is that it sounds like regulators largely rely on credit card processors to self-report gambling transactions.

Published on under The Ol' Burlap Switcheroo

Lisa Selin Davis, in the Guardian: For 18 years, I thought she was stealing my identity. Until I found her:

In 2013, my license was suspended again, this time for an unpaid ticket from 2012, for “Drive Cell Phone”, as the officer wrote. Like an addict, I cycled through every tactic with the DMV: charm, threats, shame; I tried begging and berating them. Once again, I pleaded guilty and paid a fine to get my license back, and once again I filled out the “Unauthorized Use” form.

Finally, the DMV told me that I wasn’t the victim of identity theft; there was simply another Lisa S Davis with the same birthday in New York City. Our records were crossed. When cops run a license, they don’t check the person’s address, signature, or social security numbers. They check the name and the birthday, and both the other Lisa S Davis’s and mine were the same. We were, in the eyes of the law, one person, caught in a perfect storm of DMV and NYPD idiocy.

When I visited the board of elections office in downtown Brooklyn, they told me the same thing. Lisa S Davis and I: we were one.

​Come for the tale of outdated government IT, stay for the white Lisa S Davis thoughtfully checking her privilege.

Published on under I smell a sitcom, folks

Willy Staley’s profile of Mike Judge in the New York Times is full of gems like this:

Calling “Idiocracy” a documentary is one of those jokes about Donald Trump that was made constantly in the latter months of 2016 and now reeks of a certain strain of ineffectual liberal smugness. Still, it’s an observation not entirely without merit. As recently as two years ago, the movie felt like a relic of the jingoistic Bush years, but then history shuddered in such a way as to render it clairvoyant.

In “Idiocracy,” the secretary of state is sponsored by Carl’s Jr., a company whose chairman very nearly became our current secretary of labor. In 2505, the Oval Office is occupied by an ex-wrestler and porn star named Dwayne Elizondo Mountain Dew Herbert Camacho; our president has been on the business end of a Stone Cold Stunner and once appeared in a nonpornographic segment of an otherwise soft-core Playboy VHS tape, dumping sparkling wine onto a limousine. His name is a brand name, too.

I hope one day to learn there’s a German word for “proposing something deliberately absurd which later turns out to be entirely factual.” They’ve got all the best ones, like joy derived from the suffering of others, and “grief bacon.” This would just complete the trifecta.

Of course, this profile largely exists to promote Judge’s new work, not his old. Turns out Silion Valley rhymes with Idiocracy more than I had thought:

If “Idiocracy” imagined that America would one day amuse itself into ruin, then “Silicon Valley” offers a compelling case for how we’ll go about doing it — not in spite of our best and brightest, but because of them.

Do the Germans have a word for “Mike Judge kinda needs a hug?”

Published on under I'm More of a Druid of Meh

If you haven’t read Susan Fowler Reflecting on one very, very strange year at Uber yet, do have a read about the kind of people that run Uber. Here’s how her piece starts:

After the first couple of weeks of training, I chose to join the team that worked on my area of expertise, and this is where things started getting weird. On my first official day rotating on the team, my new manager sent me a string of messages over company chat. He was in an open relationship, he said, and his girlfriend was having an easy time finding new partners but he wasn’t. He was trying to stay out of trouble at work, he said, but he couldn’t help getting in trouble, because he was looking for women to have sex with. It was clear that he was trying to get me to have sex with him, and it was so clearly out of line that I immediately took screenshots of these chat messages and reported him to HR.

And it only gets more ridiculous from there. Now, Uber is not the only tech company that mishandles sexual harassment claims; maybe Silicon Valley companies in general are disrupting stagnant office environments in favor of free market sexual harassment policies. After all, according to the 2015Elephant in the Valley survey of senior women in technology, 60% reported unwanted sexual advances; of those, nearly two-thirds had received advances from a superior. Half of those advances from a superior happened more than once.

These problems have solutions. One tech CEO, Debbie Madden, writes Many in Tech Have Gotten Harassment Against Women in the Workplace Right for Decades:

Here’s an idea: adopt a zero tolerance policy for harassment. Do this today, and hold people accountable for their actions. For all of the Uber employees who have done wrong — fire them immediately. Yes, Uber must investigate and confirm each allegation. But that doesn’t take years, it takes days. Once confirmed, fire immediately.

Firing employees who sexually harass other employees? How disruptive! There’s more to it than just firing the lousiest male employees, though: Rachel Thomas wrote last fall about The Real Reason Women Quit Tech (and How to Address It). She includes lots of great ideas and links to studies and articles, but this bit about internalized gender bias might be my favorite:

Researchers at Deutsche Bank hypothesized that women managing directors were leaving the firm to work for competitors because they were seeking greater work/life balance. However, they discovered instead that women were leaving because they were being offered higher ranking jobs by competitors that they weren’t being considered for internally.

It must be tough to run a business when you only promote half of your qualified employees.

Published on under It's a Man's World