Robert Mueller’s Deflective Force Field

On July 24th at 8:32 AM EST, all eyes and ears were turned to the former special counsel, the honorable Robert Mueller. Going into the hearings, the Republicans hoped to expose multiple structural cracks in the report. The Democrats, on the other hand, tried to get just one piece of conclusive evidence of collusion and election tampering to justify impeachment.

Just like other interested citizens, I have been following the Russian collusion and DNC email hacking saga since 2016, so naturally I expected that Mueller would address some of the key findings in the report, but alas, my hopes for insight and clarity were dashed. What promised to be a simple Q&A session turned out to be a painful, 454-minute game of charades where you never get to figure out any of the answers.

At 8:54 AM, 48 minutes and 18 seconds into his sworn testimony, Robert Mueller–the consummate DC political bureaucrat–activated his industrial strength fog machine and deployed a force field deflector shield. This set in motion a recurring pattern of ducking, dodging, and sidestepping direct and specific questions about his pet project report.

Despite the lack of clarity in his answers and his alarming unfamiliarity with his own work (e.g. not knowing who Fusion GPS was), I found the session to be insightful and a veritable treasure trove in terms of body language, image artifacts, and audio content worthy of analysis. Mueller spoke for about 7 hours and provided a rare opportunity to capture his conversational patterns, facial characteristics, and behavioral fingerprint when under duress, all in a single continual homogeneous session–and all of this in a well lit environment in front of high resolution cameras. For video analytics, it don’t get no better than this!

A Note About Lie Detection
Nonverbal cues, AKA body language, are a form of communication. They are similar to verbal communication except that they are expressed through facial expressions, gestures, touching, physical movements, posture, bling, tone, timbre, and various speech and voice characteristics. Nonverbal behavior comprises a large percentage of all interpersonal communication and can provide insight into a person’s thoughts and feelings.

The theory behind the ability to detect lies from body language is that most people who are lying find it difficult to maintain physical and mental comfort under ongoing questioning. The result is observable distress in their speech and appearance. This is because disguising the truth requires a significant amount of left brain creative processing, which in turn increases cognitive load as the person struggles to ‘make up’ answers to what would otherwise be fast memory-recall responses.

That said, there is no such thing as an accurate lie detector. Polygraphs or professional body language readers can only spot a person’s discomfort and stress as they relate to certain topics of conversation and then focus on these areas for further analysis. If the annals of polygraph testing teach us anything, it is that professional liars like Aldrich Ames, Robert Hanssen, and Kim Philby (who ironically wrote the chapter about catching double agents) were resistant to lie detection.

It is also relevant to note that criminal courts usually don’t accept polygraph tests or body language reading as evidence because they are considered unreliable by academic psychologists (Christine Blasey Ford may disagree with this finding) and by reputable scientists. In addition, the person who administers and assesses the test has a great deal of control over how the test is conducted and its outcome. This, by itself, can completely skew or invalidate the test.

An Experienced Counter Intelligence Officer
When evaluating Mueller’s testimony, it is important to remember that he is a professional with years of experience in debriefings (over 80 congressional testimonies), legal depositions, interrogations, and counter intelligence work. This was evident in his testimony. With a few exceptions, he avoided taking the bait from hostile questioners and utilized common counter-interrogation techniques such as draining the clock by asking for questions to be repeated (18 times), requesting the speaker to cite and point to the specific references in his copy of the documents (9 times), endlessly paging through his folder without finding or reading any of the referenced content (7 times), and answering at length about unrelated issues.

Mueller’s most frequent deflection tactic was to use I-phrases such as “I can’t get into…” or “I’m not going to…”. The former special counsel declined to answer all relevant questions about topics such as the Steele Dossier, Fusion GPS, the usage of paid informants, and the genealogy of the FISA applications. As can be seen in Table 1, out of about 230 total questions, Mueller dodged about 198 and only provided vague, non-committal responses to 10 others. This amounted to failing to answer about 87% of all questions.

This was quite a performance for the shining knight of justice, especially if you consider the DOJ mission statement:

“To enforce the law and defend the interests of the United States according to the law; to ensure public safety against threats foreign and domestic; to provide federal leadership in preventing and controlling crime; to seek just punishment for those guilty of unlawful behavior; and to ensure fair and impartial administration of justice for all Americans.”

The key operative word here is “ensure”, not try, attempt, or do your best, but to verify and confirm.

Mueller Deflection Timeline
Chart 1: The distribution of Mueller’s instances of dodging or refusing to answer questions during his testimony

Mueller’s Response Algorithm
Mueller was selective in which questions he deflected. To the casual observer, it may have seemed that he was laconic across the board, but that wasn’t the case. In multiple non-sequential instances, he provided elaborate and definitive responses to questions, but these were almost exclusively from Democratic Congress and Intelligence Oversight Committee members. With a few exceptions, most of his verbose responses could be categorized as being damaging to President Trump.

Mueller Keyword Cloud
Image 1: Mueller’s tag cloud of the types of words and phrases that he used to avoid answering the questions. The operative sentence that preceded most of these words was “I’m not going to…”

As can be seen in Table 1, the taxonomy of his answers contains a large variation of the first person “I”, “I’m”, and “my”. This suggests that Mueller felt a strong affinity to the document. He never used the form “we”, “our”, or “the team” which would have been more appropriate considering his repeated assertions that the report was a large team effort and that no single individual has mastered its content.

#     Time    Response to Question
1     8:54    I stick with the language that is in front of you
2     9:00    I will leave the answer to our report
3     9:02    I’m not going to discuss other matters
4     9:04    I’ll refer to the report
5     9:05    Pass
6     9:06    I can’t say I understand the statistics
7     9:15    I direct you to the report for how it’s characterized
8     9:16    I rely on the language in the report
9     9:21    This is one of those areas which I decline to discuss and will direct you to the report
10    9:23    Again, I send you to the report
11    9:26    I have to pass on that
12    9:27    I rely on the report
13    9:30    This is outside my purview
14    9:30    That is outside my purview
15    9:31    Outside my purview
16    9:32    I refer you to the report
17    9:33    This is still outside my purview
18    9:34    I will refer you to the report on that episode
19    9:36    I’m going to ask you to rely on what we wrote about that incident
20    9:38    I again would refer you to the report and the way it’s characterized in the report
21    9:38    I’m not going to get into that
22    9:40    I can’t get into that. That’s internal deliberation of the Justice Department
23    9:45    I direct you again to the report
24    9:46    Whatever was said will be in the report
25    9:47    I can’t answer that question
26    9:50    That’s not in my purview
27    9:51    I can’t get into that
28    9:53    I can’t get into that
29    9:54    I am not going to get into it
30    9:55    I would refer you to the coverage of this in the report
31    9:56    I would refer you to the report
32    9:57    I send you back to the report
33    9:58    I refer you to the write-up of this in the report
34    9:58    I can’t go beyond what’s in the report
35    10:00   I can’t get into internal deliberations
36    10:01   I can’t get into the evidentiary findings
37    10:02   Can’t get into that
38    10:19   I will leave it as it appears in the report
39    10:20   I’m just going to have to refer you to the report if I could
40    10:21   I don’t want to speculate
41    10:22   I rely on the wording of the report
42    10:24   With regards to Steele, that’s beyond my purview
43    10:25   It’s not within my purview
44    10:26   As I said before and say again, it’s not within my purview
45    10:28   I refer you to the report on that
46    10:29   That’s an area I cannot get into
47    10:40   I’m not going to get into what we may or may not have included in our investigation
48    10:41   I’m not going to get into subsidiary details. I refer you again to pages 91-92
49    10:46   I can’t speak to that
50    10:47   I am under orders that don’t allow me to give you an answer to that particular question
51    10:48   I can’t get into the discussion on that
52    10:53   I’m not going to be involved in the discussion on that…
53    10:56   I’m not going to go further in terms of discussion…
54    10:57   I can’t get into our investigative moves
55    10:57   I’m not going to get into that any further than I already have
56    11:02   I can’t speak to that
57    11:02   I would say I rely on what’s in the report
58    11:07   That letter speaks for itself
59    11:10   I’m not going to go beyond that
60    11:11   I refer you to the court proceedings on that issue
61    11:15   I’m not going to get into that
62    11:16   I can’t speak to that
63    11:18   I’m not going to talk to that
64    11:20   I’m not going to speak to that
65    11:22   I’m not going to get into what was in Mr. Comey’s mind
66    11:23   I’m not going to delve more into the details of what happened
67    11:25   I’ll leave that to the Attorney General
68    11:26   I’m not going to get into a discussion on that
69    11:27   Again, I refer you to the report
70    11:28   I refer you to the lengthy dissertation on exactly those issues that appears in the report
71    11:33   I can’t speak to that
72    11:34   That was outside our purview
73    11:34   I’m not going to speak to that
74    11:35   And I am not going to answer that question, sir
75    11:35   I’m not going to speak anymore to that
76    11:36   I’m not going to answer that
77    11:36   I have nothing to add
78    11:37   I’m not going to add to what I have stated before
79    11:39   I feel uncomfortable discussing anything to do with the Stone indictment
80    11:40   I’m not going to speculate
81    11:41   I’m not going to discuss that
82    11:43   Not going to talk about that
83    11:46   I’m not going to answer that
84    11:53   I’m not going to talk about that issue
85    11:58   I’m not going to get into that. It’s a little off track
86    12:00   I have to say the letter itself speaks for itself
87    12:01   I go back to the letter. The letter speaks for itself
88    12:02   I can’t answer that question in a vacuum
89    12:03   We have not specified the persons mentioned
90    12:04   I’m not going to speculate
91    12:05   I’m going to pass on that
92    12:08   I’m not going to comment
93    13:17   I’m not going to go into details of the report
94    13:20   Those areas, I’m going to stay away from
95    13:20   I’m not going to get into those matters to which you refer
96    13:24   I’m not going to speak to the series of happenings as you explained them
97    13:26   I’d have to refer you to the reports on that one
98    13:26   I’m not going to speculate
99    13:28   I can speak to the half of the half of your question that’s on the screen being accurate
100   13:28   I’m not going to speak to that
101   13:32   Again, I’m not going to discuss the issues related to Mr. Steele
102   13:34   Again, I pass on answering that question
103   13:37   That’s about all I’ll say on this aspect of it
104   13:41   I’m going to pass on that
105   13:42   I take your question
106   13:46   I’m not going to speculate along those lines
107   13:48   I’m not going to opine on that. I don’t have the expertise in that arena to opine
108   13:48   I cannot agree with that. Not that it’s not true, but that I can’t agree with it…
109   13:50   That portion or that matter does not fall within our jurisdiction
110   13:51   I direct you to the report for how it’s characterized
111   13:53   I’m not going to discuss any other alternatives
112   13:57   I can’t speak to that. That would be in levels of classification
113   13:59   I’m going to stay away from one particular or two particular situations
114   14:01   I’m not going to talk about specifics
115   14:02   I’m not going to speak to that
116   14:10   I’m not going to get into that. It goes into internal deliberations
117   14:12   Again, I’m going to pass on that
118   14:13   As I said before, this is an area that I cannot speak to
119   14:14   Again, I’m not going to speak to that issue
120   14:14   Questions such as that should go to the FBI
121   14:31   And I’m not going to discuss that
122   14:32   I’m not going to get into that
123   14:33   And again, I’m not going to respond to that
124   14:34   Again, I can’t respond
125   14:35   Again, I can’t speak to it
126   14:35   Again, I can’t answer that
127   14:36   Again, I’m not going to go there
128   14:37   I think you understand I cannot get into either classified or law enforcement information
129   14:37   I can’t respond to that question, it’s outside my jurisdiction
130   14:42   Again, I can’t speak to that
131   14:43   I can’t go into it
132   14:45   I’m no longer in the Federal government, so I’ll pass
133   14:46   I don’t want to wade into those waters
134   14:51   I defer to the report on that
135   14:54   I can’t get into a discussion on it
136   14:55   I can’t answer that
137   14:56   I can’t get into that
138   14:56   Again, it’s the same territory that I’m loath to get into
139   15:06   I’m not going to talk to that
140   15:06   I’m not going to talk to that
141   15:09   That I can’t get into
142   15:12   And I can’t get into that area
143   15:13   I can’t answer that question
144   15:16   I’m not going to get into that
145   15:17   I cannot get into that
146   15:21   I will not get into that
147   15:23   I leave that to you
148   15:24   Again, speculation

Table 1: Sampling of reasons from about 200 instances of Mueller’s refusal to answer questions

The Evaluation Process
Mueller’s testimony consisted of over 750,000 video frames. Even a trained interrogator could only process a small percentage of this data. Add to this the observer’s distraction, blinking, and fatigue, and it becomes virtually impossible for a human to accurately capture the fine nuances of all of these frames or sequences for content. At best, a person would be able to provide a summarized ‘gut feeling’ about the overall session and reference some vague (and often inaccurate) actions such as ‘he touched his nose’, which could suggest that he was lying.

AI based video analytics, on the other hand, can easily process each video frame in a consistent, repeatable manner and with no observer bias. The objective of my evaluation of Mueller’s testimony was not to determine with certainty whether he was lying, but rather to identify recurring patterns of stress that are associated with deception and correlate them to the topics of conversation.

Mueller did a great job obfuscating the report details, but the large volume of high quality video and audio in his testimony made it possible to analyze the session and find anomalies and various patterns that could provide insight into his mindset.

In this project just as in several of my previous posts (1, 2, 3), I used AI based video analytics, text, and speech analysis platforms. These included:

For the text/speech, I used a hybrid approach to word and phrase speech pattern analysis. The textual analysis evaluated these types of speech categories:

  • I-words (I, Me, My, I’m)
  • Social words
  • Positive emotions
  • Negative emotions
  • Cognitive processes
  • Analytic reasoning
  • Clout
  • Authenticity
  • Emotional tone

For the video analytics, I established Mueller’s facial and other video objects baseline using several on-line sources and the main testimony video. The baseline cataloging included his unique facial expressions such as Microexpressions and other visually detectable actions like use of hand gesture, hand related activities, head motion, mouth movement, gaze, etc.

Microexpressions
Image 2: Sampling of Mueller’s Microexpressions such as (L-R): loathing/anger, surprise, fear, happiness

Sampling of Mueller’s Body Mechanics
Image 3: Sampling of Mueller’s body dynamics as related to left hand usage

Following the creation of a facial baseline catalog, I proceeded with the ML training using his unique data sets for non-facial activity such as paging through the report folder, eye blink rate, gaze, etc.

Sample of Training Sets for Paging Detection
Image 4: Sampling of image set used to train the machine learning (ML) to identify Mueller flipping pages through his report folders 

After the training was completed, I ran the first 15 minutes of Mueller’s testimony through the engine and searched for objects known to the classifier, such as him ‘reading the report’.

Mueller Reading the Report
Image 5: Sample search results of instances of Mueller looking at the report

I noted the detections and examined several thousand video frames prior to, during, and after the detections to capture the actual ground truth. The visual search results of the 15 minute video segment correlated to within an 83% match rate against the baseline catalog created with the ML training set. I then used the missed detections to re-train the ML and repeated this cycle several times on random video segments of his testimony until the match rate stabilized at about 94%.

In addition to creating a catalog of Mueller’s microexpressions I also created a library of sequences of his composite facial expressions. These sequences were close consecutively spaced combinations of microexpressions and other body activity that were 0.5-3.5 seconds long. One example for these types of composite expressions was eye flutter combined with ‘lip twitching’ or some other mouth movement.

In this sequence, Mueller typically stared at the speaker while his bottom lip would involuntarily twitch or quiver several times or his lips would tighten; he would then break eye contact with the speaker and rotate his head downwards, recompose, then bring his head upwards and re-establish eye contact with the speaker.

Mueller-Hard-Break
Image 6: Sample of a typical Mueller sequence showing mouth activity and breaking eye contact with the speaker. The context here is Rep Jim Jordan’s asking Mueller to confirm if Joseph Mifsud was interviewed, did he lie, and is he Russian or Western Intelligence

Once I completed calibrating Mueller’s video object catalog and the library of sequential expressions, I conducted searches for facial anomalies. Anomalies are defined as any variations from his standard single image or sequence patterns, such as unusual cycles of head, eye, or mouth movements.

For example, based on his standard detection for “blinking”, Mueller’s blinking interval baseline was established to be 3–7 seconds with a blinking duration of approximately 1/10th-1/3rd of a second (see Images 7-8).

Mueller’s Natural Blink Cycle
Image 7: Sample of one baseline feature in Mueller’s visual object catalog showing his normal blink pattern.

Sample of Training Sets for Blinking Detection
Image 8: Sample detections of Mueller’s normal blinking pattern throughout his testimony. Mueller’s blinking follows a pattern of a full single closure of the eyelid at a 3-7 second interval

Any blinking variation from this baseline generated an anomaly that was then evaluated manually before being certified as a new pattern of interest. This exception was then further evaluated in the context of the topic of conversation and the microexpressions involved.

One such anomaly was associated with Mueller’s unusual blinking pattern. On closer examination, it turned out that what on the surface appeared to be unusual blinking was in fact a recurring cycle of rapid flutter of the eyelids. This unusual sequence was also at times accompanied by certain head, tongue, and lip movements.

After mapping this ‘Flutter Cycle’ to the topic that was being discussed at the time of the event, it became clear that this was some sort of involuntary display of distress and/or fear. It was so prevalent that it could even be used to predict what questions were being discussed.

Some of the subjects that triggered this ‘Flutter Cycle’ were: 

  • DOJ and FBI media leaks
  • Christopher Steele, the dossier and its funding sources
  • Fusion GPS and its work with the DNC, HRC, and foreign governments
  • Glen Simpson and Natalia Veselnitskaya
  • The meeting at the Trump Tower
  • Informants and surveillance (i.e. Mifsud, Downer, Halper, etc.)
  • The FISA warrants
  • DOJ and FBI leaks

Mueller Seizer Cycle
Image 9: An illustration of Mueller’s typical Flutter Cycle.

The Flutter Cycle sequence was characterized by 2-5 rapid flutters of the eyelids and an upward eye roll, head, mouth, and accompanying tongue movements. This Flutter Cycle sequence seen in the left side of the collection in Image 10 (also, see 1:26:00 in the video) corresponds to questions by Rep Steve Chabot of Mueller’s investigation of the relationship between Glen Simpson, Natalia Veselnitskaya, and the latter’s visit to Trump Tower.
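The blink baseline above (3-7 seconds between blinks, 1/10-1/3 second per blink) and the 2-5 rapid closures that define a Flutter Cycle can be screened for mechanically once a classifier has labelled each frame as eyes-open or eyes-closed. The following is an added example and not the author’s pipeline; it assumes a 30 fps frame signal, a 0.5 second grouping gap for rapid closures, and constructed eye-state and question-segment data, all of which are assumptions labelled in the code.

```python
"""Blink-baseline anomaly screen for a per-frame eye-state signal.

Added example, not the author's pipeline. Assumes an upstream eye-state
classifier has already labelled each video frame as eyes-closed or not.
Baseline numbers are the ones the text states: 3-7 s between blinks,
1/10-1/3 s per blink; a Flutter Cycle is a run of rapid closures.
"""
from dataclasses import dataclass
from typing import List, Tuple

FPS = 30                          # assumed frame rate of the testimony video
BASELINE_INTERVAL = (3.0, 7.0)    # seconds between blinks (from the text)
BASELINE_DURATION = (0.10, 0.34)  # seconds a blink lasts (1/10 to 1/3 s)
FLUTTER_MAX_GAP = 0.5             # assumption: closures this close form one flutter cycle


@dataclass
class Closure:
    """One eyelid closure, in seconds from the start of the clip."""
    start: float
    end: float

    @property
    def duration(self) -> float:
        return self.end - self.start


def closures_from_frames(closed: List[bool], fps: int = FPS) -> List[Closure]:
    """Run-length encode a per-frame eyes-closed signal into closure events."""
    events: List[Closure] = []
    start = None
    for i, is_closed in enumerate(closed):
        if is_closed and start is None:
            start = i
        elif not is_closed and start is not None:
            events.append(Closure(start / fps, i / fps))
            start = None
    if start is not None:                      # clip ends with the eyes closed
        events.append(Closure(start / fps, len(closed) / fps))
    return events


def group_flutters(events: List[Closure]) -> List[List[Closure]]:
    """Cluster closures that follow each other within FLUTTER_MAX_GAP."""
    groups: List[List[Closure]] = []
    for ev in events:
        if groups and ev.start - groups[-1][-1].end <= FLUTTER_MAX_GAP:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups


def screen(events: List[Closure]) -> List[Tuple[str, float]]:
    """Flag deviations from the blink baseline as (kind, time-in-seconds)."""
    anomalies: List[Tuple[str, float]] = []
    groups = group_flutters(events)
    for g in groups:
        if len(g) >= 2:                        # rapid repeated closures
            anomalies.append(("flutter_cycle", g[0].start))
        elif not BASELINE_DURATION[0] <= g[0].duration <= BASELINE_DURATION[1]:
            anomalies.append(("abnormal_duration", g[0].start))
    # Inter-blink interval: gap between the end of one group and the start of the next.
    for prev, nxt in zip(groups, groups[1:]):
        gap = nxt[0].start - prev[-1].end
        if gap < BASELINE_INTERVAL[0]:
            anomalies.append(("short_interval", nxt[0].start))
        elif gap > BASELINE_INTERVAL[1]:
            anomalies.append(("blinkless_stare", prev[-1].end))
    return sorted(anomalies, key=lambda a: a[1])


def attribute(anomalies, segments):
    """Tag each anomaly with the question segment (start, end, topic) it falls in."""
    tagged = []
    for kind, t in anomalies:
        topic = next((s[2] for s in segments if s[0] <= t < s[1]), "unassigned")
        tagged.append((kind, t, topic))
    return tagged


def synth_frames(spans: List[Tuple[float, float]], total: float, fps: int = FPS) -> List[bool]:
    """Constructed test signal: eyes closed during each (start, end) span."""
    frames = [False] * round(total * fps)
    for s, e in spans:
        for i in range(round(s * fps), round(e * fps)):
            frames[i] = True
    return frames


# Constructed 28-second clip: two normal blinks, a three-closure flutter cycle,
# a normal blink, an 8.8 s blinkless stare, then an abnormally long 0.8 s closure.
SAMPLE = synth_frames(
    [(1.0, 1.2), (5.0, 5.2),
     (9.0, 9.1), (9.2, 9.3), (9.4, 9.5),
     (13.0, 13.2), (22.0, 22.2), (26.0, 26.8)],
    total=28.0,
)
# Constructed question segments (seconds, topic) standing in for the hearing timeline.
SEGMENTS = [(0.0, 8.0, "opening statement"),
            (8.0, 20.0, "Steele dossier funding"),
            (20.0, 28.0, "Trump Tower meeting")]

if __name__ == "__main__":
    for kind, t, topic in attribute(screen(closures_from_frames(SAMPLE)), SEGMENTS):
        print(f"{t:6.2f}s  {kind:18s}  during: {topic}")
```

Anything the screen flags is only a candidate: as the text notes, each exception still has to be reviewed manually against the topic and the microexpressions before it counts as a pattern of interest.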

The same type of events were observed during other pointed inquiries, such as Rep Louie Gohmert’s challenging Mueller’s credibility due to his refusal to answer basic questions (see 1:33:30 in the video).

Image 10: (L-R) A sampling of three anomalies: a complex facial flutter, lip twitching, and a simple eye flutter sequence

Several other interesting anomalies that turned out to be repeating patterns in Mueller’s facial expression and composite sequences were:

  • Lip Twitching – Associated with microexpressions such as fear and surprise
  • Downward Head Nodding – Associated with a defensive posture that was triggered by breaking eye contact with the speaker
  • Flattened Mouth or Lips – Associated with signs of frustration, as in ‘I want to answer this question, but I really shouldn’t’
  • Prolonged Blinkless Stare – Associated with an angry and combative response to some questions

Sampling of Mueller’s “Flutter Cycle” Events
Image 11: Samples of Mueller’s dozens of “flutter cycle” episodes during the Q&A

The Jolly Affable Mueller
Not all of Mueller’s testimony was marked by doom and gloom. On a number of occasions (mostly when talking to Democratic representatives), he showed himself to be charming, in high spirits, engaged, and animated. Mueller had no inhibitions about making remarks regarding the report’s failure to exonerate Trump and the possibility of prosecuting Trump after he left office. He freely cited legal sources and DOJ procedures and protocols and provided detailed rationale for his team’s actions and conclusions.

Mueller Fun and Jokes
Image 12: The suave, charming, engaged, and animated Mueller in action

Mueller’s predictable patterns of distress were almost always associated with ‘difficult’ questions on topics such as the role of Fusion GPS, spying on Trump, and Christopher Steele. Images 13 and 14 show typical triggering events of Flutter Cycles.

Mueller and Martha Roby-2
Image 13: Samples of Mueller’s Flutter Cycle episodes during Q&A session dealing with him leaking report details to the media

Mueller and Martha Roby
Image 14: Sample of Mueller’s Flutter Cycle episodes during Q&A session dealing with separating the grand jury materials from the report

Analysis Results
Mueller’s body language and facial sentiment analysis shows high levels of discomfort and tension when discussing certain parts of the report. He exhibited many facial signs of distress that included:

  • Multiple Flutter cycles
  • Mouth quivering cycles
  • Self-soothing and fidgeting behavior
  • Sudden breaking of eye contact
  • Rapid downward head movement
  • Hard swallowing
  • Tightening of the mouth and lips

I didn’t have a baseline for incidents where Mueller was being untruthful so I can’t explicitly call out potential incidents of lying during his testimony. However, the baseline of his normal conversational dynamics vs. the ones he exhibited show signs of clear distress which strongly suggest that at least from Mueller’s perspective, not all questions were equal and not all of his answers were factual.

Mueller’s distress patterns consistently overlapped with certain trigger topics, and his verbal response to almost all of these interactions was a variation on “I’m not going to…”. He deviated from this pattern only a handful of times and actively engaged the questioner. One of these back alley knife fight sessions involved Rep Ben Cline stating that Andrew Weissmann was running a rogue investigation that was based on a flawed legal theory that was overturned unanimously by the Supreme Court.

As the question was being asked, Mueller became defensive; he shifted uncomfortably in his chair, exhibited his Flutter Cycle, and replaced his poker face and laconic I-word response pattern with a passionate and verbose defense of Weissmann (see 3:19:40 in the video or sound file below). 

Mueller-Hard-Shifting
Image 15: Sample of one of Mueller’s distress patterns that includes his Flutter Cycle and uneasy shifting in his seat

Recording 1: Exchange between Rep Cline and Mueller about Weissmann’s legal foundation for his obstruction of justice investigation

During this segment, which lasted about two minutes, Mueller argued, spoke over Cline, and attempted several times to repeat his assertions about Weissmann. This continued even after the subject of the questions changed to Obama’s culpability in obstruction of justice when he announced publicly that the HRC private email server did not pose any threat to national security. Mueller, without much difficulty, exhibited a decent mastery of the report’s content, cited specific areas in it that included the “lengthy discussion” and “lengthy dissertation”, and in general tried to rehabilitate himself and his team.

Conclusion
The overwhelming majority of Mueller’s testimony failed to illuminate any of the big questions about the DNC email hack, the genesis of the Steele Dossier, the DNC/Fusion GPS relationship with Russian state actors, and the 2016 surveillance on the Trump campaign. In fact, his answers raised even more questions about the real power behind the throne and R&R within the special counsel team.

If it is indeed the case, as Mueller confirmed in multiple answers, that no single individual on his vast team had intimate familiarity with the whole report, then who compiled the final version of the document? Was this just a collation of multiple taskforce reports that were later combined into a single master? And if that is the case, who was the person that harmonized all the individual versions in order to make sure that the index, format, dates, people, places, redactions, and events were in sync?

Aaron Zebley
Image 16: The Special Counsel Team and testimony attendees

It is noteworthy that Mueller continued to play the I-phrase card and refused to address any of the procedural questions about the compilation of the report, even though this information had little bearing on the report’s content and there is nothing classified or proprietary about the way the DOJ writes and edits its documents.

Robert Mueller shows his card
Image 17: Mueller’s Trump Card

Even though Mueller attempted to obfuscate the report’s composition methods and authors, the writing style, document layout, context, and several other administrative clues strongly suggest that Andrew Weissmann was the architect and Aaron Zebley was chief editor of the document. This is also likely the reason why Mueller insisted that Zebley be present by his side and be sworn in.

The evidence from the video analytics, speech dynamics, and the decision tree Mueller used to answer the questions (i.e. question objective vs. answer strategy) shows a decent mental agility and the ability to alternate between complete ‘radio silence’ and ‘singing like a canary’ on demand.

To those who still believe that Mueller was just a senile old man with little familiarity with the content of the report, consider the fact that his verbose answers show that he had a pretty good grasp of the document. He also artfully navigated the many minefields in the report without blowing up a leg in the process. Some experts in the MSM have been suggesting that Mueller’s poor verbal performance and optics can be attributed to some form of cognitive impairment, but this argument is inconsistent with his ability to effectively deliver the following:

  • Selectively discuss specific topics, most of which were prejudicial towards Trump
  • Answer questions that almost exclusively supported the impeachment narrative with certainty and conviction
  • Justify and emphasize specific areas in the report that exonerated his team from claims of bias towards Trump and instances of hostile conduct by FBI senior management and its agents (i.e. Comey, Strzok, Page, agent 2, and others)
  • Utilize the “I’m not going to…” strategy to answer any questions about the “insurance policy”
  • Refuse to address the media leaks that either came from him personally, his direct reports, or his team
  • Exhibit great mental agility and dexterity during the May 29th, 2019 Mueller news conference
  • Come up with over 198 different ways of not answering a direct question

The patterns identified by the analytics strongly suggest that all of Mueller’s behavioral stress patterns matched the typical anxiety profiles and signs of internal struggle that are exhibited by a deceptive suspect during an interrogation. For the first time in his long bureaucratic career, he found himself on the wrong side of the table with the bright lights in his face and a real possibility of being charged with perjury. For several hours, the fearless hunter became the prey, and he clearly didn’t like the experience.

Contextually, the majority of his testimony turned out to be an underhanded attempt to use the Q&A session to justify, promote, and surreptitiously inject political narrative into the public hearing. None of this should come as a surprise as it is the same circular “impeach Trump” agenda that launched this investigation in the first place. At the end of the day, despite Mueller’s big title and god-like pedigree, he turned out to be just another DC power broker who apparently placed his bets on the losing presidential candidate.

Sample Report Pages
Image 18: Two pages (a total of 856 words) from the Mueller report dealing with George Papadopoulos being told by Joseph Mifsud about the Russians having “Dirt” on HRC.

Mueller’s elaborate 448 page report that took close to two years to complete, cost over 25 million dollars (that’s about $51K per page), involved 19 lawyers, 23 legal researchers, 40 FBI agents, 10 intelligence analysts, 7 forensic accountants, 25 other professional staff, and the unlimited resources of the DOJ, the State department, NSA, and the intelligence community, delivered an indefensible dud.

Reading the report, you can’t help but stop and appreciate the authors’ Kafkaesque sense of humor. In the example pages shown in Image 18, the report discusses the chain of transmission of the Russian “Dirt” from Joseph Mifsud, to Papadopoulos, to a mysterious western diplomat (Alexander Downer) who then informed the FBI, which naturally became alarmed and started this massive investigation. On the face of it, the document looks solid. It has all of the right trimmings: detailed claims, a massive number of footnotes, intelligence lingo, hush-hush sources, and strategic redactions with alarming labels like “Harm to ongoing matter”. It is as convincing as a quality levitation magic act.

But, magic acts of levitating people are always predicated on the audience viewing the scene from a distance and through a carefully controlled field of view–which is exactly what the Mueller report and testimony turned out to be. It doesn’t work if you get a glimpse of the crane and the wires supporting the magician. Once you understand the mechanics of the magic, the awe gives way to a letdown.

You can test this premise by substituting the report with any good magic act and Mueller with any successful magician. Any question you ask the magician about the inner workings of his trick would be deflected using the exact same techniques Mueller used during his testimony. The most important rule in magic is to NEVER tell the secret of the trick; just let the magic speak for itself.

The Mueller Levitation Magic
Image 19: The incredible levitating magic act

What is ostensibly missing from these two magical pages in Image 18 is that the source of the “Dirt” was none other than Stefan Halper, a paid FBI informant who billed the Federal Government (using DUNS # 078459148) about $656,535 for his services. By the time you factor in Halper and his harem of young female assistants, Mifsud and his life of luxury at his safe house, Downer’s expenses, and at least 11 other IC, CI, and State Department assets that supported Halper in fattening Papadopoulos before he was shish-ka-bobbed by Bob, the cost of these two pages to the US taxpayer was probably upwards of a million dollars. So, to those of you who still think that majoring in contemporary English fiction won’t pay the bills, it clearly can! After all, what other line of work pays $1168 per word?

Stefan Halper Payment
Image 20: Stefan Halper’s government payment record for services provided to the DoD and DOJ from 2016-2018

Summum bonum
I have difficulty finding solace in Mueller’s bragging about the higher good from his recovery of about $40 million from the Paul Manafort persecution. I’m also not sure if we should laugh or cry about the concept of the DOJ becoming a profit center. The problem with the DOJ acting as a collection agency that recovers the cost of prosecution from its targets is the political nature of selecting the next victim. Each one of us, including the Honorable Mr. Mueller, has something in his past, present, or future that warrants jail time and property seizure. With over 3000 federal and thousands more state laws on the books, we are all guilty of some misdemeanor or felony. Who in the DOJ, then, gets to make the decisions about whom to persecute, why, and what the ultimate greater good is? Is it going to be one of the dozens of high-powered attorneys who regularly walk through the DOJ revolving doors to personally enrich themselves by constantly hopping between government gigs and private practice?

The problem with the whole Manafort affair is this: if he was so thoroughly corrupt in 2007, why didn’t Mueller investigate him earlier, during his 11-year tenure as the director of the FBI? Why did he wait until 2018 to bring these charges:

“…crimes arising out of payments he received from the Ukrainian government before and during the tenure of President Viktor Yanukovych.”

After all, the DOJ, FBI, and the IC had a supersized file on Manafort going back to 2007, so why wait for all these years?

Yanukovych Mueller and Manafort
Image 21: The Triumvirate or Threesome (depending on your view)

Mark Twain once wrote that:

“Anybody can tell lies: there is no merit in a mere lie, [for a good deceit] it must possess art, it must exhibit a splendid & plausible & convincing probability; that is to say, it must be powerfully calculated to deceive.” 

Mueller’s report doesn’t come close to Twain’s definition of deceptive genius, but it does have a certain kitschy, synthetic Disneyland feel to it. In many ways it’s similar to another secretive report, the Protocols of the Elders of Zion. Both share the same conspiratorial elements: treachery, mysterious meetings, made-up events and agendas, secret societies, informants, and intrigue.

All of this hush-hush secret agent man stuff in the report seems very mysterious, but at its core, it’s really a simple criminal matter. If you’ve ever been a juror on a criminal trial, you should be familiar with the routine. If you haven’t, it goes as follows:

  • The prosecution and the defense present their case with an opening statement
  • Both show evidence and present witnesses
  • Both cross-examine witnesses 
  • Each side delivers their closing arguments
  • The jury goes into deliberation and comes up with a verdict

Any normal criminal trial in the US follows the Federal Rules of Evidence: there is no such thing as secret testimony that can’t be verified or evidence that can’t be shown to the jury. If the DA doesn’t want to expose his sources/methods, then they get excluded from trial. If witnesses can’t be cross-examined, their testimony is inadmissible. It’s as simple as that. And all of this procedural stuff doesn’t even address the issues with Mueller whitewashing the existence of several rogue and biased agents/attorneys on his own team.

Gowdy vs. FBI
Image 22: Rep. Gowdy and DOJ IG Horowitz Q&A session regarding Peter Strzok’s and Lisa Page’s involvement in the Mueller and HRC Email investigations

So, no, I wouldn’t classify Mueller’s report as a deceptive masterpiece, I would rather categorize it as more of a ‘true story’ type of a tale, blunderingly delivered by a DC swamp-raised shrimp.

The Little Shrimp from DC

The True Story
It’s true…
It’s true and the other thing is
my sister had a baby
and I took it over because she passed away.

and then the baby lost its legs and its arms
and now it’s nothing but a stump
but I still take care of it with my wife
and it’s growing and it’s fairly happy.

But it’s difficult ’cause I’ve been working
a second shift at the factory to put food on the table,
but all the love I see in that little
guy’s face makes it worth it in the end.

True story!

References
The Mueller Testimony: Full Transcript
The Mueller Report: Full Report
Human Resource Exploitation Training: Interrogation Manual

Toris, C., & DePaulo, B. M. (1984): Effects of actual deception and suspiciousness of deception on interpersonal perceptions

Frank, M. G. (1997): The ability to detect deceit

Analytical thinking: The analytical thinking algorithm was based on the results from a series of studies by Pennebaker, Chung, Frazee, Lavergne, and Beaver (2014).

Clout: Clout refers to the relative social status, confidence, or leadership that people display through their writing or talking. The algorithm was based on the results from a series of studies by Kacewicz, Pennebaker, Davis, Jeon, & Graesser (2013).

Authenticity: The algorithm for authenticity detection was based on a series of studies where people were induced to be honest and deceptive. See Newman, Pennebaker, Berry, & Richards (2003) and Textual Models of Deception to Interrogation Settings.

Emotional tone: The positive emotion and negative emotion tone algorithms were based on the results from a study by Cohn, Mehl, & Pennebaker (2004). See Linguistic Markers of Psychological State through Media Interviews: John Kerry and John Edwards in 2004, Al Gore in 2000.

Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

It’s All About Climate Change, Man!

Satyricon 2019

This year’s Google Camp will be hosting a summit with the biggest names in show biz, politics, high-tech, music, and fashion. It will include notables such as former President Obama, Leonardo DiCaprio, Prince Harry, Orlando Bloom, Harry Styles, Bradley Cooper, Nick Jonas, Priyanka Chopra, Gayle King, Mark Zuckerberg, Diane von Furstenberg, Katy Perry, and many others.

The event is taking place at the 5-star Verdure resort in Sicily. Due to the high prestige and number of guests, the hotel is fully booked, and room prices start at $930 per night.

The all-expenses-paid, three-day event hosted by Google, will cost about $20 million which comes to about $33K per person, per day. The estimated 120-200 participants will discuss urgent global issues such as on-line user data privacy, freedom of speech, and global warming. The main focus of the event will be climate change, which, according to several of the attending subject-matter experts is the biggest threat to the world and our future generations.

The guests will be arriving at the event over the next 12 hours in 116 private jets and the world’s largest private megayachts. The estimated combined carbon footprint output from the resort activity and travel to and from the three-day event will be equivalent to the yearly carbon production of over 900K US households.

A Flight and a Dinner
Image 1: A dinner and a show at the Temple of Hera and private jets delivering the summit attendees

In the spirit of openness, Google went the extra mile to keep all resort activity a secret—all support, hotel, and security staff signed restrictive non-disclosure agreements prohibiting them from discussing or taking any images of the events and participants.

And yes, as the video analytics reveals, the environmentally-conscious guests are using plastic straws for sipping their very expensive, Google sponsored cocktails.

It's All About the Climate Man
Image 2: The Carbon footprint of David Geffen and Katy Perry, two of the over 140 Google climate change summit attendees

But WAIT! What did I just hear? Google doesn’t get its 260-400 million watts of energy (2-4 percent of the world’s electricity) from unicorn powered wind farms and eco-friendly solar panels? And it’s responsible for 1.5-3 million metric tons of carbon dioxide emissions every year, which is about 20%-40% of the internet carbon footprint?

I’m Shocked, SHOCKED To Find There’s Gambling in the Casino!

To the legions of the woke, if you haven’t caught up yet, you are looking at corporate greed incarnate. Where environmental disasters like the BP Deepwater Horizon or Union Carbide/Dow Bhopal were terrible but isolated events that could be attributed to human error or gross negligence, Google’s entire business model is based on a carefully executed global human and environmental exploitation.

Aren’t you a bit curious how it is that social media giants the likes of Google, Twitter, and Facebook spend hundreds of millions of dollars on software development and hardware, pay astronomical electric bills for their worldwide datacenter operations, and still make billions in profit–all while offering these services for ‘free’?

At the end of the day, this whole climate change summit thingy is just a cynical PR move to hide the fact that Google can’t burn fossil fuel fast enough to power its worldwide data center expansion–data centers which since 2016 have been working overtime to promote fake news via their ad-sense cash cow, while at the same time destroying whatever little is left of privacy and suppressing free speech.

You can also group all of the rest of the progressive campaigns and slogans with the climate rhetoric. It doesn’t really matter if it’s ‘Beef is Murder’ or some other trendy gimmick. You can be certain that if it looks good, tastes good, or feels good, most of the celebrity role models are doing/having it on a wholesale scale.

Leonardo DiCaprio and Beef
Image 3: Leonardo DiCaprio, who is campaigning to reduce beef consumption, enjoying a beef dish, steak, roast beef, and a Spaghetti Bolognese

So next time the likes of Google or a celebrity tell you just how important climate change is (or give you any moral advice) and ask you to donate to their foundation, tell them that you are open to learning more about it over dinner at an all-expense-paid outing on their private jet or megayacht.

References:

–  XRVision Sentinel AI Platform – Face recognition, image reconstruction, and object detection
–  Green private jets? Don’t make me laugh
–  Daily emissions of cruise ships same as one million cars
–  Google accounts for about 40% of the internet’s carbon footprint
–  Google isn’t actually tackling ‘fake news’ content on its ad network
–  The more outrageous, the better: How ad-sense makes money for fake news sites

Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

Uncovering the Dark Secrets of Dubious Software Startups

Yaacov Apelbaum-Lavitation API and Bridge for Sale

Maybe you are thinking about buying a new technology platform or investing in a software startup. Following industry practices, you will likely conduct some form of due diligence before you make your big move. This may include interviewing members of the management, technology and finance teams. You may also conduct operational audits, review sales figures, talk to customers, and check for references.

All advisable but in the end, you will still be left with a certain amount of nagging doubt. After all, how do you really know what this company’s true technology abilities are? How can you tell with a high degree of certainty that you are not buying the Brooklyn Bridge equivalent of some useless/over-hyped software? In today’s frenzied Internet of Things, mobile and Big Data buzz-ridden world, sometimes it seems as if the sky is the limit. To the uninitiated, it is exceedingly difficult to tell the difference between a solid early stage software idea and a useless concept professing to be the next big, anti-gravity SaaS solution.

I know. You are probably asking yourself: how difficult can it be? After all, there are numerous simplified due diligence guides that answer questions like:

  • Does the company really own its supposed product?
  • Is the technology integrated/constructed in the right way?
  • Can their technology scale?

Unfortunately, when you are evaluating a technology potential, you may find that the answers to such questions are fuzzy and not always easily discernable. So before you make your investment decision based on some generic checklist, you may want to consider the following tale about the rise and fall of a flying super hero in tights.

In 2010, following the meteoric success of the Spider-Man movie franchise—which grossed over $2.5 billion worldwide—a stage adaptation entitled “Spider-Man: Turn Off the Dark” arrived on Broadway. The investors spared neither expenses nor talent in pouring over $75 million into the production in hopes of recreating the movie magic and revenue.

To stay true to Spider-Man’s legacy, the play executed some complex aerobatic sequences and flight scenes across the stage. These stunts quickly gained notoriety as the show became plagued by accidents.

Some of the more noteworthy injuries included:

  • Stunt double Kevin Aubin broke both wrists when he was catapulted from one end of the stage to the other
  • Brandon Rubendall broke a toe that same month doing the same stunt as Aubin
  • Natalie Mendoza, who played villain Arachne, suffered a concussion when she was struck in the head with a piece of equipment
  • Carpio, Mendoza’s replacement, suffered a neck injury after a battle scene with Spider-Man
  • Stuntman Christopher Tierney fell 30 feet into the orchestra pit suffering a fractured skull, a fractured shoulder blade, four broken ribs, and three broken vertebrae
  • Daniel Curry, a stunt double, got his right foot stuck in a stage lift and then a trapdoor closed on the foot, breaking the foot and both of his legs, necessitating amputations

Yaacov Apelbaum - Spiderman fall

This reads more like an account from the trenches of Verdun than a Broadway musical. Despite the carnage, the performances went on with regular venue changes and constant retooling of the storyline and musical score.

Even negative press reviews such as the “Pigs Will Fly Before Spider-Man Recoups $65 Million Costs” could not stop the show.

Finally last month, the producers announced that they plan to end the production in January 2014, the main reasons being falling ticket sales and—not surprisingly—the inability to get injury insurance for the cast.

In the end, the show will have run for over three years and will have lost an estimated $60 million.

So, what went wrong? Why did life fail to imitate art? It seems that on the live stage, the same stunts that were so easy to achieve in virtual CGI failed miserably when ported to the physical world. Why wasn’t it obvious from the start that the Spider-Man storyline could only work in the pages of comics and on the silver screen?

The investors behind the Broadway adaptation were seasoned entertainment entrepreneurs. Before committing funds to the project, they conducted their due diligence and found the venture to be worthy. Yet over a period of 3 years and despite watching repeating cycles of misfortune, they failed to pull the plug. Apparently, hope springs eternal—at least in the investor’s breast. Sometimes, even though red flags may be staring you right in the face, you can still miss all of the warning signs.

Yaacov Apelbaum - Spiderman flying / Glen Southern - Fat Spiderman

Image 1: Spider-Man Planned vs. Actual

Over the years, I have conducted due diligence on various software partnerships, acquisitions, and investment opportunities. It turns out that questions like: ‘how scalable/portable is this solution?’, or ‘how valuable is the code?’ are not only difficult to answer but often irrelevant.

Yaacov Apelbaum - Dehydrated Water

And just like in the example of the Spider-Man fiasco, even seasoned professionals can fall victim to a well-rehearsed pitch presented by a charismatic team of snake oil salesmen who can sell you dehydrated water without even blinking.

In many ways, evaluating an investment opportunity in software is like a game of cat and mouse. Your evaluation will involve constant pursuit, near captures, and repeated escapes. You will have to sift through piles of partial facts, exaggerations, and in some cases even deliberate misinformation.

This is to be expected. No cause for alarm though. Here is a three-phase approach to conducting due diligence effective enough to help strip the thin veneer of pretense so that you can get deeper insight into how your potential acquisition functions and what its possible soft spots are.

Phase-1
Before you start probing any soft spots, though, you will need to get the regular DD action items out of the way. Conduct some background research and get intel on the following:

  • Litigation (are the company and/or its principals in court for any reason?)
  • Costs to operate the business for the next 12 months based on the current burn rate
  • 3rd party licenses and vendor agreements (both, in terms of income and expense)
  • Customer base, future growth projections, and teaming agreements
  • Forecasted capital investments (what are the costs of boarding one new customer?)

Phase-2
Now that you have the basics you can proceed to look for chinks in the armor. Schedule some face time with the technology team, including: security, architects, operations, IT, development, QA, etc. It is important that you conduct both group and personal interviews with these individuals because the group dynamics will affect the detail and quality of the answers you get.

The topics that I find to be the most illuminating include:

Management Pedigree – Find out if the leadership team has prior successful entrepreneurial experience. Take the time to check them out on-line before meeting them face to face. (LinkedIn is a great source for this.) Each technical leader should have at least five to seven years of “specific and proven” experience in the areas that the company is trying to innovate (i.e. cyber security, analytics, etc.). Having general practitioners without deep domain experience will dramatically decrease the chances of their success because they will have to learn on the job, which will undoubtedly be time consuming and error prone.

Also, look into the tenure of the key members on the technical team. Has the CTO or VP of engineering been with the company from the get go?  Is there rapid turnover in any of these key positions? A revolving door syndrome could be an indication that the company failed to mature their technology and is trying to bridge the gap by searching for “the one” who will save them from impending doom—a strategy which rarely works.

The Buzz Factor – Check out the industry buzz about the company, the segment in which the company operates, and the competitive landscape. See if they are covered by reputable media sources or if they have won any competitions or awards. A common strategy that some startups use is to make PR releases or pay for favorable coverage. Independent coverage is a good sign that the company is legit and is getting traction. When reading feature articles about the company, look for ranking. Many publications will provide a listing of the top leaders in the domain. If your company is not in the top list and is just being mentioned using language similar to “also active in this space is…”, this could be a sign that they paid the publisher just to get into print.

Team Makeup – In software, more so than in most other engineering disciplines, the human factor and the work environment are critical to success. A salt mine culture and a dysfunctional team are indications that the company will perform poorly. When evaluating the team, inquire about the FTE to contractor ratio. A heavy offshore presence could be an indication that the company is a façade, with the bulk of the architecture, development, and engineering work being done offsite/offshore by some outsourced firm. This could be a problem if you are under the impression that you are investing in domestic IP and human capital.

Work Culture – The work culture is a good indicator of how functional the organization is. Find out if they are burning the midnight oil every day and if so, why? Are they fixing bugs? Trying to catch-up on backlog features?  Working long hours in a startup is the norm, but doing it for long periods of time could be an indication that they have not yet found their stride. Ask questions like: “What do you love and hate about the company?” or “If you could change three things, what would they be?”

Compensation – This may not be obvious but compensation can teach you a lot about how well the company is doing. Working in a startup requires some financial tradeoffs but the compensation for the technical team should be within/above the standard industry pay rates. The company should not run like a charity. Did the team get their bonuses last year? Missed yearly bonuses and compensation that is low on cash and high in stock options should raise red flags about how well the company is doing.

Phase-3
Now that you have your finger on the pulse of the organization you are ready to separate the wheat from chaff by identifying the most important takeaways about your target company.

As you complete the two previous DD phases, you will most likely discover that not all of the representations made to you were correct, nor were your original assumptions. The objective of this last exercise is to draw a critical line in the sand that if crossed will result in your walking away from the deal.

The following is my list of eight key assumptions that must pass validation:

1. Platform stability – This covers production metrics such as up-time, downtime, maintenance windows, and signed SLAs. The solution must have a published SLA and a historical record of past system shutdowns. All systems go down for one reason or another. It’s important that you understand how frequently their system/sub-systems bounce and what the reasons are. The need to babysit the system 24X7 or having a large IT to development ratio can be an indication that the solution is on constant life support.

2. Ease of deployability – This covers questions such as hosting (cloud based vs. hosted), provisioning, and the mechanisms for deployment of new customers and users. When it comes to creating new customer environments, look for manual steps used for copying code, configuring/populating databases, and the usage of scripts to create work regions. Clearly, any manual process for setting up and boarding customers, or the need to manually manipulate the back-end, is a big no-no.

3. Solution scalability – This covers questions regarding the number of current transactions per customer, number of customers, daily feed sizes, batch processing schedules, daily feed timeline, and core processing windows. Pay close attention to storage, processing, clustering, and load balancing. Look for obvious signs that the solution will not scale. For example, if the company plans to double its customer base in 12 months, they should already have in place the infrastructure to support such growth. Very few organizations are capable of simultaneously galloping and changing horses mid-stream by making significant alterations to their storage and load balancing architecture.

4. Maintainability – This covers questions such as production release readiness, customer reporting, and bug tracking. Regardless of how young the company is and their appetite for technology debt, they need to have functional configuration management, change control, and monitoring capabilities. This doesn’t mean that it’s either HP OpenView or bust. To achieve monitoring, open source tools like Nagios will do. Regardless of the tool, they need to have something in place that is integrated into their solution. Without such controls, they will be flying in the dark, which almost certainly will adversely impact their customers.

5. Disaster recovery, business continuity planning, and availability – This covers questions like how and if the company will recover from various disaster scenarios. What happens if they lose a customer database or the records of important transactions? Is this data being backed up daily? Have they ever attempted to recover from backups? If the company is providing financial services or uses big data, find out how they back up sensitive information such as PCI data and the terabytes of records on their HDFS.

6. Sophistication of intellectual property – This covers questions regarding the robustness of the algorithms, the structure of the data models, the coupling of the various tiers, the utilization of new and cutting edge frameworks (e.g. big data components like CPE, queues, plug-ins like R, etc.), and how well everything is mashed together. Remember, just because they use cloud storage/hosting or Hadoop doesn’t mean that their solution can achieve their business objectives or even successfully process large amounts of data.

7. Support for internationalization – This covers questions regarding multi-lingual support, localization, redundant hosting and customer support that follows the sun. Very few startups will be able to fully support internationalization.  If you are planning to offer this solution as part of your international portfolio of products, you will need real internationalization that goes beyond the skin deep ability to customize logos and labels.  Just like in the case of scalability question, if the functionality is not there now, it will require a significant development effort downstream.

8. Security and privacy – This covers questions regarding authentication, anonymization, encryption, sensitive data storage, data retention, compliance with PCI, FFIEC, etc. Security, due to its nature, is viewed almost universally as overhead and an afterthought. If the platform you are evaluating needs to run silent and deep in hostile waters, you need to make sure that areas such as intrusion detection/prevention, access controls, malware/firewall management, and auditing are up to snuff. Look for up-to-date security policies, records of ongoing security audits (SAS 70, CISA, etc.), vulnerability assessment reviews, and penetration tests. If the company has no such records on file, this can be a strong indication of poor security planning, which is a ticking liability time bomb.

General Considerations During Your Due Diligence
My primary indicator of readiness and prospect for success is the number of customers that currently use the software. Obviously these numbers may vary with the type of the solution, but if your investment target has a steady and growing customer base, they have at least survived the valley of death and are for real. When evaluating the customer base, look for active accounts that use the system regularly. In many startups, the customers are often made up of relatives/friends and pilot users; although these types of accounts are important for testing, they have little commercial value.

Remember, in the end, it doesn’t matter how compelling the business case may seem, what great technologies they have, or how modular their solution architecture is, without a real customer base, it’s a risky gamble.

A secondary indicator is that of the team and organization. Are you just buying the software, the team, or the entire package? If you are only interested in the IP, then you will need to identify and secure the architects, lead developers, and core technical team in order to assimilate the technology. On the other hand, if you want the product, then you will need to ensure that the organizational structure will be maintained. This is not an easy thing to do, as often many core team members will cash in their chips and move on to pursue other opportunities after the sale of the company.

A third indicator is that of Intellectual Property. You need to carefully address IP questions and determine who owns it, where the inventions come from, who was exposed to the inventions, what are the rights of the FTE/contractors to these ideas, and if there are any invention disclosure forms or patent filings in place.

An in-depth evaluation of the architecture through a code review of the key algorithms, data structures, and frameworks that form the secret sauce should help answer most of these questions. It is important that you conduct this discovery hands-on by reviewing code and metrics such as code quality, code complexity, and unit test coverage. This is the only way for you to ensure that the magic is real.

Summary
Executing an effective technology due diligence is more of an art than a science because each software solution you evaluate is unique. Many early and mid stage startups need to trade off between delivering basic business value and developing a fully mature, prime time ready platform. These competing factors make it hard to determine with certainty if a solution has the potential to evolve into a commercial success or if it is just being held together with chicken wire and chewing gum.

It is important to approach each discovery phase with a set of simple objectives that are critical for a favorable evaluation of the overall solution. This way, during the evaluation of each key assumption, you will be able to clearly identify the main decision gates and confidently make a go/no-go determination.

© Copyright 2014 Yaacov Apelbaum. All Rights Reserved.

On Privatizing Intelligence Gathering

Yaacov Apelbaum - F18 Instrument Panel Facebook Twitter and YouTube

Much has been said about the military’s effort to incorporate social media platforms into its arsenal of weapons.

Over the past two years, there have been several detailed reports claiming that the armed forces are engaging in large scale social media manipulation initiatives. In his article “Military’s ‘persona’ software cost millions, used for ‘classified social media activities’”, Stephen Webster provides details about a contract issued by the USAF to develop software that will allow it to create, manage, and operate an army of sock puppets worldwide. In a different article, “US Military Caught Manipulating Social Media, Running Mass Propaganda Accounts”, Anthony Gucciardi describes how this is done.

The fact that the military is using SN manipulation tools to fight the war is laudable. It’s about time they started using non conventional solutions to carry the war into the back alley Internet cafes where virtual battlefields of radicalization are raging.

The national defense agencies, which are among the most technical and professional organizations out there, are self-conscious about the pros and cons of dabbling with SN. The USAF social media guide illustrates these concerns. It offers a detailed analysis and operational recommendations for engaging in SN activity. For example, the global media information flow is shown in the following diagram:

Diagram: USAF social media distribution

In another section, the “guidelines to assist Airmen in engaging online conversations” offers a list of the following dos and don’ts:

No Classified Info
Do not post classified or sensitive information (for example, troop movement, force size, weapons details, etc.). If in doubt, talk to your supervisor or security manager.

Replace Error with fact Not Argument
When you see misrepresentations made about the Air Force in social media, you may certainly use your blog, theirs, or someone else’s to point out the error. Always do so with respect and with the facts. When you speak to someone with an adversarial position, make sure that what you say is factual and is not disparaging. Avoid arguments.

Admit Mistakes
Be the first to respond to your own mistakes. If you make an error, be up front about your mistake and correct it quickly. If you choose to modify an earlier post, make it clear that you have done so (such as by using the strikethrough function).

Use Your Best Judgment
Remember there are always consequences to what you write. If you’re still unsure, and the post is about the Air Force, discuss your proposed post with your supervisor. Ultimately, however, you have sole responsibility for what you choose to post to your blog.

Avoid The Offensive
Do not post any defamatory, libelous, vulgar, obscene, abusive, profane, threatening, racially and ethnically hateful, or otherwise offensive or illegal information or material.

Avoid Copyright
Do not post any information or other material protected by copyright without the permission of the copyright owner. Also, consider using a Creative Commons license to protect your own work (see http://creativecommons.org for details).

Trademarks - Don’t Breach
Do not use any words, logos or other marks that would infringe upon the trademark, service mark, certification mark, or other intellectual property rights of the owners of such marks without the permission of such owners.

Don’t Violate Privacy
Do not post any information that would infringe upon the proprietary, privacy or personal rights of others.

Avoid Endorsements
Do not use the Air Force name to endorse or promote products, opinions or causes.

No Impersonations
Do not forge or otherwise manipulate identifiers in your post in an attempt to disguise, impersonate or otherwise misrepresent your identity or affiliation with any other person or entity.

Use Disclaimers
Identify to readers of a personal social media site or post that the views you express are yours alone and that they do not necessarily reflect the views of the Air Force. Use a disclaimer such as: “The postings on this site are my own and don’t necessarily represent Air Force positions, strategies or opinions.”

Stay In Your Lane
Discussing issues related to your AFSC or personal experiences is acceptable but do not discuss areas of expertise for which you have no background or knowledge.

Considering the fact that SN bridges numerous EULA and jurisdictional boundaries, it’s likely that these tools will end up violating some privacy laws. But with that having been said, I also have the utmost faith in the military’s ability to regulate and control itself. Between the office of the inspector general, the Uniform Code of Military Justice, and the clear constitutional limitations imposed on the military’s ability to operate on US soil, I think that there are enough checks and balances to prevent wide scale domestic Orwellian style abuse of this technology.

So, what seems to be the problem? Well, the biggest issue is that parts of the SM intelligence collection, monitoring, and analysis are no longer being carried out by the military/three letter government agencies. Rather, it’s being conducted by a horde of private intelligence firms. Some of these include: Palantir, Stratfor, HBGary Federal, Berico Technologies, Endgame Systems, and Booz Allen Hamilton which recently gained notoriety thanks to Edward Snowden’s mega leaks.

A better insight into the functioning of this rent-an-intelligence world of shadows can be gleaned from the hack by LulzSec. In 2010, the group successfully breached the private intelligence firm HBGary/HBGary Federal. The hack captured over 75,000 e-mails. It revealed the close cooperation between large commercial firms such as Bank of America and various government agencies. For example, it showed that BoA solicited the Department of Justice for help regarding possible disclosure by WikiLeaks. The Department of Justice then referred BoA to the political lobby firm Hunton and Williams, which in turn connected the bank with a group of information security ‘fixers’ known as Team Themis.

Team Themis—a group made up of HBGary Federal and the intelligence firms Palantir Technologies (named after Saruman’s seeing stone in J. R. R. Tolkien’s Lord of the Rings), Berico Technologies, and Endgame Systems—was consulted regarding ways to destroy the credibility of WikiLeaks and Glenn Greenwald, a Salon.com reporter who wrote favorably about WikiLeaks. The strategy sought to “sabotage or discredit the opposing organization” and even included a plan to submit fake leaked documents and then call out the error.

Interestingly, some of the leaked documents contained Palantir’s and HBGary’s PowerPoint decks and e-mails which detailed various Machiavellian schemes. A notable example was the strategy for destroying the credibility of Glenn Greenwald.

Images: Palantir presentation slides about Glenn Greenwald and WikiLeaks

Even more troubling were plans to use malicious software to hack into computers owned by the opponents and their families. The e-mails show a proposal to develop and use “custom malware” and “zero day” exploits to gain control of a target’s computer network in order to snoop their files, delete content, monitor keystrokes, and manipulate websites.

Image: HBGary exploit development services

In one e-mail, Matthew Steckman, a 27-year-old Palantir employee who was central to the Themis operations, boasted:

We are the best money can buy! Damn it feels good to be a gangsta.

It turns out that Palantir, in addition to living the “gangsta” lifestyle to the fullest, was also shooting ‘sideways’ at its competitors by allegedly misappropriating IP by fraudulent means and conducting domestic industrial espionage.

The bizarre story revolves around Shyam Sankar, Palantir’s Director of Forward Deployed Engineering. He allegedly represented himself as a principal of SRS Enterprises, a straw company registered in Florida under the names of his parents, and through it he and his brother fraudulently obtained i2’s competing software and used it to design Palantir’s products.

Image 1: i2 Civil Action Against Palantir

Image 2: Company registration details for SRS

Image 3: Shyam Sankar

I don’t know if any of these allegations are true because the case was settled just before going to trial, but if even some of the details are correct, this is the stuff that spy novels are made of.

I’m not sure what I find more outrageous in this case: Palantir’s complete disregard for the law or their nonchalant gangster attitude.

I have no problem rationalizing the military’s proposal to carefully use software like MetalGear to conduct “classified blogging activities on foreign-language Web sites to enable CENTCOM to counter violent extremist and enemy propaganda outside the U.S.”, but Palantir and HBGary were proposing to use such technologies wholesale on US soil for subversive (and most likely illegal) corporate and financial gain.

Several months after the attack against HBGary Federal, Anonymous hacked into another private intelligence firm Stratfor. They released a stash of about five million e-mails which provided deep insight into how the private security/intelligence companies view themselves vis-a-vis government agencies like the C.I.A. and F.B.I.

In one e-mail to his employees, Stratfor’s chairman arrogantly dismisses the C.I.A.’s capabilities. He writes:

From: George Friedman [mailto:gfriedman@stratfor.com]
Sent: Wednesday, December 29, 2004 9:13 AM
To: analysts@stratfor.com; exec@stratfor.com
Subject: CIA head of analysis fired

Jamie Miscik, Deputy Director of Intelligence at the CIA was fired today. As
DDI, she ran the analytic shop. According to media reports, she was fired
for squandering resources on day to day reports while ignoring the broad
trends. In other words, she was fired for looking at the trees and being
unable to see the forest. She was also accused of spending too much time
updating policy makers and too little time trying to grasp the broad
trends–giving customers what they wanted instead of what they needed. In
the end, it was her customers that turned on her.
My charge against her was and remains that she took no pride in her craft
and turned intelligence into PR and shoddy process. She and her gang are now
history.

This gives Stratfor an enormous, historic opportunity. The CIA model of
analysis has been invalidated. The ponderous, process driven machine that
could only manage the small things now needs to be replaced by a robust,
visionary, courageous analytic system. Stratfor has the opportunity to show
the way. In fact, we are showing the way. Everyone in Langley knows that we
do things they have never been able to do with a small fraction of their
resources. They have always asked how we did it. We can now show them and
maybe they can learn.

Reading this statement makes you wonder how the C.I.A. has ever managed all these years without Stratfor’s robust, visionary, and courageous guidance.

Stratfor also illustrated their ability to collect deep intelligence by conducting private surveillance on US soil of protesters in the Occupy Austin movement. To achieve this, one of their agents went undercover and joined an Occupy Austin meeting in order to gain insight into how the group operated.

Yet another e-mail reveals their ability to gain access to secret government documents. Fred Burton, the Stratfor vice president for Intelligence, told one corporate client: “The F.B.I. has a classified investigation [that may be of interest and]…I’ll see what I can uncover.” In a similar e-mail, he claims to have access to top secret materials captured during the raid on the OBL [Osama Bin Laden] compound and goes as far as offering a Q&A session regarding its contents:

From: Fred Burton
To: Secure List
Subject: OBL take — quick response needed
Sent: May 12, 2011 15:25

I can get access to the materials seized from the OBL safe house.
What are the top (not 45) questions we want addressed?

Sean Noonan
Tactical Analyst
Office: +1 512-279-9479
Mobile: +1 512-758-5967
Strategic Forecasting, Inc.
www.stratfor.com

Now, I could understand if Stratfor were offering supplementary intel to various government agencies, but the ironic implication here is that they are siphoning classified information from the government and handing it over to their corporate clients.

Indeed, as Morpheus stated, “Fate, it seems, is not without its sense of irony.” Stratfor, the organization that prided itself on teaching the C.I.A. a thing or two about security and intelligence gathering, got pwned through the most benign means.

When you read the details of the Stratfor and HBGary exploits, you can’t help but scratch your head in amazement. For example:

The HBGary website fell to a simple SQL injection. The site didn’t scrub or sanitize any requests. This allowed the attackers to quickly retrieve the site’s user IDs and passwords.

With a user ID and password in their possession, they downloaded the entire user database. Next, they proceeded to crack it. Had the password database been properly protected, they would have gotten nowhere, but again, poor security design enabled them to retrieve all the passwords. It turns out that the HBGary Federal database stored passwords as simple MD5 hashes. To overcome this, the attackers used readily available rainbow tables.

After getting the passwords of two of HBGary’s executives, Aaron Barr and Ted Vera, they discovered that the passwords consisted of only eight characters: six lower-case letters and two numbers. With the user ID and password details of the two executives, the attackers found out that this pair reused their passwords in multiple applications, including e-mail accounts, LinkedIn (see below), Twitter, and a customer-facing server. So now Anonymous was able to access their e-mails too.
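The two defects just described (request values pasted straight into SQL, and unsalted MD5 password storage, which is what rainbow tables presuppose), each beside a hardened version, as an added example written for this page rather than HBGary's code or the attackers' tooling; the user names, passwords and table layout are constructed samples.

```python
"""Added example (not from the original post): the HBGary-style defects
described above beside their fixes, on an in-memory SQLite database.
User names, passwords and the table layout are constructed samples."""
import hashlib
import hmac
import os
import sqlite3


def md5_store(password):
    # Weak: deterministic, unsalted and fast. Every user with the same
    # password gets the same digest, and a precomputed table maps it back.
    return hashlib.md5(password.encode()).hexdigest()


def build_demo_db():
    """Constructed users table, stored the weak way (unsalted MD5)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", md5_store("abcdef12")),
                      ("bob", md5_store("qwerty99"))])
    return conn


def lookup_user_unsafe(conn, username):
    # Vulnerable: the request value is spliced into the SQL text, so a quote
    # in the input changes the query itself instead of being matched as data.
    sql = "SELECT username, pw FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    # Fixed: the value is bound as a parameter and is never parsed as SQL.
    sql = "SELECT username, pw FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def precomputed_table(candidates):
    # Stand-in for a rainbow table: digest -> password for a candidate list.
    # A real table uses hash chains, but the lesson for the defender is the
    # same: an unsalted digest can be looked up instead of guessed.
    return {md5_store(p): p for p in candidates}


def pbkdf2_store(password, salt=None, iterations=200_000):
    # Stronger: random per-user salt plus an iterated KDF. The salt defeats
    # precomputation; the iteration count slows down every guess.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so the check does not leak where it differs.
    return hmac.compare_digest(dk.hex(), dk_hex)


def keyspace_six_lower_two_digits():
    # Size of the password pattern the post describes (six lower-case letters
    # and two digits), assuming the letters come first; allowing the digits
    # anywhere in the eight positions multiplies this by 28. Either way it is
    # small enough that a fast unsalted hash offers no real protection.
    return 26 ** 6 * 10 ** 2


if __name__ == "__main__":
    db = build_demo_db()
    print("unsafe lookup rows:", len(lookup_user_unsafe(db, "x' OR '1'='1")))
    print("safe lookup rows:", len(lookup_user_safe(db, "x' OR '1'='1")))
    table = precomputed_table(["password", "abcdef12", "letmein"])
    print("md5 recovered:", table.get(lookup_user_safe(db, "alice")[0][1]))
    print("pbkdf2 record:", pbkdf2_store("abcdef12"))
    print("keyspace:", keyspace_six_lower_two_digits())
```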

Image 4: Aaron Barr’s 2013 defaced LinkedIn page

Image 5: Aaron Barr’s 2014 updated LinkedIn pages (note the stripped personal details and the recommendation by Pulkit Kapila from Booz Allen Hamilton)

Image 6: Aaron Barr’s 2018 LinkedIn page

The accounts on the support server belonged to ordinary users but the system wasn’t patched against a privilege elevation attack. Now, with administrative access and due to the fact that one of the executives was also the administrator of the entire e-mail system, Anonymous gained full control of all HBGary Federal e-mail accounts. Using this vulnerability, they gained access to the account of another executive, Greg Hoglund, where they found an e-mail containing the root password for the entire site.

Anonymous had a root password but couldn’t access the site server from outside the firewall. They needed to log in as a standard user and then switch to root.

To achieve this, they used a simple social engineering ploy. Using Greg Hoglund’s account, they contacted an administrator who had root access to the server. Through an e-mail exchange, they said that they had a problem logging in to the server and convinced the root admin to reset Greg’s password and also reveal his username, the two pieces of information they needed to complete their exploit and gain access to the Stratfor list of customers and their credit card files, which, interestingly enough, were kept in a plain text file.

This wasn’t unique to HBGary or Stratfor. In all hacking cases involving private security or intelligence companies, the analysis of the attack shows that it was executed via the most rudimentary methods. No Mission Impossible scenarios took place; the root cause was just your common, run-of-the-mill information security negligence and incompetence.

Time and time again, these von Wallenstein style wannabe spies have proven themselves to be a legal and an ethical liability. Case in point: regardless of their patriotic pitch and public assertions of lofty ideals such as “solve the most important problems for the world’s most important institutions”, most of these individuals and companies are bottom feeders who are in it just for a fistful of dollars and narcissistic bragging rights. From the various e-mails disclosed, it’s obvious that they have no qualms about conducting criminal influence operations against their customers’ political opponents and their families on US soil.

Image 6: Aaron Barr as a Secret Service Agent and other personas

The complete lack of moral scruples from guns for hire, like Aaron Barr, who engaged in the worst type of for-pay defamation doesn’t seem to change with time. Barr—after scrubbing his on-line persona several times—resurfaces in 2015 as a progressive, environmentally friendly activist this time dedicated to promoting Russian collusion theories, climate change awareness, and bemoaning the loss of on-line privacy.

Image 7: Aaron Barr, the champion of transparency and a crusader against WikiLeaks

Regardless of how attractive privatizing national security may seem at the moment, ultimately national intelligence should be managed by military and career civil servants who report to elected officials, who in turn should have specific term limits. True, this may not be the best way; after all, J. Edgar Hoover managed to abuse the process throughout the terms of six different presidents. But in the end, the system does self-correct. It has been doing that now for over two hundred years.

© Copyright 2013 Yaacov Apelbaum. All Rights Reserved.

Ripping Off Google


My wife is a potter. She conducts most of her glazedOver pottery business on-line. Over the past 2 years, she has incrementally leveraged social networks to supplement her regular marketing and advertising efforts and she has progressively built-up a large following of loyal customers and a network of peer artists. She will tell you that without a doubt, a focused Internet advertising campaign translates instantly to higher site traffic and sales.

Clearly, an important component in successfully operating a small on-line craft business is to leverage social and professional networks and to tactfully promote your product. One way to do this is by paying a service to expose your store. Another, more organic method, is to form a guild that promotes the interests of a group of related artists via blogs and other publications. High traffic sites like these typically contain interviews, product reviews, giveaways, and links to member shops.

The Internet barons the likes of Google and Microsoft are aware of the relationship between traffic and revenue, and so they court high volume sites to host advertising content.  One of the most popular on-line money making schemes (eclipsed only by Nigerian get rich quick 4XX offers) is the Google AdSense program. With programs like AdSense, you place sponsored advertisements on your blog and Google then delivers specialized content based on your site classification. The premise of this model is that if you have a high traffic site, you will most likely generate product or service sales for the ad sponsor. The more clicks, the more you make.

Google obviously requires that the sponsor of the AdSense campaign operates a legitimate website or blog. Their definition of what is deceptive or manipulative behavior is quite specific as you can see from their guidelines:

Quality guidelines
Make pages primarily for users, not for search engines. Don’t deceive your users or present different content to search engines than you display to users, which is commonly referred to as “cloaking.”

Avoid tricks intended to improve search engine rankings. A good rule of thumb is whether you’d feel comfortable explaining what you’ve done to a website that competes with you. Another useful test is to ask, “Does this help my users? Would I do this if search engines didn’t exist?”

  • Avoid hidden text or hidden links.
  • Don’t use cloaking or sneaky redirects.
  • Don’t send automated queries to Google.
  • Don’t load pages with irrelevant keywords.
  • Don’t create multiple pages, subdomains, or domains with substantially duplicate content.
  • Avoid “doorway” pages created just for search engines, or other “cookie cutter” approaches such as affiliate programs with little or no original content.

If your site participates in an affiliate program, make sure that your site adds value. Provide unique and relevant content that gives users a reason to visit your site first.

Hosting Google adware has both its fans and its critics. Some users abstain from the practice on the grounds that it cheapens and waters down their brand (akin to placing a 30 foot billboard on your Victorian mansion), but many other popular blogs and websites do it enthusiastically, and they make some decent $$$ in the process.

It seems that if necessity is the mother of invention, then revenue from high Internet traffic is the father of the con. Site-sponsored advertising has now become so popular that many enterprising individuals and organizations are running large campaigns for site scams known as MFA (made for AdSense). These scraper sites are siphoning millions of dollars from the likes of Google.

The scam is ingenious and requires dedicated resources and some technical skill (like purchasing domains and manipulating content). I discovered this several days ago after my wife told me that someone was showcasing her pottery work on their site without crediting her. She first came upon it when she noticed an interesting pottery link in her Twitter feed and asked me to have a look. After clicking on the link, I was routed to a site called VisionPottery.com. At first, the site looked legit; just another average blog dedicated to hand crafted goods.

Images: Twitter feed, article, other site pages, and domain ownership information

The blog was designed reasonably well. The cover article, titled “Folk Art Craft-From the past”, featured a set of my wife’s pottery bowls. I scanned the article for a link to her shop (assuming that the author had used her work as an illustration), but found neither links nor credits.

When I checked the properties of the actual image, I was surprised to discover that it was hosted on their server and not linked to her site in any way (clearly, a copyright violation). I figured that the next best thing would be to read the article more carefully. The essay turned out to be laced with numerous grammatical errors and its contents made little sense.

Massive grammatical incoherencies smack of either human or machine altered text, so I performed a quick on-line search and located the original essay in “Articlebase.com”.

I diffed both essays and confirmed that the article hosted on VisionPottery.com was in fact a plagiarized version.

A textual analysis of the content revealed that the changes were purely based on a simple word substitution technique where one word, for example “America”, is replaced by another, such as “United States”. It is clear that the plagiarizer’s objective was not to ‘lift’ the ideas from the article. Rather, it was an attempt to prevent search engines from identifying and tagging the content as duplicate and thus to improve their SEO (search engine optimization). This was also confirmed by the fact that the name of the original author could be found at the bottom of the plagiarized text.
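The word-level diff described above, as an added example written for this page (not the author's own tooling): it compares an original essay against a suspected rewrite and reports the one-for-one substitutions, so a scraper copy stands out from a genuine rewrite. Both texts are short constructed samples.

```python
"""Added example (not from the original post): word-level comparison of an
original essay against a suspected rewrite, to surface the short one-for-one
substitutions that a synonym-swap copy leaves behind. Texts are constructed."""
import difflib
import re

# Constructed sample: a few sentences and a "spun" copy of them.
ORIGINAL = ("Folk art pottery in America grew out of everyday need. "
            "Potters made bowls and jugs for their neighbors, and the "
            "decoration was simple because the work had to be cheap.")
SUSPECT = ("Folk art pottery in the United States grew out of everyday need. "
           "Potters created bowls and jugs for their neighbours, and the "
           "decoration was simple because the work had to be inexpensive.")


def tokens(text):
    """Lower-cased word tokens; punctuation is dropped so only wording counts."""
    return re.findall(r"[a-z']+", text.lower())


def substitution_profile(original, suspect):
    """Return the similarity ratio and the list of (original, replacement)
    word runs that differ. Long runs mean real rewriting; runs of one to three
    words are the signature of a word-substitution copy."""
    a, b = tokens(original), tokens(suspect)
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    subs = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "replace":
            subs.append((" ".join(a[i1:i2]), " ".join(b[j1:j2])))
        elif tag == "insert":
            subs.append(("", " ".join(b[j1:j2])))
        elif tag == "delete":
            subs.append((" ".join(a[i1:i2]), ""))
    return {"similarity": round(sm.ratio(), 3), "substitutions": subs}


def classify(profile, min_similarity=0.7, max_run=3):
    """Label the pair: a spun copy keeps the sentence skeleton (high
    similarity) and only swaps short word runs. Thresholds are constructed."""
    subs = profile["substitutions"]
    short = all(max(len(o.split()), len(n.split())) <= max_run for o, n in subs)
    if profile["similarity"] >= min_similarity and short:
        return "word-substitution rewrite"
    if profile["similarity"] >= min_similarity:
        return "partial rewrite"
    return "different text"


if __name__ == "__main__":
    prof = substitution_profile(ORIGINAL, SUSPECT)
    print(prof["similarity"], classify(prof))
    for old, new in prof["substitutions"]:
        print("  %r -> %r" % (old, new))
```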

An examination of the site structure revealed that it was built with a combination of machine generated scripts (many still contained the default WordPress template settings) and manual customization (logos and UI elements). The content, on the other hand, was managed by human ‘adaptors’ who took existing materials and resources from various on-line locations and altered them to create the appearance of an original composition, all for the sole purpose of scoring better search engine visibility.

Checking the VisionPottery.com domain registration shed some additional light on its modus operandi. The site is registered to Beverly Butler of Emerald Enterprise LLC; Beverly proudly advertises herself as the owner of the same on LinkedIn. As it happens, the server hosting her VisionPottery site also hosts many other parasitic marketing sites that operate along the same lines. Interestingly, the plagiarized version of the essay in which my wife’s bowls were found was also used verbatim by several other sites hosted on this machine and registered to different owners.

A quick estimate (based on a sampling of the domains hosted on one server) suggests that there are potentially tens of thousands of sites that engage in this type of activity, each making upwards of $150 a month. Clearly, this is a well coordinated and thriving criminal enterprise. It also turns out that there are hundreds of thriving franchises that, for as low as 79.95, will provide you with ten ready AdSense sites (you also get a starter kit, a centralized dashboard to manage your growing Internet empire, and even a spamming pipeline into relevant Twitter feeds). A major sales pitch for these offers is the promise of “Passive-Residual” income, which is defined by one developer of such sites as:

“… a steady stream of income that you have to do nothing at all to maintain, once you have established it. Passive-Residual Income is the ONLY income that gives you the freedom to come and go as you please, on your own schedule, while working at home or in your spare time.”

If you think that this is business as usual on the lawless Internet, think again. This type of conduct severely impacts all of us, from content creators whose work is stolen and diluted, to service providers like Google who lose millions in revenue, and all the way down to the average end user who gets spammed.

And yes, VisionPottery.com does have a copyright notice at the bottom of their web page, after all, they are only trying to protect their IP from other unscrupulous marketing entrepreneurs. Can you blame them?

 

© Copyright 2010 Yaacov Apelbaum All Rights Reserved.

The Anti-Virus Virus


Several weeks ago, my wife was searching online for the words to one of Shel Silverstein’s poems.  With the Internet within closer reach than the bookshelf in our den, she went to Google and typed in the key words “shel silverstein pancakes,”  and within 0.32 seconds got several matching results (Image 1).

Image 1: Google Search Results

She clicked on one of the top results on the first search page and almost instantly got prompted by a message box (Image 2) indicating something to the effect that her computer contained various signs of viruses and immediately needed to be examined.  It then offered an option to perform a security scan.

Image 2: Infection Warning

We keep our OS well patched and the anti malware software up to date, so she decided to decline the offer and clicked on the cancel button.  The message box went away but then another screen popped up telling her that her system was being scanned for viruses.  Thinking that she may have clicked the OK button instead by mistake, she waited for the scan results.

Image 3: Infection Warning

When the scan was complete (within 15 seconds or so), she was informed that her computer indeed had been infected with several nasty viruses (Image 3) and that she would need to download and install the offered security program in order to remove these viruses (Image 4).

Image 4: Malware Download Dialog Box

At that point, she realized that the malware itself was communicating with her and trying to install itself on her machine. She clicked the Cancel button in the dialog box, but instead of terminating the installation, she was taken back to the first message box, which told her again that her computer contained various signs of viruses and needed to be examined. Essentially, she was trapped in a loop, unable to close the browser. After another round of scans and cancellations, she decided to bring up the Task Manager and terminate the process from there.

Several days later during dinner, she happened to mention her run-in with the malware and I made a sly comment that these are the rewards we reap for hanging around dubious websites.  She took offense. “Dubious web sites?” she said, mocking me, “this was the fourth entry on the first search results page of Google. How ‘dubious’ can that be?”

I found it hard to believe that the writers of the malware were clever enough to sneak by the Google filters and make it to the top of the first search results page. I executed the same search she had done just a day earlier. My search results were almost identical, but ironically her malware link had by then moved a step upwards in relevance.

Instead of clicking on the link, I copied its URL and went directly to the website (Image 5).

Image 5: Actual page with download link and keywords

The web site turned out to be a newsgroup called derkeiler.com, which is one of the most popular and most heavily advertised mailing list archives on the net. Looking closer at the page, I found the following:

  1. At the top was the bold title “SHEL SILVERSTEIN”
  2. Below the title was a bogus poster name in the format of name@xxxxxxxxx.com
  3. Next was a link which activated the malware download script.
  4. Finally at the bottom of the page was an extensive list of hundreds of keywords that were associated with the works of Shel Silverstein.

I looked at the parent directory page and found a long list of dated directories (Image 6).

Image 6: Parent Directory (note heavy commercial advertising)

Each one of these directories contained dozens of linked entries. After randomly clicking on about 30 links, I determined that most of them were identical to the Shel Silverstein page (Image 5) in terms of content, layout and malware activation functionality.  I checked out several other public newsgroups and “personal” web sites to compare. It appeared as if indeed there was a method to this madness.

Image 6: Sample directory contents with links to malware download

So what does it all mean? Well, the modus operandi seems to be as follows:

  1. The creators of the malware install the program on a large number of personal websites (some have been breached and others are dedicated). One example is Rosuto Samurai which was allegedly created to support fantasy gaming but in reality never had any content beside the malware.
  2. They then proceed to automatically create hundreds of highly popular topic pages (i.e.  Ipod, Shel Silverstein, movies, etc.) in newsgroups and mailing lists, each of which contains a link to the malware download website.
  3. Each of the pages also includes a large list of keywords (generated by some machine learning process) that are associated with the topic.  The purpose of the keyword list is to increase the radar signature for the search engine spiders.
  4. The search engines find these individual topic pages, traverse the keyword list and algorithmically determine that all the words are related.  They also see the hyperlinks and postings on each page (which makes them appear like miniature websites) and as a result assign them a top rating—which to the user, translates as top hits in topic search results.

The outcome of this strategy is cheap and effective SEO penetration and viral dissemination of viral contents (no pun intended) via top search results.
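An added example, not code from the original post: a Python scorer that applies two heuristics drawn from the pattern just described (a body that is mostly a machine-generated keyword list, and links to executable downloads hosted on another site) to a constructed sample page. The thresholds, file extensions and host names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the topic-page pattern described above (not a real page from the
# site discussed): a thin post, a link to an executable on another host, and a huge keyword list.
SAMPLE_PAGE = ("<html><body><h1>Shel Silverstein poems</h1>"
               "<p>Download the complete collection here: "
               "<a href=\"http://rosuto-samurai.example/files/poems.exe\">click to get it</a></p>"
               "<div class=\"keywords\">" + " ".join(f"silverstein{i}" for i in range(300)) +
               "</div></body></html>")

# Extensions treated as "download" links (assumption).
DOWNLOAD_EXT = (".exe", ".scr", ".msi", ".zip", ".rar")

class _Extractor(HTMLParser):
    """Collects every href and all visible text from a page."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)
    def handle_data(self, data):
        self.text.append(data)

def score_seo_poison(html, page_host):
    """Return (score, reasons) for one page. Two heuristics from the pattern above:
    a body that is mostly a flat list of distinct terms (machine-generated keyword list),
    and links to executable downloads hosted on another site. Thresholds are assumptions."""
    p = _Extractor()
    p.feed(html)
    words = re.findall(r"[a-z0-9]+", " ".join(p.text).lower())
    reasons = []
    # Prose repeats function words; a keyword list is almost entirely distinct tokens.
    if len(words) > 100 and len(set(words)) / len(words) > 0.8:
        reasons.append(f"keyword stuffing: {len(set(words))} distinct of {len(words)} words")
    offsite = [u for u in p.links
               if urlparse(u).path.lower().endswith(DOWNLOAD_EXT)
               and urlparse(u).hostname not in (None, page_host)]
    if offsite:
        reasons.append(f"off-site executable download links: {offsite}")
    return len(reasons), reasons
```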

Another interesting observation—which is not without its irony—is that large vendors such as Microsoft are completely unaware of this practice and are aggressively purchasing advertising space on these sites (including ads for their security products). Clearly, this is being done without the realization that they are actually sharing living space with some of the most aggressive malware distribution centers.

Stay tuned: in a future posting we will dive deeper to see who is actually developing and marketing this malware.

Quis Custodiet Ipsos Custodes?


© Copyright 2010 Yaacov Apelbaum All Rights Reserved.

Windows Live Credit Card Phishing


I recently received an email claiming to be from Microsoft Live. The email stated that due to some processing issues, they could not authorize my credit card, and so I would need to log in to their website to update my credit card information by clicking on their link.

Over the years, I have seen a number of these types of messages, but this was the first one targeting me personally. After skimming through it, I realized that it was a blatant phishing attempt; nevertheless, I still marveled at the ingenuity of the scammers.


Billing and Account Management

Dear Windows Live Hotmail member,
During our regularly scheduled account maintenance and verification procedures, our billing department was unable to authorize your current payment method information.

This might be due to either of the following reasons:

A recent change in your personal information (i.e. change of address, credit card)

Submitting invalid information during the initial Sign Up or upgrade process.

An inability to accurately verify your selected payment method information due to an internal error within our processors.
Please use the following link to update your payment method information :

http://billing.microsoft.com/logon.srf?action=SignIn&reason=auth&type=auto&uid=187&acct=49472101102

The above link may have been blocked for your privacy. To activate the link please look for the Show content link that is usually located on top of this message.

NOTE! If your account information is not updated within 48 hours then your ability to use your Windows Live Hotmail account will become restricted.

Thank you for using Windows Live Hotmail!
Please do not reply to this e-mail, as this is an unmonitored alias.


  © 2009 Microsoft Corporation. All rights reserved.

For the uninitiated, phishing (pronounced “fishing”) is a fraudulent attempt to acquire sensitive information from a user. Such information can be: credit cards, user IDs, passwords, and/or account information. It is often accomplished via email or phone.

Phishing falls into the category of exploits known as “social engineering”. Even though these attacks are mostly low tech (requiring neither sophisticated technology nor advanced programming), they can be successful (especially the well-executed and novel ones) because most people instinctively tend to do what they are told and will not challenge the authority and authenticity of what appears to be official correspondence.

In a typical phishing scenario, the perpetrators (usually located offshore) send a simple email claiming to be from the customer service department of a recognizable organization (a bank, an on-line service, etc.). The email informs you of some problem with your account, and you are then instructed to provide details of your bank, email, or credit card account in order to correct it.

Even though phishing exploits have many variations, they can be grouped into the following five usage scenarios:

  1. Forged identities — In this exploit, the attacker creates an email address that appears to be related to a reputable organization like “Windows Live Customer Support”. Even though on the surface the address looks legitimate (as in billing@windowslive.com), it is not. If you’re not paying attention, it is easy to mistake a message like this for a genuine customer support request.
  2. Compromised accounts — In this exploit, the attacker uses a compromised user account to send an email to everyone in that account’s address book. An email received from a known account dramatically increases the credibility of the message, and therefore the likelihood of a successful phishing attack.
  3. Direct phone calls — In this exploit, the scammer contacts you directly by phone, claiming to work for some financial institution (perhaps offering to lower your interest rates) or for a fraud investigation department. They will inform you that your account has been breached and ask you directly for your account details in order to “verify” it.
  4. Bogus websites — In this exploit, the attacker sends you a link to what seems to be a functional website. The site includes official-looking logos, language, or other identifying information taken directly from legitimate websites. The address of the site resembles the name of a reputable company but with some spelling variation. For example, the name “microsoft.live.com” could appear instead as “micorsoft.live.com”.
  5. Social network harvesting — In this exploit, a communication from a scammer asks you for personal information. You may mistake it for an email from a friend wanting to reconnect, because it includes convincing details about your personal life that were harvested from social networks such as LinkedIn, Facebook, etc.

In general, the objective of phishing is to recover your webmail credentials, since the resale value of a legitimate webmail account on the black market can be as high as $2-$3—twice the amount a stolen credit card number fetches. So for a phisher, breaching several dozen accounts a day can be a lucrative business, making $100K-$500K over the life of the scam.

In the case of my phishing email, when I followed the link in it, I was taken to a credit card entry form (Image 1). As I expected, the form looked genuine: it had all the right corporate trimmings, including a Microsoft logo, a copyright notice, and even a link to a help page (which ironically offered the following advice: “You should keep this number secret, protect it, and never write it on your card.”)

Image 1: Phishing Credit Card Entry Form

As with most phishing sites, I was expecting to find some bogus or misspelled Microsoft URL, but instead I was surprised to see that the web address of the webpage actually belonged to a company called Human & Technology (H&T) (Image 2); clearly, htech21.com doesn’t even sound like Microsoft. I checked the parent URL and it turns out that this company was at one point a legitimate Korean hardware manufacturer; then, two years ago, their CEO was arrested and the company became the target of one of the biggest class-action lawsuits in history.

So what is the connection between htech21.com and this phishing expedition? It appears that the perpetrators of this scam decided to cut some costs: instead of purchasing and hosting their own domain, they chose to break into the H&T corporate web site and place their credit card collection pages on it. At some point, our scammers discovered that Human & Technology had gone out of business (this could also have been an inside job) and safely assumed that this orphaned website (which has not been updated for 3 years) was no longer being maintained or monitored, and as such was a perfect staging platform for a phishing operation.

It is also interesting to note that the site’s help file focuses on ATMs (Automated Teller Machines), which strongly suggests that at least some of the phishing website contents have also been used in other scams.


Image 2: Phishing Host Website

It is hard to distinguish legitimate customer service communications from phishing expeditions. This difficulty is further compounded by the fact that for many, using services such as Amazon, eBay, and e-banking has become a way of life. For most users, the potential inconvenience of being locked out of their favorite on-line services outweighs the risk of disclosing their account information. Unfortunately, the on-line services are not helping this situation either, because most are either impossible to reach by phone or their offshore support centers are largely useless.

So how does one survive in the hostile jungle of email exploits? The following are my top 10 Do’s and Don’ts of email:

  • Do Not open emails that have a wrong or incorrect spelling of your name. Phishers often harvest email addresses in bulk and may not have your full name. Because of this, they will try to guess your name from your email address.
  • Do Not open emails that are not addressed to you by name. Phishers will almost never personalize correspondence; they will refer to you as “Dear Customer” or “Dear Valued Customer” because they send bulk solicitations to millions of email addresses.
  • Do Not respond to any account management email requests that come from your bank. If your bank needs to reach you, they will send you an official letter or leave you a voice mail with a valid callback telephone number.
  • Do Not open unsolicited emails. Nothing in life is free, and this includes the invitation to view naked celebrities and the Prozac and Viagra offers in your inbox.
  • Do Not use email links to go to any financial websites. Type in the URL yourself and save it as a bookmark.
  • Do verify the website URL you are about to log into; check the spelling carefully before you provide your login details on any web page. Pay close attention to the domain name following the “http://” section of the address. Many phishers will intentionally create very long names to obfuscate the fake URL.
  • Do log in to your on-line accounts regularly and look for unrecognized transactions. Do the same with your monthly credit card statements.
  • Do Not send your account details via email to anyone. Email traffic is unencrypted, so anyone en route can intercept the message.
  • Do check that the Internet connection you are using is secure. Look for HTTPS in the address field of your browser. You may also want to click on the padlock (encrypted connection) icon to view the actual server certificate. This will help you verify that it was issued by a reputable authority and assigned to the company managing the website in question.
  • Do make sure that you have updated anti-virus software and that your firewall is turned on.

© Copyright 2009 Yaacov Apelbaum All Rights Reserved.