DarkSide Goes Too Far with Colonial Pipeline Ransomware Attack

The ransomware attack on the Colonial fuel pipeline that supplies the U.S. East Coast is such a rich story it is hard to know what to discuss in a brief blog post. As anyone who gets news feeds knows, the software that took out Colonial is supplied by a (probably Russia-based) criminal enterprise called DarkSide. DarkSide’s business model is called “Ransomware-as-a-Service” (RaaS). They partner with affiliates who use the software to perform the actual attacks. The affiliates get paid something like 10-25% of the ransom money.

An article by Sophos Labs, a company that fights ransomware, gives details on how these attacks work. Typically, an attacker gets initial access to a company’s system by tricking some employee into revealing passwords or other critical information (“phishing”). The attacker then spends two or three months roaming around inside the systems, building up credentials to get more and more access. They steal (“exfiltrate”) sensitive information like accounting, personnel, and R&D. This table shows some of the “tools” used in these attacks:

When it’s showtime, they encrypt the information on the company computers, which typically makes operations grind to a halt. They then demand ransom (in the form of Bitcoin). If the ransom is paid, they will send the victim a decryption program to allow them to decrypt their files.  If their demands are not met, they will publicly release the stolen, sensitive information. So this extortion is a double threat, to both operations and information exposure.

Here is an example of (I believe) an actual ransom demand note:

(Sorry, the text is hard to read).  DarkSide is professional in their own way. They assure their victims that they really will get their data restored if the ransom is paid: “…We value our reputation. If we do not do our work and liabilities, no one will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.”   Think of that, a help desk for your ransomware.

DarkSide likes to align themselves with Robin Hood, kind of: “Take from the rich, and give to the poor  keep it”. They claim to be apolitical, just in it for the money, and to not target nonprofits. They even offer to donate money to charities, so we can all feel good about this. (Charities typically refuse to accept stolen money, though).

In most cases, it is far cheaper for the victim to pay the ransom than to tough it out and try to scramble to restart their systems cold and to risk exposure of sensitive information.  DarkSide, after all, has its reputation to protect, so they scale the ransom demands accordingly, but make sure the victims hurt if they do not pay.

Forbes cybersecurity expert Davey Winder explains that with the Colonial hack, however, DarkSide (and the affiliate who did the actual hacking) stirred up something of a hornet’s nest.

If you cut off gasoline supplies to the Washington, D.C. area, you better think through the consequences. I am sure that top national security officials were grilled by top top government officials as to “How could this happen?”, and, “You aren’t going to let them get away with this, are you?”. After some days of public waffling on the issue, it seems Colonial did pay DarkSide some $5 million. But apparently DarkSide did not get to keep the loot, though it is hard to know what is real and what is public theater.

According to Winder,

DarkSide was effectively forced into retreat by alleged law enforcement or unspecified government disruption of the publicity blog and the ransom negotiation dark web site.

The main Russian-language criminal forum that acted as a recruitment post for potential affiliates banned all ransomware groups from advertising. The cryptocurrency wallets used by DarkSide were, it has also been said, found and funds exfiltrated.

You can follow some of the links in the paragraph above for more of the details here. (Most people may not realize that Bitcoin is not as private as imagined. Every transaction is out in public view; although technically the identities of transactors are cloaked behind anonymous users’ ID numbers, sophisticated data analysis programs can be used to trace transactions pretty reliably).
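As an added illustration (not from the original post or from any tool it cites), the sketch below shows two basic ideas behind such tracing: grouping addresses that are spent together in one transaction (the common-input-ownership heuristic) and following funds forward through the public ledger. The ledger, address labels and amounts are constructed for the example.

```python
from collections import defaultdict

# Constructed sample ledger (not real transactions). Each transaction lists the
# addresses that funded it (inputs) and its (address, amount) outputs.
TXS = [
    {"txid": "t1", "inputs": ["victim_A"], "outputs": [("ransom_1", 50)]},
    {"txid": "t2", "inputs": ["victim_B"], "outputs": [("ransom_2", 30)]},
    {"txid": "t3", "inputs": ["ransom_1", "ransom_2"],
     "outputs": [("pool_1", 75), ("change_1", 5)]},
    {"txid": "t4", "inputs": ["pool_1", "change_1"],
     "outputs": [("affiliate_1", 60), ("operator_1", 20)]},
    {"txid": "t5", "inputs": ["bystander_1"], "outputs": [("shop_1", 10)]},
]


def cluster_addresses(txs):
    """Group addresses with the common-input-ownership heuristic.

    Addresses spent together as inputs of one transaction are assumed to be
    controlled by the same party, because each input must be signed with its
    own key. Mixing schemes such as CoinJoin deliberately break this
    assumption, so real analysis treats clusters as leads, not proof.
    """
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path compression
            addr = parent[addr]
        return addr

    for tx in txs:
        # Register every address so unclustered ones appear as singletons.
        for addr in tx["inputs"]:
            find(addr)
        for addr, _amount in tx["outputs"]:
            find(addr)
        # Merge all co-spent inputs into one cluster.
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            root_a, root_b = find(first), find(other)
            if root_a != root_b:
                parent[root_b] = root_a

    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return list(clusters.values())


def cluster_of(clusters, addr):
    """Return the cluster (set of addresses) that contains addr."""
    return next(c for c in clusters if addr in c)


def trace_forward(txs, start):
    """Return every address that received funds downstream of `start`."""
    tainted = {start}
    reached = set()
    changed = True
    while changed:  # repeat until no new address is reached
        changed = False
        for tx in txs:
            if tainted.intersection(tx["inputs"]):
                for addr, _amount in tx["outputs"]:
                    if addr not in tainted:
                        tainted.add(addr)
                        reached.add(addr)
                        changed = True
    return reached


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    print("Cluster of ransom_1:", sorted(cluster_of(clusters, "ransom_1")))
    print("Downstream of ransom_1:", sorted(trace_forward(TXS, "ransom_1")))
```

In the constructed ledger, two separate ransom addresses are linked to one owner the moment they are spent together, and the payout addresses are reachable from either one, while the unrelated `bystander_1` payment stays outside the result.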

DarkSide has announced some “nicer” guidelines for its further extortions. It seems like the good guys at least partially won that battle, but the war goes on. Winder further comments:

The business model will change, just as it has always evolved, but it won’t go away. Why would it when there are so many big corporate targets out there continuing to make the mistakes that let these attackers onto their networks?

If I were king, this is what I might do: Sentence the CEO of any company which is successfully hacked to six months in prison. Overnight, you would see corporate priorities magically realigned, necessary resources allocated, internal security protocols enforced, and so on. I predict the incidence of such hacking would drop by an order of magnitude within three months of such an “executive order”.

The Revealed Preferences of the National Hockey League

American sports leagues are different from their international counterparts for a variety of reasons, but perhaps the simplest and most important is that they exist as singular entities, otherwise natural cartels whose network effects are explicitly codified as clubs whose barriers to entry ensure a steady stream of profits so long as their sport remains sufficiently popular. Negotiating against player unions of varying levels of organization, they routinely negotiate collective bargaining agreements that neatly establish the division of proceeds between capital and labor.

A common mistake made is questioning the choices made by teams as if they were independent firms competing against each other in a ruthless marketplace for economic survival like Sony, McDonalds, or Manchester United, when in fact their survival is largely pre-ordained by the cartel, their choices salient only to the prestige and short-term windfall profits of annual trophies.

Tom Wilson plays for the Washington Capitals, which happens to be my favorite team in the National Hockey League. He is extremely good at hockey. He scores goals, makes good choices in transition, plays commendable defense, and is extremely adept at physically hurting other players. It is for this last bit that he has received the most attention. His team gains a notable advantage when he is on the ice simply because the other team must allocate a disproportionate amount of their attention to where Wilson is and their own relative vulnerability. The other teams in the league, and many of their players, are increasingly of the publicly held opinion that this advantage is not gained in a manner within the rules of the game. Tom Wilson is a cheating bully who threatens the safety of every other player beyond an acceptable level who simply must be stopped immediately.

To be clear, they do not believe this.

The other teams and their players believe he is dangerous (he is). But they clearly do not think he is too dangerous. Tom Wilson is occasionally suspended or fined, his salary donated to charity. The players’ union (the NHLPA) has worked tirelessly to minimize the punishments he incurs for physically injuring the other members of the same union. The other teams within the league cartel have never once imposed a punishment on his employing team. Based on the relatively modest punishments doled out and the minimal interest the players’ union has in ensuring their members’ physical safety, it would be foolish to conclude that the NHL views Tom Wilson as a net negative or even symptomatic of a net negative institution within hockey.

The NHL sells hockey. Their cartel members aren’t competing with each other, they are competing as a league against other sources of entertainment, principally other sports. They are competing for attention. Three John Wick movies have left me convinced that violence is an excellent means of eliciting attention. The NHL isn’t punishing Tom Wilson or the Washington Capitals because every time he punches a player prone on the ice in the back of their neck, the possibility that a player may be paralyzed or killed receives twenty-five fold the attention that Connor McDavid receives for being the most skilled player I’ve ever seen.

To be clear, the NHL doesn’t sell hockey or violence, they sell a bundle of goods that includes athletic skill, regional identity, cultural identity, and violence. Compared to the other major US sports, it’s not unreasonable to consider the violence within hockey to be the bundle component that overlaps the least with other competing products and, as such, contributes the most, at the margin, to their share of the market. Violence may literally be the most profitable thing the NHL sells.

Every time Tom Wilson or another player seriously injures a player, possibly ending a career or reducing the quality of the rest of their life, people will speculate on what sort of event will cause the NHL to change the nature of their sport, but I don’t know why there is any uncertainty.

They’ll change when revenues decline because fans prefer less violence in their sports entertainment consumption or when young athletes with brief peak earning windows express willingness to receive smaller wages in exchange for safer working conditions. Such things have been happening steadily for the last 25 years with all of the major sports, but hockey has put itself in a uniquely bad position to continue transitioning away from selling violence, one that may demand that teams earn smaller profits, and players smaller wages, in the short run in order to enjoy greater success in the long run. I guess it could happen naturally through artful negotiation, earned trust, and thoughtful planning.

You ever know a joke that you know only a small fraction of people will understand, but you tell it anyway?

Bracing for the Swarm of “Charismatic” Cicada Bugs

In the Mid-Atlantic region of the U.S., there are two basic types of cicadas. One type appears every year, but in small numbers. One bug up in a tree can fill a whole block with its buzzing sound. But every seventeen years, the periodic cicadas, also (incorrectly) called “17-year locusts”, emerge and drown out every sound but their own. They can make a residential neighborhood sound like an airport. The seventeen year swarm is due to emerge any day now.

You simply must go

There is no shortage of travel media. A million writers, marketers, and eternally-aspirational “influencers” are desperate for your ear, while a litany of airlines, trainlines, and cruiselines are more than happy to take you there. Every year there is a new place that “you simply must go”, it’s “transformative”. Places that remain untouched. Places that are now safe to go. Places that are exciting or sandy or have the best seafood you’ve ever had. All desperate to tell you where to go, where you have to go.

It’s all very stupid. Not because you shouldn’t travel, quite the contrary. No, it’s all stupid because there are more places to go than you’ll have months on this earth. There are so many interesting, wonderful places to go, most of which you’ve never been to and never will. You really don’t need that much advice. You just need to go to as many places as you can, which means economizing on your limited resources, which are invariably time and money.

We’re all getting vaccinated and it’s time to get outta here. So where do I think you should go? I have no idea, but here is how I travel:

  1. I write a list of places I/we want to go. It has to be at least 15-20 deep and I try to update it twice a year.
  2. I try to identify pockets of time when we can travel months in advance, the bigger the window, the better.
  3. When it’s time to book a trip, I just start googling airfare for places on the list and write down numbers.
  4. Whatever is currently the best price opportunity (not just the cheapest) we go and then cross it off the list when we get back. This is a fuzzy “within-destination” estimation. Nashville is always going to be cheaper than Paris, but if Paris is $400 cheaper than the last few times we looked, then that’s a better choice than Nashville at half the price.

That’s the search protocol. Then there is the single most important rule: Never pay for something that you don’t want. This is essentially an “off-season” rule.

  1. Only go to places with beaches in the winter if you don’t want to actually sit in the sand all week.
  2. Only go to the mountains in the summer, unless you plan on skiing every day.
  3. Avoid large American cities around major holidays.
  4. Avoid ALL large cities around New Years.
  5. Avoid anywhere hosting an All-Star Game, Super Bowl, etc. Same goes for Kentucky during the major horse races unless you have a ticket.
  6. I’d say avoid Spring Break and Beach Week destinations, but is that seriously something you’d even consider? Please.

Simple rules once you are there.

  1. Find a hotel/airbnb walking distance from public transportation.
  2. Walk everywhere you can.
  3. Walk everywhere you intend to drink alcohol.
  4. Eat most meals standing up, sitting outside, or at the bar.
  5. Don’t spread your food budget evenly. It’s better to have one super expensive meal and 13 meals at trailers, trucks, and kiosks.
  6. Go to a local sporting event
  7. Go to the library
  8. Go to bookstores and junk stores, even antique stores, but never knick knack stores. Intentionally adorable is not the same thing as quirky or idiosyncratic.
  9. Drink what the locals are drinking.
  10. Find something they make there, maybe tour a factory or brewery or lavender field.
  11. If there is a major university, see if they have a History PhD program. If they do, see if there are students who will give you a walking tour for cash. I’ve done this twice and it was awesome. Don’t do this in Rome, the student will be arrested and fined.
  12. Find the art they care about that tourists don’t. Opera, theater, symphony, spoken word. If it sucks leave at intermission.
  13. Most tourist traps are traps but sometimes they are the Blue Lagoon hot springs in Iceland and you should actually go.
  14. Keep walking. Bring good socks and shoes, maybe a couple knee sleeves. Advil. Hydrate.

I don’t know where you should go, just go. You can probably still get a reasonable flight to Toronto or Berlin or Greenville and you should just go.

Was “World War II” Just a Myth?

May 5, 2415

[To:] Mark Livingstone,

25 The Standards,

Verneville, Alassippi

Dear Mark:
in your last letter you made one palpable hit, but only one: I admit that the atomic wars of the Twenty-first Century and the cataclysms of the Twenty-second Century destroyed so much of our cultural inheritance, including nearly all our Nineteenth and Twentieth Century history, that there is very little we can turn to of those times that is authentic. Apparently that is the only point we will be able to agree on.

I cannot possibly believe, for instance, as you do, that there ever did exist an Abraham Lincoln as so glowingly portrayed by our two or three surviving “history” digests; nor can I believe there ever was a World War II, at least such as they described. Wars, yes – there have always been wars, and a World War II may have occurred – but certainly not with such incredible concomitants.

In short, your history is much too fictional for me.

Active empathy makes for better research

There are skills necessary for good research and policy design, but not all of them can be taught. One of the skills I advocate that my students develop, but to be honest I’m not sure if I’m all that convincing, is active empathy i.e. to willfully try to place yourselves in the context that is driving the model underlying your research question and imagine how you would behave. This is, perhaps, more work than it sounds.

Trying to imagine how you would behave in a given decision context requires not just imagining how you would make the best possible decision, but what you might actually do. This means imagining your own hypothetical state of mind in the model event context. How tired you might be, how frustrated or bored or scared. How invested you are cognitively or how distracted from the entire enterprise. Would you even be conscious of the decision in the moment you were making it, or would you only realize it upon later reflection?

What would your resource constraints be and what would it feel like to live under those constraints? What sort of rewards or punishments are you considering? This is where it pays to be honest with both your current and hypothetical selves. If you’re a car salesman, are you more excited about making the most money or being the best salesperson in the lot? If you’re a cop, are you more excited about making a big arrest or making it through the day with the minimum of interactions? Do you care more about your boss liking you or your fellow street officers?

This also, more often than not, means imagining you are a completely different person. This is where it is strongly advisable to practice not just active empathy, but active humility. I like to think I am pretty good at putting myself in other people’s shoes, but I also know I will never be able to fully empathize with the experience of being a woman in an abusive domestic context with two young children during a global pandemic. What I can do, however, is start by actively empathizing with the elements of that context that are accessible to me and my life experience, and then do my best to add into the exercise the different constraints, outside options, and resources available that might change the decisions made. I can enrich the mental model I am building by trying to appreciate what it means to make decisions, in any context, under the duress of physical fear and heightened uncertainty, while all the while acknowledging my exercise is inherently limited by my own experience.

Having invested real time and energy in this exercise, you’ll be in a better place to guide your research and policy design, not just because you’re thinking about the problem from the ground level, but because you’ve forced yourself to acknowledge where your blind spots are, and can do your best to address them. First person narrative accounts (“anecdotes”) don’t usually make for great data, but they are a great way to let someone else’s experience partially (but never fully) fill in your gaps. To be clear, I don’t view this as an alternative to standard rational choice frameworks of analysis. Quite the contrary, I think it is exactly when the choices being made by others seem entirely irrational that it is most advisable to step back and try to actively empathize with the decisionmaker – to try to see the choices, constraints, and other players in the game as they actually see them. It’s amazing what can quickly become completely rational once you consider the resource constraints, especially information constraints, people are operating within.

If it sounds like I’m trying to convince economists everywhere of the merits of Method Acting, don’t worry, I’m not.

No, scratch that. That’s exactly what I’m doing. Just keep your rehearsals to yourself.

Hyperinflationary Efficiency?

I’m advising a senior thesis for a student who is examining the strength of Purchasing Power Parity in hyper-inflationary countries. Beautifully, the results are consistent with another author* who uses a more sophisticated method.

For those who don’t know, absolute purchasing power parity (PPP) depends on arbitrage among traders to cause a unit of currency to have the same ability to acquire goods in two different countries. If after converting your currency you can afford more stuff in a foreign country, then there is a profit opportunity to purchase there and even to re-sell it in your home country.

Essentially, when you make that decision, you are reducing demand for the good in your home country and increasing demand in the foreign country (re-selling affects the domestic supply too). Eventually, the changes in demand cause the prices to converge and the arbitrage opportunities disappear. At this point the two currencies are said to have purchasing power parity – it doesn’t matter where you purchase the good.

So does PPP hold? One way that economists measure the strength of PPP is by measuring the time that it takes for a typical purchasing power difference to be arbitraged away by 50% – its ‘half-life’.  The more time that is required, the less efficient the markets are said to be.

The ex-ante question is: Is PPP stronger or weaker during hyperinflationary periods?

I could do better

My favorite soccer team has been badly coached for 2 years and I am regularly convinced I could do better.

These are not the thoughts of a rational man and it’s causing me no small amount of consternation, bordering on intellectual crisis. Which is, of course, a lie, but adding a touch of intellectual melodrama never hurts when you’re trying your damnedest to write something new every week.

It is a puzzle, to be sure. There have been two coaches in the last two years, the second having only been there a week. The first was experienced, accomplished, and internationally famous. I’m quite confident he was wrong in the majority of decisions he made, but I at least had a model for why he was so often wrong.

When an ostensible expert appears to be failing at their job far worse than a hypothetically cheaper replacement, I always look for the rational reason why someone might be choosing to fail. In this case, we were observing an individual who could achieve mediocrity without effort. His past accomplishments gave him credibility with the players and his stock of knowledge as of 2011 was sufficient to carry him to large pay checks. To achieve mediocrity required near minimal effort. Could he update his tactics, both within the structure of the game and his management of personnel? Of course. But doing so would require enormous amounts of effort. His salary had peaked, his future managerial prospects dimmed by age and recent results, and as such the returns to effort were dwarfed by the returns to leisure. Allow me to enter ego into the calculus. What sounds more cognitively costly: acquiescing to reality that your human capital has been rendered obsolete and rebuilding your modus operandi from scratch with the full knowledge that you may spend your wealth-laden golden years failing in public? Or denying it fully, shifting all blame for failure onto the personnel, and bemoaning that it is not your human capital that is obsolete, but rather that the labor pool available to you is fundamentally flawed? To me it’s a no-brainer, and it’s why I am fully of the belief that there actually are bloggers in their mom’s basement who could have better managed a team.

The new manager is a temp. He’s never managed a team before. Then again, neither have I. He has, however, played professional soccer at the highest level. He has been placed on the management training track by a world-class organization. He has none of the maladapted human capital or rational-addiction-adjacent reasons to fail at his job. He has all of the local and tacit knowledge from being on the training pitch and in the locker room that I don’t.

I’m still confident I could have done a better job than he did today. Why is that?

I can construct a model to rationalize my beliefs, but that model gets awfully “just-so” very quickly. It relies on assumptions I can’t justify and broad generalizations that, if evenly applied, would hurt the case for myself as superior even more so than the current job holder. Of course, I can invent a narrative where I am the superior sports team manager, but that narrative would have to rewrite my entire personal history going back so far as to render me a completely different human, and one who no doubt would have just as many (and possibly the same) blind spots.

I guess what I’m saying is that I know I shouldn’t be the manager. Every rational bone in my body knows that is a silly idea and I would fail miserably. But I think there is a case to be made that sometimes we can look at the person making decisions for our favorite team, look at their track record, and confidently say “They would be making better decisions if they talked it over with me.” When the armchair quarterback says “the coach is an idiot” they’re not saying they want to be the coach. They’re saying they want to be in the room. They want a voice because they think they could contribute.

Someone tell Tottenham Hotspur that I’m available. I’m not free, but I can be had.

Singing IPUMS Praises

This is a late post, but I just want to sing the praises of IPUMS.

I first encountered IPUMS data in Sacerdote’s paper on intergenerational human capital transfers in which he showed literacy rates by birth cohort throughout the 19th century (figure 4 is downright beautiful). I’ve since dug in myself concerning school attendance and human capital.

In the papers that students write in our econ elective classes, it’s not unusual for them to contain FRED data. Given that we don’t teach time-series, the papers are usually empirically weak. But this semester in my Western Economic History course, I’ve encouraged students to utilize IPUMS. There are 4 students who are using it whose ideas I will surely publicize in the future:

  • Historical patterns of deaf employment, education, human capital, & income
  • The economic impact of the Brooklyn bridge
  • The composition of US interstate migrants relative to their host state
  • Patterns of compulsory schooling

IPUMS is so darn rich. I strongly recommend it if you haven’t yet taken advantage of it.

Stoned Age Cave Paintings

It has long been argued that many of the artists drawing on cave walls were not merely trying to draw the external world as accurately as possible. Rather cave art was:

A deliberate mix of rituals inducing altered states for participants, coupled with brain chemistry that elicits certain visual patterns for humanity’s early chroniclers.

The cave painters had rituals that involved taking drugs (undoubtedly plants) that they consumed in a frenzy to get to this creative state. This behavior and the same results were noted by 1960s-era academics studying the effects of peyote, a hallucinogenic cactus found in North America.

Some drawings which illustrate these patterns are:

There seem to be a number of geometric patterns like honeycombs, tunnels and funnels, cobwebs, and spirals which show up repeatedly across different continents. This has fueled speculation that those prehistorics were tripping out on veggies like peyote and magic mushrooms. In his “Stoned Ape” theory, the late Terence McKenna proposed that consumption of shrooms gave the earliest humans higher energy and group cohesion and helped humanity to evolve the use of language.

A more recent study by Tel Aviv University researchers suggests that another way that Stone Age artists got into an altered state was plain oxygen deprivation. Many sites of cave art, particularly in France and Spain, are at the end of long, narrow passages. If a couple of guys got into one of those rooms, with a blazing torch or two, the oxygen level would soon be significantly depleted:

They found that oxygen concentration depended on the height of the passageways, with the shorter passageways having less oxygen. In most of the simulations, oxygen concentrations dropped from the natural atmosphere level of 21% to 18% after being inside the caves for only about 15 minutes. 

Such low levels of oxygen can induce hypoxia in the body, a condition that can cause headache, shortness of breath, confusion and restlessness; but hypoxia also increases the hormone dopamine in the brain, which can sometimes lead to hallucinations and out-of-body experiences, according to the study.

Drawings like the following from the Altamira cave are pretty impressive under those circumstances: