There’s a new wrinkle on ransomware.

Smarter criminals are now exfiltrating files that they find which might be embarrassing to the organisation whose site they’ve hacked. Almost any organisation will have some dirty laundry it would rather not have publicised: demonstrations of incompetence, inappropriate emails, strategic directions, tactical decisions, ….

The criminals threaten to publish these documents within a short period of time as a way to increase the pressure to pay the ransom. Now even an organisation that has good backups may want to pay the ransom.

Actually finding content that the organisation might not want made public is a challenging natural language problem (although there is probably low-hanging fruit such as pornographic images). But, like the man (allegedly Arthur Conan Doyle) who sent a telegram to his friend saying “Fly, all is discovered” (The Strand, George Newnes, September 18, 1897, No. 831 – Vol. XXXII) and saw him leave town, it might not be necessary to specify which actual documents will be published.

Understanding risk at the disaster end of the spectrum

In conventional risk analysis, risk is often expressed as

risk = threat probability × potential loss

When the values of the terms on the right-hand side are in the middle of their ranges, our intuition seems to understand this equation quite well.

But when the values are near their extremes, our intuition goes out the window, as the world’s coronavirus experience shows. The pandemic is what Taleb calls a black swan, an event where the threat probability is extremely low, but the potential loss is extremely high. For example, if the potential loss is of the order of 10^9 (a billion) then a threat probability of 1 in a thousand still has a risk of magnitude a million.

I came across another disaster waiting to happen, with the same kind of characteristics as the coronavirus pandemic — cyber attacks on water treatment facilities.


In the U.S., water treatment facilities are small organizations that don’t have specialized IT staff who can protect their systems. But cyber attacks on such facilities can cause mass casualties. While electricity grids, Internet infrastructure, and financial systems have received some protection attention, water treatment is the forgotten sibling. A classic example of a small (but growing) threat probability but a huge potential loss.

The threat isn’t even theoretical. Attacks have already been attempted.

Using technology for contact tracing done right

There has understandably been a lot of interest in using technology, especially cell phones, to help with tracking the spread of covid-19.

This raises substantial privacy issues, especially as we know that government powers grabbed in an emergency tend not to be rolled back when the emergency is over.

One of the difficulties is that not everybody with a cell phone carries it at all times (believe it or not), and not everybody leaves their location sensor turned on. So many of the proposals founder on issues such as these; all the more so as those who don’t want to be tracked are more likely to be evasive.

One of the cleverer ideas is an app used in Singapore, TraceTogether. If you install the app, and have Bluetooth turned on, then the app swaps identities with any phone with the app that comes close enough to detect.

Using public key infrastructure, the identity of the other phones you’ve encountered is stored, encrypted, on your phone (and vice versa on theirs).

If you get sick, the app will send the list of phones you’ve been close to to the government, which can use its key to decrypt it. They can then notify everyone and contact trace them in minutes.

Note that the app doesn’t record where you crossed paths with others, just that you did. This, together with the fact that nobody but the government can decrypt your contacts, gives you a substantial amount of privacy, probably the best you can hope for given the public health need.
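
A simplified model of the exchange described above, added here as an illustration; it is not TraceTogether's code or its actual protocol. It assumes each phone hands out its identity already encrypted to the authority's public key, and it uses a toy ElGamal-style scheme built from the Python standard library; the `Phone` class, the function names and the phone identifiers are all hypothetical.

```python
import hashlib, hmac, secrets

# Toy ElGamal-style hybrid encryption over the Mersenne prime 2**521 - 1.
# Illustration only: a real app would use a vetted library and parameters.
P, G = 2**521 - 1, 3

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _keys(shared):
    d = hashlib.sha512(shared.to_bytes(66, "big")).digest()
    return d[:32], d[32:]                      # (one-time pad, MAC key)

def seal(authority_pk, phone_id):
    """Encrypt phone_id (<= 32 bytes) so only the authority can read it."""
    if len(phone_id) > 32:
        raise ValueError("phone_id too long for this toy scheme")
    eph_sk, eph_pk = keygen()                  # fresh per token, so tokens differ
    pad, mac_key = _keys(pow(authority_pk, eph_sk, P))
    ct = bytes(a ^ b for a, b in zip(phone_id, pad))
    return eph_pk, ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def unseal(authority_sk, token):
    eph_pk, ct, tag = token
    pad, mac_key = _keys(pow(eph_pk, authority_sk, P))
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered token")
    return bytes(a ^ b for a, b in zip(ct, pad))

class Phone:
    def __init__(self, phone_id, authority_pk):
        self.phone_id, self.authority_pk = phone_id, authority_pk
        self.encounters = []                   # opaque tokens only, no location

    def broadcast(self):
        return seal(self.authority_pk, self.phone_id)

    def meet(self, other):                     # Bluetooth proximity, both directions
        self.encounters.append(other.broadcast())
        other.encounters.append(self.broadcast())

def trace(authority_sk, uploaded_tokens):
    """Authority side: decrypt a sick user's upload into distinct contacts."""
    return sorted({unseal(authority_sk, t) for t in uploaded_tokens})

def demo():                                    # constructed sample identities
    auth_sk, auth_pk = keygen()
    alice, bob, carol = (Phone(n, auth_pk) for n in (b"alice", b"bob", b"carol"))
    alice.meet(bob); alice.meet(carol); alice.meet(bob)
    return trace(auth_sk, alice.encounters)    # alice falls ill and uploads
```

The phone that stores the tokens cannot read them: calling `unseal` with any key other than the authority's private key raises `ValueError`.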

The epidemiology of spam

As someone who’s had the same email address for nearly 40 years, I get a lot of spam. (Of course, almost all of it is automatically filtered away.)

It’s been noticeable that spam was way down from January this year; and became vanishingly rare once India was put on lockdown last week.

But this week it’s come roaring back as China once again opens for business. I guess we know where most of it comes from (and maybe spam has a role to play as a covid-19 detector — perhaps we can find out how many infections there are really in Iran, for example).

Detecting intent and abuse in natural language

One of my students has developed a system for detecting intent and abuse in natural language. As part of the validation, he has designed a short survey to get human assessments of how the system performs.

If you’d like to participate, the url is


Thanks in advance!

Towards a cashless economy

Australia is close to passing laws that would make it impossible to pay for anything with cash above $A10,000.

What’s interesting is who’s objecting: the Housing Association (cash for property innocently, really?); farmers (maybe this is about barter and/or tax avoidance), dentists (??), and big retail (hmm, sounds like high end products such as jewelry might be the issue here). Retailers are quoted as saying “customers like to save cash to make big payments” which sounds rather implausible.

One of the things that works against stamping out money laundering is that it means stamping out the black, and most of the grey, economy. The pushback from these parts of the economy is presumably something between loss of perks and a feeling that the tax bite is too big.

Update to “A Gentle Guide to Money Laundering”

I’ve updated my guide to money laundering, mostly to include a discussion of Unexplained Wealth Orders, which seem likely to become a major part of the solution.

money laundering version 2 (Feb 2020)