
Update to “A Gentle Guide to Money Laundering”

I’ve updated my guide to money laundering, mostly to include a discussion of Unexplained Wealth Orders, which seem likely to become a major part of the solution.

money laundering version 2 (Feb 2020)

More thoughts on Huawei

“5G” is marketing speak for whatever is coming next in computer networks. It promises 100 times greater speed and the ability to connect many more devices in a small space. However, “5G” is unlikely to exist as a real thing until two serious problems are addressed. First, there is no killer app that demands this increase in performance. Examples mentioned breathlessly by the media include being able to download an entire movie in seconds (which doesn’t seem to motivate many people), the ability for vehicles to communicate with one another (still years away), and the ability for Internet of Things devices to communicate widely (the whole communicating lightbulbs phenomenon seems to have put consumers off rather than motivated them). Second, “5G” will require a much denser network of cell towers and it’s far from clear how they will be paid for and powered. The 5G networks touted in the media today require specialized handsets that are incompatible with existing networks and exist only in the downtown cores of a handful of cities. So “5G” per se is hardly a pressing issue.

Nevertheless, it does matter who provides the next generation of network infrastructure because networks have become indispensable to ordinary life – not just entertainment, but communication and business. And that’s why several countries have been so vocal against Huawei’s attempts to become a key player.

There are two significant issues. First, a network switch provider can see, block, or divert all the traffic passing through its switches. Even encrypting the traffic content doesn’t help much; it’s still possible to see who’s communicating with whom and how often. Huawei, however much it claims to the contrary, is subject to Chinese law that requires it to cooperate with the Chinese government and so can never provide neutral services. It doesn’t help to say, as Huawei does, that because it never has acted at the behest of the Chinese government, it never will in the future. Nor does it help to say that no backdoor has ever been found in its software. All network switches have the capability to be updated over the Internet, so the software it is running today need not be the software it is running tomorrow. It is not surprising that many governments, including the US and Australia, have reservations about allowing Huawei to provide network infrastructure.

Second, the next generation of network infrastructure will have to be more complex than what exists now. A long-standing collaboration between the UK and Huawei tried to improve confidence in Huawei products by disassembling and testing them. Their concern, for a number of years, was that supposedly identical software built in China and built in the UK turned out to be of different sizes. This is a bad sign, because it suggests that the software pays attention to where it is being built and modifies itself accordingly (much as VW emissions testing software checked whether the vehicle was undergoing an emissions test and modified its behaviour). However, their 2019 report concluded that the issue stemmed from Huawei’s software construction processes, which were so flawed that they were unable to build software consistently anywhere. The software being studied is for today’s 4G network infrastructure, and the joint GCHQ-Huawei Centre concluded that it would take them several years even to reach today’s software engineering state-of-the-art. It seems inconceivable that Huawei will be able to produce usable network infrastructure for an environment that will be many times more complex.

These two problems, in a way, cancel each other out – if the network infrastructure is of poor quality it probably can’t be manipulated explicitly by Huawei. But its poor quality increases the opportunity for attacks on networks by China (without involving Huawei), Russia, Iran, or even terrorist groups.

Huawei systems are cheaper than their competitors, and it’s a truism that convenience trumps security. But the long-term costs of a Huawei-connected world may be more than we want to pay.

The difference between kinetic and cyber attacks

It’s striking — and worrying — that missile launches by North Korea, no matter how unimportant in the big picture, get worldwide news coverage every time they happen.

But North Korea’s ongoing cyberattacks, which are having serious effects and are raising startlingly large amounts of money for the regime, are mentioned only on technical sites, and only occasionally.

We have to hope that military and government have a more balanced view of the relative threat — but it seems clear that politicians don’t.

Backdoors to encryption — 100 years of experience

The question of whether those who encrypt data, at rest or in flight, should be required to provide a master decryption key to government or law enforcement is back in the news, as it is periodically.

Many have made the obvious arguments about why this is a bad idea, and I won’t repeat them.

But let me point out that we’ve been here before, in a slightly different context. A hundred years ago, law enforcement came up against the fact that criminals knew things that could (a) be used to identify other criminals, and (b) prevent other crimes. This knowledge was inside their heads, rather than inside their cell phones.

Then, as now, it seemed obvious that law enforcement and government should be able to extract that knowledge, and interrogation with violence or torture was the result.

Eventually we reached (in Western countries, at least) an agreement that, although there could be a benefit to the knowledge in criminals’ heads, there was a point beyond which we weren’t going to go to extract it, despite its potential value.

The same principle surely applies when the knowledge is on a device rather than in a head. At some point, law enforcement must realise that not all knowledge is extractable.

(Incidentally, one of the arguments made about the use of violence and torture is that the knowledge extracted is often valueless, since the target will say anything to get it to stop. It isn’t hard to see that devices can be made to use a similar strategy. They would have a PIN or password that could be used under coercion and that would appear to unlock the device, but would in fact produce access only to a virtual subdevice which seemed innocuous. Especially as Customs in several countries are now demanding PINs and passwords as a condition of entry, such devices would be useful for innocent travellers as well as guilty — to protect commercial and diplomatic secrets for a start.)

Democratic debates strategy

In an analysis of the language used by US presidential candidates in the last 7 elections, Christian Leuprecht and I showed that there’s a language pattern that predicts the winner, and even the margin. The pattern is this: use lots of positive language, use no negative language at all (even words like ‘don’t’ and ‘won’t’), talk about abstractions not policy, and don’t talk about your opponent(s). (For example, Trump failed on the fourth point, but was good on the others, while Hillary Clinton did poorly on all four.)

In some ways, this pattern is intuitive: voters don’t make rational choices of the most qualified candidate — they vote for someone they relate to.

Why don’t candidates use this pattern? Because the media hates it! Candidates (except Trump) fear being labelled as shallow by the media, even though using the pattern helps them with voters. You can see this at work in the way the opinion pieces decide who ‘won’ the debates.

The Democratic debates show candidates using the opposite strategy: lots of detailed policy, lots of negativity (what’s wrong that I will fix), and lots of putting each other down.

Now it’s possible that the strategy needed to win a primary is different to that which wins a general election. But if you want to assess the chances of those who might make it through, then this pattern will help to see what their chances are against Trump in 2020.

Incumbency effects in U.S. presidential campaigns: Language patterns matter, Electoral Studies, Vol 43, 95-103.
https://www.sciencedirect.com/science/article/pii/S0261379416302062

Tips for adversarial analytics

I put together this compendium of things that are useful to know for those starting out in analytics for policing, signals intelligence, counterterrorism, anti-money-laundering, cybersecurity, and customs; and which might be useful to those using analytics when organisational priorities come into conflict with customers (as they almost always do).

Most of the content is either tucked away in academic publications, not publishable by itself, or common knowledge among practitioners but not written down.

I hope you find it helpful (pdf):  Tips for Adversarial Analytics

Unexplained Wealth Orders

Money laundering detection conventionally focuses on finding the proceeds of crime. It has two deterrent effects: the proceeds are confiscated so that ‘crime doesn’t pay’; and discovering the proceeds can be used to track back to find the crime, and the criminals that produced it.

Since criminals prefer not to leave traces, the proceeds of crime used to be primarily in cash — think drug dealers. As a result, criminals tended to accumulate large amounts of cash. To get any advantage from it, they had three options: spend it in a black economy, insert it into the financial system, or ship it to another country so that its origin was obscured.

Money laundering detection used to concentrate on these mechanisms. Many countries have made an effort to stamp out the cash economy for large-scale purchases (jewels, cars, houses, art) by requiring sizeable cash transactions to be reported, and by removing large-denomination currency from circulation (so that moving cash requires a larger, more obtrusive volume). Most countries also require large cash deposits to banks to be reported. Preventing transport of cash across borders is more difficult — many countries have exit and entry controls on cash carried by travellers, but do much less well at interdicting containers full of cash.

One reason why much of current money laundering detection is ineffective is that there are now wholesale businesses that provide money laundering as a service: give them your illicit money, and they’ll give you back some fraction of that money in a way that makes it seem legitimate. These businesses break the link between the money and the crime, making it almost impossible to prosecute since there’s no way to draw a line from the crime.

Unexplained wealth orders target the back end of the process instead. They require people who have and spend money in quantity to explain how they came by the money, even if the money is in the financial system and apparently plausible. This is extremely effective, because it means that criminals cannot easily spend their ill-gotten gains without risking their confiscation.

Of course, this is not a new idea. Police have always kept a look out for people who seemed to have more money than they should when they wanted to figure out who had committed a bank robbery or something similar.

The new factor in unexplained wealth orders is that the burden of proof shifts to the person spending the money to show that they came by it legitimately, rather than being on law enforcement to show that the money is proceeds of crime (which no longer works, because of the middlemen mentioned above). This creates a new problem for criminals.

Of course, the development and use of unexplained wealth orders raises questions of civil liberties, especially when the burden of proof shifts from one side to the other. However, unexplained wealth has always attracted the attention of taxation authorities and so these orders aren’t perhaps as new as they seem. Remember, Al Capone was charged with tax evasion, not racketeering.

Unexplained wealth orders seem like an effective new tool in the arsenal of money laundering detection. They deserve to be considered carefully.