
Due Diligence That Money Can’t Buy - feross
https://krebsonsecurity.com/2020/09/due-diligence-that-money-cant-buy/
======
jacquesm
I don't like Krebs one bit but this actually matches my own experience. The
most dangerous people for investors are the ones that are totally convinced
that their utterly impossible idea is going to work. All they need is just a
little bit more money and they'll turn the corner. Remember all those other
investments that at first seemed not to pan out and eventually did? This is
one of those!

Except of course it never is.

Let's see: over-unity energy generation, the infinite compression algorithm,
beamed energy using audio, batteries that can charge in a second, the flying
car and so on. All of these would be great things to have if not for those
pesky laws of physics. And they are total investor bait, investors can't help
but share the dream, they too would use this product if only it existed,
therefore the market must be huge.

Typically the entrepreneur(s) are well meaning but clueless and that is what
makes them all the more dangerous: they totally believe that their idea is
possible and anybody saying otherwise is just out to get them.

I've written about this phenomenon here:

[https://jacquesmattheij.com/evergreen-investor-scams-kooks-and-crooks/](https://jacquesmattheij.com/evergreen-investor-scams-kooks-and-crooks/)

~~~
arethuza
I did a quick search on "infinite compression" and was somewhat taken aback at
the results - I particularly like the one where the approach is described in a
rather vague way but then there is an offer:

"I’m a little busy these days. Do any of you have time to put this lossless,
infinite compression algorithm, together? If you get it to work, I’ll split
the royalties with you."

I can't work out if it is a joke or not....

~~~
jacquesm
Well, here is how it works (takes off thinking cap):

You don't go all the way in one go, the algorithm just does 1% compression
each time so it leaves something for the next rounds. You then keep on doing
that until you reach the desired size. It's not super fast but first let's get
it to work. I already have a patent!

There is just this one minor technical problem that I still need to overcome,
but once that's done the sky is the limit.

~~~
arethuza
"one minor technical problem that I still need to overcome"

Presumably that would be decompression? ;-)

~~~
jacquesm
No, for some reason after 30 rounds or so of running it depending on the data
that I feed it it will stop compressing. It's lossless after all, and after
that the filesize slowly increases. Must be a bug somewhere. It decompresses
just fine. How hard can it be? /s.

~~~
arethuza
I had rather hoped you could repeat the process indefinitely - maybe to get
down to one byte or even one bit. Only requiring one bit of storage would help
a lot in lots of situations - not to mention the potential for increasing
network throughput!

~~~
pftburger
I implemented it once as well, all the way down to single bit storage.

Turned out to be a huge security nightmare though, because it kept
decompressing into other people’s files!

Another problem was telling the compressed bits apart.

~~~
Simon_says
Why did you stop at 1 bit?

~~~
jacquesm
Otherwise investors might get suspicious that something was up.

On another note, I have this protocol that can transfer _any_ file in just 64
bits. It needs a rather large dictionary on both sides but other than that it
'just works'. Interested?

~~~
Simon_says
Nah, I got another guy who can do it in 56 bits.

------
tjbiddle
Same scam, different (and bigger) method.

I see this regularly on my e-commerce businesses: Some company says they want
to purchase $XX,XXX of our products, they have a shipping company they want to
use that will pick up from our warehouse, they ask us to get a quote from this
company and then bill the original purchaser for the full amount.

Of course, the shipping company wants the payment first, and then the
purchaser will disappear.

Never fallen for it. Seen it a thousand times. Had to train my support agents
to recognize it so they don't even bother bringing them my way.

~~~
nickff
There is a slightly more complex version of this scam, where they actually
wire transfer payment for the shipment from a sham account. The money actually
appears in your account, and many people believe that the transfer is
irreversible, but international wires often 'appear' about 2 weeks before they
clear.

------
forgotmypw17
Is this the same Krebs that erroneously publicly accused someone of the recent
Twitter hack, publishing their name and place of residence?

Edit: Yes, looks like it is.

[https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-epic-twitter-hack/](https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-epic-twitter-hack/)

[https://krebsonsecurity.com/2020/07/three-charged-in-july-15-twitter-compromise/](https://krebsonsecurity.com/2020/07/three-charged-in-july-15-twitter-compromise/)

~~~
markdown
I'm not familiar with any of this, but just read those links and they don't
back up your claim.

The person he accuses in the first post (Chaewon) is one of the three charged.

~~~
ziddoap
Just because someone has been charged (not convicted) doesn't mean anyone is
justified in doxing them. Slightly more comprehensive reads of two incidents
of Krebs doxing can be found at [1,2].

>In March 2018, he came under fire from users of a German image board
pr0gramm.com after he revealed details about several admins and moderators in
an article which claimed to identify who was behind the cryptocurrency mining
service Coinhive.

>In April last year, Krebs was again slammed by security researchers after he
doxxed two of them on Twitter, apparently because he disagreed with them about
the operations of Spamhaus.

Krebs certainly covers some interesting stories, but I do not hold him in high
regard.

[1] [https://www.itwire.com/security/krebs-accused-of-doxxing-man-based-on-single-source-in-twitter-scam-yarn.html](https://www.itwire.com/security/krebs-accused-of-doxxing-man-based-on-single-source-in-twitter-scam-yarn.html)
[2] [https://www.itwire.com/security/infosec-researchers-slam-ex-wapo-man-krebs-over-doxxing.html](https://www.itwire.com/security/infosec-researchers-slam-ex-wapo-man-krebs-over-doxxing.html)

~~~
markdown
> Just because someone has been charged (not convicted) doesn't mean anyone is
> justified in doxing them.

Maybe, maybe not. Personally, when I see wrongdoing, I like to expose it.

He did it under his own name on his own blog, taking on significant personal
liability in doing so. This is not at all the same as an anonymous person
doxxing someone.

~~~
ziddoap
>Personally, when I see wrongdoing, I like to expose it.

If you have irrefutable proof, you should be going to the appropriate LEA. If
you don't have that proof, you should not be posting someone's home address to
the masses to do with as they please and masquerading it as irrefutable proof.

We have all heard horror stories of innocent people being mistaken for
criminals (sharing a common name, case of mistaken identity, malice or
negligence of the person doing the doxxing, etc.) and having their lives
threatened or ruined due to overzealous internet-warriors playing vigilante.
Recall the 'Boston Bomber' + Reddit/4chan debacle? Innocent people being
doxxed left and right to a vengeance hungry crowd. Not to mention that other
innocent people who happen to live at the same address are subject to the
punishment you unilaterally decided to hand out.

If you think that is an acceptable risk in the name of your personal sense of
justice, I doubt we'll ever see eye to eye on the matter.

>This is not at all the same as an anonymous person doxxing someone

If Krebs doxxed you or I doxxed you, the result for you is the same. I fail to
see your point here.

~~~
markdown
> We have all heard horror stories of innocent people being mistaken for
> criminals

Sure. All the horror stories involve doxxing by anons. This is not the same at
all.

> If Krebs doxxed you or I doxxed you, the result for you is the same. I fail
> to see your point here.

Well if he was wrong to doxx me, I'd be able to sue him into oblivion. If you
doxxed me, there'd be no repercussions for you. That personal liability pretty
much ensures that Krebs isn't going to doxx me unless he's absolutely certain
that he's right.

------
motohagiography
I've helped on duedil with some finance friends as a favour and the main
hustle seems to be some guy with a dodgy background laundered through a couple
countries, persuading people he can deliver on a transaction of some large
size, which is the anchor, so when he walks away with "small," "administrative
fees," it's framed as a minor rounding error on the transaction size that was
just a part of the risk "everyone" was taking, and not just a ~$100,000 scam.

[edit: removed a snooty anecdote]

------
vizzah
Why is the post called "money can't buy" due diligence, when it goes on to
illustrate how it was collected with a paid subscription to domaintools.com?
Hm..

~~~
HelloNurse
The title is confusing but not incorrect, since the article is about do-it-
yourself due diligence (which could require spending money) vs. buying lies
from the wrong people.

------
WrtCdEvrydy
If the deal seems too good to be true, it probably is.

