Due Diligence That Money Can’t Buy (krebsonsecurity.com)
79 points by feross 3 days ago | 29 comments

I don't like Krebs one bit but this actually matches my own experience. The most dangerous people for investors are the ones that are totally convinced that their utterly impossible idea is going to work. All they need is just a little bit more money and they'll turn the corner. Remember all those other investments that at first seemed not to pan out and eventually did? This is one of those!

Except of course it never is.

Let's see: over-unity energy generation, the infinite compression algorithm, beamed energy using audio, batteries that can charge in a second, the flying car and so on. All of these would be great things to have if not for those pesky laws of physics. And they are total investor bait; investors can't help but share the dream, they too would use this product if only it existed, therefore the market must be huge.

Typically the entrepreneur(s) are well meaning but clueless and that is what makes them all the more dangerous: they totally believe that their idea is possible and anybody saying otherwise is just out to get them.

I've written about this phenomenon here:


I did a quick search on "infinite compression" and was somewhat taken aback at the results - I particularly like the one where the approach is described in a rather vague way but then there is an offer:

"I’m a little busy these days. Do any of you have time to put this lossless, infinite compression algorithm, together? If you get it to work, I’ll split the royalties with you."

I can't work out if it is a joke or not....

Well, here is how it works (takes off thinking cap):

You don't go all the way in one go, the algorithm just does 1% compression each time so it leaves something for the next rounds. You then keep on doing that until you reach the desired size. It's not super fast but first let's get it to work. I already have a patent!

There is just this one minor technical problem that I still need to overcome, but once that's done the sky is the limit.

"one minor technical problem that I still need to overcome"

Presumably that would be decompression? ;-)

No, for some reason after 30 rounds or so of running it, depending on the data that I feed it, it will stop compressing. It's lossless after all, and after that the filesize slowly increases. Must be a bug somewhere. It decompresses just fine. How hard can it be? /s.
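The behaviour joked about here (the first rounds shrink the file, then every further round only makes it larger) can be reproduced with a real lossless compressor. The following is an added example and is not code from this thread or from any project mentioned in it; it uses Python's standard `zlib` module, a constructed highly repetitive sample string, and a block of seeded pseudo-random bytes to show the expansion that no lossless scheme can avoid:

```python
import random
import zlib


def iterated_compress(data: bytes, rounds: int) -> list[int]:
    """Feed zlib its own output `rounds` times and record the size after each round.

    sizes[0] is the original length, sizes[k] the length after k rounds.
    """
    sizes = [len(data)]
    current = data
    for _ in range(rounds):
        current = zlib.compress(current, 9)
        sizes.append(len(current))
    return sizes


def iterated_roundtrip(data: bytes, rounds: int) -> bool:
    """Compress `rounds` times, then decompress `rounds` times; True if we get `data` back."""
    current = data
    for _ in range(rounds):
        current = zlib.compress(current, 9)
    for _ in range(rounds):
        current = zlib.decompress(current)
    return current == data


def best_round(sizes: list[int]) -> tuple[int, int]:
    """Return (round_index, size) of the smallest output in a size history.

    Once the data has become statistically random, each extra round only adds
    zlib's own framing (2-byte header, stored-block headers, 4-byte Adler-32 trailer).
    """
    smallest = min(sizes)
    return sizes.index(smallest), smallest


def random_data_expands(n: int = 1000, seed: int = 7) -> tuple[int, int]:
    """Compress n bytes of seeded pseudo-random data; return (input_size, output_size).

    The output is always larger: deflate falls back to 'stored' blocks, so the
    framing overhead is pure growth.
    """
    rng = random.Random(seed)
    blob = bytes(rng.getrandbits(8) for _ in range(n))  # constructed incompressible input
    return n, len(zlib.compress(blob, 9))


# Constructed sample input: a repeated sentence, so the first round shrinks it dramatically.
SAMPLE = b"all they need is just a little bit more money and they'll turn the corner. " * 400

if __name__ == "__main__":
    history = iterated_compress(SAMPLE, 30)
    k, smallest = best_round(history)
    print(f"original: {history[0]} bytes, best after round {k}: {smallest} bytes, "
          f"after 30 rounds: {history[-1]} bytes")
    print("30-round round trip intact:", iterated_roundtrip(SAMPLE, 30))
    print("random input -> output sizes:", random_data_expands())
```

The round trip still works after thirty rounds, so the "bug" is not in decompression; the growth is the pigeonhole principle at work. There are 2^n bit strings of length n but only 2^n - 1 shorter ones, so any lossless mapping that shrinks some inputs must expand others, and a compressor's own output is about as close to incompressible as data gets.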

I had rather hoped you could repeat the process indefinitely, maybe to get down to one byte or even one bit. Only requiring one bit of storage would help a lot in lots of situations - not to mention the potential for increasing network throughput!

I implemented it once as well, all the way down to single-bit storage.

Turned out to be a huge security nightmare though, because it kept decompressing into other people’s files!

Another problem was telling the compressed bits apart.

Why did you stop at 1 bit?

Otherwise investors might get suspicious that something was up.

On another note, I have this protocol that can transfer any file in just 64 bits. It needs a rather large dictionary on both sides but other than that it 'just works'. Interested?

Nah, I got another guy who can do it in 56 bits.

I know, but first let's fix this one bug. With a potential approaching infinite dollars, any kind of valuation for this algorithm would be fair, so how about it?

One of the very first tech DDs I ever did was a totally rigged demo. I don't think I ever wrote about it. Those people must have really hated me for puncturing their balloon. Some other investors took the bait and lost tons of money.

Why even bother with this when you store infinite data in pi[0]?

[0] https://github.com/philipl/pifs

You can really do that, sort of, for example:


The problem, of course, is that you have to decompress the file a large number of times. (The length of that number looks suspiciously similar to the length of the original file.)

Hehe, that one is actually really funny and neat.

My infinite compression algorithm totally works. It's just a little slow.

    def compress(input, threshold):
        # Start from the trivial decompressor and keep drawing random programs until one
        # is both small enough and reproduces the input exactly. code_size() and
        # randomize_code() are not defined here; the joke is that the search is unbounded.
        decompressor = lambda: 0
        while code_size(decompressor) > threshold or input != decompressor():
            decompressor = randomize_code()
        return decompressor

Same scam, different (and bigger) method.

I see this regularly on my e-commerce businesses: some company says they want to purchase $XX,XXX of our products, they have a shipping company they want to use that will pick up from our warehouse, they ask us to get a quote from this company and then bill the original purchaser for the full amount.

Of course, the shipping company wants the payment first, and then the purchaser will disappear.

Never fallen for it. Seen it a thousand times. Had to train my support agents to recognize it so they don't even bother bringing them my way.

There is a slightly more complex version of this scam, where they actually wire transfer payment for the shipment from a sham account. The money actually appears in your account, and many people believe that the transfer is irreversible, but international wires often 'appear' about 2 weeks before they clear.

Is this the same Krebs that erroneously publicly accused someone of the recent Twitter hack, publishing their name and place of residence?

Edit: Yes, looks like it is.



I'm not familiar with any of this, but just read those links and they don't back up your claim.

The person he accuses in the first post (Chaewon) is one of the three charged.

Just because someone has been charged (not convicted) doesn't mean anyone is justified in doxing them. Slightly more comprehensive reads of two incidents of Krebs doxing can be found at [1,2].

>In March 2018, he came under fire from users of a German image board pr0gramm.com after he revealed details about several admins and moderators in an article which claimed to identify who was behind the cryptocurrency mining service Coinhive.

>In April last year, Krebs was again slammed by security researchers after he doxxed two of them on Twitter, apparently because he disagreed with them about the operations of Spamhaus.

Krebs certainly covers some interesting stories, but I do not hold him in high regard.

[1] https://www.itwire.com/security/krebs-accused-of-doxxing-man... [2] https://www.itwire.com/security/infosec-researchers-slam-ex-...

> Just because someone has been charged (not convicted) doesn't mean anyone is justified in doxing them.

Maybe, maybe not. Personally, when I see wrongdoing, I like to expose it.

He did it under his own name on his own blog, taking on significant personal liability in doing so. This is not at all the same as an anonymous person doxxing someone.

>Personally, when I see wrongdoing, I like to expose it.

If you have irrefutable proof, you should be going to the appropriate LEA. If you don't have that proof, you should not be posting someone's home address to the masses to do with as they please and masquerading it as irrefutable proof.

We have all heard horror stories of innocent people being mistaken for criminals (sharing a common name, case of mistaken identity, malice or negligence of the person doing the doxxing, etc.) and having their lives threatened or ruined due to overzealous internet-warriors playing vigilante. Recall the 'Boston Bomber' + Reddit/4chan debacle? Innocent people being doxxed left and right to a vengeance-hungry crowd. Not to mention that other innocent people who happen to live at the same address are subject to the punishment you unilaterally decided to hand out.

If you think that is an acceptable risk in the name of your personal sense of justice, I doubt we'll ever see eye to eye on the matter.

>This is not at all the same as an anonymous person doxxing someone

If Krebs doxxed you or I doxxed you, the result for you is the same. I fail to see your point here.

> We have all heard horror stories of innocent people being mistaken for criminals

Sure. All the horror stories involve doxxing by anons. This is not the same at all.

> If Krebs doxxed you or I doxxed you, the result for you is the same. I fail to see your point here.

Well if he was wrong to doxx me, I'd be able to sue him into oblivion. If you doxxed me, there'd be no repercussions for you. That personal liability pretty much ensures that Krebs isn't going to doxx me unless he's absolutely certain that he's right.

Yeah... Krebs isn’t a particularly reliable source.

He's a bit on the sensationalist side but he's usually reliable enough.

I've helped on due dil with some finance friends as a favour, and the main hustle seems to be some guy with a dodgy background laundered through a couple of countries, persuading people he can deliver on a transaction of some large size, which is the anchor, so when he walks away with "small" "administrative fees," it's framed as a minor rounding error on the transaction size that was just a part of the risk "everyone" was taking, and not just a ~$100,000 scam.

[edit: removed a snooty anecdote]

Why is the post called "money can't buy" due diligence, when it goes on to illustrate how it was collected with a paid subscription to domaintools.com? Hm..

The title is confusing but not incorrect, since the article is about do-it-yourself due diligence (which could require spending money) vs. buying lies from the wrong people.

If the deal seems too good to be true, it probably is.
