head of state, athlete, billionaire, or drug lord

the journal of Michael Werneburg

twenty-seven years and one million words

Toronto, 2016.04.04

A headhunter once put it as simply as he could: "What's your career trajectory, CEO, COO, or CFO?" I recoiled at the thought at the time, though I now know the answer and I'd have to put "missed" or "failed" in there somewhere. ;)

But now it seems that the real options to strive for should have been: head of state, athlete, billionaire, or drug lord. I find it hard to believe that there are still activist hackers, given the futility of the fight and the insane risks, but from time to time they do seem to deliver. Maybe. You'd think that a "law" firm like the one in the news this week would spend some fraction of its clandestine earnings on making a breach of this magnitude economically unfeasible.

If I may make a suggestion to the other money-laundering outfits out there:

a. Walk through your key business flows, and flag each step in the process for potential flaws and technical vulnerabilities. Build in redundant controls until each flow fails only on the side of caution. Revisit every year.

b. Understand what data you have, on whom, and understand the degree to which each is a target. Take everything you're not planning on using in the immediate time frame offline, encrypt it, and put it in a physically secure location. Don't pretend that these clients don't have enemies. Be prepared.

c. Read things like the classic APT1 report. Realize that if you don't respect these people's abilities, or aren't prepared to deal with this level of sophistication, you're too stupid or arrogant to be in the business.

d. Realize that you're effectively a criminal organization. Trust no one within your organization; you're staffed (perhaps completely) with amoral opportunists who probably despise you. They can be bribed, and will work with the authorities. Redouble your efforts to keep your secrets out of their hands.

That's all that comes to mind.

I'm not so certain, in light of many of the state-sponsored breaches that have happened of late, that Mossack Fonseca was actually an activist hack. I think it's more like it was done at the behest of the US, given the list of characters that were embarrassed.
