Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


December 17, 2008

Brazilian Logging Firms Hire Hackers to Modify Logging Limits

Interesting:

Some Brazilian states used a computerised allocation system to levy how much timber can be logged in each area. However, logging firms attempted to subvert these controls by hiring hackers to break systems and increase the companies' allocations.

Greenpeace reckons these types of computer swindles were responsible for the excess export of 1.7 million cubic metres of timber (or enough for 780 Olympic-sized swimming pools, as the group helpfully points out) before police broke up the scam last year. Brazilian authorities are suing logging firms for 2 billion reais (US$833m).

Posted on December 17, 2008 at 11:52 AM | 18 Comments


Comments

I think you wanted this story:

http://www.theregister.co.uk/2008/12/12/...

Posted by: Petréa Mitchell at December 17, 2008 12:09 PM


@Article: "Federal authorities are due to release more details of the prosecution of 107 logging and charcoal firms later on Friday, Greenpeace reports. A total of 202 people are facing prosecution in the case, it adds."

I could believe the scam, but I'm boggled that 107 firms and 202 individuals were allegedly involved. Trying to involve 1 other party is dangerous at best, let alone over 100.

Posted by: HJohn at December 17, 2008 12:33 PM


Wow. That brings the importance of log management to a whole new level.

Posted by: Davi Ottenheimer at December 17, 2008 12:48 PM


@Davi Ottenheimer: "Wow. That brings the importance of log management to a whole new level."

I bet they had poor security at multiple tiers. There are so many layers where this could have/should have been prevented and detected.

Posted by: Anonymous at December 17, 2008 12:57 PM


That's weird. I've never even *heard* of an Olympic sized swimming pool made of Brazilian hardwood. Seems fairly impractical on the face of it. But I bet it'd be pretty expensive...

(note: This *is* sarcasm. I know what they meant.)

Posted by: Lazlo at December 17, 2008 12:58 PM


@ Anonymous

*log* management. get it? logs. ha ha

Posted by: Davi Ottenheimer at December 17, 2008 1:01 PM


"Wow. That brings the importance of log management to a whole new level."

Once the loggers' logs have been chopped apart by the hackers, there's really no way to tell whether the loggers have logged all the logs.

Posted by: Adrian Lopez at December 17, 2008 1:13 PM


@ Davi:

LOL. My mistake. "Log" Duh, I need more coffee.

It does beg the question: How much log could a logger log if a logger could log logs?

Posted by: HJohn at December 17, 2008 1:21 PM


# chflags sappnd /usr/rainforest/*

Posted by: Chris at December 17, 2008 2:47 PM


Then there's substantial illegal logging: http://www.newyorker.com/reporting/2008/10/06/...

Posted by: Griskupar at December 17, 2008 3:11 PM


You realize this is a modern version of something entirely traditional, right? If you read the accounts of the timber industry that deforested the Great Lakes area of the USA in the 19th century, the historians note that 90% of the timber was illegally logged. The timber companies would acquire logging rights for one small plot, and use it as a staging area to cut everything within range.

Brazil also has the giant fires; you can see them on the satellite pictures. It's like the firestorm at Peshtigo down there.

Posted by: elizilla at December 17, 2008 5:00 PM


I am a little suspicious about the numbers. While I definitely believe it is possible the logging companies are involved in such an act, I also tend to disbelieve specific numbers attributed by a politically opposed organization. It works in Greenpeace's favor to overestimate the initial values that are likely to swarm through media reports before dying down and the actual numbers come out (which most likely will never get reported).

Posted by: Jeremy at December 17, 2008 6:53 PM


@Jeremy
> I am a little suspicious about the numbers

I generally would be too, but how can you distrust anybody who measures timber in units of Olympic-sized swimming pools?

Posted by: Tangerine Blue at December 17, 2008 7:01 PM


You might want to offer your services in improving the security of these systems and teaching their programmers some security principles.

Posted by: foo at December 17, 2008 8:51 PM


Apparently, hacking the system was cheaper than bribing government officials. The interesting question is whether the price of the former went down, or the price of the latter went up.

Posted by: wsinda at December 18, 2008 2:41 AM


@Jeremy: I'd tend to agree that numbers should be treated with suspicion. However, on the other hand, having had some experience with Brazilian methods of commerce, I'm pretty sure it will have come as a huge surprise to all involved that their little scam was found out. When business people cite "official corruption" as a competitive advantage, you know something's not right.

Also, I doubt very much that any hacking was involved, unless it was of the open wireless and network share kind. More likely someone with access to the spreadsheet was bribed.

Posted by: Calum at December 18, 2008 3:36 AM


@Calum: RTFA

Posted by: Anonymous at December 18, 2008 7:04 AM


Errm, I did. What I am saying is that I don't believe the fine article. Hackers are a much more interesting bogeyman for Greenpeace than some dude who accepted baksheesh in exchange for altering a few figures.

Posted by: Calum at December 19, 2008 6:49 AM



Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 