Attacks on Managed Service Providers Expected to Increase

CISA, NSA, FBI, and similar organizations in the other Five Eyes countries are warning that attacks on MSPs—as a vector to their customers—are likely to increase. No details about what this prediction is based on. Makes sense, though. The SolarWinds attack was incredibly successful for the Russian SVR, and a blueprint for future attacks.

News articles.

Posted on May 17, 2022 at 6:10 AM • 27 Comments


John May 17, 2022 7:25 AM


Networked computers are not reliable.

This is said to be a surprise??!!


Clive Robinson May 17, 2022 8:36 AM

@ Bruce, ALL,

No details about what this prediction is based on. Makes sense, though.

I would expect attacks to in effect be guided by two basic premises,

1, Where the value is.
2, Which are the lowest hanging fruit as far as access is concerned.

One of the things I’ve continuously warned against is “XXX as a Service” systems be XXX fundamentally,

1, Communications
2, Storage
3, Processing

Whilst the second “storage” is fairly obvious and the third “processing” likewise, the first of “communications” is harder to see immediately.

To understand why sometimes you have to think “one or more steps removed”.

As a general rule there are two basic types of communications,

1, Routine
2, Exceptional

Each communication has four basic aspects: qualitative/quantitative, temporal, geographical, organisational. These break out to,

1, The message content
2, The message size
3, The time the message is sent
4, The time the message is received
5, Where the message originated
6, Where the message terminated
7, Who/what sent the message
8, Who/what received the message

Some of these are “obvious” in all communications, some are not. For instance the geo-location of a radio transmitter is often not that hard to estimate from its “ground wave bearings”. However unless very very close the location of a radio receiver is very difficult bordering on improbable[1].

Primarily “digital communications” is not by “radio broadcast” but by “point to point” circuit or packet switched “trunked” systems. Thus the originating and destination points with some care[2] can be estimated, but not strictly determined.

Similar can be said about the apparent geo-location and the Who/What.

All you really know is the “time” you see the communication and its apparent size.

Even though these too can be faked in various ways, if they can be determined as “exceptional” rather than “routine” communications then the fact they have been sent may actually be more important than the message contents communicated. This falls into the area of “traffic analysis”. Some networks such as encrypted padded “token rings” are way better at hiding such information than other types of network. Worst of all is probably packet switched CSMA systems on which ethernet was founded.

So whilst the SigInt agencies were at one time happy to hide out of sight on what to the users appeared the “edges” unseen, people are wising up to communications weaknesses and taking preventative steps (such as “networks on networks”).

So the SigInt agencies like the other crooks have to go where the value is but the users can not or can not easily see.

On modern data center systems it is very very rare for users, even service administrators, to actually have “real access” at a level that enables them to determine if their activities or their data is being accessed by others…

So this makes the “hardware root” of such data center servers the new “hidden nodes”, only this time in effect one or two steps closer to the user activities and data than monitoring just communications did.

There are a couple of other reasons you can throw in the pot for seasoning, but the above are the main meat and veg of the meal you become when you use XaaS or Cloud systems.

[1] Historically there are two basic ways to locate or “find” a radio receiver,

1.1, Capture/resonance of antenna.
1.2, Detection of local oscillator.

As you get very close you can “fix” its position by several other means such as being able to see it, hear it, sense its radiated heat or energy drain patterns. Whichever is used, once a “fix” is obtained it is a matter of going in for the “Finish”, whatever that might be (hence “Find, Fix, Finish”).

[2] One of the problems with all trunked systems is that they are “networks”. This implies “edges and nodes” which can be very problematical. Whilst you can see traffic going into and coming out of an edge, it’s wise not to fall into two mistakes,

2.1 Assume an edge has no unseen node
2.2 Assume a node does not duplicate or redirect a packet or circuit.

This means that unless you monitor all nodes and all their connecting edges you can not say where traffic originated from or the real termination point. Think about this in terms of an intelligent “Vampire Tap”.
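As an added example (not from the thread above), the point that only time, size and endpoints survive encryption can be shown on constructed flow records: a per-pair baseline of routine traffic, a classifier that flags exceptional flows from metadata alone, and fixed-size padding as the mitigation mentioned above, which closes the size channel but leaves the timing and endpoint channels open. Addresses (RFC 5737 test ranges), hours and the 3-sigma threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from statistics import mean, pstdev

# Constructed flow records: what an on-path observer sees of an encrypted
# link. No content, only the envelope: time, endpoints and size.
@dataclass(frozen=True)
class Flow:
    ts: int    # seconds since midnight
    src: str   # originating address (constructed, RFC 5737 test ranges)
    dst: str   # terminating address
    size: int  # bytes on the wire

def hour_of(ts: int) -> int:
    return ts // 3600

def build_baseline(flows):
    """Per (src, dst) pair: the hours it is normally active and its size profile."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst)].append(f)
    baseline = {}
    for pair, fs in groups.items():
        sizes = [f.size for f in fs]
        baseline[pair] = {
            "hours": {hour_of(f.ts) for f in fs},
            "mean": mean(sizes),
            "sd": pstdev(sizes),
        }
    return baseline

def classify(flow, baseline, z=3.0):
    """Return ('routine', '') or ('exceptional', reason) using only metadata."""
    prof = baseline.get((flow.src, flow.dst))
    if prof is None:
        return "exceptional", "new endpoint pair"
    if hour_of(flow.ts) not in prof["hours"]:
        return "exceptional", "outside routine hours"
    sd = prof["sd"] or 1.0          # a flat baseline still flags any change
    if abs(flow.size - prof["mean"]) / sd > z:
        return "exceptional", "size deviates from routine"
    return "routine", ""

def audit(observed, baseline, z=3.0):
    """Classify every observed flow; returns [(flow, verdict, reason), ...]."""
    return [(f, *classify(f, baseline, z)) for f in observed]

def pad_fixed(flow, cell=262144):
    """Mitigation: pad every message to one fixed size so size carries nothing."""
    assert flow.size <= cell, "oversize message would need splitting into cells"
    return replace(flow, size=cell)

# Constructed routine traffic: one management session per hour, 09:00-17:00.
ROUTINE = [
    Flow(ts=h * 3600 + 300, src="192.0.2.10", dst="198.51.100.7", size=s)
    for h, s in zip(range(9, 18),
                    [1500, 1420, 1580, 1490, 1510, 1470, 1530, 1450, 1550])
]

# Constructed observations for the next day.
OBSERVED = [
    Flow(ts=11 * 3600 + 120, src="192.0.2.10", dst="198.51.100.7", size=1505),
    Flow(ts=3 * 3600,        src="192.0.2.10", dst="198.51.100.7", size=1480),
    Flow(ts=14 * 3600,       src="192.0.2.10", dst="198.51.100.7", size=250000),
    Flow(ts=10 * 3600,       src="192.0.2.10", dst="203.0.113.9",  size=1500),
]

if __name__ == "__main__":
    base = build_baseline(ROUTINE)
    for f, verdict, why in audit(OBSERVED, base):
        print(f"{f.ts // 3600:02d}:00 {f.src}->{f.dst} {f.size:>7}B {verdict} {why}")
    # With fixed-size padding the size channel closes, but the timing and
    # endpoint channels stay open.
    padded = audit([pad_fixed(f) for f in OBSERVED],
                   build_baseline([pad_fixed(f) for f in ROUTINE]))
    print([v for _, v, _ in padded])
```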

Ted May 17, 2022 9:18 AM

It’s interesting that the advisory urges MSP customers to make sure certain safeguards are in their contracts.

Some of these include MSP monitoring and logging, enforcing MFA, running incident response and recovery plans, and so on.

I wonder if a customer would use an auditor to verify these controls. I’m also curious whose security posture is typically more up to snuff – the customer’s or the MSP’s?

What would common MSPs be?

Clive Robinson May 17, 2022 2:39 PM

@ Ted, ALL,

I wonder if a customer would use an auditor to verify these controls. I’m also curious whose security posture is typically more up to snuff – the customer’s or the MSP’s?

Those are almost irrelevant questions.

The first question is about who has the power in the relationship… In England we have a question,

“Which end of the 5h1ty stick are you? Because liquid 5h1t flows down hill…”

Even if you are the CIA or other part of the US Government, if they are “the customer” then they will not have the power. The service provider will either not offer liability above a minimum, and they will also probably have contractual clauses that require “the customer” to take on risk, either directly or to externalise it through insurance etc.

Even when the Government is putting to contract, they will get considerably less than they pay for. The prime contractor will take 50% of the top, and take maybe 1% of the risk and sub contract the rest of it out. In turn the sub-contractors will take a big slice of the money and sub-contract out the risk. This is standard practice, and provided there are sufficient sub-contractors, eventually the work will end up with some assetless organisation run by two geeks and a dog, with an insurance policy that does not actually cover what they think it does so if anything goes wrong there is no payout any way.

But it can get worse, a lot lot worse. Look up Lloyds of London and the “LMX Spiral”. Put simply there were way too few underwriters prepared to take risk, so they used the re-insurance market. The result was they sold the risk round and around amongst a tiny number of “new name” syndicates. So when it went wrong there was not any diversification of coverage just a huge spiral of legal contracts with each one being fought every which way in court that went on for years[1].

But… as a judge in a civil case made fairly clear there is a principle of English law,

“That one cannot conclude a valid contract with oneself.”

So there was a very distinct probability that the whole reinsurance system at Lloyd’s where risk had been deliberately and knowingly sold around was probably legally flawed if not outright fraud.

As I understand it there is no similar principle in the US preventing such “spirals” being “engineered”…

But obviously such companies involved with such spirals would not want such information getting out. Therefore it is likely that,

“I wonder if a customer would use an auditor to verify these controls.”

Would be robustly rebuffed in some manner.

As for whose security posture would be better, I doubt very much that any MSP would be even remotely close to “top drawer” as their basic business model would preclude it.

But then similar considerations would apply to the contract issuer or customer of such MSPs, so I doubt they would be up to much either.

To see why consider the following,

1, We know there are more undiscovered instances of vulnerabilities than we currently know how to fix.
2, The MSP base model is about “access”.
3, If you can get access from outside from a public network then so can anyone else.
4, Many vulnerabilities allow bypassing of authentication mechanisms.

Therefore the likes of MFA are a bit pointless when a vulnerability simply walks an unauthorised attacker around it.

If you value your data or the information about What/When/Who was accessed then you need to ensure “No External Access” at any time in any way, from either public or even private external networks.

So the MSP model is deficient and more likely to fail than not.

[1] The few “new-names” involved had every single asset that could be taken from them taken… Some killed themselves, others became bankrupt. The most Evil Woman alive, “Mary Weeden”, the Wife of then Tory Party Chairman and author Lord Archer[2]; it was she that was responsible for those duped new-names. I was very nearly one of those names, but I got suspicious when they would not open up on the underwriting book about “asbestos debt” a Lloyds underwriter I had been in the military with warned me about. On asking I felt a couple of people were behaving oddly, effectively furtively, so chose instead not to sign on the dotted line, about a year beforehand…

[2] Lord Archer, son of a fraudster, and lifelong “con artist” at best. Some in UK Politics saw through him, and gave warnings but others ignored them. The marriage like that of many Tory Party Wives was almost certainly not for love but status and power.

vas pup May 17, 2022 3:25 PM

New app to help spot online spies

“Designed with the help of behavioral scientists, the app prompts users with a series of questions to help assess if someone who has approached them might be fake.

This includes being on the look-out for flattery or offers which appear too good to be true.

According to the app’s website, users will even be able to earn “trophies and certificates which can be shared with their security team”.

The app also includes an inbuilt reverse image search to spot pictures which may be re-used from other sites, since this is often a hallmark of fake identities.”

Ted May 17, 2022 3:37 PM


The first question is about who has the power in the relationship…

Honestly, if I was a MSP customer, I would want to audit a MSP’s security claims. To your points, though, you’d want to thoroughly map out your legal and financial risks.

Did you see Bruce’s post that mentioned Kaseya? As you recall, Kaseya was a MSP who was attacked by REvil. That attack enabled attacks on 1,500 of Kaseya’s customers. According to Bruce:

Employees warned Kaseya’s management for years about critical security flaws, but they were ignored.

I haven’t read very thoroughly on that event. So I don’t know if an audit, or a deeper discussion, would have impeded down stream attacks. I’d like to have an insider’s peek at lessons learned.

SpaceLifeForm May 17, 2022 5:37 PM

@ Ted

Thanks for paying attention.

Note the conspiracy to commit money laundering charge. He will flip if it has not already occurred by now.



JonKnowsNothing May 17, 2022 6:40 PM

@Ted, @Clive, @ALL

re: Hire an Experto

There are a lot of variations on what constitutes an “audit” and in the proposed situation it boils down to “hire an expert to verify”.

While this is a circular roundabout arrangement it presumes that there is someone who does have the ability to verify AND that those someones are available to do the work AND that the fees for doing so are within the budget.

If you are on the top of the pyramid financially, and as Clive pointed out have control of the processes rather than being just shown a closet full of blinking LEDs with a tour guide muttering “security infrastructure”, you might be able to hire some big guns in the field to do the once overs.

At the bottom of the pyramid, lies the targeted companies who are going to get ripped once the security blockade is breached. These folks may have some funds but often they don’t have funds to allocate to a deep inspection and have to rely on what folks at the top of pile have done, or rather, if the top dog is still doing business and there are other dogs in the kennel in that environment, then they figure it’s safe to presume that the kibble-ration is AOK enough to follow-on the leash.

As pretty much every topic, every week here, is chock-a-block with what The Experts Found or Didn’t Find in retrospect, the average schmoe doesn’t stand a chance at discovering anything in time to stick a finger in the dike.

You can talk to Elon Musk about how this is working for him…

You can also look up “Autonomy Corporation § Hewlett-Packard” to see how well that audit went.

Due Diligence is fine and recommended. Relying on an Audit to save your Company isn’t. Relying on an Audit in a Technically Difficult Field isn’t going to provide any enlightenment in the near term for a minimal investment.

Clive Robinson May 17, 2022 7:06 PM

@ Ted,

Re : Bruce’s comment of,

“Employees warned Kaseya’s management for years about critical security flaws, but they were ignored.”

It kind of makes my point of,

“Would be robustly rebuffed in some manner.”

Few not in the game realise that sub-contracting is about two things,

1, Avoiding all liability.
2, Making as much money for as little work as possible.

So as I said,

“The prime contractor will take 50% off of the top, and take maybe 1% of the risk and sub contract the rest of it out.”

It was this mentality in management, by Booz Allen Hamilton, that allowed Ed Snowden to do what he did. And guess what a consulting industry thought was the primary concern at the time,

“We think Snowden type events should be wake-up calls for any organization to make sure that you have a crisis plan”

Yup, did BAH “have a crisis plan”?

Let me tell you about “Crisis Plans” they are “reactive” not “proactive” not just in action but actual planning as well.

The reason is as I’ve said before, when it comes to attack “instances” and the “classes” they fall into,

“There are ‘Known Knowns’, ‘Unknown Knowns’, and ‘Unknown Unknowns'”

Whilst you can plan for ‘Known instances in Known Classes’ of attack, and sometimes ‘Unknown Instances in Known Classes’ of attack, you can not plan for ‘Unknown Classes’ of attack and all too frequently ‘Unknown Instances in Known Classes’ of attack.

And to be honest any “Crisis Plan” written just around ‘Known Instances’ is going to be too large and unwieldy to prepare or use.

The usual analogy I use is “evacuation plans”… Imagine you have a team, they brainstorm up a hundred or so instances of emergency events ranging from “fire” to “meteor strike” and they write an individual “evacuation plan” for each… of what use would they be?

The obvious and correct answer is none to not a lot. What you actually do is look at the individual instances and group them by commonality into classes. You then try to find ways to pull classes together into super-set classes by altering your responses so you have increased commonality. Hopefully you get the hundreds of instances down to just one or two evacuation plans that people can learn.

The problem is that whilst “evacuation plan” instances usually have a very great deal in common so are amenable to collection into classes that can then have common responses, because of the very limited nature of instance types, the same is not true when “Human Agency” is involved.

Human agency “plans around plans” as a basic criterion of success…

Thus you end up with two basic Crisis Plans,

1, For “acts” by nature / god
2, For “Human agency” by insiders

With a third overlapping in the middle for events by the likes of terrorists and criminals,

3, For “Human agency” by outsiders

All have a basic preset set of banal Public Relations comments and a list of people to call into “Crisis Management Teams” with the typical Who / Where / When and with What lists. Because the reality is there is little else you can do, especially if the event has “human agency” behind it.

OK people will try to “slap lipstick on the pig” but at the end of the day that is just to justify the long meetings and nice ring binders…

Do I sound cynical? Probably, but I’ve been through too many “crisis planning” sessions to be anything but…

The reality of Ed Snowden is,

1, People are needed to perform tasks.
2, People can not be trusted.

And the lesson from that is exactly the same as it was before…

As I said back near on a decade ago,

“You are not a murderer, until you are”.

It’s the same with trust,

“You are not untrustworthy, until you are”.

The When and the Why of somebody flipping / switching for the first time from trusted to untrustworthy is not actually known; even though some talk of “MICE” there are others, and most are not very pre-meditated, hence them getting caught.

Ted May 17, 2022 8:06 PM


Re: Kaseya attacker

Wow. Yaroslav Vasinskyi. 22 yo and facing 115 years. He should flip. At least by 25 when his brain fully matures.

I personally cannot argue with this science. Hopefully he will be in a better place.

Ted May 17, 2022 10:02 PM

@JonKnowsNothing, Clive, All

There are a lot of variations on what constitutes and “audit”

Yes, true. If your company was choosing a MSP to work with, it probably wouldn’t hurt to ask if they participate in any assessment programs.

I see CCCS[1] has guidance for consumers of managed services. In it they list various assessment standards and frameworks, including:

  • ISO 27001/2
  • NIST – Risk Management Framework

Not that these would take the place of contract language. However, if a rigorous audit of the contract was infeasible maybe these could further support risk mitigation.

[1] Canadian Centre for Cyber Security

JonKnowsNothing May 17, 2022 10:42 PM

@Ted @All

re: probably wouldn’t hurt to ask if they participate in any assessment programs

Due diligence is always a good idea but as far as the scope of the topic consider

1) The company states in their brochures that they participate in N-Programs

2) The company states in face to face meetings they participate in N-Programs

3) You ask to see their certificates of completion or whatever these N-Program supply in way of documentation and you get shown some papers that say that.

4) You even dig deep and hire a Hot-Up-and-Comer-Ted to do the review. Ted reviews the program specs and the documentation and maybe even gets a peek at some sample code which looks very clean.

Is any of the above going to really help you? There is no way in 1-10 days or 30-150 days that you can audit for 50+% compliance on all aspects of all those specifications. Nor can you guarantee that once you “move along” to the next section that the one you just completed didn’t change for the worse.

This is the round robin of audit and compliance. Even deep pockets like HP got a botched audit, although there were enough sirens blaring that you could hear the warning all over Silicon Valley, only to be ignored by the CEO of HP at the time because they wanted something for their own internal reasons and the public reasons, and the public warnings were tossed away in the drive to Get The Deal. It’s not the first nor the last time this will happen, and it didn’t hurt the CEO’s career much; last I read they were doing very well all the same.

One of the issues is that people “think” an “audit” means “something” it doesn’t and there is no way an audit can do what they think it does.

It’s like looking at a barn wall. Is it painted red? Is it painted red on the other side of the wall? There is no direct way to know unless you go look, so you walk around and sure enough that wall is painted red. Are you done? No. Because you walked away from the first side, you no longer know if that side remained painted red or if someone smeared a big graffiti tag right in the middle of it.

Of course that is a trivial example, but to get a better sense of the limitations, read some Annual Reports and concentrate on the CPA’s Scope and Limitations statement. Every CPA and CPA firm in the USA has a boilerplate for the 3 or so different types of audits they perform.

Once you really understand what it says and what it doesn’t, you will have achieved a level of clarity about Annual & Quarterly Statements as provided to the SEC. A lot of gloss – on the paper.

Ted May 18, 2022 12:36 AM

@Clive, JonKnowsNothing, All

So you have very valid points. It wouldn’t make sense to go crazy chasing shadows. I’m still surprised that only 40% of MSPs use MFA themselves, according to a linked report.

Clive Robinson May 18, 2022 5:20 AM

@ Ted, JonKnowsNothing,

I’m still surprised that only 40% of MSPs use MFA themselves,

MFA is seen by many to be,

1, Expensive to implement.
2, Expensive to operate.
3, Expensive to maintain.
4, Of no real security purpose.

All of which are true to some extent, but MFA is not a “sum of the parts” solution, so should not be looked at in that way.

So the report kind of tells you a lot about the point of view of the “Directing Minds” of MSPs…

Oh have a read of the bottom of this,

It might tell you why “Bunker Mindset” is hitting the C-Suite when it comes to “audits” and the like.

Ted May 18, 2022 7:22 AM

@Clive, JonKnowsNothing

Re: SolarWinds lawsuit/s

Good article. New aim: legally defensible security.

Clive Robinson May 18, 2022 9:13 AM

@ Ted, JonKnowsNothing, ALL,

Re : legally defensible security

Take a moment or two to “chew down” on that thought, and work out the likely ingredients that will make that pie…

Lawyers are a form of “Guard Labour” and as such are “Authoritarian followers” not just by nature, but nurture as well. Not only do they take an “at war” mentality with everyone, –seeing all as potential enemies,– they rarely understand the notion of impartial or beneficial parties, so they do not “trust” in the human sense.

Thus their advice has four basic components,

1, What benefits them.
2, What protects them.
3, What disadvantages any opponent.
4, What might benefit their client.

When you look at it from that perspective you can see which way it is going to go, and it will not really be beneficial for any client of their client, i.e. “the customer”, or as is more often the case these days the users who are “product”.

Yes I sound cynical but I’ve a few decades of “alligator teeth marks” from the legal brethren even though I have sent some of their hides down to the tannery… Just remember when you drag one alligator out of the swamp, all you are doing is helping other alligators by giving them the ability to grow…

As far as I’m concerned bulldoze in the swamp so it gets way smaller is the best option, anything that crawls out gets sent to the tannery dead or alive, where the first step is skinning.

Winter May 18, 2022 9:32 AM


Lawyers are a form of “Guard Labour” and as such are “Authoritarian followers” not just by nature, but nurture as well.

I always considered them to be mercenaries. However, like so many prejudices, that falls apart when you know them closer, and see that most are socially engaged and motivated with a love for justice and the law.

I must add that my personal acquaintances with lawyers were in academic settings, far, far away from corporate law. The people I spoke with were activists for the protection of privacy.

lurker May 18, 2022 10:30 AM

re: SolarWinds suit

It was brought by “a group of investors” concerned that SW “embraced intentional or severely reckless deceit on investors.” Follow the money . . .

I read XPAN’s Rakoski as saying in the final para: CISOs should spend less time and money on security tech, and more on contract language.

JonKnowsNothing May 18, 2022 11:14 AM

@Ted, @All

Actually this is the one I was referring to:

  • HPE’s (then HP’s) $11bn acquisition of Autonomy back in 2011.

While the case continues its meandering between USA and UK jurisdictions, it looks ever more probable that “Autonomy founder Mike Lynch” might be joining Julian Assange on a flight to the USA but for different charges.

  • The ruling [05 17 2022] clears the way for the British software exec’s extradition proceedings to the US to face criminal charges. Lynch faces trial on 17 charges of wire fraud and conspiracy regarding Hewlett Packard’s acquisition of his software company back in 2011.

The CPA firm involved with the acquisition was fined £15m in relation to the Due Diligence and Audit performance of the Autonomy books. That HP CEO relied on the assertions of the CPA firm about the state of the target company.

The example is for CPAs, however any Certified Anything has the same problems. It’s a corollary to the problem of “Trust”. You cannot “trust” anyone.


Search Terms

Judge details Lynch’s $700k signoff via iPhone text in full Autonomy judgement
Still no damages number, likely to be way less than $5 billion

ht tps://www.theregister .com/2022/05/18/lynch_judgement/
(url lightly fractured)

Clive Robinson May 18, 2022 12:17 PM

@ lurker, ALL,

Re : CISOs should spend less time and money on security tech, and more on contract language (Rakoski viewpoint).

And how do you think that viewpoint arose, “Why?”, and as importantly “What is the likely outcome going to be?”.

@ Winter,

Re : I always considered them to be mercenaries.

I actually know many people who would fit under the definition of mercenary. That is, they provide “Guard Labour” for “Hire or Reward”; this does not make them bad or objectionable people…

Think of body guards and security personnel of all types, and I suspect there are many who are covered by the definition of “mercenary” who read this blog, but do not think of themselves that way.

Mercenary in the general way of things is a “job” like many others; it is not in and of itself good, bad, heroic, evil, or many other words “observers” may choose to attribute to it.

Look at it this way a Police officer runs up and shoots someone dead, is that good or bad?

If it’s someone who appears to you to be innocent then it’s bad, even evil. If however it’s someone waving a machete or similar, and thus to you appears dangerous, then the shooting to you might be good, even heroic.

But both viewpoints are at best “probably wrong” that is as an “observer” we are probably missing a lot of information, or have not had time to process the information we have seen.

I hold what appears to be conflicting views of,

1, I do not believe in death sentences.
2, I do believe I have the right to “protect me and mine” against threat in any way necessary.

Which might appear odd for someone who used to be in the military… But actually is quite a common viewpoint in military personnel that hold higher ranks or specialist positions.

Snipers for instance “kill people”; that is part of their job description and something they do, which most military personnel actually do not[1]. For most snipers that word “necessary” is the most important there is. That is without it they would in most cases become psychologically disturbed. That is, the deliberate and knowing taking of another person’s life has to be “necessary” and part of that is “proportionate”. Sometimes it’s called,

“The cold calculus of death”

It allows the normally morally and ethically unacceptable to become acceptable. Few “observers” have ever thought about such things; even reading about it makes them uncomfortable. But as technology progresses, it’s something we have to face head on. Does a driverless car act to protect the passenger or the pedestrian who steps out? Who takes priority and why?

As an engineer, that “cold calculus” applies to very much of what I do, because anything that contains an energy source or storage is potentially lethal.

Look at it this way, a car battery at 13.8 volts is very unlikely to kill you. However, use a rotary gapping device into an ignition coil and the “Back EMF” will give hundreds if not thousands of volts, certainly more than enough to stop your heart.

But it’s more subtle and less obvious as well. Let’s say you design a bridge; you know it is impossible to make 100% safe…

But what percentage is acceptable: 51%, 90, 99, 99.9, how many 9’s are acceptable? You know if you design it to be “too safe” it will not get built, because it would not be “cost effective” and that is where that “cold calculus” kicks in.

But does an “observer” understand that?

Much of my time as a design engineer I’ve worked on “Safety Systems” of many types, some have to “fail safe” others have to be “Intrinsically Safe” they are similar but quite different concepts. I usually try to design them both in, but that is not always possible (think ignition systems as an example).

I sometimes have to design systems I know are actually unsafe…

What would an “observer” think of that statement?

That is, they are “component parts” of larger systems. As a rough rule of thumb the more basic a component the less likely it is to be fail safe or intrinsically safe; it’s how the components are built into systems that infers these properties.

But how do “observers” see this or even understand it without knowledge, they probably do not have?

That is the “observer” problem; it is the one you can not “design out” no matter what you do.

[1] As I’ve mentioned before there are three types of combat shooting,

1.1, Shoot to “Scare”.
1.2, Shoot to “Wound”.
1.3, Shoot to “Kill”.

Most military personnel only get taught the first two. Having been taught all three, I can tell you for free, there are sound psychological reasons for doing this.

Clive Robinson May 18, 2022 12:31 PM

@ Ted,

Re : I will start with flouring a cyberattack as…

In the UK we say “over egging the pudding” and similar.

However what you give from their legal team is to us so obviously lies, it astounds us that they think they can get away with it.

They know full well they can make such absolutely unsupported claims for several reasons.

1, The judge likely has insufficient knowledge to tell what a steaming pile it is.
2, Even if the judge does question it they will “pass it off” as something they have been informed of by “expert testimony”.
3, If push comes to shove and the other side calls them on it, they probably already have some idiot on retainer who will in effect perjure themselves, knowing full well that if they are sufficiently mealy mouthed they will not get prosecuted for what are at the base just outrageous lies.

Such is the “legal system” in the US currently.

JonKnowsNothing May 18, 2022 2:55 PM

@Ted, @All

re: Due Diligence Failure

How unsurprising this statement showed up in a MSM report on Musk-Twitz-Bust

Musk’s offer to buy Twitter waived “business due diligence,” and the Twitter board relied on that commitment when it approved the transaction and recommended that shareholders vote for it. Twitter’s proxy statement told shareholders that one reason to approve the agreement is “the likelihood that other potential acquirers would require substantial due diligence, creating a delay and risk to reaching the signing of such a potential transaction.”

As Elon realizes he bought a Pig In A Poke, he plays the stock market in attempts to alter the price and/or damage the TwitzCo enough to somehow walk away from the deal while TwitzCo falls off the leader boards and he keeps his $1,000,000,000 forfeit fee. (1)

That presumes you “TRUST” that he actually has a $1,000,000,000. The guy is couch surfing, sponging off his high rent friends. There’s a difference between what’s On Paper and What’s In Your Pocket.


1) Normally the SEC takes dim views of stock price manipulations, particularly insider trading or other deals to alter the stock price using information outside of “public knowledge”.

In recent years, this has been less enforced, as After Hours Trading by big financial firms and hedge funds move the stock prices on information closely held until the After Hours Trade window opens and when General Trading Opens claim it was “available public knowledge” when the prices moved.

It’s all in the timing.

Search Terms

Twitter board tells

Elon Musk

We will not alter the deal

Pig in a poke idiom 1555:

I wyll neuer bye the pyg in the poke
Thers many a foule pyg in a feyre cloke

SpaceLifeForm May 18, 2022 2:59 PM

Billable Hours

Need. More. Billable. Hours.

And another Scotch and water, thanks.

That is the reality many lawyers live in.

Ted May 18, 2022 3:26 PM


Re: HP and Autonomy acquisition

What a fiasco. I see what you mean. We are not immune from misrepresentations issued from supposedly trusted institutions.

The details are certainly interesting. I’ve enjoyed several books on stunning financial crimes. However, I find the investigations and judgements to be positive signs.

I remember listening to a podcast about Russia and Putin. The guest was asked how Russia might fare under a different leader. They responded that Russia more importantly suffered from diminished institutions – think a robust and impartial legal system.

Now if we didn’t have somewhat decent institutions to hold errant parties accountable, I’d be more concerned.

Ted May 18, 2022 8:25 PM


However what you give from their legal team is to us so obviously lies,

I’d like to rephrase “lies” here to “corporate optimism.”

Continuing with SolarWinds’ legal response, we should all note that aspirational statements (aka corporate puffery) cannot be considered materially misleading.

These would include statements such as SolarWinds “is committed to taking its customers security and privacy concerns seriously” and that it “strives to implement and maintain security processes.”

Because, according to the Fifth Circuit: investors and analysts are too sophisticated to rely on vague expressions of optimism rather than specific facts.

Pretending that doesn’t hurt.

SpaceLifeForm May 18, 2022 8:46 PM

Must control app store.

Must control platform.

Are Apple and Google MSPs?


Both Apple and Google are dreaming.

It’s all about the dollar signs. As you may have noted, neither control their platform. See Pegasus for example.
