Schneier on Security

Clive Robinson • October 18, 2024 11:12 AM

Re : “CEO of a still unnamed company”

Well a few paragraphs into the WSJ article we find,

“Deepak Jain, chief executive of an unnamed information-technology services company operating in Beltsville, Md.
“

If true –and it might not be– having the,

1, CEO’s name
2, Likely location of HQ or corporate offices.

Will probably come up in the first page of even a DuckDuck search.

So just a brain dead search using,

[]

Gives as almost the first info –after the regurgitating MSM outlets–,

https://www.justice.gov/opa/pr/data-center-company-ceo-indicted-major-fraud-and-making-false-statements-us-securities-and

Results in further information about Deepak Jain,

1, They were –past tense– CEO
2, They are 49
3, And “of Potomac”

Also the Beltsville location is also the companies data center…

I could go on but in deference to others sensitivities I will not give the other quite interesting information that rattled out.

The point I’m making is that under the way things are “rigged” “Open Source Intel” is rather more simple than others think.

Oh and US law unlike UK Law does not realy hold with the,

“innocent untill proved guilty”

Stricture, which is why I say “Rigged”

That is the LEOs and Gov Agencies blabber their mouths of in pretense of observing it, whilst in fact encouraging “trial by media” which automatically prejudices a potential jury member usually in the prosecutions favour…

And yes the other information is out there and very easily found thus yes I know the name of the company and somewhat more…

Clive Robinson • October 19, 2024 3:27 PM

@ ALL,

Whilst yes the company it probably is, has really nice looking offices (except for top floor windows) at an address given on a “Bis Site” with photo.

The persons name is almost like “john smith” in that it is quite common.

Which is why you get several potential organisations.

Interestingly it appears to be the man’s only job, as he is “CEO and Founder” in several online puf pieces for awards and such like. Each one having a differing year as the starting date.

As for Ai.Net if what their site says is true they have 25 locations around the world.

Over on The Register there are comments about how the fraud went on for so long (6years or more)…

From what I can tell whilst the firm may not have been correctly certified, and the documentation to that effect shall we say “invented”. Nobody is saying the company ever failed to deliver on what it said it was going to deliver on as a service.

So once the contract was inked there was no reason by way of “failure to perform” to call it into question.

As a side note, it’s well known that companies set up bogus organisations that “issue awards” annually and the like… Even the “Big Players” do such things.

But those with longer memories may remember the scandal of “The Big Four Accountancy Firms” who basically had significant “conflict of interest” / “self interest” to “sign off annual accounts” etc of firms buying their expensive consulting…

Basically the companies would do the paperwork and the accountancy firm would “rubber stamp” without doing any checking let alone due diligence. These would then get submitted to share holders and government regulators who would all “Nod them by”.

In more recent times we’ve seen a lot of self signed nonsense in Boeing “unwind” unfortunately with a lot of harm.

Remember every time you hear someone going on about “small government” and “cutting red tape” and all the rest of that “get rid of regulation” nonsense the result will always be a “race to the bottom”. And all to often it’s “Fraud” that does not get prosecuted because it would be to big/expensive to stamp out. So we see “no fault admitted fines” and the exces involved just treat them as “a cost of doing business”.

Some might have noticed that this week “automated vehicles” have been very much called into question over “safety concerns” due to very real harms to people.

As I’ve mentioned before I’ve worked eith what was called AI systems since the 1980’s putting “expert systems” and “fuzzy logic” into control systems like auto driver rail vehicle breaking systems.

We would not call them AI by todays standards, and they were/are certainly very very limited in capability. The reason they worked was to constrain the inputs to a very few known quantities, by use of fences and alarm systems to keep “organics” out of consideration.

You can not do that with normal roads… So whilst “auto-drive” vehicles can be made to work with the “expected”, there is so much “unexpected” due to “organics with agency” that you can not put even a fraction of the rules needed to deal with it into AI systems that are practical or feasible.

And if you are an “investor” or “purchaser” do not expect this to change at all in the next half century or so. In over a century of organics driving we still have “accidents” and as I keep pointing out due to the basic laws of physics all “accidents” as we call them are entirely predictable thus in theory preventable. All you need is,

1, Sufficient information,
2, In Sufficient time to process it.

Along with “sufficient time” for

3, The laws of physics to allow prevention.

There is no way currently for the first issue to be resolved practically. Even if there were sensors “time” is as they say “ain’t what you got”…

The only way to get the time is to slow things down to around 10mph in urban areas and 20-25mph where security measures to keep “organics with agency” out of the areas of risk.

At the end of the day those Boeing crashes, as far as we can tell from information so far released, they had sufficient time for the pilots to have prevented them. IF they had sufficient knowledge and pattern recognition “to act correctly in a timely fashion”…

Clive Robinson • October 20, 2024 9:54 PM

@ Lurker,

Re : A truly blind eye need not be turned.

With regards,

“So, how long did it take SEC to find out they’d been taken for a ride?”

Were they “taken for a ride?”

Arguably no, they got what they paid for for the length of the contract.

In effect the organisation did the equivalent of,

“Lied on it’s C.V.”

By claiming it had qualifications it did not.

However from the little information so far made public in,

https://www.justice.gov/opa/pr/data-center-company-ceo-indicted-major-fraud-and-making-false-statements-us-securities-and

Apparently the company did the job without real incidence or complaint,

“Throughout the pendency of the contract between Company A and the SEC, the SEC experienced several issues with Company A’s data center, including issues with security, cooling, and power — all of which were subjects of the standard referenced in the fraudulent Uptime Council certification letters.”

Because if they had been “real issues” the SEC would have taken action to terminate the contract, and they clearly did not for some reason –not yet known– as it went full term… So an assumption of “no real incidence” is valid.

And that’s the interesting couple of points, in that the contract issuer on behalf / behest of the SEC,

1, Either failed to do due diligence or was it’s self somehow party to the fraudulent qualifications being accepted.

2, The contract remained in existence for six years, so the SEC had no real cause of complaint during the years the contract ran for, otherwise they would have terminated the contract.

So there is a lot more going on, on the SEC side than they have “fessed up to”.

So this might be a “two bowl of popcorn” entertainment.

Clive Robinson • October 21, 2024 10:01 AM

@ ALL,

If you look in the “US Dept of Justice” document,

https://www.justice.gov/opa/pr/data-center-company-ceo-indicted-major-fraud-and-making-false-statements-us-securities-and

You will find that the SEC ran with the contract for quite some time.

Yes there were a few issues but obviously insufficient to constitute a breach of contract or cause for cancellation…

Which raises the important question of,

“Were they any worse than other obvious examples?”

Such as this “latest one”,

https://techcrunch.com/2024/10/17/microsoft-said-it-lost-weeks-of-security-logs-for-its-customers-cloud-products/

They do this so often in one way or another and get away with it so much that they in effect set “The low water mark” on unacceptable behaviour.

So you would have to ask if your head was on the right way around if it were not the ICT industry as opposed to say leasing a motor vehicle?

But I just know 😉 some one is going yo mention Hell on Rusk or similar…

To which I would start my reply with noting that yet another on quite a string of investigations has been started in the past few days,

https://techcrunch.com/2024/10/18/teslas-full-self-driving-software-under-investigation-by-federal-safety-regulator/

And many of those have been about Hell-On making “false claims” about safety, availability, security, etc of the various “auto-driving” systems he has supplied.

I would also point out,

“It’s still Info Sys…”

As well as the underlying comms that are the cause of the issues…

So as used to be said,

“Same tune, different orchestration.”