
Archive for the 'General News' Category

And Beyond…

Wednesday, December 1st, 2010

Here we are, my friends. The 1000th post. Whew! It’s quite a load off to have finally made it. Hopefully this doesn’t come as a surprise to anyone since I’ve been announcing it for months, and if you have questions, hopefully the FAQ can answer them. I wrote and re-wrote this post several times. There’s so much to say. How can you sum up 5 years of a blog in one post? I have so much to say, but I’m not going to write a book about why I’m shutting the blog down, I’ll just focus on the major issue at hand - happiness. Isn’t that what life’s really all about?

It wasn’t that long ago that I unfortunately lost my love affair with security. Even a few years ago my wife would find me up way too late at night writing some little proof of concept code, excited to post about it the next day. A lot has changed. Some of it is external forces, and some of it is that I realized that I’ve done what I came here to do. When I ask audiences at conferences how many people have heard of XSS or CSRF or command injection or SQL injection, nearly everyone raises their hand. I can rest easy now in that the ultimate mission of the blog has been a success - people have been educated, partly through me, and partly because the industry at large has stepped up to the plate and done an amazing job of absorbing the problems.

I started ha.ckers.org as a place for me to experiment on my own, and share ideas with a few like-minded folks. I never intended it to be a big site, but scope creep from the original mission changed all that. I realized I could educate a lot more people than the 20 or so readers I had started out with. 20,000 readers, countless press articles and 5 years later, and I’ve been run through the meat grinder. My love for security was unfortunately replaced by a sense of servitude.

With any kind of work you get a sense of anxiety. But the biggest problem is that security stopped making me happy. I got into security because I enjoyed the intellectual puzzle. The industry around me has certainly changed several times since I got started but more importantly I too changed. My wife told me not too long ago that I wasn’t a hacker anymore, I was a politician, looking to see how I rated in the polls. I really didn’t like what I had become - that’s not me at all. I normally hate the press, and I’ve never enjoyed public speaking. It was always a necessary evil. An evil that I embraced far too much, if you ask me.

They say that if you look at the graph of happiness in your life you can tell what sort of life you led. For instance, if your life starts positive, then goes down, and then ends positive it’s a comedy. If it starts low, goes up and then ends badly, well, then you lead a tragic life. I’ve never claimed to be a futurist, and in fact, I’ve found the question, “What do you think we’ll see in the future” to be a terrifying question - what if I’m completely wrong?

I’m not an oracle and I really don’t like giving people incorrect information. But if I were to look at the graph of my life honestly, it wasn’t trending well over the last few years, looking more like a downward-trending saw blade of perpetual highs and lows. Although there have been a lot of individual highlights and amazing things that have happened, I have noticed, and other friends, family, and peers have noticed, that I’ve gotten less and less happy as a whole. As much as my trustworthy friends tried to convince me that the negative sentiment was meaningless, it was having a profound effect on my desire to continue. The saw blade was trending downward. I’m not blameless for how I got here - no one is perfect, least of all me.

Although I’m a fun loving person in many ways I also tend to be a pessimist and I do take things too seriously sometimes - definitely to a fault. I saw my happiness declining and the light at the end of that tunnel was getting further and smaller as I went on. It became harder to shrug things off, and I started worrying about even the simplest of things. So instead of being a victim of my own circumstance I made a decision to make my own destiny and start enjoying life again.

So this is it - I’m taking my happiness back and I’ll be taking on new and exciting challenges without the drama of intense public scrutiny. It’s time to make the graph of my life into a comedy - filled with excitement and wonder in the unknown. I’ll always have a soft spot for security; I’ll keep up on it, and I’ll continue to research and run my company, among a lot of other things, insofar as it doesn’t impinge on my happiness. Not hedonism, my friends, happiness. Now is the time to seize the day and start having fun again. Life’s too short.

I could also spend pages iterating all the people who’ve helped me think through the countless issues we’ve talked about, sent in ideas and generally made this website and WebAppSec in general a success. Rather than risk excluding anyone all I can say is that I truly, deeply respect all of you for your skills and appreciate what you’ve done for me and the industry as a whole. Perhaps no one but me will truly appreciate everything you’ve done, but trust me, you’re the real gods of WebAppSec. I wish you the best. So I leave it to you all - this industry along with all the good and bad, in very capable hands. Trust me, there are plenty of amazing people out there. Now it’s time for them to take their rightful place.

So… where can this mythical happiness monster be found, you may be asking? For me the journey to find happiness starts with a cold beer - so that’s where I’m headed. On behalf of id and myself, adios, my friends! Thank you for reading.

FAQ

Wednesday, December 1st, 2010

One post left…

I know people have a few questions about the remaining fate of the site, so I decided to write a little FAQ prior to my last post:

Q: Are you planning on keeping ha.ckers.org up for reference at least?

Yes. There’s a very small chance (read near zero) that I will be making any updates though.

Q: Are you going to keep comments open on the blog?

The short answer is no. I’ve already been shutting down comments on some of the older posts to reduce the volume of comment spam. I’ll probably leave comments in place for a few months and then close it up, just to reduce the maintenance. So if you have anything you want to say about any of the recent posts, please say it now.

Q: Are you planning on keeping sla.ckers.org up?

For the foreseeable future, yes. I do want to encourage people to keep researching, and innovating, even if I’m not directly a part of it. So yes, there’s no plans on taking sla.ckers.org offline, and I still encourage people to visit and ask “dumb” questions. You have to get started somewhere, and it all starts with intense curiosity. For those who are starting, don’t be afraid to approach people who know what they’re talking about. If they blow you off, they’re jerks, but a lot of times they’ll be patient and help. It never hurts to try. Update: sla.ckers.org and ha.ckers.org both suffered a massive RAID and simultaneous backup failure on December 17th 2010 related in part to an exhaust system failure in our redundant cooling system. So some dates are messed up on comments over the last few months of posts, some files and directories (like hashmaster) are gone, and sla.ckers.org suffered some loss of posts because we had to go back to an old backup. Sorry about that. It’s hard to predict so many failures at once.

Q: I still want to read what you’re writing, are you posting anywhere else?

I may post in lots of places regarding various topics and for various reasons, but no, my days of WebAppSec blog posting a la ha.ckers.org are over. It’s time for others to pick up where I left off. But if you just want to read 300+ more pages of RSnake content, please check out Detecting Malice.

Q: Why 1,000 posts and not 10,000 or 100,000 posts?

Because I made a promise to myself to make it to 1,000 posts. That’s it. Simple enough. It was really easy to get to 100 posts, and even easier to get to 250. After that, it got harder and harder. I was thinking about stopping at 500, but one day I checked and I had accidentally gotten to over 550… so then I made another promise that I’d stop at 1000. And here we are, my friends - one post remaining.

Q: Someone mentioned to me something about a “Dread Pirate RSnake”. What is that?

A year or so ago I was thinking that rather than shutting down the blog outright I would find a talented person to take my place. Like the character in the Princess Bride, the Dread Pirate Roberts, they could take on the Dread Pirate RSnake persona, and pass that along to others once they got tired of the name. I talked with several people about that who seemed interested in taking up the cause, but after thinking about it longer I decided it was a bad idea. Ultimately I decided the blog was fun while it lasted, but it’s over for me, and my handle doesn’t need to live on. The research is the important part and others have long ago taken over those reins anyway.

Q: Will you continue to be part of security?

In short, yes, I’ll still be working in security. I’ll always be available by email, but no, my time in the spotlight is thankfully coming to a close. It’s time for other people to get their moment in the sun. Having already made a few commitments I will remain somewhat visibly involved in the security world, but otherwise I’m trying to do less and less in the public eye. I’m definitely not leaving security altogether though. SecTheory will continue to operate, and I have a number of security ideas in the works that will no doubt see the light of day at some point, but that’s about it. And Jer seems to think I may twitter more now than ever. Who knows? Only time will tell. I really dislike twittering though, so the forecast does not look good.

Q: What about any other vulns you find?

Ah, the hardest question of all. I haven’t made up my mind. Some issues will no doubt get disclosed to the appropriate parties. Some may end up in a friend’s lap for them to disclose under their name. The remaining issues… who knows? To be honest, like a lot of researchers these days, I’ll probably just sit on them.

Least Common Denominator

Wednesday, October 20th, 2010

10 posts left…

While at Bluehat Jeremiah got a question from someone (I believe he worked at Opera) saying that even something as simple as turning off third party cookies will break things like Yandex. Jer had an amusing response which was, “What’s that?” followed by, “So you’re telling me I need to be less secure because someone else wants to go to a site that I’ve never heard of?” I was laughing too hard to hear whether the guy had a useful retort or not. But I doubt the guy in the audience was prepared for this argument. Now some people would argue that no, it’s your own responsibility to secure your browser as much as you need it to be. It’s always been my take that if you let people have something insecure it’s never going to get any more secure than it is that day (for the vast majority of users), because of the least common denominator and the fact that the web developers are going to use as much of that functionality as they can - forcing me to use JavaScript to log into my bank and such.

Normal users want a subset of what the browser is capable of, but even more usability than what a browser comes with by default. If they can tie their browser in with Twitter, make it auto-log-in to every account they have and pipe in music from iTunes all at once, that’s a good day. Security people, for the most part, want a different subset of the browser, and want very few of the usability improvements that browsers are adding in. Unfortunately, we are also stuck with whatever everyone else wants, because we do have to use the same sites. And the worst part is the browsers weren’t designed with guys like Jeremiah in mind - they were designed with thoughts of people who had never used a computer before. As such the browsers are building on legacy software that needs to support other legacy software atop a very flexible architecture, making it harder and harder to be secure over time.

As such, yes, Jeremiah is absolutely forced to have a less secure browsing experience because of Yandex and the 1000x other edge cases that we have been unable to break for fear of backlash. This includes breaking requests to localhost because of Google Desktop. This includes breaking cross zone RFC1918 requests because of legacy banking apps. All kinds of dumb things that should have never been built like that are causing us to be less secure, and until we’re willing to break the web (like with the CSS History hack fix that Mozilla championed) we’re going to be stuck with the least common denominator problem. I wish I had the answer, but I don’t.
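The two concrete cases above (requests to localhost and cross-zone requests into RFC 1918 space) are the kind of thing a browser or a forward proxy could refuse by policy, with an explicit exception list for the legacy applications that would otherwise break. The following is an added example, not code from the original post or from any browser vendor; it sketches that policy in Python. The hostnames, the stand-in resolver table and the exception list are constructed for the example, and DNS resolution is simulated rather than performed.

```python
"""Zone-based request policy: refuse requests that cross from a less trusted
zone (public Internet) into a more trusted one (RFC 1918 / localhost), with an
operator-maintained exception list for legacy applications."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. A real
# implementation would resolve the name and classify the resulting address.
RESOLVER = {
    "www.example.com": "203.0.113.10",      # a public (TEST-NET-3) address
    "intranet.example": "10.0.0.5",         # legacy app on an RFC 1918 network
    "desktop-search.example": "127.0.0.1",  # a local service reached via a name
}

LOCAL_NAMES = {"localhost", "localhost.localdomain"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV6_ULA = ipaddress.ip_network("fc00::/7")  # IPv6 equivalent of RFC 1918

# Higher rank means more trusted; a request may only go sideways or downwards.
RANK = {"public": 0, "private": 1, "local": 2}


def zone_of(url_or_host):
    """Classify a URL or bare host as 'local', 'private' or 'public'."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    host = (host or "").lower().rstrip(".").strip("[]")
    if host in LOCAL_NAMES:
        return "local"
    literal = RESOLVER.get(host, host)  # constructed lookup standing in for DNS
    try:
        ip = ipaddress.ip_address(literal)
    except ValueError:
        return "public"  # unresolvable name: treat as public Internet
    if ip.is_loopback:
        return "local"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "private"
    if ip.version == 6 and ip in IPV6_ULA:
        return "private"
    return "public"


def request_allowed(origin_url, target_url, exceptions=frozenset()):
    """Decide whether a page at origin_url may request target_url.

    Returns (allowed, reason). Requests into a more trusted zone are refused
    unless the target host is on the operator's legacy exception list.
    """
    origin_zone, target_zone = zone_of(origin_url), zone_of(target_url)
    if RANK[target_zone] <= RANK[origin_zone]:
        return True, f"{origin_zone} -> {target_zone}: same or less trusted zone"
    target_host = (urlsplit(target_url).hostname or "").lower()
    if target_host in exceptions:
        return True, f"{origin_zone} -> {target_zone}: legacy exception for {target_host}"
    return False, f"{origin_zone} -> {target_zone}: cross-zone request refused"


if __name__ == "__main__":
    # Constructed sample: a public page issuing requests to several targets.
    legacy_exceptions = {"intranet.example"}
    for target in ("http://www.example.com/api",
                   "http://127.0.0.1:4664/search",
                   "http://desktop-search.example:4664/search",
                   "http://intranet.example/app",
                   "http://192.168.1.1/"):
        ok, why = request_allowed("http://www.example.com/", target, legacy_exceptions)
        print(("ALLOW " if ok else "REFUSE"), target, "-", why)
```

Every entry in the exception list is a host the policy no longer protects, which is the trade-off the post describes: each legacy application kept working is a hole kept open for everyone.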

Aero Theme and Generic Semi-Transparency Info Leakages

Tuesday, August 10th, 2010

36 posts left, and counting…

If I had more time on my hands this would have been a fun one to play with. Although OWASP has dropped information leakage from their list of top 10, it’s still a fun puzzle to put together if you can gather tidbits of info. Johnny Long specializes in piecing together small seemingly inconsequential pieces of info against a target. I wish I could find the paper on it, but many years ago there was a paper describing one technique to unblur text in an image. The basic technique, if memory serves, was that you could take each character in the font in question, blur that font and see what it ended up looking like. By comparing the blur your just created with the blur in the image you could figure out each character.

When Vista came out it shipped with a default theme called Aero, which made semi-transparent windows. The semi-transparency uses both an overlay of a dithered color scheme as well as blur. The dither may be the harder of the two to overcome because it’s dithered based on the width of the window itself and it changes depending on the focus of the window in question. The blur, however, is probably the easiest. Windows uses a default font for most applications. Therefore it should be fairly easy to de-obfuscate text that is behind screen-shots of the Aero theme.

There are obviously problems with this - the first one being that it’s not the whole window that’s transparent, only a slice at the top, but I’ve found some vaguely interesting things that were definitely not meant to be in scope of the screenshot through the Aero transparency. The second problem is that this only really helps if the thing behind the screenshot is actually of interest. But, let’s assume that those issues are met. The nice thing is the kind of people who tend to post screenshots are experts in their field. They’re often public speakers, analysts, or people who are giving instructions on how to use something. So there could be quite a bit of sensitive information in those screenshots. I only spent an hour or so trolling screenshots one day and found a few vaguely interesting pieces of info.

I have sat on this concept for a few years, hoping someone would come out with it first, but I haven’t seen anything written on it, so here it is. Either way, it’s probably a minor issue in reality, but I recommend turning off Aero and all transparency when possible - especially if you’re like me and have to give a lot of presentations that include screen-shots of desktop applications (e.g. browsers).

Petabytes On the Cheap

Wednesday, July 21st, 2010

37 posts remaining…

With all the talk about cloud computing I thought it would be interesting to post this article. It turns out you can create a single chassis that contains around 67 terabytes in it for $7,867. That’s pretty incredible, and most interestingly, if you follow the link, you’ll see the cost breakdown compared with other alternatives which it pretty much blows away. It almost doesn’t make any cost sense to outsource your storage to the cloud with those cost savings. It really can be cheaper to bring it in house.

Now there are some down-sides, and they primarily have to do with high availability. There’s a good article explaining some of the potential downsides, although id told me, “port multiplier doesn’t matter there, even 2-1 oversubscribed they are fine for doing what they are meant to” so take the criticism with a grain of salt and do your own fact checking. Either way, the cost savings are so dramatic that this could be an evolutionary step, and I bet things will get a lot more solid down the road to alleviate the issues of availability. So it might be premature to jump into this kind of storage for those massive databases you’re supporting, but given a little time and increased density I bet this technology makes a huge difference in cost down the road.

As a side note, for you people who were around for a while, I did some quick math - it would take just north of 46.5 billion floppies to equal that one 4U box. Also, as a fun fact most smart-cell phones these days are faster than the machine that we started ha.ckers.org on. Amazing how times have changed!

BOFH - The Tin Whiskers Excuse

Monday, May 3rd, 2010

This post is a bit out of left field compared to what I normally talk about, but I hope some people get some value out of it. If you don’t recall the BOFH (bastard operator from hell) series, or haven’t been in the industry long enough to happen across it, you should read some of the old stories, if you need a laugh and a several hour long distraction. The basic premise was that the lazy operator would find any and every reason to do the opposite of what people wanted especially if it let him play video games at his desk. Death and destruction of the clueless and their home directories would often ensue.

Enter tin whiskers (lots of pictures). Tin whiskers are a vaguely-understood electromechanical process that is related to the use of completely tin solder as opposed to tin-lead amalgam solder. It is a problem that has been known for a decade or more, but it is becoming more pervasive due to a rise in reliance on electronics. Because of the near outright ban of lead based solders in some places in the world, the completely tin process has led to an increase in faults. Tin whiskers can cause short circuits and even metal vapor arcing which can literally fry electronics.

Part of the problem with educating people about the issue is planned obsolescence - the computer industry expects that people will just replace their computers with new ones when new ones become available. A hardware failure is just another kick in the butt to shell out for that new Mac Book Pro you’ve been drooling over. People always want the latest and greatest and this is reason enough. But the problem is there is a lot of hardware out there that runs a lot of what we rely on that will stay in place for a decade or more in some cases. If it ain’t broke don’t fix it, right? The problem is that it will break, and it’ll break in unpredictable ways.

Routers, switches, database servers, UPS systems, emergency sensors, orbital satellites, SCADA systems, cars, airplanes, etc… etc… Our jobs, and more critically our lives, literally depend on a lot of physical hardware to function. Unfortunately, a lot of this tech relies on scary build processes that are destined to fail.

So if you are the BOFH and you really want to take the rest of the week off or you really want an excuse to get rid of some piece of hardware that has been a thorn in your side for years now, you now have a new plausible excuse to give management when you throw that machine in the trash - tin whiskers. For the rest of us, perhaps we should be careful to build redundancy into our hardware designs and our computers/networks to lessen the impact of this pervasive design fault. This is just another reason to build in redundancy. And with that, I hope everyone is having a good week!

Just Another Day at ha.ckers.org

Friday, April 16th, 2010

I don’t think I need to introduce this email, I think it speaks for itself:

Valued Road Runner Business Class Customer,

This email is in regards to the Time Warner (Road Runner) account for the following location

–snip–

The Road Runner Abuse Control Department has received a complaint of network abuse originating from a computer connected to your cable modem. We recognize that most Internet abuse complaints are the result of computers infected with viruses/worms or compromised by a trojan horse (a.k.a. “trojan” for short). Trojans allow malicious third parties to gain access to your system(s) for the purpose of using your Internet connection to intentionally commit the abuse in question. The abuse commonly comes in the form of either unsolicited email (a.k.a. “spam”) or port scanning (connection attempts to other systems across the Internet for the purpose of finding vulnerable systems to infect or exploit). However, if not addressed in a timely manner, your machine(s) potentially may be used for other more illegal activities.

A portion of the complaint we have received is copied below for your review:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|date                     |id     |virusname        |ip           |domain    |Url                        |
+-------------------------+-------+-----------------+-------------+----------+---------------------------+
|2010-04-14 02:20:04 CEST |514019 |unknown_html_RFI |71.41.152.29 |ckers.org |http://ha.ckers.org/xss.js |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you recognize this activity and it was intentionally sent, you may be in violation of our Acceptable Use Policy (AUP) and it’s important that you contact us immediately to discuss. If you do not recognize this, you likely have a compromised or infected system connected to your cable modem and will need to take action to clean and secure all Internet-connected computers as soon as possible. We take these complaints very seriously and further substantiated complaints could, at some point, require us to disable your cable modem in an effort to protect the integrity of our network. We obviously have no desire to interfere with your ability to conduct business and would prefer to not take such action, so please pursue whatever measures are necessary (up to and including the formatting of hard drives and/or assistance from a third party IT professional) to correct the problem with due urgency.

If it would be helpful, Road Runner does offer free anti-virus and firewall software for commercial use. You will need your Road Runner account information to register the software, so you may need to contact your local Time Warner office for assistance. For more information, please visit the following link:

http://www.rr.com/pss

Additionally, we have a suggested course of action on our Website, but please be aware that it is intended for use by residential customers to clean a single computer and may not be feasible for use in a commercial environment. Moreover, some of the suggested software is licensed for personal use only. We cannot accept responsibility for compliance with software licenses, so please be aware of rules and restrictions related to the installation and use of any applications suggested. If interested in this course of action, please visit the following link:

http://www.rrsecurity-abuse.com

If you have a network connected via a router, you may be able to view the router logs, looking for either a large amount of email activity or the port scanning activity specified above. This may indicate which computer is the offending system and thus help you simplify the solution.

The corrective action taken is entirely your responsibility. We are merely making contact to alert you to the problem in an effort to both protect our network and enforce our policies. But we ask that you do take corrective action as soon as possible and contact us to advise, preferably by simply replying to this email. Also feel free to contact us with any questions you have regarding this issue.

Thank You,
Time Warner Cable (Road Runner) Abuse Control, Regional Office
twcsecurity-abuse@texas.rr.com
1-877-588-8508

I didn’t realize 2 lines of completely benign JavaScript that can be included on websites is now considered abusive. I can’t wait until someone adds Google Adsense as unknown_html_RFI. If you know who submitted this, please smack them upside the head for me and then sit them down and help them find a job that doesn’t require a keyboard. kthanksbye.

RSA Conference Wrapup

Monday, March 8th, 2010

Well, another RSA Conference has come and gone. Lots of vendor noise about their product being the only secure one on the market, and other nonsense, as is to be expected. Although I did notice a bit of realism this year. It did seem like everyone had eaten a big helping of humble pie, which was refreshing. Even the sales guys weren’t making as hard a pitch as I’m accustomed to. So all in all, it was a good time. Lots of drinking, lots of good conversation, and I even managed to sneak in and see Jeremiah’s presentation on the top 10 new webappsec vulns from 2009 (how he managed to fit that all into 50 minutes still boggles the mind). I didn’t make it to as many parties as I would have liked to this year - maybe I’m getting old, or maybe I started drinking too early. Either way…

One notable quote was from Howard Schmidt who said, “There is no cyberwar,” but I don’t think he ever defined what a cyberwar would look like - so I don’t know how we’ve decided we aren’t in the midst of one. Maybe he’s absolutely right and we aren’t in the middle of anything like a war (just the low rumble of espionage), but I’d like to hear his definition one way or another so that I can know when I should start being outraged.

But I wanted to do a quick writeup on the RSA Conference registration computers themselves, while I was thinking about it. For some reason, my entire life, I have just assumed programmers think the same way I do. Then I am always annoyed to find out they don’t. Physical security is tough, don’t get me wrong, but kiosks are one of those things you really need to be careful to protect from physical tampering and logical attacks. Anyway, I was sitting there waiting for one of the pages to load, and it was taking forever. Because there was no onscreen indicator that it was waiting, I started wondering if the form was even working at all, or if there was some dumb JS error or something else that would cause the page to never load. So I clicked on one of the links at the top in the navigation and it gave me a “Diagnose Connection Problems” error and worse yet, it popped out of the Kiosk mode. Never a good sign. It looks like they’re protecting the application from most classes of attacks simply by disallowing outbound network access. Let’s assume there were no way around that for a second (and I’m not convinced of that, incidentally).

Most people would probably say that security is good enough. Any attack I could mount would be useless because I couldn’t exfiltrate the data off of that machine. Oh, but it’s not that simple. For that application to work it must be able to contact the site in question (the registration portal). That portal has access to a database. As such, the database itself is essentially dual-homed (on the Internet and on this Kiosk intranet). So all I should need is some JavaScript malware to steal people’s information as it pretends to register them, and instead log the data into my database fields. I can be somewhere else and check the records in the database for my account, and poof - I have access to whatever data I wanted to log. I can get JavaScript execution by simply typing it into the URL bar and just like magic, I have a way to steal conference registrants’ information. And there’s the cookies and any other tampering I might be able to do in the config options in IE. It’s definitely NOT a huge deal, but rather just another example of how it’s incredibly complex to build a truly secure browser-based kiosk system that can defend against determined attackers. No identities were stolen in the making of this post. Now, back to work!

Banks, Businesses, Viruses and the UCC

Wednesday, February 24th, 2010

There’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?

There is a little known code called the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers you are essentially to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers - but even if your business consists of only one person, you are still treated as a bank. As such, if your company has money wired out of its account, the bank isn’t to be held liable - or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? Well, that leads me to the worst part of this story.

The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they lose the case, it essentially creates a precedent and can open the bank to class action lawsuits to overturn the UCC. Either way, it’s a bad day for the bank. So they opt for the third choice, which is to delay the inevitable. They make these poor businesses wait for sometimes years before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome than letting something get litigated. So yes, those poor companies are getting the run around, and we don’t get to hear about it because at the end of the day they are all signing NDAs.

So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you - I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.

Detecting Malice eBook

Monday, October 26th, 2009

Just about every conference I speak at someone comes up to me and says, “I’ve been reading your stuff for years, but you don’t write anywhere near as much as you used to - what happened?” Alas, I actually have been writing more now than I ever have before. Just not on this blog. My latest endeavor has actually been the most ambitious writing experiment I have ever undertaken. I decided to write a new book from scratch with no outside additional authors. For those of you who’ve done it or tried it, you know what I’m talking about. I shopped the book around to a number of publishers, but in the end, I decided to pull the publishing rights back from O’Reilly (yes, it was going to be an O’Reilly book for a while) and after working with a few other potential publishers I eventually decided to simply drop the price and make it an eBook.

When I originally started writing the book its working title was “The First 100 Packets” because it was going to be all about what you could detect about user intentions within the first 100 packets - makes sense, right? Well, as I wrote it I started thinking that was a worse and worse title because, of course, long term user disposition is a really important and related topic (and just as interesting to me as well). So I up-ended the book and re-wrote a big chunk of it and the title became “Detecting Malice”. You can check out the website for a table of contents. Now, why should you buy this book?

What if you could get the equivalent of 500 hours of my brain shoved into one big 300+ page PDF book for only $39.95? What if it was written very similarly to this blog, in bite sized chunks and in my own voice, so it wasn’t stuffy and boring like a lot of technical books tend to be? I’m honestly very proud of this book and I think it’ll have a lot of value for anyone who is tasked with the horrible job of trying to secure a website, as opposed to breaking into it. As such it’s also not for everyone, as it was not written with offense in mind at all. This is not a book to learn how to be a better penetration tester! This is a book for people who want to know how to detect malicious users, and understand user intent through data analysis.

Anti-fraud and fraud loss prevention is an important area of security that I don’t talk about all that much on the site, mostly because security is less sexy than hacking - let’s be honest. I’ve received a lot of flak over the years for not talking about security enough from those who are on the defense side. People have told me that I focus way too much on the hacking side of things and don’t help the good guys out enough. Well, consider this my big contribution to the area of anti-fraud research! Like I said, I’m actually very proud of this book for its technical merits but feedback is always welcome as I revise it and make it better in future revisions.