Barely Legally

Confessions of a Moot Court Bailiff

Bad Loans, Uber for

Here’s something new I learned about Uber: they have a self-induced subprime auto loan crisis. Via WolfStreet:

Two years ago when these folks launched the subprime auto leasing program to put their badly paid drivers into new vehicles they couldn’t otherwise afford, they apparently didn’t do the math.

This type of lease was offered to drivers with subprime credit ratings or no credit ratings who barely earned enough money to get by and make the payments, if they stuck around long enough. It allowed drivers to drive new cars. When it didn’t work out for them, they could return the cars after 30 days with two weeks’ notice. The only penalty for the early return is that Uber keeps the $250 deposit. And these leases came with “unlimited miles.”

No one in the car business would ever conceive of such a thing.

Well, sure. Those old world, analog-only auto leases were rotting from the inside out. The auto loan industry was easily disrupted because the incumbent lenders insisted on making “good deals” in which they “didn’t lose thousands of dollars.”

But this is where Uber steps in to show everyone how it’s really done.

[Uber] had been estimating modest losses of around $500 per auto on average, these people said. But managers recently informed Uber executives that the losses were actually about $9,000 per car — about half the sticker price of a typical leased vehicle.

The losses are so steep because the leases have no mileage caps, and drivers are putting absurd miles on the cars. This craters the resale value of each car, of which Uber apparently has about 40,000.

Well, okay. But the real value here is putting drivers in the seats of cars, so you can expect the $360 million in losses is really more of a loss leader for getting new drivers on the road, right?

Despite the crazy terms, these leases aren’t cheap for drivers. Uber figured they’d drive a lot, and they’d have to pay more than they would have for a standard lease. Via The Wall Street Journal: “A 2014 Toyota Corolla was recently being offered for a term of 130 weeks at $122 a week, totaling roughly $500 a month, according to marketing materials distributed by Uber.”

By contrast, leases for Corollas are advertised all over the internet for as low as $159 a month, for 24 months and 24,000 miles. But read the small print, including the $1,499 down at inception and other upfront charges. And subprime buyers might not qualify.

Long story short: these are some bad, bad loans.

It’s so weird that companies like this can spend billions of dollars of other people’s money to disrupt industries by undercutting the incumbents who actually try to make money. Presumably, investors realize the prices for all these disruptive services will go up. But won’t that mean the disruptor becomes the disrupted (because profit margins are a vestigial novelty left over from the 19th century, natch)?

Published in No, Money Down! on

Populist Fallacies, Obamacare and

Jonathan Chait on how Trump Is Proving That Obama’s Legacy Will Survive:

It is not surprising that only this year did the Affordable Care Act become popular. The law’s unpopularity depended entirely on the existence of an imaginary alternative that was free of trade-offs. The populist fallacy that everybody can get better insurance for less money if only the government wasn’t run by morons is seductive. Obama’s wonkish explanations could not expose the fallacy’s hollowness. But the Republicans in power have proven excellent (if inadvertent) tutors.

Indeed, some of the most important subjects of the lesson have been the members of the governing party themselves, many of whom never bothered to grapple with the policy before. The Republicans have spent the year desperately trying to pass a repeal, even in the face of staggering public disapproval for their efforts, because they cannot admit their entire case against Obamacare has been built on a lie. “They can’t accept they’ve been promising something that is undeliverable and a bad idea for seven years,” a “well-connected former Republican aide” told a reporter.

On the one hand, this kind of cheerfulness can understandably be mistaken for Pollyanna-ish naïveté. Every time your side gets a win, you can’t pat yourself on the back and say “of course, it was always going to be fine.”

But on the other hand, look: I’m exhausted and it’s less than a year into Trump’s first term. The other day, I listened to three podcasts about the dangers posed by the North Korean nuclear ICBM program. I appreciate—no, I need—a little of Chait’s relentlessly positive mentality. It’s good to hope that no matter how hard the Trump Administration tries, it can’t roll back every bit of Obama’s legacy.

So while I still have the reflex to throw up my hands and say “there are no political consequences for anything anymore,” I want to think that Chait’s right. How can you have watched a Republican House, Republican Senate, and Republican President fail to repeal Obamacare, and not believe that our politics are at least a little tethered to reality? The proposed legislation was wildly unpopular, even more so than the existing legislation.

More Chait:

For eight years, Republicans drove themselves into a fever-pitch hysteria against the Affordable Care Act without bothering to learn how the law worked. Working from the premise that Obamacare was a uniquely ill-designed law — death panels! train wrecks! — they easily persuaded themselves and much of the country that Republicans could write something vastly better.

Half a year of Republican-run government has systematically exposed the right-wing arguments against Obamacare as bad-faith rhetoric or outright fantasy. One small-business owner, who told the New York Times in 2012 that he opposed the law as something jammed down the public’s throat, was re-interviewed this year. “I can’t even remember why I opposed it,” he now says.

It’s hard to argue with results in this case, but you have to wonder what the next year looks like.

Published in Shame About Those Death Panels Though on

Cybersecurity, One Weird Trick for

Last month, the WannaCry ransomware attack caused a lot of damage to computer systems worldwide, but it could have been worse. It was limited in large part because one security researcher noticed a web domain hard-coded into the WannaCry malware. When the researcher looked up the domain, he saw no one had registered it; and so he put down the ten bucks for it, figuring it might be important. It turns out that if the domain answered, WannaCry simply exited instead of encrypting users’ files and holding them for ransom.

A lot of outlets reported this web domain as a secret “kill switch” coded into WannaCry, but the anonymous security researcher wrote a fascinating essay titled How I accidentally stopped a global Wanna Decryptor ransomware attack:

The reason that was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to. A side effect of this is if an unregistered domain is queried it will respond as if it were registered (which should never happen).

I believe the malware creators were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox and the malware exits to prevent further analysis. This technique isn’t unprecedented: the Necurs trojan queries five totally random domains, and if they all return the same IP it exits.

However, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit… thus we unintentionally prevented the spread and further ransoming of computers infected with this malware.

Got that? Before your computer asks the internet for a server’s address, it checks a special file of its own. When you type barelylegally.com into your web browser, your computer first checks that special file, called a Hosts file, to see if it already knows what IP address barelylegally.com is. Spoiler alert: your Hosts file is almost empty by default (typically just an entry for localhost), so unless you added something by hand, your computer will end up asking the DNS servers what this site’s IP address is. And if nobody has registered a domain, the DNS servers answer that it doesn’t exist, and the lookup simply fails.

Security researchers (like Mr. I Stopped WannaCry By Accident) use software that creates a fake computer within their computer. That way, they can get their fake computer infected with viruses in a controlled environment, and see what they do, and inspect them forensically. All this without compromising a real computer.

However, many of these fake computers, called sandboxes, don’t let the virus talk to the real internet at all. They intercept that lookup step and answer every domain name, registered or not, with an address belonging to the sandbox, so the researcher can watch what the virus does next. (A Hosts file alone can’t do this, because it only lists names one at a time; sandboxes run a fake DNS service instead.) So the WannaCry author mashed his or her keyboard for a few seconds, came up with a super long and random-ish domain name, and assumed that the only way that domain could do anything but fail to load was if WannaCry was running in a sandbox.

Or if a security researcher registered the domain for ten bucks.
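To make the difference concrete, here is an added example (not code from the researcher’s essay, from the malware, or from any sandbox product) that models both checks with a pluggable name resolver so it runs offline. The domain, the sandbox address and the “registered” address are constructed stand-ins, and `.example` is used so nothing here is a real name. It shows why a single hard-coded domain is a kill switch in disguise, while the several-random-domains variant the researcher attributes to Necurs survives someone registering a domain.

```python
import random
import string
from typing import Callable, Dict, Optional

# A resolver maps a host name to an IP address, or None when the name does not
# exist (the NXDOMAIN answer real DNS gives for an unregistered name).
Resolver = Callable[[str], Optional[str]]

# Constructed stand-in for WannaCry's hard-coded domain; the real one is not reproduced here.
HARDCODED_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.example"

# Constructed: the address a sandbox's fake DNS service hands back for every lookup.
SANDBOX_SINK = "10.0.0.1"


def sandbox_resolver(name: str) -> Optional[str]:
    """Mimics a malware sandbox: every name, registered or not, resolves to the sandbox."""
    return SANDBOX_SINK


def make_internet_resolver(registered: Dict[str, str]) -> Resolver:
    """Mimics real DNS: only names in `registered` resolve; everything else is NXDOMAIN."""
    def resolve(name: str) -> Optional[str]:
        return registered.get(name.lower())
    return resolve


def single_domain_check(resolve: Resolver, domain: str = HARDCODED_DOMAIN) -> bool:
    """WannaCry-style test: one fixed, supposedly unregistered domain.
    Returns True when the malware would conclude it is being analysed and exit."""
    return resolve(domain) is not None


def random_domain(rng: random.Random, length: int = 16) -> str:
    """A fresh throwaway name (random lowercase label under .example) nobody has registered."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length)) + ".example"


def multi_domain_check(resolve: Resolver, count: int = 5, seed: int = 0) -> bool:
    """Necurs-style test: several random names; if all resolve to one address, assume a sandbox.
    Registering a single domain cannot trip this, because the names differ on every run."""
    rng = random.Random(seed)
    answers = {resolve(random_domain(rng)) for _ in range(count)}
    return len(answers) == 1 and None not in answers


def demo() -> Dict[str, bool]:
    """Run both checks against three worlds: a sandbox, and the internet before and after
    the researcher registered the hard-coded domain (192.0.2.10 is a constructed address)."""
    before = make_internet_resolver({})
    after = make_internet_resolver({HARDCODED_DOMAIN: "192.0.2.10"})
    return {
        "single/sandbox": single_domain_check(sandbox_resolver),      # True: exits, as intended
        "single/internet_unregistered": single_domain_check(before),  # False: ransoms the victim
        "single/internet_registered": single_domain_check(after),     # True: every infection now exits
        "multi/sandbox": multi_domain_check(sandbox_resolver),        # True: exits, as intended
        "multi/internet_registered": multi_domain_check(after),       # False: one registration changes nothing
    }


if __name__ == "__main__":
    for name, sandboxed in demo().items():
        print(f"{name:30} -> {'exit (thinks sandbox)' if sandboxed else 'run payload'}")
```

The single-domain check is only as secret as the domain, and the domain sits in plain view inside every copy of the malware; the random-name version has no single thing a defender can register, which is why it is the harder design to neutralise from the outside.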

One more thing

In addition to checking to see if they’re running in a sandbox, viruses usually check to see what they’re supposed to be doing once they’ve infected a computer. They need their instructions: send out millions of spam emails for one client, mine a whole bunch of bitcoins for this other client, etc. Viruses do this by talking to control servers, and you’ll never guess where Russian spies are hiding the address of their control servers:

According to a report published Tuesday by researchers from antivirus provider Eset, a recently discovered backdoor Trojan used comments posted to Britney Spears’s official Instagram account to locate the control server that sends instructions and offloads stolen data to and from infected computers. The innovation—by a so-called advanced persistent threat group known as Turla—makes the malware harder to detect because attacker-controlled servers are never directly referenced in either the malware or in the comment it accesses.

Basically, the people who want to control a botnet put a specially-coded comment on one of Spears’s photos. The comment looks innocuous to the human eye, but infected computers recognize it, decode the hidden pointer inside it, and use that to find the server that hands out their instructions. Nothing in the comment or in the malware names the server directly, which is what makes it so hard to block.
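The comment trick lends itself to a small worked example. ESET’s analysis described the real comment as carrying invisible zero-width joiner characters (U+200D) that mark the letters of a short link leading to the control server. The code below is an added illustration, not Turla’s code or ESET’s: its cover text, its token and its exact marking rule are constructed for this page, and the token stands in for the link path an implant would go on to fetch. It shows the encoder, the decoder an implant would run, and the one-line screen a defender can run over comment text.

```python
import re

# U+200D, the zero-width joiner: legal in text, rendered as nothing at all.
ZWJ = "\u200d"

# Constructed cover text and hidden token (not Turla's actual comment or link).
COVER = "2 hot! keep doing this, u r so awesome, hugs xx"
TOKEN = "2kdhux"


def hide_token(cover: str, token: str) -> str:
    """Mark the characters of `token`, in order, by placing a zero-width joiner
    immediately before the next matching character of `cover`. The rendered text
    is unchanged; only the invisible markers are added."""
    pieces = []
    cursor = 0
    for ch in token:
        idx = cover.find(ch, cursor)
        if idx == -1:
            raise ValueError(f"cover text cannot spell token character {ch!r}")
        pieces.append(cover[cursor:idx])
        pieces.append(ZWJ + ch)
        cursor = idx + 1
    pieces.append(cover[cursor:])
    return "".join(pieces)


# What the implant looks for: a word character that immediately follows a marker.
MARKER_RE = re.compile(ZWJ + r"(\w)")


def extract_token(comment: str) -> str:
    """The implant's side: pull out the marked characters, in order."""
    return "".join(MARKER_RE.findall(comment))


def as_rendered(comment: str) -> str:
    """What a person (or a moderator skimming the page) sees."""
    return comment.replace(ZWJ, "")


# Defender's side: zero-width and similar invisible format characters have no business
# in an ordinary comment, so counting them is a cheap screen for this kind of covert channel.
INVISIBLE_RE = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")


def count_invisible(text: str) -> int:
    return len(INVISIBLE_RE.findall(text))


if __name__ == "__main__":
    posted = hide_token(COVER, TOKEN)
    print("renders as  :", as_rendered(posted))
    print("implant gets:", extract_token(posted))
    print("invisible chars:", count_invisible(posted))
```

The screen is deliberately blunt: a handful of zero-width characters is normal in some scripts and in emoji sequences, so treat a hit as a reason to look, not a verdict. What it does catch is exactly the property the Ars quote highlights, a comment that reads as chatter but carries structure a machine can parse.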

Published in Fear of a Bot Planet on

Market-Based Solutions

Craig Garthwaite, a professor of strategy and healthcare at Northwestern University, on why replacing Obamacare is so hard: it’s fundamentally conservative.

Republicans are engaged in a brutal civil war between hard-liners and moderates as they struggle to craft legislation to repeal and replace Obamacare. The episode invites an almost existential question for the GOP: Why, after seven years of nearly endless war against Obamacare, is the party unable to deliver a more conservative policy that provides access to health care to a similar number of Americans?

As a life-long Republican who has spent months contemplating this question, I’ve come to an answer that will be hard for many conservatives to swallow: Passing an Obamacare replacement is difficult because the existing system is fundamentally a collection of moderately conservative policies.

Garthwaite’s op-ed is a nice recitation of the philosophical reasons conservatives should be comfortable supporting a market-based healthcare system like Obamacare. However, it doesn’t delve into the parentage of Obamacare, or why the DNA of the bill is so amenable to conservative principles.

For example, the right-leaning Heritage Foundation think tank consistently advocated for implementing the sorts of health insurance exchanges core to Obamacare, as recently as 2006. As governor of Massachusetts, Mitt Romney signed into law and implemented health insurance reform that looks awfully like Obamacare’s.

Fact is, there are a lot more reasons Congressional Republicans could support the health care law than ‘Reagan thought government could do stuff okay sometimes.’

Published in Dog Bites Car Stories on

Adventures in Money Laundering

Alastair Pal for Reuters UK: Fake online stores reveal gamblers’ shadow banking system.

The seven sites, operated out of Europe, purport to sell items including fabric, DVD cases, maps, gift wrap, mechanical tape, pin badges and flags. In fact, they are fake outlets, part of a multinational system to disguise payments for the $40 billion (31.6 billion pounds) global online gambling industry, which is illegal in many countries and some U.S. states.

The findings raise questions about how e-commerce is policed worldwide. They also underline a strategy which fraud specialists say regulators, card issuers and banks have yet to tackle head-on.

Okay, so it’s no great surprise that even though online gambling is illegal in many places, including some U.S. states, it’s still possible to find web sites that’ll take your money. That’s not news. What’s interesting about this story is how they take your money. Gambling sites set up stores that accept real money for fake goods, laundering the funds:

In December, a reporter placed an order for a yard of burlap cloth on one of the sites, myfabricfactory.com, a website run by a UK company called Sarphone Ltd. The fabric, advertised in U.S. dollars at $6.48 per yard, has “many uses including lightweight drapes,” the website says. Sarphone did not respond to requests for comment.

This order went unmet. After a few weeks an email from My Fabric Factory arrived saying the product was out of stock. The payment was refunded.

The most surprising thing about this is that it sounds like regulators largely rely on credit card processors to self-report gambling transactions.

Published in The Ol' Burlap Switcheroo on

The Other Lisa S. Davis

Lisa Selin Davis, in the Guardian: For 18 years, I thought she was stealing my identity. Until I found her:

In 2013, my license was suspended again, this time for an unpaid ticket from 2012, for “Drive Cell Phone”, as the officer wrote. Like an addict, I cycled through every tactic with the DMV: charm, threats, shame; I tried begging and berating them. Once again, I pleaded guilty and paid a fine to get my license back, and once again I filled out the “Unauthorized Use” form.

Finally, the DMV told me that I wasn’t the victim of identity theft; there was simply another Lisa S Davis with the same birthday in New York City. Our records were crossed. When cops run a license, they don’t check the person’s address, signature, or social security numbers. They check the name and the birthday, and both the other Lisa S Davis’s and mine were the same. We were, in the eyes of the law, one person, caught in a perfect storm of DMV and NYPD idiocy.

When I visited the board of elections office in downtown Brooklyn, they told me the same thing. Lisa S Davis and I: we were one.

Come for the tale of outdated government IT, stay for the white Lisa S Davis thoughtfully checking her privilege.

Published in I smell a sitcom, folks on