Weird
This doesn't sound like your usual case of embezzlement.
Taking massive amounts of cash to buy tons of shiny, with the inevitable result of jail time, sounds more like there's something seriously wrong with that person, beyond criminality.
A now-former HP finance planning manager pleaded guilty on Wednesday to charges of wire fraud, money laundering, and filing false tax returns that follow from the misappropriation of company funds. According to the US Justice Department, Shelbee Szeto, 30, of Fremont, California, worked at HP Inc from August 2017 through June …
There's a psychological pathology at work, at any rate. I've seen this in other cases, where people embezzle recklessly, with little or no realistic hope of getting away with it. It seems to be compulsive.
There was a somewhat similar case where the company treasurer for a Michigan firm embezzled millions for a 419 scam. You might think someone in that position would have to be able to recognize a 419 — it's not like they're sophisticated — but she just kept pumping company funds into it.
I've seen this many times. At least this one made some effort to conceal her tracks but apparently got a bit greedy with the $330K purchase. I've seen this in governments. Local government employees are given PCards and the finance office is not tracking or requiring expense reports. The employees just start buying stuff for themselves, and eventually the money adds up, a change in government brings attention to spending, and the employees end up arrested. With the inevitable employee response: "I didn't know this was not allowed!"
I understand how she faked documents for HP, and assuming they were done well, HP wouldn't know that her charges were false. However, if I'm understanding correctly, these payments were expected to be paid to a supplier, so how did she avoid the supplier complaining about not being paid? I would have thought that, after every supplier she handled started reporting late or nonpayment, someone would have checked on it if only to prevent angry suppliers. Somehow, this worked for three years.
There's no way she can actually make amends. But she can "try", totally unsuccessfully.
Trying to make amends is a mitigating factor in sentencing. So the lawyer is doing their best for their client, by publicly claiming this mitigating factor in the hope that their client gets a shorter sentence.
Well, first on the list is selling all the stuff she bought with stolen money and giving the proceeds back to HP.
Which will obviously not suffice because the stuff is no longer new, so it'll be sold at a markdown which might be quite important.
Second is her spending the rest of her life remembering that time she had it all only to squander it and find herself cleaning toilets.
Because she will never be given a company card again, that's for sure.
Second-hand car prices are certainly ridiculous at the moment. The old battered 107 that we bought for our daughter about 5 years ago (pre-dented) was just written off by the insurers after a local moron smashed into it while it was parked outside our house. We retained it from the insurers (re-MOT'd it) and accepted their settlement figure, which, even after they'd deducted the scrap value, was still higher than we'd paid for it when we bought it. So we still have the car, with an extra dent, and received more for it than we paid. And our daughter is still driving it round uni.
When she starts work at a well known multinational computer company in the Autumn we'll give her the insurance money to buy a nice new(er) car. By which time she'll have had 6 years of driving use from the old banger.
Watches could certainly be sold at more than retail (I just had a valuation for insurance, and my good watch, which is nearly 20 years old, was valued at nearly 1.5x the cost of a new one... people will pay a premium and get a used watch now rather than sit on a waiting list for years to get a new one).
I never have understood the fascination some "people" have for useless bling like Gucci bags. I'm much more into "is it functional?" than "is it brand name?"
But then again, I'm not trying to impress anyone at 57 years old. It isn't like I'm out cruising the bars in a town of 15,000 people, or that designer suits would impress the local hicks. More likely get your sorry butt beaten in an alley for being a snob. :)
Bling is functional. Veblen goods provide social signalling and satisfy psychological cravings that some people are susceptible to acquiring under exposure to certain cultural artifacts.
Those may be functions you don't care about. Good for you; that's one (small) part of acting like a relatively efficient economic agent. It's a quirk of psychology, though. Nothing more.
I'm not interested in Veblen goods either. Some people — and I'm not saying you're one — regard that as some sort of moral superiority, and I think that's mistaken; it's far more complicated.
I'm very much of that opinion. "Street credibility" doesn't of itself equate to real-life value. When the kids were little I drove a Berlingo. Think box on wheels, with potential to convert from car to van in minutes. Tons of space for kids' travel cots, toys and what-have-you. Street credibility, style and stuff like that = 0%.
Practicality = 100%.
I was rather in shock when I tripped over a coworker's $110,000 embezzlement scheme issuing checks to vendors using their ID numbers and then changing the payee info to her own. She was a piker compared to this one! Still, she got 2 years Federal time, then had the gall to use my name as a professional reference once she got out. I suggested the prospective employer check her criminal background and then lock the doors.
The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).
OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).
But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.
TikTok, owned by Chinese outfit ByteDance, last month said it was making an effort to minimize the amount of data from US users that gets transferred outside of America, following reports that company engineers in the Middle Kingdom had access to US customer data.
"100 percent of US user traffic is being routed to Oracle Cloud Infrastructure," TikTok said in a June 17, 2022 post, while acknowledging that customer information still got backed up to its data center in Singapore. The biz promised to delete US users' private data from its own servers and to "fully pivot to Oracle cloud servers located in the US."
That pivot has not yet been completed. According to a June 30, 2022 letter [PDF] from TikTok CEO Shou Zi Chew, obtained by the New York Times on Friday, some China-based employees with sufficient security clearance can still access data from US TikTok users, including public videos and comments.
Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances.
The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.
This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.
Blockchain venture Harmony offers bridge services for transferring crypto coins across different blockchains, but something has gone badly wrong.
The Horizon Ethereum Bridge, one of the firm's ostensibly secure bridges, was compromised on Thursday, resulting in the loss of 85,867 ETH tokens optimistically worth more than $100 million, the organization said via Twitter.
"Our secure bridges offer cross-chain transfers with Ethereum, Binance and three other chains," the cryptocurrency entity explained on its website. Not so, it seems.
Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.
The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.
As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.
Google has reportedly asked the US Federal Election Commission for its blessing to exempt political campaign solicitations from spam filtering.
The elections watchdog declined to confirm receiving the supposed Google filing, obtained by Axios, though a spokesperson said the FEC can be expected to publish an advisory opinion upon review if Google made such a submission.
Google did not immediately respond to a request for comment. If the web giant's alleged plan gets approved, political campaign emails that aren't deemed malicious or illegal will arrive in Gmail users' inboxes with a notice asking recipients to approve continued delivery.
The UK government is upping the ante in attempts to have Arm listed on the London stock exchange, with reports suggesting it is considering the threat of national security laws to force the issue with owner SoftBank.
According to the Financial Times, the British administration is considering whether to apply the National Security and Investment Act (NSIA), which came into force at the start of the year, in a bid to have SoftBank change its mind over listing Arm exclusively on the Nasdaq in New York, as it has previously indicated.
The FT cites the usual "people familiar with the matter", who indicated there had not yet been a formal debate over using national security legislation, and the idea was opposed by some government officials.
The latest security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure.
But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.
"Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."
Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.
The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.
The Directions were roundly criticized by tech lobby groups, which pointed out that requirements such as compelling clouds to store logs of customers' activities were futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is less able to influence such outfits.
Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.
In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.
Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.
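The "zero trust applied to APIs" idea above, made concrete as an added example (this is not code from the Systems Approach post, the SDN book, or any product it mentions). Every request to the backend must carry a short-lived, HMAC-signed identity token and is authorised per route; the caller's network address is deliberately ignored, so reaching the backend from an "internal" address grants nothing, which is exactly what a perimeter-only model gets wrong. The token format, the issuer key, the route-to-scope policy and the sample requests are all assumptions constructed for the example.

```python
"""Zero-trust style per-request authorisation for an API backend.

Added illustration, not the post's own code. The token format
(base64(claims) '.' base64(HMAC-SHA256(claims))), the key, the routes and
the sample requests are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json

# Hypothetical key shared between the token issuer and this backend (assumption).
ISSUER_KEY = b"example-issuer-key-do-not-use-in-production"

# Hypothetical policy: the scope each route requires (assumption).
ROUTE_SCOPES = {
    ("GET", "/v1/accounts"): "accounts:read",
    ("POST", "/v1/transfers"): "transfers:write",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl: int, now: int, key: bytes = ISSUER_KEY) -> str:
    """Mint a token whose claims are bound to an HMAC over their exact bytes."""
    claims = json.dumps({"sub": subject, "scopes": scopes, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(key, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(sig)


def verify_token(token: str, now: int, key: bytes = ISSUER_KEY):
    """Return the claims if the token is well-formed, untampered and unexpired, else None."""
    try:
        claims_b64, sig_b64 = token.split(".")
        claims = _unb64(claims_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        return None
    parsed = json.loads(claims)
    if parsed.get("exp", 0) <= now:
        return None
    return parsed


def authorize(request: dict, now: int) -> tuple:
    """Decide (allowed, reason). request = {method, path, headers, remote_addr};
    remote_addr is carried only to show that it plays no part in the decision."""
    required = ROUTE_SCOPES.get((request["method"], request["path"]))
    if required is None:
        return False, "unknown route"
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "no credential"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return False, "invalid or expired token"
    if required not in claims.get("scopes", []):
        return False, f"missing scope {required}"
    return True, f"allowed for {claims['sub']}"


def demo(now: int = 1_700_000_000) -> list:
    """Run constructed requests (made-up inputs) through the authoriser."""
    reader = issue_token("svc-reporting", ["accounts:read"], ttl=300, now=now)
    stale = issue_token("svc-reporting", ["accounts:read", "transfers:write"], ttl=300, now=now - 600)
    # Forgery attempt: widen the scopes in the claims but reuse the old signature.
    forged = json.dumps({"sub": "svc-reporting", "scopes": ["accounts:read", "transfers:write"],
                         "exp": now + 300}, sort_keys=True).encode()
    tampered = _b64(forged) + "." + reader.split(".")[1]
    requests = [
        # a perimeter model would wave this through: internal address, no credential
        {"method": "GET", "path": "/v1/accounts", "headers": {}, "remote_addr": "10.0.0.5"},
        {"method": "GET", "path": "/v1/accounts", "headers": {"Authorization": "Bearer " + reader}, "remote_addr": "203.0.113.7"},
        {"method": "POST", "path": "/v1/transfers", "headers": {"Authorization": "Bearer " + reader}, "remote_addr": "10.0.0.5"},
        {"method": "POST", "path": "/v1/transfers", "headers": {"Authorization": "Bearer " + stale}, "remote_addr": "10.0.0.5"},
        {"method": "GET", "path": "/v1/accounts", "headers": {"Authorization": "Bearer " + tampered}, "remote_addr": "10.0.0.5"},
    ]
    return [authorize(r, now) for r in requests]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only the second request succeeds: the credential-less call from 10.0.0.5 is refused, the read-only token cannot post a transfer, the expired token and the re-scoped claims with a stale signature are both rejected, and the external address of the one successful call never enters the decision. That per-request, identity-and-scope check is the part of "zero trust" that actually does work for APIs; it does not by itself address rate limiting, input validation or the security of the issuer, which is where the "wave a wand" expectation breaks down.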
Biting the hand that feeds IT © 1998–2022