Aetheric Research, Ltd.

For the sake of completeness, I tender for the consideration of the masses the following “tips”–though that’s hardly the right word–on the basic rules of staying safe online.  It’s worth noting that simply providing ‘tips’ as though safety was merely something to ‘keep in mind’ is really not enough; if you want to be safe, you have to make a comittment to safety and security.  Avoiding hazards is not a result of anything other than close and careful attention to everything that you do online.  Accordingly:

• Think before you click.  Especially on windows or error messages that pop up, think about what you’re doing before you click any part of it–especially before clicking a “yes” button.  Especially for Windows users, Microsoft has done a great disservice by spawning endless annoyance windows that have ingrained auto-agree behaviors into people’s minds–and hence allowed more than a few trojans into people’s computers.  Hovering the pointer over hyperlinks in webpages will display the URL that it leads to at the bottom of the browser; pay attention to this, to make sure you want to go where the link leads you.  Actually read error messages that show up, and if you’re going to be placing a support call about them, write down the exact wording; error messages exist for a reason–to tell people exactly what is wrong.
• Turn off automatic running and previewing ‘features’ on everything.  Yes, it’s a great convenience for the user to be able to pop a CD in a drive and have it automatically run a program.  It’s a great convenience for you to have your email show up without having to open it up.  It’s also an incredible convenience for anyone wanting to install some breed of malware onto your system–especially if you should happen to not pay attention to the previous bullet point and automatically click the ‘authorize’ button on any warnings that may appear.  True, turning off these features is a hassle, and results in more work; however, it’s less of a hassle to open emails and CDs by hand than to try to take back a stolen identity–especially if your identity is worth stealing, you may still be fighting that for decades.
• Use different passwords for different things.  A plurality of people, even after several highly-pubicized compromises of password information, remain lazy in their password discipline.  If you use different passwords on different sites, the only account that will be compromised in the event of a break-in on that site will be the one associated with that site.  Simply adding a letter or a number is not good enough, either; there are numerous tutorials online about how to choose secure passwords, and there are numerous tools available to help manage them.
• Turn on automatic updates for your operating system and for your antivirus program.  The only people who should not automatically run those updates are administrators of large corporate networks; they have to test patches before the patches are applied to production systems, and as such have means in place to control the updating of the systems under their charge.  Unless you are a systems and networks administrator for a large business or enterprise network, there is little to no reason not to keep the updates on automatic update.  The vast majority of malware is filtered out by simply keeping your system up to date and by paying attention to what you allow to run; the first filters out the majority of hostile software that relies on exploiting weaknesses in the operating system; the second filters out trojans masquerading as something else.
• Do not forward chain emails.  Yes, that means that the cute bunnies that someone sent you will not be sent to your Aunt Martha from your email address–however, it’s more than likely that those cute bunny pictures exist somewhere online.  The folks at Tineye have built a search engine for figuring that sort of thing out; find out where the pictures originally came from there, and send the link to your Aunt Martha.  This keeps her inbox from filling up; this gives credit to the original content creators; and this gives less opportunity for hostile software to spread.
• Turn off HTML emails.  Yes, plain text emails are boring, but they’re also safe.  If your email requires pictures and animations and other flashy things, then what you require is a website or a blog, not an email.  Viruses cannot spread through plain text.  Besides–if what you say doesn’t work without a cute font and a bunny picture, it probably wasn’t worth saying to begin with.
• There Ain’t No Such Thing As A Free Lunch.  Anyone offering you an “amazing deal” is probably trying to scam you.  If the price for a product or service that you’re seeing is more than a few percent away from the price elsewhere, then it’s probably not legitimate.  
• Never–never–NEVER–buy anything at all from an email that you did not specifically solicit.  Especially not ‘discount pharmaceuticals’ or whatnot.  There are more than enough legitimate sources for anything that is sent out in spam emails–and any email that shows up from any source that you did not make first contact with is spam.  Not only will buying these goods likely result in identity theft, but you are financing organized criminal operations, and you are putting yourself in danger of being clubbed to death by an irate mail administrator.  Do not click, do not open, do not reply that you want to be ‘taken off the mailing list’–if your mail provider offers a ‘mark as spam’ button, use that, or delete it.  The only reason spam continues is because it is profitable, and it only takes one or two people to buy something forit to remain profitable.
• Think before you click.  Again.  If you have to think about whether you should click something for more than a few seconds, then the answer is likely that you should leave it alone or deny it permission.  If you still aren’t sure, then find someone who does this manner of thing for a living and ask their advice–you’ll get a much better answer if you compensate them in some fashion for their time.  

The internet is a massive convenience, and is rapidly becoming entirely necessary for societal function.  Like any other place where people gather, there is danger of crime; just like walking through a bad part of town, keep your eyes open and your wallet hidden, and you’ll likely avoid any hazards.

Various occupations have bits and pieces of folklore associated with their work–gremlins, from last week’s FFF, were originally a tale told by pilots and aircraft mechanics before they were fuzzy creatures with a problem with midnight snacks.  The computer world is no exception; various technical occupations have their own bits and pieces of folklore that are handed down over time and which fill the same kind of explicative niche for these people as the gremlins did for mechanics.

The Aura of Competence is an experience common to most support technicians who have worked in the field for any length of time.  The support tech will show up to fix a problem that the customer has reported, and the simple act of showing up is “enough” to make things run smoothly again.  

Numerous “explanations” for this effect exist–some of which involve notional particles called “bogons” which are charge-carriers for “bogosity,” the principle that makes things break down.  The highly selective nature of this kind of entropy nearly always strikes certain select users, and always at times when they were “not doing anything, [they] swear!”

Presumably, the technician acts much like the moderating medium in a nuclear reactor, then, and inhibits the bogon flux, thus allowing the machine to operate smoothly again.

Another variation is when a process (registering someone on a website, say, or printing a document) continually fails, and no amount of coaxing by the user will make the process successfully complete.  Again, the technician shows up and either performs the “exact same” actions, or watches the user do so–and the process succeeds.  The user will generally protest that it had only “just” started working when the technician showed up.

This variant is rather like the koan of the LISP machine, in that the process will only work when someone of sufficient understanding is present.  

This effect may be found in other sufficiently technical disciplines, whenever there is equipment whose functioning is beyond the ability of a layman to fully understand.  Rationally, the users in all the above cases must not have observed some difference in the machine’s setup or the procedure; however, users are not usually very rational and will seek to rationalize that the technician’s presence must have had some kind of magic effect.  Accordingly, it may be in the technician’s professional best interests to play along; users tend to become more than a little resentful if they’re informed that the problem is all in their head, and some of these users may write the technician’s paycheck.

Running software development projects ‘in the cloud’ has several barriers that traditional development projects do not face.  First, regardless of the project, you’ll need someplace to keep the files when you’re not working on them; most “cloud storage” currently is biased towards either backups or towards documents; obtaining a URI to work with a project from one cloud on a service hosted in another cloud is rather like pulling teeth.  This barrier can be overcome with some careful work (or a solution that I’m currently developing), but in the meantime, ShiftEdit has some useful features.

ShiftEdit is a PHP editor with the typical syntactical highlighting, automatic indenting, and paren-completion that developers have come to expect from traditional IDEs.  It has a clean interface and works well enough on the CR-48 to be worth using.  Most critically, beyond the FTP retrieval of object files that other competitor products provide, ShiftEdit allows for SFTP and SVN.  

The SFTP access can be leveraged to obtain files from any server that you have SSH access to; read/write may be a little slow (depending on the server) but it works well enough.  The SVN access does not yet support SVN+SSH, but the developer assures me that this capability is in the works.

ShiftEdit is still very much in active development; the developer takes the time to respond to queries about the status of the project and to trace down any errors that may occur.  

Things I like: clean, useful interface; built-in versioning; under active development

Things I dislike: not enough documentation

Things I would change: adding SSH+SVN, perhaps adding a little storage on the server for small projects

Edit:  Ok, make that VERY active development.  It looks like SSH+SVN was added while I wasn’t looking.  Even more recommended now. :-)

The Examiner reports yet more fallout from the HBGary Federal leak: agencies of the US Government contracted with them to deliver “persona management” software that would enable the creation of, and use of, ten profiles per user with all the associated details required to make them appear to be independent, legitimate users.

Using “sockpuppet” accounts to build the illusion of a greater level of support on a given topic than actually exists is nothing new.  ”Alt” accounts are a fine old tradition, refined to an art by generations of trolls, and the techniques discussed by HBGary for ‘legitimizing’ their existence are largely unnecessary and overly complex.  Ultimately, any use of this program, absent some genuine talent for trolling on the part of the operator, is going to be doomed to failure.

First, when attempting to sockpuppet or astroturf a position as several different people, one’s writing style has to be disguised.  Spotting someone’s characteristic ‘fist’ is not easy, and is not an exact science, but there are many cues that will tip off the careful and attentive reader–characteristic typos, for instance, or idiosyncracies of punctuation.  Few people make their posts in exact accordance with the AP Stylebook–and those posts would themselves be highly characteristic.  Word choice, too, makes a significant difference–the English language vocabulary is large enough and contains enough synonyms for different shadings of words that word choice can often reflect the mental state of the person writing.

Secondly, using multiple personas will lead to mistakes.  It is inevitable that, when managing multiple personae, slipups will happen–this happens even to the best trolls, and is a significant factor in catching them.  All it takes is for one persona to display knowledge that the would not reasonably have as that persona, and suspicions will arise; pulling the thread will unravel the whole thing as previously unnoticed inconsistencies come to light.

Thirdly, most people are not going to bother researching the “full background” of every person they argue with on the internet.  While the facebook/myspace/etc profiles may be consistent and hang together under casual scrutiny, almost by definition the only time someone will be likely to investigate ‘em is if they’re suspicious already–at which point, various indicators (apparent monomania over a subject, lack of internet presence before a certain date, etc.) will clue in the careful investigator to the sockpuppet nature of the poster.

Fourth, approaching people with personas generated from old classmates is one of the oldest scams in the book, and the method for defeating it is so well-known as to form a trope–the “false memory gambit.”  Asking the so-called classmate, “Hey, do you remember back when such-and-such happened?” where the event described did not, in fact, happen (or, for more subtlety, did happen but they weren’t involved) is a trivially easy means of establishing identity–the “shared secret” forms the basis of many systems of cryptography.  Getting around that requires a true master of social engineering–and given HBGary’s demonstrated failures in that realm, it’s unlikely that they would be able to communicate to the software users any sort of expertise in this field.

Fifth, the IP roulette described is bound to cause difficulties.  Maintaining a static IP per persona is a reasonably good idea, albeit wasteful of IPs and unlikely to make much difference–most users of most fora are unaware of the IPs that any individual users may have; those are usually only available to administrators.  The “bank of proxy IPs” is more or less equivalent to using a TOR proxy; those will likely all be quickly flagged by administrators as being proxy IPs and, accordingly, banned.

Finally, if your propaganda message requires astroturfing and sockpuppeting to get out, there are far more effective ways of doing it (not the least of which is “writing a better propaganda message”) than sitting a bunch of airmen down to try to troll internet fora.  Single strong personalities will get far better results than a lot of shallow sockpuppets–especially given that each user is, according to that plan, responsible for ten alts apiece, the personalities and posting history of each will be, of necessity, very thin.  While this approach may fool the “Sarah Lou” school of users, it’s unlikely to work for any length of time on any messageboards with enough population to sustain such an interruption.

(And then, of course, there are always professional astroturfing agencies that already have the expertise to pull ths off properly–once again, HBGary was trying to reinvent the wheel.)

Ars reports that further examination of the leaked HBGary correspondence reveals that one of the focuses of their work was in developing rootkits that would bypass detection from existing antivirus products and would be capable of forwarding keystroke logs past existing firewalls.

Rootkits are a special kind of malware.  Most malware is written to take advantage of various holes in the operating system; some trojans convince users to open such a hole ‘voluntarily’.  Rootkits attempt to bypass a large portion of the operating system, generally by providing administrative access to low level portions of the system’s running code–in the case of the HBGary ‘products’ this would be the Windows kernel, the ‘supervisor’ program that orchestrates all the other programs.  Rootkits act to subvert and redirect portions of the operating system; by modifying certain system functions, they both cloak their presence from the user and act to allow elevated or hidden access to the interloper.

HBGary is not the only ‘legitimate’ firm to make use of rootkits; a little over five years ago, there was significant outcry due to Sony installing a rootkit via an autorun vulnerability on users’ computers as part of a copy protection scheme.  This was rather a PR disaster for Sony; as part of the rootkit’s function, certain files–those starting with “$sys$”–were hidden from users; this provided significant opportunity to other malware vendors to install various kinds of viruses and the like to the systems that Sony compromised.

Detecting rootkits is inherently a very difficult task.  Usually, rootkits can hide themselves from conventional antivirus products (HBGary’s boasts about lack of detection from the standard AV products reveal only very base malware writing competency, as this is a required feature for any new malware) by subverting the runtime environment of the system; hence, no program running on the system can be trusted to reveal a new infection–detection is most reliably accomplished by booting from a ‘trusted’ operating system, one that runs on a read-only medium.  

Cleaning up after a rootkit is an onerous task; generally, the safest method to use will be to wipe the system and restore from a known-safe source.  In the case of known rootkits, AV vendors tend to be very quick to update their signatures–once a rootkit is known to be in the wild and has been detected, then the method by which it can be detected and removed will be quickly determined and distributed.  

Needless to say, any use of rootkits is ethically suspicious–the use of malware as a weapon for espionage is a logical one, but given HBGary’s demonstrated lack of competence in other fields, no confidence as to the proper targeting or usage of said malware can be assumed.  Additionally, holding onto a collection of OS security flaws rather than providing them to the vendor for a fix is ethically unsound; Microsoft, especially, is already very lackluster about fixing known security flaws; reporting these holes would likely do little to impact their business, especially as al-Qaeda is hardly likely to be running the latest patches on their systems.

Defending against HBGary’s rootkits would be relatively simple for a competent corporate network security administrator with access to a proper IDS or IPS; the network traffic “disguised as ad clicks” would be readily apparent moving across the network and could be blocked and mitigated at that level.  Home users would find detection and removal to be more difficult, having fewer resources, but little damage would likely be done–especially as any destination server for extracted traffic would be very quickly closed down by interested parties.

All in all, rootkits are just another unsavory part of HBGary’s product line; presumably, at least some of these have been leaked along with the emails, so it would be in HBGary’s best interest as a company to either dissolve quickly or report the full contents of their “inventory” to antivirus and OS vendors–otherwise, when, inevitably, their “products” are used for the usual criminal reasons, HBGary will end up being sued–and it is doubtful that they will be able to handle the inevitable suits as well as Sony was able to.

Gremlins first came to the notice of the public from stories of military pilots who claimed to see small creatures causing mishaps with their machines.  Various media have portrayed these agents of entropy ever since, usually in the context of airplanes but sometimes sinking their fangs into other complex machinery.  

In the Information Age, Gremlins would find that their activities would not impact things quite so much as formerly.  With the variety of sensors and diagnostics available, the old standards of severing cables and cutting hydraulic lines would not be as effective; the activity would not go unnoticed, given the ever-watchful ‘eye’ of various processors that are built into engines specifically to counter any such problems.

However, these very same processors give the Gremlin far more opportunity for their shenanigans; being much smaller scale and more vulnerable to interference, a light touch can go a long way towards interrupting vital processes in a way that is even harder to diagnose and repair than it would otherwise be.

The advent of computers in the office grants them even more opportunity, for the paradigm that the computer enables allows for entire new catagories of chaos.  Viruses and worms could well be their agents of interruption, wreaking havoc with the vulnerable hardware and software and causing more work for the IT analogues of the mechanics of old.  

It may well be that gremlins have infiltrated the offices of Microsoft and other large software vendors–new vulnerabilities come out every week for Microsoft products, but those operating systems based on technology developed before gremlins began to take an interest in computers (and those which are open-sourced and hence have fewer opportunities for a sly tweak of a bit here and there, given the number of eyes watching for that) are less influenced by their attentions.

Given the patterns of virus distribution, it may well be that gremlins’ natural habitat has moved to China, Russia, and other less-industrialized nations–this is perhaps unsurprising, given that the older machinery with which they are familiar may still be in use in some of those locations.  

Perhaps the strongest indicator of gremlin activity may be the Stuxnet worm:  beyond simply infecting systems and slowing or stopping them, the Stuxnet worm caused actual damage to machinery–damage that was difficult to fix and in a location that required deep disassembly, a hallmark of gremlin infestation.  That the worm spread far beyond its “target” is, perhaps, a testament to their other work in finding vulnerabilities–and if it were the work of gremlins, then other examples will be likely to show up in the future.

The internet’s ability to camoflage identity may well assist the gremlins in their work.  Their natural love of mischeif could well result in the sort of childish pranks popularly assigned to ‘hackers’ and the like; their elusive, shifty nature meshing well with the milieu involved.  A large part of Anonymous could well be gremlins, recruiting various regular people to camoflage their operations and to extend their troublemaking to the real world.

Gremlins would mesh quite well with the modern world, so long as they kept up with new technology, and would likely achieve some remarkable successes in troublemaking.

Having acquired some lovely large asian pears at a fruit stand, I decided to make pear bread this past week.  The recipe is as follows:

3c flour
1/4 teaspoon baking powder
1 teaspoon baking soda
1 teaspoon salt
1 tablespoon ground cinnamon
3/4 cup vegetable oil
3 eggs
2 cups white sugar
2 cups grated pears
1 cup chopped pecans (optional)
2 teaspoons vanilla extract

The dry ingredients are mixed together, then the wet ingredients–grate the pears directly into the wet ingredient mixture.  Preheat your oven to 350 F, and grease and flour either two loaf pans or a 9×13 pan–the loaf pans are more along the lines of how it ‘should’ be, but it still works well enough in the 9×13.  Bake for ~50 minutes, with the usual knife-to-the-center test for done-ness.  

Be sure to try it warm, fresh from the oven–it’s absolutely spectacular this way.

I was recently asked what steps would need to be taken to maintain an encrypted archive of private documents that could be accessed on several different machines.  Musing over the security difficulties of carrying around, e.g., a regular drive and a USB key with encryption keys on it, the idea of a virtual machine image came up as a good possibility.

Most modern operating systems contain provisions to allow all or part (e.g. the /home directory) of the filesystem to be encrypted; the keys to unlock these parts of the drive are generally stored in an encrypted form themselves, unlocked via some token the user has–usually a password, though other solutions may exist with two or three factor authentication.  

Writing a machine image to an external disc, and using it within the confines of a reasonably trusted virtual machine player (e.g. a copy of VMWare or similar stored on that disc) that can be invoked from within the OS on the hosting hardware should provide reasonable isolation from any malware running on the hosting machine; for better safety, a boot image on the removable drive with enough operating system to load a virtual machine player could be invoked, if the host hardware supports booting from USB devices.  For even better security, several programs exist which can store an encrypted volume inside any other volume; adding the ‘hidden’ flag per the OS specifications will assist in maintaining privacy of sensitive papers.

The procedure for building such a system would be as follows:

Step One:  Obtain the following materials:  A reasonably-sized portable hard drive with USB interface; a system known to be free of malware; disc images of your operating system of choice and a small X-capable linux distribution; VMWare Player (or similar virtual machine player) binaries for Linux, Windows, or MacOS–whichever host systems you’re likely to use.

Step Two:  Scrub the drive using low-level formatting tools.  Drives direct from manufacturers have been inadvertently populated with various sorts of malware in the past; this is basic common sense.

Step Three:  Partition the drive to contain a boot partition and a data partition.  You can do this while installing the small Linux boot OS.

Step Four:  Install the small Linux OS.  Ensure that the data partition is formatted in a manner readable to a wide variety of operating systems–FAT32 or NTFS, for example–if you plan on accessing it from other operating systems.  You’ll want an absolute minimum of services running–just enough to spawn an X display and to detect and run any network drivers.  Configure boot preferences to automatically run the VM player on login.

Step Five: Set up the OS of choice from within the VM Player.  Keep the machine image on the data partition.  You’ll want to make sure that you have the area where your sensitive data will be stored properly encrypted.  

Optional:  Set up obfuscation tools, such as methods to obscure MAC addresses, TOR proxying, and the like.  Also, setting up a VPN connection is very highly recommended, as this will prevent sniffers on the host system’s subnet from discerning your traffic; no traffic should leave your virtual system that is not encrypted.

Step Six:  Test your setup on several host systems to ensure that it works and that it has been configured properly to avoid penetration from malware on the host system.

This setup will not protect against keyloggers or shoulder surfing, nor van Eck phreaking or other advanced surveillance techniques, but it should protect nicely against most normal data thievery, depending on the encryption scheme chosen.  Note that any non-encrypted parts of the volume could conceivably be changed by a careful agent; it may benefit you to run your VM-hosting OS from read-only media, as an alternative to putting it on a separate partition of the hard drive.

It is perhaps a testament to the orderly and efficient working of the adblock extension that I only just noticed that I had not yet reviewed it.  Sitting quietly in a button up in the corner, Chrome Adblock filters out advertisements across the web quietly and efficiently.

The Adblock extension comes with a fairly useful set of configuration tools.  You can whitelist domains that you wish to support on the third tab of the settings page; you can select your preferred block lists on the second page; and on the first page you have the option to show google text ads–to be encouraged, given that they’re unobtrusive and not annoying–and to block ads within youtube videos.

This last is not fully functional-yet-but as the extension is under active development, that should move out of ‘beta’ status within a few versions.

Whitelisting is easy to accomplish; there’s the option to put in the filter by hand, using the same format as the popular firefox adblocker, as well as a ‘wizard’ interface to automatically generate the rules for individual domains or subdomains.  

Blacklist lists, on the second tab, are easily managed as well; a series of checkboxes allows them to be selected individually, and a button is provided to select all of them at once.  

The only other feature of note is an optional context menu entry, allowing specific blocking of an ad, of all ads on a site, or whitelisting of a site.  

All in all, this extension works quietly and effectively, and is nearly invisible to the user after some small initial setup.  It provides the option to enable ads for sites you wish to support quickly and easily while blocking most of the known annoyances, “weird old tip” or otherwise.  

Things I like:  It works, it’s unobtrusive, and it’s easy to set up and ignore.

Things I dislike:  It does not yet make toast.

Things I would change:  Frankly…nothing.  It does exactly what I asked for.  Send this guy a donation; he’s doing it right.

Those in the field of computer security are often scrutinized with suspicion by both media and business.  Antivirus companies, for instance, have sometimes been suggested to create viruses themselves in order to maintain their business–high prices for software updates and ‘professional’ versions of their scanning products may give some people the image of a mafia ‘protection’ racket.  That some companies have, in the past, hired high-profile ‘hackers’ to their company certainly does not help matters; while the so-called ‘hackers’ do tend to be talented, the fact that they have done actual harm causes them to be viewed with suspicion–the leopard cannot change his spots.

So to couple with the news that HBGary was involved in a conspiracy to discredit reporters and that they were run by someone completely incompetent with basic security tenets, news has now come out that they were attempting to modify the recently widely-publicized Stuxnet worm for their own purposes.

It is perhaps fitting that someone who thought that data mining social media was a new and different idea would think that repurposing a worm known to have caused millions of dollars’ worth of damage–real-world damage, too, not just lost productivity–was somehow not ethically repugnant.  

There is no ethical reason for a “cybersecurity” company to deploy malware.  Even in the context of “cyberwarfare,” there is no reason why private companies should be involved in developing or deploying malware; warfare is the province of the Department of Defense.  

Further, it wouldn’t work.  Stuxnet has been addressed fully by all AV vendors; its method of propogation is known, the viral signature is known, and the countermeasures to remove it are known.  In fact, it was useless in the western world at the time it was originally released–the payload, the disruption of the industrial control systems, relied on a vulnerability that was patched by Seimens years ago.  The only reason why it had an effect in Iran is due to their lax security and their lack of access to software updates.

Beyond that, there has been extensive analysis of the Stuxnet worm (as befits the celebrity status of being the first notable instance of malware being used specifically to cause targeted damage to a specific system) that has noted the very amateurish techniques behind its construction.  True, the sabotage of the ICS was well carried out–it did its job well–but the viral payload that enabled the infection of the systems was like something out of a “malware for beginners” manual.  Besides the use of multiple zero-day exploits, the polymorphism and rootkit installation are very well-known techniques that AV vendors have been very successful in mitigating.  

Using Stuxnet for any purpose other than that specific ICS sabotage is useless:  that would involve removing the competent part and retaining the incompetent part.  It would be quickly detected and its infuence mitigated by AV software, and it would become just one more variant of the same thing out in the wild, clogging up spam filters and unpatched systems–more needless work for the competent, ethical administrators without resulting in any reward for these incompetents.

HBGary Federal is to be condemned for this breach of ethics, and no ethical company or person ought to do business with them–though their utter lack of competency with basic security for a so-called ‘security’ firm ought to have given a warning sign that hiring them for any purpose other than wasting money would be a mistake.

In other, related news, Palantir Technologies, implicated during the last breach as being in collusion with HBGary to smear opponents of BoA, has made statements to distance themselves from HBGary.  While their hands are certainly far from clean in this matter, it appears that HBGary Federal has become the designated scapegoat for this particular incident.