Tuesday, March 02, 2010

Training class with SP and me at CSW!

Hey all,

SP and I will be teaching a training class this year at CanSecWest. If you have some background in reverse engineering and want to
  • become a more efficient reverse engineer
  • become a more efficient bug hunter
  • become better at understanding stuff like Acrobat's JScript Engine
this class is for you. We will teach you stuff including but not limited to:
  • Quickly find where the interesting parts of the executable are: Who is parsing user input? Who is responsible for the crypto?
  • Save time: Identify what open-source libraries are statically linked into the executable. Why audit binary when you can read source?
  • Want to understand what Acrobat is doing? Or most C++ programs nowadays? Generate UML diagrams from binaries, showing you all the classes and their hierarchy.
Anyhow, follow this link if you are interested. I think it's going to be a blast.


Monday, February 08, 2010

Tax evasion and welfare fraud

Hey all,

now that all the technical stuff is going to the zynamics company blog, I will have some room here for writing about other topics. Beware: Politics might be involved, or just general rants.

Tonight I will write a little bit about tax evasion and welfare fraud. I somehow wound up in a discussion about the topic, and the end result was that I spent 20 minutes doing a bit of research on the topic.

Background: The German government was offered a CD containing data of people that have moved money into Swiss bank accounts, presumably to evade taxes. The person offering the CD claims that it contains almost exclusively data of tax evaders, and demands a fee of 2.5 million EU to provide the CD to German authorities.

This situation has spawned a debate about the legality of the situation: Is it "right" for the German government to buy data that was obtained in a presumably illicit fashion? (I intentionally avoid "illegal" here -- the person that obtained the data might be in breach of contract with his employer, but it is unclear whether he broke any criminal laws)

Clearly, it is a tricky question - but the difficulty of this question is not the topic of this blog post.

Recently, a German politician (who, ironically, was repeatedly involved in corruption affairs, most notably in the CDU-party-donations affair) by the name of "Roland Koch" argued that welfare fraud is a serious problem in Germany, and that 15% of all welfare recipients do not actually want to work. He argued for annulling benefits of these 15% in a large conservative newspaper (the FAZ).

So in today's discussion, the question came up: What is actually the "bigger" crime (in terms of financial damage): Tax evasion or welfare fraud?

It is relatively straightforward to calculate the cost of welfare fraud: Germany spent 21.7 billion EU in 2008 on the "Hartz-4" system. This includes administrative overhead. Assuming that Mr. Koch's claim has merit, and assuming that overhead is also inflated due to fraud, ~3.3 billion EU are lost annually to welfare fraud.

It is much more difficult to calculate the cost of tax evasion. There are many numbers that are difficult to justify, and most appear to be made up arbitrarily. The only halfway reliable number I could find was from this article:

The amount of money generated from tax investigations that followed evasion was ~1.6 billion EU in 2004. Inflation-adjusted to 2008 at 2% inflation, this ends up being ~1.73 billion.

This implies something rather interesting:
  1. Assuming that every third tax evader is caught (which I deem more realistic, just by gut feeling, i.e. without any scientific base), tax evasion is already a much bigger problem than welfare fraud.
The question of course is: What is the actual rate of tax evasion to "getting caught"?

Tuesday, January 19, 2010

The new, shiny, reverse-engineering-centric zynamics blog!

Hey all,

for all those that have almost gotten sick of me posting only rarely on this blog:

We have a shiny new reverse-engineering-centric blog up on http://blog.zynamics.com! :)

The entire team will post RE-related issues there, so I think it'll be a rather good read :)