
Monday, February 08, 2010

Tax evasion and welfare fraud

Hey all,

now that all the technical stuff is going to the zynamics company blog, I will have some room here for writing about other topics. Beware: politics might be involved, or just general rants.

Tonight I will write a little bit about tax evasion and welfare fraud. I somehow wound up in a discussion about the topic, and the end result was that I spent 20 minutes doing a bit of research on the topic.

Background: The German government was offered a CD containing data of people that have moved money into Swiss bank accounts, presumably to evade taxes. The person offering the CD claims that it contains almost exclusively data of tax evaders, and demands a fee of 2.5 million EU to provide the CD to German authorities.

This situation has spawned a debate about the legality of the situation: Is it "right" for the German government to buy data that was obtained in a presumably illicit fashion? (I intentionally avoid "illegal" here -- the person who obtained the data might be in breach of contract with his employer, but it is unclear whether he broke any criminal laws.)

Clearly, it is a tricky question - but the difficulty of this question is not the topic of this blog post.

Recently, a German politician (who, ironically, was repeatedly involved in corruption affairs, most notably in the CDU party donations affair) by the name of "Roland Koch" argued that welfare fraud is a serious problem in Germany, and that 15% of all welfare recipients do not actually want to work. He argued for annulling the benefits of these 15% in a large conservative newspaper (the FAZ).

So in today's discussion, the question came up: What is actually the "bigger" crime (in terms of financial damage): tax evasion or welfare fraud?

It is relatively straightforward to calculate the cost of welfare fraud: Germany spent 21.7 billion EU in 2008 on the "Hartz-4" system. This includes administrative overhead. Assuming that Mr. Koch's claim has merit, and assuming that overhead is also inflated due to fraud, ~3.3 billion EU are lost annually to welfare fraud.

It is much more difficult to calculate the cost of tax evasion. There are many numbers that are difficult to justify, and most appear to be made up arbitrarily. The only halfway reliable number I could find was from this article:

The amount of money generated from tax investigations that followed evasion was ~1.6 billion EU in 2004. Inflation-adjusted to 2008 at 2% inflation, this ends up being ~1.73 billion.

This implies something rather interesting:
  1. Assuming that every third tax evader is caught (which I deem more realistic, just by gut feeling, i.e. without any scientific basis), tax evasion is already a much bigger problem than welfare fraud.
The question of course is: What is the actual rate of tax evasion to "getting caught"?

Tuesday, January 19, 2010

The new, shiny, reverse-engineering-centric zynamics blog!

Hey all,

for all those that have almost gotten sick of me posting only rarely on this blog:

We have a shiny new reverse-engineering-centric blog up on http://blog.zynamics.com! :)

The entire team will post RE-related issues there, so I think it'll be a rather good read :)

Friday, December 18, 2009

Interesting Blog Posts

Hey all,

so while you, dear reader, are still waiting on me finally fulfilling my promise about blogging more, I have some interesting links for you :)

Vincenzo Iozzo has been blogging about some cool stuff he has been doing using NaviPython, REIL, MonoREIL etc. recently, and you can read about it here:

http://viozzo.wordpress.com/2009/12/11/scripting-with-binnavi-cyclomatic-complexity/

http://viozzo.wordpress.com/2009/12/18/finding-interesting-loops-using-monoreil/

Cheers,
Halvar

Sunday, November 15, 2009

Clarification to the previous post

Hey all,

I thought I needed to clarify something about the previous post: I was trying to explain the fact that people reacted harshly to the hint that a new standard is being drafted, without knowing anything about it. So I talked about the historical perspective on the old OIS draft, what my thoughts about it were, and what I think the reasons are that researchers usually do not bother with these things much.

This was not meant as a reaction to the ISO standard under discussion. Katie Moussouris clarifies a lot of important points here -- and what she writes is completely sensible.

Anyhow, enough of this :-). The upside of the entire discussion: I really like the pun in the above link. Yes, I know that I have a weird sense of humor.

Why are most researchers not a fan of standards on "responsible disclosure"?

I usually try to stay away from the politics of vulnerability disclosure, mostly because I think (to paraphrase Feynman) that politics of vulnerability disclosure are as useful to the vulnerability researcher as ornithology is to birds.

But it seems that the entire discussion is not going away. The intensity of the reactions to k8em0's twitter post might be partially explained by the history of this all. I'll try to refresh what I remember:

A lot of the older vulnerability researchers remember the ghastly OIS attempt at forcing a standard written by a bunch of non-researchers down the throats of the research community. From the outside, it looked mostly like an attempt to kiss up to some vendors that were spending a lot of money on security review during that time.

I might be stepping on some people's toes, but to me it looked like a high-school class where the dimmest students drew up guidelines on how smart students "should" behave, and gave that to the teacher in order to earn brownie points - including clauses like 'not contradicting the teacher'.

Unfortunately, most of the research community prefers to do work instead of discussing with people who have little interesting to say about how the researchers should work. The result of this is that researchers were rarely ever involved in the entire discussion. Not for lack of opportunity, but mostly lack of interest -- if I can actually go and surf, why would I discuss with a bunch of people sitting in an office about the right way to come back to the beach?

The entire discussion has always been somewhat phony. The entire "responsible/irresponsible" angle is slightly fraudulent. The way I see it is the following:
  1. It is acceptable for AV companies to charge for signatures, which are in essence "information about malware"
  2. It is acceptable for AV companies to not publish, nor provide, malware to other parties, or to charge for it
  3. It is acceptable for software vendors to charge so I can use their software. It is also acceptable for them to charge more so that I can read their source code.
  4. Why again should a researcher be obliged to provide information to vendors free of charge?
  5. If anyone argues it's "responsible" to make everyone safer, I say: I'll give all my bugs to all vendors the same day that all security companies of the world provide free licenses for everyone for their software.
But well. Honestly, I am not sure whether I should post this. I do not really feel like spending too much time discussing this. But perhaps that's part of the problem...

Tuesday, November 10, 2009

Low blogging frequency

Hey all,

first of all, I seriously have to apologize for the low frequency of blog posts nowadays. We have been doing a bunch of interesting things at work that I will post about shortly. Amongst the things on my "to-post" list are:
  • Rants on our experiences distributing VxClass
  • A method to perform exact directed graph comparison in O(1) (with some caveats ;) -- we have been sitting on this for a year or three, but were caught up in other things so writing it up fell by the wayside
  • Automated generation of byte signatures from the VxClass results
Anyhow, expect a higher blogging frequency from this blog in the next weeks. I will restrict my use of twitter for this.

Thursday, October 22, 2009

Looking for Memoryze dumps of malware

Hey all,

I am looking for Memoryze dumps of various pieces of malware -- the more the merrier. Does anyone here have some?

Cheers,
Halvar

Monday, September 21, 2009

Adventures in choosing what to vote

accidental posting, not ready yet