Things Matt Wrote

Writings from the intersection of law enforcement and the Internet

The 2022 Verizon Database Breach Investigations Report (VDBIR) shows that 88% of all incidents have a human element as partial causation for the breach. Why are people not getting this? Why are they so bad at basic security? Yes, some of them are just stupid. But that's the minority of people so we can't hang our hat on that. Maybe it's because we security practitioners, law enforcement investigators, and crime-prevention specialists are just not very good at our jobs. Maybe?

Leadership expert Simon Sinek has a model called the Golden Circle which provides a vehicle to help leaders better communicate company goals and achieve employee buy-in of the mission. Traditional top-down communication starts from what. What to do, or not to do, and then moves to how to get it done. The “why” of a task is only explained if the subordinates ask enough, and even then the answer is usually something along the lines of “because we said so”.

Sinek proposes that true leaders start with the “Why”. The conversation starts with an explanation of why something needs to be done and details the positive benefit the task will have on the organization and the employee. The leader gets buy-in for the project before they move to the hard details of the what and how.

As security and crime-prevention practitioners we are super at telling people what to do, and how to do it, but do we ever really explain the why? Our awareness training sessions usually go something like this: This is a phishing email. This is how you can tell it's a phishing email. “Bad things” will happen if you click the link in this email. O.K. Thanks for your time and we'll see you all again next year.

Did we get buy-in? Or did we only do security theater?

What if we started with the why.


I currently have 181 passwords in my password manager. Sadly, that's not even all of the passwords I keep as I have some systems and equipment that don't require stringent security so they don't get entered into the Bitwarden application. I maintain one Windows computer where the password is simply “Q”. Passwords for my virtual machines use a common alphanumeric scheme based on the operating system so I always know the password based on the machine. All in all, I probably maintain at least 200 passwords.

My password numbers may be a bit excessive as most people don’t have multiple sock-puppet accounts or feel the need to register their name with every new email service. A 2020 study conducted by NordPass found the average Internet user maintains one hundred passwords. And that's the problem.


Internet-enabled crime is largely underreported. Those affected by cybercrime may not know how or where to report their victimization. Some are too embarrassed to report it while many others don't even know they've been victimized. Regardless of the reason, the majority of persons victimized by cybercriminals fail to report it to law enforcement. A 2020 crime survey of England and Wales suggested that only 16.6% of frauds are being reported and only 1.7% of those victimized by “computer misuse offenses” are self-reporting their victimization.

Businesses aren't much better at reporting their victimization. This 2019 report by global IT and cybersecurity association ISACA found that enterprise and other business entities are vastly under-reporting cybercrime victimization, even when legally mandated to notify law enforcement and regulatory agencies.

The underreporting of cybercrimes makes the 2021 Internet Crime Report from the Internet Crime Complaint Center even more remarkable.

The Internet Crime Complaint Center (IC3) is the cybercrime reporting and analysis mechanism for the Federal Burea of Investigation. The center facilitates an easy and efficient way for citizens and businesses to self-report their victimization and losses. The collected information is then analyzed to look for trends and investigative leads. The results are distributed to FBI field offices for follow-up investigation and for information releases to educate the public. Each year the organization creates a summary of the previous year's numbers and publishes it as the Internet Crime Report.

The 2021 Internet Crime Report follows the trend of its predecessors in revealing that cybercrime has increased from the previous year. In 2021, the IC3 accepted 847,376 reports which is a 7% increase over the number received in 2020. The reported dollar loss is greater than 6.9 Billion dollars.

Remember that cybercrime victimization is grossly underreported? Yeah, so what are the true numbers for 2021? It's mind-boggling.


Personal Tech Stack – PART 2

Part 1 detailed the hardware that I use every day. You can read it here.

Part 2 is a listing of the services, applications, and extensions that I use to increase my productivity and make my life easier. Well, sometimes it makes things harder. Does anyone want to guess how much time I've spent trying to find the perfect to-do list app? (Cue the hysterical laughter of hardcore pen and paper adherents)


  1. Evernote. Let's just get this out of the way upfront as we are all on the constant search for the ultimate method to take and keep notes. I was an early adopter of Evernote but left when they socked us with a significant subscription fee increase a few years back. Then I spent years wandering in the wilderness experimenting with about every note-taking application available. Google Keep, OneNote, Joplin, Apple Notes, Bear, SimpleNote, and the list could go on. Last year, I broke down and paid Evernote's ransom demand because it is the best. At least for me.
  2. Dropbox. Same story as Evernote. I've tried other services and dropbox just works. I still have accounts and keep storage in Onedrive, iCloud, Box, and a few others, but Dropbox is my main cloud drive.
  3. BitWarden. Probably the most frequent question I'm asked is, “What password manager do you suggest?”. I used Lastpass for years and was happy with it until they rearranged their fee schedule and limited the number of devices you can link on the free tier. Password managers are not that complicated, technically, and don't deserve some of the extravagant fees they demand. Bitwarden is open source, easy to use, and is free.

Last week, I presented to the Delaware Valley Chapter of the International Association of Financial Crime Investigators. The intent of the talk was to demonstrate the lack of privacy when using Google products but many of the follow-up questions were about specific technologies that I personally use. I received several subsequent emails seeking additional clarification and technical advice. So, I thought I'd do a write-up detailing my personal Tech Stack. Here is a general list of the technology, both hardware and software, that I use every day (almost).

The writing will be published in two different pieces due to its length. The first piece will detail the physical hardware devices and the second will be the software and services.

I don't want this to be construed as some affiliate marketing effort so there are no links to the products. You'll have to do the hard part yourself.


1) Apple Macbook Air (Apple silicon M1 chip, 16GB of memory, 1TB drive). I've had quite a run of laptops over the years and have owned four different ones in the past 18 months. You can read a bit about this experiment HERE. But for the past six months, I've been using a Macbook Air with the Apple silicon ARM-based M1 chip and it's pretty awesome. In terms of design and construction, it's unrivaled. macOS Monterey is good and always being further refined. If I could run Pop_OS on this piece of hardware the sun, moon, and earth, would be in perfect alignment.

2) Lenovo Thinkpad X1 Carbon (5th generation)running the PopOS Linux distribution. I have a special affinity for Thinkpad machines (I currently own three different models) and will always have one ready to boot up. This machine runs the Linux distribution PopOS by System76. I want this to be my everyday computer but I need to use some applications that just don't play will well with Linux yet.

3) Apple iPhone 12. Meh. Works well and I have no complaints. I only switched back to an iPhone because of the continuity with the Macbook. And Google is evil so owning an Android-based phone is longer tenable.


If you do a Google search for the term “Felony Lane Gang”, you will get “about 2,860,001” results. That’s a little more than a bunch. Most of them appear to be news reports with titles such as,“Felony Lane Gang targets Moms”, “EPD arrests woman they say is part of the Felony Lane Gang”, or “Felony Lane Gang Ramping Up Again”. The commonality of these reports is the generalization that all of these bad actors have a familial connection. The news reporters and journalists undoubtedly get this bent from those of us in law enforcement and financial industry security who flippantly suggest the connection. We casually suggest the conspiracy by referring to every group who steals bags and cashes checks through the far drive-through teller lane as “the Felony Lane Gang”. Singular. As if they are all connected like a crime family or neighborhood sect of a national gang.

They are not. And we should stop doing this.

“The” Felony Lane Gang did exist. They were a group from Florida that traveled the east coast and were eventually arrested and prosecuted in the Middle District of Pennsylvania. My home bailiwick. Many of us remember this case, and I’m sure that a few readers of this newsletter were involved in the investigation and prosecution of the case. It was brilliant work. Here is one of the press releases from 2014 that I could find still online

The method of operation (MO) was to steal purses and bags from unattended vehicles, then disguise themselves as the victims, and cash the checks through the far lane of the bank drive-through. The distance of the far lane made it more difficult, and sometimes impossible, for the teller to discern the actual identity of the driver presenting the check. The thief just had to look closely enough. The farthest lane of the drive-through has become known as the “Felony Lane”.


There is an old saying that goes something along the lines of “if you want to get rich during a gold rush, don’t mine for gold, sell the shovels”. There is a lot of truth to this and the wisdom of the statement is easily apparent through multiple verticals, not just mining. In the age of big data, don’t make the data, store it! So says Amazon as they rake in billions through Amazon Web Services fees.

Keeping with the plan of suppling the infrastructure rather than engage in the actual activity, we find another financial services provider who found money laundering just too profitable to turn away from. The cryptocurrency exchange Binance seemed to reason there was no need to engage in the overt criminal activity that generates the money when it’s just as profitable to turn a blind eye as the funds traveled through their networks. And in some cases they had to work to create “plausible deniability”.

In this special investigative report, Reuters claims that Binance, among other things, “acted against its own compliance department’s assessment by continuing to recruit customers in seven countries, including Russia and Ukraine, judged to be of “extreme” money-laundering risk”, and “watered down compliance rules” concerning Know Your Customer regulations.

The report highlights an even more pressing questions concerning cryptocurrency finance: Ethics and compliance according to whose standards? Who are the regulators? What countries rules do these multi-national “virtual” businesses adhere to? Who is the enforcer?

What a great time to be in the business of financial crime investigation and enforcement!

#cyficrime #AML

Regular readers of this blog or those who subscribe to the Threats Without Borders newsletter, have read my concerns about security training. This article from ZDNet highlighting the failure of such efforts struck a chord with me, but not because I agree with the position of the article. Well, not entirely. I agree that security training is not the be-all, end-all, and new learning techniques are needed.

The article proposes that security training is failing because it’s not being delivered in a way that creates a security mindset. The author believes the effort needs to be all-encompassing and daily.

"I think one of the most important things to realize is most of the education and training done, it's not very effective," "The 30-minute video you're obligated to watch once a year doesn't do the job".

Yes, I’ll agree with this, but maybe it’s not all on the security professionals.

I like to use the analogy of telling a child not to touch a hot stove. You can tell a child over and over to not touch the stove coil while it's glowing red hot, and even show them the scars you have from doing it, but until they do it and get burned they don't have any context. And because they don’t have any context, because they haven’t felt the pain, they’re going to touch the hot stove.

Consider phishing. How many phishing victims have received some form of training? A LOT. Yet they still clicked the link. In many of the cases I have investigated, the person responsible for clicking the link or sending the money order says to me, “ I knew it looked suspicious” and “ I know better, I saw the same thing in training”,

Almost all promise me “ I won't make that mistake again”. And they won't. Much like a child never touches a hot stove top twice, they must get burned for the message to have an impact.

#cyficrime #cybersecurity #infosec #risk

I stopped making new year's resolutions a long time ago because I wasn't very good at keeping them. The pressure to maintain the effort became another stressor in my life. You can only fail at losing 15 pounds or daily teeth flossing so many times. I still set yearly goals but they are something that I have developed a plan and a roadmap to achieve.

Making new years resolutions is still popular for others and I have heard many declare their ill-fated intentions over the past few days. One of the most frequent themes I've heard has been the desire to “return to normal” referencing the Covid-19 pandemic and the way it's turned our lives upside-down since 2019.

What is normal at this point? I can only assume the declarants mean a return to life as is it was in December 2019. Do we really want to go back there at this point? And how would we do that? You can't put the past two years back in the bottle.

This longing for “normal” is foreign to those of us that defend against, or investigate cyber-financial crime. The concept of normalcy doesn't exist. Well, other than the bad guys are unrelenting in their attacks and continuously evolving their tactics to defeat us. There isn't a normal because the game is continuously evolving. Much like a virus, ransomware, phishing emails, business email compromise attacks, money laundering methods, and social engineering techniques are continually mutating in response to the tactics of security and law enforcement. There are new variants every day! The theme may be the same but the characters and their schemes are ever changing.

We never have the desire to return to normal because there is no normal. Normal is chaos. Everyday.

Welcome to 2022 and another year of combating cyber-financial crime. Normalcy is not an option.

#cyficrime #cybercrime #risk

New York Times author Nikole Hannah Jones recently made headlines herself for claiming that the United States dropped a nuclear weapon on the Japanese cities of Hiroshima and Nagasaki due to the sunk cost fallacy. The United States had spent so much money and time in creating an atomic weapon that it used the resulting tool only to prove that it was worth the effort. Anyone who has a half understanding of world history knows this is incorrect. This claim made in the weeks, months, or even a few years after the event, would be understandable. But after 81 years of study, scrutiny, and academic review, this assertion is proven wrong. So wrong, that someone who makes it should be held in no more regard than a person who still claims the earth is flat. Of course, Ms. Jones isn't about the truth.

Giving credit where credit is due, government decision-making and policy can be influenced by sunk costs. Personally, it is easy to pivot when realizing we're “throwing good money after bad” but in the machine of government, that is much easier said than done. Particularly, when the ego is involved.

Law enforcement agencies have this odd organizational setting where it's not quite a strict hierarchal military rank and file system but yet not run like a free market business entity. Much like a business, law enforcement agencies must satisfy the needs of their customers – the public it serves, and the executive board – the elected politicians. But unlike a business, the customers can't just go to a competing business. No matter how poor the service, the customers keep paying the bill – in the form of taxes. And the executives are everchanging, so if the law enforcement leadership conflicts with the CEO or Board of Directors they need only wait them out through the next election.


Enter your email to subscribe to updates.