The Prestige

Moxie Marlinspike of Signal Foundation and the Signal app

The Pledge

The final shot of Let The Right One In is a nonpareil revenge ending. After an entire movie of bullying, we taste saccharine joy in the grand payback we dream of executing on our foes (watch the clip or watch the movie, spoiler alert).

There is something infinitely satisfying in people getting their comeuppance, and that last act where it’s revealed to us is a hell of a dopamine hit.

Add Signal to that collection of hits.

To know Signal and their affront – and we’ll get to what Signal is in a second – you have to know Cellebrite. (Cheery name, nefarious business.) A “digital forensics company” that promises to “protect and save lives” and “bring justice to victims and convict bad actors in the most challenging cases,” you’d read their marketing materials and hand over your life to them. In order to make good on the promises of “justice,” the company makes myriad products to assist individuals and organizations in accessing and collecting digital data. Specifically, there are these two:

  • UFED, a program that allows one to “lawfully access locked devices with ease,” aka bypass security protocols like your facial recognition, phone passcode, and more
  • Physical Analyzer, a program that, once UFED has done its job and you’re in the device, reveals and analyzes “key pieces of digital evidence (and) trace events,” aka files, folders, and metadata. (Like every location you’ve ever been at when you took a photo.)

In a best-case scenario, technology like this is used for good. Terrorist phone found, it’s unlocked, unencrypted, and reveals the location and plans of future terrorist actions, plot thwarted. Good guys win.

If only there were more money in that line of work.

The Turn

In true-case scenarios, Cellebrite is one of the more iniquitous actors on the stage. Their largely secret operations provide software to law enforcement agencies to questionably profile large groups of humans and manipulate personal liberties. According to Upturn, a Washington, DC-based 501(c)(3) that deals in policing, government, and technology, “given how routine these (mobile device) searches are today, together with racist policing policies and practices, it’s more than likely that these technologies disparately affect and are used against communities of color.” As they write, “Every American is at risk of having their phone forensically searched by law enforcement.”

Cellebrite would love that.

Law enforcement in all 50 states and in DC have purchased some form of mobile device forensic tool (MDFT). “State police forces and highway patrols in the US have collectively spent millions of dollars on this sort of technology to break into and extract data from mobile phones,” VICE’s Motherboard wrote; state police departments have spent over $11.5MM on MDFTs since 2015 (Appendix C – with locales listed, too).

Signal itself has also written that Cellebrite’s “customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere.”

In its quest for a global police state that leverages its products, in early December, Cellebrite announced support for breaking into Signal, claiming they can now “help law enforcement lawfully access the Signal app. … At Cellebrite, we work tirelessly to empower investigators in the public and private sector to find new ways to accelerate justice, protect communities, and save lives.”

There’s only one catch: That’s impossible.

The Prestige

Ralph Waldo Emerson wrote, “When you strike at the King, you must kill him.” Cellebrite came after the wrong monarch.

Moxie Marlinspike is the pen name for Matthew Rosenfeld, the man who founded the Signal Foundation. That nonprofit is dedicated to providing open-source tech (read: free for everyone) to protect “free expression and enable secure global communication.”

The jewel in that King’s crown is Signal, a true-encryption messaging application that has no ads, no trackers – nothing. Whereas other messaging (and social) apps claim to “responsibly manage” your data, Signal just flat out doesn’t store it. It has end-to-end encryption, ensuring a level of privacy the watchmen hate. They would much prefer to “responsibly” police your state rather than treat you as innocent.

The private app has been used by people to truly avoid unlawful, unwanted, and unsolicited surveillance, a lot of which comes from those citizens’ own government. There is no possible way to interpret the app’s metadata. So when the company claims that “Cellebrite Physical Analyzer now allows lawful access to Signal app data,” it’s a deliberate lie.

Thus, Moxie has a counterargument to make.

Once they came after his app, he decided to do some investigating of his own, writing up his findings on Signal’s blog. Lying inside Cellebrite’s products he finds sweet, sweet revenge.

Because Cellebrite’s software makes claims in the ballpark of bypassing security, Moxie examined Cellebrite’s product security. Under the hood, he found that a number of industry-standard risk- and exploit-mitigating defenses aren’t even there. (Moxie points to a third-party plugin that their products leverage that was last updated in 2012; since then, over 100 security updates have been released, and the flaws they fix can all be exploited in Cellebrite’s software.)

This means Signal can package a file in their app that only runs when the phone is hooked up to a Cellebrite program, and, when that does happen, execute code. If one were so inclined, that code could, as Moxie relays, alter the results of not just the scan being performed on the current phone but also alter the results on every scan ever performed or will be performed by that Cellebrite machine. It can be done in actual stealth (technically, “with no detectable timestamp changes or checksum failures”).

And that’s only one of the many, many ways the vulnerabilities Moxie found can be exploited. Moxie also documents the company’s use of pirated libraries from companies like Apple to create their products, something Apple is no doubt interested in knowing about.

The icing on the cake: Signal will be randomly assigning these reverse-exploit files with random versions on random app installs that will never interact with the Signal app in any capacity. The only significance is to (rightfully) call into question the integrity of all past, present, and future data from Cellebrite.

It’s a thing of nerd beauty. Or, as Omar says, you come at the king, you best not miss.

Photo by Jason Henry/The Wall Street Journal

Coverage Of Your (Viral) Hometown Deli

Your Hometown Deli: 4.3 stars on 51 reviews

Update: We got ’em.

In mid-April, (famous to the financial sector) David Einhorn wrote a letter to the investors of his firm Greenlight Capital. He wrote about the usual suspects: winners, losers, and justification for the performance. Everyday material.

His overarching thesis, in the letter, was that the stock market was completely broken.

I don’t need to belabor many of his points as even the most common person with access to the Internet knows the word GameStop, but it was one of the bullet points Einhorn referenced alongside Elon Musk’s reckless “jet fueling” of the saga, Tether’s nefarious accounting, and Archegos’ family-office self-dealing. Einhorn sees a system that is fractured:

“It’s as if there are no financial fraud prosecutors; companies and managements that are emboldened enough to engage in malfeasance have little to fear.”

David Einhorn
Letter to Greenlight Capital investors, Apr. 2021

No cops, no regulation, all Wild West.

In Einhorn’s letter, he also brought to light Your Hometown Deli (4.3 stars on 51 reviews!). Since this is a viral story and you’ve likely heard of it, here is the recap that major media outlets have been running with: A small deli in New Jersey made a combined $38,000 over the past two years and is (befuddlingly) publicly traded (HWIN), which has made it worth $100MM depending on its share price – despite closing for basically all of 2020 due to COVID.

Red flags everywhere:

  • The shop’s CEO-slash-CFO-slash-Treasurer-slash-Director owns shares that are valued at $20MM – and he’s the wrestling coach of a nearby institution
  • The VP of the shop is a high school math teacher
  • Neither the shop owner nor the VP takes a salary for their work

Einhorn wrote:

“Small investors who get sucked into these situations are likely to be harmed eventually…”

Einhorn
Letter

That’s the point, here. Meme stock, right? Another dubious investment vehicle, another way retail investors can try and catch and ride a wave that almost always ends with a wish in one hand and shit in the other. End of story.


Oh, and a couple more things, though. The shares trade “thinly on the over-the-counter market,” according to CNBC. The shop’s owner also has ownership in the group that leases the building to the deli. The chairman of Your Hometown Deli Limited Liability Company – Peter Coker, Jr. – owns or is in bed with multiple Eastern equity firms, and his dad was the CEO of a New Zealand-based jetpack company when New Zealand was a notorious front for criminals heavily implicated in the Panama Papers. (Not coincidentally, Coker, Jr. was also the chairman of New Zealand-based Wellington Securities beginning in 2002.)

And oh by the way the deli listed now-disbarred lawyer Gregg Jaclin on its early financial documents. Jaclin just happens to have recently been found guilty of fraud, SEC false filings, “schemes to conceal material fact from a government agency,” and obstruction of justice. Said a different way: Jaclin is guilty of federal crimes relating to setting up shell companies. The SEC entered a “final judgment against New Jersey lawyer Gregg E. Jaclin for running a fraudulent shell factory scheme through which sham companies were taken public and sold for a profit,” they wrote.

When Einhorn writes about the deli-as-cautionary-tale, that’s unequivocally true. Considering he is a player in the game and the stonks craze is partially responsible for Greenlight’s mediocre Q1 performance, it stands to reason he wants more regulation and to legislate out the unfair play.

But the subtext is the real story. The media reports on the viral nature of the deal but scratch one layer beneath the surface and it’s a complete joke. If you’re suckered into investing in Your Hometown Deli, trust me, I have some oceanfront property in Arizona to sell you.

Instead, it’s the Coker family, lifelong tax goons, drawing in people like Jaclin to help launder and stash money.

In 1992, the elder Coker applied for bankruptcy, The Morning Call noting him as a “solvent debtor who wishes to appear insolvent”; a man whose “memory regarding his assets has suffered from selectivity and incompleteness,” whose “sole reported income” is for the $1,800 a month his wife claims, whose filings omit “his multiple country club memberships and his monthly operating expenses.” (Now, Coker is the founder of Tryon Capital Ventures, to which Your Hometown Deli pays $15,000 a month for consulting services.)

On the other hand is the junior Coker, who was ordered to pay $1.15MM in restitution, stemming from the mid-2010s, for his “work” with Sitework Safety Supplies collecting payroll taxes from his employees but not handing them over to the IRS. In the present, Coker, Jr. is the chairman of South Shore Holdings (a holding company that “conducts its engineering and property related services in Hong Kong, Mainland China, Macau, Singapore, and Malaysia”), which operates the “ultra-luxury” brand THE13… which applied for a stay in order to not suspend operations because its bank issued a demand for immediate payment of HK$2.48 billion (about $320MM USD).

An American who tried on tax evasion as a wealth vehicle that now operates an ultra-luxury deli in New Jersey.


This family is obviously crooked. The apple didn’t fall very far from the tree. In regards to Your Hometown Deli, as Cory Doctorow writes, “It appears that mysterious people, possibly in China and Macau and Hong Kong, decided to park $100MM in a convenience store and got a couple (of) local high-school teachers in on the bit.”

You have probably suspected as much at some point: Rich people know how to stay rich. They know the loopholes, they have enough money to find the loopholes, and, if that doesn’t work, they know how to outright cheat – especially when the “fine” becomes a cost of doing business. We’ll do it the proper way until it doesn’t work for us, then we’ll just pay the fee, apologize, and continue to do it.

The Cokers’ actions are just exposed stupidity but, like seeing one roach inside your house, it means there are hundreds more inside your walls. As Yuval Noah Harari has written, once businesses became entities and had the same rights as humans, a myth (businesses as humans) became real. Capitalists (read: Adam Smith, Wealth of Nations) will argue this protection is necessary for people to take risks thus breeding innovation, competition, and investment in people. And that’s true. But the laws of unintended consequences gave iniquitous actors a meteoric rise to protection and control that becomes almost impossible to dismantle.

That’s what Einhorn is saying. Coker’s scheme was tipped off to Einhorn who exposed it with the help of a viral headline. (No doubt, an SEC investigation will follow.) But there are thousands (hundreds of thousands? millions?) of instances of these actual viruses that plague the stock market. While the fun, viral headline is “look what crazy retail investing has done to the stock market!!!”, the often ignored, underreported, and uncovered truth is something incredibly nefarious.