#business credit cards software | Explore Tumblr posts and blogs

max-levchin · 1 year ago

Text

Shamir Secret Sharing

It’s 3am. Paul, the head of PayPal database administration carefully enters his elaborate passphrase at a keyboard in a darkened cubicle of 1840 Embarcadero Road in East Palo Alto, for the fifth time. He hits Return. The green-on-black console window instantly displays one line of text: “Sorry, one or more wrong passphrases. Can’t reconstruct the key. Goodbye.”

There is nerd pandemonium all around us. James, our recently promoted VP of Engineering, just climbed the desk at a nearby cubicle, screaming: “Guys, if we can’t get this key the right way, we gotta start brute-forcing it ASAP!” It’s gallows humor – he knows very well that brute-forcing such a key will take millions of years, and it’s already 6am on the East Coast – the first of many “Why is PayPal down today?” articles is undoubtedly going to hit CNET shortly. Our single-story cubicle-maze office is buzzing with nervous activity of PayPalians who know they can’t help but want to do something anyway. I poke my head up above the cubicle wall to catch a glimpse of someone trying to stay inside a giant otherwise empty recycling bin on wheels while a couple of Senior Software Engineers are attempting to accelerate the bin up to dangerous speeds in the front lobby. I lower my head and try to stay focused. “Let’s try it again, this time with three different people” is the best idea I can come up with, even though I am quite sure it will not work.

It doesn’t.

The key in question decrypts PayPal’s master payment credential table – also known as the giant store of credit card and bank account numbers. Without access to payment credentials, PayPal doesn’t really have a business per se, seeing how we are supposed to facilitate payments, and that’s really hard to do if we no longer have access to the 100+ million credit card numbers our users added over the last year of insane growth.

This is the story of a catastrophic software bug I briefly introduced into the PayPal codebase that almost cost us the company (or so it seemed, in the moment.) I’ve told this story a handful of times, always swearing the listeners to secrecy, and surprisingly it does not appear to have ever been written down before. 20+ years since the incident, it now appears instructive and a little funny, rather than merely extremely embarrassing.

Before we get back to that fateful night, we have to go back another decade. In the summer of 1991, my family and I moved to Chicago from Kyiv, Ukraine. While we had just a few hundred dollars between the five of us, we did have one secret advantage: science fiction fans.

My dad was a highly active member of Zoryaniy Shlyah – Kyiv’s possibly first (and possibly only, at the time) sci-fi fan club – the name means “Star Trek” in Ukrainian, unsurprisingly. He translated some Stansilaw Lem (of Solaris and Futurological Congress fame) from Polish to Russian in the early 80s and was generally considered a coryphaeus at ZSh.

While USSR was more or less informationally isolated behind the digital Iron Curtain until the late ‘80s, by 1990 or so, things like FidoNet wriggled their way into the Soviet computing world, and some members of ZSh were now exchanging electronic mail with sci-fi fans of the free world.

The vaguely exotic news of two Soviet refugee sci-fi fans arriving in Chicago was transmitted to the local fandom before we had even boarded the PanAm flight that took us across the Atlantic [1]. My dad (and I, by extension) was soon adopted by some kind Chicago science fiction geeks, a few of whom became close friends over the years, though that’s a story for another time.

A year or so after the move to Chicago, our new sci-fi friends invited my dad to a birthday party for a rising star of the local fandom, one Bruce Schneier. We certainly did not know Bruce or really anyone at the party, but it promised good food, friendly people, and probably filk. My role was to translate, as my dad spoke limited English at the time.

I had fallen desperately in love with secret codes and cryptography about a year before we left Ukraine. Walking into Bruce’s library during the house tour (this was a couple years before Applied Cryptography was published and he must have been deep in research) felt like walking into Narnia.

I promptly abandoned my dad to fend for himself as far as small talk and canapés were concerned, and proceeded to make a complete ass out of myself by brazenly asking the host for a few sheets of paper and a pencil. Having been obliged, I pulled a half dozen cryptography books from the shelves and went to work trying to copy down some answers to a few long-held questions on the library floor. After about two hours of scribbling alone like a man possessed, I ran out of paper and decided to temporarily rejoin the party.

On the living room table, Bruce had stacks of copies of his fanzine Ramblings. Thinking I could use the blank sides of the pages to take more notes, I grabbed a printout and was about to quietly return to copying the original S-box values for DES when my dad spotted me from across the room and demanded I help him socialize. The party wrapped soon, and our friends drove us home.

The printout I grabbed was not a Ramblings issue. It was a short essay by Bruce titled Sharing Secrets Among Friends, essentially a humorous explanation of Shamir Secret Sharing.

Say you want to make sure that something really really important and secret (a nuclear weapon launch code, a database encryption key, etc) cannot be known or used by a single (friendly) actor, but becomes available, if at least n people from a group of m choose to do it. Think two on-duty officers (from a cadre of say 5) turning keys together to get ready for a nuke launch.

The idea (proposed by Adi Shamir – the S of RSA! – in 1979) is as simple as it is beautiful.

Let’s call the secret we are trying to split among m people K.

First, create a totally random polynomial that looks like: y(x) = C0 * x^(n-1) + C1 * x^(n-2) + C2 * x^(n-3) ….+ K. “Create” here just means generate random coefficients C. Now, for every person in your trusted group of m, evaluate the polynomial for some randomly chosen Xm and hand them their corresponding (Xm,Ym) each.

If we have n of these points together, we can use Lagrange interpolating polynomial to reconstruct the coefficients – and evaluate the original polynomial at x=0, which conveniently gives us y(0) = K, the secret. Beautiful. I still had the printout with me, years later, in Palo Alto.

It should come as no surprise that during my time as CTO PayPal engineering had an absolute obsession with security. No firewall was one too many, no multi-factor authentication scheme too onerous, etc. Anything that was worth anything at all was encrypted at rest.

To decrypt, a service would get the needed data from its database table, transmit it to a special service named cryptoserv (an original SUN hardware running Solaris sitting on its own, especially tightly locked-down network) and a special service running only there would perform the decryption and send back the result.

Decryption request rate was monitored externally and on cryptoserv, and if there were too many requests, the whole thing was to shut down and purge any sensitive data and keys from its memory until manually restarted.

It was this manual restart that gnawed at me. At launch, a bunch of configuration files containing various critical decryption keys were read (decrypted by another key derived from one manually-entered passphrase) and loaded into the memory to perform future cryptographic services.

Four or five of us on the engineering team knew the passphrase and could restart cryptoserv if it crashed or simply had to have an upgrade. What if someone performed a little old-fashioned rubber-hose cryptanalysis and literally beat the passphrase out of one of us? The attacker could theoretically get access to these all-important master keys. Then stealing the encrypted-at-rest database of all our users’ secrets could prove useful – they could decrypt them in the comfort of their underground supervillain lair.

I needed to eliminate this threat.

Shamir Secret Sharing was the obvious choice – beautiful, simple, perfect (you can in fact prove that if done right, it offers perfect secrecy.) I decided on a 3-of-8 scheme and implemented it in pure POSIX C for portability over a few days, and tested it for several weeks on my Linux desktop with other engineers.

Step 1: generate the polynomial coefficients for 8 shard-holders.

Step 2: compute the key shards (x0, y0) through (x7, y7)

Step 3: get each shard-holder to enter a long, secure passphrase to encrypt the shard

Step 4: write out the 8 shard files, encrypted with their respective passphrases.

And to reconstruct:

Step 1: pick any 3 shard files.

Step 2: ask each of the respective owners to enter their passphrases.

Step 3: decrypt the shard files.

Step 4: reconstruct the polynomial, evaluate it for x=0 to get the key.

Step 5: launch cryptoserv with the key.

One design detail here is that each shard file also stored a message authentication code (a keyed hash) of its passphrase to make sure we could identify when someone mistyped their passphrase. These tests ran hundreds and hundreds of times, on both Linux and Solaris, to make sure I did not screw up some big/little-endianness issue, etc. It all worked perfectly.

A month or so later, the night of the key splitting party was upon us. We were finally going to close out the last vulnerability and be secure. Feeling as if I was about to turn my fellow shard-holders into cymeks, I gathered them around my desktop as PayPal’s front page began sporting the “We are down for maintenance and will be back soon” message around midnight.

The night before, I solemnly generated the new master key and securely copied it to cryptoserv. Now, while “Push It” by Salt-n-Pepa blared from someone’s desktop speakers, the automated deployment script copied shard files to their destination.

While each of us took turns carefully entering our elaborate passphrases at a specially selected keyboard, Paul shut down the main database and decrypted the payment credentials table, then ran the script to re-encrypt with the new key. Some minutes later, the database was running smoothly again, with the newly encrypted table, without incident.

All that was left was to restore the master key from its shards and launch the new, even more secure cryptographic service.

The three of us entered our passphrases… to be met with the error message I haven’t seen in weeks: “Sorry, one or more wrong passphrases. Can’t reconstruct the key. Goodbye.” Surely one of us screwed up typing, no big deal, we’ll do it again. No dice. No dice – again and again, even after we tried numerous combinations of the three people necessary to decrypt.

Minutes passed, confusion grew, tension rose rapidly.

There was nothing to do, except to hit rewind – to grab the master key from the file still sitting on cryptoserv, split it again, generate new shards, choose passphrases, and get it done. Not a great feeling to have your first launch go wrong, but not a huge deal either. It will all be OK in a minute or two.

A cursory look at the master key file date told me that no, it wouldn’t be OK at all. The file sitting on cryptoserv wasn’t from last night, it was created just a few minutes ago. During the Salt-n-Pepa-themed push from stage, we overwrote the master key file with the stage version. Whatever key that was, it wasn’t the one I generated the day before: only one copy existed, the one I copied to cryptoserv from my computer the night before. Zero copies existed now. Not only that, the push script appears to have also wiped out the backup of the old key, so the database backups we have encrypted with the old key are likely useless.

Sitrep: we have 8 shard files that we apparently cannot use to restore the master key and zero master key backups. The database is running but its secret data cannot be accessed.

I will leave it to your imagination to conjure up what was going through my head that night as I stared into the black screen willing the shards to work. After half a decade of trying to make something of myself (instead of just going to work for Microsoft or IBM after graduation) I had just destroyed my first successful startup in the most spectacular fashion.

Still, the idea of “what if we all just continuously screwed up our passphrases” swirled around my brain. It was an easy check to perform, thanks to the included MACs. I added a single printf() debug statement into the shard reconstruction code and instead of printing out a summary error of “one or more…” the code now showed if the passphrase entered matched the authentication code stored in the shard file.

I compiled the new code directly on cryptoserv in direct contravention of all reasonable security practices – what did I have to lose? Entering my own passphrase, I promptly got “bad passphrase” error I just added to the code. Well, that’s just great – I knew my passphrase was correct, I had it written down on a post-it note I had planned to rip up hours ago.

Another person, same error. Finally, the last person, JK, entered his passphrase. No error. The key still did not reconstruct correctly, I got the “Goodbye”, but something worked. I turned to the engineer and said, “what did you just type in that worked?”

After a second of embarrassed mumbling, he admitted to choosing “a$$word” as his passphrase. The gall! I asked everyone entrusted with the grave task of relaunching crytposerv to pick really hard to guess passphrases, and this guy…?! Still, this was something -- it worked. But why?!

I sprinted around the half-lit office grabbing the rest of the shard-holders demanding they tell me their passphrases. Everyone else had picked much lengthier passages of text and numbers. I manually tested each and none decrypted correctly. Except for the a$$word. What was it…

A lightning bolt hit me and I sprinted back to my own cubicle in the far corner, unlocked the screen and typed in “man getpass” on the command line, while logging into cryptoserv in another window and doing exactly the same thing there. I saw exactly what I needed to see.

Today, should you try to read up the programmer’s manual (AKA the man page) on getpass, you will find it has been long declared obsolete and replaced with a more intelligent alternative in nearly all flavors of modern Unix.

But back then, if you wanted to collect some information from the keyboard without printing what is being typed in onto the screen and remain POSIX-compliant, getpass did the trick. Other than a few standard file manipulation system calls, getpass was the only operating system service call I used, to ensure clean portability between Linux and Solaris.

Except it wasn’t completely clean.

Plain as day, there it was: the manual pages were identical, except Solaris had a “special feature”: any passphrase entered that was longer than 8 characters long was automatically reduced to that length anyway. (Who needs long passwords, amiright?!)

I screamed like a wounded animal. We generated the key on my Linux desktop and entered our novel-length passphrases right here. Attempting to restore them on a Solaris machine where they were being clipped down to 8 characters long would never work. Except, of course, for a$$word. That one was fine.

The rest was an exercise in high-speed coding and some entirely off-protocol file moving. We reconstructed the master key on my machine (all of our passphrases worked fine), copied the file to the Solaris-running cryptoserv, re-split it there (with very short passphrases), reconstructed it successfully, and PayPal was up and running again like nothing ever happened.

By the time our unsuspecting colleagues rolled back into the office I was starting to doze on the floor of my cubicle and that was that. When someone asked me later that day why we took so long to bring the site back up, I’d simply respond with “eh, shoulda RTFM.”

RTFM indeed.

P.S. A few hours later, John, our General Counsel, stopped by my cubicle to ask me something. The day before I apparently gave him a sealed envelope and asked him to store it in his safe for 24 hours without explaining myself. He wanted to know what to do with it now that 24 hours have passed.

Ha. I forgot all about it, but in a bout of “what if it doesn’t work” paranoia, I printed out the base64-encoded master key when we had generated it the night before, stuffed it into an envelope, and gave it to John for safekeeping. We shredded it together without opening and laughed about what would have never actually been a company-ending event.

P.P.S. If you are thinking of all the ways this whole SSS design is horribly insecure (it had some real flaws for sure) and plan to poke around PayPal to see if it might still be there, don’t. While it served us well for a few years, this was the very first thing eBay required us to turn off after the acquisition. Pretty sure it’s back to a single passphrase now.

Notes:

1: a member of Chicagoland sci-fi fan community let me know that the original news of our move to the US was delivered to them via a posted letter, snail mail, not FidoNet email!

521 notes · View notes

neonblessing · 1 year ago

Text

⚠️ SPOILER ALERT! ⚠️ Click here to read Neon Blessing from the beginning!

“Look, you don’t have to give me a map. Just point me in the right direction.”

“Shiv, kid, I get it. You want revenge. But-”

“I don’t want revenge,” she said. She wasn’t certain if it was a lie.

“Then what do you want?”

“Answers.” Hell, she didn’t even know the finer points of what the two of them had stolen. The house had been full of valuable art, they’d passed a poorly-hidden wall safe on the way to the owner’s office, and they ignored it all in favor of the data drive that had sat atop a messy stack of papers. Ornarch hadn’t told them what was on there, just that it would go for a hundred thousand credits at a minimum, or a million from the right buyer. Most drives its size were just something convenient to hold, with the data itself stored on a chip a few nanometers thick. Whatever was on that drive had been complex enough that the whole damn drive was dedicated to memory. A sphinx glinted darkly on its surface, mirror finish set into matte black. There was something captivating about its sheer scale and the precision of its construction. Something a little sinister, too. Then he had shown up, and the rest of the night was a blurry nightmare of burning, screaming, and blood.

Kooler pursed his lips. “And once you have those answers, what are you going to do?”

“My job. Ornarch wants me to-”

Kooler’s eyes narrowed, and he tilted his head. “Isn’t your job breaking and entering? At least, I think that’s what you told me the first time we met. Forgive an old man’s memory for its failings, but I think I would have remembered hearing a teenager call themself an executioner.” He suddenly sounded very old, and very tired.

“Maybe I’ve changed. Why do you care?” It came out a little colder than she’d intended it to.

“Sorry, sorry. You’re right. None of my business.”

“So you won’t help me?”

“Staying neutral is how I stay alive. Everyone knows old Kooler keeps his mouth shut.”

“That’s a no?” Her heart sank. She’d known it was a long shot, but even still, Kooler was the closest thing she had to a lead.

Whatever he saw in her face gave him pause. “I… offered them ten thousand for the drive. I don’t even have half the hardware it would take to decrypt that… monster. I told them I wasn’t paying a credit more than that for a piece of software I couldn’t validate, no matter what rumors I’d heard. They took their business elsewhere. I don’t know where.”

“Rumors?”

“Have you been online since you stole it?” She hadn’t. “Half of the criminals in the Diluvian District are hunting after that sphinx drive. It’s anyone’s guess what’s on there, but Ebrelurge put a bounty out on it and then a few gang bosses joined the bidding war. As of this morning, the best offer is 1.6 million.”

Lord of birds. One point six fucking million?

He went on. “I don’t know where they went, but I know someone who might. Don’t go telling everyone I lent you a hand, but you’re- you’re a good kid. Just- hear them out when you see them. Don’t rush headlong into being a killer.”

“Yeah.”

Kooler pushed off the counter, sending his chair on a practiced arc towards a shelf of folders in one corner of the shop. He returned bearing a business card, a thin sheet of crisp white plastic stock with “Club RED – 1191-3962” embossed on it in brilliant crimson. The back side of the card was decorated with a staring eye in the same shade. “Kurtz–the owner of Club RED–knows me, and she’s got a panopt. Ask to see Odie. If it can’t help you, no one can.”

Shiv grinned. “Thanks, Kooler.”

“I’d say ‘any time,’ but really I’d rather not stick my neck out again.”

“With any luck, you won’t have to!”

The door squealed as she left.

First Page – Previous Page – Next Page

#9 #neon blessing #shiv #kooler

34 notes · View notes

redfoxwritesstuff · 8 months ago

Text

Sunflower: Book 1, chapter 15

Tom Hiddleston x OFC Series rated: M Chapter warnings: Our flashback is a bit.. Uhum. Steamy? AN: Do we get our conversation? How childish will Mia be? Can she act like a goddamn adult? LETS FIND OUT!

Masterlist

~~~~~~<3

It had been four days. Four long, slow days. Four days where Mia could try to think without the overwhelming presence of a stranger in her space. Four days where Mia found herself longing for that presence.

Tom had been gone for four days and it had been twenty four hours since she had heard from Tom. Radio silence filled the air, though she tried to drown it out with music, television and conversations. How could silence gnaw at her heart in the very same way as the insane devotion that radiated off him did?

He was busy. He was working. He was… not here. And that bothered her. A lot. It shouldn’t, but it did. And that killed her. Not physically, but god did she kind of wish it did.

She wasn’t clingy typically but she couldn’t help it. This was his fault. He demanded that she invest. How could she not when he insisted on finding any crack in her heart to worm his way in and try to find purchase to take root.

He had made her think he was different. Hell, he had all but said he was different.

This was supposed to be different.

But here she was, four days alone.

Sally was asleep and the apartment was large, empty and frigidly silent. She had worked a early shift and tomorrow had a late one. Exhaustion was deep in her bones but she needed to stay up way too late tonight.

What was it like to have someone to be at home with, to not be alone in the silence of the night when she had no choice but play chicken with the morning light?

A ping from her phone caught her attention. Glancing at it, she saw it was just another news push notification. It wasn’t a feature she wanted but it was installed automatically with the latest software update. There was enough in her life to be anxious about without getting 24 hour updates every day of the year on what god awful thing was happening in another state or country. It had been a few weeks but she hadn’t been able to figure out how to turn it off.

It was just a matter of time until she figured it out though. She swore it. Every time it had gone off it had given her false hope that he finally sent something, she swore she’d figure it out.

This was ridiculous.

The reason for the radio silence was obvious. She had been right and he realized it. It was that simple. No need to pine, question and dance like a goddamn schoolgirl.

With time away, Tom realized that everything Mia had said Saturday morning was right. In a few days or a few weeks she would get a notice from some lawyer initiating the annulment. Would he cancel the card he left for her to use?

It’s not like it was hard to replace, really. It was just a credit card, he obviously could live without the physical card for a while. How hard would it really be on him if he changed his mind?

“Some promise that was.” Mia tossed the card absently onto the end table next to her.

Ping.

Ignore it. There was no point in checking. It wasn’t him. it was never him.

Okay, she was being a bit dramatic. Really dramatic, maybe. She didn’t know. It was dumb. She was being dumb. It was too soon to decide he ghosted her.

“Fuck,” She slumped back on the couch. “I guess I’ll be able to say I got ghosted by an actor.”

Ping.

She couldn’t help it, she grabbed her phone knowing exactly what she’d find. It would be a second news story of little to no importance to her day to day life. An auto accident near by that slowed traffic patterns or a missing person on the other side of the country. A storm in Brazil or a heatwave in India. It would be a protest in China. It would be nothing.

It was a text message from contact Tom.

“Can I call?” The message read. Another followed, “It’s late, I know.”

She sent a single k back and waited for the other shoe to drop. There was nearly no wait for the phone to come to life in her hand. She hadn’t added a picture to his contact, it was just Tom H lighting up her screen.

Nothing more.

She took a deep breath and answered, “Hello,”

“Is everything alright?” Tom’s tone was difficult to pinpoint.

“Yeah-” She cleared her throat and sat up. “I’m fine. It’s fine. Everything’s fine. Just lay it on me.”

“Lay what on you?” Tom sounded confused and that confused her. “What are you talking about?”

“You haven’t said anything, all day.” Her eyes burned and her throat felt tight. She needed air. The apartment was suffocating as she stood.

“It has been a minute, I suppose.” He was picking his words carefully.

“Can you just- why are you calling?” The glass door slid closed behind her. If Tom was going to do whatever she wanted to not have to worry about Sally waking up for it.

“I wanted to talk to you?” Tom sounded unsure, on the other side of the country he had found himself off balance.

“About what?” Mia felt the anger sweeping in to push away her sadness. It wasn’t healthy but it was a bad habit that she often found solace in. Anger was safe. For her at least, not those in her way.

“You’re upset with me?”

“Stop asking questions.” Mia snapped. “What do you want?”

“I wanted to make sure you got the couch alright.” Tom’s voice was starting to pull tight. “Why did you think I wanted to call?”

“To tell me I was right.” Mia’s voice cracked. This was it, their first fight was going to happen and it hadn’t even been two weeks. “To tell me…”

Tom’s tone changed from the defensive and softened considerably. He may not be able to read her mind but he knew she was hurting. “I’m not calling to ask for an annulment. Why on earth did you think that?”

“You never texted back. You stopped talking and I just- It’s been over a day and it’s been slowing down. It was just-” she clamped down on the words as her voice threatened to give away how close she was to tears, that safe anger winking out in her shame.

“You missed me?” his voice was so soft. “I got absorbed in work. I’m sorry.”

“No, no.” Mia forced a chuckle. It was all a misunderstanding. She was acting like a love sick schoolgirl. She was a grown ass woman married to a grown ass man. She shouldn’t be crying and thinking their marriage is over just because he didn’t text her for a day. “I swear- I’m not clingy.”

“It’s alright.” Somewhere on the other side of the universe, he sat down heavily on the too big bed. “Things are new and delicate. I’m just as guilty for not being aware.” Silence ticked on. While they had texted while he was away (until it stopped) they hadn’t actually talked on the phone.

“I saw part of your interview.” Mia wasn’t sure why she said it.

“Which one?” Tom asked, his voice warming to life. “What did you think?”

“The one where you talked about me.”

“Did I- Was what I said alright?” Tom wasn’t totally sure which one she was talking about but he didn’t want to complicate things more.

“I don’t like lying.” Mia said. “I know why you need to but I don’t like it.”

“It’s not really lying, its just implying different and reinforcing our privacy.” That still sounded like lying to Mia but she let it go. She was pretty sure he more than implied they knew eachother for longer than a night in the segment she watched anyway.

He could lie so easily and didn’t even agree with her on the definition of lying. The fact that he played pretend well enough to do it for a living showed he was good at telling lies too.

Shaking her head, she pushed the thoughts away. Tom had never given her a reason to think he would lie to her. He has been earnest and honest from the moment they woke up Saturday.

“Hiding parts of my private life is just a fact of my life. If I want to hold anything back for myself without the public picking it apart, it needs to be protected from them.”

“I know.” Mia sighed as she leaned against the railing. The fight felt like it had been narrowly avoided.

“It’s people in my life I tell the truth but to protect the people in my life I don’t tell the world the whole truth.”

“I know, I know-”

“It’ll take time to get used to.”

Silence filled the air again. This time it didn’t have that same icy chill to it. She had missed him and that scared her.

“Tom?” Her heart beat too hard in her chest. Did he miss her? Even just a little?

He hummed on the other side of the universe and she wondered what he was doing. They had a time difference of three hours. It was late for her but even later for him. Was he preparing to go to bed? Was he just getting in from a night on the town?

“What is it?” He asked after she failed to say anything.

She wanted to tell him she missed him. She wanted to ask when he was going to come back. She hated it.

“Don’t be a stranger.” God, that was so lame. Out of everything she could have said, that’s what she came up with?

“I have been, haven’t I?” It was Mia’s turn to be silent. She wasn’t sure what to say. It was weird to be married to a man she didn’t know.

“I mean, what’s what we kind of still are, aren’t we?” It was the best she could come up with to say.

“I’m sorry. I’d gotten busy and fallen away from texting you. I- Luke tacked on a few appearances. The trip got extended. Usually it’s nothing, I didn’t think anything of it. Until I did. But by then- I didn’t know what to say.”

The ability to apologize was not one that Mia had seen much in the men that had spent time in her life. It reassured her that he could do something as simple as say ‘sorry’.

“I should be back by Friday.” Tom said, sounding sure. Just as sure as he had sounded before he left. “I promise.”

“Don’t.” Mia’s voice came harder than she intended. “Don’t promise if you don’t have control over keeping it.”

“Mia-”

“I need to get to bed. Work tomorrow.”

What moments of warmth they had shared during the call had cooled. Would it always be like this? She hoped not. Could she ever feel safe enough to stop icing him out as soon as things warmed up?

“I’ll call again tomorrow?” Tom fell back on the hotel bed. This call had not gone how he intended but who’s fault was that? He should have just told her when the plan changed.

“If you want.” She didn’t know what else to say as she stepped back into the apartment, locking the sliding door behind her.

“I do want.” Tom hesitated, “It’s good to hear your voice. To talk to you. I missed you.”

She didn’t know what to say. Couldn’t say anything. Her heart pounded in her chest and her hands trembled. “Goodnight, Tom.” Was what she managed to squeak out before disconnecting the call.

~~~~~<3

Tom pressed her against the door. His hand was large and firm against her waist, holding her right where he wanted. Fumbling, with his wallet trapped in his pocket, he struggled with the other hand. His pants were tight around his hips and his current state of mind didn’t help matters.

Her nails scratched at the hair at the back of his neck as she clung to him. It felt like she was floating, swimming through a sea of desire and alcohol. She needed him. She wanted him. “Hurry.”

“Got it.” The wallet slipped out. It was a struggle to flip it open with one hand, then find the hotel keycard. In the process of getting the card out, he dropped the leather wallet to the floor.

His breath was hot in her ear. Lips worked, leaving harsh kisses along her neck. As he worked the card into the slot, he moved his hand from her waist to her breast, stopping for a firm squeeze that had a soft moan slip from her lips.

“I need you.” She whimpered as the door beeped, denying entry.

“Who do you need?” Tom asked as he flipped the card around, trying different sides hoping one would work.

“My husband.” That set fire to him.

The door beeped the correct tune this time, granting them entry. Tom hooked the door handle with his hand, slapping it down clumsily after yanking the card from the door. The door swung open, no longer providing a solid surface to support their weight.

Tom held her up with a arm flung around her waist as they stumbled in. He kicked blindly, relying on feel alone to help him ensure he kicked his wallet somewhere into the room.

“My wife.” Tom breathed as he kicked the door shut behind them. Alone at last.

~~~~~<3

Taglist:

@winterisakiller, @alexakeyloveloki, @jennyggggrrr @dangertoozmanykids101, @tilltheendwilliwrite @tinchentitri @wizardcherryblossom @buttercupcookies-blog @violethaze @kats72 @soulpiercing @evedia

#Tom hiddleston x ofc #tom hiddleston x oc #Tom hiddleston x original female character #Tom hiddleston x original character #tom hiddleston fanfic #Tom hiddleston fanfiction #tom hiddleston rpf

17 notes · View notes

blacklabelcrm · 1 year ago

Text

Lend Ease Free: Empower Your Money Lending Business

Lend Ease Free is a powerful software tailored for money lending businesses. With no cost, streamline operations, track loans, and serve clients efficiently, maximizing profitability and customer satisfaction. Visit https://blacklabelcrm.com/

#white label business credit #build business credit software #business credit building software #business credit builder software #free money lending business software #white label business lending #cash lending business software #white label commercial lending #white label business loans #business credit cards software

1 note · View note

mariacallous · 9 months ago

Text

Shortly before noon on Aug. 19, 2023, a Russian cruise missile sliced past the golden onion domes and squat apartment blocks of the Chernihiv skyline in northern Ukraine. The Iskander-K missile slammed into its target: the city’s drama theater, which was hosting a meeting of drone manufacturers at the time of the attack. More than 140 people were injured and seven killed. The youngest, 6-year-old Sofia Golynska, had been playing in a nearby park.

Fragments of the missile recovered by the Ukrainian armed forces and analyzed by Ukrainian researchers found numerous components made by U.S. manufacturers in the missile’s onboard navigation system, which enabled it to reach its target with devastating precision. In December, Ukraine’s state anti-corruption agency released an online database of the thousands of foreign-made components recovered from Russian weapons so far.

Russia’s struggle to produce the advanced semiconductors, electrical components, and machine tools needed to fuel its defense industrial base predates the current war and has left it reliant on imports even amid its estrangement from the West. So when Moscow launched its full-scale invasion of Ukraine in February 2022, major manufacturing countries from North America, Europe, and East Asia swiftly imposed export controls on a broad swath of items deemed critical for the Russian arms industry.

Russia quickly became the world’s most sanctioned country: Some 16,000 people and companies were subject to a patchwork of international sanctions and export control orders imposed by a coalition of 39 countries. Export restrictions were painted with such a broad brush that sunglasses, contact lenses, and false teeth were also swept up in the prohibitions. Even items manufactured overseas by foreign companies are prohibited from being sold to Russia if they are made with U.S. tools or software, under a regulation known as the foreign direct product rule.

But as the war reaches its two-year anniversary, export controls have failed to stem the flow of advanced electronics and machinery making their way into Russia as new and convoluted supply chains have been forged through third countries such as Kazakhstan, Turkey, and the United Arab Emirates, which are not party to the export control efforts. An investigation by Nikkei Asia found a tenfold increase in the export of semiconductors from China and Hong Kong to Russia in the immediate aftermath of the war—the majority of them from U.S. manufacturers.

“Life finds a way,” said a senior U.S. intelligence official, quoting the movie Jurassic Park. The official spoke on background to discuss Russia’s evasion of export controls.

Some of the weapons and components analyzed by investigators were likely stockpiled before the war. But widely available Russian trade data reveals a brisk business in imports. More than $1 billion worth of advanced semiconductors from U.S. and European manufacturers made their way into the country last year, according to classified Russian customs service data obtained by Bloomberg. A recent report by the Kyiv School of Economics found that imports of components considered critical for the battlefield had dipped by just 10 percent during the first 10 months of 2023, compared with prewar levels.

This has created a Kafkaesque scenario, the report notes, in which the Ukrainian army is doing battle with Western weapons against a Russian arsenal that also runs on Western components.

It is an obvious problem, well documented by numerous think tank and media reports, but one without an easy solution. Tracking illicit trade in items such as semiconductors is an exponentially greater challenge than monitoring shipments of conventional weapons. Around 1 trillion chips are produced every year. Found in credit cards, toasters, tanks, missile systems, and much, much more, they power the global economy as well as the Russian military. Cutting Russia out of the global supply chain for semiconductors is easier said than done.

“Both Russia and China, and basically all militaries, are using a large number of consumer electronic components in their systems,” said Chris Miller, the author of Chip War: The Fight for the World’s Most Critical Technology. “All of the world’s militaries rely on the same supply chain, which is the supply chain that primarily services consumer electronics.”

Export controls were once neatly tailored to keep specific items, such as nuclear technology, out of the hands of rogue states and terrorist groups. But as Washington vies for technological supremacy with Beijing while also seeking to contain Russia and Iran, it has increasingly used these trade restrictions to advance broader U.S. strategic objectives. For instance, the Biden administration has placed wide-ranging prohibitions on the export of advanced chips to China.

“At no point in history have export controls been more central to our collective security than right now,” Matthew Axelrod, the assistant secretary for export enforcement at the U.S. Commerce Department, said in a speech last September. U.S. National Security Advisor Jake Sullivan has described export controls as “a new strategic asset in the U.S. and allied toolkit.”

Russia’s ability to defy these restrictions doesn’t just have implications for the war in Ukraine. It also raises significant questions about the challenge ahead vis-à-vis China.

“The technological question becomes a key part of this story and whether or not we can restrict it from our adversaries,” said James Byrne, the director of open-source intelligence and analysis at the Royal United Services Institute, a British think tank.

In the Russian city of Izhevsk, home to the factory that manufactures Kalashnikov rifles, shopping malls are being converted into drone factories amid a surge in defense spending that has helped the country’s economy weather its Western estrangement. Arms manufacturers have been urged to work around the clock to feed the Russian war machine, while defense is set to account for one-third of the state budget this year.

“We have developed a concept to convert shopping centers—which, before the start of the SMO [special military operation], sold mainly the products of Western brands—to factories for assembly lines of types of domestic drones,” Alexander Zakharov, the chief designer of the Zala Aero drone company, said at a closed event in August 2022, according to the Russian business newspaper Vedomosti. “Special military operation” is what the Russian government calls its war on Ukraine. Zala Aero is a subsidiary of the Kalashnikov Concern that, along with Zakharov, was sanctioned by the United States last November.

Defense companies have bought at least three shopping malls in Izhevsk to be repurposed for the manufacture of drones, according to local media, including Lancet attack drones, which the British defense ministry described as one of the most effective new weapons that Russia introduced to the battlefield last year. Lancets, which cost about $35,000 to produce, wreaked havoc during Ukraine’s offensive last year and have been captured on video striking valuable Ukrainian tanks and parked MiG fighter jets.

Like a lot of Russia’s weapons systems, Lancets are filled with Western components. An analysis of images of the drones published in December by the Washington-based Institute for Science and International Security found that they contained several parts from U.S., Swiss, and Czech manufacturers, including image processing and analytical components that play a pivotal role in enabling the drones to reach their targets on the battlefield.

“The recurring appearance of these Western products in Russian drone systems shows a keen dependence on them for key capabilities in the drone systems,” the report notes. Lancets are not the only drones found to contain Western components. Almost all of the electronic components in the Iranian Shahed-136 drones, which Russia is now manufacturing with Iranian help to use in Ukraine, are of Western origin, a separate analysis published in November concluded.

Early in the war, the Royal United Services Institute analyzed 27 Russian military systems, including cruise missiles, electronic warfare complexes, and communications systems, and found that they contained at least 450 foreign-made components, revealing Russia’s dependence on imports.

One of the principal ways that Russia has evaded Western export controls has been through transshipment via third countries such as Turkey, the UAE, and neighboring states once part of the Soviet Union. Bloomberg reported last November that amid mounting Western pressure, the UAE had agreed to restrict the export of sensitive goods to Russia and that Turkey was considering a similar move. Kazakh officials announced a ban on the export of certain battlefield goods to Russia in October.

Suspected transshipment is often revealed by striking changes in trade patterns before and after the invasion. The Maldives, an island chain in the Indian Ocean that has no domestic semiconductor industry, shipped almost $54 million worth of U.S.-made semiconductors to Russia in the year after the invasion of Ukraine, Nikkei Asia reported last July.

Semiconductor supply chains often span several countries, with chips designed in one country and manufactured in another before being sold to a series of downstream distributors around the world. That makes it difficult for companies to know the ultimate end user of their products. This may seem odd—until you realize that this is the case for many everyday products that are sold around the world. “When Coca-Cola sells Coca-Cola, it doesn’t know where every bottle goes, and they don’t have systems to track where every bottle goes,” said Kevin Wolf, a former assistant secretary for export administration at the U.S. Commerce Department.

While a coalition of 39 countries, including the world’s major manufacturers of advanced electronics, imposed export restrictions on Russia, much of the rest of the world continues to trade freely with Moscow. Components manufactured in coalition countries will often begin their journey to Moscow’s weapons factories through a series of entirely legal transactions before ending up with a final distributor that takes them across the border into Russia. “It starts off as licit trade and ends up as illicit trade,” said a second senior U.S. intelligence official, who spoke on condition of anonymity.

The further items move down the supply chain, the less insight governments and companies have into their ultimate destination, although sudden changes in behavior of importers can offer a red flag. In his speech last September, Axelrod, the assistant secretary, used the example of a beauty salon that suddenly starts to import electronic components.

But the Grand Canyon of loopholes is China, which has stood by Moscow since the invasion. In the first days of the war, U.S. Commerce Secretary Gina Raimondo warned that Washington could shut down Chinese companies that ignored semiconductor export controls placed on Russia. Last October, 42 Chinese companies were added to export control lists—severely undercutting their ability to do business with U.S. companies—for supplying Russian defense manufacturers with U.S. chips.

But as the Biden administration carefully calibrates its China policy in a bid to keep a lid on escalating tensions, it has held off from taking Beijing to task. “I think the biggest issue is that we—the West—have been unwilling to put pressure on China that would get China to start enforcing some of these rules itself,” said Miller, the author of Chip Wars.

A spokesperson for the U.S. Commerce Department’s Bureau of Industry and Security (BIS) said: “Due to the restrictions imposed by the United States and key allies and partners, Russia has been left with no choice but to spend more, lower its ambitions for high-tech weaponry, build alliances with other international pariah states, and develop nefarious trade networks to covertly obtain the technologies it needs.

“We are deeply concerned regarding [Chinese] support for Russia’s defense industrial base. BIS has acted to add over 100 [China]-based entities to the Entity List for supporting Russia’s military industrial base and related activities.”

Export controls have typically focused on keeping specific U.S.-made goods out of the hands of adversaries, while economic and financial sanctions have served broader foreign-policy objectives of isolating rogue states and cauterizing the financing of terrorist groups and drug cartels. The use of sanctions as a national security tool grew in wake of the 9/11 attacks; in the intervening decades, companies, government agencies, and financial institutions have built up a wealth of experience in sanctions compliance. By contrast, the use of export controls for strategic ends is relatively novel, and compliance expertise is still in its infancy.

“It used to be that people like me could keep export controls and sanctions in one person’s head. The level of complexity for each area of law is so intense. I don’t know anyone who is truly an export control and sanctions expert,” Wolf said.

Export controls, experts say, are at best speed bumps designed to make it harder for Russia’s defense industrial base to procure Western components. They create “extra friction and pressure on the Russian economy,” said Daniel Fried, who as the State Department coordinator for sanctions policy helped craft U.S. sanctions on Russia after its annexation of Crimea in 2014. Russia is now paying 80 percent more to import semiconductors than it did before the war, according to forthcoming research by Miller, and the components it is able to acquire are often of dubious quality.

But although it may be more cumbersome and expensive, it’s a cost that Moscow has been willing to bear in its war on Ukraine.

Western components—and lots of them—will continue to be found in the weapons Russia uses on Ukraine’s battlefields for the duration of the war. “This problem is as old as export controls are,” said Jasper Helder, an expert on export controls and sanctions with the law firm Akin Gump. But there are ways to further plug the gaps.

Steeper penalties could incentivize U.S. companies to take a more proactive role in ensuring their products don’t wind up in the hands of the Russian military, said Elina Ribakova, a nonresident senior fellow at the Peterson Institute for International Economics. “At the moment, they’re not truly motivated,” she said.

Companies that run afoul of sanctions and the Foreign Corrupt Practices Act, a U.S. federal law that prohibits the payment of bribes, have been fined billions of dollars. Settlements of export control violations are often an order of magnitude smaller, according to recently published research.

In a speech last month, Axelrod said the United States would begin issuing steeper penalties for export control violations. “Build one case against one of the companies extremely well, put out a multibillion-dollar fine negotiation, and watch everybody else fall in line,” Ribakova said.

And then there’s the question of resources. BIS has an annual budget of just $200 million. “That’s like the cost of a few fighter jets. Come on,” said Raimondo, speaking at the Reagan National Defense Forum last December.

The agency’s core budget for export control has, adjusted for inflation, remained flat since 2010, while its workload has surged. Between 2014 and 2022, the volume of U.S. exports subject to licensing scrutiny increased by 126 percent, according to an agency spokesperson. A 2022 study of export control enforcement by the Center for Strategic and International Studies recommended a budget increase of $45 million annually, describing it as “one of the best opportunities available anywhere in U.S. national security.”

When it comes to enforcement, the bureau has about 150 officers across the country who work with law enforcement and conduct outreach to companies. The Commerce Department has also established a task force with the Justice Department to keep advanced technologies out of the hands of Russia, China, and Iran. “The U.S. has the most robust export enforcement on the planet,” Wolf said.

But compared with other law enforcement and national security agencies, the bureau’s budgets have not kept pace with its expanding mission. The Department of Homeland Security has more investigators in the city of Tampa, Florida, than BIS does across the entire country, Axelrod noted in his January speech.

On the other side, you have Russia, which is extremely motivated to acquire the critical technologies it needs to continue to prosecute its war. The Kremlin has tasked its intelligence agencies with finding ways around sanctions and export controls, U.S. Treasury Undersecretary Brian Nelson said in a speech last year. “We are not talking about a profit-seeking firm looking for efficiencies,” the second senior U.S. intelligence official said. “There will be supply if there is sufficient demand.”

18 notes · View notes

justinspoliticalcorner · 2 months ago

Text

Mae Anderson at AP, via NewsNation:

NEW YORK (AP) — The U.S. Justice Department has filed an antitrust lawsuit against Visa, alleging that the financial services behemoth uses its size and dominance to stifle competition in the debit card market, costing consumers and businesses billions of dollars.

The complaint filed Tuesday says San Francisco-based Visa penalizes merchants and banks who don’t use Visa’s own payment processing technology to process debit transactions, even though alternatives exist. Visa earns an incremental fee from every transaction processed on its network. According to the DOJ’s complaint, 60% of debit transactions in the United States run on Visa’s debit network, allowing it to charge over $7 billion in fees each year for processing those transactions. “We allege that Visa has unlawfully amassed the power to extract fees that far exceed what it could charge in a competitive market,” said Attorney General Merrick B. Garland in a statement. “Merchants and banks pass along those costs to consumers, either by raising prices or reducing quality or service. As a result, Visa’s unlawful conduct affects not just the price of one thing – but the price of nearly everything.”

In a statement, Julie Rottenberg, Visa’s general counsel, said the lawsuit doesn’t take into account the “ever expanding universe of companies offering new ways to pay for goods and services.” “Today’s lawsuit ignores the reality that Visa is just one of many competitors in a debit space that is growing, with entrants who are thriving,” Rottenberg said. She added the lawsuit is “meritless” and the company will defend itself “vigorously.” The Biden administration has aggressively gone after U.S. companies that it says act like middlemen, such as Ticketmaster parent Live Nation and the real estate software company RealPage, accusing them of burdening Americans with nonsensical fees and anticompetitive behavior. The administration has also brought charges of monopolistic behavior against technology giants such as Apple and Google.

DOJ sues Visa in an antitrust lawsuit on the basis that the card issuer has de facto monopolized the debit and credit card markets.