January 27, 2005

Unintended Consequences and the Case of the $100 Superbill

Axel points to a rather good article on Unintended Consequences with lots of good examples for the security thinker. If there is one cause that one had to put ones finger on, it is this: the attacker is smart, and can be expected to think about how to attack your system. Once you think like an attacker, you have a chance. If not, forget it.

Notwithstanding that minor ommission, here's the rather nice FC example, that of the mysterious $100 superbills.

Back in the 1970s, long before the revolution that would eventually topple him from power, the Shah of Iran was one of America's best friends (he was a dictator who brutally repressed his people, but he was anti-communist, and that made him OK in our book). Wanting to help out a good friend, the United States government agreed to sell Iran the very same intaglio presses used to print American currency so that the Shah could print his own high quality money for his country. Soon enough, the Shah was the proud owner of some of the best money printing machines in the world, and beautiful Iranian Rials proceeded to flow off the presses.
All things must come to an end, and the Shah was forced to flee Iran in 1979 when the Ayatollah Khomeini's rebellion brought theocratic rule to Iran. Everyone reading this undoubtedly knows the terrible events that followed: students took American embassy workers hostage for over a year as Iran declared America to be the "Great Satan," while evidence of US complicity in the Shah's oppression of his people became obvious, leading to a break in relations between the two countries that continues to worsen to this day.
During the early 90s, counterfeit $100 bills began to flood the Mideast, eventually spreading around the world. Known as "superbills" or "superdollars" by the US Treasury due to the astounding quality of the forgeries, these $100 bills became a tremendous headache not only for the US and its economy, but also for people all over the world that depend on the surety of American money. Several culprits have been suggested as responsible for the superbills, including North Korea and Syria, but many observers think the real culprit is the most obvious suspect: an Iranian government deeply hostile to the United States ... and even worse, an Iranian government possessing the very same printing presses used to create American money.
If you've ever wondered just why American currency was redesigned in the 1990s, now you know. In the 1970s, the US rewarded an ally with a special machine; in the 1990s, the US had to change its money because that ally was no longer an ally, and that special machine was now a weapon used to attack the US's money supply, where it really hurts. As an example of the law of unintended consequences, it's powerful, and it illustrates one of the main results of that law: that those unintended consequences can really bite back when you least expect them.

Read the rest... Unintended Consequences.

Posted by iang at January 27, 2005 09:11 AM | TrackBack

Again, the "What's-Your-Threat-Model" thinking applies. It's at least debatable if one manages to create a complete threat model, let alone think outside the box as attackers do.

However, *if* one manages to create a complete threat model, it's not necessary to think like an attacker - or, to put it the other way round, the attacker way of thinking is just part of your own complete assessment.

I highly doubt the ability of man to create anything in a "complete", 100% way.

Posted by: Axel at January 27, 2005 09:38 AM

I don't know how bills are printed these days, but wouldn't they need more than a special press to duplicate another country's currency? What about the particular inks, the particular paper? And what about the plates, wouldn't they need perfect copies of the plates used to press the U.S. bills? How would they get those, would they just photograph American money, or would they need copies of the actual plates used in the U.S.?

Posted by: Cypherpunk at January 27, 2005 05:14 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.