Value cycle and value equation (SENSORICA)

Creative Commons (BY NC CA) licence granted by the author(s)

Disclaimer: This blog entry reflects the thoughts of the author and does not speak on behalf of the Sensorica community. Further, the work is built on the work of the Sensorica community on the value equation. Moreover, the author has many views on the value equation and this blog represents only one of the many perspectives. Lastly, the author assumes that the reader is familiar with the concepts of the Open-value network.
The current capitalistic economic model was designed in the industrial era to reflect the thoughts, culture, technology, knowledge and processes of that era. In fact, our current economic model has been optimized to reflect the technological (information processing) capacity of the industrial era. The era of the internet, however, requires a new economic model and new efficiency mechanisms. In order to understand the notion of the value equation, it is important to understand the value cycle and the efficiency mechanisms of the current economy.

Value cycle

Value cycle refers to the processes by which value is created, exchanged, distributed and accumulated in the economic system.

Fig: Value Cycle

Value creation refers to what we call "use-value" in economics. People contribute to the value creation process by providing time, ideas, financial capital, labour, etc., and value-streams (or relationships between contributions) are built during the value creation process, which often involves a (large) number of people, in order to satisfy present and/or future needs and wants of the market. Once sufficient value is created, it becomes Goods, Products and/or Services including knowledge (GPS) that can be exchanged for another GPS, which has itself undergone a value creation process by a (large) number of people. The issue is that the value exchange among GPS becomes a matching problem. That is, 5 apples = 3 oranges = 7 bananas = … varied by personal subjectivity; this is why money exists: to simplify and create efficiencies in the value cycle. Afterwards, the exchanged GPS (ex: money, apples, etc.) needs to be distributed (reward, salary, labour hours, etc.) among a (large) number of people. Lastly, exchanged GPS or value is stored and re-used for future value creation processes (ex: savings, seeds, etc.).

Currencies exist in order to create efficiencies in the marketplace by creating units for the value cycle. Conceptually, currency could be thought of as a standard for the unit of value. Perhaps not so surprisingly, money becomes the de-facto currency since it already exists as units, but at the end of the day, money is nothing more than a solution for the matching problem. In its current state money solves two crucial matching problems: the value exchange problem (5 apples = 3 oranges = 7 bananas = $10) and the value distribution ("equitable" reward) problem (or salary/pay in simple words). In a free-market system, this is a matching problem in the sense that the basic units exist and the people can do the matching; hence, 1 apple = $2, 1 orange = $1, 1 banana = $0.5, etc. (exchange process), and similarly, 1 hour of work by an engineer = $60, etc. (distribution process); whereas, in a controlled market, the government does the matching (subsidies, fixed income, etc.). In reality, all systems are a combination of the two.

There are three major problems within the current industrial-era value cycle that would need to be addressed within the internet era. First, the reserves (accumulation) process becomes a value creation process by the principle of interest (money makes money); this makes money the de-facto currency. Second, only money is used for motivation during the value creation process by influencing the value distribution process, even though research shows that money is a negative motivator (hygiene factor); that is, without money people still work but with money people may or may not work. Third, the value creation process can involve thousands of people (for example, open-source projects) but exchange value (including reward and money) can only be distributed to a small subset of participants in the value creation process. This phenomenon is observed because accounting during the value creation process and valuation during the value distribution process are optimized for the industrial era, by reliance on extreme human intervention, and not for the internet era.

The key idea behind the value equation is to reformulate the value distribution problem as a matching problem and disconnect money (or exchange value) from the process of value distribution. Even though money could be the reward to be distributed, it is not the only basis of the accounting. In this way, the value equation and accounting can provide a solution to the matching problem of value distribution in the internet era. The value equation, however, does not solve the value exchange or accumulation problem, although the ideas in this blog could be extended to those problem sets.

Side notes: Unitized (unit based) currency made sense when we did not have the technology to be able to "solve" complex NP-hard or NP-complete problems. Perhaps we still do not have the technology and mechanism (data) to "solve" the matching problem for a larger problem (ex: marketplace), but we do have the technology to "solve" the matching problem for the value distribution process. Technically speaking, though, we do not know how to "solve" NP-complete problems efficiently, that is, calculate the optimal solution. However, we do know how to approximate them and, for a certain class of NP problems, we understand the range of error of the approximation.

Value equation

As mentioned above, the value distribution process currently (in traditional organizations) uses money. Money, again, is a solution to the matching problem for the value exchange process that is also used within value distribution processes (ex: salary). Nevertheless, organizations also use stocks in the value distribution process. Stocks are a unitized solution to the matching problem for the distribution process, much as money is for the value exchange process. Similarly, equity represents a non-unitized solution to the matching problem for the value distribution process. The value equation, simply put, is a way to decide how many stocks or how much equity to issue to each contributor to the project. That is, equity or stock may or may not have any market value or exchange value; similarly, the value equation is simply an agreement on the rules for the distribution of exchange value.

Conceptually, the value equation could be thought of as an algorithm to solve the matching problem of how many stocks to generate or how to create equity in order to match the rewards to contributors as per the ethos of the system. The current societal approach to the problem of value distribution is that we create units and then hope that the solution to the problem is optimized in such a way that all parties would be satisfied. This is a challenging problem since we are relying on humans to solve a matching problem. Matching problems are NP-complete or complex and hence, the optimal solution or even an approximation thereof is not possible due to human factors (we cannot possibly track and compute this information in our heads). An optimal solution to the value distribution matching problem would accurately map the contributions to rewards, but there is no such thing as the "true" value of a contribution. This requires a complex accounting system to track the contributions and rewards as well as an algorithm to perform the mapping.

Value and contributions are subjective unless we analyze entropy (ecological economics deals with this to introduce objectivity) and/or information (which I argue is also subjective). In comparing the value distribution process to the value exchange process, the question is similar to that of how many apples for oranges. It depends on who we ask, but we may get median or mode types of responses to determine the "democratic" subjectivity, and this subjectivity changes with time, advertisement, scarcity, etc.

Determining a value equation is thus a subjective issue determined by the ethos of the system. A value equation could vary from capitalism (completely free-market) to communism (complete equality) to a time-based system, and a mathematics-based one (machine learning and collective intelligence). Similarly, the governance of the value equation, or governance equation (decision on the value equation itself), would also vary from democracy (a representative decides on the value equation), direct democracy (every participant decides on the value equation) and liquid democracy (trust-based representatives decide on the value equation) to meritocracy, dictatorship, kingship, etc.

One of the major advantages of the value equation is the flexibility in defining the system based on ethos. Whereas the industrialized system enforced a certain ethos (capitalism vs. communism), the internet era allows for a choice of ethos. Nevertheless, there are certain best practices that could be adopted to ensure longer-term continuity of the system. The following section provides one of my thoughts on how to design such a system (or value equation).

Note: rewards in our present society refer to money (and/or reputation at times, etc.) but in future, rewards could be very varied. For example, a barter system (1-1 trading) and a network barter system (many-to-many trading) are an interesting way to solve the matching problem of value exchange. EconomyApp is working on the network barter system but it uses money as units in the barter system. It would be interesting in the future to link the value exchange and distribution matching problems. I think this would give rise to a completely different currency system.

"Solving" for Value equation

In our approach in traditional economics, we generate money and then solve for equitability or satisfaction. That is, money is created and then we use the income distribution as a measure to understand the health of economic system. At Sensorica, we have been using a similar approach in the value equation design process: create the equation and then verify to see if people are satisfied and perhaps negotiation could be used after the fact for satisfaction. In this blog, I would like to present a different approach.

The key idea behind this new approach for the value equation is to fix the income distribution first (how poor should be the poor and how rich should be the rich) and then place people ("high or low in the food chain") based on their contribution. Hence, the placement of people with respect to their contribution is used as a health check rather than the distribution of income. In other words, the income distribution (or relative inequality) is fixed.

The placement of people on the income distribution, however, is probabilistic (as per contribution) in the algorithm, since the algorithm is stochastic in nature; hence it would reduce any "corruption" or human negotiation errors. Also, since it is stochastic (random at times), the solution generated may be more acceptable due to the phenomenon of procedural justice. From a motivation perspective, the algorithm is designed to ensure continuity of the value creation process since it provides incentives to work hard (higher probability of being higher in the "food" chain) while keeping the income spread low and the standard of living relatively decent at the bottom, since anyone could end up at the bottom (but most likely those who don't contribute much would end up at the bottom).

Premise behind the Value equation algorithm

(Some raw ideas for now)

Relevant background needed

1) Process fairness
2) Cooperative vs. competitive games
3) Risk-based Game theory
4) Auction games
5) Scale-free networks
6) Statistics (for based lottery games)

(the talk talks about co-operative games a lot)
(most interesting part ~39 minutes on process fairness within cement delivery industry)  <-- there is a lot of other literature on process fairness

3) See the paper by Lara Buchak - "Risk aversion and rationality", July 2009

(although, I am not sure which type of auction game to play -- which bidding system)

5) Scale-free networks (Wikipedia) - Better source of information: Scientific American - scale-free network (2003) article

(Again, lots more interesting papers exist on scale-free networks)

6) Lottery mathematics or stochastic weighted matching (for mathematicians)

Basic Idea:
- People get equity based on chance (probability is based on their contribution, the higher the contribution, the higher the probability of getting higher equity)
- Process could be more important than meritocracy or equality
- People are willing to agree upon a chance based system as long as the process is fair
- Because of chance, people have an incentive to reduce their risk and collaborate to lower the income differentiation (conceptually, increase the minimum wage and reduce the maximum wage)
- People would continue to play the game (as long as the effort generates exchange value) 


- Value accounting system exists and people insert contribution data (contribution is everything - time, money, ideas, labour, material, etc)

- People bid to decide how much should the lowest worker get paid as compared to the highest worker (in ratio) ex: 1:12 (they tried this in Switzerland), 1:100, etc
- Auction can be a multiple round auction (for a fixed number of rounds or until the system stabilizes)
- Auction can be repeated with time (every month, every year, etc.) at fixed or random intervals
- Auction can be repeated after the value exchange process has begun.
Nuance: In a unitized based system (ex: money based currency such as dollars), people may also bid on minimum wage.

At the conclusion of each auction:
- The system creates the income distribution function that follows either normal distribution or power-law distribution 

Nuance -
- It would be interesting to experiment to see which combination of distributions is better between the governance equation and the valuation equation. Example: the governance equation could follow a normal distribution (most people have the same voting power), whereas the value equation could follow a power-law distribution (high contributors can get a lot more than low contributors)
- It would be interesting to experiment by asking people to bid between normal and power-law distribution

Next, the system picks people to win the "lottery" every, whereas, the lottery is where you get placed in the income distribution (or percentile). Your probability of winning a higher percentile lottery would need to be proportional to your contribution.

- Contribution could be peer valuated or weighted.  
- People may or may not assign a decay function for your contribution (ex: depreciation of physical goods)

Lastly, the exchange value is distributed as per the distribution function and your placement on the distribution function.

Note: the auction could be conducted as a series of questionnaires (mandatory or not) or through direct democracy, liquid democracy, a governance equation, etc. For this game, I assume there is 100% submission and that the bidders understand the game (perfectly knowledgeable, participative, and rational bidders).
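
The steps above (agreed ratio, fixed income distribution, contribution-weighted lottery, payout) can be sketched in Python. This is an added example, not the author's or Sensorica's implementation; it assumes a rank-based power law for the distribution, a weighted draw without replacement for the lottery, non-negative contribution scores, and constructed names and numbers.

```python
import math
import random


def income_shares(n, ratio):
    """Fixed income distribution over n ranks (index 0 = top).

    Assumption: a power law by rank, share(r) ~ r**-alpha, with alpha chosen
    so that top share / bottom share equals the ratio agreed in the auction.
    """
    if n == 1:
        return [1.0]
    alpha = math.log(ratio) / math.log(n)
    raw = [rank ** -alpha for rank in range(1, n + 1)]
    total = sum(raw)
    return [x / total for x in raw]


def draw_placement(contributions, rng):
    """Weighted lottery without replacement, filling ranks from the top.

    At each rank the winner is drawn with probability proportional to the
    contribution of the people who have not been placed yet.
    """
    remaining = dict(contributions)
    order = []
    while remaining:
        names = list(remaining)
        weights = [remaining[name] for name in names]
        if sum(weights) <= 0:          # only zero contributors left: uniform draw
            weights = [1] * len(names)
        winner = rng.choices(names, weights=weights, k=1)[0]
        order.append(winner)
        del remaining[winner]
    return order


def distribute(contributions, ratio, exchange_value, rng):
    """Place everyone by lottery, then pay out according to the fixed shares."""
    order = draw_placement(contributions, rng)
    shares = income_shares(len(order), ratio)
    return {name: exchange_value * share for name, share in zip(order, shares)}


if __name__ == "__main__":
    # Constructed sample data: contribution scores from a value accounting system.
    contributions = {"ana": 50, "bo": 30, "chen": 15, "dee": 5}
    payout = distribute(contributions, ratio=12, exchange_value=10_000,
                        rng=random.Random(2014))
    for name, amount in sorted(payout.items(), key=lambda kv: -kv[1]):
        print(f"{name:5s} {amount:9.2f}")
```

The spread between the top and bottom payout is always the agreed 1:12, whoever lands where; only the placement varies between draws.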


Analyzing Malware for Embedded Devices: TheMoon Worm (w00tsec)

All the media outlets are reporting that Embedded Malware is becoming mainstream. This is something totally new and we never heard of this before, right? The high number of Linux SOHO routers with Internet-facing administrative interfaces, the lack of firmware updates and the ease of crafting exploits make them a perfect target for online criminals. The Internet of Threats is wildly insecure, but definitely not unpatchable.

To all infosec people out there, it's important to understand these threats and report them properly to the media. Some top-notch researchers recently uncovered "Massive Botnets" infecting refrigerators, microwaves, gaming consoles, soda machines and tamagotchis. The problem is that they never provided any sort of evidence, no malware samples, no IOCs and did not write a Hakin9 article describing it.

Refrigerator Botnet? Revd. Pastor Laphroaig says Show the PoC || GTFO

The aim of this post is to provide more information to identify/execute embedded binaries, describing how to set up your own virtual lab. In case you missed it, head to the first post from the "Analyzing and Running binaries from Firmware Images" series.

TheMoon Worm

Johannes from SANS provided me with a sample of "TheMoon" malware and posted some interesting information on their handler's diary. Their honeypots captured the scanning activity and linked the exploit to a vulnerable CGI script running on specific firmware versions of the following Linksys routers: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.

SANS handlers classified TheMoon as a Worm because of the self-replicating nature of the malware. The worm searches for a "HNAP1" URL to fingerprint and identify potentially vulnerable routers. If you check your FW and Server logs you may find lots of different IPs probing this URL.

The worm was named like this because it contains images from the movie "The Moon". It's possible to carve a few PNGs inside the ELF binary:
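
One way to do this kind of carving in Python, as an added example that is not part of the original post and was not run against the worm: it finds PNG signatures in a byte blob and keeps only candidates whose chunk chain and CRCs are valid up to IEND. The sample PNG and the ELF-like blob are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _walk_chunks(blob, off):
    """Follow length/type/data/CRC chunks from off; return the offset just
    past IEND, or None if the data is truncated or a CRC does not match."""
    first = True
    while off + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[off:off + 8])
        data_end = off + 8 + length
        if data_end + 4 > len(blob):
            return None
        (crc,) = struct.unpack(">I", blob[data_end:data_end + 4])
        if zlib.crc32(blob[off + 4:data_end]) != crc:   # CRC covers type + data
            return None
        if first and ctype != b"IHDR":                   # IHDR must come first
            return None
        first = False
        off = data_end + 4
        if ctype == b"IEND":
            return off
    return None


def carve_pngs(blob):
    """Return [(offset, png_bytes), ...] for every well-formed PNG in blob."""
    found = []
    pos = blob.find(PNG_SIG)
    while pos != -1:
        end = _walk_chunks(blob, pos + len(PNG_SIG))
        if end is None:
            pos = blob.find(PNG_SIG, pos + 1)   # false positive, keep scanning
        else:
            found.append((pos, blob[pos:end]))
            pos = blob.find(PNG_SIG, end)
    return found


def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_png():
    """Constructed 1x1 greyscale PNG, used only as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")            # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_sample_blob():
    """Constructed stand-in for a binary with embedded images (not the worm)."""
    png = make_sample_png()
    truncated = PNG_SIG + png[8:18]              # signature plus a cut-off IHDR
    return b"\x7fELF" + b"\x00" * 32 + png + b"pad" + png + b"tail" + truncated


if __name__ == "__main__":
    for offset, data in carve_pngs(make_sample_blob()):
        print(f"PNG at offset {offset:#x}, {len(data)} bytes")
```

Validating the CRCs is what separates real embedded images from stray signature bytes, which matters on large firmware or memory dumps.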


Identifying the Binary

A total of seven different samples were provided: they all seem to be variants of the same malware, judging by the ssdeep matching score.


Let's start by running the file utility and readelf to identify the architecture (MIPS R3000 / Little Endian):


The EXr.pdf variant (MD5 88a5c5f9c5de5ba612ec96682d61c7bb) had a VirusTotal Detection Rate of 3 / 50 on 2014-02-16.



We'll be using QEMU to run the binaries in a controlled environment. I commonly use two different setups to run MIPS Linux binaries, both based on the Malta platform.


The OpenWRT Malta CoreLV platform is intended to be used with QEMU (in big or little endian mode). The install procedure is pretty straightforward using OpenWrt Buildroot, the build system for the distribution, which works on Linux, BSD or Mac OS X. In case you don't remember, the authors of the Carna Botnet used it to cross-compile their binaries.

Installing prerequisites (on your favorite Debian Derivative):

Now head to the openwrt folder and set the proper settings for your Linux Kernel, choosing "MIPS Malta CoreLV board (qemu)" for the Target System and "Little Endian" for the subtarget. Don't forget to save the config.



Now build your image (use the -j switch to speed up if you have multiple cores, e.g "-j 3"):


Your image will be ready after a couple of minutes. Now you need to install QEMU full system emulation binaries and start it with the right command switches:


To exit the console simply hit CTRL+A followed by C and Q.

If you want to connect your emulated machine to a real network, follow the steps from Aurelien's Blog or simply run the following commands to get Internet access:

If you don't want to compile the Kernel by yourself, you can grab the pre-compiled binaries from here or here (at your own risk).

You may remember that it was not possible to run busybox-simet using the standalone qemu-mips-static. It's possible to fix that by manually patching QEMU or you can run it inside the proper virtual machine (OpenWRT Malta MIPS/Big Endian):


Debian MIPS Linux

I won't describe how to set up your Debian MIPS Linux because Zach Cutlip already did an amazing job describing it on this blog post. The process is quite similar to the OpenWRT one and if you're too lazy to build your own environment, Aurelien provides pre-compiled binaries here. Don't forget to set your network connections properly.

Dynamic Analysis

In order to emulate the Linksys Environment, let's download and unpack the Firmware from E2500v2 (v1.0.07).

Let's copy and extract the root filesystem (e2500.tar.gz) and the malicious binary (EXr.pdf) to our test machine (Debian MIPS). Remember to copy the worm to the appropriate "/tmp" folder. Back up your QEMU image, start sniffing the connections from the bridged network (tap1 in my case) and bind the necessary pseudo-devices to the chrooted path. You can run the binary directly on your Debian MIPS environment, but using chroot and the target filesystem is highly recommended. If you try to chroot and run the worm without linking these devices, it will refuse to run and it won't drop the second stage binary.

You can use strace to log the syscalls and start your chrooted shell to run the malicious binary. I had some issues using strace on the 2.6.32 Debian MIPS Kernel (vmlinux-2.6.32-5-4kc-malta). The 3.2.0 (vmlinux-3.2.0-4-4kc-malta) version seems to be running fine.


If you don't want to use strace, simply start sh chrooted and run the malware:


The worm tries to remove files containing certain extensions and performs a series of system checks. After a few seconds the binary is removed from /tmp/ and three files are written to disk: .L26 (PID), .L26.lunar (Lunar Base URL) and .L26.out (Debug log).


It's possible to dump QEMU's physical memory using the pmemsave command by hitting CTRL+A, C (to enter QEMU's administrative interface) and entering:


The 256MB raw dump will be saved on your host's local path. You can now try to use volatility or run strings against it.



The worm starts scanning for ports 80 and 8080 on a hardcoded list of networks. If the /HNAP/ URL returns a string identifying the targeted routers, the malware sends an HTTP POST trying to exploit a command injection on the vulnerable CGI.
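
On the defensive side, the probe-then-POST sequence described above can be looked for in web server access logs. The following is an added example, not code from the original post: it assumes combined-format logs, treats any path starting with /HNAP as a probe, and uses a 60-second follow-up window; the log lines, addresses and CGI names are constructed placeholders.

```python
import re
from datetime import datetime

# Combined/common log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines (documentation address ranges, placeholder CGI names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2014:10:00:01 +0000] "GET /HNAP1/ HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.10 - - [01/Mar/2014:10:00:03 +0000] "POST /example.cgi HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [01/Mar/2014:10:05:00 +0000] "GET /HNAP1/ HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.5 - - [01/Mar/2014:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [01/Mar/2014:10:06:02 +0000] "POST /login.cgi HTTP/1.1" 200 64 "-" "-"',
    '192.0.2.10 - - [01/Mar/2014:10:30:00 +0000] "POST /example.cgi HTTP/1.1" 200 0 "-" "-"',
    'not a log line',
]


def find_hnap_probes(lines, window_seconds=60):
    """Return {ip: {"probes": n, "followup_posts": [path, ...]}}.

    An IP is listed once it requests an /HNAP... URL. POSTs to a .cgi path
    from the same IP within window_seconds of its latest probe are attached.
    """
    last_probe = {}
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                                  # skip unparseable lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if path.upper().startswith("/HNAP"):          # covers /HNAP/ and /HNAP1/
            last_probe[ip] = ts
            entry = findings.setdefault(ip, {"probes": 0, "followup_posts": []})
            entry["probes"] += 1
        elif m["method"] == "POST" and path.lower().endswith(".cgi") and ip in last_probe:
            if 0 <= (ts - last_probe[ip]).total_seconds() <= window_seconds:
                findings[ip]["followup_posts"].append(path)
    return findings


def sources_with_followup(findings):
    """IPs whose probe was followed by a CGI POST: the ones to triage first."""
    return sorted(ip for ip, f in findings.items() if f["followup_posts"])


if __name__ == "__main__":
    results = find_hnap_probes(SAMPLE_LOG)
    for ip, info in results.items():
        print(ip, info)
    print("probe followed by CGI POST:", sources_with_followup(results))
```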





Decoded POST:

TheMoon will also start an HTTPS server ("Lunar Base") on the router using the random port identified in the .L26.lunar file. The certificate's Common Name, Organization and Organizational Unit are hardcoded and other values seem to be random. Trying to find these entries in SSL certificate datasets would be really interesting.


The HTTPS server hosts three files: gerty.png, lunar.png and favicon.ico:




Rkhunter reports a few warnings on the infected system. I have uploaded the complete output from rkhunter to Pastebin, get it here.


Another useful technique is to compare the contents from the filesystem with a known good template. You can use binwally, WinMerge or binwalk's hashmatch.
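
A minimal version of that comparison in Python, as an added example rather than how binwally or binwalk do it: both trees are fingerprinted without following symlinks or opening device nodes, then added, removed and modified paths are reported. The miniature trees are constructed; the three dot-file names come from the post, but placing them under tmp/ is an assumption of the sample.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map relative path -> fingerprint for everything under root.

    Regular files get a SHA-256; symlinks are recorded by target and never
    followed (firmware root filesystems are full of busybox links). Device
    nodes, FIFOs and sockets are skipped so nothing is opened by accident.
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                result[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for block in iter(lambda: fh.read(65536), b""):
                        digest.update(block)
                result[rel] = digest.hexdigest()
    return result


def compare_trees(baseline_root, suspect_root):
    """Diff a suspect tree against the known-good template."""
    base, sus = hash_tree(baseline_root), hash_tree(suspect_root)
    return {
        "added": sorted(set(sus) - set(base)),
        "removed": sorted(set(base) - set(sus)),
        "modified": sorted(p for p in set(base) & set(sus) if base[p] != sus[p]),
    }


def build_sample_trees():
    """Constructed miniature 'known good' and 'after execution' trees."""
    base = tempfile.mkdtemp(prefix="good_")
    suspect = tempfile.mkdtemp(prefix="suspect_")
    layout = {"bin/busybox": b"\x7fELF-constructed",
              "etc/hosts": b"127.0.0.1 localhost\n",
              "tmp/old.log": b"constructed\n"}
    for root in (base, suspect):
        for rel, data in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        os.symlink("busybox", os.path.join(root, "bin", "sh"))
    # Changes applied to the suspect copy only (all constructed).
    for name in (".L26", ".L26.lunar", ".L26.out"):
        with open(os.path.join(suspect, "tmp", name), "wb") as fh:
            fh.write(b"constructed\n")
    os.remove(os.path.join(suspect, "tmp", "old.log"))
    with open(os.path.join(suspect, "etc", "hosts"), "ab") as fh:
        fh.write(b"# constructed change\n")
    return base, suspect


if __name__ == "__main__":
    good, bad = build_sample_trees()
    for kind, paths in compare_trees(good, bad).items():
        print(kind, paths)
```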




I did not spend much time reversing the files and their functions as the main purpose of this post was to provide information to identify and execute embedded binaries, describing how to set up your own virtual lab using QEMU.

It's still possible to improve the analysis by faking the nvram, by running a GDB server with QEMU or using Volatility with the proper profile and debugging structures, but this post is already way too long. You should also have a look at Avatar, from EURECOM. Avatar's goal is to enable complex dynamic analysis of embedded firmware in order to assist in a wide range of security-related activities, including malware analysis, reverse engineering and vulnerability discovery.

Let's keep drawing public awareness to the security issues of the Internet of Threats, persuading manufacturers, ISPs and final users to collaborate to address these problems.
