The disturbing case of Weiwu Zhao

Weiwu Zhao in 2017

Note: In this blog post, I refer to public court transcripts related to a child pornography case, which include witness testimony as to content and hence, I have decided not to link to them. If you wish to review the transcripts or get further information on the case, please contact me directly.

In late 2017, an elderly Chinese man, Weiwu Zhao, after a brief and bizarre trial, was convicted of several charges related to child pornography and is currently serving time in prison.

Except that he might very well be innocent.

I got involved in this case because I once helped a schoolteacher, Julie Amero, get out of prison, and ever since then, I get various requests for help and generally turn them down. However, this case of Mr. Zhao is one that I can’t seem to let go. It makes no sense, and many others agree with me (even the NAACP tried to help). Offered a deal to get probation, he refused, as he continues to protest his innocence. His family continues to desperately fight to clear his name, and he’s facing extradition to China, where life for someone convicted of child pornography will be hell.

Reviewing the case, there are significant issues: a) disastrous legal representation (of which, in my opinion, much of the fault lies with the Zhao family), and b) many evidentiary discrepancies that cast significant doubt on his guilt.

The Chinese community coming out in support of Zhao

A Great Leap Forward

The saga started in March of 2014. Mr. Zhao had come from China to visit with his daughter, Qing, who was married (later divorced) to a local man, Jason Nicholas Veres, and chose to stay.

Of note is that Mr. Zhao is an elderly ethnic Chinese man, who has spent most of his life in the PRC, and survived the Great Chinese Famine, the Great Leap Forward and the Cultural Revolution (and even has a recent Certification from his local government that he’s a Good Comrade).

This context is important: his viewpoint (and the viewpoint of the many other ethnic Chinese in this story) is that governments are corrupt, the courts are corrupt, the police are corrupt — and let’s face it, from where they’re from, it’s true. However, this very attitude had significant impacts on how the case moved through the court system, how the defense was managed, and Zhao’s ultimate penalty. To Americans used to living in a free society, some of the allegations made by Zhao (“the police planted the evidence”, etc.) are silly; to the family, they’re completely logical.

Whatever the reason, from an evidence standpoint, there’s a mountain of reasonable doubt.

A PC discovered in a pile of trash

According to Mr. Zhao’s daughter, Qing, it all started around the end of 2014: the family was taking a walk in the neighborhood and noticed a computer sitting on a pile of trash. They took it home, cleaned it up, turned it on and started using it.

And that’s when things started to go very wrong, because the computer was – at some point in time – running eMule[1], a peer-to-peer file sharing program. And if we believe Qing’s date, several of the files in question were downloaded at least a week earlier.

About a week later, Qing installed a copy of Windows XP onto the PC. She set no passwords or any other protections on an operating system which is notoriously insecure.

(According to Qing, Mr. Zhao has a basic knowledge of computers – browsing the news and writing emails. She is more knowledgeable and was helping him.)

On January 5th, using a specially modified version of eMule, Pennsylvania State Police Corporal Jim Goodyear was searching for child pornography by hash value (a unique signature for a file). Bizarrely, he found the file on an IP address associated with the Zhao residence (eMule searches for files all over the world, so it’s more than a bit odd that Goodyear “happened” on a computer located in Pennsylvania). A few days later, a court order was served on the ISP (RCN Telecom) for subscriber information on the IP address. By the end of March, RCN provided the address; a few weeks later, Trooper James Ford was assigned the case and got a search warrant, and in late April he seized a Dell Inspiron computer from the Zhao residence.

Finally, in October 2017, the case went to trial and after a relatively brief jury deliberation, Mr. Zhao was found guilty of multiple charges related to child pornography.

He’s been fighting the verdict ever since.

So what’s wrong?

This case is riddled with problems, and I’ll go through some of them.

No defense forensic analysis was ever done. There was never any defense forensic analysis of the actual hard drive.[2] Why? Mr. Zhao, acting as his own attorney, apparently never requested that it be done, seemingly not understanding that the forensic analysis could actually help him. This was a disastrous misstep (among many), and we must now piece together data from what we do have – an Encase examiner’s report, some log files (zip) and various other bits and pieces.

The date stamps don’t make sense. In the world of computer forensics, Windows date stamps are referred to as MAC: Modified (or Written), Accessed and Created. The Access time for a file will change when it is viewed.[3] “Last Written” can be delayed to when the OS finally gets around to writing the file onto the disk.

The table below is a list of a number of the Child Pornography (CP) files allegedly found on the PC.

Note the files highlighted in yellow: it appears that these files have the same creation and access date, indicating that they possibly were not even viewed.

See the last file (starting with the Chinese character 苏)? It’s referenced in the preliminary hearing in an exchange between Assistant District Attorney Anthony Casola and Pennsylvania Trooper James Ford, who worked on the case along with Corporal Goodyear:

The file was even the basis for the search warrant.

But it might very well be that no one on that computer ever actually viewed that file!

When was eMule installed? Oddly, the police noted the date stamps for the downloaded porn files, but not for eMule itself. In other words, it would be quite useful to know when the program responsible for downloading the child pornography itself had been installed — but that data continues to remain hidden by the police.

Trooper Ford confirms this in the direct examination:

Mr. Zhao didn’t have the patterns of a child pornography collector: The psychology of someone who views CP would typically point to having large collections of these files (there were none); or that the person would be viewing files and then deleting them (no evidence of that either). So the fact that only 7 files (later, a total of 14) were found just doesn’t jibe with typical behavior.

It makes no sense, and the Trooper confirms this:

There are further oddities, in that the computer reportedly had other forms of legal pornography. However, there is no information as to when these files were accessed – as we see in this recross examination:

Note that there were also indications of English search terms being used, but Mr. Zhao does not speak or write English (all the documents for the court were translated by his daughter, and he required a full-time interpreter in court).

So we have no information as to when eMule was installed (absolutely vital information), and there are other types of pornographic files but we don’t know when they were downloaded. What if, as the lawyer asked, they were downloaded in November 2013, before Zhao even arrived in the US? That would be good information to know.
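The timeline checks the post says were never run, as an added Python example over constructed file records (not the case’s own data and not S2 Forensics’ work): it flags files whose access stamp never moved after creation, files created before the family took the PC home, and files created before an eMule install time, which is an optional input here because that value was never produced. The possession date, the sample stamps and the file names are all stand-ins.

```python
"""Timeline sanity checks of the kind the post argues should have been run."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class FileRecord:
    name: str
    created: datetime   # NTFS Created
    modified: datetime  # NTFS Modified ("Last Written")
    accessed: datetime  # NTFS Accessed


# Windows XP updates the NTFS last-access stamp when a file is opened, but
# lazily: the stored value is only rewritten when the new access is more than
# an hour later than the value already on disk. Vista changed the default to
# not updating last-access at all (NtfsDisableLastAccessUpdate), so on those
# systems the stamp says nothing about whether a file was ever viewed.
XP_ACCESS_LAG = timedelta(hours=1)


def never_reopened(rec: FileRecord, os_updates_access: bool = True) -> Optional[bool]:
    """True when no access more than XP's lazy-update lag after creation was
    ever recorded, i.e. nothing opened the file after the original download.
    None when the OS does not maintain the access stamp (Vista+ default)."""
    if not os_updates_access:
        return None
    return rec.accessed - rec.created <= XP_ACCESS_LAG


def timeline_report(records, possession_start: datetime,
                    emule_installed: Optional[datetime] = None,
                    os_updates_access: bool = True) -> dict:
    """Flag each file against the two dates that matter to the post's argument:
    when the family took possession of the PC, and when eMule was installed."""
    report = {}
    for rec in records:
        flags = []
        reopened = never_reopened(rec, os_updates_access)
        if reopened is None:
            flags.append("access-stamp-unreliable")
        elif reopened:
            flags.append("never-reopened")
        if rec.created < possession_start:
            flags.append("created-before-possession")
        if emule_installed is None:
            flags.append("emule-install-time-unknown")
        elif rec.created < emule_installed:
            flags.append("created-before-emule-install")
        report[rec.name] = flags
    return report


# Constructed sample records (not the case files): one downloaded a week before
# the stand-in possession date, one re-opened days after download, one never.
POSSESSION_START = datetime(2014, 12, 20)   # stand-in for "around the end of 2014"
SAMPLE = [
    FileRecord("clip_a.avi", datetime(2014, 12, 12, 21, 3),
               datetime(2014, 12, 12, 22, 40), datetime(2014, 12, 12, 21, 3)),
    FileRecord("clip_b.avi", datetime(2014, 12, 28, 9, 15),
               datetime(2014, 12, 28, 10, 2), datetime(2015, 1, 3, 19, 30)),
    FileRecord("clip_c.avi", datetime(2014, 12, 28, 9, 15),
               datetime(2014, 12, 28, 9, 50), datetime(2014, 12, 28, 9, 40)),
]

if __name__ == "__main__":
    for name, flags in timeline_report(SAMPLE, POSSESSION_START).items():
        print(f"{name}: {', '.join(flags) or 'no findings'}")
```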

The router

Compounding the poor security setup on Windows XP is that the family used a Mercury router to connect to the internet, and it was set to the default setting. It’s trivial to get the user name and password for this router.

S2 Forensics also checked the availability of hotspots from this router, and there are plenty of places where someone outside of the house could access this wide-open router.

Access by others

Further concern is that at least four individuals had physical access to Mr. Zhao’s computer – including Weiwu Zhao, Zhao’s wife, Zhao’s daughter Ms. Qing Zhao, and Qing Zhao’s ex-husband, Jason Nicholas Veres.

Asian hate?

Part of the family’s argument is that this is a case motivated by Asian hate. As an example, earlier that year, Qing Zhao’s mother-in-law allegedly posted this on Facebook:

This post is followed by a stream of comments, which includes a note made by “Jan Tommy Zito” (apparently a relation to the county’s senior Judge Leonard Zito).

There are other allegations by the family that generally center around Asian hate in the community and various conflicts of interest; I’ll leave those for someone else to research.

The trial: A dog’s breakfast

Further compounding the situation was the disaster that was Zhao’s defense. An ethnic Chinese man without English skills, he needed interpreters to assist, and routinely fired lawyers (a total of 5).

He verbally stumbled, yelled (as he is hard of hearing) and made a mess of his case, ultimately representing himself in court with terrible consequences.

No defense witnesses were called.

Horribly enough, several of Weiwu’s expert witnesses, including a crucial expert witness, Steve Simpson (a true expert who I interviewed myself for this blog post) were all excluded, simply because Weiwu, in his ignorance of representing himself, didn’t follow correct procedure.

He was warned about this nearly two weeks prior, on October 17, 2017, in conference with the judge and the prosecutor. He apparently didn’t understand it:

Then, reading the actual trial transcripts is like watching a train wreck in excruciating slow motion:

Weiwu, in fact, didn’t get a chance to have one witness testify on his behalf. He did not have any forensic expert to testify on his behalf. And he had no true forensic analysis of the hard drive performed.

The judge allowed CP to be shown to the jury

And in the trial itself, the court allowed something appallingly prejudicial to occur: it allowed the hardcore pornographic videos to be shown of the children being raped, to the shock and horror of the jury:

As the first video played, one woman in the jury box began to cry, wiping her eyes with a tissue. Others on the panel cast their eyes to the ceiling, or shrouded their gazes with their hands.

By the second video, another juror was fighting tears. The five men and seven women bore thousand-mile stares, a state police investigator narrating what they were seeing: young girls being raped before their eyes on child pornography that authorities said was uncovered on a computer seized in Easton.

Child porn possession cases rarely go to trial, given the inflammatory nature of the images involved. But on Tuesday, a Northampton County jury endured 14 separate videos showing girls being sexually assaulted, after 76-year-old Weiwu Zhao of Easton insisted on his day in court.


The fact that Northampton County Judge Jennifer Sletvold allowed these videos to be viewed by the jury is surprising and disturbing — notwithstanding a caveat she gave to the jurors on the matter prior to the viewing.

Zhao’s fate was sealed. He didn’t stand a chance.

Reasonable doubt?

There are many disturbing aspects of this case.

  • eMule is a program used globally. So why, then, did a state trooper in Pennsylvania happen to pick up Mr. Zhao’s PC in his search for child porn? It opens the door to the possibility that Zhao’s PC was actually targeted. This discrepancy is caught by no one in the testimony.
  • According to his daughter, files were downloaded prior to Zhao having access to the PC. And this was a computer picked up in the trash.
  • The computer was wide open to other users, with no password security. Others, including the ex-husband of one of the parties involved, were known to have accessed the computer. It was running Windows XP and an insecure router.
  • A discrepancy as to the files themselves: The police originally noted seven files at the preliminary hearing in February 2016. However, a second report in July 2017 found an additional seven files. The question must be raised as to why all 14 files were not located during initial analysis of Mr. Zhao’s hard drive, as would be normal practice in forensic examinations and discovery.
  • Discrepancies as to the items seized: The original search warrant lists an Acer laptop (serial number NXM6VAA0013220730C6600), a generic flash drive, a Western Digital external hard drive (serial number WMC1T0591522), and a Samsung Galaxy phone among other items. However, as recorded in a later document in June 2016, investigating officer Brian Mengel lists the computer seized and analyzed as a Dell Inspiron (serial number BPXZ5J1) and a Western Digital hard drive (serial number WMAV25256156). These are obviously two distinct computers and hard drives, and the question must be asked whether files from a different computer were used as evidence against Mr. Weiwu Zhao.
  • A major question as to when eMule was installed – the police catalogued and determined the creation times of the pornographic files, but they did not do the same for the file sharing software eMule. One possible conclusion for this omission is that the creation time of the eMule software would show that Mr. Zhao was not responsible for its download, installation or use.
  • The fact that no detailed and exhaustive forensic examination of the hard drive in question was ever done by the defense. It is likely that if such an analysis could be completed that many of the questions posed by this report could be answered and be used as a legal defense for Mr. Zhao.
  • The awful legal representation of Mr. Zhao (which included him going through several lawyers and ultimately representing himself).
  • The fact that none of the defense expert witnesses were allowed at the trial due to Zhao’s disastrous self-representation.
  • The prejudicial action the court took in allowing images of children being raped to be displayed to the jury, explained to the jury by the prosecutor as being part of their “civic duty”.

The best analogy for this case is of a man standing in front of a steamroller, spitting and hollering for the steamroller to stop. The steamroller, oblivious to what’s being said, rolls right over him. And that is exactly what happened to Weiwu Zhao.

The case of Zhao is a deeply disturbing one in many ways. His grave error in not understanding the American judicial system has cost him his future; but even absent that, real questions as to his guilt or innocence linger.

Acknowledgement: I’m indebted to the work of others, and Steve Simpson of S2 Forensics who researched the bulk of what I’ve described here.

  [1] Many of us remember the old peer-to-peer programs, including Napster. One could download a file from another computer (a “peer”) and your computer would then act as a distribution point for other computers. However, this simplicity also comes with a risk: one may unknowingly or inadvertently download a file that has illicit material, and then become a “distributor” of that file, since it’s being shared with others on the network. eMule was such a program, and is still active even today.
  [2] Note that while there are issues dealing with CP files from a forensic standpoint, there are methods for specialists to analyze the files that don’t put them in danger of inadvertently possessing illicit files.
  [3] This problem is complicated by the change between Windows XP and Windows Vista, which apparently changed this behavior, further muddying the waters.

AGC’s latest take on SPACs

As a follow-up on an earlier post of mine about SPACs, I’m sharing some information from a recent deck by AGC, one of the leading SPAC bankers.

AGC breaks down the current SPAC failures into several categories:

  • High quality private companies do not want to sell at a discount, particularly to an unproven SPAC which may require six months to close. This has caused prices for SPAC acquisitions to rise from mid-single digit multiples on revenue in the first half of 2020 to over 14x revenues in 2Q 2021. As AGC says: “All the juice is being squeezed out of these private companies in the drive to get a deal done.”
  • Poor performance: Median return to IPO investors on the 81 completed SPACs in 2020 and 2021 is -1%, woefully underperforming the markets.
  • Many (but not all) of the completed SPACs are pre-revenue concept plays or second tier companies that could not go public in a traditional IPO.
  • Sponsor incentives are still too far out of line with other stakeholders’ for creating long term value.

Some selected slides from their latest presentation:

The full report is here.


The confusion about billionaire taxes

I’ve been following with some interest the arguments that billionaires are somehow massively skirting the tax system.

While I’m certainly in favor of tax equality as much as the next person, it appears that some of the breathless reporting is based on a confusion of facts — and a misunderstanding of some basic economics.

In the US, it’s hard to avoid paying taxes, even if you’re a vastly wealthy person. There are schemes, and I’ve seen a few, but they are dodgy and won’t last.

If a rich person earns income through a paycheck (“earned income”), that rich person will pay, just like everyone else, at the top-end of the tax bracket.

But, like virtually every other developed country in the world, we have a different formula for taxes for unearned income (namely, money one makes from things like stocks, bonds, real estate, etc.), especially gains made on investments that have been held for more than a year.

Capital gains, a form of unearned income, occurs when one realizes a gain on an investment. And, like most developed countries, our tax rate for those holding into an investment for more than a year is low – 20%.

However, the key word is “realizes” – which means selling a stock or a house. This is where the billionaires all have to pay the piper.

Now, there are ways to lower one’s tax burden – but they are complicated and not the subject of this blog.

A gain is only a gain when it’s realized – i.e. sold
Remember back in the 90s, when people had millions in stock in dot com companies? A few years later, that paper wealth evaporated. And if they hadn’t sold the stock, they were screwed. They didn’t realize the gain — it was unrealized.

The error: conflating unrealized gains with income
Those arguing for wealth equity are making some fundamental errors, by confusing unearned income with earned income, and then compounding the error by adding unrealized capital gains.

In other words, look at this chart from the explosive ProPublica piece:

The billionaires are, in fact, paying taxes – look at “Total Income Reported” and “Total Taxes Paid”.

The chart is extraordinarily misleading. Warren Buffett has $24.3 billion in “wealth growth” – but that’s largely in unrealized stock in Berkshire Hathaway. He had, in fact, income of $125 million, and paid taxes of nearly $24 million – a tax rate of about 19%. Elon Musk, the supposed “bad boy”, actually paid 29% tax on his $1.52 billion in income.

The fact that Tesla stock is through the roof is meaningless. Because it’s paper wealth, and guess what – the stock is down and Elon’s paper wealth is actually lower. That’s why taxing paper wealth is meaningless, and no developed country in the world does so.

The Roth IRA issue
Another issue is around Roth IRAs, which are certainly ripe for fixing. But blaming Peter Thiel, for example, for amassing $5 billion in his Roth IRA is meaningless. Fix the IRA. Don’t kill Peter Thiel.

Traditional IRAs have been around for a long time, and allowed one to put money in on a pre-tax basis, and then defer paying taxes until retirement.

In 1997, in the “Taxpayer Relief Act”, the Roth IRA was introduced, which allowed people to put money in on a post-tax basis. In other words, after one had paid taxes on the income.

Two years later, Peter Thiel was starting PayPal and put PayPal stock into the Roth. The value was low, but then PayPal was a new company, a private company. The idea that he “lied” about the value is senseless – those valuations were determined by standard valuation mechanisms. Those mechanisms were inherently imperfect, and that’s why in 2005, the 409a mechanism was introduced. Nevertheless, private company stock is always undervalued, as it is illiquid and private.

In other words, what if Thiel had transferred shares from Or any of the other thousands of huge dot com failures? We wouldn’t care.

Thiel had no idea that PayPal would be worth billions: He transferred PayPal stock into an IRA at the value at the time. Then, PayPal later went public and then got sold to eBay, making Thiel a massive profit – in his Roth IRA. After that, he used Roth IRA money to invest in more, growing it significantly.

It’s a problem with the Roth IRA mechanism, so let’s fix the IRA, not fix Peter Thiel, who was being a rational actor and acting well within the rules and the law at the time. Perhaps now, with the 409a valuation system, we would also have a fairer system, but 409as can themselves be problematic.

We can (and must) fix the Roth, by disallowing the types of contributions made by Thiel and others. We can fix this, as it is flawed. But some of the invective I’ve heard against Thiel is unwarranted. He did nothing wrong in the context of the time.

Equity in taxation
Peter Thiel, Warren Buffett, Elon Musk – these are very rich men. But they’re not fat cats who have sat around smoking from a hookah pipe in a harem. They’re visionaries who have done an enormous amount for the common good. Without Musk, it’s arguable we wouldn’t have the electric car revolution, doing far more to combat global warming than most mandates. Thiel reinvented economics with PayPal, and did many other great things. And Buffett – well, we can thank him primarily for being interesting, but also saving us a ton on car insurance through GEICO.

Let’s get equity in taxation. A national sales tax replacing income tax, for example, would make much more sense, as when those billionaires (good or evil) go out and buy a new Ferrari, they would be forced to pay tax.

Income tax is inherently problematical as a tax collection mechanism: it punishes production, creates ample opportunity for loopholes and special-interests (mortgage interest deduction, for example) while creating enormous privacy issues (and why isn’t anyone screaming about confidential tax returns being stolen from the IRS?).

We can come up with better tax schemes that are not regressive, but create wealth and opportunity for everyone.


Joe Wells: in memoriam

One of the few pictures publicly available of Joe. But if you knew him, he was unmistakable – a funny, interesting, quirky and incredibly intelligent person.

Today I learned that Joe Wells, one of the early pioneers in the antivirus space, has passed away.

Joe played a particularly important role in my life. Back in 2006, I was running a software company, Sunbelt Software, and we had an antispyware product, CounterSpy. While we had good commercial success, it was clear it was time for a pivot.

Enter Joe Wells: At the time, he was chief scientist for Fortinet, and we asked him to come down to our offices in Florida.

The rest, I quote, from a blog post I wrote later (now archived):

On a chilly and blustery evening last January, Joe Wells, Eric Sites (our VP of R&D) and I sat outside overlooking the water at the Island Way Grill, a favorite local hangout. We were trying to recruit Joe from his position as Chief Scientist at Fortinet and the subject was along the lines of a re-invention of the anti-malware model.

In antivirus circles, Joe is a well-known figure. The founder of the Wildlist, he’s spent his life writing antivirus engines, getting antivirus patents and working for Symantec, IBM Thomas Watson Labs and Trend (and in his spare time, doing a complete translation of the Bible into the Sahidic dialect of the Coptic language as well as writing science fiction).

The rest of the blog was the introduction of our new VIPRE antivirus technology, and the essay represented a massive shift in our corporate strategy. (Fun fact: he even came up with the VIPRE acronym – “Virus Intrusion Prevention Engine”). It also presaged a shift in how the world collectively thought about antimalware products, and I’d like to think we played a role in the development of the next-generation antivirus market (companies like CrowdStrike and Cylance).

It was Joe who said “we can do this”. And we did (and then three years later, we stupidly sold the business — that’s for another blog).

Joe was a big deal. I’m thankful to have known him, worked with him and to have counted him as a friend. He was our chief scientist and was the one who took us from being a small antispyware/antispam company to the big leagues (and what a run it was!).

Joe was a character in a world going bland: irreverent, quirky, massively intelligent and extraordinarily interesting.

Thank you Joe. You made a difference and you will be missed. RIP.


Anatomy of a SPAC

SPACs (Special Purpose Acquisition Companies – aka “blank check companies”) are the new new new thing, but they really aren’t. Blank check companies have been around for some time, and in the past, there were more failures than successes.

Infographic: SPAC Boom in the U.S. | Statista

Now, everything has changed and everyone wants to do things with SPACs. There are powerful benefits – a fast path to an IPO without a lot of the hassle and a path to liquidity.

However, a fair number of executives and investors aren’t entirely clear on the process, so I thought I’d jot down some notes as to what a SPAC is and how the process operates — at least at a high-level.

Here’s how a SPAC works (using approximates):

  • A group of well-connected execs (the sponsor) partner with an investment bank to do an IPO.
  • The sponsor doesn’t receive any cash compensation, apart from expenses. However, in exchange for suffering for up to two years without any salary, they get to purchase 20% of the SPAC as “founders shares” for a nominal amount of money. (The economics are ridiculously in favor of the sponsor but it’s Wall Street, so whatever.)
  • The sponsor will also buy warrants to fund the SPAC’s operations (warrants are similar to options[1]). This is done by buying several million warrants at $1.50 each to purchase the stock at $11.50.
  • Proceeds from the IPO are put into a trust. A relatively small amount of money from the IPO will be put aside to fund expenses.
  • The sponsor usually has 18-24 months to find a target company to buy. Once they agree to buy a company, there is a process of getting approval from the shareholders. Shareholders who don’t like the deal can get their shares redeemed from the trust. (yep, one of the few places in Wall Street where there is a “money back guarantee”).
  • If a SPAC doesn’t find a company to buy, they also have to give the money back from the trust.
  • The shares offered in a SPAC IPO are not typical – they are hybrid securities, called “units”, each unit being a share with a warrant component. The stock is almost always priced at $10 (it’s a nice, easy number). And the warrants typically exercise at $11.50.
  • The ratio of warrants per share is referred to as warrant coverage, an investment term which means how many warrants are offered as a percentage of a share offering. Less warrant coverage means less dilution for the target company. Units typically have 1/2 or 1/3 of a warrant for every share. This is why when you look up a SPAC on an exchange, it might look odd, in that there will also be a warrant portion.
  • To make it clear, let’s say you have 10 units, each with 1/2 a warrant. You would have 10 shares and 5 warrants (warrants are never exercisable partially, they are only exercisable in full).
  • The stock becomes free-trading and may go up in value.[2]

After the SPAC finds a target company, the real work starts.

  • The SPAC will offer a price to the target company – usually a competitive price. It’s a seller’s market and SPACs are anxious to get deals done. So they pay well. However, they usually pay largely in stock and hence, if the target company performs poorly, it will not go well for anyone.
  • The SPAC will solicit approval for the deal from its shareholders. This will be done through a proxy statement (the form used when soliciting shareholder votes). If the company is also registering new securities, it would use a Form S-4 (which combines a proxy statement with a registration of the new securities). This is useful to know, as you find out a lot in a proxy statement, such as exec comp, business relationships, outlook, etc., in a relatively simple and clear format.
  • This shareholder approval is like a mini-roadshow. At this point, the target company and the SPAC will do price discovery to see if the deal is marketable. If investors yawn at the deal and it’s not appealing, the deal may get scrapped.
  • In some cases, a SPAC will want to raise additional capital during the merger. This may be used to buy out existing shareholders of the target company, or to provide additional capital to the combined entity.
  • The additional capital may be raised in the form of debt, but is often done in the form of a Private Investment in Public Equity (PIPE). PIPEs are common instruments on Wall Street for public companies raising money in a fast, efficient method. Investment funds are active in this area, so the buyers are there; and the paperwork and process is relatively straightforward.
  • If the shareholders approve and all the paperwork is proper, the merger is done and the SPAC goes away and the target company becomes the new public entity.


Dilution is an important consideration for the target company. Let’s look at some basic math. To keep things simple, I’ve kept fees and warrants out of the picture for now. The fees are important, but the warrants become very important. More later.

Let’s say we have a SPAC IPO (“Trifecta Spac”) with 30 million shares, offered at $10/share. 20% of the post-IPO shares are reserved for the sponsor. The IPO would look like this:

Oversimplified, the resultant cap table would look something like this:

The sponsors find a company, “Unobtanium Electric Cars”. They offer $1 billion to acquire this company, payable partly in cash and partly in stock. Like a typical M&A deal, the $1 billion figure would be on a Total Enterprise Value/Debt Free Cash Free basis (simply, the price of the company without regard to debt and cash).

Now, the cash portion is tricky, because there is still a chance that shareholders might redeem, so they need to hold some aside for potential shareholder redemptions (in addition to the fact that the newly combined entity likely needs to have cash on the balance sheet).

So the sponsor offers $150 million in cash, and $850 million in stock:

The post-merger cap table would then look something like this.

However, there is a desire to raise additional capital at the time of the merger. The two entities raise $200 million through a PIPE, concurrent with the close of the merger. The price of the PIPE offering will be $10/share. In that case, the result looks something like the following:


Warrants are a key part of a SPAC, in that they add extra return for the sponsors and the initial investors.

Warrants are usually exercisable at 15% above the initial IPO price, or $11.50. However, the SPAC will often limit the upside on warrants by forcing a redemption if the stock exceeds $18 (effectively capping the gains).

There are generally two warrants applicable to a SPAC deal:

  • The Sponsor Warrants: The SPAC sponsor initially purchases warrants to fund the SPAC (and to generate more upside for the sponsor). These warrants are typically priced at $1.50 per warrant at an exercise price of $11.50. Most SPACs raise $7-$10 million by this method. Let’s assume Trifecta Megaspac raised $7.5 million at $1.50/warrant. This makes for 5 million shares exercisable at $11.50/share.
  • The Unit Warrants: These are the warrants provided to the initial investors. Since most deals these days are being done at 33% warrant coverage (meaning, for 3 shares, there is 1 warrant), we can assume that Trifecta, with 24 million units, would have 8 million warrants available.

So, if your math is quick, we have 13 million warrants as an overhang. These become dilutive once the stock trades above $11.50/share. However, to understand the fully diluted picture we should use the Treasury Stock Method, which assumes that all in-the-money warrants are exercised and that the exercise proceeds are used to buy back shares at the current market price, so the net dilution is less than 13 million shares.

So at $18 we would have a picture of something like the following:

That’s the big picture and again, my math does not include fees, and fees payable to the SPAC board, and some additional dilutive effects of warrants not covered here (and probably many other things). It’s illustrative.
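To carry the Trifecta numbers through end to end, here is an added worked example (mine, not a table from the original post). It assumes the 30 million post-IPO shares are the 24 million public units from the warrant paragraph plus a 20% sponsor promote of 6 million shares, and, like the post, it ignores fees and the sponsor’s warrant purchase.

```python
# Added example: Trifecta cap table, PIPE, and treasury-stock-method dilution.
# Assumption: 30M post-IPO shares = 24M public units + 6M sponsor promote (20%).
# Fees and the sponsor's $7.5M warrant purchase are ignored, as in the post.

IPO_PRICE = 10.0


def cap_table(public_units=24_000_000, sponsor_pct=0.20):
    """Post-IPO share count: sponsor promote sized as a % of post-IPO shares."""
    sponsor = public_units * sponsor_pct / (1 - sponsor_pct)  # 24M public -> 6M sponsor
    return {"public": float(public_units), "sponsor": sponsor}


def merge(table, deal_value, cash_portion, pipe_amount, price=IPO_PRICE):
    """Shares issued to the target's holders (stock consideration) and to PIPE investors."""
    post = dict(table)
    post["target holders"] = (deal_value - cash_portion) / price
    post["PIPE"] = pipe_amount / price
    return post


def ownership(table):
    """Fraction of the combined company held by each group."""
    total = sum(table.values())
    return {holder: shares / total for holder, shares in table.items()}


def tsm_dilution(warrants, strike, share_price):
    """Treasury stock method: in-the-money warrants are exercised and the exercise
    proceeds buy back shares at the market price; what remains is net dilution."""
    if share_price <= strike:
        return 0.0
    repurchased = warrants * strike / share_price
    return warrants - repurchased


def cash_after_close(trust, cash_consideration, pipe_amount, redeemed_shares, price=IPO_PRICE):
    """Cash left on the combined balance sheet after redemptions, the cash portion
    of the deal and the PIPE have settled (pre-fees)."""
    return trust - redeemed_shares * price - cash_consideration + pipe_amount


if __name__ == "__main__":
    post = merge(cap_table(), 1_000_000_000, 150_000_000, 200_000_000)
    for holder, pct in ownership(post).items():
        print(f"{holder:15s} {post[holder] / 1e6:7.1f}M shares  {pct:6.1%}")
    warrants = 5_000_000 + 8_000_000
    for px in (10.0, 11.5, 18.0):
        extra = tsm_dilution(warrants, 11.50, px)
        print(f"@ ${px:5.2f}: +{extra / 1e6:.2f}M net new shares, "
              f"{(sum(post.values()) + extra) / 1e6:.2f}M fully diluted")
    print("cash at close, no redemptions :", cash_after_close(240e6, 150e6, 200e6, 0) / 1e6, "M")
    print("cash at close, 10% redeemed   :", cash_after_close(240e6, 150e6, 200e6, 2_400_000) / 1e6, "M")
```

Run it and the ownership split comes out at 135 million shares post-close, with the public holding under 18% and the target’s former owners about 63%; at $18 the 13 million warrants add only about 4.7 million net new shares under the treasury stock method, because $149.5 million of exercise proceeds buys back 8.3 million shares at market.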

If you are seriously considering a SPAC, get a good banker to represent you on the sell-side. And if you partner with a SPAC, remember that you’ll need to be every bit as good as a real public company. You’ll need the networks in place to market the new merged entity (which a good SPAC can help with), you’ll need to have your financial house in order and you’ll need to run like a real public company.

The SPAC offers major benefits over going public directly: The paperwork is relatively straightforward and you’ll have a very clear picture of the market appetite for your company before going through a full IPO process (speed to market is no different between an IPO and a SPAC). On the downside, you could do the deal at $10/share and find yourself being a crappy $2 stock in a year. So do your homework and get good help. It means a lot.

If I’ve made any errors, just email me or put something in the comments.


  1. SPAC warrants are similar to options, with some exceptions, most importantly a) their availability may be triggered on certain events such as revenue or the strength of the company’s share price over time, and b) the money for the warrant exercise goes directly to the company’s treasury.
  2. However, any increase is speculative; the intrinsic value of the stock is the offering price (the $10). That’s what the “guarantee” is behind the stock. Anything in excess is speculation. So if you find a SPAC trading at $15 and you’re excited about it, you only have the guarantee of the $10 held in trust.

A preliminary look into who was hacked in the Sunburst attack

At Prevasio, we started to narrow down who was potentially affected by the SolarWinds hack. Sunburst used a DGA (Domain Generation Algorithm) whose generated subdomains encode the victim’s internal domain name, so decoding them gives a glimpse into who may have been infected. Many of the decoded strings below are truncated, since each query carried only part of the name. Note that a decoded domain means the backdoor beaconed from a host in that domain; it does not by itself mean the actor followed up with second-stage activity.

The list (with disclaimers) follows:

Decoded domain | Mapping (could be inaccurate)
hgvc.com | Hilton Grand Vacations
Amerisaf | AMERISAFE, Inc.
kcpl.com | Kansas City Power and Light Company
SFBALLET | San Francisco Ballet
scif.com | State Compensation Insurance Fund
LOGOSTEC | Logostec Ventilação Industrial
bmrn.com | BioMarin Pharmaceutical Inc.
AHCCCS.S | Arizona Health Care Cost Containment System
nnge.org | Next Generation Global Education
cree.com | Cree, Inc. (semiconductor products)
calsb.org | The State Bar of California
cisco.com | Cisco Systems
pcsco.com | Professional Computer Systems
barrie.ca | City of Barrie
ripta.com | Rhode Island Public Transit Authority
uncity.dk | UN City (building in Denmark)
bisco.int | Boambee Industrial Supplies (Bisco)
haifa.edu | University of Haifa
smsnet.pl | SMSNET, Poland
fcmat.org | Fiscal Crisis and Management Assistance Team
wiley.com | Wiley (publishing)
ciena.com | Ciena (networking systems)
belkin.com | Belkin
pqcorp.com | PQ Corporation
ftfcu.corp | First Tech Federal Credit Union
insead.org | INSEAD (non-profit, private university)
usd373.org | Newton Public Schools
agloan.ads | American AgCredit
pageaz.gov | City of Page
jarvis.lab | Erich Jarvis Lab
ch2news.tv | Channel 2 (Israeli TV channel)
bgeltd.com | Bradford / Hammacher Remote Support Software
dotcomm.org | Douglas Omaha Technology Commission
sc.pima.gov | Arizona Superior Court in Pima County
moncton.loc | City of Moncton
acmedctr.ad | Alameda Health System
csci-va.com | Computer Systems Center Incorporated
(redacted)† | law firm (redacted)
keyano.local | Keyano College
uis.kent.edu | Kent State University
alm.brand.dk | Alm. Brand (banking and insurance, Denmark)
ironform.com | Ironform (metal fabrication)
corp.ncr.com | NCR Corporation
ap.serco.com | Serco Asia Pacific
mmhs-fla.org | Cleveland Clinic Martin Health
nswhealth.net | NSW Health
mixonhill.com | Mixon Hill (intelligent transportation systems)
siskiyous.edu | College of the Siskiyous
weioffice.com | Walton Family Foundation
ecobank.group | Ecobank Group (Africa)
corp.sana.com | Sana Biotechnology
med.ds.osd.mi | US Government information system
wz.hasbro.com | Hasbro (toy company)
its.iastate.ed | Iowa State University
cds.capilanou. | Capilano University
e-idsolutions. | IDSolutions (video conferencing)
helixwater.org | Helix Water District
detmir-group.r | Detsky Mir (Russian children’s retailer)
int.lukoil-int | LUKOIL (oil and gas company, Russia)
ad.azarthritis | Arizona Arthritis and Rheumatology Associates
net.vestfor.dk | Vestforbrænding (waste management, Denmark)
central.pima.g | Pima County Government
city.kingston. | Kingston City, Australia
staff.technion | Technion – Israel Institute of Technology
airquality.org | Sacramento Metropolitan Air Quality Management District
phabahamas.org | Public Hospitals Authority (Bahamas)
parametrix.com | Parametrix (engineering)
ad.checkpoint. | Check Point
corp.riotinto. | Rio Tinto (mining company, Australia)
us.rwbaird.com | Robert W. Baird & Co. (financial services)
ville.terrebonn | Ville de Terrebonne
woodruff-sawyer | Woodruff-Sawyer & Co., Inc.
fisherbartoninc | Fisher Barton Group
banccentral.com | BancCentral Financial Services Corp.
taylorfarms.com | Taylor Fresh Foods
neophotonics.co | NeoPhotonics (optoelectronic devices)
gloucesterva.ne | Gloucester County
magnoliaisd.loc | Magnolia Independent School District
zippertubing.co | Zippertubing (manufacturing)
milledgeville.l | Milledgeville (city in Georgia)
digitalreachinc | Digital Reach, Inc.
thoughtspot.int | ThoughtSpot (business intelligence)
lufkintexas.net | Lufkin (city in Texas)
digitalsense.co | Digital Sense (cloud services)
wrbaustralia.ad | W. R. Berkley Insurance Australia
christieclinic. | Christie Clinic Telehealth
signaturebank.l | Signature Bank
dufferincounty. | Dufferin County
mountsinai.hosp | Mount Sinai Hospital
securview.local | Securview Victory (video interface technology)
weber-kunststof | Weber Kunststoftechniek
parentpay.local | ParentPay (cashless payments)
europapier.inte | Europapier International AG
molsoncoors.com | Molson Coors Beverage Company
fujitsugeneral. | Fujitsu General
cityofsacramento | City of Sacramento
ninewellshospita | Ninewells Hospital
fortsmithlibrary | Fort Smith Public Library
dokkenengineerin | Dokken Engineering
vantagedatacente | Vantage Data Centers
friendshipstateb | Friendship State Bank
clinicasierravis | Clinica Sierra Vista
ftsillapachecasi | Apache Casino Hotel
voceracommunicat | Vocera (clinical communications)
mutualofomahaban | Mutual of Omaha Bank

† In this case, the company in question has reached out to me directly and asked that they not be listed. The company had performed a forensic review and believes they are not affected. In the interest of transparency, I can provide more details if contacted directly.


The Sh*tstorm of the SolarWinds hack

Pretty simple hack in concept: alleged Russian actors trojanized an update package for SolarWinds Orion (network management and monitoring software used by enterprises and institutions).

This is an extremely crafty hack. The trojanized Orion update was distributed through SolarWinds’ own update channel and carried a valid SolarWinds digital signature, so to a customer it looked like any other release.

According to FireEye’s excellent writeup:

The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications. The list of known malicious infrastructure is available on FireEye’s GitHub page.

And now, it looks like the US Government may have been seriously compromised.

This is kind of a big deal…

Malwarebytes also has good coverage, as does Prevasio.
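The quoted FireEye description gives a defender one concrete thing to sweep for, in both the DGA post above and this one: Orion hosts resolving subdomains of avsvmcloud.com, and whether the answer came back as a CNAME (which is how a beaconing victim was handed a second-stage C2 domain). Here is an added example of that triage over a resolver log (mine, not Prevasio’s or FireEye’s code). The log format and every record in it are constructed, the encoded labels are random strings rather than real victims, and the CNAME target is a placeholder, not an indicator; the real C2 list is on FireEye’s GitHub page.

```python
# Added example: sweep a DNS resolver log for Sunburst-style beacons.
# Assumed log format: <timestamp> <client> <qname> <qtype> <rcode> <rrtype> <rdata>
# All sample records below are constructed; c2-placeholder.invalid is not a real IOC.
import re
from collections import defaultdict

SUSPECT_ZONE = "avsvmcloud.com"  # from the FireEye writeup quoted above

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+"
    r"(?P<rcode>\S+)\s+(?P<answer>.+)$"
)

SAMPLE_LOG = """\
2020-12-13T03:11:02Z 10.20.0.15 k3t7ua2rwq9mcel0bfx6.appsync-api.eu-west-1.avsvmcloud.com A NOERROR A 203.0.113.10
2020-12-13T03:11:02Z 10.20.0.15 k3t7ua2rwq9mcel0bfx6.appsync-api.eu-west-1.avsvmcloud.com A NOERROR CNAME c2-placeholder.invalid.
2020-12-13T03:11:41Z 10.20.0.15 r6m2q1u9x4jz7d0bs5ek.appsync-api.eu-west-1.avsvmcloud.com A NOERROR CNAME c2-placeholder.invalid.
2020-12-13T09:45:10Z 10.20.0.16 p9v2yw1d6a0rzq3t4nlm.appsync-api.us-east-2.avsvmcloud.com A NOERROR A 198.51.100.7
2020-12-13T09:45:12Z 10.20.0.50 downloads.solarwinds.com A NOERROR A 203.0.113.20
2020-12-13T09:46:00Z 10.20.0.50 truncated
"""


def parse_line(line):
    """One log record as a dict, or None for a malformed line (skip, don't crash the sweep)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def in_zone(qname, zone=SUSPECT_ZONE):
    # Exact match or a proper subdomain; "avsvmcloud.com.evil.test" must not match.
    return qname == zone or qname.endswith("." + zone)


def triage(log_text):
    """Map each client that touched the zone to its encoded labels and any CNAME answers.
    A CNAME answer means the actor selected that host for second-stage C2."""
    hosts = defaultdict(lambda: {"labels": [], "cnames": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_zone(rec["qname"]):
            continue
        entry = hosts[rec["client"]]
        label = rec["qname"].split(".")[0]  # the DGA-encoded victim identifier
        if label not in entry["labels"]:
            entry["labels"].append(label)
        rrtype, _, rdata = rec["answer"].partition(" ")
        if rrtype.upper() == "CNAME" and rdata:
            entry["cnames"].add(rdata.strip().rstrip(".").lower())
    report = {}
    for client, e in hosts.items():
        selected = bool(e["cnames"])
        report[client] = {
            "encoded_labels": e["labels"],
            "cname_targets": sorted(e["cnames"]),
            "c2_selected": selected,
            "severity": "critical" if selected else "high",
        }
    return report


if __name__ == "__main__":
    for client, r in triage(SAMPLE_LOG).items():
        print(client, r["severity"], r["encoded_labels"], r["cname_targets"])
```

Every host in the report needs the trojanized DLL removed and its Orion credentials rotated; the hosts with a CNAME answer are the ones where the actor chose to go further, and those get the full incident-response treatment rather than just cleanup.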


Is Docker secure? We executed all the containers in the Docker Hub to find out. What we found was troubling.

Docker – a way of building applications using containers (micro-apps that are used in Lego-block fashion to build larger programs) – is taking the enterprise world by storm. With customers that count among the top technology-forward companies in the world (Netflix, AT&T, PayPal, Snowflake, Verizon, Target, and many others), it’s become the new standard in deploying highly robust and distributed applications. At the core is Docker Hub, the main universe of Docker containers, with over 4 million container images*.

So with so many enterprises and institutions running Docker, security is a concern, and we have seen the growth of security vendors like StackRox, Aqua and Snyk to answer the call. And I’m sure plenty of these vendors have done analysis of containers, but in the end, these are static analyses, which do not take into account all of the complexities and actions that occur when one actually runs a container.

So I’m happy that today, Prevasio, a company that I’m advising, has launched the results of the first and only analysis of the entire Docker Hub. What Prevasio did is new and important: They actually went through the entire Docker Hub and ran each container to see what happens.

This is not a small task; the company spent tens of thousands of dollars in computing power to perform this task. And the way the Prevasio Analyzer works is different than any other solution on the market: At its core is a sandbox which “detonates” (executes) a container to see what actually occurs during the runtime process. This sandboxing action allows us to get a unique view into what actually occurs when one executes a container. (This is the difference between behavior analysis and static analysis – a static analysis will use a signature to determine maliciousness but can never tell what an application will actually do. For a real look, one needs to analyze behavior.)

Some of the results are troubling:

  • 51 percent of all containers had “critical” vulnerabilities, while 13 percent were classified as “high” and four percent as “moderate” vulnerabilities.
  • Six thousand containers were riddled with cryptominers, hacking tools/pen testing frameworks, and backdoor trojans. While many cryptominers and hacking tools may not be malicious per se, they present a potentially unwanted issue to an enterprise.
  • Over 400 examples (with over 500,000 pulls) of weaponized Windows malware crossing over into the world of Linux. This crossover is directly due to the proliferation of cross-platform code (e.g. GoLang, .NET Core and PowerShell Core).

The full whitepaper is here, and Prevasio’s blog post is here.

But if you want to have some fun, Prevasio has all the data publicly available live on their site; feel free to look at the results for yourself.

*A container image is the template that creates the actual Docker containers.


Jeff Bezos’ three rules

Ian McAllister, a long-time Amazonian, writes about the three rules that Jeff Bezos uses to invest in a new business at Amazon.

I’ve used similar decision matrices myself and it’s interesting to see the simplicity and clarity of the method Bezos uses.

They are: 1) is it a big idea, 2) is it congruent with the business, and 3) is there a plan to succeed.

More here.


How Russian Trolls Took Over Americans’ Instagram Accounts

Interesting overview by the WSJ on this one aspect of Russian trollage. 


The best overview I’ve found of the changes in the tax code

Ligget and Webb has done their homework. Link: LW Tax Law Comparison_122017

And yes, I happen to think this is a good bill and will have very positive effects on our economy. I’d prefer a simpler tax scheme (like the Fair Tax), but this is a vast improvement over our current tax scheme.

I’m disgusted,  however, that the Carried Interest nonsense still continues (thanks to the douchebag hedge fund lobby – if there was ever a group that needed less protection, I’m not sure what it is – and I used to work in that business); and further AMT still refuses to die the death it so deserves.

But overall, it’s good.

(h/t Riggs)


Tampa Bay and hurricane history

Since reliable records were kept, four major hurricanes have directly hit the Tampa Bay area. They are the Tampa Bay Hurricane of 1848, the 1921 Tampa Bay hurricane, the 1946 Florida Hurricane,  and the Storm of the Century of 1993.

All of these storms had one major attribute: They developed in the southwestern Caribbean or off of Central America, rather than the Atlantic or eastern Caribbean. This fact is worth noting.

Commonly, major hurricanes in our part of the world come off the coast of Africa or the eastern Caribbean, and shoot off westward, affecting the US by hitting Florida or the southeastern states on the east, or going below Florida and shooting up to the Florida Panhandle or the various Gulf states (Louisiana, Alabama, Mississippi and Texas).

These storms rarely go up the Gulf, and then make an immediate jaunt eastward to Tampa. When in the Gulf, they just go straight up. Exceptions, such as Hurricane Charley (which came out of the central Caribbean), have not affected Tampa (but almost did, and it was a near thing indeed!).

The reason is that Tampa faces west, and the trade winds prevalent in our area move east-to-west.   In other words, the prevailing winds keep the storms pushed away from us.

Now, storms such as Elena, Irma and Frances have affected Tampa, but were not at the scale of a direct hit (although certainly not little storms – they all had an impact).

For me, the concern with Irma is that it would go further to the west, hitting us at an angle to hit Tampa Bay directly, causing a potentially massive storm surge. However, it was fairly clear by the 8th of September that it would be a major wind event – but not a big storm surge creator. Still, I took precautions.

The Storm of the Century in 1993 (often referred to as the “No Name Storm”). See this animation for a powerful view of the storm’s path.

The track of the 1921 Tampa Bay hurricane, originating off the coastline of Honduras.

The Tampa Bay Hurricane of 1848 was an absolute monster storm; consensus is that the storm developed in the central Gulf region.

The 1946 Florida Hurricane developed off the coast of Guatemala.

What’s of great concern with a direct hit to Tampa Bay is that the region has a shallow continental shelf, with very warm water. That is a bad combination, creating a potential of a devastating storm surge. A big storm coming directly at us will be quite dangerous.

Remember, storm surges are where you see boats on top of trees 20 miles inland. Katrina. That kind of thing. Storm surge is the big problem in hurricanes.

So, I pay very close attention to tropical disturbances in the southwestern Caribbean, because these could hit Tampa directly. A direct hit creates the massive storm surge that is actually the major danger in hurricanes.

Now, that’s not to say that I am not wary of any major storms developing that could affect our area…

Disclaimer: I’ve lived in Florida, cumulatively, well over 20 years. I’m not an expert nor a meteorologist. But I have had to worry about the safety of my family in the face of big storms and I’m a bit of a nerd who has spent a lot of time studying the issue. This is only my viewpoint and observation. Feel free to disagree. Everyone fights about hurricanes, and the news doesn’t help by scaring the heck out of everybody, so the arguments tend to be between people who are scared witless – not the best combination. 


The wall is already pretty much done



I’ve written about immigration policy before, and this is not that kind of post.

Instead, I am addressing a conventional fiction that “there is no wall” on the border of Mexico and the US. I’ve found that this is a surprisingly widespread belief.

We don’t even have to go to Mexico to get them to pay for it. Legislation is already in place for the wall, and for funding. With some modifications, we could have that wall.

You see, we have finished building about 60% of a wall. It’s actually a fence, but if you’ve seen it, it’s pretty big. And I think you’ll find the consensus is that this is much more realistic.

The border
The total length of the border is just under 2,000 miles. Roughly half of that distance is the Rio Grande (which gave rise to the derogatory term for Mexican immigrants, wetback, as many illegals used to swim the river to get to the US).

Securing the border
In 1994, a National Border Patrol Strategic Plan started the process of improving security on the border to stem the flow of illegal immigration. The post-9/11 war on terror gave this attempt a big boost, with the Bush administration pushing hard to build a fence and ultimately passing a series of laws.

In other words, we have had legislation in place for many years to build the wall. And it’s largely funded.

Quite a bit of the wall has been built
So far, the US has built roughly 600 miles of fence. Taking out the river, we’re more than halfway there.

(The remaining land is handled by the Border Patrol and various infrared and technical contraptions.)

The Rio Grande
Now, here’s where it gets complicated: We have this big river, the Rio Grande.

Putting a fence in a river causes all kinds of environmental problems, which even if you’re a conservative are cause for some concern (I live in Florida, and have seen the damage that the Tamiami Trail did to the Everglades, and while a porous fence isn’t nearly as bad as a dam, there are some real issues at stake here).

No worries! In 2005, the REAL ID Act was passed, which, in part, gave the Secretary of Homeland Security (later Michael Chertoff) the ability to waive environmental regulations in this context. He really wanted a wall, so he did just that.

Yet, we still don’t have a fence completed.

A major problem is the fact that there are three Native American reservations that sit on the border in Arizona. This leaves a gap in the “wall” which is occupied by sovereign Indian nations.

Most notable is the Tohono O’odham reservation, which is huge (about the size of Connecticut) and includes a vast stretch of the Sonoran Desert. Citing its sovereignty, it once successfully barred the Border Patrol from entering the reservation. They’ve since changed their tune, since this opening in the border has driven drug smugglers into the area (as well as illegals, who are dying in the thousands trying to cross the Sonoran Desert).

This is a major issue: we have to figure out a way to build a wall through a sovereign Indian nation. It’s not insignificant. Imagine a wall going through your own neighborhood — the Native Americans are not crazy about this idea. And we can’t move the border south, nor north. It has to be a wall right through these Indian nations.

In other words, it’s a bit more complicated.



Breaking: Goldman Sachs’ view of the election


Goldman Sachs shares with its wealthy clients various views of the market. Here, they’ve taken on the election in terms of markets.

It’s an interesting read, here.



It really comes down to beer (endpoint security redux)

Update: SentinelOne responds in the comments. Additionally, they claim (and I have no reason to doubt this claim) that the report I referenced was an older version that had incorrect information on the part of Tevanos.

As a follow-on to my recent post about endpoint security (see “A bomb just dropped in endpoint security…“), I thought I’d share some additional thoughts, conclusions and opinions.

It really comes down to beer. But more on that later.

First off, Joe Menn at Reuters wrote a story this morning. It’s a good story, fair and balanced.  Worth reading. There will likely be more stories as well.

Beating up vendors isn’t really my thing
In the recent blog post, there were a lot of slings and arrows thrown at a few endpoint security players. My blog got trolled quite a bit. I cleaned it up.

Cylance certainly came under heavy attack by some commenters, and I removed those comments.

I’m not interested in beating the crap out of some company; I’m really just interested in writing about stuff that I find is interesting.

On Cylance
There was a possible confusion that got propagated that Cylance was using VirusTotal directly in their product. I now have information that this may be incorrect.

Cylance was using VirusTotal, as they said in the Reuters article. It’s possible they were using the service to download samples to train their engine, not directly from inside their product. It’s also possible that they used VirusTotal to help detect malware.

I don’t know for sure, and that’s why I expect to be talking to them in the next several days.

Note that Cylance is not a bad group of people. There are many very good people working there, and they run a good business. I’ve challenged them to get more public tests, and I hope they do so. So far, there have been two tests that I know of: a condoned test by AV-TEST, and another test, where AV-Comparatives and MRG Effitas had to basically break the rules to try and get a copy of Cylance (one can’t just download Cylance and test it, as Cylance keeps its trials very closely monitored).

So testing more, and being more public, would be a good thing.

At any rate, peace, people.

Other endpoint players
I don’t know about other endpoint players. I know SentinelOne, for example, has been open about using VirusTotal.

Specifically, this report (PDF) on SentinelOne’s capabilities in healthcare highlights this point:

SentinelOne ensures that it is always up to date, checking file hashes against reputable sources such as Virus Total. Using this method, SentinelOne’s platform does not suffer the traditional time lapse in needing to push out new definitions…

[Edit – As mentioned earlier in this blog, SentinelOne tells me this quote is from a PDF of an older document that incorrectly noted VirusTotal as a source and has since been corrected.]

Regarding Palo Alto Networks and CrowdStrike, I really don’t know the involvement of these players. But as the Reuters article mentions, they have been users of VirusTotal (and have not been participating with the community). That’s not to say they’re bad people or have bad products (CrowdStrike and Palo Alto both make excellent products). It’s just something that has been addressed.

Endpoint security
My knowledge of the endpoint security market comes from the fact that I’ve been there in the trenches.

I’ve presented at conferences like VirusBulletin and submitted papers, etc., but that’s the fun stuff. Actually being in the day-to-day sweating bullets to try to keep your customers protected is a very difficult task.

You see, we created a full-stack antivirus product at my last company (Sunbelt Software’s VIPRE) and I personally ran the antivirus lab for some time.

When we released the product, it was probably mediocre, and we avoided tests. It got better when we started opening up to tests, and in fact, it got quite good (and then I sold the company and, well, I don’t recommend the product anymore).

We were on VirusTotal, and it was painful to see us miss detections. But at least we saw ourselves for what we were, and made our product better as a result.

Is there a “next-generation?”
The truth is there are only so many ways to skin a cat. The former Eastern Bloc countries were famous for producing some of the world’s most brilliant mathematicians and now we have companies like Kaspersky and BitDefender with just those same type of people. Yet even they have a tough time of it (no matter what they say publicly). It’s not an easy business, trust me.

I don’t entirely buy a lot of the “next-gen” security arguments. I think that there is room for innovation, but I’ve seen companies like Malwarebytes (of which I’m a board member and incredibly biased toward) and (recently) Symantec do some very impressive work in detections, without resorting to anything of the next-generation type. It really comes down to a lot of hard work, block-and-tackling type of stuff.

So, it’s no surprise that people do whatever it takes to get the best result possible. If this means using VirusTotal to do a hash lookup (which IMHO is fairly silly, since polymorphism makes hash lookups far less useful than people might think: a single changed byte in a sample produces an entirely new hash), or good old fashioned PR to paint lipstick on a pig, well, so be it.
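To show why a hash lookup buys so little against polymorphic samples, here is an added example of my own, not code from this post or from any vendor named in it. It puts an exact SHA-256 blocklist check beside a simplified similarity hash: a trivially mutated copy of a known-bad file evades the exact lookup, while content-defined chunking still links the two. The “malware” is seeded random bytes, the “repacking” is a handful of flipped bytes plus a padding stub, and the chunk hash is a teaching simplification of what tools like ssdeep or TLSH do, not either tool.

```python
# Added example: exact-hash lookup versus a simplified similarity hash.
# make_sample() and mutate() are constructed stand-ins for a sample and a
# polymorphic variant; chunk_hashes() is a teaching simplification, not ssdeep/TLSH.
import hashlib
import random

WINDOW = 16   # bytes hashed at each position to decide chunk boundaries
MASK = 0x3F   # boundary when the low 6 bits are zero: ~64-byte chunks on average


def file_hash(data):
    return hashlib.sha256(data).hexdigest()


def exact_lookup(blocklist, data):
    """The VirusTotal-style check: is this file's SHA-256 already known bad?"""
    return file_hash(data) in blocklist


def chunk_hashes(data):
    """Content-defined chunking: boundaries depend on local content, so an edit
    only disturbs the chunks around it. Returns the set of chunk digests."""
    chunks, start = set(), 0
    for i in range(WINDOW, len(data) + 1):
        window = data[i - WINDOW:i]
        h = int.from_bytes(hashlib.blake2b(window, digest_size=4).digest(), "big")
        if (h & MASK) == 0:
            chunks.add(hashlib.sha256(data[start:i]).hexdigest())
            start = i
    if start < len(data):
        chunks.add(hashlib.sha256(data[start:]).hexdigest())
    return chunks


def similarity(a, b):
    """Jaccard overlap of the two chunk sets: 1.0 identical, 0.0 nothing shared."""
    ca, cb = chunk_hashes(a), chunk_hashes(b)
    return len(ca & cb) / len(ca | cb)


def make_sample(seed=1, size=16384):
    """Constructed stand-in for a malware sample: seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


def mutate(data, seed=2, flips=4):
    """Crude stand-in for polymorphism: flip a few bytes and append a stub."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for _ in range(flips):
        buf[rng.randrange(len(buf))] ^= 0xFF
    return bytes(buf) + b"\x90" * 32


if __name__ == "__main__":
    original = make_sample()
    variant = mutate(original)
    known_bad = {file_hash(original)}
    print("exact lookup, original:", exact_lookup(known_bad, original))
    print("exact lookup, variant :", exact_lookup(known_bad, variant))
    print("chunk similarity      :", round(similarity(original, variant), 3))
```

The variant fails the exact lookup outright, while its chunk similarity to the original stays high because only the chunks around the flipped bytes and the appended stub change. That is the whole argument for similarity hashing and behavioral detection over hash matching: the defender keys on what survives a repack, not on a digest the attacker can change for free.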

The key is openness. If you have something special, open it up to the world for them to look at, to test, to validate. Be a part of the community and give back to it. It will make your product much better.

Which comes to the beer
Information sharing in security happens around conferences and beer. (When I brought in a new lab manager for my research team years ago, I urged him to spend as much time as possible going to conferences and drinking beer with other experts. He didn’t object).

Perhaps that is a bit tongue-in-cheek, and it’s not that we’re a bunch of alcoholics (well, mostly not), it’s simply that a lot of information sharing happens at conferences, when experts talk to each other freely. The swords of competition are put down briefly, people open up, and you hear a lot of interesting things.

And what I hear around the tables is what is reflected in some of my blog posts. There is good data, but it can’t be substantiated and it won’t ever be confirmed. So, I’m sorry I can’t be specific, despite many of you emailing me for much more detail than I am prepared to give. Trust is everything in security.

But beer? Yes, we can all share that freely. So, here’s to beer (in my case, the ever excellent Buckler Non-Alcoholic).

You can see who VirusTotal credits here.