He registered a company with a name very similar to an existing, legitimate computer hardware manufacturer, then targeted companies that already had a relationship with, and already regularly paid invoices to, the company with the similar name.
It mentions the victims were "multinational internet companies". The indictment goes farther, saying:
"Victim-1 was a multinational technology company, specializing in Internet-related services and products, with headquarters in the United States"
and
"Victim-2 was a multinational corporation providing online social media and networking services, with headquarters in the United States"
Edit: It mentions that both victims already regularly paid multi-million dollar invoices to the computer hardware company being impersonated. So, if you're trying to guess who the victims are, they are large enough that they run on their own purchased hardware, in fairly large quantities.
These clickbaity articles have become way more common on the web. There's rarely anyone writing quality content for the sake of the content anymore. It's all just glorified hyperlink farming and ad impressions.
I tried to be clever and use California's library system, which has WSJ for free, because I thought "hey, it's 2017, library databases like ProQuest wouldn't still suck, right?"
Well, it was horrible, like I'd just been jettisoned back onto Blackboard in the mid-2000s, so after that I just bought the WSJ subscription.
Why, it's as though those organizations that didn't resort to link farming and choking their page with ads went out of business because everybody wanted their journalists to work for free!
End users have been conditioned for two decades that everything online is free. The advertising industry wasn't pushed by end users to become more and more aggressive until ad blockers became viable and a must.
The best quality content I find is almost always someone's personal, non-commercial writeup. Oftentimes this is something as simple as the comment section of an article, or their own blog.
They put no ads on it and do it because they care about the subject and care about their reputation, so they make sure it's not spammy.
I have always hoped for a micropayment system I could use to reward this behavior.
(And this is why I subscribe to media that does support long-form journalism and kit out journalists with the tools--and the paychecks--necessary to make it happen. Subscribe as in pay-money-to-on-a-monthly-basis. It's the only way it survives.)
Writing "quality content" takes time. With adblockers the norm, good writers have been put out of business. It's like what Uber and co did to cab drivers.
Maybe a mod should change the link to the justice.gov post I linked to in the parent? I don't see any articles out there that add anything substantial.
Lots of Europeans would not know that Lithuania is part of the EU (and in Schengen too), and lots of Europeans would not be able to point to it on a map.
Estonia, Latvia and Lithuania are amongst the least known countries in the EU.
Hiding in Lithuania is silly because yes, it is part of the EU and no, it is not so large that you could disappear into the background.
What I'm surprised about is that the two companies paid their invoices without matching purchase orders, and that for amounts that large there was no extended verification process in place requiring at least two signatures and a destination account number check.
The majority of fraud like this goes the other way: small amounts, just enough to be interesting and small enough to not go over the discretionary spending limits, sent to tens of thousands of companies.
I have a friend whose father is very, very wealthy. He purchases a lot of art and often actually finalizes the sales by emailing someone who works for him something to the effect of "please transfer X dollars to Y party for Z piece of artwork." A few years ago someone got access to his gmail account in what appeared to be a mass phishing attack and saw several of these emails in his sent email folder. The intruder was able to have a few million dollars successfully transferred to himself. It was several months before it was noticed and the guy was never caught.
My friend's father now uses two factor auth and has whoever receives those emails confirm via phone call the next day.
Last week I received a similar e-mail from my co-founder, asking me if I could transfer some money to an account. I found it a little strange, but not enough to question that it actually had to be done. Since I was headed to the office anyway, I waited until I got in, and asked him what the money was for.
"What money? What email?"
Turns out the e-mail was sent from a fake gmail account with the name of my co-founder. Hadn't spotted that the email address was wrong, as it was hidden in my email client.
I reported the email to Google and sent the scammer a sarcastic reply: "how many millions do you need?"
The scammers' response? "You're fired"
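The trick in the post above is display-name spoofing: the client shows the familiar name and hides the unfamiliar address. Below is an added example (not code from the thread) that pulls the From and Reply-To headers out of a raw message with Python's standard `email` module and flags a display name that belongs to a known colleague but arrives from a different mailbox. The message, the contact directory and the helper names are constructed for illustration.

```python
"""Added example: detect display-name impersonation in an incoming message.
The message, the colleague directory and all names are constructed."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed directory of people the recipient actually works with.
KNOWN_CONTACTS = {
    "Jonas Petersen": "jonas@example-startup.dk",
}

# Constructed message in the style described in the post: the co-founder's
# name on a throwaway webmail address, asking for a transfer.
SAMPLE_MESSAGE = """From: Jonas Petersen <jonas.petersen.cofounder@gmail.com>
Reply-To: jonas.petersen.cofounder@gmail.com
To: me@example-startup.dk
Subject: urgent transfer

Can you transfer 12,000 EUR to the account below today? I'm in a meeting.
"""

MONEY_WORDS = ("transfer", "invoice", "payment", "wire", "bank")


def check_sender(raw: str) -> list:
    """Return a list of warning strings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    warnings = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr != expected.lower():
        # The display name is one we trust, the mailbox is not the one on file.
        warnings.append(
            f"display name '{name}' belongs to {expected} but mail is from {addr}")

    # A Reply-To that points away from the From address redirects the
    # conversation to the attacker even when From looks legitimate.
    reply_addrs = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", []))]
    if reply_addrs and addr not in reply_addrs:
        warnings.append(f"Reply-To {reply_addrs} differs from From {addr}")

    # Any mismatch plus money in the subject is the pattern to escalate.
    subject = msg.get("Subject", "").lower()
    if warnings and any(w in subject for w in MONEY_WORDS):
        warnings.append("subject mentions money; confirm out of band before acting")
    return warnings


if __name__ == "__main__":
    for w in check_sender(SAMPLE_MESSAGE):
        print("WARNING:", w)
```

A name that is not in the directory at all is not caught by this check; that is the limit of a client-side heuristic, and the out-of-band confirmation the post describes (walking over and asking) is still the control that actually stops the payment.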
What a cheeky fraudster! That said, I'm sure he has pulled it off before.
Fraudsters frequently use "smurfs", who are often less than sophisticated, to get around this.
Pretend you're a not-too-savvy-about-international-finance person in the US who, because you have a pulse and are at least minimally socially established, has a checking account. The Internets tell you that you can make good money working from home as an accounts payable clerk. On showing up to work on the first day, your new boss tells you that the job is occasionally getting an email with instructions regarding an incoming wire transfer into your bank account, with instructions to keep 10% for yourself (your salary, obviously) and forward 90% to the supplier he tells you. Totally aboveboard, right?
Money laundering is a fascinating, fascinating topic.
> Don't 'know your customer' laws ensure that no bank account is owned by an anon?
Unless your scammer is really, really stupid, these accounts are in the names of third-party patsies who are promised some cut or percentage of the amount, or have been conned into thinking they're helping someone out (usually the money would then be transferred from that US account to somewhere foreign via Western Union or the like).
Or in the name of some other person who has no idea the account exists. In the UK you basically need a utility bill and a photocopy of a passport to open an account which is not that hard to fake.
I'm in Denmark. We didn't get that far in the conversation though, but I'm sure the scammer had protective measures - like the ones mentioned by other replies - to prevent being caught easily after a transfer.
This actually happened to a law firm that I know of. One of their clients had their account hacked and in the client's mailbox they found emails from the law firm including some outstanding bills payable to the firm. The attacker then spoofed an email from the law firm to the client along the lines of "our bank details have changed to xxx please transfer your outstanding bill by [date]". The client didn't realise anything was wrong until the law firm chased him for the bill by which time the account the attacker had used was closed and the money moved offshore.
People would legitimately be surprised to learn how low tech ordering/invoicing/remittances remain in 2017 even for half billion dollar contracts.
There's very little automation, even EDI is the exception rather than the rule (particularly for one off orders), most are either still paper, fax, or insecure email.
Email remains pretty broken. You'll be lucky to get end to end encryption, and once it arrives it is hard to make assurances that the sender really sent it (or even the sender's domain).
People have tried to fix email but nothing as ambitious as TLS/HTTPS has been. And getting people to use a more secure platform built on top of HTTPS is likely a non-starter...
So what can be done? I legitimately don't know. Even snail mail can be "hacked" via sending a plausible sounding invoice to the right address at the right time.
> People would legitimately be surprised to learn how low tech ordering/invoicing/remittances remain in 2017 even for half billion dollar contracts.
Totally agree with this. I occasionally deal with relatively large contracts and it is amazing the amount of labor behind processing purchase orders, invoices, etc. Many companies locate their accounts payable/receivable departments in low-cost countries.
> People would legitimately be surprised to learn how low tech ordering/invoicing/remittances remain in 2017 even for half billion dollar contracts.
People in finance / accounting hate tech. Broad statement, I know... but if it's not Excel or whatever old and busted reporting system they have been using for the last 20 years, you know they are going to hate it and raise a huge stink if anyone tries to even upgrade them. This has been true for every company I have ever worked with.
You say, "You are on a version that's 12 years old, and riddled with bugs and security flaws. The software maker put out an end of life notice back in 2008 for this version and has a big warning sign saying that continuing to use it is very dangerous and opens you up to hackers. Also, even though we have backups, we have no idea how to re-install it should something fail... we don't even have documentation on what service packs it requires to run and we're terrified someone will accidentally run Windows Update on the machine it's on for fear of breaking something..."
Their response, "The new version changes the color of the button I use, so I don't want it." Every time.
Anyone work for an agency and have to track your time in the Project Management system and the Accounting systems? This is why. Old-ass, no-API systems that simply won't play nice with anything modern -- and the accountants who love them.
Users refuse to upgrade because they know that the new version will change the navigation, change button colors, move menu items to ribbons and so on. Not to mention it will contain new bugs and "features". See, users and devs have different perspectives. For the user, the software is a tool to perform a profit-generating business task (create an invoice etc). For devs, the software is a way of self-expression and an opportunity to change things because they can. Devs despise the user and his little business problems as much as business despises tech with its constant desire to storm into the room and start breaking things that were working perfectly fine before.
Seems like there's an opportunity ripe for exploiting then! Figure out how much it's worth to these companies to provide just enough support to keep the software running – as-is – forever. Certainly that should be easier than also changing the UX or whatever.
But how hard is this? I imagine it'd be a lot harder than one might naively expect. As evidence, consider how few (if any?) companies already do this. Maintaining software requires significant work; doing so for more than one version is even harder; doing so for a decade-old version that only one customer uses is probably just not profitable.
But, as a dev myself, I emphatically don't "despise the user and his little business problems". I may though, honestly, tell 'business' people or users that I can't guarantee that I can fix bugs because, e.g., I can't purchase a license for the (version of the) software needed to work with the project source code.
It's perfectly fine for people to run software unchanged forever! As it is also perfectly fine for those same people to have to rebuild their business or a portion thereof around some new software when the existing software system fails catastrophically and can't be recovered.
Good luck with that... the problem, as I see it, is every company is different.
So you take 10 agencies, and you get 10 different core software platforms, and even when the platforms overlap, they are using various point-release versions that each of the top-mother-hen-accountants just loves and won't let you touch. She doesn't care if it's hard to support, insecure, or fundamentally unrecoverable if there's a catastrophic disaster -- she just wants what she wants. No amount of offering features, or giving time to train her staff, will suffice. You'd need a dedicated staff of software devs, a QA team, and IT support staff for each client.
I don't mean to be so cynical here... but it's like every agency / startup with 50-500 people that I've ever been at. You're stuck on the old crappy system until they change the accountants... you've got a very limited window when the top accountant / CFO changes that you can actually push to enact technology changes. If the new accountant is over 40... just forget about it, you're going to be stuck on tech that reeks of 90s UX that simply won't integrate or sync or even allow you to do batch imports / exports of the data (we tried with one of these old systems and hit an issue where they recorded time in like 7 places in the DB and if you didn't update them in the right order the system freaked out... suffice to say we didn't have the staff to build and test and support any integrations).
I still have one client who insists all of my expense reports be printed out. I can't just scan and email, I have to send paper copies of everything... I work remote, so... I'm literally mailing them in, waiting like 2 months, then -- assuming I filled everything out correctly and tagged it with the correct project code -- I get paid. This is a company with over 300 employees... and again, with them, I have to track my time in the Project Management Tools and the Accounting Tools... and the Accounting Tools to track time only work on Windows (but not Windows 10), so I have to fire up a specific VM to get Windows 7 (with the right service pack) to enter my time. Also the Accounting Project Codes are different from the Project Management project codes. It's such crap.
I expensed them for a copy of Windows 7, made a backup of that image and expensed them for offsite storage (in case Windows Update accidentally runs), expensed them for overnight tracked postage, and I charge them like an hour for the week just to add my time -- and they have 300 employees! It's so freakin' expensive and moronic to let the accountants run anything...
Software like that needs to consist of two parts, the frontend client and backend server. Even if the software is a hosted web app, the frontend needs to exist as a separate part. This way, the server backend can be upgraded over time to include better security, better efficiency, etc while leaving the client be so that the UI can remain frozen in whatever version the company initially trained their employees on.
If your old version was riddled with security flaws, and your priority was to mess with the UI colors, I have no confidence that your new version is less riddled with security flaws.
"People have tried to fix email but nothing as ambitious as TLS/HTTPS has been. And getting people to use a more secure platform built on top of HTTPS is likely a non-starter..."
Makes me wonder if it's time to metaphorically pack it in, and respecify the SMTP infrastructure on top of HTTP(S), precisely because that seems like the only way we're going to get cert security with email systems. As long as it's an optional add-on to SMTP it seems it just isn't going to be added on. (Of course SMTP wouldn't go anywhere right away; I'm talking about a real process with transition times and such, not a mystical one where this would one day replace SMTP in a big bang.)
I mean, there's a loooot of i's to dot and t's to cross betwixt this little comment and an actual standard, but conceptually it doesn't seem too difficult. SMTP is conversational standard but it seems like we've probably got enough negotiation tech in HTTP to pull it off in a request/response manner nowadays.
> Makes me wonder if it's time to metaphorically pack it in, and respecify the SMTP infrastructure on top of HTTP(S), precisely because that seems like the only way we're going to get cert security with email systems.
Transport security is not the actual issue. SMTP over TLS has been around for a while and is fairly well functional. The problem is attaching an identity to the sender's email. That's what S/MIME and GPG/PGP do, but the actual real-world problem here is that you need to somehow certify that the sender is the right person. So you can either have a centralized set of authorities (S/MIME) or a Web of Trust (GPG/PGP). Neither option actually scales. Some countries started issuing certificates in their ID cards, but given that other countries don't even have ID cards, this is obviously not going to fix this either.
HTTPS has the same problems in principle, but it only needs to certify a comparatively small number of entities (web servers) as opposed to actual users.
From what I hear from security folks, transport security is still an issue. You can negotiate up to TLS easily in SMTP, as long as you don't care about certificate validity. But without caring about certificate validity, MITM is still quite possible.
Sure, there are still providers that don't offer TLS, but my point is that fixing TLS doesn't even begin to tackle this actual problem. It's an orthogonal problem. This issue is about authorization/authentication, not about transport security/MITM attacks. PGP and S/MIME, even when used for signing only, will protect against this attack while even fully deployed TLS will not.
I wish you best of luck, but I'm afraid this is a pipe dream. You can't tie a real person/institution to an identity in a privacy preserving manner which is what's required here. This is fundamentally a social problem and I'm afraid no technical solution exists. Technical tools may help, though.
Depends on what you mean by transport security. I agree TLS solves important aspects, but I can still pretend like I am xylakant@example.com without issues, since most domains (especially corporate ones!) don't enforce strict enough SPF/DKIM/DMARC policies. If anyone can pretend to be any user, I'd say transport security is lacking.
In Thunderbird I have a DKIM validation plugin that shows the status below the subject line. I've seen e.g. large global oil companies that don't have any DKIM on their emails in 2016. That means anyone could send emails as ceo@oilcorp.com (or better yet (cfo|ITsupport|HR)@oilcorp.com) to employees of oilcorp and it would look genuine.
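The two posts above turn on how strict a domain's published SPF and DMARC policies are. Below is an added example (not code from the thread) that grades those records the way a receiver would read them: the `all` qualifier decides what SPF says about unlisted hosts, and the DMARC `p=` tag (and `pct=`) decides whether a failing message is actually rejected. The records are constructed strings; in practice they are the TXT records for `example.com` and `_dmarc.example.com`, and the domain names below are placeholders.

```python
"""Added example: grade constructed SPF and DMARC TXT records.
No DNS lookups are made; records and domain names are placeholders."""

# Constructed (spf_record, dmarc_record) pairs. An empty string means no record.
SAMPLE_RECORDS = {
    "oilcorp.example": ("v=spf1 include:_spf.example.net ~all", ""),
    "bank.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"),
    "lax.example": ("v=spf1 +all", "v=DMARC1; p=quarantine; pct=10"),
}


def grade_spf(record: str) -> str:
    """Return 'none', 'weak', 'soft' or 'strict' for an SPF TXT record.

    The qualifier on the 'all' mechanism is what matters:
    -all fails unlisted hosts, ~all softfails them, ?all/+all let them through.
    """
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"-": "strict", "~": "soft", "?": "weak", "+": "weak"}[qualifier]
    return "weak"  # no 'all' term at all: unlisted senders are unconstrained


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; pct=100' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> str:
    """Return 'none' (no record), 'monitor' (p=none), 'partial' (pct<100),
    or the enforced policy ('quarantine' / 'reject')."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "monitor"          # receivers only report, never act
    if int(tags.get("pct", "100")) < 100:
        return "partial"          # policy applies to a sample of mail only
    return policy


def spoofable(spf: str, dmarc: str) -> bool:
    """True if a forged From: using this domain would not be rejected on policy.

    Either DMARC is absent/monitor-only, so nothing is enforced, or SPF is so
    permissive (+all / no 'all') that the forger passes SPF and thus DMARC.
    """
    return grade_dmarc(dmarc) in ("none", "monitor") or grade_spf(spf) in ("none", "weak")


if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(f"{domain:18} spf={grade_spf(spf):6} dmarc={grade_dmarc(dmarc):10}"
              f" spoofable={spoofable(spf, dmarc)}")
```

Note that `bank.example` only comes out as not spoofable because the check assumes DKIM keys are kept private and that receivers honour the policy; a domain with `p=reject` but a compromised signing key is still forgeable, which is outside what the published records can tell you.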
You might be interested in Dan Bernstein's IM2000 proposal, which centers around the idea that instead of sending email to a local server which forwards it to some number of other servers before it lands in an inbox, the local server hangs on to the body of the email and just sends a notification that it's available to be read.
This helps reduce the spam problem, because a mail sender needs to be contactable in order to read the content. Serving up the mail with https is a no-brainer.
You still have reputation problems and certificate authority issues, but the value of a botnet to send spam is greatly reduced.
That's pretty interesting. Once the recipient contacts the sender to view the contents, presumably their client could also download the contents to have it locally available, no? Would the retrieval of the email have to be user-initiated?
I'm all for technical solutions to this problem, but after reading the original article, I can't help but pointing out that this scam was social engineering, not technical engineering.
A technical solution to transport security doesn't solve very many problems on its own, either human or social; it's just a prerequisite to truly solving most of them.
If email is broken for sending invoices, then the correct response is to stop sending invoices over email. Banks figured this out already: Stop sending things directly in email, and instead send notifications. Have the user log into the banking system to see the notification.
So, host invoices on your own domain, and only send links to clients. Clients can confirm they are talking to the correct server when downloading the invoice. Same as they should be used to doing for any email with links regarding money.
> Banks figured this out already: Stop sending things directly in email, and instead send notifications.
Yeah, and it sucks and everyone hates it.
That's all very well when you're sending someone a bank statement and you don't care if they bother to read it - but when you want to send someone an invoice, and you're keen that they read it and respond in a timely manner, you need a higher standard of customer service.
Most of the world seems happy to click through to read a Facebook notification, so I don't know why someone who gets paid to do it would not click through to see an invoice.
The main problem with clicking through is normally clunky authentication systems that make it not just a click through, but a painful dance before you finally get to the target resource.
Clicking through doesn't solve any problems. It's real easy to spam people with links to www.mybank.com.evil.com. Only training the user to navigate directly can even hope to avoid such attacks.
There's no problem with showing a preview of non-secure content. As long as the recipient knows to visit the official secure server for official copies of important information.
Automating the payment would be a really bad idea, but the workflow of receiving the contract/invoice, running it through internal systems, negotiation and legal could use some software help.
All my contract negotiation & signing over a few bucks has been done using cloud based encrypted services for years. Yes email is not encrypted, but I'm not sure what the problem is, or how this even relates to the article.
This was a phishing scam over new deals. New deals can't generally be automated, shouldn't generally be automated, and the issue here involved human factors that are likely to always exist. The presumption that more computers and more encryption could fix what happened in this story seems misguided to me.
I wonder how long a less greedy approach would have worked. I would guess a larger number of smaller invoices might have gone unnoticed for some time. This egregious approach lasted for 2 years.
Requiring people to be involved in spending of large sums is often a feature and not a bug. It's not infallible but neither are computerized financial systems (e.g. SWIFT)
Email uses TLS. If both ends support it, it uses it. Most popular email providers support it. Also, DMARC signs emails, guaranteeing the domain, and if you want email to be reliable, you must support DMARC.
Many providers won't throw out emails with invalid DKIM signatures. Many senders (!) specify too lax SPF rules. (Because feedback loops are not accessible/open/standardized enough.)
And furthermore TLS only protects the email between hops.
But yes, email is not the problem. The problem is of course human error and legacy systems that are not user friendly. If they were properly composable then there would be no need for occasional out-of-band channels for sending/receiving invoices - like email.
The funny thing is that these incidents are probably what it takes for those particular companies to beef up their security culture. Everyone else will likely keep their heads down: "How asinine of them! This dumb thing could never happen to us." The truth is that without the right security processes and culture in place, it could really happen to anyone dealing with substantial value and overworked mid-level managers, a form of the principal–agent problem[1].
Security incidents have a stark resemblance to emergency room visits. People are so hard to sell on prevention, and they end up paying big for an ER visit.
To me, the surprising thing is that they managed to get the bank transfers sent to the "correct" fraudulent accounts.
If you send an existing customer another invoice, but with a changed bank account number, chances are that the money goes to the same bank account as they used previously. Even if you explicitly add a note about the changed account number, chances are still very high that they use the old one.
I freelance and just moved; trying to get accounting departments to send checks to the correct address is worse than pulling teeth, even after making large notes about the address change and emailing them repeatedly. I should figure out how this guy managed to do it ;)
New Zealand also recently got ATMs which can process checks.
I can assure you that checks are basically dead in New Zealand. I'm 30 and I've never owned a checkbook. The only checks I ever see are birthday money from my grandparents.
Most shops haven't accepted checks for years.
Almost everything these days is done with direct bank transfers.
Cheques are gone in the UK. You don't get a cheque book with accounts by default anymore; I guess those ATMs are leftovers from when cheques were cool.
They were due to be phased out entirely by 2018, but it seems like that's been extended a bit.
Agree. In my company it is practically impossible to change vendor account details without going through a lot of process and paper work. Suggests controls in these tech companies are surprisingly poor.
The important bit of this for HN is that he got these companies to pay by using their sales order, invoice, payment process, and that process is common to most companies.
If you have a small or an open source project you're going to struggle to get companies to pay unless you can fit their process.
This means that it's probably worth while offering a "professional" licence. This grants no extra functionality, but allows the company to put in a sales order, and allows you to deliver something and allows you to issue an invoice.
>crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers.
In other words, simple social engineering. These finance people are scared of their CEOs and VPs so they jump at their requests, often skipping the verification stage because "Bossman will get pissed if I ask him for his secondary auth. My manager told me I'd be fired if I pissed off bossman again."
If anything, the companies that get hit by such simple scams deserve to be. They clearly don't have the corporate culture and accountability to stop a simple fake money request. Let's stop blaming the technology here and start blaming the real problem: executive entitlement and the incredibly classist structures at most companies where the bottom people can't even question the top people.
This is why these scams work so well. The people in finance are petrified at questioning an executive. That shouldn't be the case, especially if they claim to be compliant with various financial and technical regulations and certification processes. A lot of good HIPAA is when everyone is too scared to tell a surgeon he can't send patient information that way, or SOX if accountants are scared of their bosses.
Ironic we nearly went under a few times during the early days because our customers (tier 1 telecoms and financial firms) would drag their heels for months and months over invoices many magnitudes less than this.
Makes me wonder what's up with the process at these firms - wish we knew enough to say whether they're the exception or the rule.
Except that you create a toxic environment inside your accounts team, who have to constantly deal with incoming calls demanding money.
And if you're the kind of organization that makes a process out of paying each vendor as late as possible (I mean beyond the agreed terms) - which some do - then you're likely a shitty org in many other ways too.
There is quite a bit that could be mined from this story, but just as a start:
1) The most zealous and persistent phishing awareness campaigns/training I've encountered has been at large corporations. I can imagine a series of articles, if not an entire career, that is based on exploring the psychology of employees in varying organization sizes being influenced by their perceptions of the stake they feel they hold in the performance of the organization (i.e., their "ownership") and how much their actions, positive and negative, might bear notable influence.
Not confident I made my point clear, but the idea being I'm going to think differently about jumping up and down on a cruise ship vs. a row boat...
2) Putting aside the questionable application of it in this specific case, "cybercriminal" is an outmoded term that I believe actually undermines the mundane and routine nature of these crimes. Regardless of magnitude, it imbues the perpetrator and their activities with some 90s-era aura of mystery and preternatural skill—an exceptional event executed by exceptional individuals under exceptional circumstances.
This aligns well with my 2017 Nicholl Fellowship screenplay entry called "Do Unto Others" where in Act III the protagonists use their insider knowledge of International Banking and Wire Transfers to clean out the hidden stash of illicit monies hidden by disgraced Enron executives[1].
To me, plausibility is important in fictional works that reach for meaning or defined structure, at least where possible. I mean, I love Hackers but of course groan at scenes inside "The Gibson" and whatnot. This guy actually made it work - I'm impressed.
I saw speculation on Twitter that it was Google or Apple and Facebook. But to me, it seems like it could be any of dozens of companies based on "Internet-related services and products" and "multinational ... online social media/networking".
The space, though, is more narrow than that. Victim 2, for example, is specifically a social media company. Can't be that many social media companies, headquartered in the US, running their own metal, with more than one multi-million dollar invoice for it in a 2 year period.
How many could that be? I can only think of 3 or 4 contenders.
It's more commonly known as the "Nigerian Prince Scam". The scam itself is decades old, Email and Internet scam artists have ushered it into the 21st Century :)
Nigeria is associated with the scam and it was also known as 'Nigerian 419'. That's because the the first wave of these scams came from Nigeria. The '419' part of the name comes from the section of Nigeria's Criminal Code which outlaws the practice. These scams now come from anywhere in the world.
"I have $20M in US currency that needs to be moved out of the country as quickly as possible. If you have a US-based bank account that can do wire transfers I'll give you 4% in exchange for this transaction. The money came from my relative, a rich noble who unfortunately does not have any heirs in the US but decided to spend his later years in Florida and keep all of his money in a local bank so he could look after it personally."
"I am currently working overseas in Nigeria and would greatly appreciate any help. This has been a big point of pain in our family."
I would think a simple 2nd factor check, by phone to the actual vendor would have prevented this. For such large amounts the time involved would be worth it
I've worked for companies in the past where no money would ever be paid out to anyone but government (tax bills etc.) without the party sending them the invoice having a valid purchase order number that referred to a pre-agreed supplier record that specified the company name and address and the bank account to send it to.
It was annoying at times, but it also meant their accounts department could match every single expense to a specific contract or pre-agreed authorisation, complete with who (on their end) had made the request and who had signed off the request.
Even if you don't do that for everything, even just doing that for everything above a certain amount would make such fraud a lot harder.
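The control described in the three lines above is mechanical enough to write down, and doing so shows why a look-alike company name and a "new" bank account both fail it. The example below is added here and is not code from the thread or from any company mentioned in it; the supplier, purchase order, invoice data and the dual-signature threshold are all constructed, and the record layout is an assumption about how such a vendor master might look.

```python
"""Added example: validate an incoming invoice against a purchase order and
the supplier record it was raised against. All data and names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Supplier:
    supplier_id: str
    name: str
    iban: str           # account on file, changed only through a separate vetted process
    approved_by: str


@dataclass
class PurchaseOrder:
    po_number: str
    supplier_id: str
    total: float
    paid: float = 0.0
    requested_by: str = ""
    signed_off_by: str = ""


@dataclass
class Invoice:
    invoice_no: str
    supplier_name: str
    po_number: Optional[str]
    amount: float
    iban: str


# Constructed threshold above which the PO must carry a second, independent signature.
DUAL_SIGNATURE_THRESHOLD = 100_000.0


def validate_invoice(inv: Invoice, suppliers: Dict[str, Supplier],
                     pos: Dict[str, PurchaseOrder]) -> List[str]:
    """Return the reasons to hold the invoice; an empty list means it can be paid."""
    if not inv.po_number or inv.po_number not in pos:
        return ["no matching purchase order"]      # nothing else can be checked
    po = pos[inv.po_number]
    supplier = suppliers[po.supplier_id]
    problems = []

    # Compare against the supplier the PO was raised with, never against the
    # name printed on the invoice: a near-identical name is the scam's whole trick.
    if inv.supplier_name != supplier.name:
        problems.append(f"invoice names '{inv.supplier_name}', PO is with '{supplier.name}'")

    # The account comes from the supplier record, not from the invoice.
    if inv.iban.replace(" ", "") != supplier.iban.replace(" ", ""):
        problems.append("bank account differs from supplier record on file")

    open_balance = po.total - po.paid
    if inv.amount > open_balance + 0.005:
        problems.append(f"amount {inv.amount:.2f} exceeds open PO balance {open_balance:.2f}")

    # Large spend needs two different people on the PO, not one person twice.
    if inv.amount >= DUAL_SIGNATURE_THRESHOLD and (
            not po.signed_off_by or po.signed_off_by == po.requested_by):
        problems.append("amount requires a second, independent sign-off on the PO")
    return problems


# Constructed vendor master and open purchase orders.
SUPPLIERS = {
    "S-1001": Supplier("S-1001", "Acme Hardware Manufacturing",
                       "GB00 EXMP 0000 0000 0000 01", "procurement-lead"),
}
PURCHASE_ORDERS = {
    "PO-77": PurchaseOrder("PO-77", "S-1001", 5_000_000.0, 0.0, "infra-lead", "cfo"),
    "PO-78": PurchaseOrder("PO-78", "S-1001", 200_000.0, 0.0, "infra-lead", "infra-lead"),
}

LEGIT = Invoice("INV-1", "Acme Hardware Manufacturing", "PO-77",
                2_500_000.0, "GB00 EXMP 0000 0000 0000 01")
# Look-alike company name and a different account, quoting a real PO number.
LOOKALIKE = Invoice("INV-2", "Acme Hardware Manufacturing Ltd", "PO-77",
                    2_500_000.0, "LT00 EXMP 9999 9999 9999 99")
NO_PO = Invoice("INV-3", "Acme Hardware Manufacturing", None,
                40_000.0, "GB00 EXMP 0000 0000 0000 01")
SELF_APPROVED = Invoice("INV-4", "Acme Hardware Manufacturing", "PO-78",
                        150_000.0, "GB00 EXMP 0000 0000 0000 01")

if __name__ == "__main__":
    for inv in (LEGIT, LOOKALIKE, NO_PO, SELF_APPROVED):
        print(inv.invoice_no, validate_invoice(inv, SUPPLIERS, PURCHASE_ORDERS) or "OK")
```

The point of the structure is that the only writable path to a bank account is the supplier record, so an email saying "our bank details have changed" has nowhere to land except a separate change process with its own verification.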
Try to call international company with thousands of workers and get somebody who knows anything on phone. Also, most workers simply don't care for a tiny chance of scam, it's not their money after all.
Seems like a reasonable requirement as part of any large deal like this. Even if each party pays someone 200k a year solely to sit in an office and make calls verifying large invoices you're still talking about a small amount compared to the size of these contracts.
A phone check can solve a lot when you've got a single point of contact at a company and they know all its subdivisions and are on first name terms with the accounts receivables department(s). That's not likely to be the case for a large multinational with multiple divisions selling multiple products to different divisions of the client, especially assuming the scammers have socially engineered their way to having enough information on existing contracts and invoices to be able to plausibly adapt them for their own purposes.
Similar scams have targeted (medium-large, funded) startups as well.
Typically the attacker starts by phishing an employee, then uses information discovered through that to trick someone else in the company to initiate a wire.
He probably became verbose. You always think you would stop after the first 10m, but most folks want to see how far they can take it. I figure after the first 20m, he was like, I could do this forever! I would have stopped after the first 10m. They would have never missed the money and it could have turned into an accounting error.