1895 points _l4jh | 45 comments
1. bogomipz ◴[] No.16729876[source]
>"And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our code and practices annually and publish a public report confirming we're doing what we said we would."

It's worth pointing out that KPMG was Wells Fargo's independent auditor while the bank recently committed fraud on a massive scale by creating more than a million fake deposit accounts and 560,000 credit card applications for customers without their knowledge or approval.[1]

Calling KPMG a "well-respected auditing firm" when they failed to detect over a million fake bank accounts is a joke. See:

https://www.reuters.com/article/wells-fargo-kpmg/lawmakers-q...

[1] https://www.warren.senate.gov/files/documents/2016-10-27_Ltr...

replies(10): >>16729897 #>>16730009 #>>16730105 #>>16730119 #>>16730193 #>>16730271 #>>16730746 #>>16730782 #>>16731153 #>>16731246 #
2. thenewwazoo ◴[] No.16729897[source]
Speaking as a former KPMG employee who did infosec, the financial audit and controls people are far removed from anyone with technical skill in this domain. It may be cold comfort, but these kinds of special purpose attestations may as well be done by a different company (insert BearingPoint joke here).
replies(1): >>16729991 #
3. bogomipz ◴[] No.16729991[source]
Right, that's why it's amusing to think we're supposed to believe that KPMG are going to audit a code base and logging infrastructure.
replies(1): >>16730234 #
4. avip ◴[] No.16730009[source]
I've worked with a KPMG subsidiary for a security audit. This is an E&Y kind of company, where you pay x4 to work with the least competent people because you need a familiar name stamped on some report.
replies(1): >>16730511 #
5. jumelles ◴[] No.16730105[source]
Genuinely asking, what are some companies that would be a good choice for this sort of thing?
replies(2): >>16730326 #>>16730442 #
6. thaumasiotes ◴[] No.16730119[source]
> the bank recently committed fraud on a massive scale by creating more than a million fake deposit accounts and 560,000 credit card applications for customers without their knowledge or approval.

Suppose you were a Wells Fargo depositor and a Wells Fargo teller opened a fake account in your name without consulting you. What harm did you suffer?

How massive is this fraud if you measure it in a more useful way than "number of accounts"?

replies(2): >>16730202 #>>16730294 #
7. ismail ◴[] No.16730193[source]
This has not been the only incident of them having turned a “blind eye” or doing things that were questionable.

1. They looked the other way when 100+ million of public money was laundered out of South Africa.

2. The scheme literally stole money destined to uplift poor rural communities.

3. To top it off, a portion of the money was used to write off an extravagant wedding as a business expense.

4. When a junior auditor raised his concerns about the audit he was shut down.

http://amabhungane.co.za/article/2017-06-29-guptaleaks-the-d...

http://amabhungane.co.za/article/2017-06-30-guptaleaks-the-d...

http://amabhungane.co.za/article/2017-11-26-guptaleaks-kpmg-...

6. They put out false reports that were partly used as motivation to get rid of ministers fighting corruption.

https://www.timeslive.co.za/politics/2017-09-15-kpmg-cans-sa...

KPMG was not the only multinational firm that was complicit in fleecing the South African taxpayer of billions. See

Mckinsey:

http://amabhungane.co.za/article/2017-09-14-how-mckinsey-and...

SAP: http://amabhungane.co.za/article/2017-07-24-guptaleaks-anoth...

T-systems:

http://amabhungane.co.za/article/2017-11-14-exclusive-gupta-...

replies(1): >>16730721 #
8. function_seven ◴[] No.16730202[source]
The harm to consumers is phony credit history and random fees on many of those fake accounts.

The harm to WF shareholders was inflated metrics inflating the value of the company.

The whole point of KPMG was to validate these types of metrics for shareholders.

9. ismail ◴[] No.16730234{3}[source]
Agreed. Anecdotal but...

We have had to supply information to KPMG “IT Auditors” at a client due to some software we wrote.

In most cases the auditors are young grads who have never worked in an actual IT/software dev team. So they have a very naive view and never ask the right questions. If one wanted to hide something it would be super easy.

replies(1): >>16730446 #
10. buyx ◴[] No.16730271[source]
KPMG was also implicated in the massive South African "state capture" scandal involving the (now fugitive) Gupta family and former president Jacob Zuma.

Among other things, KPMG issued a (later withdrawn) report that was used to undermine the well-respected finance minister, so that a more malleable person could be installed, while also auditing the Guptas during their worst excesses.

Lest we choose to dismiss this as crimes in an insignificant country, KPMG SA has been part of the worldwide group since the '70s, and South Africa's supposedly high auditing standards were a source of national pride.

The story seems to have gone dead after some senior leaders fell on their swords, but six months ago, there was serious talk about the firm being shut down in South Africa.

replies(1): >>16730397 #
11. bogomipz ◴[] No.16730294[source]
>"Suppose you were a Wells Fargo depositor and a Wells Fargo teller opened a fake account in your name without consulting you. What harm did you suffer?"

Are you joking? The fake accounts were set up in order to bilk customers out of money in the form of overdrafts fees and penalties.

"Some customers noticed the deception when they were charged unexpected fees, received credit or debit cards in the mail that they did not request, or started hearing from debt collectors about accounts they did not recognize. But most of the sham accounts went unnoticed, as employees would routinely close them shortly after opening them. Wells has agreed to refund about $2.6 million in fees that may have been inappropriately charged."[1]

It's also probably impossible to quantify the time customers lost having to deal with this. But I think it's safe to say it was significant.

>"How massive is this fraud if you measure it in a more useful way than "number of accounts"?"

OK, let's use dollar amounts as a metric: $2.6 million dollars in fees, levied against your own customers? And considering Wells Fargo found an additional 1.4 million previously undisclosed fake accounts as recently as August[2] and that the regulatory probe has now widened beyond their retail banking unit and now includes their private wealth division[3], I would say pretty fucking massive.

It's really interesting that you seek to trivialize the scope and severity of a story you seem to know so very little about.

[1] https://www.nytimes.com/2016/09/09/business/dealbook/wells-f...

[2] http://money.cnn.com/2017/08/31/investing/wells-fargo-fake-a...

[3] https://www.barrons.com/articles/federal-probe-expands-to-we...

replies(1): >>16730325 #
12. thaumasiotes ◴[] No.16730325{3}[source]
I do know about this story. The purpose of the fake accounts was to meet sales quotas. Fees earned for the bank were accidental and usually nonexistent, for the obvious reason that if you charge your unwitting customer money, they are much more likely to realize they have an account with you.
replies(1): >>16730373 #
13. chrissnell ◴[] No.16730326[source]
Many privacy activists believe that the best proof of a no-logging assertion is for a court to order a provider to turn over logs and for the company to be unable to do so.
replies(3): >>16730486 #>>16730540 #>>16730791 #
14. bogomipz ◴[] No.16730373{4}[source]
>"Fees earned for the bank were accidental and usually nonexistent,"

"Approximately 85,000 of the accounts opened incurred fees, totaling $2 million. Customers' credit scores were also likely hurt by the fake accounts.[43] The bank was able to prevent customers from pursuing legal action as the opening of an account mandated customers enter into private arbitration with the bank."

"The bank paid $110 million to consumers who had accounts opened in their names without permission in March 2017. The money repaid fraudulent fees and paid damages to those affected."[1]

That's 85,000 of what you call "non-existent" fees totaling 2 million dollars. And whether or not those were secondary effects of the fraud is completely immaterial.

It's a rather bizarre position to want to defend a bank that not only defrauded its customers but has also admitted to doing so. But you are entitled to that. What you aren't entitled to however is your own alternative facts.

[1] https://en.wikipedia.org/wiki/Wells_Fargo_account_fraud_scan...

replies(1): >>16730410 #
15. sizzle ◴[] No.16730397[source]
Sounds interesting, got any sources for further reading?
replies(2): >>16730841 #>>16731341 #
16. thaumasiotes ◴[] No.16730410{5}[source]
I'm pretty confident that when 85,000 out of "more than a million" accounts earn fees, it's fair to say that fees are "usually nonexistent". You're talking about accounts that Wells Fargo didn't want and fees that it assessed by mistake. By a normal analysis, that wouldn't be a scandal of any kind, and it would call for no more than returning the accidental fees, without a 55x punitive damages award.

> "The bank was able to prevent customers from pursuing legal action as the opening of an account mandated customers enter into private arbitration with the bank."

That's really not going to work if the customer didn't intend to open the account. The fact that (by your numbers) average damages among those who were damaged at all were up to $23.50 may have had more to do with lack of legal action by customers.

replies(1): >>16730748 #
17. tialaramex ◴[] No.16730442[source]
As genuine as your question is, there are no good answers. The way we ended up with a Big Four is that the Fifth member of the Big Five (Arthur Andersen) audited Enron, essentially telling everybody that it wasn't an enormous fraud, but it was. All the senior people at AA avoided jail but the audit firm was so obviously untrustworthy it folded. But that doesn't mean the other Four are fine, it just means the "Too Big To Fail" problem is far worse for audit firms than for banking. If we took down one of the Big Four it would probably tank the whole world economy, and they know that, which is Not Good.
replies(1): >>16731215 #
18. sameyolo ◴[] No.16730446{4}[source]
Audits provide reasonable assurance, not total. When auditors test access controls for a homegrown application for example, it is unreasonable to ask that a full code review is done to check 100% that checking the box next to Admin confers that, and that checking Read Only restricts it always. In my experiences performing these tests (as a young grad who had never worked on a software dev team), we would ask what the permissions were designed to provide and limit, and observe in the system that they did that. If a developer had programmed a backdoor that when you press A+B+3 and whisper into a microphone grants unlogged admin access, our test would miss that. But that's why we also test change controls and who has access to push to live, etc.

Edit - and to speak more to the topic at hand, there were plenty of people at the firm I worked with who absolutely had the technical expertise to perform such an in depth audit. They are simply engaged when higher levels of assurance are required. What level of scrutiny should your auditors provide your bathroom time monitoring system?

replies(2): >>16730491 #>>16730737 #
19. biot ◴[] No.16730486{3}[source]
And to prove that they are unable to do so, would they need to get audited?
20. ◴[] No.16730491{5}[source]
21. minxomat ◴[] No.16730511[source]
KPMG has earned a few nickname acronyms because of this in Germany: "Keiner Prüft Mehr Genau" or "Kinder Prüfen Meine Gesellschaft" ("no one audits carefully anymore" and "children audit my company" respectively).

We have a few former KPMG employees. They have many stories to tell, about everything from glass ceilings to harassment.

replies(1): >>16731235 #
22. ethics_gradient ◴[] No.16730540{3}[source]
Signal did a version of that with the help of aclu.
23. fjsolwmv ◴[] No.16730721[source]
Auditors are never "independent". They work for someone. If that someone is government or a client, great. If the auditor works for management, maybe OK for finding employee malfeasance, but no good for management malfeasance.

And of course, like tests, no audit can prove correctness; it can only find flaws.

24. fjsolwmv ◴[] No.16730737{5}[source]
The audit checks your documented procedures, not your actual practices.
25. lossolo ◴[] No.16730746[source]
> to audit our code and practices annually and publish a public report confirming we're doing what we said we would

Some exec to developer: Hey John, KPMG wrote to us that they will be here on Friday to make an audit, let's just remove those 10 lines that <do whatever that you don't want to be shown in audit> until the audit finishes.

I don't want to imply anything about Cloudflare here, just a comment about how useful that kind of private audit is generally.

replies(1): >>16731038 #
26. function_seven ◴[] No.16730748{6}[source]
The arbitration clause is an overarching thing. The customer agrees to it when they legitimately open an account. It covers the entire banking relationship between that customer and the bank. Which is why Wells was able to use it to prevent litigation from their existing customer over the fraudulent accounts.
27. ksk ◴[] No.16730782[source]
>It's worth pointing out that KPMG was Wells Fargo's independent auditor while the bank recently committed fraud on a massive scale by creating more than a million fake deposit accounts and 560,000 credit card applications for customers without their knowledge or approval.[1]

Why is it worth pointing out? Please detail the work you've done in establishing that KPMG had access to the data and willfully ignored it.

replies(1): >>16730859 #
28. geofft ◴[] No.16730791{3}[source]
Isn't the court system mostly powered by the threat of serious jail time if you're found to be lying, and penalties for your lawyers, too?

If you say "We don't have those logs," and you swear to it and a lawyer puts their name on the filing, it's not like Judge Alsup will start pentesting your company to find the one employee who accidentally has Dropbox pointed at an sftp mount of some production server.

29. mmsimanga ◴[] No.16730841{3}[source]
Two links should give you a summary of the issues. I worked at one of the biggest retailers in South Africa until a month ago. We dropped KPMG as our auditors because of all the unethical issues relating to them. https://mg.co.za/article/2017-09-15-gordhan-weighs-in-on-kpm... And https://www.dailymaverick.co.za/article/2017-09-11-op-ed-the...
30. hueving ◴[] No.16730859[source]
An auditing company is pointless if they can't find fraud on such a massive scale or recognize that something is being hidden from them.
replies(1): >>16732507 #
31. gsich ◴[] No.16731038[source]
That's just it, it's not verifiable. Proving something by letting one audit doesn't change that. It's similar to when companies get certified by ISO 9001 or 27001; it doesn't prove much.

Publishing the full source code could help a little bit, but not much; one doesn't know what code is actually running.

32. lillesvin ◴[] No.16731153[source]
Not that I really want to defend KPMG here, and this is obviously entirely anecdotal, but my team had our application code assessed by them (by request of the customer, so they could get some pointers on what kind of development they needed to focus on). I spent 2 days talking to them, answering questions, showing them data flows, database layouts, system diagrams, etc. They also required access to our source control (making the "let's remove this before the audit" idea pretty useless), issue tracker, etc.

The 2 people that I was in contact with were both competent and experienced. Definitely not "young grads who have never worked in an actual IT/software dev team" as someone claimed elsewhere.

33. JumpCrisscross ◴[] No.16731215{3}[source]
> If we took down one of the Big Four it would probably tank the whole world economy

No it wouldn’t.

replies(1): >>16731369 #
34. rattray ◴[] No.16731235{3}[source]
I don't do business in Germany, but I'm curious; which firms would you say are most-respected there?
replies(1): >>16731262 #
35. reledi ◴[] No.16731246[source]
Definitely worth pointing out, but I don't take issue with their wording. KPMG has a worldwide presence and is an incredibly popular auditing firm. It's certainly possible for KPMG to be a "well-respected auditing firm" in the public's perception and for them to fail to detect all unethical practices during an audit.

While hiring them doesn't prove that Cloudflare's code and practices are sound, it does reduce the risk that they aren't.

36. minxomat ◴[] No.16731262{4}[source]
All in all, KPMG is still well respected (so are E&Y and smaller firms).

We regularly receive government grants, and the best audit experiences I've had were with the small, EU-funded auditors. They have a high level of integrity and technical/financial knowledge. But that is a very specific niche.

37. buyx ◴[] No.16731341{3}[source]
FT had a lot of coverage, if you're looking for a non-South African source (linking behind the paywall is probably not going to work, but you can Google for it).

https://www.bloomberg.com/news/articles/2017-09-22/kpmg-unde...

https://www.telegraph.co.uk/business/2017/09/15/kpmg-south-a...

https://www.reuters.com/article/us-kpmg-safrica/kpmgs-south-...

http://www.bbc.com/news/business-41283462

It's also been extensively covered in the South African media.

38. buyx ◴[] No.16731369{4}[source]
The "too big to fail" argument is what saved KPMG in South Africa:

https://www.reuters.com/article/us-kpmg-safrica-exclusive/ex...

39. ksk ◴[] No.16732507{3}[source]
That's like saying Linux is a useless project because of giant security holes that stay hidden for decades. I prefer to live in the real world, which is a lot more nuanced, and my question still stands.
replies(1): >>16741929 #
40. hueving ◴[] No.16741929{4}[source]
That's a bad analogy because the Linux project isn't dedicated to auditing the Linux project.

It's like calling a home security system pointless if it doesn't detect any forced entries.

replies(1): >>16742115 #
41. ksk ◴[] No.16742115{5}[source]
I think it's a perfect analogy.

>because the Linux project isn't dedicated to auditing the Linux project.

Huh? Code review? Testing? The entire point of open source, especially w.r.t. security, is to have millions of eyes on the source. Heck, with the entire world being able to audit and review the source code, people still find bugs that were introduced decades ago.

>It's like calling a home security system pointless if it doesn't detect any forced entries.

I'm afraid that didn't make much sense to me.

Anyway, why are we focusing on irrelevant minutiae or language anyway? I simply asked a commenter to show the work they've done for basing their opinion.

replies(1): >>16765844 #
42. hueving ◴[] No.16765844{6}[source]
>Heck with the entire world being able to audit and review the source code

That's irrelevant when we are talking about a company being paid specifically to audit something. The entire world is able to send me food as well, but I don't get mad when it doesn't except for when I pay someone to do it.

>I simply asked a commenter to show the work they've done

And it was a dumb question. An auditing company that failed to detect massive fraud either willfully ignored it to sell out or was too incompetent to recognize it.

replies(1): >>16768986 #
43. ksk ◴[] No.16768986{7}[source]
>That's irrelevant when we are talking about a company being paid specifically to audit something. The entire world is able to send me food as well, but I don't get mad when it doesn't except for when I pay someone to do it.

Linux is developed almost exclusively by people who get paid for their work. Billions of dollars of real money have been poured in by IBM, Intel, RH, etc. You are thoroughly confused, my friend. Let's stick with the original point.

> An auditing company that failed to detect massive fraud either willfully ignored it to sell out or was too incompetent to recognize it.

So explain how they audited the firm, explain which data they had access to and how they were incompetent.

You can't define your way out of providing evidence. An auditor does X. They couldn't do X, therefore they were incompetent. That schoolyard logic doesn't work. People will ask you to back up your opinion. It's completely fine to say I don't know...

replies(1): >>16769704 #
44. hueving ◴[] No.16769704{8}[source]
>Linux is developed almost exclusively by people who get paid for their work. Billions of dollars of real money have been poured in by IBM, Intel, RH, etc. You are thoroughly confused, my friend. Let's stick with the original point.

What aren't you getting? Developing is not auditing. KPMG wasn't paid to do banking, they were just paid to audit.

>So explain how they audited the firm, explain which data they had access to and how they were incompetent

As an auditing firm you either demand enough data to do a real audit or you walk away from the deal. So either they didn't have enough data or they were sell-outs rubber stamping it. That's just how auditing works.

>People will ask you to back up your opinion. It's completely fine to say I don't know...

It's not an opinion. It's literally what they are paid to do. If I pay for a hamburger and someone just gives me a pile of sand, any bystander can tell that the seller didn't do their job.

If you want more evidence of KPMG incompetence, check out this: https://seekingalpha.com/news/3344058-ge-urged-proxy-advisor...

replies(1): >>16776945 #
45. ksk ◴[] No.16776945{9}[source]
Sorry, don't want to waste my time any further. It's obvious to me that you have zero actual evidence, and no knowledge of what was done, or what was overlooked. Goodbye.