1895 points _l4jh | 8 comments
bogomipz No.16729876
>"And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our code and practices annually and publish a public report confirming we're doing what we said we would."

It's worth pointing out that KPMG was Wells Fargo's independent auditor while the bank recently committed fraud on a massive scale by creating more than a million fake deposit accounts and 560,000 credit card applications for customers without their knowledge or approval.[1]

Calling KPMG a "well-respected auditing firm" when they failed to detect over a million fake bank accounts is a joke. See:

https://www.reuters.com/article/wells-fargo-kpmg/lawmakers-q...

[1] https://www.warren.senate.gov/files/documents/2016-10-27_Ltr...

ksk No.16730782
>It's worth pointing out that KPMG was Wells Fargo's independent auditor while the bank recently committed fraud on a massive scale by creating more than a million fake deposit accounts and 560,000 credit card applications for customers without their knowledge or approval.[1]

Why is it worth pointing out? Please detail the work you've done in establishing that KPMG had access to the data and willfully ignored it.

1. hueving No.16730859
An auditing company is pointless if they can't find fraud on such a massive scale or recognize that something is being hidden from them.
2. ksk No.16732507
That's like saying Linux is a useless project because of giant security holes that stay hidden for decades. I prefer to live in the real world, which is a lot more nuanced, and my question still stands.
3. hueving No.16741929
That's a bad analogy because the Linux project isn't dedicated to auditing the Linux project.

It's like calling a home security system pointless if it doesn't detect any forced entries.

4. ksk No.16742115
I think it's a perfect analogy.

>because the Linux project isn't dedicated to auditing the Linux project.

Huh? Code review? Testing? The entire point of open source, especially w.r.t. security, is to have millions of eyes on the source. Heck, with the entire world being able to audit and review the source code, people still find bugs that were introduced decades ago.

>It's like calling a home security system pointless if it doesn't detect any forced entries.

I'm afraid that didn't make much sense to me.

Anyway, why are we focusing on irrelevant minutiae or language anyway? I simply asked a commenter to show the work they've done for basing their opinion.

5. hueving No.16765844
>Heck with the entire world being able to audit and review the source code

That's irrelevant when we are talking about a company being paid specifically to audit something. The entire world is able to send me food as well, but I don't get mad when it doesn't except for when I pay someone to do it.

>I simply asked a commenter to show the work they've done

And it was a dumb question. An auditing company that failed to detect massive fraud either willfully ignored it to sell out or was too incompetent to recognize it.

6. ksk No.16768986
>That's irrelevant when we are talking about a company being paid specifically to audit something. The entire world is able to send me food as well, but I don't get mad when it doesn't except for when I pay someone to do it.

Linux is developed almost exclusively by people who get paid for their work. Billions of dollars of real money have been poured in by IBM, Intel, RH, etc. You are thoroughly confused, my friend. Let's stick with the original point.

> An auditing company that failed to detect massive fraud either willfully ignored it to sellout or was too incompetent to recognize it.

So explain how they audited the firm, explain which data they had access to and how they were incompetent.

You can't define your way out of providing evidence. An auditor does X. They couldn't do X, therefore they were incompetent. That schoolyard logic doesn't work. People will ask you to back up your opinion. It's completely fine to say I don't know...

7. hueving No.16769704
>Linux is developed almost exclusively by people who get paid for their work. Billions of dollars of real money have been poured in by IBM, Intel, RH, etc. You are thoroughly confused, my friend. Let's stick with the original point.

What aren't you getting? Developing is not auditing. KPMG wasn't paid to do banking, they were just paid to audit.

>So explain how they audited the firm, explain which data they had access to and how they were incompetent

As an auditing firm you either demand enough data to do a real audit or you walk away from the deal. So either they didn't have enough data or they were sell-outs rubber stamping it. That's just how auditing works.

>People will ask you to back up your opinion. It's completely fine to say I don't know...

It's not an opinion. It's literally what they are paid to do. If I pay for a hamburger and someone just gives me a pile of sand, any bystander can tell that the seller didn't do their job.

If you want more evidence of KPMG incompetence, check out this: https://seekingalpha.com/news/3344058-ge-urged-proxy-advisor...

8. ksk No.16776945
Sorry, don't want to waste my time any further. It's obvious to me that you have zero actual evidence, and no knowledge of what was done, or what was overlooked. Goodbye.