Financial Cryptography

Gresham's Law thesis is back - Malware bid to oust honest miners in Monero

7 years after we called the cancer that is criminal activity in Bitcoin-like cryptocurrencies, here comes a report that suggests that 4.3% of Monero mining is siphoned off by criminals.

A First Look at the Crypto-Mining Malware
Ecosystem: A Decade of Unrestricted Wealth

Sergio Pastrana Universidad Carlos III de Madrid* spastran@inf.uc3m.es

Guillermo Suarez-Tangil King’s College London guillermo.suarez-tangil@kcl.ac.uk

Abstract—Illicit crypto-mining leverages resources stolen from victims to mine cryptocurrencies on behalf of criminals. While recent works have analyzed one side of this threat, i.e.: web-browser cryptojacking, only white papers and commercial reports have partially covered binary-based crypto-mining malware. In this paper, we conduct the largest measurement of crypto-mining malware to date, analyzing approximately 4.4 million malware samples (1 million malicious miners), over a period of twelve years from 2007 to 2018. Our analysis pipeline applies both static and dynamic analysis to extract information from the samples, such as wallet identifiers and mining pools. Together with OSINT data, this information is used to group samples into campaigns.We then analyze publicly-available payments sent to the wallets from mining-pools as a reward for mining, and estimate profits for the different campaigns.Our profit analysis reveals campaigns with multimillion earnings, associating over 4.3% of Monero with illicit mining. We analyze the infrastructure related with the different campaigns,showing that a high proportion of this ecosystem is supported by underground economies such as Pay-Per-Install services. We also uncover novel techniques that allow criminals to run successful campaigns.

This is not the first time we've seen confirmation of the basic thesis in the paper Bitcoin & Gresham's Law - the economic inevitability of Collapse. Anecdotal accounts suggest that in the period of late 2011 and into 2012 there was a lot of criminal mining.

Our thesis was that criminal mining begets more, and eventually pushes out the honest business, of all form from mining to trade.

Testing the model: Mining is owned by Botnets

Let us examine the various points along an axis from honest to stolen mining: 0% botnet mining to 100% saturation. Firstly, at 0% of botnet penetration, the market operates as described above, profitably and honestly. Everyone is happy.

But at 0%, there exists an opportunity for near-free money. Following this opportunity, one operator enters the market by turning his botnet to mining. Let us assume that the operator is a smart and careful crook, and therefore sets his mining limit at some non-damaging minimum value such as 1% of total mining opportunity. At this trivial level of penetration, the botnet operator makes money safely and happily, and the rest of the Bitcoin economy will likely not notice.

However we can also predict with confidence that the market for botnets is competitive. As there is free entry in mining, an effective cartel of botnets is unlikely. Hence, another operator can and will enter the market. If a penetration level of 1% is non-damaging, 2% is only slightly less so, and probably nearly as profitable for the both of them as for one alone.

And, this remains the case for the third botnet, the fourth and more, because entry into the mining business is free, and there is no effective limit on dishonesty. Indeed, botnets are increasingly based on standard off-the-shelf software, so what is available to one operator is likely visible and available to them all.

What stopped it from happening in 2012 and onwards? Consensus is that ASICs killed the botnets. Because serious mining firms moved to using large custom rigs of ASICS, and as these were so much more powerful than any home computer, they effectively knocked the criminal botnets out of the market. Which the new paper acknowledged:

... due to the proliferation of ASIC mining, which uses dedicated hardware, mining Bitcoin with desktop computers is no longer profitable, and thus criminals’ attention has shifted to other cryptocurrencies.

Why is botnet mining back with Monero? Presumably because Monero uses an ASIC-resistant algorithm that is best served by GPUs. And is also a heavy privacy coin, which works nicely for honest people with privacy problems but also works well to hide criminal gains.

ID Dox - now it's getting personal - Andreas spoofed

Writes Andreas Antonopolous, a noted Bitcoin commentator, that he has been impersonated with a mere scan!

More than anything else this points at the fallacy of Identity Documents as the God of our Identity. AA may very well be a victim of our penultimate post on cheap-as-chips scans of your identity.

What's becoming clear is that identity is garnering more attention. Unwittingly, orgs and peoples who thought they had this under control are being dragged into the quagmire caused by firstly the Internet, then the upheavals caused by the great financial crisis and the drugs wars, and finally the devil of all devils, blockchain. Where will it end?

Meanwhile, here comes The Award-Winning David G.W. Birch @dgwbirch another understated twitter persona with slides and solutions for your identity:

The Award-Winning David G.W. Birch @dgwbirch A Short, Strategic Comment on Digital Identity by @chyppings #authentication #authorisation slideshare.net/15Mb/a-short-s… <- A short keynote for the Biometrics Congress in London. People liked it and asked for a copy so I've uploaded it to SlideShare.

I post this for debate not for endorsement ;-)

I'd also like to point out that it is unfortunate that <blockchain> is not a HTML entity, because that's what gets typed these days.

AES was worth $250 billion dollars

So says NIST...

10 years ago I annoyed the entire crypto-supply industry:

Hypothesis #1 -- The One True Cipher Suite

In cryptoplumbing, the gravest choices are apparently on the nature of the cipher suite. To include latest fad algo or not? Instead, I offer you a simple solution. Don't.

There is one cipher suite, and it is numbered Number 1.
Cypersuite #1 is always negotiated as Number 1 in the very first message. It is your choice, your ultimate choice, and your destiny. Pick well.

The One True Cipher Suite was born of watching projects and groups wallow in the mire of complexity, as doubt caused teams to add multiple algorithms- a complexity that easily doubled the cost of the protocol with consequent knock-on effects & costs & divorces & breaches & wars.

It - The One True Cipher Suite as an aphorism - was widely ridiculed in crypto and standards circles. Developers and standards groups like the IETF just could not let go of crypto agility, the term that was born to champion the alternate. This sacred cow led the TLS group to field something like 200 standard suites in SSL and radically reduce them to 30 or 40 over time.

Now, NIST has announced that AES as a single standard algorithm is worth $250 billion economic benefit over 20 years of its project lifetime - from 1998 to now.

h/t to Bruce Schneier, who also said:

"I have no idea how to even begin to assess the quality of the study and its conclusions -- it's all in the 150-page report, though -- but I do like the pretty block diagram of AES on the report's cover."

One good suite based on AES allows agility within the protocol to be dropped. Entirely. Instead, upgrade the entire protocol to an entirely new suite, every 7 years. I said, if anyone was asking. No good algorithm lasts less than 7 years.

Crypto-agility was a sacred cow that should have been slaughtered years ago, but maybe it took this report from NIST to lay it down: $250 billion of benefit.

In another footnote, we of the Cryptix team supported the AES project because we knew it was the way forward. Raif built the Java test suite and others in our team wrote and deployed contender algorithms.

Zooko buys Groceries...

Zooko's tweet got me thinking, and it wasn't the flood of rejection he received.

I have been in that state, and I knew exactly what he meant. Been there, done that experience where you have to add each item, you have to shop for value, drop the things you want, and live on rice & beans.

Like billions of people.

Let me share an anecdote. Once upon a time I lived in Amsterdam. We had a sort of student or groupie house with some of us on the ground floor apartment and some of us on the next floor up. It was one of those places where the crazy landlady wanted crazy non-locals because we paid in cash and didn’t cause trouble.

My startup had just failed - in 1998 nobody wanted to issue hard cryptographically-protected secure instruments that could describe any money at all. Go figure. But those weren’t my worries then, what I was worried about then was … money.

Of the sort that purchased groceries, not the sort that the cypherpunks dreamed of and had but didn’t have. I would take the money to the grocery store and buy stuff. It was my job to do chilli con carne once in a while, like every few weeks. The money was someone else’s. Therefore my actual job was like taking a little money to the grocery store, buying 6 cans of tomatoes, 3 cans of beans, 1kg of minced meat, 3 chillies, onions and a lot of rice. Then cooking it and serving it.

That could feed about 5 adults for about 4 days.

For about 6 months I was in this state of poverty. It wasn’t the first time, nor the last, nor the worst - but it meant several things. I really had to watch the money. And wash clothes and iron shirts and cook chilli con carne and feed the group. I couldn’t make decisions because I couldn’t afford to make decisions. I couldn’t vary the menu because that was the cheapest.

Until I picked up a contract doing "requirements" for a local smart card money firm, I was stuck in this state. Every week or two, one of the guys from upstairs would invite me to the Bagel's 'n Beans (I think it was called) at the corner and we'd do breakfast in the sunshine and talk about financial cryptography and how to issue eCash and how to save the planet. Then he’d pay, and he’d go off to work because his startup hadn’t collapsed yet, and he still had a paycheck.

I was very conscious of the fact that if I hadn't had good friends, I'd be screwed. I was basically living for free while they were working their day jobs. It's hard to explain to those who have never faced it but there is a special hell for those who've had good paying jobs and then they get shut out. Of course, this happens to millions or billions, I'm not special.

The guy who liked Bagels was @zooko. Ever since that period I've tried to invite my poorer friends. Money didn’t matter, except when it did. Money was for living, not for making. Money was for doing, not for counting.

And I have thought a lot about what that time meant to me. It was that experience, and later experiences that led me to understand that the fabric of society isn't commerce, it isn't capitalism, it isn't profit and it very much isn't the dollar or the euro or the yen. The fabric of society is relationships. I didn't know it then, but I slowly found myself in the search for community. Not because I needed it, or not only, but because I thought that in community was the answer.

To the problem, and in 2008 I found myself again in deep poverty in the rich country of Austria. This time I had a job doing community auditing, which worked out at about €1 per hour, comfortably well below the poverty line, but alive. But, while we were building that community, we were watching the world’s financial community get into gridlock. Banks failing, countries on the verge, etc.

Since around 2000 - the dotcom crash - a lot of us had expected a real hard recession. It never happened, and we were mystified. Then in 2008 the answer was revealed. The man they called the magician, Alan Greenspan, had led bailout after bailout. Not of banks, but of the entire world system: the dotcom crash, 9/11, mutual funds scandal, fannie mae, something else... had all been rewarded with monstrous injections in liquidity. The banks or Alan Greenspan or someone had turned the entire western financial system into a bubble or a Ponzi or something.

And this last decade has been the mother of all bailouts - Quantitative Easing is nothing more than a gift to the financial system.

The problem I'm looking at then takes on a new aspect. What happens when the mother of all bubbles pops? When, not only can we not afford the groceries, but when there aren’t any grocery stores? We know something of this from Greece, from Puerto Rico, from Venezuela. How is it that people survive?

I knew it was relationship but I didn't know how. I knew people would save people, but how? My experiences in Amsterdam and Vienna and a few other episodes gave me no clear pattern - I knew that people saved people, but who, when and why in each circumstance?

Until, after a few more years skidding along the planetary row I found the how in Kenya - the chamas. It wasn’t that Kenyans were smarter than the westerners (they can be, and they’re definitely smarter than NGOs and aid workers who come to help) but it was clearer that there were two environmental factors that led them to work smarter, better, safer: poverty and corruption. It was out of these twin forces - I theorise - that they augmented their family and local trust lines into chamas.

Finding the how was pretty exciting. It was the lightbulb moment - the Eureka thing. Enough for me to quit my really safe and boring job in Australia and go to Kenya to build the first generation of chamapesa. It wasn’t because our technology spoke to chamas and chamas listened. It wasn’t because I loved Africa and the people were wonderful, it wasn’t because the business plan gasped an exponential curve to the moon. And it wasn’t because we could put a billion Africans on the blockchain, or a million blockchains on Africans.

It was because here was the solution, to everything I had not been able to work out before.

Like Zooko and a billion other people I’d spent many years in the grocery accounting trap. Like Zooko and millions of other people I’d lived the life of intelligent comfortable wealth and didn’t really care how much things cost.

But like Zooko and a much smaller group of people, I've lived both those lives. That shock of poverty was burnt into our rich, educated privileged brains. And it matters. It drives us. It owns us, it changes us. I went to Kenya not for them but for all of us. To be nauseous, Chamapesa is our plan to get everyone to the grocery store so they don't care about the cost. And it is the rich west as well as the entrepreneurial Africans who'll need this.

So when Zooko posts on his experiences, and gets attacked for lack of humility or lack of gratefulness, I understand the angst that these people have, but honestly, they’ve missed the point. Having lived on both sides of the tracks, it isn’t gratefulness or humility or charity that we find or care for or should exhibit, it is clarity of thought.

And this is where we separate from those in Silicon Valley or the NGO armies or the twitter social justice warriors or regulators or other oligopolists. They’ll never understand because those people have only lived on one side of the tracks.

You can't "fight poverty" when you work for a family wealth fund. You can't "save the poor" when you live in Silicon Valley and whiteboards & google are the extent of your knowledge. You can't blockchain your way to understanding. You can't "bank the unbanked" when your entire worldview is driven by the World Bank. You can't "give charitably" and expect that money to be spent wisely by those who receive charitably.

You get your degree in poverty by living it, not by going to University and studying IMF reports. So when Zooko exhibits his particular penchant for unfiltered thought, it is not going to fit in with people's polite ways of ignoring problems - humility, gratefulness, charity are all comforting techniques to avoid the problem.

The problem that Zooko is being daily reminded of and is highlighting to a de-sensitised readership is this: at some point poverty becomes a trap such that no amount of normal or routine activity can extract you out of it. Only a serious and literally life-changing intervention can fix that problem.

And here's where I can add: chamas are the routine & normal activity that can address the trap, because they were designed to do exactly that. Which is a solution available to some, and not to others. We had it in Amsterdam in some pre-formative sense. The long term outlook for those with access to these societal techniques is far better than those without. Working to a stronger society then is why I'm working on chamas, with Africans, and not on blockchain with silicon valley types.

I understand that the cost of that is I will be called all sorts of things. But, in this game, it is more important to have clarity of thought than to be liked.

Bitfinex - Wolves and a sheep voting on what's for dinner

When Bitcoin first started up, although I have to say I admired the solution in an academic sense, I had two critiques. One is that PoW is not really a sustainable approach. Yes, I buy the argument that you have to pay for security, and it worked so it must be right. But that's only in a narrow sense - there's also an ecosystem approach to think about.

Which brings us to the second critique. The Bitcoin community has typically focussed on security of the chain, and less so on the security of the individual. There aren't easy tools to protect the user's value. There is excess of focus on technologically elegant inventions such as multisig, HD, cold storage, 51% attacks and the like, but there isn't much or enough focus in how the user survives in that desperate world.

Instead, there's a lot of blame the victim, saying they should have done X, or Y or used our favourite toy or this exchange not that one. Blaming the victim isn't security, it's cannibalism.

---

Unfortunately, you don't get out of this for free. If the Bitcoin community doesn't move to protect the user, two things will happen. Firstly, Bitcoin will earn a dirty reputation, so the community won't be able to move to the mainstream. E.g., all these people talking about banks using Bitcoin - fantasy. Moms and pops will be and remain safer with money in the bank, and that's a scary thought if you actually read the news.

Secondly, and worse, the system remains vulnerable to collapse. Let's say someone hacks Mt.Gox and makes a lot of money. They've now got a lot of money to invest in the next hack and the next and the next. And then we get to the present day:

Message to the individual responsible for the Bitfinex security incident of August 2, 2016

We would like to have the opportunity to securely communicate with you. It might be possible to reach a mutually agreeable arrangement in exchange for an enormous bug bounty (payable through a more privacy-centric and anonymous way).

---

So it turns out a hacker took a big lump of Bitfinex's funds. However, the hacker didn't take it all. Joseph VaughnPerling tells me:

"The bitfinex hack took just about exactly what bitfinex had in cold storage as business profit capital. Bitfinex could have immediately made all customers whole, but then would have left insufficient working capital. The hack was executed to do the maximal damage without hurting the ecosystem by putting bitfinex out of business. They were sure to still be around to be hacked again later.

It is like a good farmer, you don't cut down the tree to get the apples."

A carefully calculated amount, coincidentally about the same as Bitfinex's working capital! This is annoyingly smart of the hacker - the parasite doesn't want to kill the host. The hacker just wants enough to keep the company in business until the next mafiosa-style protection invoice is due.

So how does the company respond? By realising that it is owned. Pwn'd the cool kids say. But owned. Which means a negotiation is due, and better to convert the hacker into a more responsible shareholder or partner than to just had over the company funds, because there has to be some left over to keep the business running. The hacker is incentivised to back off and just take a little, and the company is incentivised to roll over and let the bigger dog be boss dog.

Everyone wins - in terms of game theory and economics, this is a stable solution. Although customers would have trouble describing this as a win for them, we're looking at it from an ecosystem approach - parasite versus host.

But, that stability only survives if there is precisely one hacker. What happens if there are two hackers? What happens when two hackers stare at the victim and each other?

Well, it's pretty easy to see that two attackers won't agree to divide the spoils. If the first one in takes an amount calculated to keep the host alive, and then the next hacker does the same, the host will die. Even if two hackers could convert themselves into one cartel and split the profits, a third or fourth or Nth hacker breaks the cartel.

The hackers don't even have to vote on this - like the old joke about democracy, when there are 2 wolves and 1 sheep, they eat the sheep immediately. The talk about voting is just the funny part for human consumption. Pardon the pun.

The only stability that exists in the market is if there is between zero and one attacker. So, barring the emergence of some new consensus protocol to turn all the individual attackers into one global mafiosa guild, a theme frequently celebrated in the James Bond movies, this market cannot survive.

---

To survive in the long run, the Bitcoin community have to do better than the banks - much better. If the Bitcoin community wants a future, they have to change course. They have to stop obsessing about the chain's security and start obsessing about the user's security.

The mantra should be, nobody loses money. If you want users, that's where you have to set the bar - nobody loses money. On the other hand, if you want to build an ecosystem of gamblers, speculators and hackers, by all means, obsess about consensus algorithms, multisig and cold storage.

---

ps; I first made this argument of ecosystem instability in "Bitcoin & Gresham's Law - the economic inevitability of Collapse," co-authored with Philipp Güring.

Elinor Ostrom's 8 Principles for Managing A Commmons

(Editor's note: Originally published at http://www.onthecommons.org/magazine/elinor-ostroms-8-principles-managing-commmons by Jay Walljasper in 2011)

Elinor Ostrom shared the Nobel Prize in Economics in 2009 for her lifetime of scholarly work investigating how communities succeed or fail at managing common pool (finite) resources such as grazing land, forests and irrigation waters. On the Commons is co-sponsor of a Commons Festival at Augsburg College in Minneapolis October 7-8 where she will speak. (See accompanying sidebar for details.)

Ostrom, a political scientist at Indiana University, received the Nobel Prize for her research proving the importance of the commons around the world. Her work investigating how communities co-operate to share resources drives to the heart of debates today about resource use, the public sphere and the future of the planet. She is the first woman to be awarded the Nobel in Economics.

Ostrom’s achievement effectively answers popular theories about the "Tragedy of the Commons", which has been interpreted to mean that private property is the only means of protecting finite resources from ruin or depletion. She has documented in many places around the world how communities devise ways to govern the commons to assure its survival for their needs and future generations.

A classic example of this was her field research in a Swiss village where farmers tend private plots for crops but share a communal meadow to graze their cows. While this would appear a perfect model to prove the tragedy-of-the-commons theory, Ostrom discovered that in reality there were no problems with overgrazing. That is because of a common agreement among villagers that one is allowed to graze more cows on the meadow than they can care for over the winter—a rule that dates back to 1517. Ostrom has documented similar effective examples of "governing the commons" in her research in Kenya, Guatemala, Nepal, Turkey, and Los Angeles.

Based on her extensive work, Ostrom offers 8 principles for how commons can be governed sustainably and equitably in a community.

8 Principles for Managing a Commons

1. Define clear group boundaries.

2. Match rules governing use of common goods to local needs and conditions.

3. Ensure that those affected by the rules can participate in modifying the rules.

4. Make sure the rule-making rights of community members are respected by outside authorities.

5. Develop a system, carried out by community members, for monitoring members’ behavior.

6. Use graduated sanctions for rule violators.

7. Provide accessible, low-cost means for dispute resolution.

8. Build responsibility for governing the common resource in nested tiers from the lowest level up to the entire interconnected system.

the Satoshi effect - Bitcoin paper success against the academic review system

One of the things that has clearly outlined the dilemma for the academic community is that papers that are self-published or "informally published" to borrow a slur from the inclusion market are making some headway, at least if the Bitcoin paper is a guide to go by.

Here's a quick straw poll checking a year's worth of papers. In the narrow field of financial cryptography, I trawled through FC conference proceedings in 2009, WEIS 2009. For Cryptology in general I added Crypto 2009. I used google scholar to report direct citations, and checked what I'd found against Citeseer (I also added the number of citations for the top citer in rightmost column, as an additional check. You can mostly ignore that number.) I came across Wang et al's paper from 2005 on SHA1, and a few others from the early 2000s and added them for comparison - I'm unsure what other crypto papers are as big in the 2000s.

Conf	paper	Google Scholar	Citeseer	top derivative citations
jMLR 2003	Latent dirichlet allocation	12788	2634	26202
NIPS 2004	MapReduce: simplified data processing on large clusters	15444	2023	14179
CACM 1981	Untraceable electronic mail, return addresses, and digital pseudonyms	4521	1397	3734
self	Security without identification: transaction systems to make Big Brother obsolete	1780	470	2217
Crypto 2005	Finding collisions in the full SHA-1	1504	196	886
SIGKDD 2009	The WEKA data mining software: an update	9726	704	3099
STOC 2009	Fully homomorphic encryption using ideal lattices	1923	324	770
self	Bitcoin: A peer-to-peer electronic cash system	804	57	202
Crypto09	Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions	445	59	549
Crypto09	Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems	223	42	485
Crypto09	Distinguisher and Related-Key Attack on the Full AES-256	232	29	278
FC09	Secure multiparty computation goes live	191	25	172
WEIS 2009	The privacy jungle: On the market for data protection in social networks	186	18	221
FC09	Private intersection of certified sets	84	24	180
FC09	Passwords: If We’re So Smart, Why Are We Still Using Them?	89	16	322
WEIS 2009	Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy	82	24	275
FC09	Optimised to Fail: Card Readers for Online Banking	80	24	226

What can we conclude? Within the general infosec/security/crypto field in 2009, the Bitcoin paper is the second paper after Fully homomorphic encryption (which is probably not even in use?). If one includes all CS papers in 2009, then it's likely pushed down a 100 or so slots according to citeseer although I didn't run that test.

If we go back in time there are many more influential papers by citations, but there's a clear need for time. There may well be others I've missed, but so far we're looking at one of a very small handful of very significant papers at least in the cryptocurrency world.

It would be curious if we could measure the impact of self-publication on citations - but I don't see a way to do that as yet.

Ledger - a journal for cryptocurrency papers

"Ledger" was recently announced as a journal for cryptocurrency papers, and the timing was rather spectacular. Everyone agrees this is a good idea.

Today I had a look, because I and some friends have some papers that might be published there. Several things reached out, so I thought I'd put them out here and see if they resonate.

1. The Ledger team seem to have taken on some criticism of the academic process and gone for more openness in several areas:

• Ledger has created a peer review system where reviews are publishable by authors. What Ledger have done is ensured that reviewers can be published and held accountable for their reviews. This should go some way to stopping academic cliques building up, a fate that I can attest to directly.


• Papers are CC-licensed so immediately and popularly available. Discourse is well served. I am not sure where the others are now, but I've had my arguments in the past with the proxies of Springer-Verlag wanting to own my mind. Those days are dead.


• Fast turn arounds promised.

2. Business-wise, Ledger is a direct competitor to existing forums Financial Cryptography (the conference) and to a lesser extent WEIS. Now, this is fine in my view as (a) the space has massively enlarged from the niche it once was, and we can easily support more forums, and (b) Ledger is oriented to the paper distribution process whereas others are primarily presentation-oriented and networking. Also (c) the founder and coiner of Financial Cryptography, Bob Hettinga, always made clear that this was a competitive market ;)

3. It is not immediately clear who the reviewers are. While the core might be its Editorial base, the asset of a peer-reviewed journal is its hardworking reviewers. Specifically, the asset can be attached.

4. And, immediately the attachment begins. If you look at the Editor's page, they have fallen into the same trap as the financial cryptography conference fell into in 1998 - academic control. Of the very long list of fine editors, only a tiny minority are outside the University system by either affiliation or title. Whatever you think of the academic world, it is very clear that it is a discriminatory system, and many fine contributions are squashed or stolen for it.

5. In which world, reputation and cites rule. Which leads to anonymous authorship:

Under extenuating circumstances, the journal may permit authors to publish under a pseudonym. Authors should include a statement describing why they wish to remain anonymous at the time of article submission. Only manuscripts where quality can be judged exclusively from the content presented in the paper, and where the scope of any conflict of interest problems would be limited (should they exist), will be considered for anonymous authorship.

Ledger are clearly skeptical of the notion of anonymous authorship because as academics they are so used to leaning on the reputation of the author. A bad paper by a leading author always trumps a good paper by an unknown, and it is practically the law that the profs must co-author the papers of the candidates so as to cross that barrier.

Ledger are thus clearly skeptical that the paper's words mean much independently of the author's reputation. Leaving it at odds with the Bitcoin community is as it is, as, under those rules, Satoshi's paper would not have been published, and we'd not be having these discussions. Now, it's fine for them to do this, but what I'd point out here is that this is further evidence of 4. above: academics setting themselves up to capture cites.

6. In not charging for papers, nor distribution & access, the Ledger has a clear financial business problem. It (probably) relies entirely on two sources: the volunteer time of reviewers, and the paid salary of academics.

---

The nature of scientific enquiry has moved on since the days of the controlled paper distribution. All papers from now on must be free of economic control, or we get the Satoshi effect - the most important paper in the field was never published in a forum, because under the rules of all the forums, it could not be published. The old forums out there had economic controls, and those controls were captured by the very people who could benefit from the controls - cites are promotions are money, and paper is trees is subscriptions.

Ledger presents the disturbing academic dilemma in a nutshell. The Internet has solved the paper-subscription economic barrier, but not the citation-peer-review circle. And, it leans very heavily on academics on salary, which is the other side of the same coin - what is the economic model that both sustains the machine, and rewards the quality?

If you're thinking I'm arguing both sides of this - you're right. I can see the problem. I don't have the answers - unless you want something superficial like "publish papers on the blockchain!" But we won't find the answers until we understand the problems.

When the security community eats its own...

If you've ever wondered what that Market for Silver Bullets paper was about, here's Pete Herzog with the easy version:

When the Security Community Eats Its Own

BY PETE HERZOG
http://isecom.org

The CEO of a Major Corp. asks the CISO if the new exploit discovered in the wild, Shizzam, could affect their production systems. He said he didn't think so, but just to be sure he said they will analyze all the systems for the vulnerability.

So his staff is told to drop everything, learn all they can about this new exploit and analyze all systems for vulnerabilities. They go through logs, run scans with FOSS tools, and even buy a Shizzam plugin from their vendor for their AV scanner. They find nothing.

A day later the CEO comes and tells him that the news says Shizzam likely is affecting their systems. So the CISO goes back to his staff to have them analyze it all over again. And again they tell him they don’t find anything.

Again the CEO calls him and says he’s seeing now in the news that his company certainly has some kind of cybersecurity problem.

So, now the CISO panics and brings on a whole incident response team from a major security consultancy to go through each and every system with great care. But after hundreds of man hours spent doing the same things they themselves did, they find nothing.

He contacts the CEO and tells him the good news. But the CEO tells him that he just got a call from a journalist looking to confirm that they’ve been hacked. The CISO starts freaking out.

The CISO tells his security guys to prepare for a full security upgrade. He pushes the CIO to authorize an emergency budget to buy more firewalls and secondary intrusion detection systems. The CEO pushes the budget to the board who approves the budget in record time. And almost immediately the equipment starts arriving. The team works through the nights to get it all in place.

The CEO calls the CISO on his mobile – rarely a good sign. He tells the CISO that the NY Times just published that their company allegedly is getting hacked Sony-style.

They point to the newly discovered exploit as the likely cause. They point to blogs discussing the horrors the new exploit could cause, and what it means for the rest of the smaller companies out there who can’t defend themselves with the same financial alacrity as Major Corp.

The CEO tells the CISO that it's time they bring in the FBI. So he needs him to come explain himself and the situation to the board that evening.

The CISO feels sick to his stomach. He goes through the weeks of reports, findings, and security upgrades. Hundreds of thousands spent and - nothing! There's NOTHING to indicate a hack or even a problem from this exploit.

So wondering if he’s misunderstood Shizzam and how it could have caused this, he decides to reach out to the security community. He makes a new Twitter account so people don’t know who he is. He jumps into the trending #MajorCorpFail stream and tweets, "How bad is the Major Corp hack anyway?"

A few seconds later a penetration tester replies, "Nobody knows xactly but it’s really bad b/c vendors and consultants say that Major Corp has been throwing money at it for weeks."

Read on for the more deeper analysis.

Posted by iang at 06:04 AM | Comments (0)

We need banks to fail. What other language speaks?

The obvious problem with TBTF - too big to fail - is that banks that successfully manoeuvre governments into awarding them with the honoured right of printing money for nothing (aka bonuses, and chicks for free) also set the governments up for the eventual fall.

Although bank failure is traumatic, the alternate is far worse, at every possible level. Economic theory has it quite simply: if a bank fails, then all the directors must be punished, all the shareholders be set to zero, and the creditors must lose. No other reminder is sufficient to instill in the public's minds the need to treat their banks with skepticism.

But western, socialist or community minded governments often fall into the Misean trap of thinking they can do better than the market. And at times, they can -- central banks have successfully taken over many banks, fixed them, and returned them to the market. At a profit, even.

But the market always reasserts in time. They only thing that changes is who pays for the folly. And so comes Icesave - against who's creditors a European court has ruled:

The ruling, delivered in Luxembourg by the European Free-Trade Association Court, dealt with the collapse of Icesave, an online subsidiary of Iceland’s Landsbanki. Before the crisis Icesave had used a European “passport” to open branches abroad and collected deposits in Britain and the Netherlands with almost no oversight from regulators in those countries. One condition of its passport was that it promised that its deposits were backed by a national deposit-insurance scheme in Iceland. Yet when the bank collapsed Iceland’s deposit scheme was overwhelmed. Icelandic depositors in the bank ended up getting their money back; the British and Dutch governments both had to step in to compensate depositors in their countries.

Many observers had expected the court to rule that Iceland was obliged to stand behind its national deposit-protection plan and not to discriminate against foreign depositors. Instead the court found that Iceland was obliged only to make sure that it had a deposit-insurance scheme. The state was not required to pay out if the scheme had no money because of a banking crisis. Oddly, the court also found that Iceland had not breached an obligation not to discriminate between domestic and foreign depositors, even though it made only the domestic ones whole.

As an individual who had lost money in such a case, I would be yelling for blood. But as an economist, this is the wrong approach -- I the individual should be yelling for blood at the shareholders' meeting while the bank is still solvent, not after it is obviously dead.

The way the Economist writes the above story is common sense, and can get no better. Obviously, a national deposit-insurance only insures the nationals, or more precisely the residents. It's that word - "national" - which was curiously not extended to "community".

Obviously, such a scheme was in place. What is not clear is, in the sad event that it failed, why would one imply that there was another scheme behind it? Or why would one imply that a given "national deposit scheme" was a bottomless pit of value for tapping? A scheme has a value, right?

The SoFFin (Sonderfonds Finanzmarktstabilisierung - Special Financial Market Stabilization Funds) is a program of the German government with the purpose to stabilize and restore confidence in the financial system. .... The SoFFin may grant guarantees of up to 400bn euros and recapitalize or purchase assets for an additional 80bn euros.

Only if one can suspend any judgement as to the credibility and creditworthiness of the players, can one assume that a fund would never fail, but this is what people typically do. If Wikipedia knows the number for Germany, why don't the people?

This assumption flies in the face of evidence that is presented daily. Well, yesterday at least: Six of the big Canadian banks are now downgraded:

"Today's downgrade of the Canadian banks reflects our ongoing concerns that Canadian banks' exposure to the increasingly indebted Canadian consumer and elevated housing prices leaves them more vulnerable to unpredictable downside risks facing the Canadian economy than in the past," said Moody's vice president David Beattie.

We need more of it. Meanwhile, in not so sensible news, the Greeks have gone precisely backwards and declared war on themselves:

Any transaction in excess of 500 euros will soon only be allowed via credit or debit card or by check, according to a plan by the Finance Ministry aimed at combating tax evasion.

The ceiling for cash transactions is to be lowered from 1,500 euros today to 500 euros and could be reduced further over in the course of 2013. Ministry sources say that in the first quarter of the new year all companies and certain self-employed individuals will have to obtain the POS (point-of-sale) terminals that provide for card transactions.

The problem with this is that, although the Greek problem of taxation failure is well known, there is another larger problem: the Greek economy is dying. And this is a problem for the whole population, not just the sub-sector know as "the government".

People need to eat. If the economy is failing, they need to resort to themselves, their local communities, their families and their long standing local trade relationships. They need small trades, efficient trades, hand to hand and barter.

Trust at a local level, because there is nothing else. It is no longer a question of savings, or deposit schemes, or even taxation - it's about survival. People need the cash.

Instead of assisting this process, and serving the very survival of their People, the government of Greece is assisting the banks which everyone knows to be bankrupt. Which then is a shot across the bows of the Greek People.

So one has to ask a question - are the People of Greece irretrievably stupid? Will they rush in droves to place their cash in banks, and trust in the Greek Government to make them whole if there are any failures? Is their national deposit scheme a bottomless pit of value?

Or, are they possibly like the now chastened British and Dutch - a little more skeptical of offers endorsed by a regulator who's best idea for repairing an economy is to strip raw circulating cash out of the economy. Or, the Spanish, who are moving (their cash and sometimes themselves).

Coincidentally, stripping the cash out of the economy is an idea championed to great effect in the 1930s by none other than the USA Federal Reserve.

When banks are bankrupt, we need them to fail. What other language will get the message through?

Women make us smarter?

In yet another "that's a bad gender term" debate somewhere, this article popped up: "Evidence for a Collective Intelligence Factor in the Performance of Human Groups," Woolley et al, Science 2010. Massacring it to extract its core message:

"However, three factors were significantly correlated with c [Group Intelligence]. First, there was a significant correlation between c and the average social sensitivity of group members.... Second, c was negatively correlated with the variance in the number of speaking turns by group members.... In other words, groups where a few people dominated the conversation were less collectively intelligent than those with a more equal distribution of conversational turn-taking.

Finally, c was positively and significantly correlated with the proportion of females in the group (r = 0.23, P = 0.007). However, this result appears to be largely mediated by social sensitivity (Sobel z = 1.93, P = 0.03), because (consistent with previous research) women in our sample scored better on the social sensitivity measure than men [t(441) = 3.42, P = 0.001]. In a regression analysis with the groups for which all three variables (social sensitivity, speaking turn vari- ance, and percent female) were available, all had similar predictive power for c, although only social sensitivity reached statistical significance (b = 0.33, P = 0.05) (12)."

The lobby for women may simply be missing a few marketing tricks. Instead of detecting "differences" and assuming them to be discrimination, there are positive things that can be highlighted.

Maybe it is as simple as coming up with a slogan or aphorism that captures the positive? That article suggests in a very solid and cohesive way that women make groups more intelligent. This is a message that could make even the most hardened geeks and misogynists take pause.

Why Central Banking will fail in the next N years -- and how Central Bankers might prepare us for it.

I think I have already predicted the apogee of Central Banking in claiming that the 20th century was theirs. It is not entirely clear what happens next; we won't know that until we (or they) build that future, and CBs themselves lose all their power such that they step aside and allow banks to fail.

That said, it is a rather dramatic prediction. So it behoves to review it from time to time. And to seek other opinion! With that in mind, I present a long essay from BullionVault's Paul Tustain, who starts out by saying:

I'VE ALWAYS been fairly sure you can't print money and get away with it indefinitely. But I couldn't well answer the question "Why not?"

It turns out the recent head of the British financial services regulator is similarly uncertain. He recently suggested the Bank of England write off half of the government's debt, which comes to exactly the same thing as printing money. How wonderfully simple. Of course it must be wrong, but why?

You can read the whole thing for the fuller answer. I'm just going to cherry pick. Firstly, show that a reminder that we need money:

CHIMPANZEES don't barter, but they trade a variety of delayed favours we won't go into here. South American vampire bats are more sophisticated, and run a small credit economy. The little darlings have such a need for blood that they lend, borrow and pay back amongst themselves rather than let a relative go bloodless for a whole night. They somehow manage to do the whole thing without plastic cards. A credit card – of course – is a device which creates both credit and debt, and you can spend the credit bit, which unfortunately leaves the debt bit overhanging, though oddly absent from the device's name.

Pure, distilled credit usually arises from us doing some work (labour), or transferring our property to someone else (selling goods). Either way, we generate an unreturned favour. So I'm going to call a unit of credit an 'Uf', and wherever possible I'll use the word 'Uf' instead of credit. Somehow it makes it much easier to understand what the hell is going on.

Chimps and vampires show that credit occurs naturally, just as it would have for the earliest humans. Beyond the smallest number of transactions it would have quickly become hard to agree who owed unreturned favours (Ufs) and to whom. Then somebody had the smart idea of using tokens to represent Ufs.

It is quite an important observation that money is simply an accounting system for favour returns. If we were to formalise this notion, money would be an accounting system that works in a world of many parties, where each are individual actors. (Some would say byzantine actors, others would say crooks.) In contrast, the accounting systems we actually call accounting systems, the ones we normally have occasion to use, are more simply which work well with only one party, self or or our employer, and there is a reasonable expectation that self does not steal from self.

The point here is that when we create money we are building an accounting system. And we might have different ways of doing that... Indeed we might set up an accounting system where someone stands in the center and lets users pay each other:

Vampires bats can't do what we can which is to formalise our simple transaction onto an account by booking two payments through the bank. If your friend were to pay you through the bank for the original favour you did then you could spend your Uf anywhere. Banking is useful, like Uf tokens are, because an Uf you earn from your friend, then record at your bank, becomes available for you to pay anyone who's got a bank account.

And now I'd like to step in and reveal a crucial distinction. Where Paul has started talking about banks, he has now drifted to payment systems. Pin this point on your wall above your monitor or laptop - there are banks and there are payment systems.

Banks happen to have payment systems, but banks also have credit. Why and how does credit exist? He explains it in some detail, but here's a succinct para:

It is pure nonsense to say that a gold standard means all money should be backed by vaulted gold. Suppose it was. It would prevent a man with a paid up £100 million property portfolio from borrowing £10,000 from his bank to pay someone £10,000 to build a garden shed. A monetary obstruction to this deal just isn't going to be tolerated, and it's a stupid idea to suggest the deal should be blocked simply because the consumer (rich property owner) or his bank currently has no gold at hand. It was precisely this sort of economic blockage that caused people to create money in the first place, and if you try to stop willing and credible exchangers from using one type of money they'll simply abandon your money, and either use someone else's or create their own.

Which is to say - people with wealth will work with credit, and credit will arise naturally to assist those people, in exactly the same way that money itself arose (which is nothing more than a credit system for favours done in the past).

Credit is natural. Now the question turns to how we deal with the industrialisation of credit in a banking system, and the more particular point of what happens when a bank over-extends. In a stable banking system, other banks knock on the door and get their agreed collateral back. In a Central Banking system, the banks pass their combined position to the CB who nets it. Paul introduces Brad's bank, one that acts badly, and is enouraged to act more badly:

....When his bank deposits its balance at Brad's bank to Central, then it clears away its risk of Brad's bank's failure. It is Central which will now be exposed to the failure of Brad's bank.

The role of Central Banking is (or has become) to take on the risk of any bank failng.

....It also explains that the last bank in the chain is accepting the risk that Brad's bank can't return the Ufs, and because banks can get off that risk by drawing a cheque on Brad's bank and depositing it into Central, the Ufs created by Brad's bank usually end up owed by Brad's bank directly to the Central Bank.

And banks take on that role with relish.

These days Central is feeble, and frightened of the political consequences of any bank failure, so it lets Brad's bank run up an ever growing balance on ever weaker collateral. Other banks can deposit any of Brad's bank's junk at Central. Central's bluff (that it might close down a dodgy bank like Brad's) has been well and truly called. If you are a sound bank you can now do stupid business with a bad bank which you know can never pay you properly, and it won't hurt you.

Because Central's Governor has made it known he won't let banks fail, he has set himself up as the patsy.

To ground this story, Paul puts it in today's financial speak:

The resulting huge Uf balances at Central can be made grand and confusing by saying "The Bank of England's Balance Sheet is expanding" which I'm sure makes everyone think it's doing a remarkably important job. What it really means is that the Governor won't demand that a busted bank pays up or shuts down, so Central just runs up an ever bigger deposit balance at an ever weaker bank. While Central permits this Brad's bank really is being allowed to 'create money out of thin air'.

In short: Banks ran ever bigger loan exposures, because they had to compete on dividends. They cleared them through the Central Banks, which declined to shut any down. Therefore the Central Banks expanded their balance sheets to hold the risk, thus further encouraging the banks to do more and more.

Indeed the current set up – where banks are not allowed to fail – turns out to be even worse than I previously thought. It does much more than offer succour to the odd unfortunate bank which steps over the limit of safety. It actually forces banks to be dumb. They have no choice but to approach the safety limit until they are bound to step over it. Any bank which does not step up to the plate will underperform all the others, and be subsumed by a more aggressive competitor. It's how evolution works; the survival of the fittest, where fitness means adapted to the prevailing environment. If you do not compete in the skewed environment where the Central Bank is a wimp you will expire because of it.

That's why banks are forced to make rosy judgments on the value of collateral.

Precisely. The regulatory environment *requires* banks to compete in badness. They cannot innovate (take on risk not understood by the CB), and they cannot seek to avoid being commoditised. Thus the only thing they can do is compete on dividends to their shareholders, who are guaranteed by the CB patsy.

If all of them act like this, they must all overstep the bounds, and the system must fail.

Central Banking is thus the problem NOT the solution. And therefore has grave difficulty in being any part of the solution, even if all the actors in the Central Banking world are honest, hard-working and try their darndest to avoid the inevitable.

Once we understand the theory of why Central Banking must fail, in the end, we all naturally reach for predictions and solutions. That's tough. Nobody who is in control has an interest in stopping the rot, all of us outside have no power. So the result will be unpredictable.

But maybe some good things can be snuck through to prepare for the inevitable.

Let's now return to the events of 2007-2008 because it brings forth a singular lesson. When the crisis of Lehman Brothers hit Britain, panic spread through the banks, and in a knee-jerk reaction to protect themselves, they refused to deal with each other.

Bad idea. In an effort to keep the banks working, some banks turned to new teams. E.g., sack the executives. But, as the story is widely told in private banking circles, one man held a gun to the banks' collective head and refused to go.

So long did he hold that gun that it was estimated that his bank was 2 hours from shutting down their ATM network. And if that bank's ATM network was shut down, all the others follow suit.

The entire British payments systems were 2 hours from freezing solid.

People in power in London well know what the people outside London, outside of power, are capable of doing - recall the Poll Tax riots? Or more recently?

So we now see the real fear behind the deadly embrace that Paul outlined: Central Banking will fail and take the banks with them, the banks operate the payment systems and the failure of them will cause society to screech to a halt.

The silver lining that can be brought out of this is that payment systems, and indeed other innovations, can be allowed to emerge out of society. Payment systems can be divorced from banks, and to a large extent this direction can be see in the European monetary regulations of the last decade (PSD and eMoney directive).

Central Banks cannot get off their rollercoaster ride to credit-fueled doom, but they can ensure that newer innovations are not coupled to their journey to destruction.

Consider Kenya and Tanzania, countries that now have THREE mostly independent payment systems: cash, banks and mPesa. If all banks were to fail, shut the doors and the ATMs were to go broke, then the people can turn to the other two. Cash transactions will suddenly be king. And as long as the mPesa system is able to operate divorced from the banks, it will become queen.

mPesa already handles something like 20-30% of the GDP of Kenya, and something similar in Tanzania; if it can pick up more load, then this society might survive. As long as cash and electronic can still circulate, people can eat. Credit will be frozen, the middle classes will be screwed, but as long as people can eat, the bloodshed will be less pronounced.

A country like Britain which has long handed the monopoly of payments to the banks will not have this option, and remains in its deadly banking embrace. Hence, their better bet would be nurture and encourage the innovations: BullionVault and their close cousin GoldMoney. Zopa. Alternative payments systems under the eMoney directive, and independent systems under PSD. They should pray for an mPesa.

The question then to the Bank of England is not how much governance they wish to load onto these innovations, but rather do you dare run the risk without them?

More STOP PRESS: A Ratings Agency has been brought to task!

In another outstanding development in the new normal of the post-GFC world, a bad actor has been brought to task:

The ruling in the Federal Court of Australia on November 5th held Standard & Poor’s (S&P) jointly liable with ABN AMRO, a bank, for the losses suffered by local councils that had invested in credit derivatives that were designed to pay a high rate of interest yet were also meant to be very safe.

What in effect does this mean? If you put your name on something as good, then you have to carry the consequences of it being bad. And the courts will hold you to it, or, they did in this case. As shareholders held Deloitte accountable in at least one Auditor case recently.

This is one of the essential, unavoidable causes of the GFC (marks I and II) -- that powerful players may take the upside of profitable participation in risky trades, but declare themselves non-liable for the downsides.

Was, in this case, S&P just caught out by a statistical bad apple, or was it raking it in? The Economist goes on to report:

The derivatives in question were “constant proportion debt obligations” (CPDOs). These instruments make even the most ardent fans of complex financial engineering blush: they are designed to add leverage when they take losses in order to make up the shortfall. S&P’s models, which the court said blindly adopted inputs provided by ABN AMRO, gave the notes a AAA rating, judging they had about as much chance of going bust as the American government.

That's a slam dunk. Adding that local councils are unsophisticated investors (and generally can't tell their elbow from their posterior) it is no surprise that they routinely invest in AAA ratings, and only AAA ratings. Hence, they rely on AAA.

Hence, S&P must be held liable for their good word on the meaning of AAA, assuming of course that the Economists' reporting is fair representation of the evidence presented.

Further, as S&P clearly did not do the diligence due to a statement with the gravitas of "as safe as the American government," the question of gross or criminal negligence looms large.

Price Discovery is Hard.

Seen on the net, copied as is, from James A. Donald:

On 2012-11-01 7:18 PM, CodesInChaos wrote:

> 3) You need to figure out an appropriate price. In the simplest case
> the uploaders simply send to the offer with the highest payment
> attached.

That just offloads the problem of price discovery somewhere else in the system.

Price discovery is hard.

Price discovery in micro transactions needs to be substantially automated - at both ends. People will not invest the effort needed for manual price discovery.

Bad, incompetent, or buggy price discovery has killed every previous effort to solve this group of problems.

Price information is probabilistic, thus a price discovery mechanism has to support a full Bayesian model, recursive probabilities estimating the probability that the true probability is p, performing maximum entropy modeling. This is the sort of work that gets very smart engineers hired at astronomical salaries by wall street.

[James A. Donald]

Finally, the media gets it: The cyber-jihad that the NSA bought to hometown America

I have struggled to write this story for a long time, and now Business Insider has written it for us:

In a world where you can watch cyberattacks happen in real-time, it's no wonder that nation-states are doing little to hide the cyber arms race and low-grade cyberwar that's taking place. However, what's surprising is that the country leading the charge — the U.S. — may also be the one with the most to lose.

"There is a world of bytes and a world of atoms, and increasingly the world of bytes is driving the world of atoms," Dr. Jarno Limnell, director of cyber security at Stonesoft, told us. "This is a whole new capability for these state-actors — previously there was no way to touch the U.S."

(fast forward to the crux of the issue)

Capabilities vary. China, which began its Information Warfare (IW) plan in 1995, has been stealing America's business secrets for more than a decade. Russia recently stated that it's "not making a secret of their plans to gain offensive [cyber] technologies."

The U.S. isn't in the best position to invite cyberwar. As RedSeal Chief Technology Officer Dr. Mike Lloyd told us when he described how easy it would be to attack the physical U.S. infrastructure: "People in glass houses shouldn't throw stones. [And] unfortunately, it's not just that—very simple stones can break our glass windows. We have very thin defenses."

OK, I'll spell it out - the USA has the most developed computer base of all countries, and is also the most attractive target. It is also as badly defended as anyone else, and may be the worst. E.g., it is the home of phishing, DDOS, breaching, and BotNet nodes. In particular, the record of breaches and phishing suggest that the USA is the country that was most at risk and had most losses from these attacks. (Question for all - Europe missed out on phishing, Russia got Kaspersky - why did USA get the worst of it?)

So in this environment, what is the Pentagon thinking? Good question. Here's an example of what the Pentagon is thinking:

The big question is whether a cyberattack can trigger a "real world" attack. Last year the Pentagon concluded that cyberattacks would justify a traditional military response. And in August BBC reported on a leaked Israeli memo that spelled out the hybrid use of cyber and military warfare in a proposed assault on Iran.

"This is the most troubling aspect of developing these weapons," said Limnell. "What is the action of the president if an attack happens, does it immediately become kinetic?"

Limnell said the difference between traditional warfare and cyberwarfare is that often cyberwarfare includes, indeed even prioritizes, civilian targets. And like the situation with the nuclear weapons in the 50s and 60s, there are no international rules for how we can use these weapons.

"Cyberwarfare is like Wild West right now, there’s a huge lack of norms and rules," Limnell said. "We will experience some type of major problem before we learn how to use weapons in the cyber domain."

Dumb. We already know that cyber attacks are mostly unattributable - the Chinese have been spying using these techniques for decades and China has not been caught. We now know the Pentagon generals are justifying their position by saying "it's cool, we'll just go kinetic if they dare throw a packet our way."

Dumber. So who do they throw their bombs at? Other than a country, their stuck - they have to go to the world and say "bad Iranians hurt us with packets, now we want to bomb them back into the stone age." That doesn't work, because the world saw the Iraqi debacle and won't play stupid again, but it seems that the Pentagon didn't get the memo. Worse - their casus belli is already known to be outright fraud because the USA has admitted launching StuxNet against the Iranians.

Can it possibly get any dumber?

The U.S. isn't in the best position to invite cyberwar. As RedSeal Chief Technology Officer Dr. Mike Lloyd told us when he described how easy it would be to attack the physical U.S. infrastructure: "People in glass houses shouldn't throw stones. [And] unfortunately, it's not just that—very simple stones can break our glass windows. We have very thin defenses."

Oh yeah -- it gets leveraged dumb. It's because the equation is stacked against the USA. The Pentagon have launched what is probably the dumbest attack of all time. The Stuxnet attack that they might see as an exchange of a pawn, letting their kinetic queen rove free, is actually exposing their entire board. Dumbest of all.

The reason for this is politely called the equity question in NSA circles. When it came to cyber defence, the NSA decided in the early 1990s that it was more important to make the Internet weak and vulnerable to spying, than to let the Internet be able to defend itself. This decision was prosecuted publically through crypto export regulations -- remember the crypto wars -- but also through a host of other interventions into the IETF, corporates, critical infrastructure (to them) and other places. When thinking about why USA banking suffered the brunt of phishing and breach losses, a large part of the big picture goes back to the NSA.

So the biggest dumb mistake of them all is that the Pentagon wants any excuse to go kinetic against the Iranians, but they've not defended their home ground over the last 20 years. The gates to the cyber-kingdom are not only wide open, they're 6 inches high and guarding a line of warning signs.

It's now official - Central Banks are not working to save the economy

Long time readers of this blog will recall that I predict that the era of Central Banking is now over. We are now in the process of watching the Central Banks destroy their legacy from within. Here is more evidence:

A review of evidence into Quantitative Easing (QE) has shown that the Government's hope that it will pull the UK out of recession may be unfounded.

Professor Chris Martin, from the University of Bath's Department of Economics, has looked at the impact of QE not just on financial markets but also the 'real' economy of jobs, inflation and output and concluded that there is no lasting benefit in continuing to pursue the policy.

He concludes that QE has produced a limited but temporary gain for the financial sector, but it has been of no help to the wider business community or individuals and families struggling against inflation and unemployment.

His review has looked at studies of the performance of QE by central banks, including numerous historical studies of small scale QE purchases and studies of the large contemporary QE programmes.

Now, it may be that the Central Banks find themselves convinced of having to prop up the financial sector, in order to save the rest of industry. But this logic doesn't impress for very long because (a) they are only succeeding in undermining the financial sector, rather than making banks more robust for the future, and (b) the populace isn't comfortable with paying the price of this worsening.

Realpolitik will reassert itself. As more time goes on, and more trouble is stored for the future, the potential for massive systemic failure increases. And it is the Central Banks themselves that are driving that systemic risk higher and higher, so they necessarily have to pay the cost when it comes around.

Still, the problem with predicting that the Central Banks are diligently removing themselves from the game is that we do not know what happens next. The end of the century of Central Banking is then a prediction of only small value. The far better question is what arises to re-structure finance in the future?

Food for thought from Chris Cook.

Four Planks to support the next evolution in secure browsing

There are now all the preliminary planks in place for the next step in evolution in the business of browser security.

A federal judge has rejected BancorpSouth's plan to use contractual agreements with customers as a shield against liability claims stemming from an online heist of some $440,000 that was illegally wire-transferred from the account of one of the bank's commercial customers in March 2010.

The first plank was an aggressive environment, this turned up in 2011 (by my reckoning).

The second plank was the decision by participants to avoid liability issues and to document that they had avoided liability issues.

The third plank was recognition by experts (as determined by courts) that online banking was insecure. Although I've pointed at this advice for years ("use another browser") courts don't recognise bloggists as experts. However, e.g., Lynn points in comments to USA federal regulatory advice that a single-purpose dedicated PC be used. That's recognised!

The fourth plank was sufficient clarity on how the courts would deal with the question, by means of actual rulings. This was never in doubt, because the courts always go that way in the long run, but while there were no rulings, people could "reasonably" argue that it was cool.

In his four-page ruling, Magistrate Judge John Maughmer says he based his decision about contractual obligations between banks and commercial customers on his interpretation of the UCC. And he acknowledges the waters are murky. "The court, having read the briefing of the parties, finds this to be a very close call," he says.

Nevertheless, Maughmer finds that the UCC does not provide blanket protections for banking institutions, in spite of indemnity noted in the contract.

"As enacted in Missouri and other jurisdictions, the Funds Transfers Act (UCC 4A) was not intended to preempt or displace all causes of action between a bank and its customers engaging in money transfers," Maughmer writes. "The uniformity and certainty sought by the statute for these transactions could not possibly exist if parties could opt to sue by way of pre-Code remedies where the statute has specifically defined the duties, rights and liabilities of the parties."

Other Cases. Inherent in the magistrate judge's findings is the question "What is reasonable?" regardless of whether that reasonableness comes from the bank or the commercial customer. What's contained within the contract and what is deemed "commercially reasonable" often are at odds, Navetta says.

The point being that the courts will find fault with an unreasonable contract. Those rulings we are now seeing, as quoted. As somewhat less than coincidentally, close analogues will inform the courts as to how to deal with liability in other browsing security issues. E.g., PKI certificates.

Smarter participants have seen the writing on the wall. VeriSign sold their CA to Symantec, correctly IMHO judging that the business was going to face increasing risks, while not generating the synergies across to other areas of its business to take on those risks. This confirms the truism of the industry - Others acquired market share, VeriSign understood the market.

All that remains is a headline high-value target to serve as the channel of forces. All of the trouble in the marketplace for certificates - a.k.a. secure browsing - has so far been against non-monetary uses of certificates. Paradoxically, the saving grace for the business may be that it never really got used for such high commercial value things as to be relied upon.

¡Olé! Privacy Between a pair of star-crossed lovers

Stories about new ideas in social networking are like snails after rain. Here's "Between," a smartphone app that works for couples only:

"So we turned our eyes to unmarried couples who need such a private relationship platform more than any other groups."

Between lets them share photo timelines, send messages and mark anniversaries, birthdays and other dates on each other's calendars.

Connection to the service is completed when both parties enter each other's phone numbers after registering.

However what gets interesting is when the sparks of anger not romance fly:

If a couple breaks up, one of them may disconnect the service and all the data will be deleted.

¡Olé! Stories about the hard problems in privacy are as rare as bullfighting at the RSPCA's annual garden party.

If there is a privacy and security problem that has so bedevilled the worlds thinkers -- even to the extent of most of them not recognising the problem -- it's this: if a couple shares stuff in the purest essence of romantic privacy, what happens when the alliance flips and the lovers-until-death become plaintiffs-to-the-death?

"Between in a way represents a commitment made by couples, so we rarely see teenagers using the service...their relationship usually doesn't last long enough to take full advantage of it," said Park.

That is why VCNC's engineers plan to develop a system which backs up data for up to one month after a breakup, just in case lovers decide to reunite and reopen their accounts.

"Think of it as an adjustment period for couples," said Park, adding users quite often complain when data is wiped under the current system.

"users quite often complain" must be evidence of Korean shyness -- if launched in America, the complaints would take hard filed copy form, at STBX's local court.

Still, notwithstanding that date with reality, my hat's off to this brave effort to deal with the *hard problems* of privacy - ¡Olé!

Banks will take responsibility for online fraud

Several cases in USA are resolving in online theft via bank account hackery. Here's one:

Village View Escrow Inc., which in March 2010 lost nearly $400,000 after its online bank account with Professional Business Bank was taken over by hackers, has reached a settlement with the bank for an undisclosed amount, says Michelle Marsico, Village View's owner and president.

As a result of the settlement, Village View recovered more than the full amount of the funds that had been fraudulently taken from the account, plus interest, the company says in a statement.

And two more:

Two similar cases, PATCO Construction Inc. vs. Ocean Bank and Experi-Metal Inc. vs. Comerica Bank, raised questions about liability and reasonable security, yet each resulted in a different verdict.

In 2010, PATCO sued Ocean Bank for the more than $500,000 it lost in May 2009, after its commercial bank account with Ocean Bank was taken over. PATCO argued that Ocean Bank was not complying with existing FFIEC requirements for multifactor authentication when it relied solely on log-in and password credentials to verify transactions.

Last year, a District Court magistrate found the bank met legal requirements for multifactor authentication and dismissed the suit.

In December 2009, EMI sued Comerica after more than $550,000 in fraudulent wire transfers left EMI's account.

In the EMI ruling, the court found that Comerica should have identified and disallowed the fraudulent transactions, based on EMI's history, which had been limited to transactions with a select group of domestic entities. The court also noted that Comerica's knowledge of phishing attempts aimed at its clients should have caused the bank to be more cautious.

In the ruling, the court required Comerica to reimburse EMI for the more than $560,000 it lost after the bank approved the fraudulent wire transfers.

Here's how it happens. There will be many of these. Many of the victims will sue. Many if the cases will lose.

Those that lose are irrelevant. Those that win will set the scene. Eventually some precedent will be found, either at law or at reputation, that will allow people to trust banks again. Some more commentary.

The reason for the inevitability of this result is simple: society and banks both agree that we don't need banks unless the money is safe.

Online banking isn't safe. It behoves to the banks to make it safe. We're in the phase where the court of law and public opinion are working to get that result.

Trust me, I'm a banker - how do Alice and Bob trade in a trust-failed world?

A friend proposed a problem with international trust - how do Alice and Bob swap currencies where trust in trade has broken down. Both parties want to complete the transaction, but have no support from 'the system'.

Ordinarily the parties could go to their banks and ask for e.g., letters-of-credit, but in this particular case banking services are frozen or drying up or unreliable. How then to do a swap of value when the only thing left is the basic payments system (one assumes that the banks have managed to keep that running...).

Imagine Alice has 1m of A$ to swap with Bob's 1m of B$. The quantities and currencies are uninteresting. What is interesting is that both parties have committed, but one will lose their head if the other does not follow through.

To borrow an idea from cryptographic bit-commit protocols, they could do it in tranches, which is what financial people call bits. It would go like this: Alice sends 10k to Bob. Bob returns with his 10k. And so on, until it is all done, 200 transactions in all.

This would work, but it might be possible to do better. Notice above that Alice is always neutral or at risk, while Bob is always neutral or positive. Also, Bob is learning to trust Alice, but Alice has no such reward.

Overall, we are talking about both risk & trust. On taking a risk, successfully, trust is built. With equal tranches, we have reduced the total risk overall, and increased trust, but we've done it in an asymmetric fashion. We could talk about balancing and benefiting from this.

How about this: Alice goes first, and this puts Bob in the driver's seat, so right now he is taking no risk! So Bob could return the favour. To do that, he could return with 20k. Bob now has matched Alice's contribution, and has now taken on the same risk as Alice had in her first round.

What does Alice return? She is now ahead by 10k. But she has received 20k, so her risk is actually not so bad. If she were to likewise double up, she could send 20k. Alice and Bob have now entered tit-for-tat, each taking on a risk of half their tranche.

Perhaps we could ramp it up more? Consider taking each risk position and rewarding it by ramping it up by a positive multiplier:

1. Alice sends 10k. Bob sends 30k - his risk is now at 20k, greater than Alice's original risk, so she is rewarded for her initial play.
2. Alice now holds 30k for only 10k exposure. So she should send 20k to catch up to Bob, 20k to meet his risk, and another 20k to double the risk, being 60k in total.
3. Bob now holds 70k received and has sent 30k. He should send 40k + 40k +40k = 120k.
4. Alice holds 150k and has sent 70k. She should send 80k * 3 = 240k.
5. Bob holds 310k, has sent 180k. He sends (H - S) * 3 = 390k.
6. Alice now holds H = 540, and has sent S = 310. She sends 690.
7. Bob now holds 1m. He should send 460, which is the lesser of outstanding balance and her straight formula.

From the above, a formula emerges. Each round (except first and last) should transmit (H - S) * R where H is the sender's holdings, S is the receiver's holdings, and R is the risk multiplier.

Risk multipliers are interesting. With R of 1, the initiator is always at risk, the follower is always with zero risk, catching up. But with R of 2, the follower matches her risk, not however extending it, so it quickly moves to balanced, symmetric exposure - tit-for-tat in a positive way. This is perhaps the comfortable compromise.

With R of 3, Bob extends and rewards Alice's initial risk, by taking on new risk that goes well beyond what he need do. This has the advantage of reducing the transactions from o(100) to o(10), and giving the economists an enjoyable chance to show the precise logarithmic reduction that applies.

Some comments on wider issues.

Each exchange could agree on what R or risk parameter they desire. And here we reach some interesting questions in negotiation -- who goes first? Who selects R? Also who selects the initial amount I? Mechanism design might suggest that out of such a negotiation, a fair split in parameters might emerge. E.g., like cut & choose. Or maybe it is a matter for parties to choose.

Also, there is a last round issue. The person who sends the last payment has an incentive to hold. Therefore the formula above might be modified to take account of the ceiling in payments, perhaps reducing the penultimate payments so as to require more trust as it gets closer. Especially for R = 3. It could also be balanced such that Alice as initiator is also the last to send.

This would be the game theory way of looking at it. It is important to recognise that contractual aspects would bring in protection as well. For example, I would be looking to publish any parties who do not complete, perhaps making this compulsory with a 3rd party agency. Also one might refer the thing to binding Arbitration, with rights to full publication and fines, including liens on any future transaction on any other member.... Finally, there should be clauses to include the players and their executioners - names and all - so as to limit the cuts in case the other party begs off.

Of course, the game theory aspects should be as strong as we can make them ... leaving the final exceptions to a short sharp dispute resolution process.

The Convergence of PKI

Last week's post on the jaws of Trust sparked a bit of interest, and Chris asks what I think about Convergence in comments. I listened to this talk by Moxie Marlinspike, and it is entertaining.

The 'new idea' is not difficult. The idea of Convergence is for independent operators (like CAcert or FSFE or FSF) to run servers that cache certificates from sites. Then, when a user browser comes across a new certificate, instead of accepting the fiat declaration from the CA, it gets a "second opinion" from one of these caching sites.

Convergence is best seen as conceptually extending or varying the SSH or TOFU model that has already been tried in browsers through CertPatrol, Trustbar, Petnames and the like.

In the Trust-on-first-use model, we can make a pretty good judgement call that the first time a user comes to a site, she is at low risk. It is only later on when her relationship establishes (think online banking) that her risk rises.

This risk works because likelihood of an event is inversely aligned with the cost of doing that attack. One single MITM might be cost X, two might be X+delta, so as it goes on it gets more costly. In two ways: firstly, in maintaining the MITM over time against Alice costs go up more dramatically than linear additions of a small delta. In this sense, MITMs are like DOSs, they are easier to mount for brief periods. Secondly, because we don't know of Alice's relationship before hand, we have to cast a very broad net, so a lot of MITMs are needed to find the minnow that becomes the whale.

First-use-caching or TOFU works then because it forces the attacker into an uneconomic position - the easy attacks are worthless.

Convergence then extends that model by using someone else's cache, thus further boxing the attacker in. With a fully developed Convergence network in place, we can see that the attacker has to conduct what amounts to being a perfect MITM closer to the site than any caching server (at least at the threat modelling level).

Which in effect means he owns the site at least at the router level, and if that is true, then he's probably already inside and prefers more sophisticated breaches than mucking around with MITMs.

Thus, the very model of a successful mitigation -- this is a great risk for users to accept if only they were given the chance! It's pretty much ideal on paper.

Now move from paper threat modelling to *the business*. We can ask several questions. Is this better than the fiat or authority model of CAs which is in place now? Well, maybe. Assuming a fully developed network, Convergance is probably in the ballpark. A serious attacker can mount several false nodes, something that was seen in peer2peer networks. But a serious attacker can take over a CA, something we saw in 2011.

Another question is, is it cheaper? Yes, definately. It means that the entire middle ground of "white label" HTTPS certs as Mozilla now shows them can use Convergence and get approximately the same protection. No need to muck around with CAs. High end merchants will still go for EV because of the branding effect sold to them by vendors.

A final question is whether it will work in the economics sense - is this going to take off? Well, I wish Moxie luck, and I wish it work, but I have my reservations.

Like so many other developments - and I wish I could take the time to lay out all the tall pioneers who provided the high view for each succeeding innovation - where they fall short is they do not mesh well with the current economic structure of the market.

In particular, one facet of the new market strikes me as overtaking events: the über-CA. In this concept, we re-model the world such that the vendors are the CAs, and the current crop are pushed down (or up) to become sub-CAs. E.g., imagine that Mozilla now creates a root cert and signs individually each root in their root list, and thus turns it into a sub-root list. That's easy enough, although highly offensive to some.

Without thinking of the other ramifications too much, now add Convergance to the über-CA model. If the über-CA has taken on the responsibility, and manages the process end to end, it can also do the Convergence thing in-house. That is, it can maintain its set of servers, do the crawling, do the responding. Indeed, we already know how to do the crawling part, most vendors have had a go at it, just for in-house research.

Why do I think this is relevant? One word - google. If the Convergence idea is good (and I do think it is) then google will have already looked at it, and will have already decided how to do it more efficiently. Google have already taken more steps towards ueber-CA with their decision to rewire the certificate flow. Time for a bad haiku.

Google sites are pinned now / All your 'vokes are b'long to us / Cache your certs too, soon.

And who is the world's expert at rhyming data?

Which all goes to say that Convergence may be a good idea, a great one even, but it is being overtaken by other developments. To put it pithily the market is converging on another direction. 1-2 years ago maybe, yes, as google was still working on the browser at the standards level. Now google are changing the way things are done, and this idea will fall out easily in their development.

(For what it is worth, google are just as likely to make their servers available for other browsers to use anyway, so they could just "run" the Convergance network. Who knows. The google talks to no-one, until it is done, and often not even then.)

PKI and SSL - the jaws of trust snap shut

As we all know, it's a right of passage in the security industry to study the SSL business of certificates, and discover that all's not well in the state of Denmark. But the business of CAs and PKI rolled on regardless, seemingly because no threat ever challenged it. Because there was no risk, the system successfully dealt with the threats it had set itself. Which is itself elegant proof that academic critiques and demonstrations and phishing and so forth are not real attacks and can be ignored entirely...

Until 2011.

Last year, we crossed the Rubicon for the SSL business -- and by extension certificates, secure browsing, CAs and the like -- with a series of real attacks against CAs. Examples include the DigiNotar affair, the Iranian affair (attacks on around 5 CAs), and also the lesser known attack a few months back where certificates may have been forged and may have been used in an APT and may have... a lot of things. Nobody's saying.

Either way, the scene is set. The pattern has emerged, the Rubicon is crossed, it gets worse from here on in. A clear and present danger, perhaps? In California, they'd be singing "let's partly like it's 2003," the year that SB1386 slid past our resistance and set the scene for an industry an industry debacle in 2005.

But for us long term observers, no party. There will now be a steady series of these shocks, and journalists will write of our brave new world - security but no security.

With one big difference. Unlike the SB1386 breach party, where we can rely on companies not going away (even as our data does), the security system of SSL and certificates is somewhat optional. Companies can and do expose their data in different ways. We can and do invent new systems to secure or mitigate the damage. So while SB1386 didn't threaten the industry so much as briskly kicked it around, this is different.

At an attacks level, we've crossed a line, but at a wider systems level, we stand on the line.

And that line is a cliff.

Which brings us to this week's news. A CA called Trustwave has just admitted to selling a sub-root for the explicit purpose of MITM'ing. Read about that elsewhere.

Now, we've known that MITMing for fun and profit was going on for a long time. Mozilla's community first learnt of it in the mid 2000s as it was finalising its policy on CAs (a ground-breaking work that I was happy to be involved with). At that time, accusations were circulating against unknown companies listing their roots for the explicit purpose of doing MITMs on unwitting victims. Which raised the hairs, eyebrows and heckles on not a few of us. These accusations have been repeated from time to time, but in each case the "insiders" begged off on the excuse: we cannot break NDA or reputation.

Each time then the industry players were likewise able to fob it off. Hard Evidence? none. Therefore, it doesn't exist, was they industry's response. We knew as individuals, yet as an industry we knew not.

We are all agreed it does exist and it doesn't. We all have jobs to preserve, and will practice cognitive dissonance to the very end.

Of course this situation couldn't last, because a secret of this magnitude never survives. In this case, the company that sold the MITM sub-root, Trustwave, has looked at 2011, and realised the profit from that one CA isn't worth the risk of the DigiNotar experience (bankruptcy). Their decision is to 'fess up now, take it on the chin, because later may be too late.

Which leads to a dilemma, and we the players have divided on each side, one after the other, of that dilemma:

To drop the Trustwave root, or not?

That is the question. First the case for the defence: On the one hand, we applaud the honesty of a CA coming forward and cleaning up house. It's pretty clear that we need our CAs to do this. Otherwise we're not going to get anywhere with this Trust thing. We need to encourage the CAs to work within the system.

Further, if we damage a CA, we damage customers. The cost to lost business is traumatic, and the list of US government agencies that depend on this CA has suddenly become impressive. Just like DigiNotar, it seems, which spread like a wave of mistrust through the government IT departments of the Netherlands. Also, we have to keep an eye on (say) a bigger more public facing CA going down in the aftermath - and the damage to all its customers. And the next, etc.

Is lost business more important than simple faith in those silly certificates? I think lost business is much more important - revenue, jobs, money flowing keeping all of the different parts of the economy going are our most important asset. Ask any politician in USA or Europe or China; this is their number one problem!

Finally, it is pretty clear and accepted that the business purpose to which the sub-Root was put was known and tolerated. Although it is uncomfortable to spy on ones employees, it is just business. Organisations own their data systems, have the responsibility to police them, and have advised their people that this is what they are going to do. SSL included, if necessary.

This view has it that Trustwave has done the right thing. Therefore, pass. And, the more positive proponents suggest an amnesty, after which period there is summary execution for the sins - root removal from the list distributed by the browsers. It's important to not cause disruption.

Now the case for the Prosecution! On the other hand, damn spot: the CA clearly broke their promise. Out!

Three ways, did they breach the trust: It is expressed in the Mozilla policy and presumably of others that certificates are only issued to people who own/control their domains. This is no light or optional thing -- we rely on the policy because CAs and Mozilla and other vendors and auditors and all routinely practice secrecy in this business.

We *must rely on the policy* because they deny us the right to rely on anything else!

Secondly, it is what the public believe in, it is the expectations of any purchaser or user of the product, written or not. It is a simple message, and brooks no complicated exceptions. Either your connection is secure to your online bank, and nobody else can see it *including your employer or IT department*. Or not.

Try explaining this exception to your grandmother, if the words do not work for you.

Finally, the raison d'être: it is the purpose and even the entire goal of the certificate design to do exactly the opposite. The reason we have CAs like TrustWave is to stop the MITM. If they don't stop the MITM, then *we don't need the heavyweight certificate system*, we don't need CAs, and we don't need Mozilla's root list or that of any other vendor.

We can do security much more cost-effectively if we drop the 100% always-on absolutist MITM protection.

Given this breach of trust, what else can we trust in? Can we trust their promises that the purpose was maintained? That the cert never left the building? That secret traffic wasn't vectored in? That HSMs are worth something and audits ensure all is well in Denmark?

This rather being a problem with trust. Lie once, lose it.

There being two views presented, it has to be said that both views are valid. The players are lining up on either side of the line, but they probably aren't so well aware of where this is going.

Only one view is going to win out. Only one side wins this fight.

And in so-doing, in winning, the winner sews the seeds for own destruction.

Because if you religiously take your worldview, and look at the counter-argument to your preferred position, your thesis crumbles for the fallacies.

The jaws of trust just snapped shut on the players who played too long, too hard, too profitably.

Like the financial system. We are no longer worried about the bankruptcy of one or two banks or a few defaults by some fly specks on the map of European. We are now looking at a change that will ripple out and remove what vestiges of purpose and faith were left in PKI. We are now looking at all the other areas of the business that will be effected; ones that brought into the promise even though they knew they shouldn't have.

Like the financial system, a place of uncanny similarity, each new shock makes us wonder and question. Wasn't all this supposed to be solved? Where are the experts? Where is the trust?

We're about to find out the timeless meaning of Caveat Emptor.

the emerging market for corporate issuance of money

As an aside to the old currency market currently collapsing, in the now universally known movie GFC-2 rolling on your screens right now, some people have commented that perhaps online currencies and LETS and so forth will fill the gap. Unlikely, they won't fill the gap, but they will surge in popularity. From a business perspective, it is then some fun to keep an eye on them. An article on Facebook credits by George Anders, which is probably the one to watch:

Facebook’s 27-year-old founder, Mark Zuckerberg, isn’t usually mentioned in the same breath as Ben Bernanke, the 58-year-old head of the Federal Reserve. But Facebook’s early adventures in the money-creating business are going well enough that the central-bank comparison gets tempting.

Let's be very clear here: the mainstream media and most commentators will have very little clue what this is about. So they will search for easy analogues such as a comparison with national units, leading to specious comparisons of Zuckerberg to Bernanke. Hopeless and complete utter nonsense, but it makes for easy copy and nobody will call them on it.

Edward Castronova, a telecommunications professor at Indiana University, is fascinated by the rise of what he calls “wildcat currencies,” such as Facebook Credits. He has been studying the economics of online games and virtual worlds for the better part of a decade. Right now, he calculates, the Facebook Credits ecosystem can’t be any bigger than Barbados’s economy and might be significantly smaller. If the definition of digital goods keeps widening, though, he says, “this could be the start of something big.”

This is a little less naive and also slightly subtle. Let me re-write it:

If you believe that Facebook will continue to dominate and hold its market size, and if you believe that they will be able to successfully walk the minefield of self-issued currencies, then the result will be important. In approximate terms, think about PayPal-scaled importance, order of magnitude.

Note the assumptions there. Facebook have a shot at the title, because they have massive size and uncontested control of their userbase. (Google, Apple, Microsoft could all do the same thing, and in a sense, they already are...)

The more important assumption is how well they avoid the minefield of self-issued currencies. The problem here is that there are no books on it, no written lore, no academic seat of learning, nothing but the school of hard-knocks. To their credit, Facebook have already learnt quite a bit from the errors of their immediate predecessors. Which is no mean feat, as historically, self-issuers learn very little from their forebears, which is a good predictor of things to come.

Of the currency issuers that spring up, 99% are destined to walk on a mine. Worse, they can see the mine in front of them, they successfully aim for it, and walk right onto it with aplomb. No help needed at all. And, with 15 years of observation, I can say that this is quite consistent.

Why? I think it is because there is a core dichotomy at work here. In order to be a self-issuer you have to be independent enough to not need advice from anyone, which will be familiar to business observers as the entrepreneur-type. Others will call it arrogant, pig-headed, too darned confident for his own good... but I prefer to call it entrepreneurial spirit.

*But* the issuance of money is something that is typically beyond most people's ken at an academic or knowledge level. Usage of money is something that we all know, and all learnt at age 5 or so. We can all put a predictions in at this level, and some players can make good judgements (such as Peter Vodel's Predictions for Facebook Credits in 2012).

Issuance of money however is a completely different thing to usage. It is seriously difficult to research and learn; by way of benchmark, I wrote in 2000 you need to be quite adept at 7 different disciplines to do online money (what we then called Financial Cryptography). That number was reached after as many years of research on issuance, and nearly that number working in the field full time.

And, I still got criticised by disciplines that I didn't include.

Perhaps fairly...

You can see where I'm heading. The central dichotomy of money issuance then is that the self-issuer must be both capable of ignoring advice, and putting together an overwhelming body of knowledge at the same time; which is a disastrous clash as entrepreneurs are hopeless at blindspots, unknowns, and prior art.

There is no easy answer to this clash of intellectual challenges. Most people will for example assume that institutions are the way to handle any problem, but that answer is just another minefield:

If Facebook at some point is willing to reduce its cut of each Credits transaction, this new form of online liquidity may catch the eye of many more merchants and customers. As Castronova observes: “there’s a dynamic here that the Federal Reserve ought to look at.”

Now, we know that Castronovo said that for media interest only, but it is important to understand what really happens with the Central Banks. Part of the answer here is that they already do observe the emerging money market :) They just won't talk to the media or anyone else about it.

Another part of the answer is that CBs do not know how to issue money either; another dichotomy easily explained by the fact that most CBs manage a money that was created a long time ago, and the story has changed in the telling.

So, we come to the the really difficult question: what to do about it? CBs don't know, so they will definately keep the stony face up because their natural reaction to any question is silence.

But wait! you should be saying. What about the Euro?

Well, it is true that the Europeans did indeed successfully manage to re-invent the art and issue a new currency. But, did they really know what they were doing? I would put it to you that the Euro is the exception that proves the rule. They may have issued a currency very well, but they failed spectacularly in integrating that currency into the economy.

Which brings us full circle back to the movie now showing on media tonight and every night: GFC-2.

Why we got GFC-2

And so it came to pass that, after my aggressive little note on GFC-1's causes found in securitization (I, II, III, IV), I am asked to describe the current, all new with extra whitening Global Financial Crisis - the Remix, or GFC-2 to those who love acronyms and the pleasing rhyme of sequels.

Or, the 2nd Great Depression, depending on how it pans out. Others have done it better than I, but here is my summary.

Part 1. In 2000, European countries joined together in the EMU or European Monetary Union. A side-benefit of this was the Bundesbank's legendary and robust control of inflation and stiff conservative attitude to matters monetary. Which meant other countries more or less got to borrow at Bundesbank's rates, plus a few BPs (that's basis points, or hundredths of percentage points for you and I).

Imagine that?! Italy, who had been perpetually broke under the old Lira, could now borrow at not 6 or 7% but something like 3%. Of course, she packed her credit card and went to town, as 3% on the CC meant she could buy twice as much stuff, for the same regular monthly payments. So did Ireland, Portugal, Greece and Spain. Everyone in the EMU, really.

The problem was, they still had to pay it back. Half the interest with the same serviceable monthly credit card bill means you can borrow twice as much. Leverage! It also means that if the rates move against you, you're in it twice as deep.

And the rates, they did surely move. For this we can blame GFC-1 which put the heebie-jeebies into the market and caused them to re-evaluate the situation. And, lo and behold, the European Monetary Union was revealed as no more than a party trick because Greece was still Greece, banks were still banks, debt was still debt, and the implicit backing from the Bundesbank was ... not actually there! Or the ECB, which by charter isn't allowed to lend to governments nor back up their foolish use of the credit card.

Bang! Rates moves up to the old 6 or 7%, and Greece was bankrupt.

Now we get to Part 2. It would have been fine if it had stopped there, because Greece could just default. But the debt was held by (owed to) ... the banks. Greece bankrupt ==> banks bankrupt. Not just or not even the Greek ones but all of them: as financing governments is world-wide business, and the balance sheets of the banks post-GFC-1 and in a non-rising market are anything but 'balanced.' Consider this as Part 0.

Now stir in a few more languages, a little contagion, and we're talking *everyone*. To a good degree of approximation, if Greece defaults, USA's banking system goes nose deep in it too.

So we move from the countries, now the least of our problems because they can simply default ... to the banks. Or, more holistically, the entire banking system. Is bankrupt.

In its current today form, there is the knowledge that the banks cannot deal with the least hiccup. Every bank knows this, knows that if another bank defaults on a big loan, they're in trouble. So every bank pulls its punches, liquidity dries up, and credit stops flowing ... to businesses, and the economy hits a brick wall. Internationally.

In other words, the problem isn't that countries are bankrupt, it is that they are not allowed to go bankrupt (clues 1, 2).

We saw something similar in the Asian Financial Crisis, where countries were forced to accept IMF loans ... which paid out the banks. Once the banks had got their loans paid off, they walked, and the countries failed (because of course they couldn't pay back the loans). Problem solved.

This time however there is no IMF, no external saviour for the banking system, because we are it, and we are already bankrupt.

Well, there. This is as short as I can get the essentials. We need scholars like Kevin Dowd or John Maynard Keynes, those whos writing is so clear and precise as to be intellectual wonders in their own lifetimes. And, they will emerge in time to better lay down the story - the next 20 years are going to be a new halcyon age of economics. So much to study, so much new raw data. Pity they'll all be starving.

Causes of GFC-1 - the death of the partner

In a short cycle on banking(I, II, III, IV), I point the crooked finger of blame for the first great financial crisis at securitization, as the contractual and markets innovation that gave the USA property bubble the legs to consume society. Now, it seems that I'm just one guy, and everyone has their favourite theory, leading to a fairly long list of hopeful causes. By way of example, Roger Garrison crooks the Austrian finger unwaveringly at central banking:

As my colleague Leland Yeager puts it, "Each cyclical episode is a unique historical event." True enough, but my attention to the central bank as turbocharger helps to keep separate the particulars and the commonalities of the different cyclical episodes.

True enough, although I think it will take a decade or two before the economists sort through the contenders and come to consensus. Garrison wrote the above in a review of a new book from Kevin Dowd and Martin Hutchinson, Alchemists of Loss: How Modern Finance and Government Regulation Crashed the Financial System, which claims to be a comprehensive treatment of the many causes. Here's one that was new to me:

As Dowd and Hutchinson make clear, the redistribution of wealth and income away from business and industrial families meant the demise of the "old partnerships" and the rise of "managerial capitalism." It meant the separation of ownership and control. In an earlier time and without the limited liability that virtually defines the modern corporation, the owners of large-scale industrial and business concerns had plenty of "skin in the game." They had a strong incentive to watch the bottom line, all things considered, and they were in it for the long run. Individual businesses, both large and small, could rise and fall with changing circumstances, but for the economy as a whole the underlying concern for preserving capital value over the long run translated into a degree of macroeconomic stability. Precisely this critical source of stability has been continuously eroded over the years by the federal tax code and regulatory schemes.

So with the atrophy of the partnership form of business enterprises, the incentives to maintain long-run profitability have been continuously weakened. It follows, almost as a corollary, that the window for exploiting short-run profit opportunities at the expense of long-run viability has been continuously widened. Managerial capitalism has given rise to a whole class of traders in securities markets and especially in derivatives markets who get in and out of markets in pursuit of short-run gains. The opportunity for these cumulative short-run gains would not have been available (or would have been available on a much smaller scale) had it not been for the absence of "old partnerships" whose vigilance and long-run perspective would have provided an effective counterbalance.

This aspect of Dowd and Hutchinson's storyline rings true. ...

My Audit cycle (I, II, III, IV, V, VI, VII) hints at the very same effect, as the entire Audit industry moved from meticulous to loss-leader in the same 2 decades that mirrored the death of the partnership model. Further, as Professor Dowd's long and prolific career in Free Banking will testify, the disappearance of robust long-term retail banking and the rise of central banking is inherently tied up with the end of partnership banking (c.f., White's Free Banking in Britain).

Why did we as society replace the owner-manager with the salaried managerial trader?

Dowd and Hutchinson date the origins of modern finance to a theorem that Franco Modigliani and Merton Miller introduced in 1958, demonstrating the underlying equivalence of debt financing and equity financing, and to Harry Markowitz's ground-breaking work (a 1952 University of Chicago Ph.D. dissertation) that formalized the relationship between risk and rate of return. Modern financial theory became operational during the 1960s in the form of the Capital Asset Pricing Model (CAPM) and allowed for significant leveraging in the 1970s after Fischer Black and Myron Scholes extended the approach to the pricing of options. Still later developments in information technology and the strategic placement of computer hardware gave rise to flash trading, putting CAPM-based trading strategies on steroids.

Outside the context of booms and busts, modern financial theory can be the basis for an overall gain to society. Apart from flash trading, which appears to have no socially redeeming features, trading on the basis of a comprehensive assessment of alternative investment portfolios allows the risks that are inherent in a market economy to be borne by those who are most willing to bear them. A risk/rate-of-return assessment more generally can help tailor an investment portfolio to an individual's risk preferences. The problem, as Dowd and Hutchinson point out, is that the risks that the CAPM takes into account do not include systemic risks. The risk metric that was widely adopted in the 1990s, called "Value-at-Risk" (VaR), quantifies the riskiness of a particular portfolio - on the assumption that the market as a whole is stable. With this metric, you may assure yourself, for example, that you have a 95 percent chance that this portfolio will suffer no greater one-day loss than the calculated VaR (Dowd and Hutchinson 2010, 113). But what if the market as a whole is not stable? And what if the use of the CAPM, the reliance on the VaR, and the proliferation of derivatives serve to leverage both short-run profits and the market's instability?

Boom! Cycle back into the volatility & ignorance theory of financial markets, and we seem to be taking our first steps towards understanding where we are today. To summarise, the elimination of the partnership allowed short-termism to dominate in the modern bonus-fuelled trading enterprises, and it was precisely this worldview that supported the rise of VaRism. Or, systemic risk ain't my problem, boss, now about that bonus...

That's a hell of a contribution. Still, it's early days yet, and to be fair, reviewer Garrison reminds us:

The dot-com crisis of the 1990s occurred because a credit expansion took place during a time when technological innovations associated with the digital revolutions created a strong demand for investment funds in that sector. The housing crisis in 2008 occurred because a credit expansion took place during a time when the federal government was pushing hard for increased home ownership for low-income families. We understandably identify these different cyclical episodes (the dot-com crisis, the housing crisis) with "what was going on at the time." The common denominator, however, is the Fed's propensity to expand credit.

At this point, we might ask, "Will the real Alchemist please stand up?"

Which brings us full circle: Systemic Risk is the central bank's problem! So where were the central banks when the partners were selling out of the investment banks and the VaRists were running rampant on bonus steroids? They were pumping up the machine in mini-crisis after mini-crisis, so setting the stage for the mother of all systemic collapses.

From an academic point of view, this is a lot of fun! Aside from the fact that we're so deep in it we can only poke our nose above the smelly brown stuff, I would suggest the next 20 years will be a grand time to be an economist.

Why (my, all) financial systems fail -- information complexity

I spent over a decade building the snappiest financial system around. In that time I pursued one goal of efficiency: reduction of complexity. This wasn't only goodness in an angelic sense, it was a pragmatic goal to reduce my own costs in building systems.

The result was pretty spectacular: we were settling trades in seconds and doing so with every leg firmly fastened to the ground. That is, the whole thing was running with direct concrete ties to assets.

But, the big players weren't interested. Indeed they were more than uninterested, they were highly interested in making sure this would never ever happen. Time after time, the message was delivered: Never. Other companies received the same message, so after a few years, I started to take it seriously.

At the time I hypothesised that the reason for this was insider fraud, or at least profits capture. The complexities were endemic and there were very few people who could see the whole picture. So, I theorised that those who could understand the complexities were cashing in on their advantage; from the inside. And some very few who cashed in were also driving the information agenda, as their success made them both wealthy and influential:

more complexity!

Of course such a hypothesis is unlikely to find proof. By its very nature, how do you prove such a tendency towards chaos? Here comes an alternate perspective from ZeroHedge, citing two papers (1, 2):

And the punchline: "Liquidity requires symmetric information, which is easiest to achieve when everyone is ignorant. This determines the design of many securities, including the design of debt and securitization." Reread the last statement as it explains perhaps better than anything, the true functioning of modern capital markets and why they are terminally broken: in order to preserve the system, the banking cartel need to make everything of virtually infinite complexity so that no one has a clear understanding of what is going on!

Consider the perfect market hypothesis: the market already has all the information priced in, so you yourself cannot beat the market. Or, more politely, you get to earn the market rate of return, so you may as well invest in a unit fund that covers the entire market.

Although this hypothesis is proven, and proved time and time again (look at the averaged hedge fund returns against stock market returns over time), it is also clear that, at the limit, the hypothesis is impossible: if the market already knows, no new information will come to the market. In which case it gums up. (Leaving aside temporal arguments for now.)

So, the market also defends itself by creating reasons to bring in new information. ZeroHedge highlights Gorton & Metrick's punchline:

"Liquidity requires symmetric information, which is easiest to achieve when everyone is ignorant. This determines the design of many securities, including the design of debt and securitization."

The market promotes impenetrable securities, which promotes Ignorance, which generates symmetric information, and hence liquidity. QED.

Well, we're all on the same page. Banks support e.g., OTC or over-the-counter market, and will kill to preserve it, because it creates symmetric information. a.k.a ignorance, leading to profits. Meanwhile, I invented the Ricardian Contract which created an excessively visible and tangible chain of contract. These two concepts are at war, opposite poles of complexity versus transparency.

Which is where sites like Zero Hedge step in - to expose "shadowy" places where things are best left unseen.

Yeah. That's what I thought, too. As we watch the complexity-driven system implode it would be easy to assume that now is the time for transparency to rise from the ashes of Europe, thus to be renamed Phoenix.

But, such a thought would be facile and naive in the extreme. A forlorn hope. The implosion of the world financial system doesn't make people any wiser, just poorer. Since when has the world responded to a crisis by getting smart?

What Zero Hedge is really discovering is that rewards are there if you participate in being aware of the complexity. It is a proof of the hypothesis: wisdom emerges in understanding where the masses, the herd, have it wrong. It is not in itself an absolute, nor a way to save them. For anything good to arise, something else is needed.

Mexico sends the war into Texas, but it's too late to call out the National Guard

Over the Atlantic, where the Americans struggle with their own financial crisis, we have a real case of money laundering:

LAREDO — The high walls of Alexander Estates, an affluent development nestled near this border city’s country club and golf course, were supposed to keep the narcotics world at bay. But when federal agents raided the stately home of a downtown perfume salesman in January, it reinforced a notion that is feared by Texas leaders: the drug war spillover from Mexico is much broader than shootouts and kidnappings — it is cloaked in the seemingly routine business transactions of the border economy.

In this case, the alleged crime was the back-wash of dollars from drugs sales, laundered through a perfume dealer.

The Black Market Peso Exchange has been on the federal government’s radar for years. The system was perfected by Colombian drug lords and later adopted by Mexican drug cartels: When drugs are sold in the United States, the proceeds, in American dollars, are smuggled back into Mexico or Colombia, where they are exchanged for pesos at a discounted rate.

The peso-exchange businesses then use the dollars to buy products in the United States — in Mr. Datta’s case, millions of dollars worth of perfume — and have them shipped to purchasers in Mexico or Colombia.

Yeah. Of course, they have the money to corrupt any business (see Lynn's comments about drugs money and CDOs) and now that times are tight, they can find plenty of incentive.

I've previously written of the process of mexicanization. It begins with an aggressive prosecution by police of drug business; then the value of the illicit business rises, creating profits for the "businessmen" which leads them to fight the authorities. Pretty soon they realise the best way is to corrupt them.

This starts with the police. But pretty quickly spreads. In Mexico, bringing in the soldiers to police the police was a monumental step, and a mistake. Now the Mexican Army is criminalised. With the loss of the judiciary, civil society moves to collapse.

Think it can't happen here? Think again:

The FBI has released a new gang assessment announcing that there are 1.4 million gang members in the US, a 40 percent increase since 2009, and that many of these members are getting inside the military (via Stars and Stripes).

The report says the military has seen members from 53 gangs and 100 regions in the U.S. enlist in every branch of the armed forces. Members of every major street gang, some prison gangs, and outlaw motorcycle gangs (OMGs) have been reported on both U.S. and international military installations. ...

The report notes that while gang members have been reported in every branch of service, they are concentrated in the U.S. Army, Army Reserves, and the Army National Guard.

Many street gang members join the military to escape the gang lifestyle or as an alternative to incarceration, but often revert back to their gang associations once they encounter other gang members in the military. Other gangs target the U.S. military and defense systems to expand their territory, facilitate criminal activity such as weapons and drug trafficking, or to receive weapons and combat training that they may transfer back to their gang. Incidents of weapons theft and trafficking may have a negative impact on public safety or pose a threat to law enforcement officials.

Make no mistake: the mexicanization of the USA is happening, and will keep happening. What's it about?

US-based gangs have established strong working relationships with Central American and MDTOs to perpetrate illicit cross-border activity, as well as with some organized crime groups in some regions of the United States. US-based gangs and MDTOs are establishing wide-reaching drug networks; assisting in the smuggling of drugs, weapons, and illegal immigrants along the Southwest Border; and serving as enforcers for MDTO interests on the US side of the border.

One word: Drugs. One acronym: MDTO stands for Mexican Drugs Trafficking Organization.

Violence in Mexico—particularly in its northern border states—has escalated with over 34,000 murders committed in Mexico over the past four years.

One policy: the war on drugs. For brutal comparison with real wars, USA lost 53,402 combat deaths in WWI and 47,424 in Vietnam.

The USA no longer has an option of exporting its miserable war on people south of the border. They're sending it back.

Confidence in banking: the €500 supernote, or, we're all money launderers now

Chart of the day comes from the Economist:

Another sign of strain may be found in demand for €500 bills. These are too large for everyday transactions and are mainly used for mattress-stuffing or money laundering, say bankers. Demand for them surged after the collapse of Lehman Brothers in 2008, and it has ticked up again in recent months (see chart 2).

I don't know about you, but use of these unfortunate and economically nonsensical terms by bankers against their customers has always troubled me. Now however, I sense more than a slight cognitive dissonance with the suggestion that money launderers or mattress stuffers are surging.

During the Lehman Brothers Affair, the people lost a huge amount, possibly $150 billion.

The shockwave triggered all sorts of issues; one observer put it that, due to the response of banks like RBS to the crisis, the British ATM network was only hours from being shut down. And, that could have led within a day or to an outbreak of 'shopping with violence'.

In this sense, the people are not so much stuffing mattresses or money laundering, as unstuffing the bank's mattress or getting the money out before the financial system launders it down the tubes. The Lehmans uptick looks to be about 15bn, which looks pretty tame compared to the losses. Or if you take the financial community in Europe who potentially knew 1st hand about the meltdown, and divide by the size of the Lehman Brothers uptick, it's only a handful of supernotes for each aware banker...

To spell out what the Economist didn't put in words: we're looking at a run on the banks.

Even if we take it broader, by eyeball, the period of that chart shows an increase of 40% in demand for the supernote, from say 210 billion euros in 2007 to 295 now. Crudely put, we could imagine the initial starting value as a normal and stable state, and attribute any increase to a shift by the people into safer money stores.

40% is a pretty significant vote against the banks of Europe. Demand for the supernote might just be an inverse signal of confidence in banking.

In this sense, the euphemisms such as 'mattress stuffers' and 'money launderers/ backfire: although bankers in the past were keen to apply these terms to their cash-using customers, it now appears that the shoe is on the other foot. The bankers need to explain to the people in which mattress is the missing trillion euros, or whatever the final bill for Europe's financial meltdown ends up being.

Saving the euro requires more pain for some, more generosity from others and fundamental change for all. Is it worth it? Sooner or later, citizens must be asked. Without their support, no reform can last. And a real choice must include the option of leaving the euro. Now that this taboo has been breached, the euro zone should start thinking about how best to arrange the departure of those that cannot, or will not, live by Germanic rules.

Else, if this explanation isn't provided, and the money found, demand for supernotes is likely to increase as confidence in the banking system suffers from more 'strain', to use another euphemism. Or, in other words, we're all money launderers now, and the only question left is who runs fastest to who's fat mattress, the bankers or the people?

Either way, one to watch!

_Currency Wars_

If you want some view on the future, James Turk reviews a new book: Currency Wars, by Jim Rickards:

.... the first part being almost surreal because it reads more like a novel than non-fiction. It details Rickards’ participation in an exercise at the Warfare Analysis Laboratory near Washington D.C. This group is one of the Defense Department’s leading venues for war games and strategic planning, but in a first-ever event, the game in which Rickards joined was not a war-fighting simulation. Rather, several dozen people from the military, academic and intelligence communities fought a global financial war using currencies and capital markets to support national interests. Rickards and two colleagues were invited to give the simulation some real-world, Wall Street expertise about markets, which they certainly did.

I guarantee that when you start reading this part, you won’t put the book down until you learn the outcome of the war. It reads better than a suspense novel, even though the ending is somewhat anti-climactic and predictable. While I won’t spoil it for you by divulging the ending, I will note that gold has a big role to play. In fact, gold reappears throughout the whole book.

In the second section, Rickards analyzes the first two currency wars (CWI and CWII). ...

From the "you read it here first" department:

The final section of the book explains why the world is now fighting Currency War III, which Rickards believes began in 2010. He speculates that there are three possible outcomes from CWIII – paper, gold or chaos. Each of these alternatives is analyzed in detail, providing readers with much food for thought.

Actually, the scenes of this war go back to the issuance of the Euro as a credible alternative, and play their part in the great Financial Crisis of the 21st century. For confirmation of the thesis, Goldmoney's blog also pointed at The Real Contagion Risk which makes the same point: watch for the Central Banks to shift out of US Treasuries:

Step 1: As the global growth story frays, global trade decelerates, and the sovereign and total debt burdens of various countries drag at economic growth, fewer and fewer dollars will be accumulated and stored by various foreign central banks. The typical way dollars are stored is in the form of Treasury holdings. Because of this, several years of record-breaking Treasury accumulation by these foreign banks will grind to a halt and foreign Treasury holdings will begin to decline.

So what's our prediction? Well, it'll be a long slow decline from the dollar as reserve currency. The Euro looked good for a decade, but that's off it's shine now. Expect Central Banks to get back into the currency trading game -- and keep reserves of their bigger partners. And, the next shot in the war will be related to energy -- which is typically priced in dollars.

Gold? Well, everyone expects that to come up. James Turk says:

The harmful effects from abandoning gold still impair economic activity today because the necessary discipline has been removed from the monetary system, creating the global imbalances, debt loads, insolvent banks, risky derivatives and other problems that plague our world. So as economic activity sinks ever deeper into an abyss, think about the cause.

Yeah, and we used to say that governments should go back to the gold standard because we don't trust them with their own units.

Very proven true, no doubt, these days, but there has been a bit of a shift in thinking of late. For me, it was signalled by Alan Greenspan as far back as 1995 (?) when he said "nobody's listening any more." (In response to being asked why he didn't talk about gold anymore.) Fact is, governments will issue their own currencies, whether we trust them or not:

Namely, governments have created this mess, so we cannot rationally expect governments to get us out of it, which is something I have intuitively understood for some time but was also the main conclusion I reached from Rickards’ book.

And, the clanger is this: We don't trust governments, period. We don't trust them to issue their own inflation-protected currency, and we don't trust them to issue a gold-based unit either.

So, gold goes free. Economists are no longer advising governments to base off gold, because we know it won't work. Gold therefore will remain the independent watchdog it has since the closing of the gold window by Nixon; a three-way tussle between central bankers, gold banks and the buying public.

The future is a world of competitive currencies, USD, Euros, Yen, the Chinese unit ... and gold. With a very slow long decline of the power of the USD.

Disclosure: Author is long gold, and short fingernails.

Phishing doesn't really happen? It's too small to measure?

Two Microsoft researchers have published a paper pouring scorn on claims cyber crime causes massive losses in America. They say it’s just too rare for anyone to be able to calculate such a figure.

Dinei Florencio and Cormac Herley argue that samples used in the alarming research we get to hear about tend to contain a few victims who say they lost a lot of money. The researchers then extrapolate that to the rest of the population, which gives a big total loss estimate – in one case of a trillion dollars per year.

But if these victims are unrepresentative of the population, or exaggerate their losses, they can really skew the results. Florencio and Herley point out that one person or company claiming a $50,000 loss in a sample of 1,000 would, when extrapolated, produce a $10 billion loss for America as a whole. So if that loss is not representative of the pattern across the whole country, your total could be $10 billion too high.

Having read the paper, the above is about right. And sufficient description, as the paper goes on for pages and pages making the same point.

Now, I've also been skeptical of the phishing surveys. So, for a long time, I've just stuck to the number of "about a billion a year." And waited for someone to challenge me on it :) Most of the surveys seemed to head in that direction, and what we would hope for would be more useful numbers.

So far, Florencio and Herley aren't providing those numbers. The closest I've seen is the FBI-sponsored report that derives from reported fraud rather than surveys. Which seems to plumb in the direction of 10 billion a year for all identity-related consumer frauds, and a sort handwavy claim that there is a ration of 10:1 between all fraud and Internet related fraud.

I wouldn't be surprised if the number was really 100 million. But that's still a big number. It's still bigger than income of Mozilla, which is the 2nd browser by numbers. It's still bigger than the budget of the Anti-phishing Working Group, an industry-sponsored private thinktank. And CABForum, another industry-only group.

So who benefits from inflated figures? The media, because of the scare stories, and the public and private security organisations and businesses who provide cyber security. The above parliamentary report indicated that in 2009 Australian businesses spent between $1.37 and $1.95 billion in computer security measures. So on the report’s figures, cyber crime produces far more income for those fighting it than those committing it.

Good question from the SMH. The answer is that it isn't in any player's interest to provide better figures. If so (and we can see support from the Silver Bullets structure) what is Florencio and Herley's intent in popping the balloon? They may be academically correct in trying to deflate the security market's obsession with measurable numbers, but without some harder numbers of their own, one wonders what's the point?

What is the real number? Florencio and Herley leave us dangling at that point. Are they are setting up to provide those figures one day? Without that forthcoming, I fear the paper is destined to be just more media fodder as shown in its salacious title. Iow, pointless.

Hopefully numbers are coming. In an industry steeped in Numerology and Silver Bullets, facts and hard numbers are important. Until then, your rough number is as good as mine -- a billion.

Liability & disclosure - the end of an era is in sight?

Liability is increasing slowly for cyber-exposed companies. We're in an exploratory court phase as litigants try different things. For a while, we'll see these filings in USA courts, which won't get far ... but then one will find the formula, and a company will be hit by a huge judgement.

"The US Department of Defense has been hit with a $4.9 billion (£3.1 billion) lawsuit over a recently disclosed data breach involving TRICARE , a healthcare system for active and retired military personnel and their families."

Meanwhile, pressure for breach disclosure increases. Now the SEC is in on the act:

"The SEC guidance clarifies a long-standing requirement that companies report 'material' developments, or matters significant enough that an investor would want to know about them. The guidance spells out that cyberattacks are no exception.

For example, the SEC says, a company probably will need to report on costs and consequences of material intrusions in which customer data are compromised. The company's revenue could suffer, and it could be forced to spend money to beef up security or fight lawsuits. In addition, if a company is vulnerable to cyberattack, investors may need to be informed of the risk, the SEC said."

This is also a first step that has increasing and more costly ramifications. May as well get used to it: disclosure will be part of the future. Liabilities are coming.

Perhaps the great age of software freedom is coming to an end, in more ways than one?

Global Jobbing

Blast from the past. The Economist talks about the great economic problem of our time. No, not global warming but global jobbing.

To understand why these changes are so exciting for some people and so scary for others, a good place to start is the oConomy section on the website of oDesk, one of several booming online marketplaces for freelance workers. In July some 250,000 firms paid some 1.3m registered contractors who ply their trade there for over 1.8m hours of work, nearly twice as many as a year earlier.

ODesk, founded in Silicon Valley in 2003, is a "game-changer", says Gary Swart, its chief executive. His marketplace takes outsourcing, widely adopted by big business over the past decade, to the level of the individual worker. According to Mr Swart, this "labour as a service" suits both employers, who can have workers on tap whenever they need them, and employees, who can earn money without the hassle of working for a big company, or even of leaving home.

It is still small, but oDesk shows how globalisation and innovation in information technology, the two big trends that have been under way for some time, are moving the world nearer to a single market for labour. Much of the work on oDesk comes from firms in rich economies and goes to people in developing countries, above all the Philippines and India. Getting a job done through oDesk can bring the cost down to as little as 10% of the usual rate. So the movement of work abroad in search of lower labour costs is no longer confined to manufacturing but now also includes white-collar jobs, from computer programming to copywriting and back-office legal tasks. That is likely to have a big impact on pay rates everywhere.

It puts the whole thing into context of the current 2nd dip in USA and Europe. My first contribution to this debate was to predict the above in a paper & implementation of a jobs market in 1997. Because this used a sort of variation on Ricardian Contracts, and turned the global jobbing market into a financial system, it qualifies as FC.

(My second contribution was equally exciting, built in 2009-2010, and I guess someone will overtake it in 14 years as well. If you are in the angel business, you can find out about it sooner...)

Oh, and in case you didn't quite understand the oTalk above ... here's some hard econ data:

Michael Spence, another Nobel prize-winning economist, in a recent article in Foreign Affairs agrees that technology is hitting jobs in America and other rich countries, but argues that globalisation is the more potent factor. Some 98% of the 27m net new jobs created in America between 1990 and 2008 were in the non-tradable sector of the economy, which remains relatively untouched by globalisation, and especially in government and health care -- the first of which, at least, seems unlikely to generate many new jobs in the foreseeable future. At the same time, says Mr Spence, the mix of jobs available to Americans in the tradable sector (including manufacturing) that serves global markets is shifting rapidly, with a growing share of the positions suitable only for skilled and educated people.

(Readers will recognise Prof. Spence as the man who wrote the paper that inspired the silver bullets hypothesis.)

How Liability is going to kill what little is left of Internet security…

Long term readers will know that I have often written of the failure of the browser vendors to provide effective security against phishing. I long ago predicted that nothing will change until the class-action lawsuit came. Now signs are appearing that this is coming to pass:

That's changing rapidly. Recently, Sony faced a class action lawsuit for losing the private information of millions of users. And this week, it was reported that Dropbox is already being sued for a recent security breach of its own.

It's too early to know if these particular lawsuits will get anywhere, but they're part of a growing trend. As online services become an ever more important part of the American economy, the companies that create them increasingly find that security problems are hitting them where it really hurts: the bottom line.

See also the spate of lawsuits against banks over losses; although it isn't the banks' direct fault, they are complicit in pushing weak security models, and a law will come to make them completely liable. Speaking of laws:

Computer security has also been an area of increasing activity for the Federal Trade Commission. In mid-June, FTC commissioner Edith Ramirez testified to Congress about her agency's efforts to get companies to beef up their online security. In addition to enforcing specific rules for the financial industry, the FTC has asserted authority over any company that makes "false or misleading data security claims" or causes harm to consumers by failing to take "reasonable security measures." Ramirez described two recent settlements with companies whose security vulnerabilities had allowed hackers to obtain sensitive customer data. Among other remedies, those firms have agreed to submit to independent security audits for the next 20 years.

Skip over the sad joke at the end. Timothy B. Lee and Ars Technica, author of those words, did more than just recycle other stories, they actually did some digging:

Alex Halderman, a computer science professor at the University of Michigan, to help us evaluate these options. He argued that consumer choice by itself is unlikely to produce secure software. Most consumers aren't equipped to tell whether a company's security claims are "snake oil or actually have some meat behind them." Security problems therefore tend not to become evident until it's too late.

But he argued the most obvious regulatory approach—direct government regulation of software security practices—was also unlikely to work. A federal agency like the FTC has neither the expertise nor the manpower to thoroughly audit the software of thousands of private companies. Moreover, "we don't have really widely regarded, well-established best practices," Halderman said. "Especially from the outside, it's difficult to look at a problem and determine whether it was truly negligent or just the kind of natural errors that happen in every software project."

And when an agency found flaws, he said, it would have trouble figuring out how urgent they were. Private companies might be forced to spend a lot of time fixing trivial flaws while more serious problems get overlooked.

(Buyers don't know. Sellers don't know.)

So what about liability? I like others have recognised that liability will eventually arise:

This is a key advantage of using liability as the centerpiece of security policy. By making companies financially responsible for the actual harms caused by security failures, lawsuits give management a strong motivation to take security seriously without requiring the government to directly measure and penalize security problems. Sony allegedly laid off security personnel ahead of this year's attacks. Presumably it thought this would be a cost-saving move; a big class action lawsuit could ensure that other companies don't repeat that mistake in future.

But:

Still, Halderman warned that too much litigation could cause companies to become excessively security-conscious. Software developers always face a trade-off between security and other priorities like cost and time to market. Forcing companies to devote too much effort to security can be as harmful as devoting too little. So policymakers shouldn't focus exclusively on liability, he said.

Actually, it's far worse. Figure out some problem, and go to a company and mention that this issue exists. The company will ignore you. Mention liability, and the company will immediately close ranks and deny-by-silence any potential liability. Here's a variation written up close by concerning privacy laws:

...For everything else, the only rule for companies is just “don’t lie about what you’re doing with data.”

The Federal Trade Commission enforces this prohibition, and does a pretty good job with this limited authority, but risk-averse lawyers have figured out that the best way to not violate this rule is to not make explicit privacy promises at all. For this reason, corporate privacy policies tend to be legalistic and vague, reserving rights to use, sell, or share your information while not really describing the company’s practices. Consumers who want to find out what’s happening to their information often cannot, since current law actually incentivizes companies not to make concrete disclosures.

Likewise with liability: if it is known of beforehand, it is far easier to slap on a claim of gross negligence. Which means in simple layman's terms: triple damages. Hence, companies have a powerful incentive to ignore liability completely. As above with privacy: companies are incentivised not to do it; and so it comes to pass with security in general.

Try it. Figure out some user-killer problem in some sector, and go talk to your favourite vendor. Mention damages, liability, etc, and up go the shutters. No word, no response, no acknowledgement. And so, the problem(s) will never get fixed. The fear of liabilities is greater than the fear of users, competitors, change, even fear itself.

Which pretty much guarantees a class-action lawsuit one day. And the problem still won't be fixed, as all thoughts are turned to denial.

So what to do? Halderman drifts in the same direction as I've commented:

Halderman argued that secure software tends to come from companies that have a culture of taking security seriously. But it's hard to mandate, or even to measure, "security consciousness" from outside a company. A regulatory agency can force a company to go through the motions of beefing up its security, but it's not likely to be effective unless management's heart is in it.

It's completely meaningless to mandate, which is the flaw behind the joke of audit. But it is possible to measure. Here's an attempt by yours truly.

What's not clear as yet is how is it possible to incentivise companies to pursue that lofty goal, even if we all agree it is good?

Regulating the future financial system - the double-entry headache needs a triple-entry aspirin

How to cope with a financial system that looks like it's about to collapse every time bad news turns up? This is an issue that is causing a few headaches amongst the regulators. Here's some musings from Chris Skinner over a paper from the Financial Stability gurus at the Bank of England:

Third, the paper argues for policies that create much greater transparency in the system.

This means that the committees worldwide will begin “collecting systematically much greater amounts of data on evolving financial network structure, potentially in close to real time. For example, the introduction of the Office of Financial Research (OFR) under the Dodd-Frank Act will nudge the United States in this direction.

“This data revolution potentially brings at least two benefits.

“First, it ought to provide the authorities with data to calibrate and parameterise the sort of network framework developed here. An empirical mapping of the true network structure should allow for better identification of potential financial tipping points and cliff edges across the financial system. It could thus provide a sounder, quantitative basis for judging remedial policy actions to avoid these cliff edges.

“Second, more publicly available data on network structures may affect the behaviour of financial institutions in the network. Armed with greater information on counterparty risk, banks may feel less need to hoard liquidity following a disturbance.”

Yup. Real time data collection will be there in the foundation of future finance.

But have a care: you can't use the systems you have now. That's because if you layer regulation over policy over predictions over datamining over banking over securitization over transaction systems … all layered over clunky old 14th century double entry … the whole system will come crashing down like the WTC when someone flies a big can of gas into it.

The reason? Double entry is a fine tool at the intra-corporate level. Indeed, it was material in the rise of the modern corporation form, in the fine tradition of the Italian city states, longitudinal contractual obligations and open employment. But, double entry isn't designed to cope with the transactional load of of inter-company globalised finance. Once we go outside the corporation, the inverted pyramid gets too big, too heavy, and the forces crush down on the apex.

It can't do it. Triple entry can. That's because it is cryptographically solid, so it can survive the rigours of those concentrated forces at the inverted apex. That doesn't solve the nightmare scenarios like securitization spaghetti loans, but it does mean that when they ultimately unravel and collapse, we can track and allocate them.

Message to the regulators: if you want your pyramid to last, start with triple entry.

PS: did the paper really say "More taxes and levies on banks to ensure that the system can survive future shocks;" … seriously? Do people really believe that Tobin tax nonsense?

Bitcoin and tulip bulbs

Many people are asking me about BitCoin, and I've put off writing about it because I need to be clear on why I think it is not a long term player. Of course, I've been wrong before ... Anyway, it looks like John Levine has done the job for me:

Bitcoin and tulip bulbs

Bitcoin, for anyone who's not up on their techno-trends, is this year's hot trendy digital payment system. Its main claim to fame is that it is peer-to-peer, not depending on a central bank to issue or validate the "coins", actually blobs of cryptographically signed bits. This makes it both fairly anonymous and hard to manipulate (at least in the ways that real money is manipulated), making it a darling of anarcho-libertarians.

A lot of people have opined on its merits, most notably this Quora message.

I took a look at the design of Bitcoin, which is credited to "Satoshi Nakamoto". Nobody seems to know who he is (or who they are), but he definitely knows his crypto. As a piece of cryptographic software design, it's quite clever. As a system you might want to use to pay for stuff, it's hopeless.

To somewhat adapt the arguments in the Quora message, Bitcoins suffer from two problems, one technical and the other economic. [techo-issue elided]

The other problem is economic. A year ago, you could buy bitcoins for about 1¢ apiece. In January, they cost about $1. Now they're about $10. We have a name for that -- it's a bubble. (Bitcoin fans tend to assume that bitcoins are money, and describe what's happending as deflation, but you'll have to look pretty hard to find any real-world examples of 1000 to 1 deflation.) Since there's no central bank to manage exchange rates, nor can you pay your taxes with them, which is the practical definition of money, a bitcoin is only worth what the next sucker thinks it's worth. So what we have here is a system that lets you pay for stuff with tulip bulbs, or perhaps shares of stock in theglobe.com.

John's rant mostly covers it, but for the hardcore monetarists I'll add: money is expected to be a store of value. BitCoin doesn't speak to value at all, and it is the antithesis of the Ricardian Contract, which describes its value in glorious and legal detail. So it's whatever value we as holders want it to be.

Typically such a bubble bursts when we run out of speculators who agree on its appeal. In this case, it is eerily familiar with history of last decade. It shares something of the media hype of DigiCash, and also the user-base of e-gold. So it will burst when we run out of cypherpunks, and when the user base reaches a tipping point.

And, as Lynn Bell pointed out, last decade was the decade of the alternative issuers. This decade, facebook, apple and google will try it, and may succeed (if that is they can keep the geeks at a distance and build an integrated team with some monetarists in it)...

---

Entries in the BitCoin Log

1. Bitcoin and tulip bulbs
2. Is BitCoin a triple entry system?
3. BitCoin - the bad news

1st round in Internet Account Fraud World Cup: Customer 0, Bank 1, Attacker 300,000

More grist for the mill -- where are we on the security debate? Here's a data point.

In May 2009, PATCO, a construction company based in Maine, had its account taken over by cyberthieves, after malware hijacked online banking log-in and password credentials for the commercial account PATCO held with Ocean Bank. ....

There are two ways to look at this: the contractual view, and the responsible party view. The first view holds that contracts describe the arrangement, and parties govern themselves. The second holds that the more responsible party is required to be <ahem> more responsible. PATCO decided to ask for the second:

A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in an ACH fraud case filed by a commercial customer against its former bank. According to the order, which must still be reviewed by the presiding judge, the bank fulfilled its contractual obligations for security and authentication through its requirement for log-in and password credentials. ....

At issue for PATCO is whether banks should be held responsible when commercial accounts, like PATCO's, are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to the commercial accounts they manage?

"Obviously, the major issue is the banks are saying this is the depositors' problem," Patterson says, "but the folks that are losing money through ACH fraud don't have enough sophistication to stop this."

And lost.

David Navetta, an attorney who specializes in IT security and privacy, says the magistrate's recommendation, if accepted by the judge, could set an interesting legal precedent about the security banks are expected to provide. And unless PATCO disputes the order, Navetta says it's unlikely the judge will overrule the magistrate's findings. PATCO has between 14 and 21 days to respond.

"Many security law commentators, myself included, have long held that *reasonable security does not mean bullet-proof security*, and that companies need not be at the cutting edge of security to avoid liability," Navetta says. "The court explicitly recognizes this concept, and I think that is a good thing: For once, the law and the security world agree on a key concept."

My emphasis added, and it is an important point that security doesn't mean absolute security, it means reasonable security. Which from the principle of the word, means stopping when the costs outweigh the benefits.

But that is not the point that is really addressed. The question is whether (a) how we determine what is acceptable (not reasonable), and (b) if the Customer loses out when acceptable wasn't reasonable, is there any come-back?

In the disposition, the court notes that Ocean Bank's security could have been better. "It is apparent, in the light of hindsight, that the Bank's security procedures in May 2009 were not optimal," the order states. "The Bank would have more effectively harnessed the power of its risk- profiling system if it had conducted manual reviews in response to red flag information instead of merely causing the system to trigger challenge questions."

But since *PATCO agreed to the bank's security methods when it signed the contract*, the court suggests then that PATCO considered the bank's methods to be reasonable, Navetta says. The law also does not require banks to implement the "best" security measures when it comes to protecting commercial accounts, he adds.

So, we can conclude that "reasonable" to the bank meant putting in place risk-profiling systems. Which it then bungled (allegedly). However, the standard of security was as agreed in the contract, *reasonable or not*.

That is, *reasonable security* doesn't enter into it. More on that, as the observers try and mold this into a "best practices" view:

"Patco in effect demands that Ocean Bank have adopted the best security procedures then available," the order states. "As the Bank observes, that is not the law."

(Where it says "best" read "best practices" which is lowest common denominator, a rather different thing to best. In particular, the case is talking about SecureId tokens and the like.)

Patterson argues that Ocean Bank was not complying with the Federal Financial Institutions Examination Council's requirement for multifactor authentication when it relied solely on log-in and password credentials to verify transactions. Navetta agrees, but the court in this order does not.

"The court took a fairly literal approach to its analysis and bought the bank's argument that the scheme being used was multifactor, as described in the [FFIEC] guidance," Navetta says. "The analysis on what constitutes multifactor and whether some multifactor schemes [out of band; physical token] are better than others was discussed, and, to some degree, the court acknowledged that the bank's security could have been better. Even so, it was technically multifactor, as described in the FFEIC guidance, in the court's opinion, and "the best" was not necessary."

Navetta says the court's view of multifactor does not jibe with common industry understanding. Most industry experts, he says, would not consider Ocean Bank's authentication practices in 2009 to be true multifactor. "Obviously, the 'something you have' factor did not fully work if hackers were able to remotely log into the bank using their own computer," he says. "I think that PATCO's argument was the additional factors were meaningless since the challenge question was always asked anyway, and apparently answering it correctly worked even if one of the factors failed. In other words, it appears that PATCO was arguing that the net result of the other two factors failing was going back to a single factor."

This problem has been known for a long time. When the "best practices" approach is used, as in this FFIEC example, there is a list of things you do. You do them, and you're done. You are encouraged to (a) not do any better, and (b) cheat. The trick employed above, to interpret the term "multi-factor" in a literal fashion, rather than using the security industry's customary (and more expensive) definition, has been known for a long long time.

It's all part of the "best practices" approach, and the court may have been wise to avoid further endorsing it. There is now more competition in security practices, says this court, and you'll find it in your contract.

---

Caveat: as with all such cases, this is a preliminary ruling, and it can be overturned including several times... before we see a precedent.

Declaration of Cyberwar - emerging hype cycle or growing nightmare?

Just when you thought it couldn't get any worse for infosec, there's more bad news on the horizon.

WASHINGTON—The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force. ....

In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official.

Recent attacks on the Pentagon's own systems—as well as the sabotaging of Iran's nuclear program via the Stuxnet computer worm—have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks. A key moment occurred in 2008, when at least one U.S. military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact.

Cyberwarfare is becoming more than just another talking point for the US Military, it's becoming a plank in government policy.

How significant is this? Well here's a data point. Lieutenant-General David Hurley has just been appointed as the new Chief of the Australian Defence Force. In a TV interview that night, he stated that one of the top four priorities for his term is cyberwarfare [1]. He called each of the other three as gamechangers (to which I concur) but did not elaborate on his one-word declaration of cyberwar.

What does that mean, other than a scurrilous lead for Australia's infosecarrazi press to follow up on? *Cyberwarfare is now top drawer stuff*. While us infosec types are scrabbling around trying to figure out what all the fuss is about (theories including:

• media hype
• excuse for new divisions,
• just new lingo for what was once known as EW or Electronic Warfare,
• a more cost-effective way to extend foreign policy, where cost is equated to dead diggers on TV,
• interference in civilian affairs,
• landgrab for the new Big Brother state,
• domestic battle with the NSA, DSD, GCHQ and friends,
• etc etc, inter alia...)

the military has put it on the agenda. On the *top of the agenda* of a force of 58,000 permanent warmakers, now with new improved government sanction to go out and bomb some electrons.

If the normally sensible Australians have bought into cyberwarfare, that means typically that the Americans are long gone down that path, and the British and Canadians have their walking shoes on as well. NATO won't be far behind, and NZ will join after their routine decade of protest.

The future of information security may well travel down a government / compliance path as we're squeezed between the 363kg gorilla of cyberwarfare on the one side, and the general incompetence of vendors on the other side. This will see all the vendors drawn over to cyberwar side, and an inevitable loss of innovative work on in the private sector. Not that we saw a lot, but there was always hope.

The end result will be more wrong threat models leading to more best practices and ultimately more compliance directed out of a military/political agenda. The compliance cycle that we saw stifling the American anti-phishing efforts will be the beginning, not the end, it will become the sad norm, not the upsetting exception.

Curiously however, there may be new common sense over on the other side of the Pacific. Lt Gen Hurley's opposite number in USA has also just been appointed as the new Chair of the Joint Chiefs of Staff:

[General Martin] Dempsey is “deeply skeptical” of technology being able to alter the basic nature of combat. He wrote recently in the introduction to the Army’s main operating concept, “We operate where our enemies, indigenous populations, culture, politics, and religion intersect and where the fog and friction of war persists.” In the end, it comes down to boots on the ground performing their jobs under competent command leadership.

His critics claim he doesn’t think as much as he should about future warfare and that he is too narrowly focused on the wars in Iraq and Afghanistan. ...

If anything's clear, the entry of the war machine into civilian cybersecurity affairs is likely to be bad news. Business and trade is far too delicate a thing to clobber with the heavy, blunt weapon of state responses. Maybe we need an old soldier to remind the futurists that war is actually a brutal thing?

No matter what the futurists have said over the last several centuries, it is always the grunts on the ground who are called upon to go in and make the job real. And it is always the people who bear the brunt of desk-flying futurists.

[1] Of the other three top priorities, one is the new fighter plane, the JSF or F35, which is Australia's largest defence purchase ever (ditto USA!). Another is the incorporation of the two new mini-carrier or logistical lift ships, which signals that Australia is going for integrated force projection, somewhat like Gen. Douglas MacArthur's island hopping in the Pacific campaign. In short, Australia is now building capacity to engage in the odd island invasion or two.

The third priority was equally big, but I don't recall it because I was too busy picking my jaw off the ground from hearing him slide that single neoligism into the middle of his conservative and comprehensive priorities.

#1 Censored Story - Dropping the Dollar

Someone pointed me to Project Censored, which has a list for the "25 top censored stories," and up there, right on top was "Global Plans to Replace the Dollar."

In July 2009, President Medvedev illustrated his call for a supranational currency to replace the dollar by pulling from his pocket a sample coin of a “united future world currency.” The coin, which bears the words “Unity in Diversity,” was minted in Belgium and presented to the heads of G8 delegations.

In September 2009, the United Nations Conference on Trade and Development proposed creating a new artificial currency that would replace the dollar as reserve currency. The UN wants to redesign the Bretton Woods system of international exchange. Formation of this currency would be the largest monetary overhaul since World War II. China is involved in deals with Brazil and Malaysia to denominate their trade in China’s yuan, while Russia promises to begin trading in the ruble and local currencies.

Additionally, nine Latin American countries have agreed on the creation of a regional currency, the sucre, aimed at scaling back the use of the US dollar.

Avid readers of FC will know this has been going on for a long time (long list here), and it's nice to see the news from the last 2 years concisely rendered.

Question of some pondering for me was, then, why is this *the number 1 censored story* ? Well, if one thinks about it some, the connection is clear.

In order to maintain the powerbase of Washington DC, the USD must remain supreme, because it is by the power of the dollar that economic force is wielded around the world, and it is the power of the dollar that buys the military machine at the pointy end of Ferguson's comment.

Except, this party's over. Outside the media eye, for a decade now, the world has been easing gently over to a multicurrency future. Here's just more latest news:

Mexico has quietly purchased nearly 100 tons of gold bullion, as central banks embark on their biggest bullion buying spree in 40 years. The purchase, reported in monthly data published by Mexico’s central bank, is the latest in a series of large gold buys by emerging market economies intent on diversifying reserves away from the faltering US dollar. China, Russia and India have acquired large amounts of gold in recent years, while Thailand, Sri Lanka and Bolivia have made smaller purchases.

*Central banks became net buyers of gold last year after two decades of heavy selling* – a reversal that has helped propel the price of bullion to a series of record highs. On Wednesday gold was trading at about $1,510 a troy ounce, down 4 percent from a nominal record high of $1,575.79 reached on Monday.

As a result of Mexico’s purchase, central banks, sovereign wealth funds and other so-called “official sector” buyers are on track to record their largest collective purchase of gold since the collapse of the Bretton Woods system, which pegged the value of the dollar to gold, in 1971. GFMS, a precious metals consultancy, had predicted that the official sector would make net gold purchases of 240 tons this year, compared with a post-Bretton Woods peak of 276 tons in 1981.

So why slap the heavy stamp of censorship on such a boring finance story? No bodies, no blood, no bombs.

Because every day this story is unknown is another day without currency flight, and another day the current regime avoids the tough questions. It buys more time for *everything else* that is going on. E.g., one supposes, Obama's efforts to balance his budget, contain inflation, withdraw forces from land wars in Asia, and other tasks in the struggle for peace.

So, it's the number one story to censor because it is the number one story to those who are in a position to censor. For the rest of us, it isn't, it's just more humdrum and drone and 1 percent this and 2 percent that.

"And," as my local TV station closes every day without fail, "that's finance."

Gold can only be bought with cash. Please Select!

Chris Skinner talks about his surreal experience with a gold ATM:

The idea is that you put cash in and get gold out.

So nice.

I plumped for the cheapest gold nugget priced at £100 and inserted my MasterCard.

Oh no, it didn’t work.

I guess that’s because you need to go to the other ATM to get cash to come back and get your gold.

With gold now enjoying its resurgence in notoriety as the alternate world currency, it's probably time to refresh our memory of the May Scale, reproduced below.

'May Scale' of monetary hardness
Hardness	Item
1	Street cash, US dollars
(Hard)
2	Street cash, euro currencies, japan
3	e-gold
4	Street cash, other regions
5	Interbank transfers of various sorts (wires etc), bank checks
6	personal checks
7	Consumer-level electronic account transfers (eg bPay)
8	Business-account-level retail transfer systems
(Soft)
9	Paypal and similar 'new money' entities, beenz
10	Credit cards
(Ridiculously soft)

Fig. 1. The May Scale

With such a scale at hand, it is easy to see why the gold ATM doesn't take credit cards. Even without the May Scale tucked in your wallet, just in case you thought to whip it out and read out the laws of economics to your ATM, this one gives you handy instructions:

If data breaches are feared more than hackers, what is the perverse result?

This headline struck my attention:

Data Breaches Feared More than Hackers

The majority of compliance professionals feel that their organizations are well or very well prepared to fend off hacker attacks, however, their confidence wanes significantly when assessing other data breach threats. This according to a survey conducted by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA).

This mirrored my results in The Market for Silver Bullets, in that the cost of the loss to intangibles and indirects such as reputation and compliance reviews would far outweigh the direct losses to the individuals. Consequently, this would have perverse effects on the treatment of risks.

I didn't really go into what those perverse effects were. Suffice, I thought at the time, to say, security's really screwed up, there is no way you can expect a rational result from this mess. But one thing struck me on reading that heading.

If the indirect effects of the data breach are feared more than the direct effects of the hacker's impacted damages, then there is an easy solution. Simply share the results, and generate a win-win for both. E.g., if the hacker manages to breach, and steal X data sets, he now has two opportunities. He can either exploit the breach set for some gain X*y where y is the average gain per identity, or he can settle with the lead victim.

Because we know that the indirect costs to the victim will far outweigh the direct gain to the attacker, there is an easy settlement. The victim is easily incentivised to pay for the breach to be settled without additional costs. And the attacker gains too as he has less work to do. Negotiation will find a convenient price between the two bounds.

Thus, this state of affairs predicts that the market for silver bullets leads to a market for extortion. Hack citibank, sell them their data back. I have no firm data, but I am comfortable with predicting that the difference is an order of magitude. That is, the costs to the victim are around 10 times the benefit to the attacker. Plenty of room there for a win-win solution.

(For those who are worried about the impact of an illegal contract, it is easy enough to put a silk dress on the pig and sell the breach techniques, with an NDA attached. This of course is the worry behind those breach markets. How close to extortion does it take us? Where do the morals stop and where does the crime start? A topic for another day...)

As a slight footnote, to confirm my prediction of this particular perverse result, I followed the article. Here's the relevant section found on the survey provider's site, two groups called Society of Corporate Compliance and Ethics and Health Care Compliance Association.

Fears of an accidental breach far outweigh fears of an intentional breach. Respondents were asked how likely they felt that data would be released through hacking attacks, intentional breaches by employees and third party vendors, and accidental breaches by employees and vendors. In general the feeling was that accidental breaches were far more likely. Just 8% felt that it was somewhat or very likely a hacker would gain access to the system, When it came to breaches by employees, 61% thought an accidental breach was somewhat or very likely, but just 30% thought the same of an intentional breach. Likewise 41% thought an accidental breach by a third party vendor was somewhat or very likely but only 13% thought an intentional breach was somewhat or very likely.

Unfortunately, no such luck. Right crowd, different story :) Oh well. So markets in extortion won't happen, right?

The Zippo Lighter theory of the financial crisis (or, who do we want to blame?)

The Economist summarises who the Financial Crisis Inquiry Commission of USA's Congress would like to blame in three tranches. For the Democrats, it's the financial industry and the de-regulation-mad Republicans:

The main report, endorsed by the Democrats, points to a broad swathe of failures but pins much of the blame on the financial industry, be it greed and sloppy risk management at banks, the predations of mortgage brokers, the spinelessness of ratings agencies or the explosive growth of securitisation and credit-default swaps. To the extent that politicians are to blame, it is for overseeing a quarter-century of deregulation that allowed Wall Street to run riot.

For the Republicans:

A dissenting report written by three of the Republicans could be characterised as the Murder on the Orient Express verdict: they all did it. Politicians, regulators, bankers and homebuyers alike grew too relaxed about leverage, helping to create a perfect financial storm. This version stresses broad economic dynamics, placing less emphasis on Wall Street villainy and deregulation than the main report does.

Finally, one lone dissenter:

A firmer (and, at 43,000 words, longer) rebuttal of the report by the fourth Republican, Peter Wallison, puts the blame squarely on government policies aimed at increasing home ownership among the poor. Mr Wallison argues that the pursuit of affordable-housing goals by government and quasi-government agencies, including Fannie Mae and Freddie Mac, caused a drastic decline in loan-underwriting standards. Over 19m of the 27m subprime and other risky mortgages created in the years leading up to the crisis were bought or guaranteed by these agencies, he reckons. These were "not a cigarette butt being dropped in a tinder-dry forest" but "a gasoline truck exploding" in the middle of one, Mr Wallison says.

Yessss..... That's getting closer. Not exactly a gasoline truck, as that would have one unfortunate spark. More like several containers, loaded with 19m fully-loaded zippo lighters driven into the forest of housing finance one hot dry summer, and distributed to as many needy dwellers as could be found.

Now, who would have driven that truck, and why? Who would have proposed it to the politicians? Ask these questions, and we're almost there.

Ernst & Young called to account -- should Audit firms be investigated for their role in the crisis?

In a long series of essays on the topic of Audit, I asked the question, why didn't the Audit firms pick up the disasters of the global financial crisis? Not all of those failed firms, as that would be too much to ask, but not even one?

As far as I know, no audit firm rang any alarm for any impending disaster for any business that consequently ran into trouble in the GFC. Not a single one!

Which raises the question: not even accidental combinations of misfortunes are being noticed by Auditors? What would it take to get an auditor to ring the alarm bell?

We have a statistically significant sample -- all the world's big firms. By some statistical hypothesis, either some alarm bells should have rung, or, no alarm bells were ever going to ring.

Some might be asking the same thing. Ernst & Young have now been sued by the New York Attorney General, Andrew Cuomo:

NEW YORK (Reuters) – Accounting firm Ernst & Young was sued by New York prosecutors over allegations it helped to hide Lehman Brothers' financial problems, in the first major government legal action stemming from the Wall Street company's 2008 downfall.

The civil fraud case contends that Ernst & Young stood by while Lehman used accounting gimmickry to mask its shaky finances. The lawsuit says Lehman ran "a massive accounting fraud," but it did not name as defendants any former top executives at the investment bank whose September 2008 collapse helped spark the global financial crisis.

You can read the indictment here. Now, it's hard to speculate reliably as to where this will go, other than to a quiet settlement. What is more interesting to me at the systemic level is that an audit firm is being brought to account.

People close to Cuomo said one factor in bringing the case was that he knows that the U.S. Securities and Exchange Commission already is investigating former Lehman chief Richard Fuld and other former top Lehman executives.

Cuomo "wants to go after the one party he knows isn't being sued," said John Coffee, a professor of corporate law at Columbia University.

Whatever that means. Ernst & Young predictably say they did nothing wrong and all transactions were "by the book." Could well be, and the court will no doubt audit that very statement, as well as the statements of the bankrupcy court:

The lawsuit comes nine months after a court-appointed examiner in the Lehman bankruptcy concluded that Ernst & Young was "professionally negligent" in its audit duties.

The report by examiner Anton Valukas also said that Lehman could also have claims against Fuld and former chief financial officers Chris O'Meara, Erin Callan and Ian Lowitt for negligence or breach of fiduciary duty related to the use of Repo 105 transactions.

For me, the big question remains: if we can't expect an audit firm to pick up any signs of trouble, what can we expect of them? Perhaps we could save our money and do our due diligence another way?

The lawsuit seeks more than $150 million in fees that Ernst & Young received from 2001 to 2008 as Lehman's outside auditor -- less than 1 percent of its global annual revenue -- plus other unspecified damages.

However it turns out, the result will be important.

Mervyn King calls us to the Old Lady's deathbed?

I've been watching an odd series of posts over in UK's Finanser site with amusement:

All along the lines of,

• the public has lost faith in the banks,
• are looking for any alternative,
• Meanwhile a bunch of social alternatives have popped up,
• so there are alternatives.

Add to that the fact that securitization renders banking a historical inefficiency, and central banking a vestigial cost structure (see the impromptu series on the end of banking, I, II, III).

It's time to change the music, but I've predicted that nobody's going to be the first to say that.

I spoke too soon. Last month, Hasan pointed to Mervyn King again, who's just come out and said:

"One might well say that a financial crisis occurs when the Basel risk weights turn out to be poor estimates of underlying risk. And that is not because investors, banks or regulators are incompetent. It is because the relevant risks are often impossible to assess in terms of fixed probabilities. Events can take place that we could not have envisaged, let alone to which we could attach probabilities. If only banks were playing in a casino then we probably could calculate appropriate risk weights. Unfortunately, the world is more complicated. So the regulatory framework needs to contain elements that are robust with respect to changes in the appropriate risk weights, and that is why the Bank of England advocated a simple leverage ratio as a key backstop to capital requirements."

In short, what the Governor is saying is that Basel III is not the answer. It might be part of the answer, but he's raising some skepticism. Then, he discusses solutions:

"Another avenue of reform is some form of functional separation. The Volcker Rule is one example. Another, more fundamental, example would be to divorce the payment system from risky lending activity - that is to prevent fractional reserve banking (for example, as proposed by Fisher, 1936, Friedman, 1960, Tobin, 1987 and more recently by Kay, 2009).

Blink and you missed it! The end of fractional reserve banking? On the table?

In essence these proposals recognise that if banks undertake risky activities then it is highly dangerous to allow such "gambling" to take place on the same balance sheet as is used to support the payments system, and other crucial parts of the financial infrastructure. And eliminating fractional reserve banking explicitly recognises that the pretence that risk-free deposits can be supported by risky assets is alchemy. If there is a need for genuinely safe deposits the only way they can be provided, while ensuring costs and benefits are fully aligned, is to insist such deposits do not coexist with risky assets.

So there we have the reversion to Glass-Steagall and removal of deposit taking from risk-making, or as he puts it, kicking the payments system out of banks' jurisdiction. My words fail, so back to his:

We certainly cannot rely on being able to expand the scope of regulation without limit to prevent the migration of maturity mismatch. Regulators will never be able to keep up with the pace and scale of financial innovation. Nor should we want to restrict innovation. But it should be undertaken by investors using their own money not by intermediaries who also provide crucial services to the economy, allowing them to reap an implicit public subsidy. It will not be possible to regulate all parts of the financial system as if they were banks. ...

Which in effect is a fall-back to Glass-Steagal, but this time there is a recognition of something called the migration of maturity mismatch. Innovation might be the cassus belli above, but securitization is firmly in Mr King's sites.

But, wait, there's more! Across the pond, Mr King reports that they're talking about redeeming the implied public subsidy of lender of last resort:

As Jeffrey Lacker, President of the Federal Reserve Bank of Richmond, has argued, "merely expanding the scope of regulation to chase those firms that extract implicit guarantees by engaging in maturity transformation would be an interminable journey with yet more financial instability in its wake" (Lacker, 2010).

For "implicit guarantee" read lender of last resort. For "maturity transformation" read securitization, CDOs and the shift from banking to market.

It's happening. Jeffrey Lacker of the Fed has called for a stop to the lender of last resort, and the Governor of the world's first central bank has put it on the table for negotiation. In effect, they're throwing in the towel. In speech celebrating the inventor of the central bank, Mervyn King has called the beginning and the end of an era of financial history.

Central banking is on its last legs, the Old Lady of Threadneedle Street is on her deathbed.

What remains is to give her a decent burial, and preserve our economy in her wake. The shift from Banking to Markets continues, apace.

---

1. What banking is. (Essential for predicting the end of finance as we know it.)


2. What caused the financial crisis. (Laying bare the end of banking.)


3. A small amount of Evidence. (In which, the end of banking and the rise of markets is suggested.)


4. Mervyn King calls us to the Old Lady's deathbed?


5. (Introducing the death of the partner and the central bank as turbocharger as 2 new causes)

A small amount of Evidence. (In which, the end of banking and the rise of markets is suggested.)

In the last couple of weeks I posted a thesis on what caused the global financial crisis. In technical terms it is the invention and usage of securitization, a.k.a., the market for mortgage-backed securities. In economic and policy terms, it is the shift from banking to markets .

It sounds too simple to be true, but I'll stick to my guns. So, how to show this? Scientifically this is a difficult one to show. Instead, I'll just do this: make observations on big things happening, and interpret them from the theory.

Let's look at the EU who are currently dealing with Ireland. Here's the Economist summary:

The decision by finance ministers in the EURO ZONE to create a European Stabilisation Mechanism as a permanent system for resolving future sovereign-debt difficulties did little to soothe markets, at least at first. The mechanism distinguishes a "solvency" crisis from a "liquidity" one, with bondholders in insolvent countries expected to take the brunt of losses, but does not come into force until 2013. However, markets were encouraged by a hint of more immediate help from the European Central Bank. Jean-Claude Trichet, the ECB's president, advised that people were "tending to underestimate the determination" in Europe to solve the debt crisis. - See article

What does that tell us? Well, the EU went in with a big fat cheque book and acted as lender of last resort, one of the primary functions of central banks. They bailed out Ireland (the country, the banks, the economy, whichever). And the markets weren't impressed.

Europe's policymakers are crying foul. "The speculation on international financial markets can't be explained rationally at all," declared Wolfgang Schäuble, Germany's finance minister.

It's entirely rational: lender of last resort is appropriate to banking, but not appropriate to markets. The markets themselves have figured out the first part, the politicians, not.

(OK, so this skims past the second part, how to deal with markets, and all the pointed questions of what EU should do right now; and how to get themselves out of the mess -- see the article for more on that. I'm simply concentrating on the core, underlying, fundamental systemic cause of failure. Without understanding that, there is no foundation in discussing policy or rescue prescriptions.)

Let's now turn to the USA. There, the highly successful Federal Reserve has now revealed more details about how it managed the crisis:

The numbers are staggering, encompassing more than a dozen emergency programs set up starting in 2007 or 2008. In one program alone the Fed doled out nearly $9 trillion in funds to borrowers such as Morgan Stanley and Merrill Lynch, largely at interest rates below 1 percent. (This program involved overnight loans, so the amount of Fed credit outstanding at any single point in time was much smaller.)

Other programs, with longer-term loans also measured in the trillions of dollars.

The Fed actions were just part of a larger array of government bailouts for the financial industry, which were deeply unpopular with most Americans. Rescue programs run outside the Fed included insurance-style backstops for bank debts and the investments from the Treasury's $700 billion TARP (Troubled Asset Relief Program).

In contrast to the EU, the Fed went to town, bought everything ... and is now able to sell it all back:

At the same time, it's possible that the release of details will end up largely vindicating the Fed for the massive financial support that it gave the economy at a time of severe stress. The emergency loans, in the view of many finance experts, helped to avert a much deeper economic slump. And those loans have now been largely paid back without losses to the central bank.

The Fed therefore scores top points as lender of last resort, and the obvious complaint is that the EU isn't spending enough. However, there is a rider or caveat on that:

"My view is that the Fed has done an excellent job since the crisis started, but they didn't do a very good job before the crisis started," says Pete Kyle, a finance expert at the University of Maryland. He says the central bank, as a key financial regulator, should have ensured that US banks had plenty of capital on hand to weather a storm.

Some other economists echo that view, arguing that the Fed and other bank regulators should have done much more to safeguard against a surge in high-risk mortgage lending during the years leading up to the crisis, at a time when US home prices were soaring.

Once a crisis is under way, however, the standard view among economists is that a central bank should act as a "lender of last resort," providing credit as freely as possible to prevent widespread bank failures at a time when ordinary investors are in a panic.

When people resort to language like "the standard view" we know something's wrong. The economists are wobbling: they know the standard view, they see the lender of last resort is facing bankrupcy under its own rules, and they're feeling quite bad and conflicted about it.

Whatever is happening to the skepticism of the markets and the economists, this still doesn't tell the ordinary people what went wrong. We're so used to conflicting signals from economists and markets, we'll discount them all without a second thought.

Let's get a little bit more haptic. Let's reach in and touch the problem. Here it is:

Dan Edstrom is a guy who is in the right place at the right time. His profession? He performs securitization audits (Reverse Engineering and Failure Analysis) for a company called DTC-Systems.

The typical audit includes numerous [stuff, snipped]. The following flow chart reverse engineers the mortgage on the Ekstrom family residence. It took Dan over one year to take it this far and it clearly demonstrates what happens when there are too many lawyers being manufactured.

Dan went in and documented the mortgage on his house. Think of this as who owns Dan and Teri's house? or from an accountant's pov, who owns the cash flow?

Do you understand it? Of course not. Be not ashamed, the real point is, nobody else understands it either, and that includes the banks.

When the banks found themselves masters of the mortgage-backed securities market, they were holding onto a poisoned chalice. The value that was released in this method was immense: the entire risk premium of banking was delivered into their hands within days, but in exchange for selling off the banking risk, they took on a complexity risk as graphically suggested in that above diagram (or tabulated by ProPublica).

The first premium was large enough to overshadow the second negative premium; can you say appetite for risk? What inevitably occurred was a ponzi-like feeding frenzy on mortgage-backed securities, while complexity created a powder keg with a slow-burn fuse under the castle.

Quite how the spark gradually ate its way along the slow-burn fuse to the powder keg within is a fascinating subject, and one that many will discuss. Many causes and effects within. However, the key issue is this: switching from long term loans to the mortgage-backed securities market, a.k.a. securitization not loans, was the crux.

Now, if we see that, and we recognise there is no turning back, then the big question is, how are the central bankers going to deal with the shift from banking to markets ?

---

1. What banking is. (Essential for predicting the end of finance as we know it.)


2. What caused the financial crisis. (Laying bare the end of banking.)


3. A small amount of Evidence. (In which, the end of banking and the rise of markets is suggested.)


4. Mervyn King calls us to the Old Lady's deathbed?


5. (Introducing the death of the partner and the central bank as turbocharger as 2 new causes)

What caused the financial crisis. (Laying bare the end of banking.)

Another month, another mini-crisis. Many banks remain in trouble, many countries too, adding weight to the claim that we're not through yet. Say hello, double dip, or depression. Whatever the economists end up calling it, it will be with us for a few years yet.

For what it's worth, I'd suggest this will be a 10 year story. Today's news is about Ireland, yesterday we were in Greece, tomorrow it will be another fun travel destination, where our money will buy more, as long as it's not us.

Each of those countries are looking at scenarios that will be a decade minimum to work through, to pay off their debt.

What does that make a citizen think?

Whatever you think about your national profits for the next decade being expropriated for the sins of your fathers, it seems to make sense to take more than ordinary care, and to sort it out properly this time. This one isn't the localised moral hazard of the S&L crash, it isn't the Asian Financial story of dominos too cozy, it isn't the Russian panic, nor LTCM.

Those were regular, this one's exceptional. This is more like the Japanese experience, on an OECD scale, or the Great Depression. Both things which were at their root central banking crises.

So what's the cause? It does all seem to be a bit bemusing as theory after damnable theory goes wafting by, and still we don't see the end of the crisis. Theories I've seen and dismissed as mere symptoms:

• derivatives blowup
• sub-prime meltdown
• greed, pure filthy evil greed
• incentives for (greedy, evil) bankers
• cost of wars and other remote adventures
• regulatory intervention
• Sarbanes-Oxley and the death of a thousand cuts
• BIS's capital ratio and how nobody paid attention
• repeal of Glass-Steagall
• the shift away from dollar as reserve supremo
• too big to fail
• moral hazard
• rating agency fraud
• naked short selling
• explosion of public debt...

There is one and only one underlying cause for this crisis. It's the thing that answers everything, and the thing that nobody wants to talk about. It's the massive shift in structural nature of the business that took 30 years to develop, and suddenly everyone's caught by surprise.

It's banking, or more precisely, it's

the end of banking, as we know it

(Which is why I wrote a long post on what banking is.) Banking is no longer essential to society because there is now another method to achieve what banking achieves. That is, we now have two methods to distribute society's savings on the stage of the economy: from small-left to big-right, as it were. Both methods work, but the new method has advantages that will make it dominate over time.

The new method is called:

securitization

It's new, because it was invented in the USA in 1970 (hence the Z). While it is pretty simple to describe, it is (arguably) complex to see:

1. take say 1000 vertical loans to people such as housing mortgages,
2. aggregate them up into a huge single fund (essentially, a company that handles the cash flow from the loans)
3. then slices the fund up horizontally into say 5000 shares
4. sell the shares!
5. new shareholders are paid the a tiny slice of each mortgage, until term.

I'll leave it as an exercise for the reader to compare how that relates to banking, and just skip to the essence of the shift from the definition of banking: term. The bank can "originate" these loans to the 1000 customers, aggregate them into a fund, slice the fund into shares, and sell the shares.

Here's the clanger: At this point, the bank has sold off the loans to other investors, which means the bank has sold off the risk.

After this point, the bank is no longer in the risk business! What's more, it can do this in 100 days and under. Which means it is no longer in the term business either.

Which means, the bank and those loans are no longer at risk of the economy. Nor a run. In fact, the bank need no longer be in the risk business at all, because it can sell off all its risk. To a market. As the ever-popular Prof Ferguson puts it:

These changes swept away the last vestiges of the business model depicted in It's a Wonderful Life. Once there had been meaningful social ties between mortgage lenders and borrowers. James Stewart's character knew both the depositors and the debtors. By contrast, in a securitized market the interest you paid on your mortgage ultimately went to someone who had no idea you existed. The full implications of this transition for ordinary homeowners would become apparent only 25 years later.

Which means, anyone doing business in securitization is not doing banking.

Now go back to the structure of the banking industry. I showed that the structure, and the regulation, was predicated on the risk inherent in the term structure of banking loans.

As banks are no longer taking on that risk, the structure is no longer required. That is, central banking is no longer useful to the economics of banking, and regulation based on public policy interests and lender of last resort issues is therefore unfounded.

Which further means the regulation is probably (almost certainly) wrong, the incentives are mismatched, the risk analysis is unnecessary, ... on and on it goes. Add in a dash of technology like the Internet, cryptography, and disintermediation (think Zopa or microfinance) and the mix is heady, and unstoppable.

Banks are not doing banking any more, so trying to make them act like they were doing banking is not helpful, it is harmful. In economics terms, there is a fundamental shift:

from banking to markets

But the world is still treating banks as if they do banking. From Basel-3 on down:

But on one point Pandit [Vikram Pandit, CEO of Citigroup] cannot be challenged. Since the promulgation of Hammurabi's Code, in ancient Babylon, no advanced society has survived without banks and bankers. Banks enable people to borrow money, and, today, by operating electronic-transfer systems, they allow commerce to take place without notes and coins changing hands. They also play a critical role in channelling savings into productive investments.

...
When the banking system behaves the way it is supposed to - as Pandit says Citi is now behaving - it is akin to a power utility, distributing money (power) to where it is needed and keeping an account of how it is used. Just like power utilities, the big banks have a commanding position in the market, which they can use for the benefit of their customers and the economy at large.

So the regulators are making mistakes, a steady series of them. Says TheFinanser's Chris Skinner in evident disgust at the BIS's numberitis:

Hmmm ... HBOS had a higher Tier I Capital Ratio than Lloyds TSB in 2008; Alliance & Leicester and Bradford & Bingley were well above the BIS requirements; RBS is particularly well capitalised; and Northern Rock appeared to have no issue in 2007, as mentioned.

And yet, these are all the failed banks of Britain!

This Tier I Capital Ratio measure ain't that good is it?

The rules of the financial world have changed, the structures have not.

In particular, banks are off-the-hook for term failures, but they still make money as if they were on-the-hook. Hence, as banks and other participants discovered that securitization was a licence to print money (because the risk had been sold off to others in the funds markets) what happened?

Everyone dived madly into subprime. Everyone made money! Appetite for risk went sky high, because ... the risk was sold off to the market, and all that was left was the fees! Hence, we had a bubble of risk off-selling in many forms which ultimately led to the global financial crisis.

(You're probably wondering why the banks got so stuck when they had sold off their risk. It may be because <drumroll> they also bought securitized assets from the same markets that they'd sold into! </tara> Outstanding shift from Banking to Speculators, further exercise left for reader, look to the definition of banking again!)

Nobody in the world of banks dares admit it, because the money is too good. But it can't last, and some are wise to the game. Prof. Ferguson pointed to a speech by Mervyn King:

Mervyn King, governor of the Bank of England, called on Tuesday night for banks to be split into separate utility companies and risky ventures, saying it was "a delusion" to think tougher regulation would prevent future financial crises.

Mr King's call for a break-up of banks to prevent them becoming "too important to fail" puts him sharply at odds with the direction of domestic and international banking reform.

What's the new world, where banks are no longer needed to do banking? Well, smaller, more purpose-limited ventures is one good start. "Utilities" is a good word. Expect to see more of this sort of proposal.

But, don't expect to see anyone agree that it's the end of banking, as that is still too politically untenable.

---

1. What banking is. (Essential for predicting the end of finance as we know it.)


2. What caused the financial crisis. (Laying bare the end of banking.)


3. A small amount of Evidence. (In which, the end of banking and the rise of markets is suggested.)


4. Mervyn King calls us to the Old Lady's deathbed?


5. (Introducing the death of the partner and the central bank as turbocharger as 2 new causes)

What banking is. (Essential for predicting the end of finance as we know it.)

To understand what's happening today in the economy, we have to understand what banking is, and by that, I mean really understand how it works.

This time it's personal, right? Let's starts with what Niall Ferguson says about banking:

To understand why we have come so close to a rerun of the 1930s, we need to begin at the beginning, with banks and the money they make. From the Middle Ages until the mid-20th century, most banks made their money by maximizing the difference between the costs of their liabilities (payments to depositors) and the earnings on their assets (interest and commissions on loans). Some banks also made money by financing trade, discounting the commercial bills issued by merchants. Others issued and traded bonds and stocks, or dealt in commodities (especially precious metals). But the core business of banking was simple. It consisted, as the third Lord Rothschild pithily put it, "essentially of facilitating the movement of money from Point A, where it is, to Point B, where it is needed."

As much as the good Prof's comments are good and fruitful, we need more. Here's what banking really is:

Banking is borrowing from the public on demand, and lending those demand deposits to the public at term.

Sounds simple, right? No, it's not. Every one of those words is critically important, and change one or two of them and we've broken it. Let's walk it through:

Banking is borrowing from the public ..., and lending ... to the public.

Both from the public, and to the public. The public at both ends of banking is essential to ensure a diversification effect (A to B), a facilitation effect (bank as intermediary), and ultimately a public policy interest in regulation (the central bank). If one of those conditions aren't met, if one of those parties aren't "the public", then: it's not banking. For example,

• a building society or Savings & Loan is not doing banking, because .. it borrows from *members* who are by normal custom allowed to band together and do what they like with their money.
• a mutual fund is not banking because the lenders are sophisticated individuals, and the borrowers are generally sophisticated as well.
• Likewise, an investment bank does not deal with the public at all. So it's not banking. By this theory, it's really a financial investment house for savvy players (tell that to Deutschebank when it's chasing Goldman-Sachs for a missing billion...).

So now we can see that there is actually a reason why the Central Banks are concerned about banks, but less so about funds, S&Ls, etc. Back to the definition:

Banking is borrowing ... on demand, and lending those demand deposits ... at term.

On demand means you walk into the bank and get your money back. Sounds quite reasonable. At term means you don't. You have to wait until the term expires. Then you get your money back. Hopefully.

The bank has a demand obligation to the public lender, and a (long) term promise from the public borrower. This is quaintly called a maturity mismatch in the trade. What's with that?

The bank is stuck between a rock and a hard place. Let's put more meat on these bones: if the bank borrows today, on demand, and lends that out at term, then in the future, it is totally dependent on the economy being kind to the people owing the money. That's called risk, and for that, banks make money.

This might sound a bit dry, but Mervyn King, the Governor of the Bank of England, also recently took time to say it in even more dry terms (as spotted by Hasan):

3. The theory of banking

Why are banks so risky? The starting point is that banks make heavy use of short-term debt. Short-term debt holders can always run if they start to have doubts about an institution. Equity holders and long-term debt holders cannot cut and run so easily. Douglas Diamond and Philip Dybvig showed nearly thirty years ago that this can create fragile institutions even in the absence of risk associated with the assets that a bank holds. All that is required is a cost to the liquidation of long-term assets and that banks serve customers on a first-come, first-served basis (Diamond and Dybvig, 1983).

This is not ordinary risk. For various important reasons, banking risk is extraordinary risk, because no bank, no matter where we are talking, can deal with unexpected risks that shift the economy against it. Which risks manifest themselves with an increase in defaults, that is, when the long term money doesn't come back at all.

Another view on this same problem is when the lending public perceive a problem, and decide to get their money out. That's called a run; no bank can deal with unexpected shifts in public perception, and all the lending public know this, so they run to get the money out. Which isn't there, because it is all lent out.

(If this is today, and you're in Ireland, read quietly...)

A third view on this is the legal definition of fraud: making deceptive statements, by entering into contracts that you know you cannot meet, with an intent to make a profit. By this view, a bank enters into a fraudulent contract with the demand depositor, because the bank knows (as does everyone else) that the bank cannot meet the demand contract for everyone, only for around 1-2% of the depositors.

Historically, however, banking was very valuable. Recall Mr Rothschild's goal of "facilitating the movement of money from Point A, where it is, to Point B, where it is needed." It was necessary for society because we simply had no other efficient way of getting small savings from the left to large and small projects on the right. Banking was essential for the rise of modern civilisation, or so suggests Mervyn King, in an earlier speech:

Writing in 1826, under the pseudonym of Malachi Malagrowther, [Sir Walter Scott] observed that:

"Not only did the Banks dispersed throughout Scotland afford the means of bringing the country to an unexpected and almost marvellous degree of prosperity, but in no considerable instance, save one [the Ayr Bank], have their own over-speculating undertakings been the means of interrupting that prosperity".

Banking developed for a fairly long period, but as a matter of historical fact, it eventually settled on a structure known as central banking [1]. It's also worth mentioning that this historical development of central banking is the history of the Bank of England, and the Governor is therefore the custodian of that evolution.

Then, the Central Bank was the /lender of last resort/ who would stop the run.

Nevertheless, there are benefits to this maturity transformation - funds can be pooled allowing a greater proportion to be directed to long-term illiquid investments, and less held back to meet individual needs for liquidity. And from Diamond's and Dybvig's insights, flows an intellectual foundation for many of the policy structures that we have today - especially deposit insurance and Bagehot's time-honoured key principle of central banks acting as lender of last resort in a crisis.

Regulation and the structure we know today therefore rest on three columns:

1. the function of lender of last resort, which itself is exclusively required by the improbable contract of deposits being lent at term,
2. the public responsibility of public lending and public borrowing, and
3. the public interest in providing the prosperity for all,

That which we know today as banking is really central banking. Later on, we find refinements such as the BIS and their capital ratio, the concept of big strong banks, national champions, coinage and issuance, interest rate targets, non-banking banking, best practices and stress testing, etc etc. All these followed in due course, often accompanied with a view of bigger, stronger, more diversified.

Which sets half of the scene for how the global financial crisis is slowly pushing us closer to our future. The other half in a future post, but in the meantime, dwell on this: Why is Mervyn King, as the Guv of the Old Lady of Threadneedle Street (a.k.a. Bank of England), spending time teaching us all about banking?

---

1. What banking is. (Essential for predicting the end of finance as we know it.)


2. What caused the financial crisis. (Laying bare the end of banking.)


3. A small amount of Evidence. (In which, the end of banking and the rise of markets is suggested.)


4. Mervyn King calls us to the Old Lady's deathbed?

---

[1] Slight handwaving dance here as we sidestep past Scotland, and let's head back to England. I'm being slightly innocent with the truth here, and ignoring the pointed reference to Scotland.

NSA loses the crown jewels, or, Law of Unintended Consequences meets Flights of Brittleness

Lynn points to a long story in The New Yorker that gives a well-written and strong story by Seymour M. Hersh on the origins of the current Cyber War propaganda push by the US Department of Defence. I and many others of the community called this a budgetary war, not a real threat, and it is good to see that there are many in the USA administration that have called "bull" on the Cyber War claim.

Picking up from page 7:

Why not ignore the privacy community and put cyber security on a war footing? Granting the military more access to private Internet communications, and to the Internet itself, may seem prudent to many in these days of international terrorism and growing American tensions with the Muslim world. But there are always unintended consequences of military activity—some that may take years to unravel.

Of particular note for those who subscribe to the "heavy" approach to secure systems, and poo-poo the doctrine of risk management in favour of absolute security, is an example of the Law of Unintended Consequences, and how complicated it is when you push the envelope at so many levels.

Ironically, the story of the EP-3E aircraft that was downed off the coast of China provides an example. The account, as relayed to me by a fully informed retired American diplomat, begins with the contested Presidential election between Vice-President Al Gore and George W. Bush the previous November. That fall, a routine military review concluded that certain reconnaissance flights off the eastern coast of the former Soviet Union—daily Air Force and Navy sorties flying out of bases in the Aleutian Islands—were redundant, and recommended that they be cut back.

“Finally, on the eve of the 2000 election, the flights were released,” the former diplomat related. “But there was nobody around with any authority to make changes, and everyone was looking for a job.” The reality is that no military commander would unilaterally give up any mission. “So the system defaulted to the next target, which was China, and the surveillance flights there went from one every two weeks or so to something like one a day,” the former diplomat continued. By early December, “the Chinese were acting aggressively toward our now increased reconnaissance flights, and we complained to our military about their complaints. But there was no one with political authority in Washington to respond, or explain.” The Chinese would not have been told that the increase in American reconnaissance had little to do with anything other than the fact that inertia was driving day-to-day policy. There was no leadership in the Defense Department, as both Democrats and Republicans waited for the Supreme Court to decide the fate of the Presidency.

The predictable result was an increase in provocative behavior by Chinese fighter pilots who were assigned to monitor and shadow the reconnaissance flights. This evolved into a pattern of harassment in which a Chinese jet would maneuver a few dozen yards in front of the slow, plodding EP-3E, and suddenly blast on its afterburners, soaring away and leaving behind a shock wave that severely rocked the American aircraft. On April 1, 2001, the Chinese pilot miscalculated the distance between his plane and the American aircraft. It was a mistake with consequences for the American debate on cyber security that have yet to be fully reckoned.

For what went wrong after that, read the rest of the story!

Cryptographic Numerology - our number is up

Chit-chat around the coffeerooms of crypto-plumbers is disturbed by NIST's campaign to have all the CAs switch up to 2048 bit roots:

On 30/09/10 5:17 PM, Kevin W. Wall wrote:

> Thor Lancelot Simon wrote:
> See below, which includes a handy pointer to the Microsoft and Mozilla policy statements "requiring" CAs to cease signing anything shorter than 2048 bits.

<...snip...>

> These certificates (the end-site ones) have lifetimes of about 3 years maximum. Who here thinks 1280 bit keys will be factored by 2014? *Sigh*.

No one that I know of (unless the NSA folks are hiding their quantum computers from us :). But you can blame this one on NIST, not Microsoft or Mozilla. They are pushing the CAs to make this happen and I think 2014 is one of the important cutoff dates, such as the date that the CAs have to stop issuing certs with 1024-bit keys.

I can dig up the NIST URL once I get back to work, assuming anyone actually cares.

The world of cryptology has always been plagued by numerology.

Not so much in the tearooms of the pure mathematicians, but all other areas: programming, management, provisioning, etc. It is I think a desperation in the un-endowed to understand something, anything of the topic.

E.g., I might have no clue how RSA works but I can understand that 2048 has to be twice as good as 1024, right? When I hear it is even better than twice, I'm overjoyed!

This desperation to be able to talk about it is partly due to having to be part of the business (write some code, buy a cert, make a security decision, sell a product) and partly a sense of helplessness when faced with apparently expert and confident advice. It's not an unfounded fear; experts use their familiarity with the concepts to also peddle other things which are frequently bogus or hopeful or self-serving, so the ignorance leads to bad choices being made.

Those that aren't in the know are powerless, and shown to be powerless.

When something simple comes along and fills that void people grasp onto them and won't let go. Like numbers. As long as they can compare 1024 to 2048, they have a safety blanket that allows them to ignore all the other words. As long as I can do my due diligence as a manager (ensure that all my keys are 2048) I'm golden. I've done my part, prove me wrong! Now do your part!

This is a very interesting problem [1]. Cryptographic numerology diverts attention from the difficult to the trivial. A similar effect happens with absolute security, which we might call "divine cryptography." Managers become obsessed with perfection in one thing, to the extent that they will ignore flaws in another thing. Also, standards, which we might call "beliefs cryptography" for their ability to construct a paper cathedral within which there is room for us all, and our flock, to pray safely inside.

We know divinity doesn't exist, but people demand it. We know that religions war all the time, and those within a religion will discriminate against others, to the loss of us all. We know all this, but we don't; cognitive dissonance makes us so much happier, it should be a drug.

It was into this desperate aching void that the seminal paper by Lenstra and Verheul stepped in to put a framework on the numbers [2]. On the surface, it solved the problem of cross-domain number comparison, e.g., 512 bit RSA compared to 256 bit AES, which had always confused the managers. And to be fair, this observation was a long time coming in the cryptographic world, too, which makes L&V's paper a milestone.

Cryptographic Numerology's star has been on the ascent ever since that paper: As well as solving the cipher-public-key-hash numeric comparison trap, numerology is now graced with academic respectability.

This made it irresistible to large institutions which are required to keep their facade of advice up. NIST like all the other agencies followed, but NIST has a couple of powerful forces on it. Firstly, NIST is slightly special, in ways that other agencies represented in keylength.com only wish to be special. NIST, as pushed by the NSA, is protecting primarily US government resources:

This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.

That's US not us. It's not even protecting USA industry. NIST is explicitly targetted by law to protect the various multitude of government agencies that make up the beast we know as the Government of the United States of America. That gives it unquestionable credibility.

And, as has been noticed a few times, Mars is on the ascendancy: *Cyberwarfare* is the second special force. Whatever one thinks of the mess called cyberwarfare (equity disaster, stuxnet, cryptographic astrology, etc) we can probably agree, if anyone bad is thinking in terms of cracking 1024 bit keys, then they'll be likely another nation-state interested in taking aim against the USG agencies. c.f., stuxnet, which is emerging as a state v. state adventure. USG, or one of USG's opposing states, are probably the leading place on the planet that would face a serious 1024 bit threat if one were to emerge.

Hence, NIST is plausibly right in imposing 2048-bit RSA keys into its security model. And they are not bad in the work they do, for their client [3]. Numerology and astrology are in alignment today, if your client is from Washington DC.

However, real or fantastical, this is a threat model that simply doesn't apply to the rest of the world. The sad sad fact is that NIST's threat model belongs to them, to US, not to us. We all adopting the NIST security model is like a Taurus following the advice in the Aries section of today's paper. It's not right, however wise it sounds. And if applied without thought, it may reduce our security not improve it:

Writes Thor:
> At 1024 bits, it is not. But you are looking
> at a factor of *9* increase in computational
> cost when you go immediately to 2048 bits. At
> that point, the bottleneck for many applications
> shifts, particularly those ...
> Also,...
> ...and suddenly...
>
> This too will hinder the deployment of "SSL everywhere",...

When US industry follows NIST, and when worldwide industry follows US industry, and when open source Internet follows industry, we have a classic text-book case of adopting someone else's threat, security and business models without knowing it.

Keep in mind, our threat model doesn't include crunching 1024s. At all, any time, nobody's ever bothered to crunch 512 in anger, against the commercial or private world. So we're pretty darn safe at 1024. But our threat model does include

*attacks on poor security user interfaces in online banking*

That's a clear and present danger. And one of the key, silent, killer causes of that is the sheer rarity of HTTPS. If we can move the industry to "HTTPS everywhere" then we can make a significant different. To our security.

On the other hand, we can shift to 2048, kill the move to "HTTPS everywhere", and save the US Government from losing sleep over the cyberwarfare it created for itself (c.f., the equity failure).

And that's what's going to happen. Cryptographic Numerology is on a roll, NIST's dice are loaded, our number is up. We have breached the law of unintended consequences, and we are going to be reducing the security of the Internet because of it. Thanks, NIST! Thanks, Mozilla, thanks, Microsoft.

---

[1] As well as this area, others have looked at how to make the bounty of cryptography more safely available to non-cognicenti. I especially push the aphorisms of Adi Shamir and Kerckhoffs. And, add my own meagre efforts in Hypotheses and Pareto-secure.

[2] For detailed work and references on Lenstra & Verheul's paper, see http://www.keylength.com/ which includes calculators of many of the various efforts. It's a good paper. They can't be criticised for it in the terms in this post, it's the law of unintended consequences again.

[3] Also, other work by NIST to standardise the PRNG (psuedo-random-number-generator) has to be applauded. The subtlety of what they have done is only becoming apparent after much argumentation: they've unravelled the unprovable entropy problem by unplugging it from the equation.

But they've gone a step further than the earlier leading work by Ferguson and Schneier and the various quiet cryptoplumbers, by turning the PRNG into a deterministic algorithm. Indeed, we can now see something special: NIST has turned the PRNG into a reverse-cycle message digest. Entropy is now the MD's document, and the psuedo-randomness is the cryptographically-secure hash that spills out of the algorithm.

Hey Presto! The PRNG is now the black box that provides the one-way expansion of the document. It's not the reverse-cycle air conditioning of the message digest that is exciting here, it's the fact that it is now a new class of algorithms. It can be specified, paramaterised, and most importantly for cryptographic algorithms, given test data to prove the coding is correct.

(I use the term reverse-cycle in the sense of air-conditioning. I should also stress that this work took several generations to get to where it is today; including private efforts by many programmers to make sense of PRNGs and entropy by creating various application designs, and a couple of papers by Ferguson and Schneier. But it is the black-boxification by NIST that took the critical step that I'm lauding today.)

62 Million Contracts are now no longer perfectable. Blame me?

In terms of value at risk, this has to be the winner in the monthly "most outrageous post across my desk" competition:

According to attorney Ellen Brown, author of "Web of Debt", a California bankruptcy court has followed what are now being called "landmark cases in other jurisdictions" in ruling that as many as 62 million mortgages may not be foreclosed on.

The result could force the biggest banks into bankruptcy because having millions of homeowners get title to their homes with no further mortgage payment would decimate the asset portfolio. As pointed out in a San Francisco Chronicle article in 2007:

"The loans at issue dwarf the capital available at the largest U.S. banks combined, and investor lawsuits would raise stunning liability sufficient to cause even the largest U.S. banks to fail...."

This is an issue that I knew about. We tried to solve it. Blame me. Which makes it much harder to write about.

What's going on here? And why the chicken-little panic? How much truth is in this? Unfortunately, some:

The problem is that at the height of the real estate bubble, mortgages were sliced and diced into investment products -- securities -- that changed hands frequently.

Whoa! Stop right there! This was not a problem constrained to the height of the bubble, but a structural innovation that has dominated the last 30-40 years. Permit me to set the record straight:

The problem is that at the height of the real estate bubble since the invention of securitization in the 1970s or so, mortgages were are sliced and diced into investment products -- securities -- that changed hands frequently.

If you wish to understand anything about the financial crisis, understand this:

securitization was a game-changer.

It was invented in the 1970s or so, and it set the scene for the massive boom we saw in the 2000s, and the massive collapse 2007-2009. Most confusing still, it's a good thing. Moving right along...

As a convenience for the mortgage industry, many of these mortgages were recorded electronically by a system called MERS (Mortgage Electronic Registration System).

At issue was when Citibank tried to foreclose on a property in California, the homeowner's defense was that the actual deed was held by MERS and yet since MERS could not offer a homeowner signed documentation to a mortgage agreement, they could not prove ownership and since they couldn't prove ownership, the Deed of Trust could not be transferred and Citibank's note was therefore uncollectible.

Basically, throughout the securitisation process that created the global financial collapse, the issue that was staring us in the face was that the various transactions were not being perfected. That is, the contracts were not being adequately backed up according to the standards of the day. That standard is ultimately measured in court, or not as Citibank has discovered above.

I saw this when I designed my system, and set out to resolve it. The Ricardian Contract form solves the above problem, in part because it is signed, and in other part because it solves a lot of other issues lurking in the mess above. And, when Jim and I filed it into the SEC, they realised that it addressed their concerns, too.

But like this blog post, the problems brought about by securitization's success were put off until tomorrow. And tomorrow's tomorrow. And ... then came 2007. Some singularity somewhere caused systemic ripples throughout the system, which caused all contracts to shake and wobble. But it is important, nay, essential to realise: the fundamental structural feature was securitization. The systemic wobble event was not important. Keep your eye on the securitization ball as it rolls on unchallenged through the USA financial quagmire.

Now they've gone to court, and:

The California bankruptcy court concluded:

"Since the claimant, Citibank, has not established that it is the owner of the promissory note secured by the trust deed, Citibank is unable to assert a claim for payment in this case."

So that's what is meant by a contract not being perfected. You can talk about it. You can sell it, slice & dice it, derive it and steal it. Start a boom, pay outrageous bonuses, watch the bubble burst. But you can't get a court to back all these things up. Which matters not one jot if everyone believes the boom will go forever...

Which leads to somewhat of an observation over modern finance... heck, all finance, and probably all business!

Finance is an inverted pyramid that sits on the apex of dispute resolution. Somewhere in a middle layer are contracts. Somewhere up top on the mesa are mortgages and loans and prosperity and the happiness of owning your own home. Down the bottom is dispute resolution.

If the apex collapses, don't be standing nearby with a camera.

Feel the dark side of Intellectual Property Rights. You know you want to....

The dark side of Intellectual Property is this: the structure of the market encourages theft, and more so than the more polite in society would predict. It's something that has really annoyed both sides of the debate; those who want to steal grumble about owners making it hard, while owners grumble that they need the help of their government for terrorising the first lot into financial dependency.

Two of the most abject victims of wikinomics are the newspaper and music industries. Since 2000, 72 American newspapers have folded. Circulation has fallen by a quarter since 2007. By some measures the music industry is doing even worse: 95% of all music downloads are illegal and the industry that brought the world Elvis and the Beatles is reviled by the young. Why buy newspapers when you can get up-to-the-minute news on the web? Why buy the latest Eminem CD when you can watch him on YouTube for free? Or, as a teenager might put it: what’s a CD?

Now, if it does that, if IP is structured that way, we can ask a number of searching questions. Was that what we intended? Is this a good thing or a bad thing? Can we improve it?

An interesting case of a company called Zynga (mentioned in last week's story) seems to make the case. First off, theft seems to be part & parcel of intellectual property:

In the latest SF Weekly cover story, multiple former employees of Zynga, speaking on condition that their names not be published so that they could discuss their work experiences candidly, tell us that studying and copying rivals' game concepts was business as usual. One senior employee who has since left the company describes a meeting where Zynga CEO and founder Mark Pincus said, "I don't fucking want innovation. You're not smarter than your competitor. Just copy what they do and do it until you get their numbers."

There's two ways of looking at this. Maybe Pincus has perfected a novel use of the perfect market hypothesis in innovation? Outstanding! In brief, the perfect market hypothesis as applied would say that the market has already acquired all the information, hence there is no point in trying to beat it, hence we should simply acquire the market.

Or maybe he has developed a new theory of creative destruction in innovation, following Schumpeter? It's certainly not my grandmother's definition of innovation, and some would call it by worse names (Guernica springs to mind, if I can bring in an IP link).

The Creative Destruction Theory of Innovation

On the other hand, the artists have a different take on the topic:

One of the more common complaints among former Zynga employees is about Pincus' distaste for original game design and indifference to his company's applications, beyond their ability to make money. "The biggest problem I had with him was that he didn't know or care about the games being good -- the bottom line was the only concern," a former game designer says. "While I'm all for games making money, I like to think there's some quality there."

Above, the "former game designer" suggests that his view of "goodness" should override the market's view, as expressed by the bottom line. The clear statement of his boss is the other way around.

Such a disdain for the message of the users is somewhat typical of fields of artistic endeavour where artists create their own shared, internal sense of goodness, and seek to avoid the market's view as insufficiently enlightening or overly opaque (etc). From where I sit, this is a view that artists can hold in a greenfield design where there simply isn't a market, and/or where the artist is also the investor.

But that latter point is troubling. Innovators are like artists, as a whole. One could suggest that innovators won't monetarise, because they'll be focussed on "goodness" and we might well be wasting our time supporting them to the extent of actually listening to them (I speak as an innovator, but prefer you not to mention it today). One could also suggest that they can't monetarise because that trap makes them perpetually too poor to invest.

What then happens if the innovatory process is really stacked in this direction? What happens if most innovators can't monetarise? How do we support a rationale whereby we as society should continue to support innovators with intellectual property rights at all? Why patents, brands, ideas, copyright, etc?

One answer is so they can recover at least something after it is appropriated:

Another former employee recalls a meeting where Zynga workers discussed a strategy for copying a gangster game, Mob Wars, and creating Zynga's own Mafia Wars application. "I was around meetings where things like that were being discussed, and the ramifications of things like that were being discussed -- the fact that they'd probably be sued by the people who designed the game," he says. "And the thought was, 'Well, that's fine, we'll settle.' Our case wasn't really defensible." (Mob Wars' creator, David Maestri, proprietor of Psycho Monkey, did sue Zynga for copyright infringement. The case was settled for an undisclosed amount.)

So let's stop doing upfront licensing and sales of IPR. The point being that as long as the innovator keeps innovating, and product gets to market, it matters not to everyone else whether he's paid for it before or after its use. Everyone wins.

Just not the way we thought. Not what the brochure said. The goal of intellectual property rights then might not be to save the rights, but to lose them. And, the more you lose, the better, as the the better the theft, the more you can claim back.

(On the search for a good aporism here! Comments welcome.)

If that were so, if we were to assume IP theft as a goal of public policy, we'd be switching our emphasis to making IP easier to prove and recover in litigation. Registrations might deal with the first part (but are arguably too too cumbersome and expensive).

What deals with the second part? How do we improve the rate of recovery in IP litigation? By all accounts, the victim in any litigation is typically the small guy, so the innovator has it stacked against him or her there, too.

The Facebook model succeeds. Next steps: copying, responding, losing.

Along the lines of previous reporting, it seems that Facebook has won its spurs. Eliot van Buskirk reports from Wired:

Facebook is making a play to become the dominant player in virtual currency — the funny money you use to everything from digital magazines to Farmville turnips. It’s already a billion-dollar business in which Facebook, the world’s largest social network, will face stiff competition from other behemoths like Apple, Google and PayPal.

Facebook already has a big advantage over those companies: a virtual currency, Facebook Credits, that works across different apps rather than being tied to one specific app or another.
...
Sales of virtual goods are projected to reach $1.6 billion this year in the United States alone, according to an Inside Network report. About half of that will be spent on social games, and the majority of that in Facebook games such as Farmville.

Facebook claims 30 percent of revenue when people buy these credits — the same cut Apple and Google slice off when users buy virtual goods within their apps — but is already the number one app across all smartphone platforms according to Nielsen.

This means that Facebook will earn its investors the return demanded. Because it has an active market place of many thousands of suppliers, it has gained control of the monetisation within its world, and it takes significant margin of that activity, this means that Facebook has cracked the revenue model in a way that few others have.

However, other big Internet players will notice the success, will revisit their flawed models, and will move to adopt the one that Facebook has worked out for them.

Apple has yet to create a cross-app virtual currency, but offers other virtual goods — iTunes songs, for instance — through pre-paid gift cards. Users may start wondering why they can’t use iTunes credits to purchase goods within iPhone apps like Farmville — and vice versa. And because so much money will be spent in this way, this problem could become a source of annoyance for users and app developers alike.

This is of interest to financial cryptography players as it establishes the basic business rules to play in this market. It's also of interest to regulators and incumbents (read: banks) who want to squash the market:

The U.S. has strict laws against creating new forms of currency, but there’s enough wiggle room for Apple (iTunes), Google (Checkout, Android), Paypal, individual developers, and others to join Facebook in creating virtual currencies that work in apps across their respective platforms, even those beyond games — music, movies, productivity apps, and so on. And that’s when things could get tricky, in the huge and expanding market for virtual goods.

Unfortunately the signs auger badly for them. As frequently commented here in this blog, the European Union tried to beat this one back in the 1990s and succeeded so well it lost. Meanwhile, the USA supported, and partly won with Paypal, but then reversed course and is now set to lose. And, unless the banks wave the get-out-of-jail-free card, they won't be getting as much attention as before. Curiously, their favourite "save me" card might be more justified this time (you know your banking, right?) but it's already been spent, and the results weren't good. Patience should be thin.

Perhaps it is time to roll out Goodhart's law as this blog's aphorism ad nauseum? Meanwhile, bringing the two battles together, this means that while the B-list is moving to copying, the A-list now starts its regulatory response phase.

Good luck on that immense strategic battle! Interesting times ahead.

Internet Intellectuals, Media Security Reporting, and other explorations in the market for silver bullets

Evgeny Morozov and a whole lot of other media-savvy people have a silver bullets moment when analysing Haystack, a hopeful attempt at bypassing censorship for citizens in countries like Iran. The software was released, lauded by the press, and got an export licence from the USA government.

By all media-validated expectations, Haystack should have been good to go on and wreak merry havoc against Iranian censorship. Until Jake Appelbaum and his team took a poke at it and discovered it permitted tracking of the dissidents. Then the media flipped and attacked. Familiar story, right?

I want to know why the media was so quick to push this tool. I want answers.

Morozov asks, in various ways, what went wrong? Here's a breakdown of what I think are his essential points, and my answers.

Why didn't the security community come in and comment? That's easy. The security community is mostly a commercially minded group of people who work for food. It includes a small adjunct rabble who make a lot of noise breaking things. Not for money, but for fun & media attention. Allegedly, Appelbaum said:

Haystack is the worst piece of software I have ever had the displeasure of ripping apart. Charlatans exposed. Media inquiries welcome.

If Jake's deep sarcasm isn't slapping you on the forehead, here it is in plain writing: we break the tools because it's cool, because the media write about it, and because it's fun. But the presence of the crowd-pleasing infosoc vigilantes doesn't mean that anyone is going to fix the broken efforts. Or provide good advice. No, that costs money:

UPDATE #1: I just received information that "Haystack has been turned off as of ~19:00 PST, Sept 10/2010", with Austin Heap agreeing that "Haystack will not be run again until there is a solid published threat model, a solid peer reviewed design, and a real security review of the Haystack implementation."

Look at for wider example, the fabled OpenPGP encryption system. In its long history, the major providers emerged as PGP Inc and GnuPG. Both of these groups had substantial funding or business reasons to carry on, to build, at one time or another. Which meant that their programmers could eat. As an alternate case in point, my own efforts in Cryptix OpenPGP went up and down to the tune of money and business need, not to the tune of crackers or bugs or media attention. The hoi polloi took their best shot at these products, and a few cracks were found, but the real story is how the builders built, not how the cracks were found.

So in essence we have in the security community an asymmetric relationship with the world. We are happy to break your product for our fun; but we won't be fixing it. For that, put your money on the table. If you want to change that, get the media to make building secure apps more sexy than breaking them. Simple, but the opposite of how the Haystack story went.

Next. Why did the State Department endorse Haystack with a license to export? The best way of seeing this is a case of "the enemy of my enemy is my friend." It has been evident since the start of the Bush administration (1990?) that the US government has a policy of taunting the Iranians when and how they can. So, of course, the Haystack product fit with the policy.

One could look at the technical merits of the product, and come to some sort of hopeful case. The license is not an endorsement of any strong security, it's actually the reverse. It is an endorsement that the security isn't strong enough to worry the USA. There is one further aspect: the exporting organization has a way to avoid any hard discussions: simply open source the product.

From that perspective, the State department has no benefit from not issuing the license, and every reason to issue it.

What is probably more interesting is to ask: what do we do about a product that puts Iranian lives at risk? The easy answer is to not put lives at risk. Let's not do that, it would seem undeniable to think otherwise, right?

Wrong. It is wrong, at three levels.

Firstly, this is clearly against the policy and practice of the various governments in this space, who routinely put foreign lives at risk in order to pursue local objectives. (We already established some alignment there, above.) According to the count of lives next-door in Iraqi, we're seemingly running at a 100:1 ratio, order of magnitude, of putting their lives at risk, compared to our lives. We might talk about "undeniable value of human life" but the facts make that a difficult assumption.

We could simply say that we the Internet, we the Intellectuals shouldn't adopt the low tactics and cavalier attitude of our governments. We are better than them!

Except, that's unfounded as well. Secondly: Consider the OpenPGP community: this community distributed encrypted software that was frequently used by the same target audience as Haystack. I know because I was part of that community (proudly) and I heard some of the stories.

Stories of success, and stories of failure. People used OpenPGP product and people disappeared and people died.

So why this apparent contradiction? Why is OpenPGP so secure, but people still die, whereas we don't accept Haystack which is insecure and might lead to deaths? The answer is risk.

All security is risk-based. Adi Shamir put it best:

• Absolutely secure systems do not exist.
• To halve your vulnerability, you have to double your expenditure.
• Cryptography is typically bypassed, not penetrated.

Security is relative to everything, and the "black box" called Haystack or OpenPGP is only a part of that context. The security of Haystack may be sufficient in one context, OpenPGP may be hopeless in another context.

And it takes quite a lot of experience, and fairly difficult analysis of the overall context to establish whether the risk of a tool is worth taking. For example, we deep in the security community know that all OpenPGP products can be utterly defeated with equipment worth about five bucks.

Which should make the point: we can't easily say that the use of Haystack will be absolutely safer or less safe. We can only take on risk, or expose others to risk through our efforts, which is why Haystack may well have deserved the Entrepreneur award: the team went where others were too afraid to go, the true spirit of an Entrepreneur.

Finally, thirdly, and to close on risk, we must always consider the null option: we do nothing, therefore we cannot put lives at risk. Right?

No, wrong again. The Null option, do nothing, doesn't work either. If we do not supply OpenPGP secure communications to the Iranian dissidents (or Haystack or whoever, or whatever) then they will use less secure techniques. Because of our actions to limit the availability of secure tools, our actions of denial will increase risk for some others.

That's because we can assume that the dissidents will diss, and we can either help them by providing better tools, or stand idly by while they die for want of better tools. We have to negate the easy implication of "causality & responsibility," there is no simple binary responsibility here; people die if we act, and they die if don't act. Our risk might go down if we do nothing, their's may go up.

What in summary do we have? How to answer the blogsphere angst of "how did this happen to us? Why can't you fix it? The government must do something?"

That's leading to the final question. Why is it that this is so hard, when it seems so easy? Who can we blame for the hype? Why have the expectations of the media been so truly flipped over in the blink of an eye?

The security market is a market in silver bullets.

In other words, in a silver bullets market, there is an absence of well-agreed solid practice & theory. There are lots of producers, and there are lots of products, and lots of theories and lots of practices. But, within the security community, these theories are at war with one-another, and for every apparently sustainable argument, you'll be able to find someone to trash it. And the data to prove it trash-worthy.

In this sense, security is about as well understood as freedom. Just to give a case in point: this article quotes the misnamed and misunderstood Kerckhoffs' Principle:

"Although we sincerely wish we could release Haystack under a free software license, revealing the source code at this time would only aide the authorities in blocking Haystack."

That’s a statement in direct conflict with Kerckhoffs' Principle, a cornerstone of security philosophy. The Principle states that the only security worth doing is that which remains secure even if your enemy knows the totality of how it works. Haystack’s refusal to publish the software is an enormous red-flag to security practitioners, suggesting strongly that some aspect of the security it provides somehow hinges on a parlour trick that - once known - becomes useless or potentially hazardous.

This is a reference to Kerckhoffs 6 principles of secure communications which fails for a too-simple reading of one of them. It's a common problem.

Kerckhoffs' second principle states "It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience;" Unfortunately, this is not strictly true. K2 remains a principle and not a law, and yes, when people talk about Kerckhoffs' law, they are wrong.

It's perhaps easier to show this by a hypothetical: if for example Haystack had been built as a Skype plugin, or had used RIM's Blackberry enterprise layer, etc, would we then be able to rely on it? Yes, remembering our risk discussion, because it would be better than the alternate. But these things are secret, breaking K2. Or for more realworld example, if the NSA were to mount Haystack, now with new-improved-secret-crypto!, do you think they would be publishing the source?

Why then does K2 work for us, or as Shannon's maxim, "the enemy knows the system" ? Because revealing the internal design generally makes it much harder to hide behind incompetence. And the silver bullet aspect of the entire security world makes it almost a given that an incompetent result is ensured. In this, Haystack has proved the general incompetence principle of secrecy: that a secret system is likely to hide a great deal of incompetence.

But, that can still be a good risk to take. It all depends. There is no absolute security, so where you draw the line, depends. On everything. Now perhaps we see why Adi's words above, and Kerckhoffs principles, *all of them*, have sustained over time. Knowing the Principles and Hypotheses of security engineering is a given, that's the job of a protocol engineer. That which separates out engineering from art is knowing when to breach a hypothesis.

All this by way of showing that one man's security wisdom might be another man's folly, and in such a world, a silver bullet is a seemingly valuable thing.

Should we support Haystack, knowing all the above? Yes. But maybe we needed hindsight to see the reasons, laid out more clearly. Look at the public lambasting that the participants have had!

Now, imagine you want to do a better job. Feel scared and queasy? Yup, in the climate generated by the media, the security folk and the political agenda, today, there are relatively few incentives to take on this task. Instead, there are much greater incentives to build a social network and really monetarise the potential for massive abuses in privacy than to muck around with democracy and freedom of speech and all that.

Secondly, consider the open security community. We will break it for you, but we won't help you fix it. Like the media, our attention is slanted dramatically against you.

So, in practice, it should be no surprise that groups such as the Haystack team are few and far between. It's almost as if we have the devil's choice: a dodgy system or no system at all. A good security model is not a cheap option, it's not a practical option, nor an economic option. Security will kill your dreams, the structure of the industry makes it so.

If your objective is to help freedom of speech, then delivering crypto systems will help, even ones with known leaks. That's assuming they will do some good, in the balance. There is one final advantage, it is also a lot easier to fix broken tools than to fix absent tools. In contrast to accepted wisdom, writing the solid security model up front, with no customer base, is a fool's errand.

Innovation: a word, a dream or a nightmare?

It is fairly normal to hear people talk about innovation, but it doesn't take much experience to realise there is a gulf between the reality and the buzzword. Innovation is not something we can bring to the company just by talking about it. Here's some cold water poured on popular notions by Govindarajan and Trimble (G&T):

The fashion these days is to focus on the supply side of innovation: for example, by encouraging everyone to think big thoughts. 3M, the maker of Post-it notes, ...

Fashion in innovation thinking is an oxymoron if ever I saw one! When did 3M invent Post-it notes? No matter, let's carry on:

...expects its workers to spend 15% of their time on their own projects. Google expects them to spend 20%. This approach is attractively democratic: by giving everyone a chance to innovate, it makes everyone feel special. Or so the theory goes. G&T are ready with the cold water. The let-them-loose approach spreads resources thinly and indiscriminately. Companies dissolve into a thousand small initiatives rather than focusing on a few big problems. It also produces far too many ideas: managers have to spend weeks sorting through the chaff to find a few grains of wheat.

I've seen the 20% idea in operation, and it doesn't work. Calling it democratic is a good approximation, so there is some value to it in a tight bureaucracy seeking to "empower" its people. But innovation-driving it isn't, and doing it in a technology company like google reveals a profound misunderstanding of the techie's human psyche. I'd even suggest that the approach quite possibly hides the sources of true innovation.

G&T say that you need to start by recognising that innovation is unnatural.

Hallelujah! Now, ask your boss whether she'd like something unnatural to happen to her this week ... and we'd be getting close to why that it isn't going to happen.

Established businesses are built for efficiency, which depends on predictability and repeatability—on breaking tasks down into their component parts and holding employees accountable for hitting their targets. But innovation is by definition unpredictable and uncertain. Bosses may sing a pretty song about innovation being the future. But in practice the heads of operational units will favour the known over the unknown.

Right. But it is also not just companies that are obsessed with these things. People are scared, scared for their jobs. Mundane is safe, innovation gets you fired, or if you are lucky the credit will be lost to others. Far safer to talk the buzzwords, only.

So how to to turn big corporations or departments into innovation factories? Well, it's probably unreasonable because we are likely in that statistical impossibility space. Either people will talk about it, and not do it (for fear of their jobs), or people will do it and lose their jobs. So every lesson will be an anti-innovation lesson, and any accidental slippage into innovation will be dismissed as a statistical outlier.

Annecdote: I recall presenting on the fundamentals of why innovation is impossible in banking, to a big british bank's Head of Innovation. Of course, he argued I was wrong. But after he left, two of his employees told me that while he talked the talk very well, he did everything possible to avoid innovation. He was the head of Innovatory Capture & Suppression, and he served the bank well.

The only way to crack the anti-innovatory structure of business is to change the rules.

Many would-be innovators deal with the trade-off between efficiency and innovation by rejecting traditional management entirely. They repeat mantras about “breaking all the rules” and “asking for forgiveness rather than permission”. They set up skunk works (small, autonomous units with a remit to innovate) and mock the boring corporate types who write their pay-cheques. But again this is counter-productive.

However, not the rules written on paper, but the meta-rules of the operation! (People who talk about breaking the rules are generally using this as a cover to get their own way.)

G&T argue that companies need to build dedicated innovation machines. These machines need to be free to recruit people from outside (since big companies tend to attract company men rather than rule-breakers). They also need to be free from some of the measures that prevail in the rest of the company.

Right! But! That gets us back to the same dilemma:

But they must avoid becoming skunk works. They need to be integrated with the rest of the company—they must share some staff, for example, and they must tap into the wider company’s resources as they turn ideas into products. And they must be tightly managed according to customised rather than generic rules. For example, they should be held accountable for their ability to learn from mistakes rather than for their ability to hit their budgets.

We can talk about it but we won't actually do it. Or, what we do will not be it. Or what we do will be captured or dispersed, so not learnt.

Innovation in big corporates, as a turnaround, /has been done/. But the cases are relatively rare, and the conditions are hard to duplicate. Innovation happens in the startup sector, and the word innovation is never used there, it's just business, or survival, or the founder's omniscience. That is, the natural state of the startup is to write the meta-rules, so it is totally natural that the unnatural takes place.

Which perhaps confirms that the only successful strategy for innovation a large company has is to buy out small successful startups ... Sorry about that!

Niall Ferguson - Empires on the Edge of Chaos

Niall Ferguson spoke a few weeks ago at something called the CIS, supposedly a right-wing thinktank in Australia. He's well known for his Ascent of Money series, which is the thing you buy on DVD if you want to tell your Mum about economics and the way the world works. He's also that rarest breed in economics - he's not an economist at all, he's a historian.

His speech is here. It's a very big video download (26Mb), it seems, so I'll post this *after* my download else I'll never see it. Also, see it on vimeo directly which might work better.

Other writings on the same theme can be found in An Empire at Risk and America, the Fragile Empire. But frankly, the words in print don't do justice. It's a great presentation, both in terms of the picture it draws, the evidence assembled, and how well it was presented.

(The introduction of around 8-9 minutes is very skippable...) (Slightly edited to incorporate new links.)

I Love Gold

Gunnar points to:

I Love Gold:

memes in infosec III - Perimiter defences against the unknown, invisible, unmeasurable...

Clive Robinson writes in comments, and I can do little more than post it as a special Friday 13th edition. Good luck:

---

The problem of spend too little, get hurt, spend too much, waste resources unprofitably is older even than money.

It is the basic problem with all defensive behaviour. If you go back to the times of the "hunter-gather" the gathers had an issue (as do all prey): if you put all your resources into gathering then you will not see the predator stalking you. If all gathers spend their time looking for predators, then no gathering will occur and they will starve. Thus there is some trade-off towards an optimum value of lookouts for any given predator, terrain or group size of gathers.

Interestingly the optimum is usually less than four, for all predators and group sizes that fit within a moderate shout range in open terrain. For larger groups, it is usually the number of watchers that will go around the edge of the group and remain within moderate shout range in open terrain. In closed terrain it depends not on shout distance but visual distance. Which is why you get very large groups (antelope, etc) in the open savanna, but much smaller-sized groups (monkeys) in closed areas such as scrub and forest, etc.

Now the important thing to notice is that the number of watchers goes up at a very very small fraction of the number of gathers.

All of which is why traditionally we have looked at perimeter defence. However it has a "physical assumption" underlying it which is "locality" which further assumes "visibility". In a network environment with 0-day attacks, everywhere that is connected is local. Thus perimeter defence only works with visible attack vectors (i.e. those that are known or exhibit behaviour that is sufficiently different from the norm to be detected).

Thus there are three basic classes of attack vector,

1. Known (i.e. known knowns).
2. Visible (i.e. unknown knowns).
3. Unknown (unknown unknowns).

Within reason the Known Class can be correctly defended against with up-to-date Anti-malware, without effecting the day-to-day activities of a host (within the network perimeter). A simple measurand for this class is the number of attacks stopped.

Again within reason, the Visible Class may be mitigated against using various probabilistic techniques. This however may well involve considerable delay (with respect to attack time, not human time) and require "isolation" or "quarantining" hosts within the network perimeter which will usually negatively impact day-to-day activities of a host (within the perimeter). A simple measurand for this class is the number of events detected, a more difficult but more useful measurand is to distinguish between the "positives" (i.e. those that are seen and are proven to be attacks, those that are seen and assumed to be attacks and those that are seen and proven to be false alarms).

At first sight the Unknown Class cannot be defended against because there is "nothing to see" thus detect. Therefore the only perimeter possible is a "perfect air gap" which in current times makes a significant impact on some day to day activities of the hosts on such networks. Because there is "nothing to see" it could be argued that there is no measurand.

Setting the resource line should place it between the Visible and Unknown classes, but in most cases, resource restrictions actually puts it between the Known and Visible classes.

The question then arises, is the Unknown class really unknown?

The answer is probabilistic or a "Qualified No".

If an attack does not copy any host data and does not modify any host or its data and does not impact a hosts day-to-day activities, then its impact inside the perimeter is negligibly small at that point in time (it might for arguments sake use spare CPU cycles and memory to crack password files from another location).

Such activity might be very difficult but not impossible to spot. Currently, with monolithic executable files and current operating systems, it is effectively not possible to spot.

However there is a way that this problem can be resolved but it requires a different computing platform methodology both in hardware and software.

---

At which point, Clive stopped, leaving us dangling :)

Hacking the Apple, when where how... and whether we care why?

One of the things that has been pretty much standard in infosec is that the risks earnt (costs incurred!) from owning a Mac have been dramatically lower. I do it, and save, and so do a lot of my peers & friends. I don't collect stats, but here's a comment from Dan Geer from 2005:

Amongst the cognoscenti, you can see this: at security conferences of all sorts you’ll find perhaps 30% of the assembled laptops are Mac OS X, and of the remaining Intel boxes, perhaps 50% (or 35% overall) are Linux variants. In other words, while security conferences are bad places to use a password in the clear monoculture on the back of the envelope over a wireless channel, there is approximately zero chance of cascade failure amongst the participants.

I recommend it on the blog front page as the number 1 security tip of all:

#1 buy a mac.

Why this is the case is of course a really interesting question. Is it because Macs are inherently more secure, in themselves? The answer seems to be No, not in themselves. We've seen enough evidence to suggest, at an anecdotal level, that when put into a fair fight, the Macs don't do any better than the competition. (Sometimes they do worse, and the competition ensures those results are broadcast widely :)

However it is still the case that the while the security in the Macs aren't great, the result for the user is better -- the costs resulting from breaches, installs, virus slow-downs, etc, remain lower [1]. Which would imply the threats are lower, recalling the old mantra of:

Business model ⇒ threat model ⇒ security model

Now, why is the threat (model) lower? It isn't because the attackers are fans. They generally want money, and money is neutral.

One theory that might explain it is the notion of monoculture.

This idea was captured a while back by Dan Geer and friends in a paper that claimed that the notion of Microsoft's dominance threated the national security of the USA. It certainly threatened someone, as Dan lost his job the day the paper was released [2].

In brief, monoculture argues that when one platform gains an ascendency to dominate the market, then we enter a situation of particular vulnerability to that platform. It becomes efficient for all economically-motivated attackers to concentrate their efforts on that one dominant platform and ignore the rest.

In a sense, this is an application of the Religion v. Darwin argument to computer security. Darwin argued that diversity was good for the species as a whole, because singular threats would wipe out singular species. The monoculture critique can also be seen as analogous to Capitalism v. Communism, where the former advances through creative destruction, and the latter stagnates through despotic ignorance.

A lot of us (including me) looked at the monoculture argument and thought it ... simplistic and hopeful. Yet, the idea hangs on ... so the question shifts for us slower skeptics to how to prove it [3]?

Apple is quietly wrestling with a security conundrum. How the company handles it could dictate the pace at which cybercriminals accelerate attacks on iPhones and iPads.

Apple is hustling to issue a patch for a milestone security flaw that makes it possible to remotely hack - or jailbreak - iOS, the operating system for iPhones, iPads and iPod Touch.

Apple's new problem is perhaps early signs of good evidence that the theory is good. Here we have Apple struggling with hacks on its mobile platform (iPads, iPods, iPhones) and facing a threat which it seemingly hasn't faced on the Macs [4].

The differentiating factor -- other than the tech stuff -- is that Apple is leading in the mobile market.

IPhones, in particular, have become a pop culture icon in the U.S., and now the iPad has grabbed the spotlight. "The more popular these devices become, the more likely they are to get the attention of attackers," says Joshua Talbot, intelligence manager at Symantec Security Response.

Not dominating like Microsoft used to enjoy, but presenting enough of a nose above the pulpit to get a shot taken. Meanwhile, Macs remain stubbornly stuck at a reported 5% of market share in the computer field, regardless of the security advice [5]. And nothing much happens to them.

If market leadership continues to accrue to Apple in the iP* mobile sector, as the market expect it does, and if security woes continue as well, I'd count that as good evidence [6].

---

[1] #1 security tip remains good: buy a Mac, not because of the security but because of the threats. Smart users don't care so much why, they just want to benefit this year, this decade, while they can.

[2] Perhaps because Dan lost his job, he gets fuller attention. The full cite would be like: Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman, Bruce Schneier, "CyberInsecurity: The Cost of Monopoly How the Dominance of Microsoft's Products Poses a Risk to Security." Preserved by the inestimable cryptome.org, a forerunner of the now infamous wikileaks.org.

[3] Proof in the sense of scientific method is not possible, because we can't run the experiment. This is economics, not science, we can't run the experiment like real scientists. What we have to do is perhaps psuedo-scientific-method; we predict, we wait, and we observe.

[4] On the other hand, maybe the party is about to end for Macs. News just in:

Security vendor M86 Security says it's discovered that a U.K.-based bank has suffered almost $900,000 (675,000 Euros) in fraudulent bank-funds transfers due to the ZeuS Trojan malware that has been targeting the institution.

Bradley Anstis, vice president of technology strategy at M86 Security, said the security firm uncovered the situation in late July while tracking how one ZeuS botnet had been specifically going after the U.K.-based bank and its customers. The botnet included a few hundred thousand PCs and even about 3,000 Apple Macs, and managed to steal funds from about 3,000 customer accounts through unauthorized transfers equivalent to roughly $892,755.

Ouch!

[4] I don't believe the 5% market share claim ... I harbour a suspicion that this is some very cunning PR trick in under-reporting by Apple, so as to fly below the radar. If so, I think it's well past its sell-by date since Apple reached the same market cap as Microsoft...

[5] What is curious is that I'll bet most of Wall Street, and practically all of government, notwithstanding the "national security" argument, continue to keep clear of Macs. For those of us who know the trick, this is good. It is good for our security nation if the governments do not invest in Macs, and keep the monoculture effect positive. Perverse, but who am I to argue with the wisdom in cyber-security circles?

Are we spending too little on security? Or are we spending too much??

Luther Martin asks this open question:

---

Ian,

I have a quick question for you based on some recent discussions. Here's the background.

The first was with a former co-worker who works for the VC division of a large commercial bank. He tells me that his bank really isn't interested in investing in security companies. Why? Apparently foreach $100 of credit card transactions there's about $4 of loss due to bad debt and about only $0.10 of loss due to fraud. So if you're making investments, it's clear where you should put your money.

Next, I was talking with a guy who runs a large credit card processing business. He was complaining about having to spend an extra $6 million on fraud reduction while his annual losses due to fraud are only about $250K.

Finally, I was also talking to some people from a government agency who were proud of the fact that they had reduced losses due to security incidents in their division by $2 million last year. The only problem is that they actually spent $10 million to do this.

So the question is this: are we not spending enough on security or are we spending too much, but on the wrong things?

Luther

memes in infosec I - Eve and Mallory are missing, presumed dead

Things I've seen that are encouraging. Bruce Schneier in Q&A:

Q: We've also seen Secure Sockets Layer (SSL) come under attack, and some experts are saying it is useless. Do you agree?

A: I'm not convinced that SSL has a problem. After all, you don't have to use it. If I log-on to Amazon without SSL the company will still take my money. The problem SSL solves is the man-in-the-middle attack with someone eavesdropping on the line. But I'm not convinced that's the most serious problem. If someone wants your financial data they'll hack the server holding it, rather than deal with SSL.

Right. The essence is that SSL solves the "easy" part of the problem, and leaves open the biggest part. Before the proponents of SSL say, "not our problem," remember that AADS did solve it, as did SOX and a whole bunch of other things. It's called end-to-end, and is well known as being the only worthwhile security. Indeed, I'd say it was simply responsible engineering, except for the fact that it isn't widely practiced.

OK, so this is old news, from around March, but it is worth declaring sanity:

Q: But doesn't SSL give consumers confidence to shop online, and thus spur e-commerce?

A: Well up to a point, but if you wanted to give consumers confidence you could just put a big red button on the site saying 'You're safe'. SSL doesn't matter. It's all in the database. We've got the threat the wrong way round. It's not someone eavesdropping on Eve that's the problem, it's someone hacking Eve's endpoint.

Which is to say, if you are going to do anything to fix the problem, you have to look at the end-points. The only time you should look at the protocol, and the certificates, is how well they are protecting the end-points. Meanwhile, the SSL field continues to be one for security researchers to make headlines over. It's BlackHat time again:

"The point is that SSL just doesn't do what people think it does," says Hansen, an security researcher with SecTheory who often goes by the name RSnake. Hansen split his dumptruck of Web-browsing bugs into three categories of severity: About half are low-level threats, 10 or so are medium, and two are critical. One example...

Many observers in the security world have known this for a while, and everyone else has felt increasingly frustrated and despondent about the promise:

There has been speculation that an organization with sufficient power would be able to get a valid certificate from one of the 170+ certificate authorities (CAs) that are installed by default in the typical browser and could then avoid this alert ....

But how many CAs does the average Internet user actually need? Fourteen! Let me explain. For the past two weeks I have been using Firefox on Windows with a reduced set of CAs. I disabled ALL of them in the browser and re-enabled them one by one as necessary during my normal usage....

On the one hand, SSL is the brand of security. On the other hand, it isn't the delivery of security; it simply isn't deployed in secure browsing to provide the user security that was advertised: you are on the site you think you are on. Only as we moved from a benign world to a fraud world, around 2003-2005, this has this been shown to matter. Bruce goes on:

Q: So is encryption the wrong approach to take?

A: This kind of issue isn't an authentication problem, it's a data problem. People are recognising this now, and seeing that encryption may not be the answer. We took a World War II mindset to the internet and it doesn't work that well. We thought encryption would be the answer, but it wasn't. It doesn't solve the problem of someone looking over your shoulder to steal your data.

Indeed. Note that comment about the World War II mindset. It is the case that the entire 1990s generation of security engineers were taught from the military text book. The military assumes its nodes -- its soldiers, its computers -- are safe. And, it so happens, that when armies fight armies, they do real-life active MITMs against each other to gain local advantage. There are cases of this happening, and oddly enough, they'll even do it to civilians if they think they can (ask Greenpeace). And the economics is sane, sensible stuff, if we bothered to think about it: in war, the wire is the threat, the nodes are safe.

However, adopting "the wire" as the weakness and Mallory as the Man-In-The-Middle, and Eve as the Eavesdropper as "the threat" in the Internet was a mistake. Even in the early 1990s, we knew that the node was the problem. Firstly, ever since the PC, nodes in commercial computing are controlled by (dumb) users not professional (soldiers). Who download shit from the net, not operate trusted military assets. Secondly, observation of known threats told us where the problems lay: floppy viruses were very popular, and phone-line attacks were about spoofing and gaining entry to an end-point. Nobody was bothering with "the wire," nobody was talking about snooping and spying and listening [*].

The military model was the precise reverse of the Internet's reality.

To conclude. There is no doubt about this in security circles: the SSL threat model was all wrong, and consequently the product was deployed badly.

Where the doubt lies is how long it will take the software providers to realise that their world is upside down? It can probably only happen when everyone with credibility stands up and says it is so. For this, the posts shown here are very welcome. Let's hear more!

---

[*] This is not entirely true. There is one celebrated case of an epidemic of eavesdropping over ethernets, which was passwords being exchanged over telnet and rsh connections. A case-study in appropriate use of security models follows...

PS: Memes II - War! Infosec is WAR!

The difference between 0 breaches and 0+delta breaches

Seen on the net, by Dan Geer:

The design goal for any security system is that the number of failures is small but non-zero, i.e., N>0. If the number of failures is zero, there is no way to disambiguate good luck from spending too much. Calibration requires differing outcomes.

I've been trying for years to figure out a nice way to describe the difference between 0 failures, and some small number N>0 like 1 or 2 or 10 in a population of a million.

Dan might have said it above: If the number of failures is zero, there is no way to disambiguate good luck from spending too much.

Has he nailed it? It's certainly a lot tighter than my long efforts ... Once we get that key piece of information down, we can move on. As he does:

Regulatory compliance, on the other hand, stipulates N==0 failures and is thus neither calibratable nor cost effective. Whether the cure is worse than the disease is an exercise for the reader.

An insight! For regulatory compliance, I'd substitute public compliance, which includes all the media attention and reputation attacks.

questioning infosec -- don't buy into professionalism, certifications, and other silver bullets

Gunnar posts on the continuing sad saga of infosec:

There's been a lot of threads recently about infosec certification, education and training. I believe in training for infosec, I have trained several thousand people myself. Greater knowledge, professionalism and skills definitely help, but are not enough by themselves.

We saw in the case of the Great Recession and in Enron where the skilled, certified accounting and rating professions totally sold out and blessed bogus accounting practices and non-existent earning.

Right. And this is an area where the predictions of economics are spot on. In Akerlof's seminal paper "the Market for Lemons," he predicts that the asymmetry of information can be helped by institutions. In the economics sense, institutions are non-trading, non-2-party market contractual arrangements of long standing to get stuff happening. Professionalism, training, certifications, etc all are slap-bang in the recommendations.

So why don't they help? There's a simple answer: we aren't in the market for lemons! There's one key flaw: Lemons postulates that the seller knows and the buyer doesn't, and that simply doesn't apply to infosec. (Criteria #1) In the market for security, the seller knows about his tool, but he doesn't know whether it is fit for the buyer. In contrast, the salesman in Akerlof's market assumed correctly that a car was good for the buyer, so the problem really was sharing the secret information from the seller to the buyer. Used car warranties did that, by forcing the seller to reveal his real pricing.

The buyer doesn't really know what he wants, and the seller has no better clue. Indeed, it may be that the buyer has more of a clue, and at least sometimes. So professionalism, certification, training and warranties isn't going to be the answer.

Another way of looking at this is that in infosec, in common with all security markets (think defence, crime) there is a third party: the attacker. This is the party that really knows, so knowledge-based solutions without clear incorporation of the aggressor's knowledge aren't going to work. This is why buying the next generation stealth fighter is not really helpful when your attacker is a freedom fighter in an Asian hell-hole with an IED. But it's a lot more exciting to talk about.

Which leads me to one controversial claim. If we can't get useful information from the seller, then the answer is, you've got to find it by yourself. It's your job, do it. And that's really what we mean by professionalism -- knowing when you can outsource something, and knowing when you can't.

That's controversial because legions of infosec product suppliers will think they're out of a job, but that's not quite true. It just requires a shift in thinking, and a willingness to think about the buyer's welfare, not just his wallet. How do we improve the ability of the client to do their job? Which leads right back to education: it is possible to teach better security practices. It's also possible to teach better risk practices. And, it can be done on an organisation-wide basis. Indeed, this is one of the processes that Microsoft took in trying to escape their security nightmare: get rid of the security architecture silos and turn the security groups into education groups [1].

So from this claim, why the flip into a conundrum. Why aren't certifications the answer? It's because certifications /are an institution/ and institutions are captured by one party or another. Usually, the sellers. Again a well-known prediction from economics: institutions to protect the buyer are generally captured by the seller in time (if not in the creation). I think this was by Stiglitz or Stigler, pointing to finance market regulation, again.

A supplier of certifications needs friends in industry, which means they need to also sell the product of industry. It's hard to make friends selling contrarian advice, it is far more profitable selling middle-of-the-road advice about your partners [2]. "Let's start with SSL + firewalls ..." Nobody's going to say boo, just pass go, just collect the fees. In contrast:

In short, the biggest problem in infosec is integration. Education around security engineering for integration would be most welcome.

That's tough, from an institutional point of view.

---

[1] Of course, even for Microsoft, bettering their internal capabilities was no silver bullet. They did get better, and it is viewed now that their latest products are more secure. FWIW. But, they still lost pole position last week, as Apple pipped Microsoft to become the world's biggest tech organisation, by market cap. Security played its part in that, and it is something of a rather stellar prediction that it still remains better /for your security/ to work with a Mac, because apparent Mac market shares are still low enough to earn a monoculture bounty for Apple users. Microsoft, keep trying, some are noticing, but no cigar as yet :)

[2] E.g., I came across a certification and professional code of conduct that required you to sign up as promoting /best practices/. Yet, best practices are lowest-common-denominator, they are the set of uncontroversial products. We're automatically on the back foot, because we're encouraging an organisation to lower its own standards to best practices, and comply with whatever list someone finds off the net, and stop right there. Hopeless!

Why the browsers must change their old SSL security (?) model

In a paper Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL_, by Christopher Soghoian and Sid Stammby, there is a reasonably good layout of the problem that browsers face in delivering their "one-model-suits-all" security model. It is more or less what we've understood all these years, in that by accepting an entire root list of 100s of CAs, there is no barrier to any one of them going a little rogue.

Of course, it is easy to raise the hypothetical of the rogue CA, and even to show compelling evidence of business models (they cover much the same claims with a CA that also works in the lawful intercept business that was covered here in FC many years ago). Beyond theoretical or probable evidence, it seems the authors have stumbled on some evidence that it is happening:

The company’s CEO, Victor Oppelman confirmed, in a conversation with the author at the company’s booth, the claims made in their marketing materials: That government customers have compelled CAs into issuing certificates for use in surveillance operations. While Mr Oppelman would not reveal which governments have purchased the 5-series device, he did confirm that it has been sold both domestically and to foreign customers.

(my emphasis.) This has been a lurking problem underlying all CAs since the beginning. The flip side of the trusted-third-party concept ("TTP") is the centralised-vulnerability-party or "CVP". That is, you may have been told you "trust" your TTP, but in reality, you are totally vulnerable to it. E.g., from the famous Blackberry "official spyware" case:

Nevertheless, hundreds of millions of people around the world, most of whom have never heard of Etisalat, unknowingly depend upon a company that has intentionally delivered spyware to its own paying customers, to protect their own communications security.

Which becomes worse when the browsers insist, not without good reason, that the root list is hidden from the consumer. The problem that occurs here is that the compelled CA problem multiplies to the square of the number of roots: if a CA in (say) Ecuador is compelled to deliver a rogue cert, then that can be used against a CA in Korea, and indeed all the other CAs. A brief examination of the ways in which CAs work, and browsers interact with CAs, leads one to the unfortunate conclusion that nobody in the CAs, and nobody in the browsers, can do a darn thing about it.

So it then falls to a question of statistics: at what point do we believe that there are so many CAs in there, that the chance of getting away with a little interception is too enticing? Square law says that the chances are say 100 CAs squared, or 10,000 times the chance of any one intercept. As we've reached that number, this indicates that the temptation to resist intercept is good for all except 0.01% of circumstances. OK, pretty scratchy maths, but it does indicate that the temptation is a small but not infinitesimal number. A risk exists, in words, and in numbers.

One CA can hide amongst the crowd, but there is a little bit of a fix to open up that crowd. This fix is to simply show the user the CA brand, to put faces on the crowd. Think of the above, and while it doesn't solve the underlying weakness of the CVP, it does mean that the mathematics of squared vulnerability collapses. Once a user sees their CA has changed, or has a chance of seeing it, hiding amongst the crowd of CAs is no longer as easy.

Why then do browsers resist this fix? There is one good reason, which is that consumers really don't care and don't want to care. In more particular terms, they do not want to be bothered by security models, and the security displays in the past have never worked out. Gerv puts it this way in comments:

Security UI comes at a cost - a cost in complexity of UI and of message, and in potential user confusion. We should only present users with UI which enables them to make meaningful decisions based on information they have.

They love Skype, which gives them everything they need without asking them anything. Which therefore should be reasonable enough motive to follow those lessons, but the context is different. Skype is in the chat & voice market, and the security model it has chosen is well-excessive to needs there. Browsing on the other hand is in the credit-card shopping and Internet online banking market, and the security model imposed by the mid 1990s evolution of uncontrollable forces has now broken before the onslaught of phishing & friends.

In other words, for browsing, the writing is on the wall. Why then don't they move? In a perceptive footnote, the authors also ponder this conundrum:

3. The browser vendors wield considerable theoretical power over each CA. Any CA no longer trusted by the major browsers will have an impossible time attracting or retaining clients, as visitors to those clients’ websites will be greeted by a scary browser warning each time they attempt to establish a secure connection. Nevertheless, the browser vendors appear loathe to actually drop CAs that engage in inappropriate be- havior — a rather lengthy list of bad CA practices that have not resulted in the CAs being dropped by one browser vendor can be seen in [6].

I have observed this for a long time now, predicting phishing until it became the flood of fraud. The answer is, to my mind, a complicated one which I can only paraphrase.

For Mozilla, the reason is simple lack of security capability at the *architectural* and *governance* levels. Indeed, it should be noticed that this lack of capability is their policy, as they deliberately and explicitly outsource big security questions to others (known as the "standards groups" such as IETF's RFC committees). As they have little of the capability, they aren't in a good position to use the power, no matter whether they would want to or not. So, it only needs a mildly argumentative approach on the behalf of the others, and Mozilla is restrained from its apparent power.

What then of Microsoft? Well, they certainly have the capability, but they have other fish to fry. They aren't fussed about the power because it doesn't bring them anything of use to them. As a corporation, they are strictly interested in shareholders' profits (by law and by custom), and as nobody can show them a bottom line improvement from CA & cert business, no interest is generated. And without that interest, it is practically impossible to get the various many groups within Microsoft to move.

Unlike Mozilla, my view of Microsoft is much more "external", based on many observations that have never been confirmed internally. However it seems to fit; all of their security work has been directed to market interests. Hence for example their work in identity & authentication (.net, infocard, etc) was all directed at creating the platform for capturing the future market.

What is odd is that all CAs agree that they want their logo on their browser real estate. Big and small. So one would think that there was a unified approach to this, and it would eventually win the day; the browser wins for advancing security, the CAs win because their brand investments now make sense. The consumer wins for both reasons. Indeed, early recommendations from the CABForum, a closed group of CAs and browsers, had these fixes in there.

But these ideas keep running up against resistance, and none of the resistance makes any sense. And that is probably the best way to think of it: the browsers don't have a logical model for where to go for security, so anything leaps the bar when the level is set to zero.

Which all leads to a new group of people trying to solve the problem. The authors present their model as this:

The Firefox browser already retains history data for all visited websites. We have simply modified the browser to cause it to retain slightly more information. Thus, for each new SSL protected website that the user visits, a Certlock enabled browser also caches the following additional certificate information:

A hash of the certificate. The country of the issuing CA. The name of the CA. The country of the website. The name of the website. The entire chain of trust up to the root CA.

When a user re-visits a SSL protected website, Certlock first calculates the hash of the site’s certificate and compares it to the stored hash from previous visits. If it hasn’t changed, the page is loaded without warning. If the certificate has changed, the CAs that issued the old and new certificates are compared. If the CAs are the same, or from the same country, the page is loaded without any warning. If, on the other hand, the CAs’ countries differ, then the user will see a warning (See Figure 3).

This isn't new. The authors credit recent work, but no further back than a year or two. Which I find sad because the important work done by TrustBar and Petnames is pretty much forgotten.

But it is encouraging that the security models are battling it out, because it gets people thinking, and challenging their assumptions. Only actual produced code, and garnered market share is likely to change the security benefits of the users. So while we can criticise the country approach (it assumes a sort of magical touch of law within the countries concerned that is already assumed not to exist, by dint of us being here in the first place), the country "proxy" is much better than nothing, and it gets us closer to the real information: the CA.

From a market for security pov, it is an interesting period. The first attempts around 2004-2006 in this area failed. This time, the resurgence seems to have a little more steam, and possibly now is a better time. In 2004-2006 the threat was seen as more or less theoretical by the hoi polloi. Now however we've got governments interested, consumers sick of it, and the entire military-industrial complex obsessed with it (both in participating and fighting). So perhaps the newcomers can ride this wave of FUD in, where previous attempts drowned far from the shore.

US officials move to infect Populace with 5T00P.1D virus -- google, bombs, Mozilla, oil & barrels of stupidity

A wave of stupidity is flooding through the USA mediawaves. Here's an example:

A cyberattack disabled US cell phone networks, slowed Internet traffic to a crawl and crippled America's power grid Tuesday -- all in the interest of beefing up US security. Dubbed "Cyber ShockWave" and organized by the Bipartisan Policy Center (BPC), the event was held at a Washington hotel room transformed for the day into the White House Situation Room, where the president and his advisers typically meet to address national emergencies.

In the simulation, former top US officials debated how to respond as the power grid in the eastern United States was virtually shut down by a stealth cyberattack and a pair of bombings, cutting electricity to tens of millions of homes.

This is an "exercise" conducted by something called the Bipartisan Policy Group. The confusion between officialdom and lobbying could be forgiven, because it was intentional. Consider this list of Washington DC rock stars:

• Fran Townsend, former president George W. Bush's one-time Homeland Security advisor
• Charles Wald, a retired general and the former deputy commander of US European Command
• Michael Hayden, a former CIA director, ex-Homeland Security chief Michael Chertoff
• former Director of National Intelligence John Negroponte, former deputy CIA director John McLaughlin
• Joe Lockhart, former president Bill Clinton's press secretary ...

Then we have the amazing spectacle of Google complaining about being attacked by China!? Is there -- can there be -- any credence to this story? To me, it doesn't pass the laugh test, it is clearly a propaganda story with a hidden message. A little clicking and we find this:

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Oh. 2 activists... that's two, the number between one and three ... gmail accounts of alleged activists. Not hacked but probed. This is below underwhelming, this is quintessence of underwhelming, the very quantum of underwhelming!

One glance and it's gone. If you read more, the contradictions just keep rolling in. Apparently it is related to copyright theft, or, no it's not. Related to a concerted attack on 30 big companies, or not. It's caused by a horrifying new technique called "man-in-the-mailbox" or it's caused by phishing, or a virus, not. It's China, or it's Taiwan! It's a school, or it's the Red Army?

What's going on? What is curious is why a group so historically sensible and focussed as Google fell to such a stupidity as announcing this in a blather of hype. Well, read a bit further:

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

Ah. So, google are under pressure from the Chinese government. This is *nothing* to do with cyber-hacks, activist, freedom of speech, intellectual property, APTs, and everything to do with the access to the Chinese market. On terms appropriate to Google. They needed a casus belli to convince someone (shareholders? own employees?) of the need to rattle sabres, and a hack is a great catch-all. But, in the process of feeding the media craving for new heights in gullibility, google might have drunk a little too deeply of the kool-aid, because they then negotiated with the NSA to cut a secret deal; if there is ever a sign that it's all over for independence, that's the one!

Google approached the NSA shortly after the attacks, sources said, but the deal is taking weeks to hammer out, reflecting the sensitivity of the partnership. Any agreement would mark the first time that Google has entered a formal information-sharing relationship with the NSA, sources said. In 2008, the firm stated that it had not cooperated with the NSA in its Terrorist Surveillance Program.

Sources familiar with the new initiative said the focus is not figuring out who was behind the recent cyberattacks -- doing so is a nearly impossible task after the fact -- but building a better defense of Google's networks, or what its technicians call "information assurance."

Getting out of China, to maintain independence, then signing up with the NSA, doesn't present a consistent message. I love the quote about how they don't want to break any laws on spying on Americans...

Back to China. The rhetoric has spread further than expected. Over in Mozilla's groups, the anti-China faction has stirred up another little hate campaign over a Chinese CA called CNNIC.

With this background in mind, let's unpack the Mozilla debate. What set off the debate was the addition of the China Internet Network Information Center (CNNIC) as a trusted CA in Firefox. CNNIC is not part of the Chinese government but many people assert that it would be willing to act in concert with the Chinese government.

To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' "secure" web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site. The Chinese citizen would be fooled by the fake Gmail site (having no reason to suspect anything was wrong) and would happily enter his Gmail password into the impostor site, giving the Chinese government free run of the citizen's email archive.

Which offends them mightily, because CNNIC is likely to follow the Chinese government's rules on ... well, everything, as did a veritable stampede of popular western companies (Microsoft, Sun, Cisco, Skype spring to mind, and don't forget google who did, and don't and won't and might stop and want to take their bat and ball and go home). The problem for Mozilla is, CNNIC seems to offend them in more or less legal ways, in more or less policy ways, and in more or less the ways of every other view we can objectively apply.

The crime, after all the evidence is assembled (not a single credible fact that I have seen), is pretty thin, and as thin as the accusations levelled against every other CA from time to time.

But, this matters not at all if the real objective is popular manipulation (propaganda, by some). Note the clear linkage above from google to gmail to Mozilla... What might be called governance and protection of 250 million users in Mozilla technical circles might also politely be called nationalism by others.

But. Silly as it is, the message meshes in nicely with the current global geopolitical aspirations of some in Washington, at top. Back to the silk-dress appeal for pork-barrel funds by the "BPG":

An operation dubbed "Cyber ShockWave" has spanked the U.S.'s cyberdefenses -- hypothetically. Under the scenario organizers dreamed up, virus-infected smartphones spread malware to their owners' PCs. From there, the attackers DDoSed telecommunications networks into submission, brought down electrical grids and bombed a gas pipeline. The verdict: America's cyberdefenses are wanting.

What's the connection between the Mozilla skirmish, the Google retreat, and the unaffiliated-affiliated NGO above?

These are all the same war, the war on China. And, the battleground isn't anywhere near China (indeed they are probably as bemused as anyone else), it's happening in the American media. Although Mozilla do not think they are political and although Google would like not to be political, both of these agents are being dragged into an anti-China rhetoric by a much more media-savvy player, anciently called the military-industrial complex, at times called "the hawks," more recently called the Neocons, and now wielding the pathetic title of Bipartisan Policy Group:

"You're going to see planes being grounded now. You're going to see trains not moving," said Fran Townsend, former president George W. Bush's one-time Homeland Security advisor, who was promoted to Homeland Security secretary for the simulation.

The "cabinet members" debated how to respond to the situation and what advice to give the president, with suggestions ranging from calling out the National Guard, nationalizing the power companies and retaliating once the attackers' identities were known.

"If this is an attack on the United States the president, as commander-in-chief, has the authority to use the full powers at his disposal," said former deputy attorney general Jamie Gorelick, playing the role of the US attorney general.

"We're in good shape from a command and control standpoint," said "Secretary of Defense" Charles Wald, a retired general and the former deputy commander of US European Command. "We can take action offensively if we know where to go," Wald said. "Problematically, we don't know where that is."

That crowd doesn't know the difference between a bit and a bomb, but they don't need to because the warfront is the media front, and they certainly know a thing or two about using the media to prepare you for their next big adventure. You might thing this is a small thing, but the propaganda just keeps on rolling. The British version of the NSA, called GCHQ, is also infected:

"A successful cyber attack against public services would have a catastrophic impact on public confidence in the government, even if the actual damage caused by the attack were minimal," [Cheltenham spy agency's new Cyber Security Operations Centre (CSOC) says].

The warning forms part of a preliminary "horizon scanning" report produced by the new unit, which is scheduled to begin operations next month. Its job will be to continually monitor internet security, producing intelligence on botnets, denial of service attacks and other digital threats to national security.

Such a level of FUD has rarely been seen outside the information security industry and wartime. This is awful news for just about everyone. What most of these players want is to shake China down. Google wants "in" on comfortable USA competition rules, where it gets the preferential treatment that allows its business model to shine. No bad thing for the Google shareholder, but the Chinese government wants to reserve that market for a local player (for obvious & easy reasons):

In the last two decades, China's economic reform programs and its citizens' entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

Google wants a piece of that action, plain and simple. Mozilla wants "in" on far more vague grounds that can't really be tied down, but they probably feel an interest in preserving the ability of activists in China to browse securely. Given my crypto history, it should be no surprise that I'm sympathetic to that argument as are many readers, but China isn't. If we think of it in legal terms, this puts Mozilla squarely against the current anti-democratic, anti-freedom-of-speech laws of one quarter of the planet. As google said:

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech.

Meanwhile, the last-war-generals in Washington DC want "in" to China on a geophysical control basis, whereas the Chinese government wants to reserve the supply of commodities to itself. That is, China has a long term strategic mission of securing the supply of commodities to its industries. Washington DC disagrees. Hence, we find a lot of strange bedfellows all agreeing on the same objective, but for wildly different reasons.

At this point, most readers will think I'm short a few marbles. All can I say in my defence is this: the rise of China in the thought-processes of the Washington DC set is pretty easy to see, if you look. It's been there for at least a decade to my knowledge; it pops up in any serious scandal from Middle East, looking eastwards to some watery point well west of Japan. You'll have to take it on faith that when you're in a tussle with China, suddenly you'll find an 800lb gorilla in the room as your ally. Slashdot knows it, from many examples here's just one:

While I don't disagree that we could do more in the area of computer security, one needs to look closely at the affiliations of the people running this "exercise."

They're both loyal Neocon insiders. John Negroponte [wikipedia.org] is the former Bush Director of National Intelligence. Michael Chertoff [wikipedia.org] is the former Director of Homeland Security, and co-author of the Patriot Act. And both of these positions were just the last in a string of appointments by Bush/Cheney.

And as career neoconservatives, they've been at the forefront of fearmongering and prevarication in order to lead the US to war and erode civil liberties. These are not opinions, these are well-documented facts [google.com].

The neocons are a one trick circus; this is just their newest pony. If you've been paying attention the past nine years, how can you possibly doubt that this is anything else?

A gorilla you really don't want in your living room, because the cost of the alliance is probably a house re-build. The danger lurking within is this: the hawks' theory is that China will take over the USA militarily sometime in the next few decades. Whatever you think about geopolitics (last 20 years of small proxy wars, etc) this has led a not-insignificant group within the Beltway into wanting a war of some form with China. Their theory is that they have to do it now or soon, or else it will be too late.

And this may explain the flush of rhetoric out of Washington DC: the hawks are scared they are running out of time for a war, and for that, the next step is simple: they have to swing the American public behind them, into a bellicose, anti-China mood (recall how they did this with Iraq 2).

Which brings us back to the cyber-war nonsense. This is the perfect cassus belli because there is no embarrassing evidence to show they are lying; indeed we can't even get it right or clear or agreed in the open market because the electrons won't sit still after the attack. As cassus bellis go, it's got more mileage than historical ones such as Iraqi nukes or Saddam's mate Osama or the North Vietnamese torpedoe boats in the Gulf of Tonkin, because in the end, the physical evidence spoke up.

From now on in, cyber-war will be a central plank of the war on China. The only problem is, it's a lie, a casus belli, and it's more or less unprovably false and unprovably true and very very scary, all at the same time. The American Public are being set up, again. Same as it ever was, but this time the entire Internet, security, communications and interactions world is being dragged in.

That effects every one of us. This time it's personal.

(As an aside, the hawks' strategy is doomed to failure. It worked in Iraq 1 & 2 because of many factors that were easily predictable. Arguably, it failed or worked in Talibans 1, 2. It failed in Iran, but there's still hope. Unlike Iraq & Iran, who supply lots of *commodity* oil, and Afghanistan which supplies commodity opium, China supplies manufactured goods to USA. If oil or drugs slow down, the price goes up, and the market adjusts. The traders love that, it's called volatility.

On the other hand, if Walmart is emptied, we've got bigger problems, nobody benefits from that. But this easily predictable failure of strategy won't stop the hawks, possibly because their experience in economics is limited to slopping at the pork-barrel trough. As far as policy goes, this is the same stupid crowd that chose to hollow out its nearest and dearest southern neighbour in the so-called _war on drugs_. The stupidity virus has gone deep.)

the most magical question of all -- why are so many bright people fooling themselves about the science in information security?

It has been clear for a long time that information security was more about perception than any other factor than was good for it, a concept I tried to turn into a theory in the market for silver bullets, based on some solid thinking by others on the economics of insufficient information. Here are some random snippets that seem to anecdotally support that security is dominated by perception.

Gunnar reports on Google who were apparently subject to a cyber-attack by China. I didn't notice, probably because it doesn't pass the laugh test, but he collects all this security-blog-o-sphere stuff into a nice package:

Of course cyberattacks and the other issues raised by Google as rationale have been around for a long time, so why did they choose now as the time to threaten to pull out? ... First, we know that Google has been getting its butt kicked by Baidu.com. Baidu's search market share in 3Q09 was 77%. ... Google was in need of some positive PR to correct its worsening image (especially in Europe, where concerns about privacy are mounting on a daily basis). Google.cn is the goat that would be sacrificed ... It's no surprise than NSA is getting interested in the story. One doesn't need to know much about US politics to realize that framing this as a national security issue is going to make Google's case for US government's pressure on China much stronger ... No wonder Google has been hiring all those smart policy types with government experience ...

While Google is bandying around the phrase "national security" as a commercial weapon, Bruce Schneier is earning lots of airmiles by talking not about security but about what he calls *magical thinking*: TSA rules to make you safer from the last attack:

Of course not, the attacks are designed to get through whatever we're doing. The liquid bombers used liquid so now we screen liquids. This is a powder bomber using powders. They will look at what we do and do something different. There's sort of a bit of magical thinking about the last hour, its not a more dangerous hour, its the hour this guy happened to choose. I am not sure why the next guy can't choose the first hour or a different material or maybe even not an airplane. Focusing on the tactic might make us feel a little better but its not going to make us any safer.

Or, what military types refer to as fighting the last war, or, building the Maginot Line. Which would support the notion that the real enemy that TSA is fighting is the home front, and perception is the weapon of choice.

Adam has a nice collection of the latest TSA madness, including this quote:

'It became necessary to destroy the town to save it,' a TSA major said today. He was talking about the decision by allied commanders to shock and awe the public regardless of civilian casualties, to rout al Qaeda.

Which I can't tell if it is a spoof or not, but it seems to be on point. Here is more evidence of the perceptional nature of security: news that Microsoft's browser had a flaw in it has finally caused governments to sit up and do the unthinkable: warn people not to use a Microsoft product.

Nobody would ever notice if a government said "we don't use Linux because of security issues" or "we don't permit Apple because of ..." Microsoft's browbeating of the press and governments has been so successful that for 2 decades, nobody dare say "don't use Microsoft." Remember "Nobody every got fired for buying IBM?"

Which unfortunately has been a great loss to Microsoft (as it was to IBM) because it hid the danger from them, too, until 1992. Now they are facing the long-term decline, shackled with their chains of past insecurity. Perception-wise, they will probably never be able to shake off the the real public opinion, now that it's shifted, even with the great work listed at bottom.

Too late for their future shareholders, but maybe their past shareholders had the right idea? Markus Kuhn reports on a placebo bomb detector for the BBC, and discovered it is testably indistinguishable with any other random appliance purchased at the local Dixon's (consumer electronics store):

There is no way in which this device could be programmed to distinguish the many different substances that the ADE651 manufacturer claimed it could, not to mention that any useful interaction with such an LC circuit would require a transmitter antenna, a power source, and lots of other components that the ADE651 appears to lack.

These things sell for around 40,000 sterling each, in quantity, and the Iraqi government swears by them. OK, whatever. Compelling proof ... that the power of the placebo is essential to unlock the minds of the (human) bomb detectors that do the real job? You be the judge. What has not as yet been answered to me is why the TSA has not purchased them -- if they are America's department for magical thinking, why not purchase such things?

The devices contain no power source (”powered by the user’s static electricity”, no battery), resemble very much a dowsing rod, and generally leave much to be desired regarding a plausible operating principle or performance in repeatable double-blind trials. There are several such military dowsing rods on the market.

And they won't contribute to global warming! So real security (where "real" means, we have evidence that this is how people think, act and purchase) is as much about placebo devices as anything else. Here's the most magical question of all: why is an entire generation of crypto/security/geeks fixated on the technical workings of a device? Insisting that it operate to lab specs? When all the evidence from the field indicates that it doesn't matter much if at all?

Here's another outstanding example: Last month there was a series of crypto break news in GSM phones. Here's a summary from emergentchaos's Mordaxus.

Orr Dunkelman, Nathan Keller, and Adi Shamir have released a paper showing that they've broken KASUMI, the cipher used in encrypting 3G GSM communications. KASUMI is also known as A5/3, which is confusing because it's only been a week since breaks on A5/1, a completely different cipher, were publicized. So if you're wondering if this is last week's news, it isn't. It's next week's news.

(Except it's last month's news.) OK, joking aside, so what? GSM phones use encryption to stop the papparazzi recording your love-chat, stop neighbours hearing your shopping list, and spoofers stealing GSM minutes. As long as they do that, why aren't we happy with a 40 bit crypto response to the 20 bit crypto threat?

(In 1994 numbers, etc, just add water for 16 years of crypto-flation.)

It will be interesting to see the response from the GSM Association. They have the opportunity to show leadership. If they recognize that this is a real problem, reassure us that it's not a catastrophe, and show that they're taking it seriously, then this can be an all-around good thing for them and us.

We're all adults (well, okay, most of us are adults and act like adults some of the time), and if we know that there will be an upgrade in a few years, then that's great. We lived through the WEP issues. We are living through the SSL evil proxy issues. This is less acute than either of those. But we need to have some assurance that in a few years, we'll just get wireless devices with a safety net.

I don't mean to pick on mordaxus here, but this typifies an entire security industry: absolute obsession with an apparent security rating (measured in bits of crypto strength) and an almost willful blindness to the environment of choice. Let's list how safe we are because of GSM's fine security design:

• All phones provide the complete and perfect location and relationship tracking device for all citizens [one, two, three, four], and we told on great authority that we should be worried when they aren't so good at tracking, according to Kuhn's colleague Richard Clayton,
• the conversation is only encrypted over the airwaves to the nearest base station (which has minimal security in it, if those "buy your own base-station" adverts are correct),
• Phones are probably programmable over the air via various techniques (undocumented, elusive, insert your conspiracy theory here about advice to take out your battery when attending a secret meeting, etc etc), and
• The entire infrastructure doesn't really have a lot of security, and that's purposeful.

What is the "real problem" that Mordaxus expects them to spot? What catastrophe? It's not as if we need to speculate here, we actually have real evidence: We know that when they were broken 12 years ago by Lucky Green ... nothing happened. It didn't change our security situation one iota.

Their challenge is to have a response before this news metastasizes into a common perception that 3G crypto is worthless.

Right. If we have no security argument, we also are left arguing on perception.

There are some out there that think they can use psychology to assess our current security thinking. Perhaps they can answer the most magical question of all: why are the world's top security sellers so quick to damn a crypto algorithm that has lost of few bits, like MD5, when the world's top security buyers are happily purchasing Placebo devices with 5km ratings? Or Cell-phones with 40 bit crypto? And, apparently happy with their choice?

Let's face it. Security thought as a science is failed, it is all marketing, all perception, all religion. The good news is that this meme seems to be finally getting some traction in the scientific community: "So Long, and no thanks for the Externalities: The Rational Rejection of Security Advice by Users" by Cormac Herley, who works for, of all people, Microsoft Research. Finally, we have the paper that says what we all knew:

It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives.

Read that if you think there is a place for science in information security. On the other hand, if you think information security is something else, better off to go read something on creative journalism, public relations, politics, marketing, ...

Bowles case is more evidence: Britain takes another step to a hollowed-out state

In the very sad story of the Justice System as we know it, a British courts has ruled the beginning of the end.

He went to jail this week, protesting his innocence. Speaking to The Times, he said: "There are no missing millions, there's no villa in the Virgin Islands, there has been no fraud. I am not allowed to earn any money, my assets were restrained so I couldn't use them to defend myself - it's a relentless, never-ending, vicious, cruel and wicked system.

Of course, all mobsters say that. So what was the crime?

Bowles was convicted by a jury in June of cheating the Revenue of £1.2 million in VAT but sentencing had been adjourned on three previous occasions. He had been found guilty of failing to pay VAT on a BIG land sale and diverting money due to the taxman to prop up Airfreight Express, his ailing air-freight company.

Now we have come full circle, and the evidence is presented: the Anti-money-laundering project of the OECD (known as the Financial Action Task Force, a Paris-based body) is basically and fundamentally inspired by the desire to raise tax. Hence, we will see a steady progression of government-revenue cases, occasionally interspersed with Mr Big cases. This is exactly what the OECD wanted. Not the mobsters, murderers, drug barons and terrorists pick up, but:

Bowles is a divorced, middle-aged company director from Maidenhead who has been transformed from successful entrepreneur to convicted fraudster.

A businessman, from the very heartland of English countryside. Not a dangerous criminal at all, but someone doing business. Not "them" but us. POCA or Proceeds of Crime Act is now an important revenue-raising tool:

It was not suggested that Bowles, who has no criminal record, had used the money to fund a luxury lifestyle. Nevertheless, when the Revenue began a criminal investigation into his affairs in 2006 all his assets were frozen under the powers of the Proceeds of Crime Act.

Bowles was required to live on an allowance and rely on legal aid for his defence rather than pay out of his own resources. Defence lawyers claimed that preparation of Bowles's defence case was hampered further because his companies' financial records were in the hands of administrators.

The accounts were not disclosed until a court hearing in February this year, at which point Bowles sought permission to have a forensic accountant examine them to determine the VAT position. He was refused a relaxation of the restraint order to pay for a forensic accountants' report. The Legal Services Commission also declined to fund such a report from legal aid.

After the court was told that the records "could be considered by counsel with a calculator" the trial went ahead. Bowles was cleared of two charges but found guilty of a third.

It works this way. First the money is identified. Then, the crime is constructed, the assets are frozen, legal-aid is denied, and the businessman goes to jail. By the time he gets out of that, he probably cannot mount a defence anyway, and rights are just so much confetti. This stripping of rights is a well-known technique in law, as only 1 in 100 can then mount a recovery of rights action, it is often done when the job of the prosecutor is more important than rights.

Let's be realistic here and assume that Bowles was guilty of tax fraud. His local paper certainly thinks he was guilty:

A tax cheat from Maidenhead who dodged paying £1.3m in VAT has been jailed for three-and-a-half years. ... The court heard between October 2001 and July 2006 Bowles failed to submit VAT returns to HM Customs and Excise (HMCE) and then HM Revenue & Customs (HMRC). The VAT related to the sale of land for commercial development in Cardiff worth £7.5m.

Following an HMRC criminal investigation Bowles, from Sandisplatt Road, was charged on three counts of 'cheating the revenue'. Peter Avery, assistant director, HMRC Criminal Investigations, said: "This sentence will serve as a deterrent to anyone who thinks that tax fraud is a risk worth taking."

Firstly, this is quite common, and secondly, tax is the most complicated thing in existence, so complicated that most ordinary lawyers don't recognise it as law by principle. It's the tax code, it's special. It's actually very hard not to be guilty of it, when you have a fair-sized business (whoever heard of a value-added-tax on a land sale?)

But even assuming that the guy was guilty, there was rather stunning evidence to the contrary, which underscores the point that this was revenue raising, not the bringing down of a Mr Big:

A financial report has since been prepared, free of charge, by a firm of chartered accountants. A draft copy was presented to the judge two months ago and a full version handed to him this week. Its analysis concludes that rather than owing tax, Bowles's companies had actually overpaid their taxes.

The report stated: "In our opinion, none of the evidence points to Philip Bowles fraudulently evading or concealing VAT due to HMRC ... It would have been reasonable to conclude that no fraud has taken place."

Lawyers for Bowles claimed in court that matters were compounded by a failure to explain VAT law properly. They alleged the jury were wrongly informed that companies in the same group could not assign tax liabilities and credits between each other.

When a firm of *chartered accountants* utters _an opinion_ over finances, this is a legally imposing evidence. It is given a special status in court, in that the court may rely on it, and so might all others; this special status is awarded for the purposes of public companies that need to impress others such as creditors and shareholders that the company is sound. This form of reliance is not available outside the accounting profession, and only available in an accounting context (e.g., when a firm of accountants audits a certification authority, we do not get a special right to rely on it without further ado).

When a firm of chartered accountants does this for free, this is beyond surprising, this is a shock. The natural order of things is now upset. When the accountants are working for free, this might mean that the professions are mounting a last-ditch effort to preserve the Justice System in Britain, as I predicted:

It took 20 years to hollow out Mexico, we have a bit longer in other countries, because the institutions are staffed by stiffer, better educated people.

Those stiffer, better educated institutions realise that we all are poorer when the justice system is used to raise revenue. Or perhaps they realise their turn is next?

Breaches not as disclosed as much as we had hoped

One of the brief positive spots in the last decade was the California bill to make breaches of data disclosed to effected customers. It took a while, but in 2005 the flood gates opened. Now reports the FBI:

"Of the thousands of cases that we've investigated, the public knows about a handful," said Shawn Henry, assistant director for the Federal Bureau of Investigation's Cyber Division. "There are million-dollar cases that nobody knows about."

That seems to point at a super-iceberg. To some extent this is expected, because companies will search out new methods to bypass the intent of the disclosure laws. And also there is the underlying economics. As has been pointed out by many (or perhaps not many but at least me) the reputation damage probably dwarfs the actual or measurable direct losses to the company and its customers.

Companies that are victims of cybercrime are reluctant to come forward out of fear the publicity will hurt their reputations, scare away customers and hurt profits. Sometimes they don't report the crimes to the FBI at all. In other cases they wait so long that it is tough to track down evidence.

So, avoidance of disclosure is the strategy for all properly managed companies, because they are required to manage the assets of their shareholders to the best interests of the shareholders. If you want a more dedicated treatment leading to this conclusion, have a look at "the market for silver bullets" paper.

Meanwhile, the FBI reports that the big companies have improved their security somewhat, so the attackers direct at smaller companies. And:

They also target corporate executives and other wealthy public figures who it is relatively easy to pursue using public records. The FBI pursues such cases, though they are rarely made public.

Huh. And this outstanding coordinated attack:

A similar approach was used in a scheme that defrauded the Royal Bank of Scotland's (RBS.L: Quote, Profile, Research, Stock Buzz) RBS WorldPay of more than $9 million. A group, which included people from Estonia, Russia and Moldova, has been indicted for compromising the data encryption used by RBS WorldPay, one of the leading payment processing businesses globally.

The ring was accused of hacking data for payroll debit cards, which enable employees to withdraw their salaries from automated teller machines. More than $9 million was withdrawn in less than 12 hours from more than 2,100 ATMs around the world, the Justice Department has said.

2,100 ATMs! worldwide! That leaves that USA gang looking somewhat kindergarten, with only 50 ATMs cities. No doubt about it, we're now talking serious networked crime, and I'm not referring to the Internet but the network of collaborating, economic agents.

Compromising the data encryption, even. Anyone know the specs? These are important numbers. Did I miss this story, or does it prove the FBI's point?

Google and Finance 2.0? Nope, sorry. They lack the competency of demythicalisation.

One of the interesting things about the financial system we built back in the late 1990s is that the design was pretty much spot on, and that keeps getting confirmed. I recently found out that the PKI infrastructure used the design in a CA-to-CA protocol, so they do know how to do it :)

Slowly, the knowledge inches its way up to the level needed to appreciate and duplicate the work of the early pioneers (insert long list of names here...). Over on the Harvard Business blog, Umair Haque muses on what "finance 2.0" would be like and looks at google.

Every day, you handle more searches than the NYSE handles trades — and that difference, I'm guessing, is about to hit an order of magnitude more. Every day, you connect people, businesses, and communities in deeper and tighter ways than besuited beancounters do. From my tiny perspective, it seems that you just might be in the best position of any organization in the world to take on Finance 2.0.

It's an inspirational question; and we know where the inspiration came from. But it is not exactly spot on. Google is a good fit for the market data side and search ("market"), as seen above. But not for the trade side, or more particularly the settlement side. If you know the difference, you're half way there. They *could be* a good fit because that side is just a matter of acquiring the right skills, the right mentality. But it takes a job of work and some tearing down of assumptions, because those things aren't easy to look up on wikipedia. Been there, spent the money, and only by luck and hard work did I figure it out. Not, I assure you, because "I'm smarter."

After money, the first great financial innovation was bills of exchange. What's interesting about bills of exchange is that they're just, well, information. Their example makes the point: money, debt, derivatives — all are just information.

Oh, big mistake, and this makes the point. Finance isn't "just information," it's information built on a foundation of transactions, which is built on a foundation of contracts, which is built on ... well, you get the point. And these many floors, each a foundation for the next, are widely and deeply misunderstood even, or especially in the building known as finance.

In my experience, when I talk to deep industry experts, they almost universally focus on the elevator ride and consequently bumble around with great authority in a 2 x 4m box within a huge edifice. I guess this point shouldn't be controversial, as we've now seen this great financial crisis, so we know that the industry is competitive with Hollywood when it comes to the mythology and starstruckedness.

Google Finance is nice. I like using it a lot. But if it created thick value — by really slashing search costs in finance — it would have prevented people, communities, and society from investing in toxic CDOs in the first place. It didn't. It's a pair of reading glasses, when what the world needs (to begin with) is the financial equivalent of an electron microscope.

What would a Googlier finance industry resemble? What would a more Googly set of capital markets look like? That's the $12 trillion dollar question. After all, markets are just search engines — remember?

See how people are getting closer? So much hope, still far from the solution, but getting closer. Given the amount of desire for solutions right now, there is an outside chance that the creativity needed could take off around 2015, where it didn't in 1995.

Let's get serious. Markets are just search engines, but only at one level of abstraction. This is where google fits, where information is searchable. At other abstractions they are exchanges of information, and this widely-studied topic is full of nuance, full of deception. Google doesn't fit here at all, and many have broken themselves on it.

What does it look like? It looks like financial cryptography; finance with a delicate touch of cryptography, but also larger doses of software, rights, accounting, governance stuffed in between. If you want to know what it looks like in more detail than a windmilling blog post, study Digicash for inspiration, AADS for the complications, Systemics for the transactions, the gold issuance business for the governance.

But beware; it's not about awesome, nor is it about marketing blah blah, nor is it about huge data capabilities. If anything, the core skill you need is demythologisation; the stripping away of fairy tales, until you can see the core.

What company is best for that? I have my views, but it ain't google.

FC: better than freedom?

The Economist writes:

Better than freedom?

Nov 12th 2009 | BAGHDAD
From The Economist print edition
Why Iraqis cherish their mobile phones

ASKED to name the single biggest benefit of America’s invasion, many Iraqis fail to mention freedom or democracy but instead praise the advent of mobile phones, which were banned under Saddam Hussein. Many Iraqis seem to feel more liberated by them than by the prospect of elected resident government.

In the five years since the first network started up, the number of subscribers has soared to 20m (in a population of around 27m), while the electricity supply is hardly better than in Mr Hussein’s day....

Good news for them! It gets better:

During recent years of civil strife, when many stayed indoors, mobile phones were the lifeline. They also became a tool of commerce. Reluctant to risk their lives by visiting a bank, many subscribers transferred money to each other by passing on the serial numbers of scratch cards charged with credit, like gift vouchers. Recipients simply add the credit to their account or sell it on to shops that sell the numbers at a slight discount from the original. This impromptu market has turned mobile-phone credit into a quasi-currency, undermining the traditional informal hawala banking system.

Practically every financial cryptographer I know has made this observation. Phones can be used to ship money. Mobile minutes are a fantastic demand base for money. They've been traded at face value for a long time. And, visiting banks is dangerous in some contexts, something we rich fat&happy westerners often forget.

This is pure financial cryptography: the turning of a simple technical architecture based on some security (some crypto) into a network capable of moving value for people. If there is any doubt left...

The market’s growing size is making some bankers wonder if phone credit should be traded on a public exchange. This may not be practical, but more regulation would be welcome. ... Prostitutes get regular customers to send monthly retainers to their phones, earning them the nickname “scratch-card concubines”, while corrupt government officials ask citizens for $50 in phone credit to perform minor tasks.

We got it all: markets to trade phone credit, crime, so we've crossed that GP thing, and booming trade where the worry-worts in government would normally blush and ban.

Of course, those same people will rant on about how this is promoting crime, and it must be banned.

Criminal rings are among the parallel currency’s busiest users. Kidnap gangs ask for ransom to be paid by text messages listing a hundred or more numbers of high-value phone cards. ... Viewed as cash substitutes, scratch cards have also drawn the attention of armed robbers. In one case, a gang emptied out the card storage of Iraq’s biggest mobile operator, Zain, which is based in neighbouring Kuwait.

Serious architects of money systems know that *all* such electronic systems also work to seriously track the crook (even the much-hyped DigiCash was not exactly as it seems). The notion that you can send a ransom over a phone is just press-headlines and FUD. Remember, the cell towers can track the phone bearer to 10m or so, so if you do that, it's because the police aren't doing their job.

Still, it remains popular political policy to shoot the messenger, as was done in Europe in the 1990s, and now is popular in other countries. But we've also learnt that when a need is big enough, even the normal worries are swept away:

Not to be left out of the bonanza, Iraq’s cash-strapped government now says it will sell a fourth mobile-operating licence, after raising $1.25 billion from each of the last three. That is less than its vast oil reserves promise to put into the state’s coffers but a lot easier to negotiate. And Baghdad is not the only place where mobile-phone commerce thrives. The UN says it has plans to deliver aid to Iraqi refugees in Syria in the same way.

Is the mobile phone better than freedom? Only when free enough to allow freedom to develop. In this case, financial cryptography is the general rubik, but economists would recognise the real linkage here: Free trade is freedom; the ability of Iraqis to avoid "going to the bank" when there's shooting outside is a life saver.

Literally, phone money saved their lives. In our fat&content western society, freed up payments won't save anyone's life, we're not in Mexico yet. But financial cryptography can shave a percentage point or two off of the price of *everything* because payments cost money and FC delivers those same things for a fraction of the costs.

And that you can take to the bank, or more importantly, back to the economy. Got a problem with growth? Install an FC plugin into your economy, and watch.

The War on Drugs moves to endgame: the War on US Americans

The decision to conduct a war on drugs was inevitably a decision to hollow-out Mexico. The notion of hollowing-out states is a time-honoured tradition in the Great Game, the way you control remote and wild places. The essential strategy is that you remove the institutions that keep places strong and stable, and bring them to a chaos which then keeps the countries fighting each other.

While they fight each other they are easier to control and extract value from. This is the favourite conspiracy theory behind the middle east and the famous Kissinger Deal: The Sheiks are propped up and given control of weak states as long as they trade their oil in dollars, and use the money to buy American goods. Of course we only speculate these details, and sometimes things look a little loose.

There are weaknesses in the strategy. Obviously, we are playing with fire when hollowing out a state ... so this is quite a lot of danger to the nearby states. (Which of course leads to the next part of the strategy, to play fire against fire and undermine an entire region.)

Which brings us to the War on Drugs and the decision to place Mexico into the role of hollowed-out state. John Robb points to this article:

Beheadings and amputations. Iraqi-style brutality, bribery, extortion, kidnapping, and murder. More than 7,200 dead-almost double last year's tally-in shoot-outs between federales and often better-armed drug cartels. This is modern Mexico, whose president, Felipe Calderón, has been struggling since 2006 to wrest his country from the grip of four powerful cartels and their estimated 100,000 foot soldiers.

So, quite obviously if one understands the strategy, don't do this nearby. Do it far away. Reagan's famous decision to do this must have been taken on one his less memorable days ... no matter how the decision was taken on Mexico, now Reagan's chickens have cross the border to roost in mainland USA:

But chillingly, there are signs that one of the worst features of Mexico's war on drugs - law enforcement officials on the take from drug lords - is becoming an American problem as well. Most press accounts focus on the drug-related violence that has migrated north into the United States. Far less widely reported is the infiltration and corruption of American law enforcement, according to Robert Killebrew, a retired U.S. Army colonel and senior fellow at the Washington-based Center for a New American Security. "This is a national security problem that does not yet have a name," he wrote last fall in The National Strategy Forum Review. The drug lords, he tells me, are seeking to "hollow out our institutions, just as they have in Mexico."

Quite what is going on in these people's minds is unclear to me. The notion that it "has no name" is weird: it's the standard strategy with the standard caveat. They overdid the prescription, now the disease bounces back stronger, more immune, with a vengeance! Further, I don't actually think it is possible to ascribe this as a deliberate plot by the Mexican drug lords, because it is already present in the USA:

Experts disagree about how deep this rot runs. Some try to downplay the phenomenon, dismissing the law enforcement officials who have succumbed to bribes or intimidation from the drug cartels as a few bad apples. Peter Nuñez, a former U.S. attorney who lectures at the University of San Diego, says he does not believe that there has been a noticeable surge of cartel-related corruption along the border, partly because the FBI, which has been historically less corrupt than its state and local counterparts, has significantly ratcheted up its presence there. "It's harder to be as corrupt today as locals were in the 1970s, when there wasn't a federal agent around for hundreds of miles," he says.

But Jason Ackleson, an associate professor of government at New Mexico State University, disagrees. "U.S. Customs and Border Protection is very alert to the problem," he tells me. "Their internal investigations caseload is going up, and there are other cases that are not being publicized." While corruption is not widespread, "if you increase the overall number of law enforcement officers as dramatically as we have| - from 9,000 border agents and inspectors prior to 9/11 to a planned 20,000 by the end of 2009 - "you increase the possibility of corruption due to the larger number of people exposed to it and tempted by it." Note, too, that Drug Enforcement Agency data suggest that Mexican cartels are operating in at least 230 American cities.

By that I mean, the drug situation has already corrupted large parts of the USA governance structure. I've personally heard of corruption stories in banks, politics, police and as far up the pecking order as FINCEN, intel agencies and other powerful agencies. As an outside observer it looks to me like they've made their peace with the drugs a long time ago, heaven knows what it looks like to a real insider.

So I see a certain sense of hubris in these writings. This feels to me that the professional journalist did not want to talk about the corruption that has always been there (e.g., how else did the stuff get distributed before?). What seems to be happening is that now that Mexico is labelled in the serious press (*) as hollowed-out, it has become easier to talk about the problem in mainstreet USA because we can cognitively blame the Mexicans. Indeed, the title of the piece is The Mexicanization of American Law Enforcement:

And David Shirk, director of the San Diego-based Trans-Border Institute and a political scientist at the University of San Diego, says that recent years have seen an "alarming" increase in the number of Department of Homeland Security personnel being investigated for possible corruption. "The number of cases filed against DHS agents in recent years is in the hundreds," says Shirk. "And that, obviously, is a potentially huge problem." An August 2009 investigation by the Associated Press supports his assessment. Based on records obtained under the Freedom of Information Act, court records, and interviews with sentenced agents, the AP concluded that more than 80 federal, state, and local border-control officials had been convicted of corruption-related crimes since 2007, soon after President Calderón launched his war on the cartels. Over the previous ten months, the AP data showed, 20 Customs and Border Protection agents alone had been charged with a corruption-related crime. If that pace continued, the reporters concluded, "the organization will set a new record for in-house corruption."

Well, whatever it takes. If the US-Americans have to blame the Mexican-Americans in order to focus on the real problems, that might be the cost of getting to the real solution: the end of Prohibition. Last word to Hayden, no stranger to hubris:

Michael Hayden, director of the Central Intelligence Agency under President George W. Bush, called the prospect of a narco-state in Mexico one of the gravest threats to American national security, second only to al-Qaida and on par with a nuclear-armed Iran. But the threat to American law enforcement is still often underestimated, say Christesen and other law enforcement officials.

* Mind you, I do not see how they are going to blame the Mexicans for the hollowing-out of the mainstream press. Perhaps the Canadians?