July 17, 2008

SEC starts to investigate Bear Stearns. Or does it?

If you read the last few days' posts on the crisis market sometimes but erroneously known as Banking (and you should check up on Lynn's comments on CDOs to see more detail) then you might be forgiven for thinking that the job of the regulators is to ride into town and clean up all the dirty games: subprime, CDOs and toxic mortgages. It could be that way, but the truth is more complicated.

The Bear Stearns affair is illustrative of the dilemmas. At one level, it's just another dirty chip in a card game where seedy reputations are being made, and dirty cards are being played, to mangle the metaphors. At another level, it is indicative that the problem is far more systemic than just another failed bank to be rescued.

In short, this story was about a major bank in the US that very nearly folded its cards. At the time, Bear Stearns went through its "Barings moment" when the bad news of its impending bankruptcy turned up late Friday. By next Monday, however, instead of collapsing, a white knight rescuer in the form of JP Morgan, a top-tier investment bank, turned up to offer a charitable price of $2 per share.

Bear Stearns itself was major because it handled the biggest chunk of securities settlement. That is, the boring back-office task of swapping money for shares, or owners for owners, depending on how you look at it. Which brings to mind that if the major back-end settlement bank failed, this could clog the markets. Can you say systemic risk?

Alan Greenspan can say that with authority, and this was what prompted his fabled rescue of another major player, LTCM (Long Term Capital Management) back in the late 1990s. When LTCM was rescued from its too-big-to-comprehend positions, the financial world sucked much breath between collective teeth. Weren't we supposed to be past the notion of rescuing failed financial players? Wasn't the Barings failure a wake-up call that we should take our risks and carry them too?

Was LTCM really that big?

In the event, Alan Greenspan proved to be the supreme player of poker: The Fed didn't spend any money on the deal, and instead fingered the banks who were to share the risk. A strong implication was that the big financial players (such as Morgan and Goldman) were in deep for the profits, and they should pay up for the losses. History suggests that he more or less got it right, or right enough, even to the extent of a few rebels who short-sold him and had to be punished later on.

For LTCM, the collective breath was slowly let out as the news and rumours trickled in as to how deep it was.

Because of its core role in settlements, Bear Stearns may have been the same, or maybe not. The financial brethren collectively drew breath in, but early fears of systemic risk were quickly replaced by cries of "rip-off!" Just exactly how did JP Morgan manage to engineer a bargain-basement price for a key player and competitor? After some huffing and puffing, the price went up to $10, which tells us something about the real value here.

Just maybe, the regulators have now moved to ask those questions:

BOSTON, July 16 (Reuters) - Dozens of hedge funds and broker dealers are scrambling to send reams of e-mails and trading records to U.S. regulators probing suspected stock price manipulation, several sources at hedge funds said.

The U.S. Securities and Exchange Commission recently sent subpoenas to more than 50 firms concerning trading in investment banks Bear Stearns, which was rescued in March, and Lehman Brothers Holdings Inc, whose shares have been hurt badly by rumors about its financial health, said four sources, who have seen the documents but were not authorized to speak about them publicly.

Among those receiving subpoenas was investment bank Goldman Sachs Group Inc and prominent hedge fund firms SAC Capital Advisors LLC and Citadel Investment Group. All three were named in a recent article about the Bear collapse in Vanity Fair.

Is this good news? On the surface, it sounds like hard dealing. Finally, the regulators are riding into town. Hip hip hooray!

But a few things are disquieting, and cheers may be premature. Firstly, the regulators were already in on the deal, so they were already in-the-know. If they are now investigating a game they were in on, this looks no good: Either they were duped, or they were players.

Secondly, the SEC has no particularly good reputation for these sorts of investigations (remember Lazio, mutual funds, etc?). It is an agency that is thought to be understaffed, under-missioned, under-enforced and generally turns up to the party after the barn has burnt to the ground. Indeed, perhaps mindful of the SEC's record as a political hired-gun, Congress is musing on the possibilities of a UK-style super-regulator, and/or handing that power to the Federal Reserve.

Thirdly, subpoenas are a two-edged sword. Although they might feed information to the issuer of the subpoena, they also shut down the information for anyone else. It's as simple as the players saying to everyone and anyone "we have no comment on running cases;" they've been handed a get-out-of-jail card at least as far as investigative reporting goes. Likewise, the subpoena is a club that can just as easily be wielded within an investment bank or hedge fund as against any outsider; it's a licence to martyr any whistleblower who might accidentally have a momentary attack of morals. Not only that, the information is now likely to be locked down within the SEC's investigation department, which would typically protect it fiercely for several years in a real investigation, and as long as it takes for the heat to die down in a political paid-favour.

Fourthly, of the investigations I have seen, the good ones are done quietly, with surgical strikes for information. A subpoena is sent only after other tools have been exhausted because it raises the stakes in the game so high. To send 50 out at once is about as surgical as carpet-bombing.

The overall sense then remains. The Bear Stearns affair smells, and rumour has it that the Brothers Lehman were seen washing at the same laundry. Who else? IndyMac? It might be a coincidence, but there is no end to the bad news for the USA Federal investigative and regulatory arms in recent years.

Which brings us to the point of the article, and the lesson as to why financial cryptographers read and understand the financial markets. The financial regulators promote a model of independent and fair regulation, but this is simply not the case. Sometimes, briefly, we experience periods in history where regulators do strive to stand apart and to regulate lightly and fairly, for the benefit of more than the incumbents. But more often than not, the regulators are the best heeled but least well-equipped players in a rigged game, always on the back foot, and operating to a steady series of political favours which will generally make matters worse.

With the retirement of Greenspan, and the political assassination of Spitzer, the USA markets are now normalising towards a stability of chaos. For financial cryptographers, then, it is important to understand that the structure of the market is dominating, and the regulators are players in that structure, not fair policemen, or designers of that structure. Enter that game at your peril, and if you do, understand it better than they do.

Addendum: of course, not getting the names right doesn't help understanding at all... JP Morgan bought Bear Stearns, not Goldman Sachs.

Posted by iang at 08:05 AM | Comments (0) | TrackBack

Mystified by subprime? ask the Telegraph...

Mystified by how 'sub-prime' debt engulfed Wall Street's smartest and now threatens the wider global economy? BigMac points to the Telegraph's comic strip, which might help explain how the story started:

The credit crisis explained in black and white.

Click to The Telegraph for partial comic strip

Or to here for the fuller adult version...

Or to here for the original slide show...

... to which a comment on BoingBoing says:
"I have it on good sources that this was actually made at Countrywide Financial"
which explains why no-one wants their name on it!

Also see The Economist on Freddie and Fannie: it's turtles all the way down!

Posted by iang at 07:51 AM | Comments (0) | TrackBack

July 16, 2008

Why do Banks lend poorly in the sub-prime market? Because they are not in Banking!

In a response to yesterday's post on the fall of the US dollar, Gunnar points out that incentives being out of alignment is no stranger to the banking world:

Interestingly enough Charlie Munger identified much the same themes (not all the particulars) way back in Wesco Financial's 1990 letter:
Granting the presence of perverse incentives, what are the operating mechanics that cause widespread bad loans (where the higher interest rates do not adequately cover increased risk of loss) under our present system? After all, the bad lending, while it has a surface plausibility to bankers under cost pressure, is, by definition, not rational, at least for the lending banks and the wider civilization. How then does bad lending occur so often?

It occurs (partly) because there are predictable irrationalities among people as social animals. It is now pretty clear (in experimental social psychology) that people on the horns of a dilemma, which is where our system has placed our bankers, are extra likely to react unwisely to the example of other peoples' conduct, now widely called "social proof". So, once some banker has apparently (but not really) solved his cost-pressure problem by unwise lending, a considerable amount of imitative "crowd folly", relying on the "social proof", is the natural consequence. Additional massive irrational lending is caused by "reinforcement" of foolish behavior, caused by unwise accounting convention in a manner discussed later in this letter. It is hard to be wise when the messages which drive you are wrong messages provided by a mal-designed system.

In order to understand what is going on in the market for banks, I think there is something that is extremely important to bear in mind. And this is:

banks are no longer in banking

In other words, it is more or less a myth these days that banks engage in banking, so whatever we think about banking, we shouldn't apply it to banks. How can this be? Well, let's get the theory straight: The concept of banking is this:

A market in which intermediaries borrow from the public on demand and lend to the public at term.

So, these intermediaries take on a risk between "demand deposits" and "term loans" that is captured in the interest rates and is protected by security. Etc etc. "Term" here means a long time, long enough such that there is no easy way to predict the economic future. This is a highly significant risk, and what causes banking to be different.

However, with the invention of securitization in the 1970s or so, while the intermediaries (sometimes known as banks) still borrowed from the public on demand, and created loans at term, they then went on to sell those term loans to the public. Banks are no longer lending at term, or more precisely are no longer exposed to the ramifications of term, themselves. They therefore enter into these term loans at little risk to themselves. Hence, although they are still styled as banks, and are regulated as "in banking", they are not actually engaging in the trade of banking. To be doing banking, you must engage in both sides of the equation; that special risk by being on both sides is the reason for the special subsidy and regulation of banking. Securitization removes that risk.

Hence, banks are now encouraged to do as many loans as possible, without worrying about the term risks. That is someone else's problem. Do I hear subprime?
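To make the incentive argument concrete, here is a toy model of the two sides of the banking equation described above (demand deposits on one side, term loans on the other) and of what securitization does to it. This is an added illustration written for this page, not code from the original post, and every figure in it, the loan terms, deposit rate, origination fee, recovery rate and reserve ratio, is an assumed value chosen for illustration. The model compares a bank that holds a term loan to maturity with one that sells it at origination, and solves for the borrower default probability at which the two strategies pay the same.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Loan:
    """One term loan. All figures are assumed, illustrative values."""
    principal: float           # amount lent
    rate: float                # simple annual interest charged to the borrower
    term_years: int            # years until the borrower repays
    default_prob: float        # probability the borrower defaults during the term
    loss_given_default: float  # fraction of principal lost if that happens


def hold_to_term_profit(loan: Loan, deposit_rate: float) -> float:
    """Expected profit for a bank that funds the loan with demand deposits and
    keeps it on its own books until maturity. Interest is only earned if the
    borrower does not default; the deposit interest is owed either way."""
    interest = loan.principal * loan.rate * loan.term_years
    funding_cost = loan.principal * deposit_rate * loan.term_years
    expected_credit_loss = loan.default_prob * loan.loss_given_default * loan.principal
    return (1.0 - loan.default_prob) * interest - funding_cost - expected_credit_loss


def originate_and_sell_profit(loan: Loan, fee_rate: float) -> float:
    """Expected profit for a bank that sells the loan to investors at origination.
    It pockets a fee on principal and the term risk leaves with the loan, so the
    borrower's default probability does not appear in the formula at all."""
    return loan.principal * fee_rate


def breakeven_default_prob(loan: Loan, deposit_rate: float, fee_rate: float) -> float:
    """Default probability at which holding the loan earns no more than selling it.
    Solves hold_to_term_profit(p) == originate_and_sell_profit for p."""
    interest = loan.principal * loan.rate * loan.term_years
    funding_cost = loan.principal * deposit_rate * loan.term_years
    fee = loan.principal * fee_rate
    return (interest - funding_cost - fee) / (interest + loan.loss_given_default * loan.principal)


def liquidity_shortfall(deposits: float, reserve_ratio: float, withdrawal_fraction: float) -> float:
    """Cash a bank must find when depositors withdraw more than it keeps in reserve.
    The remainder of the deposits is locked in term loans that cannot be called
    early: this maturity mismatch is the risk that makes banking proper special."""
    cash_on_hand = deposits * reserve_ratio
    demanded = deposits * withdrawal_fraction
    return max(0.0, demanded - cash_on_hand)


def profit_table(default_probs, deposit_rate=0.02, fee_rate=0.01):
    """Expected profit per loan under both strategies across borrower quality.
    The loan terms are assumed: 100,000 at 7% simple interest for 5 years,
    with half the principal lost on default."""
    rows = []
    for p in default_probs:
        loan = Loan(principal=100_000, rate=0.07, term_years=5,
                    default_prob=p, loss_given_default=0.5)
        rows.append((p, hold_to_term_profit(loan, deposit_rate),
                     originate_and_sell_profit(loan, fee_rate)))
    return rows


if __name__ == "__main__":
    print(f"{'p(default)':>10} {'hold':>10} {'sell':>10}")
    for p, hold, sell in profit_table([0.0, 0.1, 0.2, 0.3, 0.5]):
        print(f"{p:>10.2f} {hold:>10.0f} {sell:>10.0f}")
    sample = Loan(100_000, 0.07, 5, 0.0, 0.5)
    print("break-even default probability:",
          round(breakeven_default_prob(sample, 0.02, 0.01), 3))
    print("shortfall on a 25% run with 10% reserves:",
          liquidity_shortfall(1_000_000, 0.10, 0.25))
```

The table makes the point of the post visible: the hold-to-term column falls with borrower quality and goes negative once default risk is high enough, while the sell column is flat, because the seller's return does not depend on whether the loan is ever repaid. Under the assumed numbers a bank that keeps its loans stops lending to borrowers above roughly a 28% default probability; a bank that sells them has no such threshold. The `liquidity_shortfall` function shows the other half of the "both sides" risk, the deposit run that a term-loan book cannot meet, which is the risk that disappears along with the loans.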

So while Charlie Munger's comment is that a herd effect and a sociological effect drive bad lending, the answer is much simpler. There is no dilemma, as banks don't need to lend wisely, they simply aren't at risk.

Having said that, it is going to take another decade or so for regulators and the public to wake up to this state of affairs. The banking subsidy is a licence to make money, and no bank wants to lose such a franchise, especially now that they've got out of the risky business of banking. It'd be a crime to let the easy money go!

Mystified by how 'sub-prime' debt engulfed Wall Street's smartest and now threatens the wider global economy? The Telegraph's comic strip may help explain how the story started.
Posted by iang at 12:16 PM | Comments (4) | TrackBack

July 15, 2008

The sorry tale of the US Dollar's long downwards spiral -- how did this happen?

Oil, geopolitics, those pesky Russians, irrational Bay Area exuberance, the drums of war, Sir Alan's folly, the cheeky Chinese, the conceit of monetarism, or, that inept circus known as the Bush Administration? We all know the dollar is collapsing, but what we don't know is (a) why, and (b) where to? JPM sent news last month of the latest RBS brief that says, in brief, to hell in a handbasket:

The Royal Bank of Scotland has advised clients to brace for a full-fledged crash in global stock and credit markets over the next three months as inflation paralyses the major central banks.

"A very nasty period is soon to be upon us - be prepared," said Bob Janjuah, the bank's credit strategist.

A report by the bank's research team warns that the S&P 500 index of Wall Street equities is likely to fall by more than 300 points to around 1050 by September as "all the chickens come home to roost" from the excesses of the global boom, with contagion spreading across Europe and emerging markets.

Heady stuff! The essential problem is that the US economy, and/or the government, and/or the Americans, has overspent.

The old story is the inflation one: too many dollars washing around causes too much investment, and then a little inflation, and a little more and a little more and a lot more ... until the government decides to put the brakes on because the lenders want more than can be returned. But the brakes take a few years to change the pace, and a few more years of pain and a few more years of rebuilding. By the time all the damage is repaired, we have forgotten where it came from, so nobody really believes this stuff anyway, and we're ready to live the good times again! It's our turn! Hysteresis being a wonderful thing, we enter what is quaintly called the Austrian Business Cycle, and the economy bounces around like a yoyo from generation to generation.

Except: supposedly with the death of Keynes and the rise of the Austrians and the new enlightened central banking age, we were supposed to be past all that. What went wrong? That is what is flummoxing the fundamentalists amongst us. What we know is that we've never been here before, and like other complicated stories, there are *many factors*. Here's my attempt at listing the forces:

1. The 1990s Internet/tech boom caused a massive jolt to business, in effect a "productivity shock" albeit upwards. Productivity was kicked upwards in those areas affected. This released additional value into other areas, which had the effect of releasing additional investment into other areas. In a sense, the overall effect was inflationary, because the existing money stock was being used more effectively.

2. Because of the climb in productivity, the economy grew rapidly. This meant an increased demand for money, which central banks were happy to accommodate. However, because of the release of value, this also had the effect of increasing the supply of money. More inflation.

3. Around 2000, when most households in the USA had acquired their obligatory new-age accessory, the PC, the wheels came off the Internet boom. Which should have been expected to put an end to the general boom in the economy. Predictably, Alan Greenspan boosted up money creation to soften the blow.

4. In comes Bush: "Cry Havoc! and let slip the dogs of war!" Which unleashed the wildcats of spending. Well, maybe..., opinions might be divided on what the causes were, but the fact remains that this President has doubled the national debt of the USA from 2001 to now, and that's one big achievement that we can all be proud of.

5. Which, as war talk inevitably does, leads to the observation that certain countries were targeted, and nobody has any clue what the metric was. If you know, please write in, with evidence if possible. Which, more importantly, resulted in an explosion of that old disease: Fear, Uncertainty and Doubt. In this case, monetary FUD meant that those who *might* be targeted worried about their over-dependency on that ultimate class of financial oil: the dollar.

Gold went up . . . .

5.b Sometime around 2002-2003, countries started shifting out of the dollar. Slowly. Gently. Pretending not to. Refer to cartel and game theory to understand the theatre here. Either way, the shine was off, especially for those at the nexus of confusion: Islamic, oil-exporting, non-USA trade partners such as Libya, Iran, Iraq.

6. Which was extraordinarily lucky for Europe, as just around the right time, the Euro burst into life, giving a currency of impeccable (Bundesbank) anti-inflation credentials. The Bundesbank was located in Frankfurt. The ECB is located in Frankfurt, too. This is no accident. So, countries found it relatively easy to justify shifting a large part of their reserves to Euros. Slowly, Gently, Pretending Everything But.

7. Which meant all this dollar surplus went washing back to the US, at around the same time as the Bush administration was borrowing more, spending more, warring more. It may never be officially confirmed, but the Fed was on the case by 2003, and managing the process of absorbing a more than normal homeward bound flow of dollars. Not a happy picture. Monetarily speaking, although the tech boom was over, the money boom carried on, and there wasn't a darn thing the Fed could do about it, because those darn foreigners insisted on buying real assets in paper dollars. Hello, housing boom.

8. The dollar went down. Consistently, from around 2001. Which would have been fine, all things being equal, as this just means we buy less Airbuses, more Boeings, etc, until it all balances out.

9. However, as the dollar was the trading currency of the world, things were decidedly not equal. By fiat of Bretton Woods, as it were. Monetary policy has never really considered wholesale redemptions by the world's customers, so it was an open question as to what would happen. In this case, those wily Europeans, those cunning Chinese, those devilish Japanese, and even the happy-go-lucky Aussies ... all decided to *help the Fed*. And, help in this case, turned out to be letting their currencies go down as well. Which means, they issued more money, and inflated under the umbrella, while the Fed was swallowing more, while the Bush administration was borrowing more. In essence, this meant the real corrections were delayed and hidden, because the currency markets were more or less in balance.

10. Not so real assets: Gold went up. Housing boomed. Dollars went down, and the other nationals went downish, enjoying the chance, because they won profit by their favour to the Fed. And, what happens when everyone inflates at the same time?

11. Commodities first, but then foodstuffs, and finally ordinary stuff went up in price. Tech stuff still continued going down because the tech machine was still rolling, if not booming. Stuff that was made in the new wunderfabrik of China went down in price, as that vast empire of cheap labour opened up. In sum, nobody noticed that the central banks, all of them, were stealing the bounty of the lowering dollar, the tech productivity shock, and the China export trade. So much for the vaunted anti-inflation reputations.

12. Hence, in short summary, the military expenditures took over from the tech bubble. The dogs-of-war chased dollar-holders who went scurrying across to the Euro, creating a dollar bubble which underwrote the housing bubble. All hard assets boomed around the western world. Everything boomed in the US, except fiscal balance.

13. Which all came to a close when the oil shock hit. The shock was triggered by the boys-own adventures of Bush and his chums in the great game (a euphemism for interference and manipulation in the Middle East). However, be careful: we have to factor in around 50 years of manipulation of the oil supply industry, which caused an imbalance waiting to collapse. This supply-side manipulation can be seen in new oil fields like Alaska, there is so much oil washing around there that some say that if it were fed to the US market, the prices would drop to around zero and Kissinger's fabled contracts with the sheikhs would collapse. Which would collapse the dollar. Apparently, if there's anything that Washington fears more than an open market in Middle Eastern democracy, it is an open market in oil.

14. Never minding the source of the shock, it was the straw that broke the camel's back: Cash that was previously washing around from other sources was sucked up by the new demands on oil (which feeds into practically every other sector of the physical goods economy) and this caused the investment, housing and other booms to break. Then, the fundamentalists (those traders who believe in long term trends and numbers) started to take a good hard look at the real numbers, and people got scared. "Withdraw from everything!" ...

Fundamentalists knew the USA economy was out of balance in around 2000, when the tech bubble burst ... something should have happened then, but to our surprise, nothing much happened (unless you had a tech job, that was pretty dire). What caught us out is how many other factors were involved, how deep the USA trap was, and how long it took for these huge, massive imbalances to come home to roost. If it is any comfort, this is going to be as well studied as the Great Depression, for the same reasons: the monetary authorities and the governments got it all wrong.

Here we are, staring at recession. It's hard to recommend what to do, but it should be to reduce dependency on the US dollar, any way you can. Whatever you have in mind, do it quickly.

Posted by iang at 08:03 AM | Comments (4) | TrackBack

July 11, 2008

wheretofore Vista? Microsoft moves to deal with the end of the Windows franchise

Since the famous Bill Gates Memo, around the same time as phishing and related frauds went institutional, Microsoft has switched around to deal with the devil within: security. In so doing, it has done what others should have done, and done it well. However, there was always going to be a problem with turning the super-tanker called Windows into a battleship.

I predicted a while back that (a) Vista would probably fail to make a difference, and (b) the next step was to start thinking of a new operating system. This wasn't the normal pique, but the cold-hearted analysis of the size of the task. If you work for 20 years making your OS easy but insecure, you don't have much chance of fixing that, even with the resources of Microsoft.

The Economist brings an update on both points. Firstly, on Vista's record after 18 months in the market:

To date, some 140m copies of Vista have been shipped compared with the 750m or more copies of XP in daily use. But the bulk of the Vista sales have been OEM copies that came pre-installed on computers when they were bought. Anyone wanting a PC without Vista had to order it specially.

Meanwhile, few corporate customers have bought upgrade licences they would need to convert their existing PCs to Vista. Overwhelmingly, Windows users have stuck with XP.

Even Microsoft now seems to accept that Vista is never going to be a blockbuster like XP, and is hurrying out a slimmed-down tweak of Vista known internally as Windows 7. This Vista lite is now expected late next year instead of 2010 or 2011.

It's not as though Vista is a dud. Compared with XP, its kernel—the core component that handles all the communication between the memory, processor and input and output devices—is far better protected from malware and misuse. And, in principle, Vista has better tools for networking. All told, its design is a definite improvement—albeit an incremental one—over XP.

Microsoft tried and failed to turn it around, security+market-wise. We might now be looking at the end of the franchise known as Windows. To be clear, while we are past the peak, any ending is a long way off in the distant future.

Classical strategy thinking says that there are two possible paths here: invest in a new franchise, or go "cash-cow". The latter means that you squeeze the revenues from the old franchise as long as possible, and delay the termination of the franchise as long as possible. The longer you delay the end, the more revenues you get. The reason for doing this is simple: there is no investment strategy that makes money, so you should return the money to the shareholders. There is a simple example here: the music majors are decidedly in cash-cow, today, because they have no better strategy than delaying their death by a thousand file-shares.

Certainly, with Bill Gates easing out, it would be possible to go cash-cow, but of course, we on the outside can only cast our auguries and wonder at the signs. The Economist suggests that they may have taken the investment route:

Judging from recent rumours, that's what it is preparing to do. Even though it won't be in Windows 7, Microsoft is happy to talk about “MinWin”—a slimmed down version of the Windows core. It’s even willing to discuss its “Singularity” project—a microkernel-based operating system written strictly for research purposes. But ask about a project code-named “Midori” and everyone clams up.

By all accounts, Midori (Japanese for “green” and, by inference, “go”) capitalises on research done for Singularity. The interesting thing about this hush-hush operating system is that it’s not a research project in the normal sense. It's been moved out of the lab and into incubation, and is being managed by some of the most experienced software gurus in the company.

With only 18 months before Vista is to be replaced, there's no way Midori—which promises nothing less than a total rethink of the whole Windows metaphor—could be ready in time to take its place. But four or five years down the road, Microsoft might just confound its critics and pleasantly surprise the rest of us.

Comment? Even though I predicted Microsoft would go for a new OS, I think this is a tall order. There are two installed bases in the world today, being Unix and Windows. It's been that way for a long time, and efforts to change those two bases have generally failed. Even Apple gave up and went Unix. (The same economics works against the repeated attempts to upgrade the CPU instruction set.)

The flip-side of this is that the two bases are incredibly old and out-of-date. Unix's security model is "ok" but decidedly pre-PC; much of what it does is simply irrelevant to the modern world. For example, all the user-to-user protection is pointless in a one-user-one-PC environment, and the major protection barrier has accidentally become a hack known as TCP/IP, legendary for its inelegant grafting onto Unix. Windows has its own issues.

So we know two things: a redesign is decades overdue, and it won't budge the incumbents; both are likely to live another decade without appreciable change to the markets. We would need a miracle, or better, a killer-app to budge the installed base.

Hence the cold-hearted analysis of cash-cow wins out.

But wait! The warm-blooded humanists won't let that happen for one and only one reason: it is simply too boring to contemplate. Microsoft has so many honest, caring, devoted techies within that if a decision were made to go cash-cow, there would be a mass-defection. So the question then arises, what sort of a hybrid will be acceptable to shareholders and workers? Taking a leaf from recent politics, which is going through a peak-energy-masquerade of its own these days, some form of "green platform" has appeal to both sides of the voting electorate.

Posted by iang at 09:26 AM | Comments (2) | TrackBack

June 30, 2008

Cross-border Notarisations and Digital Signatures

My notes of a presentation by Dr Ugo Bechini at the Int. Conf. on Digital Evidence, London. As it touches on many chords, I've typed it up for the blog:

The European or Civil Law Notary is a powerful agent in commerce in the civil law countries, providing a trusted control of a high value transaction. Often, this check is in the form of an Apostille which is (loosely) a stamp by the Notary on an official document that asserts that the document is indeed official. Although it sounds simple, and similar to common law Notaries Public, behind the simple signature is a weighty process that may be used for real estate, wills, etc.

It works, and as Eliana Morandi puts it, writing in the 2007 edition of the Digital Evidence and Electronic Signature Law Review:

Clear evidence of these risks can be seen in the very rapid escalation, in common law countries, of criminal phenomena that are almost unheard of in civil law countries, at least in the sectors where notaries are involved. The phenomena related to mortgage fraud are particularly important, which the Mortgage Bankers Association estimates to have caused the American system losses of 2.5 trillion dollars in 2005.

OK, so that latter number came from Choicepoint's "research" (referenced somewhere here) but we can probably agree that the grains of truth sum to many billions.

Back to the Notaries. The task that they see ahead of them is to digitise the Apostille, which to some simplification is seen as a small text with a (dig)sig, which they have tried and tested. One lament common to all European tech adventures is that the Notaries, split along national lines, use many different systems: 7 formats, indicating at least 7 different software products, frequent upgrades, and of course, ultimately, incompatibility across the Eurozone.

To make notary documents interchangeable, there are (posits Dr Bechini) two solutions:

  1. a single homogeneous solution for digsigs; he calls this the "GSM" solution, whereas I thought of it as a potential new "directive failure".
  2. a translation platform; one-stop shop for all formats

A commercial alternative was notably absent. Either way, IVTF (or CNUE) has adopted and built the second solution: a website where documents can be uploaded and checked for digsigs; the system checks the signature, the certificate and the authority and translates the results into 4 metrics:

  • Signed - whether the digsig is mathematically sound
  • Unrevoked - whether the certificate has been reported compromised
  • Unexpired - whether the certificate is out of date
  • Is a notary - the signer is part of a recognised network of TTPs

In the IVTF circle, a notary can take full responsibility for a document from another notary when there are 4 green boxes above, meaning that all 4 things check out.

This seems to be working: Notaries are now big users of digsigs, 3 million this year. This is balanced by some downsides: although they cover 4 countries (Deutschland, España, France, Italy), every additional country creates additional complexity.

Question is (and I asked), what happens when the expired or revoked certificate causes a yellow or red warning?

The answer was surprising: the certificates are replaced 6 months before expiry, and the signed messages themselves are only meant to live for a few hours. So, instead of the document being archived with its digsig and then shared, a relying Notary goes back to the originating Notary to request a new copy. The originating Notary goes to his national repository, picks up his *original* which was registered when the document was created, adds a fresh new digsig, and forwards it. The relying notary checks the fresh signature and moves on to her other tasks.

You can probably see where we are going here. This isn't digital signing of documents, as it was envisaged by the champions of same, it is more like real-time authentication. On the other hand, it does speak to that hypothesis of secure protocol design that suggests you have to get into the soul of your application: Notaries already have a secure way to archive the documents, what they need is a secure way to transmit that confidence on request, to another Notary. There is no problem with short term throw-away signatures, and once we get used to the idea, we can see that it works.
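To make the four boxes and the fresh-copy exchange concrete, here is an added example in Go; it is mine, not code from the presentation or from the IVTF/CNUE platform. It uses Ed25519 from Go's standard library in place of whatever PKI the platform actually runs, a toy certificate record holding only subject, key and expiry, and a constructed directory of recognised notaries and revoked keys; the subject name, document id and clock are constructed for the demo. The originating notary keeps the registered original and answers each request with a newly signed copy; the relying side runs the four checks and proceeds only on all green.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Cert is a minimal stand-in for a notary's certificate. Assumption: the real
// platform consumes X.509 with chains and CRLs; this keeps only what the four checks need.
type Cert struct {
	Subject  string
	PubKey   ed25519.PublicKey
	NotAfter time.Time
}

// Directory is the platform's knowledge: which subjects belong to a recognised
// notary network (the TTPs) and which keys have been reported compromised.
type Directory struct {
	Notaries map[string]bool
	Revoked  map[string]bool // keyed by public key bytes
}

// Result is the four boxes shown to the relying notary.
type Result struct {
	Signed    bool // the signature verifies mathematically
	Unrevoked bool // the certificate has not been reported compromised
	Unexpired bool // the certificate is still within its validity period
	IsNotary  bool // the signer belongs to a recognised network of TTPs
}

// AllGreen is the condition under which the relying notary takes full responsibility.
func (r Result) AllGreen() bool { return r.Signed && r.Unrevoked && r.Unexpired && r.IsNotary }

// Check evaluates a document and its signature against the directory as of now.
func (d *Directory) Check(doc, sig []byte, c Cert, now time.Time) Result {
	return Result{
		Signed:    ed25519.Verify(c.PubKey, doc, sig),
		Unrevoked: !d.Revoked[string(c.PubKey)],
		Unexpired: now.Before(c.NotAfter),
		IsNotary:  d.Notaries[c.Subject],
	}
}

// Notary is the originating side: an archive of registered originals plus a signing key.
type Notary struct {
	Cert    Cert
	priv    ed25519.PrivateKey
	archive map[string][]byte // document id -> original as registered
}

// NewNotary issues a fresh key pair valid for validFor from now.
func NewNotary(subject string, now time.Time, validFor time.Duration) *Notary {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure; nothing sensible to do in a demo
	}
	return &Notary{
		Cert:    Cert{Subject: subject, PubKey: pub, NotAfter: now.Add(validFor)},
		priv:    priv,
		archive: map[string][]byte{},
	}
}

// Register stores the original at creation time, as the national repository does.
func (n *Notary) Register(id string, original []byte) { n.archive[id] = original }

// FreshCopy answers a relying notary's request: fetch the original and sign it anew.
func (n *Notary) FreshCopy(id string) (doc, sig []byte, ok bool) {
	doc, ok = n.archive[id]
	if !ok {
		return nil, nil, false
	}
	return doc, ed25519.Sign(n.priv, doc), true
}

// Demo runs the exchange plus three failure cases and returns the four results.
func Demo() (fresh, tampered, revoked, expired Result) {
	now := time.Date(2008, 6, 30, 12, 0, 0, 0, time.UTC) // constructed clock
	orig := NewNotary("notary-example-it", now, 180*24*time.Hour) // constructed subject
	dir := &Directory{Notaries: map[string]bool{orig.Cert.Subject: true}, Revoked: map[string]bool{}}
	orig.Register("deed-0001", []byte("constructed sample deed text"))

	// The relying notary asks for a fresh copy instead of reusing an archived signature.
	doc, sig, ok := orig.FreshCopy("deed-0001")
	if !ok {
		panic("unknown document id")
	}
	fresh = dir.Check(doc, sig, orig.Cert, now)

	// A modified document must fail the Signed box.
	bad := append([]byte{}, doc...)
	bad[0] ^= 0xff
	tampered = dir.Check(bad, sig, orig.Cert, now)

	// A key reported compromised must fail the Unrevoked box.
	dir.Revoked[string(orig.Cert.PubKey)] = true
	revoked = dir.Check(doc, sig, orig.Cert, now)
	delete(dir.Revoked, string(orig.Cert.PubKey))

	// A check after NotAfter must fail the Unexpired box.
	expired = dir.Check(doc, sig, orig.Cert, now.Add(200*24*time.Hour))
	return
}

func main() {
	fresh, tampered, revoked, expired := Demo()
	fmt.Printf("fresh:    %+v all green=%v\n", fresh, fresh.AllGreen())
	fmt.Printf("tampered: %+v\n", tampered)
	fmt.Printf("revoked:  %+v\n", revoked)
	fmt.Printf("expired:  %+v\n", expired)
}
```

Run it and the fresh copy comes back all green while the tampered, revoked and expired cases each fail exactly one box. The expiry check is made against the verifier's clock, which is why the platform's practice of rolling keys six months before expiry matters: a freshly signed copy should never arrive already yellow.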

One closing thought I had was the sensitivity of the national registry. I started this post by commenting on the powerful position that notaries hold in European commerce; the presenter closed by saying "and we want to maintain that position." It doesn't require a PhD to spot the disintermediation problem here, so it will be interesting to see how far this goes.

A second closing thought is that Morandi cites

... the work of economist Hernando de Soto, who has pointed out that a major obstacle to growth in many developing countries is the absence of efficient financial markets that allow people to transform property, first and foremost real estate, into financial capital. The problem, according to de Soto, lies not in the inadequacy of resources (which de Soto estimates at approximately 9.34 trillion dollars) but rather in the absence of a formal, public system for registering property rights that are guaranteed by the state in some way, and which allows owners to use property as collateral to obtain access to the financial capital associated with ownership.

But, Latin America, where de Soto did much of his work, follows the Civil Notary system! There is an unanswered question here. It didn't work for them, so either the European Notaries are wrong in their assertion that this is the reason for no fraud in this area, or de Soto is wrong in his assertion as above. Or?

Posted by iang at 08:02 AM | Comments (1) | TrackBack

June 15, 2008

Selling Security using Prospect Theory. Or not.

Bruce Schneier writes a good essay on Prospect Theory and how it affects the selling of security. The basic story is that people accept a risk-free smaller gain, but gamble with a risky larger loss; our decisions are not symmetric, and do not follow "utility" or "expected value" lines. Given that we gamble big with losses, he closes the essay with:

How does Prospect Theory explain the difficulty of selling the prevention of a security breach? It's a choice between a small sure loss -- the cost of the security product -- and a large risky loss: for example, the results of an attack on one's network. Of course there's a lot more to the sale. The buyer has to be convinced that the product works, and he has to understand the threats against him and the risk that something bad will happen. But all things being equal, buyers would rather take the chance that the attack won't happen than suffer the sure loss that comes from purchasing the security product.

Security sellers know this, even if they don't understand why, and are continually trying to frame their products in positive results. That's why you see slogans with the basic message, "We take care of security so you can focus on your business," or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is fundamentally a negative sell.

One solution is to stoke fear. Fear is a primal emotion, far older than our ability to calculate trade-offs. And when people are truly scared, they're willing to do almost anything to make that feeling go away; lots of other psychological research supports that. Any burglar alarm salesman will tell you that people buy only after they've been robbed, or after one of their neighbors has been robbed. And the fears stoked by 9/11, and the politics surrounding 9/11, have fueled an entire industry devoted to counterterrorism. When emotion takes over like that, people are much less likely to think rationally.

Though effective, fear mongering is not very ethical. The better solution is not to sell security directly, but to include it as part of a more general product or service. Your car comes with safety and security features built in; they're not sold separately. Same with your house. And it should be the same with computers and networks. Vendors need to build security into the products and services that customers actually want. CIOs should include security as an integral part of everything they budget for. Security shouldn't be a separate policy for employees to follow but part of overall IT policy.

Security is inherently about avoiding a negative, so you can never ignore the cognitive bias embedded so deeply in the human brain. But if you understand it, you have a better chance of overcoming it.

Using Prospect Theory here is interesting, and finance theory also has something similar to say: companies close to big losses are encouraged to gamble more.
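As an added illustration (mine, not from Schneier's essay or from this post) of the asymmetry described above, the Go block below values the security purchase the way prospect theory would: a sure loss (the product's cost) against a gamble (the breach). It assumes the Tversky and Kahneman (1992) median parameter values for the value and probability-weighting functions, which neither the post nor the essay quotes, and constructed dollar figures. It also shows, beyond what the text says, the case where the theory predicts the opposite: a rare, very large loss is overweighted, so the sure cost wins.

```go
package main

import (
	"fmt"
	"math"
)

// Median parameter estimates from Tversky and Kahneman (1992); assumed here
// because the post quotes no numbers.
const (
	alpha  = 0.88 // curvature of the value function for gains
	beta   = 0.88 // curvature of the value function for losses
	lambda = 2.25 // loss aversion: a loss weighs about 2.25x an equal gain
	gamma  = 0.61 // probability weighting exponent for gains
	delta  = 0.69 // probability weighting exponent for losses
)

// Value is the S-shaped value function: concave for gains, convex and steeper
// for losses, so each extra dollar of a large loss hurts less than the first.
func Value(x float64) float64 {
	if x >= 0 {
		return math.Pow(x, alpha)
	}
	return -lambda * math.Pow(-x, beta)
}

// Weight is the inverse-S probability weighting function: small probabilities
// are overweighted, moderate and large ones underweighted.
func Weight(p float64, loss bool) float64 {
	g := gamma
	if loss {
		g = delta
	}
	pg := math.Pow(p, g)
	return pg / math.Pow(pg+math.Pow(1-p, g), 1/g)
}

// SureLoss is the prospect value of paying cost with certainty (buying the product).
func SureLoss(cost float64) float64 { return Value(-cost) }

// RiskyLoss is the prospect value of losing loss with probability p and
// nothing otherwise (going without the product).
func RiskyLoss(loss, p float64) float64 { return Weight(p, true) * Value(-loss) }

// ExpectedLoss is the expected-value benchmark the post contrasts with.
func ExpectedLoss(loss, p float64) float64 { return p * loss }

// PrefersGamble reports whether a prospect-theory buyer skips the sure cost
// and runs the risk instead; true is the behaviour the post describes.
func PrefersGamble(cost, loss, p float64) bool {
	return RiskyLoss(loss, p) > SureLoss(cost)
}

func show(label string, cost, loss, p float64) {
	fmt.Printf("%s: product %.0f vs breach %.0f at p=%.2f (expected loss %.0f): sure=%.0f risky=%.0f prefers gamble=%v\n",
		label, cost, loss, p, ExpectedLoss(loss, p), SureLoss(cost), RiskyLoss(loss, p), PrefersGamble(cost, loss, p))
}

func main() {
	// Constructed figures. Case 1: equal expected loss, moderate probability.
	show("moderate risk", 10000, 20000, 0.5)
	// Case 2: same expected loss, rare but large breach; the overweighted
	// small probability now favours paying the sure cost.
	show("rare catastrophe", 10000, 200000, 0.05)
}
```

In the first case the expected loss is identical either way, yet the risky option scores better, which is the "negative sell" problem Schneier describes. In the second case the same expected loss arrives as a 5% chance of a ten-times-larger breach, and the buyer flips to paying up; the model says the hard sell is the frequent, moderate-sized incident rather than the rare catastrophe.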

It is also more evidence that the sellers of security do not have an advantage in selling security: buyers do not believe the messages, and only buy due to external issues. Establishing that will knock down the 'lemons' thesis that security is a market with a seller's advantage, and suggest that it is a market in silver bullets, with no advantage.

It is also more evidence in a trend I noticed a while back but have not adequately formalised (ftr, Bruce Schneier may have spotted it first from Counterpane's recent history). What happens when the security industry collapses and is no longer an industry in its own right? Who then does security? The rest of industry, that's who: security moves back from being a specialisation captured by the enlightened few to a general skill that all need. It's your job, do it.

But, there be dragons. As has been well known for a long time: if buyers do not value the security, then general purpose suppliers do not supply it. Supplying something not wanted doesn't help sales, of course, and this is what Microsoft did throughout the 80s and 90s, until the famous memo a handful of years back. So even though the security pendulum is swinging away from the dysfunctional specialist priesthood back to the generalist skilled area, we already know that we have a problem with the demand side of the equation, and that side is also dysfunctional.

Much food for thought.

Posted by iang at 11:18 AM | Comments (1) | TrackBack

June 07, 2008

Negroponte's judo flip on the PC industry

Sometimes we get to watch a structural change unfold before our eyes. The Intel 64bit mistake that let AMD in was one such; the Napster story another, and now, we are seeing the ending of another. Again against Intel, the OLPC, the so-called $100 laptop, has succeeded in creating a new segment. The Economist writes:

But in one respect the XO Laptop has undoubtedly made an impact: by helping to spawn a new market for low-cost laptops. Hardly any models costing $500 or less were available when the XO burst onto the scene, but now there is a wide selection of such machines, from familiar makers such as HP and Intel, and from relative newcomers such as Asus and Pioneer Computers. By raising the very possibility of a $100 laptop, the XO presented the industry with a challenge. Wayan Vota, founder of OLPCNews.com, an independent website that follows the project, calls the XO a “harbinger of an entirely new class of computers”.

Structure matters. In the market for PCs, there is a basic difference between the desktop and the laptop. Students of economics will realise that this distinction can act to discriminate between those who want to spend more and those who want to spend less. And so it is: in computer sales, the desktops inhabit the bottom end, and personal computing for the well-heeled is dominated by laptops.

In simple terms, if you can afford a laptop, you get a laptop. If not, you get a desktop. Again in economics-speak, this discrimination captures more of the consumer surplus (your spare cash), provides improved Hayekian information to manufacturers (what you really want), and ultimately leads to better and cheaper products for all.

This had the rather odd effect that although computers kept on getting better and better, laptops were not getting cheaper, only better. Indeed, those older models which were clearly suitable once and therefore would be adequate now, and cheaper, were instead being consistently stripped from the market. By common agreement, the bottom end laptop was scrubbed out.

This apparently breaks Moore's law, which implies that the same thing should get cheaper over time. Where's the cheaper laptop? Negroponte must have asked this very question, and known that given everything else we know about the computing industry, there should have been a cheaper laptop.

As described above, we know the reason there is none, but that stability is by consensus with the consumers and makers. There is nothing wrong with actually building one, and breaking the stability. And this is what Negroponte did: build something that was possible, but the market had avoided because of price discrimination reasons.

There are strong emotions about the OLPC. No matter what you think about the design, the OS, the choices, the sales or the cute green ears, one thing is clear: Negroponte succeeded in doing a judo flip on Intel, Asus and the other manufacturers, and creating the new segment. Once he had succeeded to the extent that he could sell them, other laws of competition kicked in, and the manufacturers were forced to follow.

Although the Classmate may have stolen some of the XO’s thunder in the developing world, another low-cost laptop has been a runaway success in the developed world. The tiny Asus Eee PC, little bigger than a paperback book and weighing less than a kilogram, sold more than 300,000 units in 2007 alone. It is now available in several versions: the most basic model, with a seven-inch screen, costs $299, and a new high-end model with a nine-inch screen costs $549. HP, the world’s biggest PC-maker, entered this new market in April with the “Mini-Note”, a small laptop weighing just over a kilogram. It too will cost under $500.

All of these new machines are being aimed at consumers in the rich world, who like the idea of a computer that can be taken anywhere, as well as being sold for educational use in poor countries. The $100 laptop has been a success—just not, so far, in the way its makers intended.

In the end, the fate of the OLPC is less interesting, and discussions about whether the OLPC succeeded or not miss the point. The real point is that the segment is now created. Thanks to Nicholas Negroponte, students of business now have a new case study in market structure and price discrimination, and everyone else now has a cheap laptop.

  • Also apropos: Battlechips. As once-distinct markets start to overlap, chipmakers come to blows from the same edition of the Economist.

Posted by iang at 06:46 AM | Comments (3) | TrackBack

May 10, 2008

What makes a Security Project?

Why is it that when you come across a good new thought, it is harder to deal with than an old, rehashed thought? I struggle with this all the time; e.g., blogs: my favourite ones are the writers that do original and new thinking. These guys nibble and munch at problems until they find answers. Then they bake solutions. These posts are so full of good stuff that I don't know where or how to respond. On the other hand, my unfavourite blogs are the ones that stick very clearly in the middle ground, express mildly polemic thoughts that a majority agree with and a minority already said, and seem to spend more time collecting and building popular support than anything useful.

Lots of good posts these days over at Gunnar's area, and I can't easily respond to them.

I see no evidence that [Sun] understand the need for writing secure code more so than Microsoft. In fact I see every evidence that Sun is several years behind Microsoft on software security. Let's do the list - Howard/Leblanc's work, threat modeling, software security patterns and practices, SDL, SecPal, BlueHat, OWASP guidance work and that is all before we get to identity stuff.

You won't see such an ... *opinion* from the popular fence sitters! Why is this? I think it is for several reasons. To say such a thing means you court disfavour with large companies, including the one you named, but also other companies who might realise you are likely to bark with more bite than other tame consultants.

Further, one has to think of the evidence to back up the opinion, and that's not always easy. I know because I tried to clarify this three years ago, while dealing with the question. When I sat and thought about why I thought some organisations weren't up to scratch, I had no easy answers. So I wrote down everything I could think of ... and then judged every organisation I knew on my list of metrics.

For once, then, I can respond to Gunnar, and in full wide-screen TV mode:

Points -> Source Disclosure Goal of Security Security Czar Audit Project Risks & Threats Crypto Total Points
Projects read open compete patches weaknesses mistakes espoused