If you tell enough stories, perhaps the moral will show up.

2009-02-28

Trusting Strangers -- Why Certificate Authorities are like Credit Rating Agencies

My list of causes of the banking crisis isn't quite the same as everyone else's. For me it generally boils down to moral courage. Because I have none myself, I can recognise that it was missing in plenty of different places.

  • "Spineless non-Execs" rather than "Wicked Banker" and
  • Fannie and Freddie for not making it plainer that they were lending on this stuff in response to government fiat rather than thinking it was any good, and
  • Rating agencies for closing down credit discussion on the grounds that if it was good enough for Fannie and Freddie it must be A+ at least, and 
  • Bankers (aha) for closing down credit discussion on the grounds that the securities were rated A+ by an independent rating agency, and
  • Bankers (yes!) for saying that as everyone else was making fortunes:

    • writing liar's mortgages at tempting rates, and securitising them on
    • lending to doomed ventures, and securitising them on
    • buying A+ securities that somehow pay three points over base, and securitising THEM on
    they had better do the same, or the shareholders would kick their arses, and
  • Shareholders for kicking the arses of anyone who missed these amazing opportunities
  • and you know who else? Lying or self deluding borrowers. That's us.

Oh. I'm ranting. Let me get this back on track. Check out the credit rating agencies. They're right in the crux of this. Their business is to turn more or less synthetic securities (anything from a strip or a mortgage bundle right down to a plain bond -- anything that's denominated in money rather than equity) into a capital "I" Investment. The fairy dust they sprinkle to do this is their rating. They form an opinion on the ability of the borrower to pay as advertised. That's not whether it's a good investment or the right investment for you, or whether the issuer will craftily exploit the early redemption terms or whatever. The rating is just Moody's or S&P's opinion on whether the coupons and face will be redeemed on the published dates. Ratings go from AAA which is supposed to be a dead cert down to ccc -- and you'll never get an agency to agree a correlation between the rating and a percentage probability.

Because of a long history of grade inflation, pretty much anything that can't make at least an A is called junk and a lot of investors aren't allowed to touch it.

Sometimes the agencies rate because they want media attention or because their franchise demands that they have an opinion on some popular issue. More often, they rate because the issuer pays to get a rating needed to get the issue away. You can't buy a particular grade, but the agencies will advise on how to get it, and if you're an investment bank there's such a thing as being a good customer of the rating agency... I don't really need to spell this out. Suffice to say that the investor (the technical term is "victim", these days) has no contract with the agency. If Moody's were to rate a bundle of Motown mortgages as A -- and some agencies were doing that -- and it defaults, then the owner of the bond, who trusted the rating, has no comeback to Moody's when the bond defaults. It was the agency's published opinion, no more and no less. You relied on it at your own risk.

Now I expect that at some point you could say it was negligence, and of course rating agencies are controlled by financial regulators, but my point is a little different. Because there's a very fine parallel to this in the world of Internet security. The whole technical paraphernalia of X.509 has one purpose: to tell you, reliably, that the certificate authority has certified that the far end is the correct user of a name. You are trusting the certificate authority to do the necessary diligence, to refrain from certifying incorrect users, to guard their private key. (You are also, in effect, trusting them to do things they definitely do not do, like ensuring that the sites they certify can keep track of their private keys -- that's why the system is mad.) For ordinary users, this trust is a matter of default -- it's installed with the browser. Sites pay CAs for certificates because CAs pay browser authors to install their keys. The free-rider is the user, and that's a bad thing. No payment == no contract == no rights. As the rating agencies have shown us.
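To see how many strangers that default covers, here is an added example (not part of the original post) that groups a machine's default trust anchors by the organisation operating them and lists any that have expired. It assumes Python's default TLS context, which reads the OS/OpenSSL store rather than a browser's own list; the sample entries and organisation names are constructed.

```python
import ssl
from collections import Counter

# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns;
# the organisation names are invented for illustration.
SAMPLE_ANCHORS = [
    {"subject": ((("organizationName", "Example Trust Co"),),
                 (("commonName", "Example Root CA 1"),)),
     "notAfter": "Dec 31 23:59:59 2030 GMT"},
    {"subject": ((("organizationName", "Example Trust Co"),),
                 (("commonName", "Example Root CA 2"),)),
     "notAfter": "Jan  1 00:00:00 2020 GMT"},
    {"subject": ((("commonName", "Sample National Root"),),),
     "notAfter": "Jun 30 12:00:00 2035 GMT"},
]

def load_default_anchors():
    """Roots the local default TLS context trusts (OS/OpenSSL store, not a browser's)."""
    return ssl.create_default_context().get_ca_certs()

def _rdn(name, key):
    """Return the first value of `key` in an ssl-style name tuple, or None."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def summarize_trust_anchors(certs, now):
    """Count anchors per operating organisation and list those expired at `now`."""
    per_org, expired = Counter(), []
    for cert in certs:
        subject = cert["subject"]
        cn = _rdn(subject, "commonName") or "(no common name)"
        # Fall back to the common name when the root carries no organisation.
        per_org[_rdn(subject, "organizationName") or cn] += 1
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(cn)
    return {"anchors": len(certs), "organisations": dict(per_org), "expired": expired}

if __name__ == "__main__":
    import time
    report = summarize_trust_anchors(load_default_anchors(), time.time())
    print(report["anchors"], "trust anchors from",
          len(report["organisations"]), "organisations")
    for org, n in sorted(report["organisations"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {org}")
    print("expired:", report["expired"])
```

Run as a script it reports on the local store; each organisation listed is a party whose diligence and key handling every TLS connection from that machine depends on.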

2009-02-23

I Got Spywared

I ought to go into detail about this, but it's late so I think I'll go straight to the takeaways:

  • Don't browse as an admin. Resolving this has taken about fifteen hours over three days. I would rather have spent that time asleep. You can resolve a lot of LUA issues in fifteen hours. The problem here is that Firefox needs to be used as an admin to update, and I wanted 3.06 ....
  • It can happen to you. I was using Firefox, I didn't click on anything I was aware of, and the MS Antispyware 2009 installer ran. Arguably it's time to get into Noscript -- I've always put that off because I can't face setting up the exclusions.
  • It took me a long time to figure out what was going on. I was able to dump the overt spyware without too much difficulty, but the blocking of anti-malware domain names and the re-writing of Google search results in Firefox and IE to go via windows click dot com had me puzzled. It wasn't the hosts file: they've moved on -- it's device drivers now. I needed to get a clear understanding because I couldn't get any tools to run -- of course.
  • I needed help to figure out what device drivers were the problem. I found it at www.myantispyware.com which appears to be a guy called Patrik publishing instructions. God bless him. His advice didn't quite fit the condition of my machine -- no surprise after all the work I'd done -- but it gave me the names of the files to remove, and that did the job.
  • Everyone needs a boot disk. I could have used my Backtrack key, or anything else that could mount NTFS to write, but I had a copy of the Ultimate Boot CD for Windows so I tried that. It was slow to boot, but easy to use. If I wasn't really comfortable in Linux, UBCD would be my first choice. Without it, I would have had to follow Patrik's laborious instructions, and I might have chosen to re-install instead.
  • Everyone needs a fabulous hosts file. I got the Winhelp2002 version -- it seems pretty comprehensive.
  • Wow! A lot of competent sounding people discuss malware in terms of removal, detection utilities etc. This seems insane to me -- it's really a question of not being admin. This is my first in years, and I don't have any of those tools.

2009-02-22

Extreme Hedging Porn

This is the butt end of a willow post. Now I do know that willow roots if you put it in the ground, but I needed a post and this one had a handy crook to hold down the benders. I figured it would be all right because it was going in upside down. There is no way at all that a cutting -- even willow -- could ever root successfully with its vascular arrangement the wrong way up. 
One year on, you can see the crook -- three foot from the ground -- is fresh and green and sprouting new shoots.

2009-02-09

I Am My Own Regulator

We've all seen stories like this, and they're getting more common. I first noticed it when the NHS lost crown immunity back in, ooooh, 1986. One branch of government regulates another, finds a breach and issues compliance requirements. The more deranged cases actually have one office fining another. The only person punished is the taxpayer, as the overall costs of government rise. In theory, careers suffer, but in fact the civil service requires a consistent record of egregious failure to have any effect on an officer's final pension.

The absurdity does get media attention, sometimes, but the level of comment is muted compared with the gross mentalness of the situation. I think the problem is that the only reasonable conclusion to draw is rather unfashionable: there are things that are unsuitable, by nature, by structure, to be done by the government.

If Brent PCT had been a private insurer or HMO, the costs would be borne -- in a fair setup -- by the shareholders. Fair is the challenge here of course, but it's a question of reasonably hard-nosed negotiation when the contracts are let. "Fair", in this context pretty much means that regulatory consequences fall on the owners of the supplying firm. The dividend reduces, and the board decides whether the problem is severe enough to be worth fixing or insuring against or whether it was better just to take the hit. If the shareholders don't like that choice, they sell out, the price drops and the bag-holders sack the board.... And if the regulation is too hard to be borne, the supplier walks away and society gets a lesson in realism.

There's nothing available, structurally, to deliver the same result from a public sector supplier. Basically, all you can do is dock the pay of the managers, and watch your remaining sliver of talent in the civil service wither away. Except, you'll never succeed in touching their pay, and no-one who makes choices, no executive, will ever be motivated by any sharper spur than the desire to avoid a moderately difficult interview.

2009-02-08

Burning the Evidence

Today, in pursuit of my ever-doomed goal of getting on top of my filing, I burnt a mountain of receipt slips and cheque books -- stuff that just won't shred -- from the nineties.

Burning documents isn't easy. You can't mound them up in a grate and set light to them -- I tried. Nor can you dump them on to a little fire -- they just put it out. Two approaches that have worked for me:

  1. Dump them on to a huge blazing bonfire. You'll need to keep turning until all the paper is gone, and you'll need to add plenty of branches or whatever to keep up the supply of hot coals. Make sure you don't end up the next day with a pile of ashes with sheaves of unburned documents in the middle.
  2. Start small in a grate. Once you have a flame, pile on a few sticks of kindling. Let that blacken and go for another layer of paper. Repeat until the flames are stable enough to add logs. Keep the fire mixed until the paper is all gone, then burn logs for a while to make sure.

The problem is that the pages stick together, and one way or another you have to counteract that.

2009-02-01

Spam Counter - 2009 Jan: 850

850 -- Rolex and Canadian Pharmacy