If you tell enough stories, perhaps the moral will show up.

2009-02-28

Trusting Strangers -- Why Certificate Authorities are like Credit Rating Agencies

My list of causes of the banking crisis isn't quite the same as everyone else's. For me it generally boils down to moral courage. Because I have none myself, I can recognise that it was missing in plenty of different places.

  • "Spineless non-Execs" rather than "Wicked Banker" and
  • Fannie and Freddie for not making it plainer that they were lending on this stuff in response to government fiat rather than thinking it was any good, and
  • Rating agencies for closing down credit discussion on the grounds that if it was good enough for Fannie and Freddie it must be A+ at least, and 
  • Bankers (aha) for closing down credit discussion on the grounds that the securities were rated A+ by an independent rating agency, and
  • Bankers (yes!) for saying that as everyone else was making fortunes:

    • writing liar's mortgages at tempting rates, and securitising them on
    • lending to doomed ventures, and securitising them on
    • buying A+ securities that somehow pay three points over base, and securitising THEM on
    they had better do the same, or the shareholders would kick their arses, and
  • Shareholders for kicking the arses of anyone who missed these amazing opportunities
  • and you know who else? Lying or self-deluding borrowers. That's us.

Oh. I'm ranting. Let me get this back on track. Check out the credit rating agencies. They're right in the crux of this. Their business is to turn more or less synthetic securities (anything from a strip or a mortgage bundle right down to a plain bond -- anything that's denominated in money rather than equity) into a capital "I" Investment. The fairy dust they sprinkle to do this is their rating. They form an opinion on the ability of the borrower to pay as advertised. That's not whether it's a good investment or the right investment for you, or whether the issuer will craftily exploit the early redemption terms or whatever. The rating is just Moody's or S&P's opinion on whether the coupons and face will be redeemed on the published dates. Ratings go from AAA, which is supposed to be a dead cert, down to CCC -- and you'll never get an agency to agree a correlation between the rating and a percentage probability.

Because of a long history of grade inflation, pretty much anything that can't make at least an A is called junk and a lot of investors aren't allowed to touch it.

Sometimes the agencies rate because they want media attention or because their franchise demands that they have an opinion on some popular issue. More often, they rate because the issuer pays to get a rating needed to get the issue away. You can't buy a particular grade, but the agencies will advise on how to get it, and if you're an investment bank there's such a thing as being a good customer of the rating agency... I don't really need to spell this out. Suffice to say that the investor (the technical term is "victim", these days) has no contract with the agency. If Moody's were to rate a bundle of Motown mortgages as A -- and some agencies were doing that -- and it defaults, then the owner of the bond, who trusted the rating, has no comeback against Moody's. It was the agency's published opinion, no more and no less. You relied on it at your own risk.

Now I expect that at some point you could say it was negligence, and of course rating agencies are controlled by financial regulators, but my point is a little different. Because there's a very fine parallel to this in the world of Internet security. The whole technical paraphernalia of X.509 has one purpose: to tell you, reliably, that the certificate authority has certified that the far end is the legitimate holder of a name. The signature only proves that the CA said so; it proves nothing about whether the CA was right. You are trusting the certificate authority to do the necessary diligence before issuing, to refrain from certifying the wrong party for a name, and to guard its own signing key. (You are also, in effect, trusting them to do things they definitely do not do, like ensuring that the sites they certify can keep track of their private keys -- that's why the system is mad.) For ordinary users, this trust is a matter of default -- the list of trusted CAs is installed with the browser, and the user never chose a single one of them. Sites pay CAs for certificates because browser authors ship the CAs' root keys by default; the user, who is the one relying on the certificate, pays nothing. The free-rider is the user, and that's a bad thing. No payment == no contract == no rights. As the rating agencies have shown us.
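The trust relationship that paragraph describes, as an added example that is not part of the original post: two home-made roots and a leaf certificate, checked with the openssl command line. It assumes openssl 1.1.0 or later is on PATH; the root names root-a and root-b, the host www.example.test and all file names are made up for the demonstration. The point it shows is that chain validation answers exactly one question, "did a root in my store sign this?", so an honest certificate fails if its issuer is not in the store, and a certificate for the same name signed by a different root in the store passes, because nothing in X.509 can tell the verifier which of the two CAs did its diligence.

```sh
#!/bin/sh
# Added example (not from the original post). Needs openssl >= 1.1.0 on PATH.
# Every name below (root-a, root-b, www.example.test, honest, impostor) is invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A minimal req config so the result does not depend on the system openssl.cnf:
# roots get CA:TRUE and keyCertSign, which verify insists on for an issuer.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_root NAME: a self-signed root, i.e. a would-be certificate authority.
make_root() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_leaf ROOT HOST OUT: ROOT certifies that OUT's key belongs to HOST.
# Nothing here checks that the requester controls HOST; that diligence is
# exactly what a relying party trusts the CA to have done before signing.
issue_leaf() {
    openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$3.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$3.crt" >/dev/null 2>&1
}

# trust_store NAME ROOT...: a trust store is nothing but a bundle of roots
# somebody chose to install. In a browser, that somebody is the vendor.
trust_store() {
    store="$WORK/$1.pem"; shift
    : > "$store"
    for root in "$@"; do cat "$WORK/$root.crt" >> "$store"; done
}

# verify_with STORE LEAF: prints "ok" or "fail" for a chain check against
# STORE alone (the default CA file and directory are switched off).
verify_with() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
            "$WORK/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

demo() {
    make_root root-a
    make_root root-b
    issue_leaf root-a www.example.test honest    # root-a certifies the real site
    issue_leaf root-b www.example.test impostor  # root-b certifies somebody else for the same name
    trust_store only-a root-a
    trust_store only-b root-b
    trust_store both root-a root-b

    echo "honest leaf,   store holds root-a only: $(verify_with only-a honest)"   # ok
    echo "honest leaf,   store holds root-b only: $(verify_with only-b honest)"   # fail
    echo "impostor leaf, store holds both roots:  $(verify_with both impostor)"   # ok
    echo "impostor leaf, store holds root-a only: $(verify_with only-a impostor)" # fail
}

demo
```

The third line of output is the one that matters: the impostor's certificate is indistinguishable from the honest one to every browser that ships root-b, and the user affected has no contract with root-b and no say in whether it was shipped. Hostname matching and revocation checks, which this script omits, would not change that result, since the impostor's certificate carries the right name and has not been revoked.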

2009-02-23

I Got Spywared

I ought to go into detail about this, but it's late so I think I'll go straight to the takeaways:

  • Don't browse as an admin. Resolving this has taken about fifteen hours over three days. I would rather have spent that time asleep. You can resolve a lot of LUA issues in fifteen hours. The problem here is that Firefox needs to be used as an admin to update, and I wanted 3.0.6 ...
  • It can happen to you. I was using Firefox, I didn't click on anything I was aware of, and the MS Antispyware 2009 installer ran. Arguably it's time to get into Noscript -- I've always put that off because I can't face setting up the exclusions.
  • It took me a long time to figure out what was going on. I was able to dump the overt spyware without too much difficulty, but the blocking of anti-malware domain names and the re-writing of Google search results in Firefox and IE to go via windows click dot com had me puzzled. It wasn't the hosts file: they've moved on -- it's device drivers now. I needed to get a clear understanding because I couldn't get any tools to run -- of course.
  • I needed help to figure out what device drivers were the problem. I found it at www.myantispyware.com which appears to be a guy called Patrik publishing instructions. God bless him. His advice didn't quite fit the condition of my machine -- no surprise after all the work I'd done -- but it gave me the names of the files to remove, and that did the job.
  • Everyone needs a boot disk. I could have used my Backtrack key, or anything else that could mount NTFS to write, but I had a copy of the Ultimate Boot CD for Windows so I tried that. It was slow to boot, but easy to use. If I wasn't really comfortable in Linux, UBCD would be my first choice. Without it, I would have had to follow Patrik's laborious instructions, and I might have chosen to re-install instead.
  • Everyone needs a fabulous hosts file. I got the Winhelp2002 version -- it seems pretty comprehensive.
  • Wow! A lot of competent sounding people discuss malware in terms of removal, detection utilities etc. This seems insane to me -- it's really a question of not being admin. This is my first in years, and I don't have any of those tools.

2009-02-22

Extreme Hedging Porn

This is the butt end of a willow post. Now I do know that willow roots if you put it in the ground, but I needed a post and this one had a handy crook to hold down the benders. I figured it would be all right because it was going in upside down. There is no way at all that a cutting -- even willow -- could ever root successfully with its vascular arrangement the wrong way up. 
One year on, you can see the crook -- three foot from the ground -- is fresh and green and sprouting new shoots.

2009-02-09

I Am My Own Regulator

We've all seen stories like this, and they're getting more common. I first noticed it when the NHS lost crown immunity back in, ooooh, 1986. One branch of government regulates another, finds a breach and issues compliance requirements. The more deranged cases actually have one office fining another. The only person punished is the taxpayer, as the overall costs of government rise. In theory, careers suffer, but in fact the civil service requires a consistent record of egregious failure to have any effect on an officer's final pension.

The absurdity does get media attention, sometimes, but the level of comment is muted compared with the gross mentalness of the situation. I think the problem is that the only reasonable conclusion to draw is rather unfashionable: there are things that are unsuitable, by nature, by structure, to be done by the government.

If Brent PCT had been a private insurer or HMO, the costs would be borne -- in a fair setup -- by the shareholders. Fair is the challenge here of course, but it's a question of reasonably hard-nosed negotiation when the contracts are let. "Fair", in this context pretty much means that regulatory consequences fall on the owners of the supplying firm. The dividend reduces, and the board decides whether the problem is severe enough to be worth fixing or insuring against or whether it was better just to take the hit. If the shareholders don't like that choice, they sell out, the price drops and the bag-holders sack the board.... And if the regulation is too hard to be borne, the supplier walks away and society gets a lesson in realism.

There's nothing available, structurally, to deliver the same result from a public sector supplier. Basically, all you can do is dock the pay of the managers, and watch your remaining sliver of talent in the civil service wither away. Except, you'll never succeed in touching their pay, and no-one who makes choices, no executive, will ever be motivated by any sharper spur than the desire to avoid a moderately difficult interview.

2009-02-08

Burning the Evidence

Today, in pursuit of my ever-doomed goal of getting on top of my filing, I burnt a mountain of receipt slips and cheque books -- stuff that just won't shred -- from the nineties.

Burning documents isn't easy. You can't mound them up in a grate and set light to them -- I tried. Nor can you dump them on to a little fire -- they just put it out. Two approaches that have worked for me:

  1. Dump them on to a huge blazing bonfire. You'll need to keep turning until all the paper is gone, and you'll need to add plenty of branches or whatever to keep up the supply of hot coals. Make sure you don't end up the next day with a pile of ashes with sheaves of unburned documents in the middle.
  2. Start small in a grate. Once you have a flame, pile on a few sticks of kindling. Let that blacken and go for another layer of paper. Repeat until the flames are stable enough to add logs. Keep the fire mixed until the paper is all gone, then burn logs for a while to make sure.
The problem is that the pages stick together, and one way or another you have to counteract that.

2009-02-01

Spam Counter - 2009 Jan: 850

850 -- Rolex and Canadian Pharmacy

2009-01-20

Avoiding the Issues

I ought to write about Conficker. The Dear knows I've stuck my neck out on that one, pre-emptively saying that we weren't vulnerable to a large-scale infection. But I already did, and the fear I felt then made me patch then, and that's why I'm moderately sanguine now.
I ought to write about the City, and the limited scope for information security if the information guarded loses its value in an afternoon. But what do I know?
And I ought to write about the more mad son, who is doing such stuff lately.

I'm going to write about the sky.

Yesterday morning, it rained so hard that my coat pockets flooded with rain running down the sleeves I'd tucked into them. If you were waiting in a platform shelter for the Cannon Street service at about ten to seven, and you saw a man hoicking up the skirts of his coat to pour water out of waxed patch pockets, that was me.

By the time I got back, in the dark again, the sky had cleared. I crossed the railway, went down the steps, and found myself stepping into water. I know that path and I know the floods so I walked into the spinney transformed into a river bed. The fields on the other side of the bridge were flooded out -- great smooth sheets shining in starlight. To the right, Venus decorated the old lady's land. On my left, a perfect reflection of Sirius and Orion. In the zenith, I counted six Pleiades.

When the path faded, the wading got deeper for a while, and I was trudging through the broad lay under that glossy, freezing, sky. As I looked up, a big orange meteor tore off Orion's belt and flashed twice as it headed straight down into the SE horizon.

Quite a night.

2009-01-10

Lead vs Manage

A leader is judged on the performance of the team as he leads them. A manager judges himself on the performance of the team when he is not there to lead them. Prefer managers.

2009-01-06

Spam Counter - 2008 December: 727

Still dropping. Maybe spammers take Christmas off. If the returns are as poor as we're told, that's not surprising.

MP3: All Right Now?

I had to draft one of my standard all-IT-staff circulars today. The removable media logs have started going to Risk and they read them with great delight, asking what Genesis\[album name]\[track name].mp3 could be. I think they know, really.

We don't block media types anywhere. Nothing says "*.mp3: DENY". There's plenty of business reasons to use media files. But it does mean the personal media files can flow through our systems.

It seems that Something must be Done. But the landscape has changed since the last time I sent out that note. It's possible, now, to be in possession of a legal MP3 of pretty much any track. I've been buying mine from Amazon. (And, yes, I checked, Genesis is on the list -- I just added Many Too Many and Follow You Follow Me to my shopping basket.)

So why am I objecting? Personal use is legitimate, and these IT users have removable media access to do their jobs. I'm not entirely sure, but I think it's this:

  • MP3s moving through work PCs raises the possibility of sharing. That's not OK, and it would be a directors' liability if it was happening.
  • It's unnecessary. Decent media players are so cheap these days that if you can't work without music, you don't need to play it off your PC.
  • And I just don't like to see IT types exploiting their extra privilege. We have rules about not using admin access for personal purposes, and while removable media doesn't directly arise from admin status, it's in the same sack as far as I'm concerned.
So I drafted something, but I haven't sent it out because there has been another change, and it's this. We've acquired some serious object access audit over the holiday, and one of the facilities is the file type search. This is my chance to locate the famous invisible media repository. Tomorrow I'm going to search for *.mp3 and we will see what we will see.

In the meantime, I see today that Apple are giving up on DRM, but the track price won't change. I couldn't help thinking of all the poor saps with their vast iTunes collections of DRMed music suddenly devalued by Apple's Amazon-forced coup. Still, serves 'em right for buying overpriced music players that can't do .OGG...

2009-01-03

Best Christmas Present

This is not a joke. It's as big as it looks, it locks and unlocks with the keys, and the flap swings to cover the keyhole. It was retrieved when the contents of a country house in the family were broken up many years ago and now I have it!

It's security theatre. It looks the business, but it fails against Kerckhoffs' principle -- offhand, in two ways: it's not convenient to use -- the keys would destroy my key-ring -- and of course that key is thoroughly guessable.

2008-12-24

Just for reference: this is the contents of the more mad son's Christmas list:
      December 25 2008 Thursday David's Christmas Presents
      Thomas the tank engine Percy and the Signal VHS
      Thomas the tank engine The Runaway VHS
      Thomas the tank engine Escape VHS
      Thomas the tank engine Thomas Gets Bumped Bumper Special VHS
      Thomas the tank engine Thomas's Christmas Party Bumper Special VHS
      Thomas the tank engine Rock n Roll VHS
      Thomas the tank engine Story and Song Collection VHS
      Thomas the tank engine Happy Holidays VHS
      Tots TV Bike Ride Bumper Special VHS
      Fun Song Factory 3 Party time at the Fun Song Factory VHS
      Fun Song Factory 2 VHS
      Tumble Tots Action Song Favourites [1996] VHS
      Tumble Tots The Action-Song Sing-A-Long VHS
      Tweenies Song Time Is Fab-A-Rooney [1999] VHS
      Maisy Maisy's ABC VHS
      Canon Digital Camcorder 35x and 1000x DVD Video
      Nikon Coolpix P50 Digital Camera 8.1 MP 3x optical zoom black (Upgrade with SD)
That's right. Fifteen videos (the "VHS" is not a misconception -- he wants tape cassettes) and two mid-range, top brand cameras.

We got him a Fuji S5700 which is cheap now and has quite a good video function (and is currently the best camera in the house), and Mrs U has had a trawl round the Maidstone charity shops for videos. We'll see how it goes.

2008-12-13

Spam Counter - 2008 December 13: 634

Can't put this on the graph, but one month on from McColo it's still falling.....