news I read

Using Parameter Pollution and Clickjacking to Aid Anti-CSRF Bypass

ha.ckers - 28 min 4 sec ago

It’s been a while since I’ve talked about Clickjacking, with only a few exceptions here and there. Mostly because I haven’t seen it much in the wild - at least not yet. But there’s still a lot of research out there to be done. I got an interesting email the other day that talked about a way to use parameter pollution (or a mix of URL parameters and POST) to create a condition where you can defeat CSRF tokens:

The technique, found by Lava Kuppan, describes a scenario where a mix of CSRF, parameter pollution and Clickjacking can defeat CSRF tokens in JSP and (sometimes) in ASP.NET. It’s worth a read. I did briefly mention using CSRF to pre-populate fields that may be necessary to create a Clickjacking scenario during Jeremiah’s and my brief talk at the world OWASP in New York. But this takes it to a new level, where you can pre-load information in such a way that it will actually defeat the application logic in the process. Anyway, cool stuff by Lava.
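The post above only says that mixing URL parameters with a POST body can confuse a token check. The following is an added example, not code from the post or from Kuppan’s research, showing the defender’s side: a naive check that merges query-string and body parameters and takes the first `csrf_token` it finds (the merge-and-take-first accessor style that parameter pollution targets) beside a strict check that only accepts a single token from the POST body and rejects any request that also carries the parameter in the URL. The session token value, the parameter name `csrf_token` and the helper names are assumptions for the illustration; the `X-Frame-Options` header is the standard response-side mitigation for the Clickjacking half of the scenario.

```python
import hmac
from urllib.parse import parse_qs

# Constructed sample value standing in for the per-session token the server
# stored when it rendered the form (assumption: server-side session storage).
SESSION_TOKEN = "d41d8cd98f00b204e9800998ecf8427e"


def _equal(a: str, b: str) -> bool:
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def naive_token_ok(query_string: str, body: str, session_token: str) -> bool:
    """Naive check (the weak pattern): merge query-string and body parameters,
    query first, then read the first 'csrf_token' value found.

    A token arriving via the URL satisfies this check even though the form
    only ever submits it in the POST body, so the channel is not verified."""
    merged = parse_qs(query_string, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        merged.setdefault(key, []).extend(values)
    token = merged.get("csrf_token", [""])[0]
    return _equal(token, session_token)


def strict_token_ok(query_string: str, body: str, session_token: str) -> bool:
    """Hardened check: the token must come from the POST body, exactly once,
    and the parameter must not appear in the query string at all.

    Any disagreement between the two channels, or a duplicated parameter,
    is treated as a tampered request rather than resolved by precedence."""
    query = parse_qs(query_string, keep_blank_values=True)
    if "csrf_token" in query:
        return False
    values = parse_qs(body, keep_blank_values=True).get("csrf_token", [])
    if len(values) != 1:
        return False
    return _equal(values[0], session_token)


def response_headers() -> dict:
    """Headers every state-changing page should carry: refuse to be framed
    (the Clickjacking half of the scenario) and never cache the form."""
    return {"X-Frame-Options": "DENY", "Cache-Control": "no-store"}


if __name__ == "__main__":
    # Constructed requests: the token travels in the URL while the body
    # carries the actual form fields. Naive accepts; strict refuses.
    qs, body = "csrf_token=" + SESSION_TOKEN, "amount=100"
    print("naive :", naive_token_ok(qs, body, SESSION_TOKEN))
    print("strict:", strict_token_ok(qs, body, SESSION_TOKEN))
    # The legitimate submission: token only in the body, once.
    print("strict (proper form):",
          strict_token_ok("", body + "&csrf_token=" + SESSION_TOKEN, SESSION_TOKEN))
```

The design choice worth noting is that the strict version does not pick a precedence rule (query before body, or body before query); it rejects the ambiguity outright, so no arrangement of parameters across the two channels can turn one channel’s value into another’s.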

Five IT-Shop Sacred Cows

BankerVision - Tue, 2010-03-09 07:00

1. Myth: If you get more “efficient” at IT, you will get a more “efficient” organisation. Reality: The more cost you take out of IT, the worse it is for users and customers. Optimising your cost base to the point, for example, where users have a PC that is orders of magnitude less capable than their delightful home consumer experience will just cause them to bring their own laptops to work. Then they’ll break all your security rules in order to use them. And what are you going to do about it? Fire them?

2. Myth: You must have IT security people who must approve everything you do in order to secure the organisation and manage your risk. Reality: Some IT security people don’t have much understanding of the new stuff they’re asked to adjudicate on. They just make it up as they go along. The worst ones can’t be bothered to keep up because it involves too much work, and anyway, they always have the ability to just say “no”. This doesn’t manage your risk; all it does is slow you down. On the other hand, count your blessings if you have been lucky enough to get a security group that knows how to show you what you can do to do new things safely and efficiently.

3. Myth: High quality on-time and on-budget delivery are the development objectives and this will make you an IT leader. Reality: Who cares about whether you’re an IT leader or not from a development perspective? Superb delivery is a waste of time if what you’re delivering is crap in the first place. Forgive me the arrogance, but my observation is that many traditionalists don’t get the way the new world is changing as a result of technology, so what makes you an IT leader is if you can help them understand that, actually, what they’re trying to build is rubbish.

4. Myth: Most IT projects fail or are late, so we have to improve our failure rate to be successful. Reality: Causing any change whatsoever to happen is a success, since everything is optimised around stopping change in an IT organisation. If improving the “success rate” means doing less new stuff, then you’ve got a big fail coming up when your organisation fails to adapt because IT stopped it doing so. All in the name of improvement.

5. Myth: Governance is the key to discipline and control in an IT organisation. Reality: Governance is like a virus. It grows as swiftly as possible to consume all available resources, and then declares success when there are no project failures. Usually, this will be because there are no projects, or at least, none that have much way of progressing. Why does this happen? Because Governance is a licence for people without much capability to drive change themselves to get in the way of those who can and declare that they’re “part of the journey”. ‘Tis a rare Governance person who knows when not to govern.

What other sacred cows do you have in your IT-Shop?

Categories: news I read

In defense of incivility

Interfluidity - Tue, 2010-03-09 00:15

Hooh, boy.

There’s a nice spat a-brewing between two people I hardly know, but nevertheless consider friends. The Epicurean Dealmaker offered some thoughts on financial reform, and in particular “resolution authority”. Yves Smith took exception. TED took exception to her exception taking. I suspect the sparks have just begun.

Me, I’m a lovah not a fightah, so I’ll split the difference. TED is right that constructive ambiguity and discretionary power are prerequisite to an effective, non-public-raping resolution regime. But Yves is right to take him to task for leaving things there, because whatever gets writ in the ex post memoirs, there are predictable and repeatedly observed incentive problems that prevent regulators from using discretionary authority until it’s too late (and then they whine to stenographers about how powerless they were). Read Michael Pomerleano and Andrew Sheng, or watch Richard Carnell, or check out l’il ol me. To be fair to TED, I know he is cognizant of these incentives; elsewhere he has offered ideas on how to change them. (See e.g. his reformist manifesto. I believe TED has also proposed adopting the Singapore model, conjuring an extraordinarily well-paid, independent regulatory caste that would be structurally resistant to capture and could recruit talent competitive with Wall Street’s finest. But I can’t find that link.)

TED is right on here:

Ms. Smith appears to advocate “root and branch reform” of the system, which makes her, by definition, more radical than me. As befits my nature as an investment banker, I am a pragmatist and an incrementalist. I think the prospect of true root and branch reform of the domestic financial system—not to mention the global one with which it is inseparably interconnected—is such a vast and daunting task to undertake in our current sociopolitical environment as to be unlikely at best. Notwithstanding the theoretical attractions of radical reform—which I personally would favor, by the way—I would much rather cobble together a partially effective, imperfect resolution authority today than wait the ten or twenty years serious reform might take… Sympathetic or not, however, I would also like to caution Ms. Smith. Like many radical reformers, I suspect she would be surprised how little common ground she has with other would-be radical reformers. It is always a revelation to discover, as revolutionaries always have, just how little agreement you have with your peers when it comes to deciding just exactly which roots and branches of the ancien régime need to be trimmed.

As, um, a proponent of root-and-branch reform, these are the questions that keep me up at night. For the record, I think we will end up with root-and-branch reform, but I fear we’ll get it hard and painful following a much more serious crisis that we have already failed to avert. I think the Great Financial “Panic” of 2008 has shrunk into another LTCM or Enron, a moment we will someday look back upon and wonder why we failed to deal with problems that were so fucking obvious, but for now all we hear is “It worked!” I’m a middle-aged Jewish guy who thinks and writes about finance, makes much of his living as a speculator, and avoids honest work. The tail risk I worry about is that I’ll get to see the sort of financial reform I advocate from a wonderful vantage high atop a lamppost.

But that is precisely why I want to take issue with TED here:

Like many other econobloggers opining on the state of affairs in the world of finance, Ms. Smith has gotten into the nasty habit of using the term “banksters” to refer to members of the financial services industry. (It is in the title of yet another post of hers today.) The overarching metaphor behind this coinage—which, I emphasize again, is neither original nor limited to Ms. Smith—is that commercial bankers, investment bankers, insurance company employees, and presumably everyone else in the financial industry are uniformly engaged in a vast, intentional, and irredeemably criminal enterprise. Ms. Smith reinforces this metaphor often, including in the post dissected herein (with the crack of “financiers [looting] taxpayers”), and implicitly in the title of her new book, ECONNED.

Now, I am all for the charms of expedient exaggeration. (Although mine tend to be limited to sarcastic and humorous uses, rather than bitter and humorless character assassination.) It can be funny, and it can emphasize important points. But uniformly and universally excoriating millions of people who work in finance as gangsters, thieves, looters, and con men is just fucking dumb. It’s like saying all management consultants are morons, or everyone from Iowa is a hick. While there certainly must be examples of moronic management consultants and hayseed Iowans among the myriad constituents of each of those groups, no honest or intelligent person would believe all of them are that way. Why, then, do so many bloggers writing today tar the entire finance industry with the same tired, thoughtless old brush?

These casual, unthinking insults would not bother me if I did not think they lower and coarsen the important conversation we are having in society and the blogosphere about financial reform. Sure, investment banking has its fair share of crooks, but we are no different than the rest of society. Some of us, closer to the top and more successful, perhaps, probably do have a more highly developed sense of entitlement and aggressiveness than your average bear. But we are not criminals. We work the system, hard, to advance our own and our families’ personal and professional interests, but 99.9% of us are not out to rape and pillage the commonfolk of their daily bread. To think otherwise is just plain stupid.

I myself don’t use the term “banksters”. And I sympathize with TED. I like financial industry professionals, personally. I enjoy meeting bankers. They are usually smart, interested in the arcane crap I’m interested in, and assholes of the sort that I enjoy sparring with. Bankers are great fun, and they are not bad people.

But we are who we are collectively as well as individually. Large organizations can and do evolve to do evil things while isolating people individually from illegal or morally uncomfortable acts. That capacity can confer tremendous advantages over smaller, more personal and accountable, collectives. It’s harsh, but we don’t get a pass just because the particular lever we are paid to pull only shifts a cog in a vast machine whose overall function we don’t control. As moral agents, it is not enough to follow the law and let pecuniary incentives guide us. We have to take responsibility for the behavior of the collectives to which we belong.

We are all dirty. Seven years ago I supported a war that has been responsible for hundreds of thousands of deaths, and that has not achieved any of the positive ends I thought it would achieve. That was a moral error I’m not sure I deserve to have survived, and I’m a terrible hypocrite, because I don’t live like Mother Theresa to atone, but carry on as a comfortable American. I won’t point a finger at anyone and claim moral superiority.

But I am responsible, and it’s important that I know I am responsible. We all have an obligation, not to self-flagellate like monks, but to be aware of the systems in which we are situated, and to work a bit, at the margin, to correct them. Obviously, so long as there are badly skewed incentives, a bit at the margin won’t be enough. I won’t hold a grudge against some mid-level banker who put together crap CDOs because everyone was doing it, and who knew housing would collapse?, and it was very lucrative. But neither will I abstain from using words like “fraud” and “looting” to describe organized practices which, innocuous act by innocuous act, do in fact serve to extract wealth from many and distribute it to a well-organized, well-placed few. And if you work in the industry and that makes you uncomfortable, it should make you uncomfortable, even if your accuser is a hypocrite and morally reprehensible himself. We can and should make better rules and fix perverse incentives in the financial system. But we won’t be able to design a game so perfect that self-interested amoral agents plus an invisible hand ensure decent outcomes. We need industry participants to take responsibility for the organizations and practices in which they participate, and to take an active, serious role in policing those practices. That will require a cultural shift, an understanding that actions that are legal and profitable can be illegitimate and disreputable, and should be avoided even if competitors will profit from your scruples. If context makes that impossible, if behaving well implies that you’ll be fired or your firm will go bust, you (like Chuck Prince!) must try to alter that context.

Calling out misdeeds by hard names helps. Words like “looting”, “theft”, “fraud”, and “scam” are fair descriptions of a lot of common practices, even if some of the perpetrators worked 18 hour days putting together pages 120 through 237 of mind-numbing prospecti and meant only to earn a living.

Yves and TED and I all derive sustenance, one way or another, from the financial industry. Many, perhaps most, people with significant savings in the US, nearly all workers whose pension will support a financially comfortable retirement, are beneficiaries of practices that involved shifting wealth from others to us by means of questionable legitimacy. Many of us profited from asset bubbles; we extracted rewards from price signals that harmed the real economy rather than guiding smart decisions. This is not just about “them”. It is about us. We, the savers, the affluent, educated, hard-working “core” of American society have become thieves, or at best unwitting beneficiaries of theft. We ought to be uncivil to ourselves for that, and we ought to be trying to ensure it never happens again. Both Yves and TED are doing a good job, doing more than their parts to make sense of what’s happened and agitate for something better. But as for the people watering down derivatives reform, defending bank gigantism, shoving the CFPA into a cubicle six sub-basements beneath Ben Bernanke’s ass, well, I’m glad as hell to have people like Yves calling them out as “banksters”.

Categories: news I read

RSA Conference Wrapup

ha.ckers - Mon, 2010-03-08 16:45

Well, another RSA Conference has come and gone. Lots of vendor noise about their product being the only secure one on the market, and other nonsense, as is to be expected. Although I did notice a bit of realism this year. It did seem like everyone had eaten a big helping of humble pie, which was refreshing. Even the sales guys weren’t making as hard a pitch as I’m accustomed to. So all in all, it was a good time. Lots of drinking, lots of good conversation, and I even managed to sneak in and see Jeremiah’s presentation on the top 10 new webappsec vulns from 2009 (how he managed to fit that all into 50 minutes still boggles the mind). I didn’t make it to as many parties as I would have liked to this year - maybe I’m getting old, or maybe I started drinking too early. Either way…

One notable quote was from Howard Schmidt who said, “There is no cyberwar,” but I don’t think he ever defined what a cyberwar would look like - so I don’t know how we’ve decided we aren’t in the midst of one. Maybe he’s absolutely right and we aren’t in the middle of anything like a war (just the low rumble of espionage), but I’d like to hear his definition one way or another so that I can know when I should start being outraged.


But I wanted to do a quick writeup on the RSA Conference registration computers themselves, while I was thinking about it. For some reason, my entire life, I have just assumed programmers think the same way I do. Then I am always annoyed to find out they don’t. Physical security is tough, don’t get me wrong, but kiosks are one of those things you really need to be careful to protect from physical tampering and logical attacks. Anyway, I was sitting there waiting for one of the pages to load, and it was taking forever. Because there was no onscreen indicator that it was waiting, I started wondering if the form was even working at all, or if there was some dumb JS error or something else that would cause the page to never load. So I clicked on one of the links at the top in the navigation and it gave me a “Diagnose Connection Problems” error and worse yet, it popped out of the Kiosk mode. Never a good sign. It looks like they’re protecting the application from most classes of attacks simply by disallowing outbound network access. Let’s assume there were no way around that for a second (and I’m not convinced of that, incidentally).

Most people would probably say that security is good enough. Any attack I could mount would be useless because I couldn’t exfiltrate the data off of that machine. Oh, but it’s not that simple. For that application to work it must be able to contact the site in question (the registration portal). That portal has access to a database. As such, the database itself is essentially dual-homed (on the Internet and on this Kiosk intranet). So all I should need is some JavaScript malware to steal people’s information as it pretends to register them, and instead log the data into my database fields. I can be somewhere else and check the records in the database for my account, and poof - I have access to whatever data I wanted to log. I can get JavaScript execution by simply typing it into the URL bar and just like magic, I have a way to steal conference registrants’ information. And then there are the cookies and any other tampering I might be able to do in the config options in IE. It’s definitely NOT a huge deal, but rather just another example of how it’s incredibly complex to build a truly secure browser-based kiosk system that can defend against determined attackers. No identities were stolen in the making of this post. Now, back to work!

Latest on The Little Innovation Book

BankerVision - Mon, 2010-03-08 05:52

I've posted the latest chapter of my ongoing online book: this time the new material is on the Three Key Questions for innovators.

I've also fixed the broken page turns on the last chapter (don't know how I missed that) on Managing Technologists.

Categories: news I read

Rooseveltian reflections

Interfluidity - Fri, 2010-03-05 18:49

Wednesday morning, I attended a Roosevelt Institute conference, on the theme “Make Markets Be Markets”. It was an enjoyable affair, with a bunch of smart, well-known speakers saying things I broadly agree with, mostly on financial reform. A wrinkle I had not really expected was how frequently, and rather charmingly, the name of the gentleman after whom the Institute is named would be invoked. FDR, and the 1930s generally, were very much with us that morning.

I have much to spout on the subject of financial reform; I am several posts in arrears on that. But by the end of the conference, I was fascinating myself with a little thought experiment.

Suppose the good guys win. Better yet, suppose they had never lost. Suppose banks had never ventured beyond conservatively prudent lending; that there had been no housing, internet, or credit bubble. Forlorn cul-de-sacs surrounded by mouldering homes were never cut from the Arizona desert. Webvan and pets.com were rejected straight off by investors rather than soaring against all reason then dying in an unreasonably sudden collapse.

In a world without bubbles and, let’s not mince words, in a world without fraud in substance if not in law, would we, or how could we, have enjoyed two decades of near “full employment” and apparent growth? Without all the internet companies that were foreseeably destined to fail, without all the housing construction, without all the spending by employees whom we know now and should have known then were not actually participating in economic production, without all the spending by people feeling rich on stock or housing gains that would eventually collapse in their or someone else’s arms, what kind of economy would we have built?

These are not questions that answer themselves. They are unknowable counterfactuals.

But we do know something about the 1930s. In 1930, Keynes famously proclaimed “we have magneto trouble”, with the implication that the then incipient depression was due to a kind of remediable, technical failure. Less famously, Keynes was wrong. The post-war economy that finally put paid to the Great Depression was an economy different in kind from that of the go-go 1920s. One piece of that was financial sector reform: there were the securities acts and the FDIC and an astonishing forty years without major banking crises. But there was also a new age of mass production and mass unionization in the US (the so-called “Fordist era”), and the vast existential project of reconstruction in Europe. The Bretton Woods system fixed exchange rates and was intended explicitly to prevent the sort of unbalanced international capital flows that preceded the Great Depression. The postwar United States had an agricultural sector that was largely centrally planned, Fannie Mae and Social Security, and especially the Wagner Act which put the coercive power of the state behind exclusionary labor cartels, but which more than any other single thing made possible mass affluence based on income rather than credit. These were radical, inconceivable changes, combining “socialist” central-planning and redistribution with “fascist” collusion between the state and large corporations in support of national aims. Keynes was right, of course, that the “resources of nature and men’s devices [were] just as fertile and productive” in 1945 as they had been in 1929. But the “delicate machine” we had “blundered in control of” was replaced, not repaired. The new model mixed the technologies of the original gizmo with very novel and foreign elements in a design influenced both by the history of the Depression and an emerging great-power conflict. (See this excellent piece by the Roosevelt Institute’s Mike Konczal.)

It is entirely unclear that, absent these changes, the US economy would have “recovered”, even with financial sector reform and the deleveraging of household balance sheets. Sure, depressions never last forever, but it is plausible that the US would have fallen into a spiral of booms and busts and class warfare absent the political choices that defined the postwar economy. And note that they were political choices — a “free market” never would have delivered and sustained for decades a pervasively unionized workforce. They were, for better and for worse, the work of Franklin Delano Roosevelt.

I don’t mean to underplay the importance of financial sector reform. A continually malfunctioning financial sector has brought the American economy to underappreciated ruin and left us with an overhang of unfulfillable promises that may engender conflict for decades. Further, the financial sector has generated the rump of a crony capitalist class which threatens to set us on the Argentine path. We have to fix the financial sector.

But we cannot fix the financial sector without addressing the problems and contradictions which we depend upon financiers to paper over. This never was just a financial crisis. It was, and is, an economic and political crisis, and we are only a very short way down the path towards resolving it.

p.s. While I do favor restrictions on international capital flows, I don’t favor (I’m actually quite hostile to) unionization as a means of delivering widespread affluence. I am not arguing that we should rehearse the political bargains of the mid-20th century. I am arguing that we had better come up with new bargains, that excising the tumors of parasitic finance is necessary but nowhere near sufficient to getting us out of the trouble we’re in.

Categories: news I read

The dark, middle and current ages of IT organisations

BankerVision - Thu, 2010-03-04 06:53

In the dark ages, your position in an IT organisation was determined by how many systems and people you controlled. This was a useful proxy for money, of course, but the real deal was how big an impact things had when they went wrong. If you were “mission critical”, boy were you safe in your position.

In the middle ages, your position in an IT organisation was determined by how many important relationships with the business you were in charge of. The more directors, executive directors, and board members that the rank and file in IT had to get your permission to talk to, the more important you were. This was the age of IT relationship management. Only the specially anointed ones could be trusted to give the “right messages” to the business, and they made sure to reinforce their absolute control of the lines of communication.

In the current age, your position in an IT organisation is directly proportional to how much change you can cause to happen. And people who are seen to be able to “get things done” get asked by everyone around the place to do just that.

This, of course, is very unnerving to the middle ages hierarchy, whose modus operandi (if they wish to ensure they retain their positions) is to make sure no change happens unless they have personally agreed that it’s “the right thing for the business”. They have to have this say-so, of course, because otherwise, they don’t have any position at all.

And it is doubly unnerving for the dark ages hierarchy, who try to stop all change because they are there to “protect service” or “manage uptime”. For these people, retention of their positions is determined by how good they are at saying no to everything.

Here is an interesting diagnostic question: how happy are you with your prospects for progression in your IT organisation? If you feel stuck at the bottom of the heap, struggling always to get noticed, I bet you work in a dark ages IT hierarchy. Those are places where longevity of service is the only way to progress.

On the other hand, if you’ve got a quite good manager, who cares about you, thanks you for your efforts, but despite everything can’t offer you very much progression, you’re likely to be stuck in a middle ages IT hierarchy somewhere. They can’t offer you very much progression, by the way, because it would imply giving up control of some relationships, and that would imply reducing their own positions. Here, your progression is determined by how quickly those above you resign.

My suggestion if you work in either of these kinds of organisations is to take a gamble. Take a gamble on driving change no matter what your managers think. The worst thing that can happen is you’ll be fired. But, let’s face it, if you’re wanting a big career in IT, you’ll be leaving anyway for an organisation that wants what you have... is there any downside here, really?

Categories: news I read

The rise of Open Source Hardware

BankerVision - Mon, 2010-03-01 09:29

Last week, I attended a speech by Chris Anderson, author of The Long Tail, and more recently, of Free. In his spare time, he’s also the Editor of Wired.

The speech was not, however, about Wired, or Free, or Long Tails – he was talking all about Open Source Hardware, which is this astoundingly interesting trend that is doing the same for atoms as the previous digital version did for software.

His point was that just as the economic barriers to creating digital products have dropped to practically nothing, the barriers – economic mainly – to doing real atoms are dropping to nothing as well.

He started out by explaining how, over the course of the last few years, he’d created a group of enthusiasts who build unmanned aerial vehicles, complete with sensors, GPS, and every other thing that a typical military version has. This group now produces components for others to make UAVs, and they’re in constant evolution. The current generation, apparently, is very sophisticated.

Everyone contributed their time and expertise for nothing, including the world’s pre-eminent expert on model plane GPS, who apparently (according to Chris) dropped out of high school and then proceeded to get a Ph.D.-level education using little more than Google.

All the tools they use are open source, including the printed circuit board layout software, the CAD, and simulators they use before starting to make real hardware.

Then, came the interesting part, and it was about turning all these designs into real atoms.

As it happens, it’s simple these days, apparently, to manufacture practically anything. For example, there’s the MakerBot (pictured) which is a kit you can build (also open source!) that can extrude anything in plastic, supposing you give it a design.

Chris talked about how he and his kids dreamed up some new device over the holidays to do something-or-other, and how they just modelled the whole thing in 3D, and then hit print. Then he explained how his kids just assumed that being able to print out any object was quite a normal thing, and they were already being frustrated with the limitations of plastic extrusion.

I checked MakerBot Industries, the group who’ve been working on this machine, and the kit is only $900 USD. That’s a pretty amazing price for a device that can make, well, almost anything.

The discussion then moved on to more active components, and how simple it is just to upload electronics designs to firms that could do small, one off runs of boards and components. For practically no money. We’re talking dollars per unit here.

Even at the manufacturing stage, things are changing. Apparently, there are now sites in China where you can upload your designs (which you’ve prototyped and made work, obviously, using things like MakerBot and the other tools) and they’ll give you, 24 hours a day, an immediate price to manufacture a set quantity of product in a certain time frame. In fact, the sites he showed me enabled Chinese manufacturers to bid against each other for the work.

If anyone is interested, I’ve got the list of the sites, but as I am on a plane right now, I can’t list them off the top of my head.

You can see where this is going.

With the barriers to entry for companies making new physical products falling, everything becomes about talent and innovation, rather than control of industrial age assets such as finance and manufacturing capacity. This is a world shift we’ve already seen in digital products, obviously. Now we have it for physical ones as well.

Categories: news I read

How to Manage the Technologists - Little Innovation Book

BankerVision - Mon, 2010-03-01 06:00

The latest chapter is now available at the Little Innovation Book. The latest material covers the priorities of CIOs, and why IT organisations are so resistant to change. It also explains a few strategies innovators can use to help get things started when technology organisations are involved.

Categories: news I read

Facebook Patents Social Feeds and I Patent XSS

ha.ckers - Fri, 2010-02-26 21:10

In honor of the USPO’s decision to allow Facebook’s patent for social feeds I decided to patent XSS. Please pay up. You know who you are. Thank you.

Unconference Crowd Sourced Strategy Pt. 2

BankerVision - Thu, 2010-02-25 01:30

CIO Magazine were interested enough in the discussion about our approach to using unconference and crowd sourcing methods to do IT strategy that they asked us for a write up for their magazine. It’s published here, for any of you who are interested in a few more details about what we did.

Categories: news I read

Banks, Businesses, Viruses and the UCC

ha.ckers - Wed, 2010-02-24 18:19

There’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?

There is a little known code called the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers you are essentially to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers - but even if your business consists of even one person, you still are treated as a bank. As such, if your company has money wired out of its account, the bank isn’t to be held liable - or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? Well that leads me to the worst part of this story.

The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they lose the case, it essentially creates precedent and can open the bank to class action lawsuits to overturn the UCC. Either way, it’s a bad day for the bank. So they opt for the third choice which is to delay the inevitable. They make these poor businesses wait for sometimes years before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome than letting something get litigated. So yes, those poor companies are getting the run around, and we don’t get to hear about it because at the end of the day they are all signing NDAs.

So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you - I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.

US officials move to infect Populace with 5T00P.1D virus -- google, bombs, Mozilla, oil barrels of stupidity

Financial Cryptography - Mon, 2010-02-22 21:59
A wave of stupidity is flooding through the USA mediawaves. Here's an example:

A cyberattack disabled US cell phone networks, slowed Internet traffic to a crawl and crippled America's power grid Tuesday -- all in the interest of beefing up US security. Dubbed "Cyber ShockWave" and organized by the Bipartisan Policy Center (BPC), the event was held at a Washington hotel room transformed for the day into the White House Situation Room, where the president and his advisers typically meet to address national emergencies. In the simulation, former top US officials debated how to respond as the power grid in the eastern United States was virtually shut down by a stealth cyberattack and a pair of bombings, cutting electricity to tens of millions of homes.

This is an "exercise" conducted by something called the Bipartisan Policy Group. The confusion between officialdom and lobbying could be forgiven, because it was intentional. Consider this list of Washington DC rock stars:

Fran Townsend, former president George W. Bush's one-time Homeland Security advisor
Charles Wald, a retired general and the former deputy commander of US European Command
Michael Hayden, a former CIA director
ex-Homeland Security chief Michael Chertoff
former Director of National Intelligence John Negroponte
former deputy CIA director John McLaughlin
Joe Lockhart, former president Bill Clinton's press secretary
...

Then we have the amazing spectacle of Google complaining about being attacked by China!? Is there -- can there be -- any credence to this story? To me, it doesn't pass the laugh test, it is clearly a propaganda story with a hidden message. A little clicking and we find this:

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Oh. 2 activists... that's two, the number between one and three ... gmail accounts of alleged activists. Not hacked but probed. This is below underwhelming, this is quintessence of underwhelming, the very quantum of underwhelming! One glance and it's gone.

If you read more, the contradictions just keep rolling in. Apparently it is related to copyright theft, or, no it's not. Related to a concerted attack on 30 big companies, or not. It's caused by a horrifying new technique called "man-in-the-mailbox" or it's caused by phishing, or a virus, not. It's China, or it's Taiwan! It's a school, or it's the Red Army? What's going on?

What is curious is why a group so historically sensible and focussed as Google fell to such a stupidity as announcing this in a blather of hype. Well, read a bit further:

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

Ah. So, google are under pressure from the Chinese government. This is *nothing* to do with cyber-hacks, activist, freedom of speech, intellectual property, APTs, and everything to do with the access to the Chinese market. On terms appropriate to Google. They needed a casus belli to convince someone (shareholders? own employees?) of the need to rattle sabres, and a hack is a great catch-all.

But, in the process of feeding the media craving for new heights in gullibility, google might have drunk a little too deeply of the kool-aid, because they then negotiated with the NSA to cut a secret deal; if there is ever a sign that it's all over for independence, that's the one!

Google approached the NSA shortly after the attacks, sources said, but the deal is taking weeks to hammer out, reflecting the sensitivity of the partnership. Any agreement would mark the first time that Google has entered a formal information-sharing relationship with the NSA, sources said. In 2008, the firm stated that it had not cooperated with the NSA in its Terrorist Surveillance Program. Sources familiar with the new initiative said the focus is not figuring out who was behind the recent cyberattacks -- doing so is a nearly impossible task after the fact -- but building a better defense of Google's networks, or what its technicians call "information assurance."

Getting out of China, to maintain independence, then signing up with the NSA, doesn't present a consistent message. I love the quote about how they don't want to break any laws on spying on Americans...

Back to China. The rhetoric has spread further than expected. Over in Mozilla's groups, the anti-China faction has stirred up another little hate campaign over a Chinese CA called CNNIC.

With this background in mind, let's unpack the Mozilla debate. What set off the debate was the addition of the China Internet Network Information Center (CNNIC) as a trusted CA in Firefox. CNNIC is not part of the Chinese government but many people assert that it would be willing to act in concert with the Chinese government. To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' "secure" web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site. The Chinese citizen would be fooled by the fake Gmail site (having no reason to suspect anything was wrong) and would happily enter his Gmail password into the impostor site, giving the Chinese government free run of the citizen's email archive.

Which offends them mightily, because CNNIC is likely to follow the Chinese government's rules on ... well, everything, as did a veritable stampede of popular western companies (Microsoft, Sun, Cisco, Skype spring to mind, and don't forget google who did, and don't and won't and might stop and want to take their bat and ball and go home). The problem for Mozilla is, CNNIC seems to offend them in more or less legal ways, in more or less policy ways, and in more or less the ways of every other view we can objectively apply. The crime, after all the evidence is assembled (not a single credible fact that I have seen), is pretty thin, and as thin as the accusations levelled against every other CA from time to time. But, this matters not at all if the real objective is popular manipulation (propaganda, by some). Note the clear linkage above from google to gmail to Mozilla... What might be called governance and protection of 250 million users in Mozilla technical circles might also politely be called nationalism by others.

But. Silly as it is, the message meshes in nicely with the current global geopolitical aspirations of some in Washington, at top. Back to the silk-dress appeal for pork-barrel funds by the "BPG":

An operation dubbed "Cyber ShockWave" has spanked the U.S.'s cyberdefenses -- hypothetically. Under the scenario organizers dreamed up, virus-infected smartphones spread malware to their owners' PCs. From there, the attackers DDoSed telecommunications networks into submission, brought down electrical grids and bombed a gas pipeline. The verdict: America's cyberdefenses are wanting.

What's the connection between the Mozilla skirmish, the Google retreat, and the unaffiliated-affiliated NGO above? These are all the same war, the war on China. And, the battleground isn't anywhere near China (indeed they are probably as bemused as anyone else), it's happening in the American media. Although Mozilla do not think they are political and although Google would like not to be political, both of these agents are being dragged into an anti-China rhetoric by a much more media-savvy player, anciently called the military-industrial complex, at times called "the hawks," more recently called the Neocons, and now wielding the pathetic title of Bipartisan Policy Group:

"You're going to see planes being grounded now. You're going to see trains not moving," said Fran Townsend, former president George W. Bush's one-time Homeland Security advisor, who was promoted to Homeland Security secretary for the simulation. The "cabinet members" debated how to respond to the situation and what advice to give the president, with suggestions ranging from calling out the National Guard, nationalizing the power companies and retaliating once the attackers' identities were known. "If this is an attack on the United States the president, as commander-in-chief, has the authority to use the full powers at his disposal," said former deputy attorney general Jamie Gorelick, playing the role of the US attorney general. "We're in good shape from a command and control standpoint," said "Secretary of Defense" Charles Wald, a retired general and the former deputy commander of US European Command. "We can take action offensively if we know where to go," Wald said. "Problematically, we don't know where that is."

That crowd doesn't know the difference between a bit and a bomb, but they don't need to because the warfront is the media front, and they certainly know a thing or two about using the media to prepare you for their next big adventure. You might think this is a small thing, but the propaganda just keeps on rolling. The British version of the NSA, called GCHQ, is also infected:

"A successful cyber attack against public services would have a catastrophic impact on public confidence in the government, even if the actual damage caused by the attack were minimal," [Cheltenham spy agency's new Cyber Security Operations Centre (CSOC) says]. The warning forms part of a preliminary "horizon scanning" report produced by the new unit, which is scheduled to begin operations next month. Its job will be to continually monitor internet security, producing intelligence on botnets, denial of service attacks and other digital threats to national security.

Such a level of FUD has rarely been seen outside the information security industry and wartime. This is awful news for just about everyone.

What most of these players want is to shake China down. Google wants "in" on comfortable USA competition rules, where it gets the preferential treatment that allows its business model to shine. No bad thing for the Google shareholder, but the Chinese government wants to reserve that market for a local player (for obvious & easy reasons):

In the last two decades, China's economic reform programs and its citizens' entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

Google wants a piece of that action, plain and simple. Mozilla wants "in" on far more vague grounds that can't really be tied down, but they probably feel an interest in preserving the ability of activists in China to browse securely. Given my crypto history, it should be no surprise that I'm sympathetic to that argument as are many readers, but China isn't. If we think of it in legal terms, this puts Mozilla squarely against the current anti-democratic, anti-freedom-of-speech laws of one quarter of the planet. As google said:

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech.

Meanwhile, the last-war-generals in Washington DC want "in" to China on a geophysical control basis, whereas the Chinese government wants to reserve the supply of commodities to itself. That is, China has a long term strategic mission of securing the supply of commodities to its industries. Washington DC disagrees. Hence, we find a lot of strange bedfellows all agreeing on the same objective, but for wildly different reasons.

At this point, most readers will think I'm short a few marbles. All I can say in my defence is this: the rise of China in the thought-processes of the Washington DC set is pretty easy to see, if you look. It's been there for at least a decade to my knowledge; it pops up in any serious scandal from Middle East, looking eastwards to some watery point well west of Japan. You'll have to take it on faith that when you're in a tussle with China, suddenly you'll find an 800lb gorilla in the room as your ally. Slashdot knows it, from many examples here's just one:

While I don't disagree that we could do more in the area of computer security, one needs to look closely at the affiliations of the people running this "exercise." They're both loyal Neocon insiders. John Negroponte [wikipedia.org] is the former Bush Director of National Intelligence. Michael Chertoff [wikipedia.org] is the former Director of Homeland Security, and co-author of the Patriot Act. And both of these positions were just the last in a string of appointments by Bush/Cheney. And as career neoconservatives, they've been at the forefront of fearmongering and prevarication in order to lead the US to war and erode civil liberties. These are not opinions, these are well-documented facts [google.com]. The neocons are a one trick circus; this is just their newest pony. If you've been paying attention the past nine years, how can you possibly doubt that this is anything else?

A gorilla you really don't want in your living room, because the cost of the alliance is probably a house re-build. The danger lurking within is this: the hawks' theory is that China will take over the USA militarily sometime in the next few decades. Whatever you think about geopolitics (last 20 years of small proxy wars, etc) this has led a not-insignificant group within the Beltway into wanting a war of some form with China. Their theory is that they have to do it now or soon, or else it will be too late. And this may explain the flush of rhetoric out of Washington DC: the hawks are scared they are running out of time for a war, and for that, the next step is simple: they have to swing the American public behind them, into a bellicose, anti-China mood (recall how they did this with Iraq 2).

Which brings us back to the cyber-war nonsense. This is the perfect casus belli because there is no embarrassing evidence to show they are lying; indeed we can't even get it right or clear or agreed in the open market because the electrons won't sit still after the attack. As casus bellis go, it's got more mileage than historical ones such as Iraqi nukes or Saddam's mate Osama or the North Vietnamese torpedo boats in the Gulf of Tonkin, because in the end, the physical evidence spoke up. From now on in, cyber-war will be a central plank of the war on China. The only problem is, it's a lie, a casus belli, and it's more or less unprovably false and unprovably true and very very scary, all at the same time.

The American Public are being set up, again. Same as it ever was, but this time the entire Internet, security, communications and interactions world is being dragged in. That affects every one of us. This time it's personal.

(As an aside, the hawks' strategy is doomed to failure. It worked in Iraq 1 & 2 because of many factors that were easily predictable. Arguably, it failed or worked in Talibans 1, 2. It failed in Iran, but there's still hope. Unlike Iraq & Iran, who supply lots of *commodity* oil, and Afghanistan which supplies commodity opium, China supplies manufactured goods to USA. If oil or drugs slow down, the price goes up, and the market adjusts. The traders love that, it's called volatility. On the other hand, if Walmart is emptied, we've got bigger problems, nobody benefits from that. But this easily predictable failure of strategy won't stop the hawks, possibly because their experience in economics is limited to slopping at the pork-barrel trough. As far as policy goes, this is the same stupid crowd that chose to hollow out its nearest and dearest southern neighbour in the so-called _war on drugs_. The stupidity virus has gone deep.)...

The future of Australian banking

BankerVision - Mon, 2010-02-22 14:46

Over the past week, I’ve had the chance to reconnect with some of my Australian banking colleagues. Australia is very unusual from a financial services perspective – they were largely untouched during the global financial crisis, and my suspicion is this has made them a bit complacent.

Whilst the rest of the industry has started its thinking around the future of the industry, and in some cases, has started to modify itself, I couldn’t help but feel I was stepping back in time a bit last week. Nothing much has changed in Australia since I left it six years ago.

Mind you, not all that much has changed in the thinking of traditional banks here, either.

For example, everyone is still parroting on about “customer experience” and “customer relationship”. I say parroting because both of those terms imply something which just doesn’t exist in banks: a cultural imperative to put the needs of customers first.

Working in banks, it is never first about the customer. It is first about revenue and share of wallet. Anything a bank does in terms of relationship and experience is all about making more money under the guise of helping, and this sets up a relationship which is false. It’s like the motor mechanic guy who says he wants to help you to your face, but actually cares about working out how to get as much money possible out of you for as little effort as possible. That situation feels false to customers, and when you translate it to banks, it feels just as false.

I mean, why not just admit to customers that you’re out to make money from them, and get rid of the falseness about it all? Banks aren’t there to help customers, they’re there to help shareholders. Would anyone really mind a bit of candour about this?

So I actually said all this to banking people when I was visiting last week, and most of them didn’t get it. Not only did they not get it, they didn’t even agree that their first imperative in all things was to make more money and reduce cost, not to service customers.

Theirs is the extremely dated view that “bank at centre of financial universe” is still appropriate today. It might have been the way things have been in the last several hundred years, but today things are changing.

Banks, today, should be aiming to be invisible, not the centre of all value. When you get a mortgage, the point is the house you’re buying, not the financial services product. You go to the bank as a consequence of house-buying, not because you want a multiple decade loan for its own sake.

Bankers should try embedding the loan into the house buying process so that the money part was as invisible as possible. Why is it even necessary that the bank has a brand on that, anyway? Loans are all about price, and you care about brand and stuff only if you’re going to have a “relationship”. That’s all part of the falseness, of course.

Clever institutions – including one in the UK – are already starting to get the fact that the best strategic option is to integrate their stuff into things customers really care about, not be the centre of the universe themselves. If nothing else, it removes them from the falseness of their traditional approaches to customers.

Yes, that means giving up on owning the customer. Yes, it means giving up these dated notions that customers actually want a relationship with a bank beyond it working properly. And, yes, it means that the new game is courting people who will integrate your services, not those who will eventually be using them.

This last is the most important point, actually. I’m of the view that the bank that gets the largest number of organisations to integrate with them will win in a particular market. They’ll have a critical mass that makes it more attractive for more people to join up with them. Everyone else will be left in the dust to pick up crumbs.

Now, of course, in Australia, this is not going to happen any time soon. They haven’t had the burning platform the rest of us have had to make change. It is simple and easy to continue the way things always have.

But I will say this: the time is coming when a global major is going to show up and do this. It may not be soon, because there are bigger profit pools available right now. But it will happen, and they will be great at integrating businesses with them. They are already working out they need to be invisible, not the centre of everything.

So, Australian Banks, if you want to play in this new world order, you need to start getting to this stuff soon. The problem you have is you don’t know how much time you have.


10 ways you know you’re with smart people

BankerVision - Wed, 2010-02-17 21:18

1. They don’t talk as much as you, because they know they got smart by listening.

2. They know lots of things other than what they’re specialised in. Theirs is the gift of a broad mind, constantly fed with the stimulant of being interested in what everyone else is doing.

3. They juggle home, work and personal interests with dexterity and never fall back on the tired old refrain about “work life balance”. And when they’re juggling, they somehow manage to seem 100% engaged with what they’re doing, on all fronts simultaneously, even though you know they’re taking appropriate steps behind the scenes to make sure their lives are perfectly, serenely balanced.

4. They probably do social media. Not always, but probably. It is not only another chance to listen, but one they use to ensure they can feed their brains with things they otherwise wouldn’t have come across.

5. Even when things go very badly wrong, they’ll be smiling. Smart people never get ruffled because their smart brains present them with alternatives faster than the bad stuff can happen.

6. They know they are usually the smartest person in the room, but they don’t spend their time dwelling on that. Instead, they take it as a personal challenge to see if they can make everyone else the smartest person in the room too.

7. If they are managers, they will make every effort to get people smarter, more connected and more popular than them in their teams. They’re not threatened because they know that smartness is synergistic. They also make sure that their smart people get to look smarter than them for the same reason.

8. They have hidden skills that never get rolled out until they’re needed. They don’t have any need to show their full capabilities for reasons of proving they’re better than others. 

9. They may or may not have expensive educations. You’d never know, just by being with them unless you had their CV in front of you.

10. They never, ever, under any circumstances, make you look stupid, even though it would be easy to do so. They’ve learnt through bitter experience that the only thing that happens when you make someone look bad is you look bad yourself.


Google Buzz Security Flaw

ha.ckers - Tue, 2010-02-16 19:17

Speaking of Google, I got an email from TrainReq (the same fellow who allegedly hacked Miley Cyrus for those who don’t keep up to date on your tween idols). The email was regarding an exploit against Google Buzz. It’s yet another example of bad input validation/output encoding by your favorite advertising overlords at Google. As you can see, nothing up my sleeves:


There’s four things of note here. Firstly it’s on Google’s domain, not some other domain like Google Gadgets or something. So yes, it’s bad for phishing and for cookies. Secondly, it’s over SSL/TLS (so no one should be able to see what’s going on, right?). Third, it could be used to hijack Google Buzz - as if anyone is using that product (or at least you shouldn’t be). And lastly isn’t it ironic that Google is asking to know where I am on the very same page that’s being compromised? Why on earth does Google think its systems are secure enough to trust them with that kind of sensitive information? Yes, bad guys can figure out where you’re located if you allow that function. Chinese dissidents beware! But if you have something to hide, you must be a bad guy, right, Eric?

Nevermind, I Was Wrong, Google Is Evil

ha.ckers - Mon, 2010-02-15 22:07

I’ve been waiting a while to do this post - several weeks actually since my original post. In that post, I applauded Google’s apparent interest in reining in censorship as “the first really truly non-evil thing I have seen Google do in years”. Since then, I thought it appropriate to give them some time to sift through the nuances of their blog post - you know, to give them the benefit of the doubt - of which I had many. I’m sure you remember just one month ago when Google was waxing on about how they were going to stop censoring:

We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.

Well, according to The Register:

Google Chief Legal Officer David Drummond never said his company would stop censoring hot-button issues such as the Tiananmen Square massacre of 1989.

If that theory is true Google is essentially saying, “You were too stupid to read our post properly because clearly, our post means that we aren’t able to do so legally, so we’re still going to censor.” If that’s true why would Google wait to clarify such an extremely well publicized faux pas in their own wording? Maybe they missed all those flowers at the Chinese office. No, I don’t believe that The Register’s theory is true - I think Google sincerely intended to pull out or get more support from the Chinese. However, I believe that Google is being stonewalled by the Chinese government - and for good reason. Google’s demands are impossible to comply with. But we all know that Google and China have been talking for weeks and we haven’t seen any movement other than China’s response to Hillary Clinton saying that they don’t censor (and if anyone still needs proof, email me and I’ll give you instructions on how to see it in action).

Google hasn’t stopped censoring anything, and they haven’t pulled out of China. They asked for a “few weeks” to have those talks, and it has been a few. So now we have to ask the question - does Google actually care about the Chinese people, or is it all about making money for the shareholders? We know that Google censors elsewhere in the world, it’s not just China, yet they’ve not even made mention of those citizens of the other nations. So we have to make the logical connection that Google is just acting in their own self interest and this whole China thing is a distraction from several other major issues, and has nothing to do with the best interest of people who are being censored. So now the real question is did Google do what it set out to do?

And, so yes bravo, Google. Well done. You snowballed everyone as you stall for time trying to figure out what you want to do with your failing Chinese division. You spanked the Chinese government for hacking into your systems while you drew fire away from your crappy security around your warrant-less wiretapping system that you built into Gmail. So yes, I would have to assess Google’s incredibly calculated decision as a success, but not for the people of China or other censored peoples around the world. It’s back to business as usual at the Googleplex. And so yes, Google, you can keep slinging your ads well into the future. But I have to ask - at what cost?

The cost of playing red-footed football for European top-league clubs

Financial Cryptography - Mon, 2010-02-15 20:58
An article in the Dutch paper NRC Handelsblad reveals that a classified Dutch government report has revealed that criminals stole 341,956 passports, identity cards, visa stickers and drivers licences from European government facilities since 2000. OK! That would be 34k per year across Europe. It states that “purchasers are willing to pay increasingly high prices for travel documents and passports.” Depending on the country and the type of document sought, prices are said to vary from 500 to 11,000 euros. That's for documents based on stolen-as-blank European documents (which supports our rule of thumb: 1,000 euros for a good set).

Later on the article gives one estimate of costs (to us) or profits (to crooks): “The damages incurred can amount to at least a hundred times the prices paid for these documents.” A couple of years ago, Dutch customs officials estimated that in the Netherlands alone, fraud committed using forged proof of identity cost three billion euros annually.

If one guesses, say, a tenth of the numbers for the Netherlands alone (finger in air, divide the European numbers above by 11), then each year 3000 good identity documents are selling into the Netherlands and chasing 3 billion euros of fraud. That's 3 million bux per identity sale. That's serious money. This is for the real item, and only the printing would give them away on inspection, which makes those numbers useful.

Here's more information. To combat the abuse of stolen documents, customs offices protecting the Schengen area's outer borders have the so-called Schengen Information System (SIS) at their disposal. The SIS lists not only all persons and vehicles wanted by law enforcement in countries party to the Schengen treaty, but also contains data on all blank travel documents that were stolen or went missing from government facilities there. According to the Dutch police, the database contains 341,956 documents in all. However, the SIS is not consulted with every entry into the EU.

So the headline 3.4m over Europe, the 2000s decade, would be a floor rather than a ceiling. Another remarkable pointer in the article: the report, entitled Report on Security Norms for Diplomatic Posts, lists numerous European embassies and consulates that were robbed around the turn of the century by Eastern and Central European “crime syndicates”, bagging large numbers of passports and visa stickers in the process. The gangs “occasionally used extreme violence” to gain access to the “poorly secured” diplomatic posts, the report states. The gangsters were privy to “know-how and techniques used by former intelligence agencies”. Netherlands, Spain, Austria and Portugal ... Vienna, Geneva, Lausanne, Brussels and other locations. The crime spree was kept under wraps at the time, but the thefts were recently confirmed by the foreign ministry at NRC Handelsblad's request.

Which would point the finger at organised crime. Which means it is serious, it is working, it is making money, and it isn't going away. Add to that observation the above 3 million profit number, and now we have something serious: that's a trend we can rely upon.

Who are the likely customers? The report lists the usual grab-bag of losers such as criminals, human traffickers and illegal asylum seekers, and terrorist(s): stolen Belgian passports were used by Abdessatar Dahmane and an accomplice in September 2001 to pose as journalists and gain access to Ahmed Shah Massoud, the leader of Afghanistan's Northern Alliance, and kill him in a suicide bombing. And this odd one: Brazilian football star Leonardo Santiago was caught red-handed in 2000 when his Portuguese passport proved to be a fake. The 17-year-old darling of Rotterdam's Feyenoord team had thus been able to circumvent the strict regulations that apply to all non-EU citizens playing for European football clubs. The story is by no means unique in European football. In recent years, law enforcement officials in France, Italy and Spain have caught dozens of Leonardos, playing for clubs like Inter Milan, Lazio Roma, AS Monaco and Saint-Etienne.

Shouldn't that be caught red-footed? Joking aside, what exactly is the harm here? Teams and players alike benefited from the fraudulent documents. In France and Italy, regulations only allow clubs to field a limited number of non-EU players. In the Netherlands, the same foreign nationals can only be signed if they are paid at least 503,000 euros annually. Exactly. One presumes there is no serious cost to society in fielding a footballer of the wrong colour in a game. Lumping mass entertainment in with serious crime is a misuse of police resources, and we'd rather they be chasing those real criminals mentioned earlier, and now here: Police in Dubai have issued arrest warrants for 11 suspects they want to question about the killing of a senior Hamas official in Dubai. The suspects include six men travelling on false British passports....

Can we handle the truth?

Interfluidity - Sun, 2010-02-14 20:25

Both globally and within most nations, the patterns of consumption required to sustain existing social arrangements are inconsistent with the distribution of the fruits of production. Social and economic stability, therefore, depend upon redistribution for which there is no overt legal framework or political consensus. To square this circle, the financial and government sectors have evolved means of hiding redistribution in complex, continually improvised arrangements. Unsurprisingly, massive wealth distributions arranged in this way leave much to be desired, in terms of straight corruption (the financial and government sectors redistribute a lot of wealth to themselves), justice (e.g. wealth is redistributed to those who happen to speculate early in bubbles), and sustainability (the illusion of value behind the claims of those from whom wealth is taken may prove fragile, but “loss realizations” are socially disruptive if they are not carefully paced and allocated).

Neither financial nor political reform can succeed unless we overcome the social and economic contradictions we have relied upon the financial sector to literally paper over. Off-balance-sheet liabilities that hide the impairment of savers’ claims, whether in subprime mortgage-backed securities or sovereign entitlement programs, are not aberrations. They are essential tools in the arsenal of social stability, the economic equivalent of military “black-ops”, things that must be done but must always be denied in order to protect the American (and European, and Chinese) way of life. Unless we define overt arrangements that overcome the contradictions between the organization of production and socially desirable patterns of consumption, each scandal and reform will necessarily be followed by some new technique or trick that delivers, however unjustly or corruptly, the wealth transfers upon which our societies depend. Our choices are to overtly align the fruits of production with patterns of consumption, to continue to employ accounting fictions and magic to pretend away the contradictions, or to undergo some form of collapse.


That higher degree

BankerVision - Sun, 2010-02-14 17:37

I’m sighing here, because I’ve just heard from another very good IT professional who has decided their career will be immeasurably enhanced by doing a higher degree.

I’m sighing not because I don’t think there is value in higher degrees from an academic perspective, but because this individual thinks that anyone cares about the higher degree when it comes to what makes someone’s career take off.

There is this false expectation that “if I just get this MBA, I can get to the next level”.

Tied in with this false expectation is the thought that anyone in IT is going to get their career managed for them by their employers.

I have news. You will not have a boss long enough in IT for them to manage your career for you in any substantive way, and most large organisations are rubbish at long-term talent management anyway. The fact is, long-term IT professionals who don’t change jobs frequently enough get painted into a corner where their skills devalue over time. And IT organisations are full of people who know this, and who therefore move every few years, making long-term talent management pretty impossible.

Now, considering that a higher degree is going to take a few years to get, and everyone on the playing field who matters (and stopping you progressing) will be gone in a few years, how is the new piece of paper going to make any difference at all, really?

When people look at CVs, they don’t usually care all that much about the education, so long as there are signs there is some. They only care about what you’ve already done in your career to that point. Anyone can get a degree, after all, even a higher one.

But not everyone is able to make things happen. That’s especially true in IT, where we have optimised ourselves to make sure that change can only happen in extreme circumstances. “Protecting live service” – which is very laudable of course – has ultimately had the effect of making sure that only those with the largest sticks can make any difference.

A new degree does not give you a large stick. Hierarchical position is a large stick, control of a budget is a large stick, or the ear of someone important is a large stick. You get such sticks by doing stuff, not by having an advanced degree. People who can hand out sticks do so because they have worked out it is OK to trust you.

Really, there are only two times it makes sense to get further degrees, with all the attendant cost and time commitments.

The first is if you’re new to work, and you have no career history. Then, having that advanced degree is a nice CV stuffer that can help differentiate, but I do wonder if the personal ROI on maybe getting selected for a few extra interviews is really worth the extra years of study.

The second reason – really the only reason I think – is you’re interested in the content.

So often, good people with good jobs in IT go and get that extra degree, but not for either of these reasons. That’s why I sigh. It’s such a waste for most people.

They’d be far better off cultivating people who can give them big sticks instead.
