news I read

memes in infosec I - Eve and Mallory are missing, presumed dead

Things I've seen that are encouraging. Bruce Schneier in Q&A:

Q: We've also seen Secure Sockets Layer (SSL) come under attack, and some experts are saying it is useless. Do you agree?

A: I'm not convinced that SSL has a problem. After all, you don't have to use it. If I log-on to Amazon without SSL the company will still take my money. The problem SSL solves is the man-in-the-middle attack with someone eavesdropping on the line. But I'm not convinced that's the most serious problem. If someone wants your financial data they'll hack the server holding it, rather than deal with SSL.

Right. The essence is that SSL solves the "easy" part of the problem, and leaves open the biggest part. Before the proponents of SSL say, "not our problem," remember that AADS did solve it, as did SOX and a whole bunch of other things. It's called end-to-end, and is well known as being the only worthwhile security. Indeed, I'd say it was simply responsible engineering, except for the fact that it isn't widely practiced.

OK, so this is old news, from around March, but it is worth declaring sanity:

Q: But doesn't SSL give consumers confidence to shop online, and thus spur e-commerce?

A: Well up to a point, but if you wanted to give consumers confidence you could just put a big red button on the site saying 'You're safe'. SSL doesn't matter. It's all in the database. We've got the threat the wrong way round. It's not someone eavesdropping on Eve that's the problem, it's someone hacking Eve's endpoint.

Which is to say, if you are going to do anything to fix the problem, you have to look at the end-points. The only time you should look at the protocol, and the certificates, is how well they are protecting the end-points.

Meanwhile, the SSL field continues to be one for security researchers to make headlines over. It's BlackHat time again:

"The point is that SSL just doesn't do what people think it does," says Hansen, a security researcher with SecTheory who often goes by the name RSnake. Hansen split his dumptruck of Web-browsing bugs into three categories of severity: About half are low-level threats, 10 or so are medium, and two are critical. One example...

Many observers in the security world have known this for a while, and everyone else has felt increasingly frustrated and despondent about the promise:

There has been speculation that an organization with sufficient power would be able to get a valid certificate from one of the 170+ certificate authorities (CAs) that are installed by default in the typical browser and could then avoid this alert .... But how many CAs does the average Internet user actually need? Fourteen! Let me explain. For the past two weeks I have been using Firefox on Windows with a reduced set of CAs. I disabled ALL of them in the browser and re-enabled them one by one as necessary during my normal usage....

On the one hand, SSL is the brand of security. On the other hand, it isn't the delivery of security; it simply isn't deployed in secure browsing to provide the user security that was advertised: you are on the site you think you are on. Only as we moved from a benign world to a fraud world, around 2003-2005, has this been shown to matter.

Bruce goes on:

Q: So is encryption the wrong approach to take?

A: This kind of issue isn't an authentication problem, it's a data problem. People are recognising this now, and seeing that encryption may not be the answer. We took a World War II mindset to the internet and it doesn't work that well. We thought encryption would be the answer, but it wasn't. It doesn't solve the problem of someone looking over your shoulder to steal your data.

Indeed. Note that comment about the World War II mindset. It is the case that the entire 1990s generation of security engineers were taught from the military text book. The military assumes its nodes -- its soldiers, its computers -- are safe. And, it so happens, that when armies fight armies, they do real-life active MITMs against each other to gain local advantage. There are cases of this happening, and oddly enough, they'll even do it to civilians if they think they can (ask Greenpeace). And the economics is sane, sensible stuff, if we bothered to think about it: in war, the wire is the threat, the nodes are safe.

However, adopting "the wire" as the weakness and Mallory as the Man-In-The-Middle, and Eve as the Eavesdropper as "the threat" in the Internet was a mistake. Even in the early 1990s, we knew that the node was the problem. Firstly, ever since the PC, nodes in commercial computing are controlled by (dumb) users not professional (soldiers). Who download shit from the net, not operate trusted military assets. Secondly, observation of known threats told us where the problems lay: floppy viruses were very popular, and phone-line attacks were about spoofing and gaining entry to an end-point. Nobody was bothering with "the wire," nobody was talking about snooping and spying and listening [*]. The military model was the precise reverse of the Internet's reality.

To conclude. There is no doubt about this in security circles: the SSL threat model was all wrong, and consequently the product was deployed badly. Where the doubt lies is how long it will take the software providers to realise that their world is upside down? It can probably only happen when everyone with credibility stands up and says it is so. For this, the posts shown here are very welcome. Let's hear more!...

The difference between 0 breaches and 0+delta breaches

Financial Cryptography - Thu, 2010-07-29 05:29
Seen on the net, by Dan Geer:

The design goal for any security system is that the number of failures is small but non-zero, i.e., N>0. If the number of failures is zero, there is no way to disambiguate good luck from spending too much. Calibration requires differing outcomes.

I've been trying for years to figure out a nice way to describe the difference between 0 failures, and some small number N>0 like 1 or 2 or 10 in a population of a million. Dan might have said it above:

If the number of failures is zero, there is no way to disambiguate good luck from spending too much.

Has he nailed it? It's certainly a lot tighter than my long efforts ... Once we get that key piece of information down, we can move on. As he does:

Regulatory compliance, on the other hand, stipulates N==0 failures and is thus neither calibratable nor cost effective. Whether the cure is worse than the disease is an exercise for the reader.

An insight! For regulatory compliance, I'd substitute public compliance, which includes all the media attention and reputation attacks....

Is governance the answer to system failure?

BankerVision - Wed, 2010-07-28 05:44

Over at Management Matters, guest blogger Steve Burrows writes of high profile systems failures at Tesco and Barclays in the UK:
These instances, two major private sector failures of customer-facing IT in a week, show us not only that the private sector is not immune to IT failure, but that our biggest corporates with effectively unlimited IT resource working to their own objectives and timescales still don't get IT governance. In both cases one has to ask what went wrong? Where was the testing? Who oversaw it? Who authorised the go live decisions? It seems the private sector still has some lessons to learn about delivering major IT projects successfully, hopefully it will do so more quickly and with less pain than the public sector.
Steve, I don't know about you, but I am yet to work in any large organisation where the problem was a lack of governance. Systems failures don't happen because of governance, or the lack of it. They happen because large systems which connect to other large systems are simply too complex for anyone to be sure of what's going to happen when you turn them on.
Yes, I know that the answer to this is testing. But the real problem is this: getting certainty that things will work out the way they are supposed to requires that you duplicate your production environment down to the very last server, the very last item of data, and find a way to realistically replicate actual user behaviour at the scale the system is supposed to handle. To get 100% certainty, the test environment has to duplicate real life in every detail, and that costs. I don't know any large processing operation that can afford to do this, actually. Most can barely afford to keep their production systems going.
Since you can't be certain what's going to happen when you turn on a new system, management is expected to make a decision on go-live given the incomplete information they have to hand. Sometimes they know enough that there is a pretty low level of risk of something going wrong. Other times they don't but because of internal pressures, they take the chance anyway. Great IT management isn't scared to take a risk when they assess all the benefits versus all the potential things that can go wrong.
Great IT managers also make mistakes in their risk assessment from time to time too. 
The role of governance is to provide the information that managers need in order to make their risk decision about a system. Like all information collection activities, it is subject to declining marginal returns. The more you have, the more it costs for incrementally less surety. There is a point at which the additional risk you eliminate by adding a new process or a new reporting regime is more expensive than the downside it is supposed to mitigate. 
But there is another dimension to the go-live decision, and that is the non-IT pressure that managers are subjected to. Sometimes, the business downside of failing to go-live at a particular time is so significant that it justifies the risk of things going wrong, even if you don't have surety of the system. Neither Steve nor I know what really went wrong at Tesco and Barclays, but it is reasonable to guess this: those IT managers would have been under substantial pressure to get those systems out the door, and they took a calculated risk.
Steve goes on to imply that this kind of risk taking is management incompetence:
The reputations of all IT workers are demeaned by such failures, the governance and management failings that allowed these errors to occur bring us all into disrepute by association. The harm suffered due to IT failings in large corporates not only affects them and their customers, it taints all of us in the IT profession, fairly or otherwise.
I don't for a moment suggest that it is acceptable that major systems fail. Nor do I think taking stupid risks is sensible management. But since every change to a major IT system is an exercise in risk assessment, things are going to go wrong from time to time. It is simple to blame management when things go wrong, but not so simple to come up with a solution that reduces the chance of failure to zero in a way that's affordable.
Actually, if such a solution existed, I think we'd all have deployed it by now. Steve, if you know something that the rest of us don't, now is the time to share.
In the meantime, the answer is not to have more governance, it is to have proportional governance, and invest in long term complexity reduction. Complexity reduction is not a complete solution, of course, but what it does is reduce - over time - the amount of information you have to get before you can safely take a decision to go live.

Categories: news I read

How Hits Work - Don't Bother with Radical

BankerVision - Thu, 2010-07-22 05:59

As an innovation person, I'm always startled when I see a product or service which turns into a huge, overnight hit. Especially one which comes from nowhere.
The reason I'm startled is that innovation academics have long used a thing called diffusion theory to explain how new ideas get adopted by populations. The long and short of it is, you find a small group of people who aren't risk averse and who are willing to try a new thing, and they tell their experiences to like-minded people who are more risk averse. The positive feedback from the first adopter influences the next to adopt, and so on. This process builds up until you get to the tipping point, where everyone adopts the new thing en-masse. Wikipedia explains this in more detail.
My surprise comes from the fact that this whole process takes time. Sometimes, lots of time. So, when it happens overnight, something else must be going on. Hit products - which I'll define here today as ones where you get mass adoption without the slow build up from diffusion - shouldn't happen.
Of course, hit products do happen. And I have the germ of a theory as to the reason.
My key observation is this: breakthrough, radical innovations are never hits. Hits happen when a previous breakthrough is incrementally improved over time, and then shifted sideways into an aligned problem space where they cause a revolution. In all the cases I've been able to find so far, this seems to be true.
Let me give you a historical example: the steam engine.
The steam engine was initially not very much use. It was invented in Greece in the first century AD - a boiler with two spouts on an axle. When the steam came out of the spouts it made the whole thing turn. Not very efficient. The breakthrough: the first time ever a motive force was created that wasn't human or animal.
Some 1500 years later, a steam engine that could pump out shallow mines was invented. It was also not very efficient - the cost of fuel was greater than paying people to bail out the holes.
40 years later, a more efficient engine came along that could do deep mines. It was still expensive, but cheaper than using humans or animals. Steam pumps started to spread.
A few years after that a highly efficient engine was designed, one light enough to move around. Stephenson, the father of the railway, put an engine on rails and used it to tow loads. Then he opened a commercial railway between two cities in England.
Almost overnight, the world changed as railways exploded across the world. 
The diffusion process occurred ordinarily for steam - it just happened in the space of pumping water. When Stephenson moved the pump into an aligned problem space - mechanical motive force for transport - there was no need for diffusion processes because they'd already happened somewhere else.
There are so many examples of this. Vacuum tubes, invented by Edison, hardly used until they found a home in commercial radio. Polaroid film, an optical oddity until it was used in sunglasses and instant photography. 
What about the hits of today?  
iPad: an incremental improvement of iPhone (the bigger screen) moved into the aligned space of media consumption even though previously tablet adoption was low.
Avatar, the movie: just another sci-fi until James Cameron incrementally improved 3D (full depth perception, not just objects flying at you) and moved it into mainstream cinema. Previously, 3D was a gimmick.
Google: an incremental improvement on search (better results) moved into the aligned space of contextually relevant online advertising. Before that, ads were about replicating paper.
Now, if this is true, what is the lesson for innovators?
Don't invest in radical innovation - look, instead, for incremental improvements that can be moved sideways and turned into revolutions. Wait for someone else to do the breakthroughs, then build a business by leveraging the diffusion process they've paid for in an aligned space.
Perhaps that's controversial, but I've not found an example yet that refutes this line of thinking. I'd be grateful if anyone can give me some examples that do.


Petabytes On the Cheap

ha.ckers - Wed, 2010-07-21 18:24

37 posts remaining…

With all the talk about cloud computing I thought it would be interesting to post this article. It turns out you can create a single chassis that contains around 67 terabytes in it for $7,867. That’s pretty incredible, and most interestingly, if you follow the link, you’ll see the cost breakdown compared with other alternatives which it pretty much blows away. It almost doesn’t make any cost sense to outsource your storage to the cloud with those cost savings. It really can be cheaper to bring it in house.

Now there are some down-sides, and they primarily have to do with high availability. There’s a good article explaining some of the potential downsides although id told me, “port multiplier doesn’t matter there, even 2-1 oversubscribed they are fine for doing what they are meant to” so take the criticism with a grain of salt and do your own fact checking. Either way, the cost savings are so dramatic, this could be an evolutionary step and I bet things will get a lot more solid down the road to alleviate the issues of availability. So it might be premature to jump into this kind of storage for those massive databases you’re supporting, but given a little time and increased density I bet this technology makes a huge difference in cost down the road.

As a side note, for you people who were around for a while, I did some quick math - it would take just north of 46.5 billion floppies to equal that one 4U box. Also, as a fun fact most smart-cell phones these days are faster than the machine that we started ha.ckers.org on. Amazing how times have changed!

Some Possible Insights into Geo-Economics of Security

ha.ckers - Wed, 2010-07-21 14:59

38 more posts left…

I first started thinking about this when I talked to a friend from Vietnam a year or so ago regarding his CISSP. Once upon a time it was nearly impossible to find someone in Vietnam with a CISSP. At first I thought he was making some sort of joke about the usefulness of the certificate, but for some things in Vietnam it’s really a hot commodity. It turns out that the cost of living there makes a CISSP almost totally not worth it. Even though it’s expensive in the United States (where I live) respective to the wages in Vietnam it’s weeks or even a month worth of work. Therefore the rate at which a certificate would be awarded is less, not because of skill, know-how or anything else. It’s purely economics. Slowly that has changed and more people now have it than before in Vietnam, but it’s still not equal as a percentage compared to the USA, for instance, from what I was told.

That got me thinking about other issues that are relatively the same. For instance SSL/TLS certificates. Buying a certificate to allow for transport security is a good idea if you’re worried about man in the middle attacks. Yes, that’s true even despite what I’m going to tell you in my Blackhat presentation where Josh Sokol and I will be discussing 24 different issues of varying severity with plugins and browsers in general. But when you’re in another country where the cost of running your website is a significant investment compared to the United States, suddenly the fees associated with the risks are totally lopsided. So this may be why you might see a lower adoption rate of certificates in certain regions. More importantly there really is no long term reason the security industry can’t create a free certificate authority (over DNSSEC for instance) that provides all the same security or more even without the costs - therefore making it a more equal playing field.

Lastly I started thinking about bug bounties and how they work almost opposite. Unlike security, where the cost is high for playing, hacking can be much more lucrative based on your geo-economic situation. For instance, a $3000 bug bounty for something that takes two weeks to work on equates to a $78k a year job if you can be consistent. In the United States for a skilled researcher that’s barely worth the time. But in a country where the average income is closer to $10k a year, something like this might highly incentivize researchers to focus on attack versus defense, which few can afford. Anyway, I thought it was an interesting concept that may play out entirely different in reality, but it was a fun thought exercise.

Using an Introducer to get a First Meeting

BankerVision - Mon, 2010-07-19 05:24

The following is another excerpt from my work on how the vendor relationship looks from the buy-side.


Because direct approaches often fail to get a first meeting, some enterprising firms have spotted an opportunity. They establish themselves as “horizon scanners” or “futurists” and offer to give you free advice about the shape of the things to come. Their value proposition, they say, is to bring the latest and greatest organisations in front of you, providing a curation service that means you don’t have to invest much time in such things yourself. This is inherently attractive, of course, because on the buy side you are always wondering whether there is a killer tool or service available that competitors have that you don’t.


The problem is that such firms are really fronts for getting the first meeting. Their business model is not to horizon scan for the buy-side, but to sell access to the first meeting to the sell-side.


Now, customers aren’t dumb. After the first session or two, they recognise what they’re getting is a set of meetings with vendors who have paid for the introductions. It is incredibly false, and incredibly time wasting. Almost immediately, the introducer firms get blacklisted.


But here’s the problem with such firms. The product they sell is first meetings, and their currency in any buy-side situation is incredibly tenuous, because customers always see through them very quickly.


Their response is they network throughout an organisation, usually getting a single meeting, but very few more. You often hear people complaining in serial fashion about how much time they waste, and how they are never left alone after agreeing to that first, deadly meetup.


When you sell meetings for a living, of course, you are highly motivated to get as many as possible to sell. Consequently, they take being a serial pest to a whole new level.


Advice to vendors trying to get in the door via an introducer: we will likely be so annoyed by the introducer and their octopus-like procession around our organisations that anything you have will seem insignificant by comparison. Undoing the damage they cause (and which you are associated with) will take ages, and likely render a major sale impossible in whatever timeframe you have available before you get fired.


Flash Camera and Mic Remember Function and XSS

ha.ckers - Mon, 2010-07-19 00:42

39 more posts left…

Just a quick post as I head into the ramp up to Blackhat where I won’t be writing posts. Jeremiah and I spent a lot of time trying to break the Flash settings manager a few years back but one thing that I never mentioned was the way in which Flash’s settings are very often scoped to the domain rather than the app. Although currently allowing Flash access to camera and microphone isn’t all that common, if it ever did become common using XSS would be a pretty interesting tactic. Once access is allowed and remembered, an XSS included object could theoretically end up with the same privileges.

Clearly XSS is bad in and of itself, but once settings are permanently remembered, even on a site that has no other sensitive information on it (a free video-game site for instance) something like this could allow an attacker to do some nasty spying. In general applications should never allow access to camera and microphone permanently by default. Thankfully, I don’t think there are a lot of apps out there that request mic and/or camera access so the attack surface may be small. But if that were to change I’m sure if an attacker were creative they could combine CSS history hacking + hidden iframe + XSS + camera and microphone app to spy on quite a number of people who had selected the “Remember” option.

The nice thing about this attack is if it fails it doesn’t create a modal dialog alerting the user to the fact that they were under attack (one of the many perils of not using modal dialogs). So the moral of the story is even if your app contains no sensitive data, you need to be extremely careful of XSS. Oh, yeah and Flash may want to allow the web sites in question to remove the “Remember” function from their apps in future versions.

Perspectives: the difference between the 1990s money guys and the 2000s p2p guys

Financial Cryptography - Sat, 2010-07-17 02:03
And, only because I wrote it in the same thread as Zooko's post, here is a retrospective on how the 1990s payments startup guys saw life, as compared to the 2000s p2p generation.

On 18/06/10 12:27 PM, Serguei Osokine wrote:

In fact, I thought that this was exactly the hint that Zooko was dropping with his question about MN history. Was kind of surprised to read all the serious history descriptions that followed - though enjoyed them anyway... :) :)

Maybe to add to your surprise, there was a serious history! Perhaps a little more background will help. In the late 1980s, a guy called David Chaum invented a cryptographic form of cash which he called digital cash. His invention was a variation of the RSA formula that allowed a transfer of something from one person to another, that a third party could prove as valid, but not track the transfer. This allowed the third party to be an issuer of value, and users to transfer coins without being traced....

NewGenDosh: Flattr

Financial Cryptography - Sat, 2010-07-17 01:29
Editor's note: Zooko writes in p2p-hackers forum, and editor gladly copies:

That there is also a new generation of interesting payment systems including The Love Machine and Flattr. I think Flattr is very interesting. Founded by founders of The Pirate Bay, they do several things that are very promising:

1. The marginal cost to you of clicking on someone's flattr me button is zero. This is due to the scheme of subscribing to Flattr.com with a monthly fee and then at the end of the month your money gets split among everyone whom you clicked on. This is the most promising solution to the problem of mental transaction costs.
2. The pitch is that this is a way to express love to people. ♥ $
3. Look: content! It is very easy to find things to love on the flattr.com web site.

This has a lot in common with the tipping feature that we advertised as a future feature of Mojo Nation (e.g. it features prominently in the write-up of Mojo Nation in The Economist). (Inside Evil Geniuses For A Better Tomorrow we called that feature the Pay Lars button, in honor of a certain musician who had publicly criticized Napster for depriving him of well-earned income.)

From a historical perspective Flattr is a fascinating example of the evolution of ideas. The founders of The Pirate Bay are probably intimately familiar with BitTorrent, but as far as I know, they are unfamiliar with anonymous Chaumian digital cash. I wouldn't be surprised if they got the idea for Flattr from their experience with BitTorrent and basically observing that there was a hole in BitTorrent where micropayments could go. :-) Does anyone know the inside story on how they got the idea for Flattr?

Regards, Zooko...

Optimising return on influence

BankerVision - Thu, 2010-07-15 05:45

In almost all organisations there is an authority asymmetry. The number of people who are empowered to say "no" is usually much greater than those who are empowered to say "yes". This is because organisations are much more comfortable with staying the same than agreeing to changes. Empowering people to say "no" is a safe option.
It is also true to say that more often than not the number of people you might have to influence to get something done is significantly greater than the amount of time available to do the influencing. This is why innovators often fail to get much done.
Consequently, it's necessary to optimise the return on influence.
For an innovator, there is almost no upside available influencing those with the power to say "no", because the best possible outcome is ambivalence, which is not especially helpful. On the other hand, there is every chance they actually will say "no". Optimising return on influence means the best strategy is keeping your innovation under-the-radar from the nay-sayers as long as possible.
On the other hand, influencing someone with the authority to say "yes" might still get you a negative response, but at least you'll have the chance to move forward. It is a much better value proposition.
How do you tell the difference?
Here's a litmus check which almost always works. The person who controls the money is able to say "yes". Everyone else can only say "no".


The stickiest price

Interfluidity - Wed, 2010-07-14 01:19

Here’s a question for the macroeconomists.

“Sticky prices” are the foundation of “Great Moderation” monetary policy, the core justification for why we have inflation stabilizing central banks. As the bedtime story (or DSGE model) goes, if only prices were perfectly flexible, markets would always clear and the great equilibrium in the sky would prevail and all would be right and well in the world. Hooray!

Unfortunately there are… rigidities. Shocks happen (economists are bashful about that other s-word), and prices fail to adjust instantaneously. Disequilibrium persists or oscillates and all kinds of complex dynamics occur, because the system, once outta whack, doesn’t get back in whack very quickly. Disequilibrium is followed by its terrible twin distortion, which shrieks through the night, ravaging the villagers with suboptimal resource utilization, most especially suboptimal utilization of the villagers themselves who are let to starve because their wage expectations are too damned sticky.

If my tone betrays a certain disdain for this account, that is because, in my view, central bankers have used it to harm people and blame the victims. The policy regime that we have crowed over from Volcker through Bernanke and Trichet “naturally” led to the conclusion that (1) central banks should stabilize inflation, so that predictable price adjustments are mostly sufficient to keep things in equilibrium; and (2) that central banks ought to focus especially on stabilizing the stickiest prices, leading to distinctions between overall and “core” inflation. Among the stickiest prices, of course, is the wage rate. In practice, from the mid 1980s right up through 2008, the one thing modern central bankers absolutely positively refused to tolerate was “inflation” of wages. God forbid there be an upcreep in unit labor costs, implying a shift in the income share away from capital and towards workers. Central banks jack up interest rates right away, because what if the change in relative prices is a mistake? We wouldn’t want that to stick, oh no no no no no. But when capital’s share of income shifted skyward while deunionization and globalization sapped worker bargaining power? Well, we learned the meaning of an asymmetric policy response.

Even today, now that it has all come apart, economists maintain a laser-like focus on the stickiness of wages. Why can’t Greece compete? Because its “cost structure” has grown too high. In English, that means people expect to be paid too much. The solution is “adjustment”: workers’ real wages must be reduced to restore competitiveness. American economists, following in the footsteps of Milton Friedman, trumpet the glory of floating currency regimes, with which one can reduce the wages of a whole nation of workers with a single devaluation (and without the workers having much opportunity to object). The Greeks, of course, must suffer, because they are part of a fixed currency regime, and workers and employers are unable to organize the universal wage collapse that would be good for them in the way of vegetables at the dinner table.

Now, not all economists are heartless. Left economists love workers. They urge governments to devalue if possible, to chop the broccoli into chocolate cake and hope that nobody gags. These economists rail against the fixed exchange rates, because nominal wage cuts usually occur only alongside the human tragedy of unemployment. They beg governments, if they can, to just borrow money and pay workers their accustomed wages (to do some important thing or another) and hope that things work out well.

But it is always about the workers. Workers are the core problem. Macroeconomic policy, as a practical matter, is mostly about finessing “rigidities” associated with workers’ stubborn wage expectations.

Yet there is an even stickier price in the economy, a price economists have mostly ignored although it is at least as ubiquitous as wages. The price of a past expenditure, the nominal cost of escaping a debt, is fixed in stone the moment a loan is made and then endures in time, perfectly rigid, while the economy fluctuates around it. It is certainly a price, but can only be made flexible via bankruptcy — a disruptive institution, rarely modeled by macroeconomists, and rarely deployed at scale. Surely, the price of manumission must be as nimble as the price of petrol if the economy is to keep its equilibrium while being battered and buffeted by shocks.

This is an odd way of putting things, but no great insight. Everyone knows that we are loaded to the gills with debt, the real burden of which has grown as the business cycle turned. Disinflation has left us teetering on the edge of mass default and deflationary spirals, distortion, depression, destruction. The holograph sputters to life and Princess Leia implores, “Help us Obi-wan Bernanke, you’re our only hope.”

So, macroeconomists: For at least 40 years sticky wages have been a central concern, perhaps the central practical concern, of your profession. (In the models, yes, it is abstract goods prices that are sticky. But in practice, it was always and obviously about sticky wages.) You justified ending Bretton Woods gold convertibility and moving to a floating-rate regime specifically in terms of frictions associated with innumerable downward wage adjustments. Your central triumph was “beating” the inflation of the 1970s. You pretended that was a painful but technocratic exercise in monetary policy, but the durability of “price stability” had everything to do with Reagan’s breaking of union power and a free-trade regime that put pressure on the wages of all but the special. (Economists are very special, of course.) Back in the Great Moderation, central bankers chose not to emphasize the role of these political choices in explaining their “success”. It was all about targeting the interest rates cleverly, just like the DSGE models say. It was “scientific”, “independent”.

Don’t worry! I’m with you. I think unions are a poor means of supplying labor bargaining power, and wish them good riddance. I am proglobalization and free trade, or would be, if we had sense enough to subject our free trade to a balance constraint. I’ll keep your secrets. We’ll keep telling the little people that all we do is interest rates and blame whatever went wrong on Wall Street.

But here’s my question. Looking forward to the next thirty years, after we have decisively defeated wage rigidity by ensuring that the unemployed are numerous and miserable, don’t you think we should devote just a bit of our attention to tackling that other sticky price? As we reduce the bargaining power of labor, perhaps we should think about the bargaining power of creditors as well, so that if we get ourselves into a pickle where the “cost structure” of honoring debts is high, we have technocratic and politically acceptable means of managing the burden of loan contracts just as we’ve developed mechanisms to control wages.

In the 1970s and 80s, we threw away an international monetary regime and revamped the practice of central banking in order to give leaders the tools to push down hard on any upward creep in sticky wages. (Notice how there is never any talk of having Germany raise, rather than Greece reduce, its wages to “restore balance”?) Our new monetary system also made the price of escaping some debt less sticky, specifically debt owed to international creditors foolish enough to lend in borrowers’ now-unredeemable currency. And that has helped, a lot! We’d be living in Mad Max USA already if dollar debts could be redeemed for anything other than more dollars.

But the job is not done. Domestic creditors, and international creditors who lend in their own money, still have sufficient bargaining power to make past prices stick, regardless of whether those prices remain appropriate. If renegotiating down labor contracts is hard, renegotiating down millions of debt contracts via bankruptcy is nearly impossible. Perhaps debts should be enforceable only in a pseudocurrency whose convertibility to current dollars is routinely adjusted as a policy variable by the wise, technocratic central bank. Perhaps we should develop less disruptive means than bankruptcy for writing down or equitizing onerous debt. Perhaps since sticky-priced debt contracts have less rigid near substitutes called “equity”, macroprudential policy should heavily favor the latter. Put Trichet and Bernanke in a room together, and let ‘em figure it out. They’re brilliant, both of ‘em. Surely they can come up with something. But do they want to? Do they, as their models suggest, think that any pervasive sticky price is dangerous, or is it only uppity workers that trouble them?

A naive noneconomist might imagine that consistently suppressing one sticky price while assiduously supporting an even stickier price is not a way to avoid distortion, but a means of introducing it.

Isn’t it time macroeconomists stopped beating down wages and turned their attention to the stickiest price?

Categories: news I read

Preventing 2006

Interfluidity - Sat, 2010-07-10 23:21

Brad DeLong periodically reproduces the following bit from Keynes:

While some part of the investment which was going on in the world at large was doubtless ill judged and unfruitful, there can, I think, be no doubt that the world was enormously enriched by the constructions of the quinquennium from 1925 to 1929; its wealth increased in these five years by as much as in any other ten or twenty years of its history….

Doubtless, as was inevitable in a period of such rapid changes, the rate of growth of some individual commodities could not always be in just the appropriate relation to that of others. But, on the whole, I see little sign of any serious want of balance such as is alleged by some authorities. The rates of growth [of different sectors]… seem to me, looking back, to have been in as good a balance as one could have expected them to be. A few more quinquennia of equal activity might, indeed, have brought us near to the economic Eldorado where all our reasonable economic needs would be satisfied….

It seems an extraordinary imbecility that this wonderful outburst of productive energy [over 1924–29] should be the prelude to impoverishment and depression. Some austere and puritanical souls regard it both as an inevitable and a desirable nemesis on so much overexpansion, as they call it; a nemesis on man’s speculative spirit. It would, they feel, be a victory for the mammon of unrighteousness if so much prosperity was not subsequently balanced by universal bankruptcy. We need, they say, what they politely call a ‘prolonged liquidation’ to put us right. The liquidation, they tell us, is not yet complete. But in time it will be. And when sufficient time has elapsed for the completion of the liquidation, all will be well with us again.

I do not take this view. I find the explanation of the current business losses, of the reduction in output, and of the unemployment which necessarily ensues on this not in the high level of investment which was proceeding up to the spring of 1929, but in the subsequent cessation of this investment. I see no hope of a recovery except in a revival of the high level of investment. And I do not understand how universal bankruptcy can do any good or bring us nearer to prosperity…

I won’t comment on the “wonderful outburst of productive energy” Keynes attributed to the late 1920s. But I do have an opinion about the quinquennium from 2004 to 2008.

It was stupid. We were profoundly stupid. We mismanaged resources catastrophically, idiotically. We substantially oriented our economy around residential and retail development that was foreseeably excessive and poorly conceived. We encouraged ordinary consumers, rather than entrepreneurs, to take on debt, and let the credit thus created serve as the kitty in a gigantic casino of egoism. We saw the best minds of a generation destroyed by madness, glutted hysterical in suits, dragging themselves through the Street at dawn, looking for an angry bonus. We accelerated the unraveling of physical, social, and intellectual infrastructure that took a century to build and that we will desperately need some day, perhaps quite soon. We celebrated our stupidity. Based on some back-of-the-napkin theorizing, we turned virtues like planning and prudence into cost centers, and eliminated them. We idolized “the market” while at the same time reorganizing it so it would tell us exactly what some privileged groups found convenient to hear.

I am sure someone will shout “20/20 hindsight”. That’s bullshit. Everything I am saying now was obvious five years ago, and lots of smart people knew and understood it. Some of us even bought into “arbitrage” fairy tales and tried to profit from getting our views “impounded into market prices”. We learned to take a different Keynes quote seriously, the one about markets remaining irrational longer than you can remain solvent. [Shleifer and Vishny's famous coinage, "the limits of arbitrage", is not strong enough, because it suggests that efficient arbitrage is the norm subject to some exceptions and limitations. It is more accurate to view efficient arbitrage as the unusual special case, in bond markets as well as in equity markets.]

John Hussman, in an excellent weekly note, has a very mean quote:

The true debate in economics is…between economists who care about the productivity of resource allocation and those who only pay lip service.

That is harsh, but not wrong. I’d draw the lines a bit more mildly, and say that the core argument is between people who think we are in a financial crisis that has engendered an economic crisis, and others (like me) who think that the financial crisis is the outgrowth of longstanding and continuing economic mistakes.

Don’t worry. Even if you think the economic problems preceded the financial crisis, you still get to be mad at bankers. I feel about the financial sector the same way I would feel about my morphine dealer after looking down to find piranha feeding between my ribs. It’s worse than that. It’s like you pay some guy to find the best swimming holes in the Amazon and not only is he clueless, but he anesthetizes you so you don’t notice when he screws up and he eventually starts taking kickbacks from the fish. The financial sector failed three times. First it screwed up real capital allocation, throwing money at housing and consumer lending rather than finding and funding projects that would situate us well going forward. Then it failed again by seeming to succeed, when a good financial system would quickly render poor investment decisions unmistakably noxious. It’s best not to find yourself swimming among piranha in the first place, but if it happens, you want the very first nibble to hurt like hell. Finally, the financial sector failed by keeping itself rich and its creditors whole, which, despite protestations to the contrary, amounts to a failure at an institutional level to understand how badly it fucked up and make corrections going forward.

If “malinvestment” (and related maldistribution) is at the root of our problems, does it follow that austerity is the solution going forward? Not at all. Past poor investment is a sunk cost, our task now is to maximize the usefulness of resources that we still have. Failing to use perishable resources, especially resources that decay with disuse, is terribly dumb. “Stimulus” and “austerity” are both simpleminded and poorly specified strategies. In theory, we have two overlapping systems, a financial system and a political system, whose shared purpose is to make information-dense decisions about how best to use or conserve our resources. It’s not clear how we should make these decisions when both systems seem badly broken. But you go to the future with the institutions you have, not the institutions you might want or wish to have at a later time.

As we evaluate financial reform and political change, we should keep in mind that it is not 2008 that we must struggle to prevent. It’s 2006 that was the worst of times, the piranha were feeding while we splashed and giggled in our water wings.

Some notes: If you didn’t catch the references, I’ve mutilated quotes from the Allen Ginsberg poem Howl and from former US Defense Secretary Donald Rumsfeld in the text, and sourced them only via links. Regarding my own experience trying to help “arbitrage away” the credit bubble, I was short US equities from around 2005 until late 2008. The market was irrational until I was almost, but not quite, insolvent. Eventually I took a decent profit, but it was sheer luck that the market didn’t remain irrational just a bit longer and force me from my positions at a terrible loss.

Update History:

  • 13-July-2010, 7:40 a.m. EDT: Added missing “what” as in “exactly what some privileged groups found convenient to hear”.

Why did I upgrade to iPhone 4?

BankerVision - Wed, 2010-07-07 08:01

I hate to admit it, but I have an iPhone 4. I didn't stand in the queue to get one, at least. But I didn't need to upgrade, and I did it anyway. 
Apple, on their website, described iPhone4 like this: "This changes everything. Again".
The fact is, there is not a single feature in this new handset that I'd consider as game-changing as Apple does. A gyroscope? Please. Front facing camera - it makes me look fat. HD Video and 5 megapixels? I hate taking photos and leave that to the better half. Multitasking? I'd already gotten so used to not having it, that now I do, I've forgotten how to use it. Glass case? Clumsy me, just wait till I drop it.
So actually, I'm sitting here now with the thing in my hand and wondering what was going through my brain when I decided to upgrade. I still don't really know.
But I do know this: once you turn it on and see the screen you get it.
What you don't realise when you stare at a typical computer display all day is how much poorer it is compared to, say, paper. We're all used to this, of course so we don't even think about it.  But the moment you read text on the iPhone, you're hooked. It is painful going back to a traditional display after that. I'm sitting writing this on my laptop, and all I can think about is the pixels I can see on the "s" I just typed.
You don't see pixels on the iPhone any more.
I'm finding myself reading actual books on the thing now, something I would never have even contemplated just a few days ago. I'd read my feeds and stuff on my phone, but actual reading for pleasure? Never.
Anyway, this has changed my expectation for all my electronic devices. I was thinking about getting an iPad, but won't until it has a screen like iPhone. In the next year or so, I'll probably upgrade my laptop, but certainly won't be doing so until it has a screen like iPhone. 
Maybe I won't even update my appliances at home like the microwave unless they have such a screen. Even the vacuum cleaner  has a screen, and now I want it with resolution like on my phone. 
I'm joking about the appliances. At least, I think I am.
But for my real work tools, I'll switch manufacturers and operating systems if they'll give me a screen I can use instead of paper. The difference in the experience when you have to read all day makes that much difference.
My own response is interesting to me. I thought I'd care about the features, and the fit and finish, and other stuff that Apple are known for. Actually, all I care about is a commodity component that is extremely replicable by Apple's competitors.
It is interesting, isn't it, that even when you think about innovation all day, you can still be surprised to discover something you'd written off as incidental to the main game, turns out to be the most important thing of all.


Kickstarter and task markets

Financial Cryptography - Mon, 2010-07-05 04:55
Back in 1997 I wrote about task markets, where people would propose an idea, collect funds, and when 100% was reached, the contract would be made. Now Kickstarter is more or less doing it. Here's one of their contracts:

A year ago, I began writing poems to strangers on the internet. I would keep a specific person in mind: a blogger, a penpal, a sort-of-lover. Then I'd set a timer for 5 minutes and let the thoughts pour out, unfiltered. The 5 Minute Poems were sent through email, published immediately on my blog or written in Gchat. They were slices of mind. Internet Intimacy. Poetry as communication. Some of the people I corresponded with were also living in New York City, but some of them were in Texas, Paris, Melbourne, London. The poems filled the hours at the height of insomnia when my head was stuck in strange frequencies. The year-long experiment amassed enough poems to fill a chapbook. Instead of traditional publishing methods, I want to do something more organic. I want to get the book into the hands of the readers, friends and strangers who inspired it. I am using Kickstarter to raise the funds needed to self-publish the book and get it the hands of the people who want to read it.

Now, when I did it, I also built the software and tested it out. The reason I stopped was because of the money. It wasn't that I didn't have enough, but the money -- whichever money one had -- wasn't efficient enough. Transactions cost too much money, and innovative ideas like this used several transactions ... and often had to be unwound. People don't like losing money that way. So several of these ideas popped up and faded away (it seems). My guess is that the payments ate away at them like a cancer. Consider using credit card, and hitting the CC 6 months after the transaction... who's picking up the cost of mistakes there?

This site however solves the problem by just collecting pledges. So it is entirely a credit operation.

When is my credit card charged? If this project is fully funded on August 11, 01:00am EDT your credit card will be charged along with all the other backers of this project.

So my card is only charged if funding succeeds? Yes! That's part of what makes Kickstarter special. If a project isn't fully funded, no one pays anything.

And therefore likely works by assuming that pledges can disappear at the end of the day, but as long as a good percentage come through, the margins can make the rest work.

Our fee is 5%. Kickstarter collects 5% from the project creator if a project is successfully funded.

Why has it taken so long? Well, the money system is so damn inefficient over the net that everything else has to be very good. If we had efficient monies, we'd have done this 10 years ago, and another 1000 ideas as well. Big question then is, why is the money so damn inefficient? Well, you know the answer to that already, otherwise you wouldn't be here :)...

I like it when

BankerVision - Wed, 2010-06-30 04:46
I like it when I discover that people are trying to get their hands on the talent in my teams.
It is nice when they ask if I mind first, but even if they don't, I still like it.
It is far better to have a team that everyone wants than one no-one cares about.
Or even worse, one that no-one knows exists.

Rob Parenteau gets sectoral balances right

Interfluidity - Tue, 2010-06-29 16:44

Note: This post will only format decently in a browser window opened very wide. The equations will probably be garbled in an RSS reader.

First and foremost, I owe Rob Parenteau a big apology. Parenteau is the originator and first user of the clever term “Austerian”, which I erroneously attributed to Mark Thoma. Thoma never claimed parentage. I first encountered the term on his blog and a quick Google search turned up no antecedents, so I went with that. But Google does not index everything. I apologize for the error, and thank Marshall Auerbach who first pointed it out to me.

Parenteau’s contributions go far beyond a catchy neologism, however. I recommend his most recent post at Naked Capitalism, which is the best use of the “sectoral balances approach” to economic analysis that I have seen in the blogosphere.

The “sectoral balances approach” (frequently attributed to Wynne Godley) decomposes financial stocks and flows by virtue of a tautology. Every financial asset is also some entity’s liability. The sum of all financial positions is by definition zero. So we can write:

NET_WORLD_FINANCIAL_POSITION = 0 [0]

Suppose that, quite arbitrarily, we divide the world into a “foreign” and a “domestic” sector. Then we have:

NET_FOREIGN_FINANCIAL_POSITION + NET_DOMESTIC_FINANCIAL_POSITION = NET_WORLD_FINANCIAL_POSITION = 0 [1]

NET_FOREIGN_FINANCIAL_POSITION + NET_DOMESTIC_FINANCIAL_POSITION = 0 [2]

Suppose that, again arbitrarily, we decompose the domestic economy into a public and private sector:

NET_PRIVATE_DOMESTIC_FINANCIAL_POSITION + NET_PUBLIC_DOMESTIC_FINANCIAL_POSITION = NET_DOMESTIC_FINANCIAL_POSITION [3]

Substituting into our previous expression, we get

NET_FOREIGN_FINANCIAL_POSITION + NET_PRIVATE_DOMESTIC_FINANCIAL_POSITION + NET_PUBLIC_DOMESTIC_FINANCIAL_POSITION = 0 [4]

We can also write this in terms of changes or flows. Since the sum above must always be zero, it must be true that any changes in one sector are balanced by changes in another:

ΔNET_FOREIGN_FINANCIAL_POSITION + ΔNET_PRIVATE_DOMESTIC_FINANCIAL_POSITION + ΔNET_PUBLIC_DOMESTIC_FINANCIAL_POSITION = 0 [5]

Two of the flows in the equation above have conventional names, so we can rewrite:

CURRENT_ACCOUNT_DEFICIT + ΔNET_PRIVATE_DOMESTIC_FINANCIAL_POSITION + CONSOLIDATED_GOVERNMENT_SURPLUS = 0 [6]

Rearranging…

ΔNET_PRIVATE_DOMESTIC_FINANCIAL_POSITION = -CURRENT_ACCOUNT_DEFICIT + -CONSOLIDATED_GOVERNMENT_SURPLUS [7]

ΔNET_PRIVATE_DOMESTIC_FINANCIAL_POSITION = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT [8]

This decomposition has been quite prominent in the blogosphere. I first encountered it in conversation with the always excellent Winterspeak, and associate it with the “Modern Monetary Theorists” or “chartalists”. But it’s been used widely, very recently for example by Martin Wolf.

The usual argument goes something like this: In the aftermath of a terrible credit bubble, in most countries, the private sector is desperate to “delever”, or reduce its indebtedness, which is equivalent to increasing its net financial position. As a matter of pure arithmetic, equation 8 must always be in balance. If the private sector of a country is to force the left-hand term positive, the country must either run a current account surplus (e.g. by exporting more than it imports) or else its government must run a deficit. Some countries may “export their way” to financial health, but not all can, since every current account surplus must be matched by a deficit elsewhere. If we put “beggar thy neighbor” strategies aside and set the current account to zero, any improvement in the financial position of the private sector must be offset by a deficit of the public sector.

This is true by definition. Once the terms have been defined, there is nothing to argue about. If we want the financial position of the private sector to improve (defined as increasing total financial assets less liabilities), and we consider a country whose external account is in balance or deficit, then the public sector must run a deficit.

However, a thing can be true but still misleading. The catch is an assumption, that an increase in the net financial position of the private sector is a good thing, something that we should encourage or at least accommodate. This is where Parenteau is great. He decomposes the domestic private sector into a household and business sector:

Δ(NET_HOUSEHOLD_FINANCIAL_POSITION + NET_BUSINESS_FINANCIAL_POSITION) = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT [9]

ΔNET_HOUSEHOLD_FINANCIAL_POSITION + ΔNET_BUSINESS_FINANCIAL_POSITION = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT [10]

(Note that “business” here means any non-household private entity that could have a financial position. It would include, for example, non-profit organizations.)

Let’s try to come up with better names for ΔNET_HOUSEHOLD_FINANCIAL_POSITION and ΔNET_BUSINESS_FINANCIAL_POSITION.

ΔNET_HOUSEHOLD_FINANCIAL_POSITION is just net household financial income.

NET_BUSINESS_FINANCIAL_POSITION is, by definition, all business financial assets minus all business liabilities (including shareholder equity). On a business’ balance sheet, “all business liabilities (including shareholder equity)” is necessarily the same as “total business assets”. So we can write:

NET_BUSINESS_FINANCIAL_POSITION = BUSINESS_FINANCIAL_ASSETS – BUSINESS_FINANCIAL_LIABILITIES_AND_EQUITY [11]

NET_BUSINESS_FINANCIAL_POSITION = BUSINESS_FINANCIAL_ASSETS – TOTAL_BUSINESS_ASSETS [12]

NET_BUSINESS_FINANCIAL_POSITION = -(TOTAL_BUSINESS_ASSETS – BUSINESS_FINANCIAL_ASSETS) [13]

NET_BUSINESS_FINANCIAL_POSITION = -BUSINESS_NONFINANCIAL_ASSETS [14]

Now use our new definitions to rewrite equation [10]:

NET_HOUSEHOLD_FINANCIAL_INCOME + Δ(-BUSINESS_NONFINANCIAL_ASSETS) = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT [15]

NET_HOUSEHOLD_FINANCIAL_INCOME – ΔBUSINESS_NONFINANCIAL_ASSETS = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT [16]

NET_HOUSEHOLD_FINANCIAL_INCOME = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT + ΔBUSINESS_NONFINANCIAL_ASSETS [17]

Now we can tell what I think is a much more informative story. It is not the “private sector” whose financial position needs to improve. Businesses exist to increase the value of their liabilities to shareholders and creditors. They do not “delever” by reducing the sum of those liabilities. “Leverage” properly refers to the ratio between different sorts of liabilities, debt versus equity, not the total quantity of claims. In a good economy, the financial indebtedness of business entities will be increasing, as the value of their real assets grows! Growth in the “net private sector financial position” could come from an increase in household income (yay!) or a decrease in the value of real business assets (yuk!). We certainly shouldn’t make policy decisions based on promoting or accommodating such an ambiguous outcome. Instead, we should craft our policies to be consistent with what we actually want, which is household financial income. (Note that this analysis necessarily excludes nonfinancial income, such as unrealized gains or losses on the value of a home.)

Reviewing equation [17], there are three ways a nation can improve the financial positions of its household sector. It may (i) run a current account surplus, usually by exporting more than it imports; (ii) have the government run a deficit; or (iii) increase the value of business nonfinancial assets. Approach (i) can’t work for everyone, of course. Assuming external balance, it is obvious (at least to me) that approach (iii) is ideal. Parenteau, I think, agrees:

Remember the global savings glut you keep hearing about from Greenspan, Bernanke, Rajan, and other prominent neoliberals? Turns out it is a corporate savings glut. There is a glut of profits, and these profits are not being reinvested in tangible plant and equipment. Companies, ostensibly under the guise of maximizing shareholder value, would much rather pay their inside looters in management handsome bonuses, or pay out special dividends to their shareholders, or play casino games with all sorts of financial engineering thrown in to obfuscate the nature of their financial speculation, than fulfill the traditional roles of capitalist, which is to use profits as both a signal to invest in expanding the productive capital stock, as well as a source of financing the widening and upgrading of productive plant and equipment.

What we have here, in other words, is a failure of capitalists to act as capitalists. Into the breach, fiscal policy must step unless we wish to court the types of debt deflation dynamics we were flirting with between September 2008 and March 2009. So rather than marching to Austeria, we need to kill two birds with one stone, and set fiscal policy more explicitly to the task of incentivizing the reinvestment of profits in tangible capital equipment.

So what is the role of approach (ii), which stimulus proponents and MMT-ers frequently advocate? Note how Parenteau phrases things: because “capitalists [fail] to act as capitalists”, because businesses are not increasing the value of their nonfinancial assets, fiscal policy must be employed to avoid “debt deflation dynamics”. Here we reach the formal limits of the sectoral balance approach. This style of analysis gives us no insight into the dynamics or distribution of financial positions within any of the categories we have carved out.

Nevertheless, consider the following (counterfactual) thought experiment. Imagine that the NET_HOUSEHOLD_FINANCIAL_POSITION is negative, and that people go nuts in a harmful way when they are formally insolvent. Suppose also that the current account cannot be brought to surplus, and that businesses cannot expand the value of their nonfinancial assets in a short time frame. Under these conditions, by running a deficit, government could create financial income for households until their net financial position turns positive and people stop behaving like antisocial lunatics. In this scenario, fiscal policy does nothing to change the real asset position of the economy. But by shifting around financial assets and liabilities, government alters the behavior of agents in the economy in a manner that improves future performance, increasing overall wealth.

In real economies, people may well behave in ways that are harmful to the economy when their financial positions are very tenuous, although their actions are more likely caused by illiquidity than lunacy. But in real economies, some people have strong financial positions while others have weak financial positions, and the sort of intervention described above would be useless if the income created by a stimulus went primarily to households that were not financially stressed. Government funds spent purchasing goods and services from existing firms, or deficits created by income or payroll tax cuts, go first to people who are already employed, or who already have financial claims on businesses, and these may not be the most stressed groups. Designing a “good” stimulus where the object is to alter the character of real behavior by shifting financial variables is well beyond the scope of this post, but it would necessarily involve distributional questions and complex behavioral assumptions. If you target a stimulus to the deeply indebted, you may improve their behavior, but damage the behavior of others who feel aggrieved that prudence went unrewarded. If it was me, I’d make flat transfers unrelated to income or employment status, so that on the one hand the program seems “fair” — the prudent benefit along with the bankrupt — yet on the other hand it is guaranteed to improve the financial position of even the worst-situated households.

What about approach (iii)? What could cause an increase in the value of business nonfinancial assets, improving household financial positions? Fundamentally, there are two ways: Businesses could borrow or use their own cash to purchase real assets from the household and government sectors (holding the public sector deficit constant), or else the value of existing business nonfinancial assets can somehow be made to increase. Parenteau suggests policies that would push businesses to purchase real assets. But note that any sort of increase in the valuation of business nonfinancial assets, including intangible assets, would be sufficient to improve the household-sector financial balance. That would include events as insubstantial as a pure inflation, but also real improvements in business productivity. Again, looking beyond where sectoral balances can take us, distribution matters. If “debt deflation dynamics” occurs primarily through households whose weak financial positions include few claims on businesses, then increasing the value of business nonfinancial assets might not help very much.

p.s. Edward Harrison offered a response to Parenteau’s piece that is very much worth reading. In particular, he focuses on the quality of business investment, a topic about which sectoral balance decomposition can tell us very little. Mechanically, low quality investment should improve the valuation of business nonfinancial assets less than high quality investment, and should therefore exert a drag on household financial balances. Harrison uses an Austrian (though not Austerian!) perspective to suggest that stimulus may reduce the quality of business investing, implying a trade-off between approaches (ii) and (iii) above.

[MMT Note] Agree or disagree, the “MMTers” are among the most interesting and provocative thinkers in the economics blogosphere. In addition to Winterspeak, I’d include Bill Mitchell, Warren Mosler, Scott Fullwiler (who occasionally writes at Economic Perspectives from Kansas City), Marshall Auerbach, and perhaps Parenteau himself in this group. I agree with much but not all of what the MMTers have to say. I have learned profoundly much from disagreeing and squabbling with them. I do hope that Kartik Athreya will someday have the pleasure.

Update 2010-07-01, 6:40 am EDT: For reasons I do not understand (my big fat finger?), this post “disappeared” for a few hours. It reverted from “published” to “draft” in WordPress. The post is back, and the comments seem to be intact, but my apologies to all for the disappearance!

Categories: news I read

Zombies and Standards

BankerVision - Mon, 2010-06-28 05:36

A very clever man who worked at Microsoft once explained the problems with the Windows operating system to me like this:
General Electric make nuclear reactors and they make domestic kettles. What they don't do is use the same technology for each.
A kettle is not the same thing as a nuclear reactor, obviously, and clearly, trying to create a standard way of boiling water, no matter the application is folly.
But Microsoft have spent years forcing a figurative standard for water boiling on us, no matter the application, from gaming to high end servers.
And the result is that Windows is adequate, but not brilliant when you want to run home applications. And it is adequate, but not brilliant for business apps as well.
Microsoft is not the only company that's guilty of this attempt to standardise. All large companies do it, from banks (with their lowest-common denominator product sets), to retail (the same experience each time, no matter the customer).
Standardisation is a race to the bottom. Build the thing that suits the most people possible. Reap economies of scale. Deliberately design out anything interesting  to those at the edge of the curve. 
We are wedded to standardisation in big organisations because it makes it feel like we're in control. The thing is, we're not in control. In fact, we're in less control the more standardised we get.
The more standardised you make something, the more you force those who don't fit the lowest-common-denominator profile to go outside the standard. They are forced to do so because they are creative, or high achievers, or want to make a difference. Standardisation is an attempt to make them mediocre, and they won't put up with it.
The tighter you lock something down, the greater the chance you'll force a break with the standard. The more you standardise, the narrower the band of people who are perfectly satisfied. People who aren't satisfied often take matters into their own hands.  You're less in charge as a result.
The only time standardisation really works is when you have either a zombie customer base or a zombie workforce. If it is your highest goal to achieve either, good luck to you, and have all the standardisation you want. 
But if you want to innovate, delight customers, and have happy employees, find a way for them to break the standard with safety and surety. Most people aren't zombies, and when they're given a choice to not be one, they'll usually take it.
That's why Apple is now a bigger company than Microsoft, by the way. 

Categories: news I read

Places to MITM

ha.ckers - Fri, 2010-06-25 20:54

40 posts remaining…

Just a quick thought for a Friday afternoon. For a while I did informal questionnaires to friends and family and people in general who aren’t hardcore security people about what they type in when they’re going to their bank. The following are the kinds of answers I’d get:

  • “I type in www.bank.com.”
  • “I type ‘bank’ and hit ctrl-enter”
  • “I type in http://www.bank.com”
  • “I type in bank.com and hit enter”

But almost never (twice out of dozens of people) I’d hear someone say, “I type in https://www.bank.com” with the “s”. So let’s just for a second think about all the problems with these. Let’s take “bank.com” as an example.

  • User types bank.com, which, depending on the browser, is being sent on the wire as they type over HTTP for auto-complete
  • The browser corrects the URL to be http://bank.com/ and makes a DNS request for “bank.com”
  • The DNS server responds with an IP address
  • The user makes a request to bank.com’s IP address over HTTP
  • bank.com responds in unencrypted HTTP to the user’s browser and informs them that they should be speaking with www.bank.com, and redirects them there via a 301 or 302 redirect
  • User’s browser makes another DNS request for www.bank.com
  • DNS server responds with www.bank.com’s IP address
  • Browser makes an HTTP connection to www.bank.com
  • www.bank.com realizes that the user is connecting via HTTP and uses another redirect to send the user to https://www.bank.com (or often has a link on the page, asking the user to click it to log in which will take the user to HTTPS)
  • User’s browser re-connects to port 443 and begins negotiating - and at this point is encrypted (hopefully using strong crypto and there are no other issues…)

There’s a lot of places there that an attacker can get in the middle and mess things up. And sadly, this isn’t even close to everything wrong in real life. So while HTTPS is a good idea, in practice how people tend to get there is pretty flawed. The promise of STS, HTTPS everywhere and some of the settings within NoScript and so on… was to take that out of the user’s hands. Not that these aren’t all good ideas, but there are usability issues, and require that the user be somewhat informed of the issues in most cases - which they don’t tend to be.
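The chain listed above can be audited mechanically. The following is an added example, not code from the original post: it replays the post's bank.com navigation against a constructed redirect table, records every DNS lookup and request, and shows which cleartext HTTP hops remain once the browser already holds an STS policy. The function names, the table and the simplified policy model (host mapped to an includeSubDomains flag) are assumptions.

```python
from urllib.parse import urlsplit

# Constructed redirect table mirroring the chain in the post (bank.com is the post's example).
RESPONSES = {
    "http://bank.com/": (301, "http://www.bank.com/"),
    "http://www.bank.com/": (302, "https://www.bank.com/"),
    "https://bank.com/": (301, "https://www.bank.com/"),
    "https://www.bank.com/": (200, None),
}

def normalize(typed):
    """Browsers default to http:// when the user types no scheme."""
    url = typed if "://" in typed else "http://" + typed
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}{parts.path or '/'}"

def hsts_applies(host, hsts_hosts):
    """hsts_hosts maps a host to its includeSubDomains flag (assumed already known)."""
    labels = host.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in hsts_hosts and (i == 0 or hsts_hosts[parent]):
            return True
    return False

def trace(typed, responses=RESPONSES, hsts_hosts=None, max_hops=10):
    """Return the hops as (kind, target, cleartext) tuples, in the order they hit the wire."""
    hsts_hosts = hsts_hosts or {}
    url, hops, resolved = normalize(typed), [], set()
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme == "http" and hsts_applies(parts.hostname, hsts_hosts):
            url = "https" + url[4:]  # internal upgrade: no HTTP request is sent
            parts = urlsplit(url)
        if parts.hostname not in resolved:
            resolved.add(parts.hostname)
            hops.append(("dns", parts.hostname, True))  # classic DNS assumed
        hops.append((parts.scheme, url, parts.scheme == "http"))
        location = responses[url][1]
        if location is None:
            return hops
        url = location
    raise RuntimeError("redirect loop")

def cleartext_http(hops):
    """URLs that were requested over plain HTTP and could be rewritten in transit."""
    return [target for kind, target, _ in hops if kind == "http"]
```

A policy known only for www.bank.com still leaves the first request to bank.com in cleartext; only a policy on bank.com with includeSubDomains removes both HTTP hops, and the DNS lookups stay on the wire either way.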

gold coin under the hammer

Financial Cryptography - Fri, 2010-06-25 01:37
One for the gold crowd: Today one of 5 massive 100kg gold coins goes under the hammer in Vienna: The largest gold coin in the world — measuring 53 centimetres (21 inches) in diameter and weighing 100 kilograms (220 pounds) — will go on sale on June 25 in Vienna, auction house Dorotheum said on Friday. The Maple Leaf coin, which is listed in the Guinness Book of World Records and carries a face value of one million Canadian dollars (800,000 euros, 970,000 dollars), was minted in Canada in 2007. The auction price is expected to comfortably exceed the face value due to the current high price of gold. If melted down, the gold would be worth around 3.9 million dollars (3.2 million euros). One side of the coin carries the image of Queen Elizabeth II, the official head of state of Canada, while the other side bears three maple leafs, the national symbol. The coin was owned by Austrian investment firm AvW, which entered bankruptcy proceedings in May....