news I read

Issues with Perspectives

ha.ckers - Thu, 2010-09-02 01:12

24 posts left…

When I told one of my guys about the double DNS rebinding attack, he said, “Well it’s a good thing I use perspectives.” So that was my clue that I had better get familiar with the plugin if people are seriously relying on it for security. In the process we found a number of potential issues. For those of you who aren’t super clued in about this tool it was originally designed to handle situations where governments are tapping people using things like Packet Forensics where a valid certificate authority is being used to man in the middle someone or a group of individuals.

First of all it’s easy to detect perspectives for a man in the middle. Perspectives sends a lot of HTTP traffic, which the attacker can easily read and figure out is related to perspectives. That may not seem important, because if an attacker knows that a user has it installed what can they really do? We’ll come back to this.

Embedded content is not verified by perspectives, only the parent window. Because most websites (even HTTPS) use third party service providers, caching servers or whatever for static content, the attacker will simply MitM the “static” servers serving up CSS, JavaScript or objects that are dynamic content once rendered. By modifying the response and including active content, anything that can be seen by the DOM is still accessible to the man in the middle. Kinda defeats the purpose of perspectives…

Using the fact that an attacker knows that someone is using perspectives (which they can determine by forcing someone through an SSL/TLS link), the attacker can simply MITM only the embedded content. Of course there are changes a user can make to the settings and options to reduce this risk, but like all options, they’re probably not changed often and the defaults really aren’t good.

Lastly, I tried perspectives against the double DNS rebinding issue, and unfortunately instead of the huge pop-down that would actually alert someone to the problem, because the attack uses a valid cert from a nearby sub-domain that perspectives has probably seen before it only gives the small warning that most people probably wouldn’t notice unless they were really paying attention.
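The embedded-content gap described above is easy to size up for a given page: every script, stylesheet, frame or object pulled from a host other than the page's own is a place where a notary-style check on the top-level certificate gives no coverage. The script below is an added example (not code from the ha.ckers post or from the Perspectives project) that inventories those sub-resources from an HTML document and flags active content served third-party or over plain HTTP. The sample page and the `example.com` / `example-cdn.net` hostnames are constructed for the demonstration.

```python
"""Inventory the sub-resources an HTTPS page loads, grouped by origin and risk.

Added example: lists what a certificate check on the parent window alone
does not cover (third-party or plaintext scripts, styles, frames, objects).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that carries the loadable resource for each tag we care about.
_SRC_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "frame": "src",
    "embed": "src", "object": "data", "link": "href",
}
# Tags whose content can run or restyle the page (the ones an injected
# response could turn into script execution in the parent's DOM).
_ACTIVE_TAGS = {"script", "link", "iframe", "frame", "object", "embed"}


class _SubresourceParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are "active"; icons, prefetch hints etc. are skipped.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        attr = _SRC_ATTRS.get(tag)
        if attr and attrs.get(attr):
            # urljoin resolves relative and scheme-relative (//host/...) references.
            self.found.append((tag, urljoin(self.page_url, attrs[attr])))


def active_subresources(page_url, html):
    """Return one dict per loaded sub-resource with third_party/plaintext/active flags."""
    parser = _SubresourceParser(page_url)
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    result = []
    for tag, url in parser.found:
        parts = urlsplit(url)
        result.append({
            "tag": tag,
            "url": url,
            "third_party": parts.hostname != page_host,
            "plaintext": parts.scheme == "http",
            "active": tag in _ACTIVE_TAGS,
        })
    return result


def risky_subresources(page_url, html):
    """Active content that a parent-window-only certificate check does not cover."""
    return [r for r in active_subresources(page_url, html)
            if r["active"] and (r["third_party"] or r["plaintext"])]


# Constructed sample page (hostnames are placeholders, not real sites).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://static.example-cdn.net/site.css">
<script src="/js/app.js"></script>
<script src="//cdn.example-cdn.net/lib.js"></script>
<link rel="icon" href="/favicon.ico">
</head><body>
<img src="https://images.example-cdn.net/logo.png">
<iframe src="http://widgets.example-partner.com/box"></iframe>
</body></html>"""

if __name__ == "__main__":
    for r in risky_subresources("https://www.example.com/login", SAMPLE_PAGE):
        flags = [f for f in ("third_party", "plaintext") if r[f]]
        print(f"{r['tag']:7} {r['url']}  ({', '.join(flags)})")
```

Run against a real page's HTML (fetched separately) the list shows which hosts would need the same level of certificate scrutiny as the parent; a same-origin script over HTTPS is not listed, an image from a CDN is reported but not flagged as active.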

Prior Knowledge Of User’s Cert Warning Behavior

ha.ckers - Thu, 2010-09-02 00:57

25 posts left…

One of the issues Josh and I talked about at Blackhat was how the SSL certificate warning message can be used to gain information about a user’s behavior and how that can be used against the user. Let’s say a man in the middle causes an error via proxying a well-known owner/subsidiary. For example let’s say https://www.youtube.com/ which most technical people know belongs to Google and which, incidentally causes SSL/TLS mismatch errors because it’s mis-configured. Experts who see such an error and investigate will think it’s just a dumb (innocent) error. Non-experts will click through immediately, because they always do when they see such things.

By measuring the wait time the attacker can know which type of user the victim is - a technical one, or a novice. If the user is a novice the attacker knows they don’t have to worry anymore - they can deliver their snake oil cert later if the user goes through it “quickly” because that user’s behavior will most likely stay the same. Of course figuring out the timing might be a bit tricky because really new users will be awfully confused by cert warnings and will seem “slow” I’d bet. Anyway, something to investigate further.

IE Cookies

ha.ckers - Fri, 2010-08-27 21:52

26 posts left…

The fact that IE8 doesn’t delete cookies upon telling it to (at least in my testing) until browser shut-down isn’t just bad for usability (and ho boy is it annoying when you’re testing) but it has other interesting privacy implications. Generally I tell people not to set the same cookie more than once. That makes it harder to use old XMLHTTPRequest bugs to download the cookie (which may otherwise be protected using HTTPOnly). But what if the cookie weren’t sensitive, but rather used for tracking?

If a site sets a unique cookie and the user clears cookies in IE8, that doesn’t mean that IE8 doesn’t keep sending the cookie (it’s retained in memory) - which means the site still gets it. If the site is trying to track the user they can simply keep setting the exact same HTTP cookie with an “expires” in the future to make it persist after the browser closes and voila! Even though the user thinks they cleaned their cookies, not for a moment was the cookie removed in IE8. Could be useful for banner advertisers or companies that need to do large scale tracking of users.

What would the auditor say to this?

Financial Cryptography - Tue, 2010-08-24 10:53
Iran's Bushehr nuclear power plant in Bushehr Port: An error is seen on a computer screen of Bushehr nuclear power plant's map in the Bushehr Port on the Persian Gulf, 1,000 kms south of Tehran, Iran on February 25, 2009. Iranian officials said the long-awaited power plant was expected to become operational last fall but its construction was plagued by several setbacks, including difficulties in procuring its remaining equipment and the necessary uranium fuel. (UPI Photo/Mohammad Kheirkhah) Click onwards for full sized image:...

MitM DNS Rebinding SSL/TLS Wildcards and XSS

ha.ckers - Sun, 2010-08-22 21:48

27 posts left…

This was one of the more complex issues Josh Sokol and I talked about during our presentation at Blackhat. Let’s say there’s an SSL/TLS protected website (addons.mozilla.org) that an attacker knows that the victim is using. The attacker is a MitM but let’s say that addons.mozilla.org has no security flaws in it whatsoever. Let’s also say that there’s another subdomain called mxr.mozilla.org that has the following attributes: It has no important information on it (otherwise the attacker would be content with attacking it instead), it’s vulnerable to XSS, it doesn’t care about host headers and uses a wildcard cert for *.mozilla.org. How can an attacker use that to their advantage?

The victim requests the IP for addons.mozilla.org for which the attacker modifies the responding DNS TTL to 1 sec (and all subsequent DNS traffic to that domain). The victim logs into addons.mozilla.org (gets cookie). Doing login detection can help determine that the user is authenticated but it’s important that the attack doesn’t start before this, otherwise the attack will fail.

The attacker firewalls off the IP to addons.mozilla.org and forces the user to the XSS URL at:
https://addons.mozilla.org/mozilla-central/ident?i=a%20onmouseover%3Dalert(’XSS’)%20a (notice that the hostname is wrong as it should be mxr.mozilla.org because that is where the XSS lives). Note that this WAS a real XSS in mxr, but has been fixed, and to make it work it would require the user to mouse over it, so you’d have to do some clickjacking or something, but let’s just pretend that all wasn’t a problem, and/or that there was an easier XSS.

The victim requests the IP for addons.mozilla.org again but this time the attacker responds to the DNS request (with 1 second TTL) with the IP address of mxr.mozilla.org (not addons). The user connects to the mxr.mozilla.org IP address sending the wrong host header - the reason this works is because the wildcard SSL/TLS cert allows for any domain and the mxr.mozilla.org website doesn’t care about host headers. The victim runs the XSS in context of addons.mozilla.org even though they’re on the mxr.mozilla.org IP. That sounds bad (maybe useful for phishing) but there’s worse the attacker can do.

The attacker can give up if addons.mozilla.org doesn’t use HTTPOnly cookies because the attacker can just steal the cookie from JavaScript space. But let’s assume that addons has no flaws in it, including how it sets cookies. In that case the attacker just rebinds again. For lack of a better term we called this “double DNS rebinding.”

The attacker firewalls off the IP for mxr.mozilla.org and un-firewalls the addons.mozilla.org IP. The victim’s browser re-binds and requests DNS for addons.mozilla.org again. The attacker delivers the IP for addons.mozilla.org. The victim’s cookie is sent to addons.mozilla.org and the JavaScript is now in context of addons.mozilla.org. The victim runs BeEf shell back to attacker, which allows the attacker to see the contents of the user’s account and interact as if they were the user.

We talked with a few people in various places about how likely this is, and although it worked on one of the two sites we checked we think the likelihood that it will work on SSL/TLS enabled sites is pretty low. It has to be wildcard, has to have HTTP Response splitting/XSS, etc… and has to ignore the host header. We guesstimate that it’s probably between 2-4% of SSL/TLS protected sites that would be affected by this, although, in reality there’s not a lot of risk here because this has a lot of moving parts - there are certainly easier exploits out there. But the interesting part is this is yet another reason that all sub domains should be considered in scope when you’re talking about something sensitive sitting behind authentication beyond just breaking in and stealing the cert outright.

Incidentally when I told the Mozilla guys about this, they said, “Why would we have checked for XSS in mxr? There’s nothing important on there… It’s all public information.” followed by, “Well, it’ll be fun checking for XSS on all our sub domains now.” That’s a good idea anyway for phishing, but checking for host headers is an easier short-cut in the short term. I wouldn’t worry about this attack, because it’s unlikely, but it was interesting coming up with the use case.
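The short-cut the post closes on, checking the Host header, removes the step the whole chain depends on: a request that reaches the mxr host carrying `Host: addons...` must be refused rather than served. The following is an added example (not code from the ha.ckers post or from Mozilla) of that check as a small WSGI middleware in Python; the hostnames `mxr.example.org` and `addons.example.org` are placeholders standing in for the sibling hosts discussed above. The same rule is expressed in web-server configuration by making the default virtual host return an error instead of falling through to a real site.

```python
"""Strict Host-header validation as WSGI middleware (added example).

A request whose Host header does not name this site exactly gets a 400
instead of being served, so a wildcard certificate plus a rebinding trick
cannot make one sibling host answer in another sibling's name.
"""


def host_allowed(host_header, allowed_hosts):
    """True only if Host (minus an optional :port) exactly matches an allowed name.

    Matching is exact, not suffix-based: 'mxr.example.org.evil' must not pass.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal: keep the brackets, drop any port after them.
        host = host.split("]")[0] + "]"
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host in allowed_hosts


class StrictHostMiddleware:
    """Wrap any WSGI app so that only allow-listed Host values reach it."""

    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST"), self.allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Invalid Host header\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real site behind the check (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served for " + environ["HTTP_HOST"].encode()]


# Hypothetical deployment: this instance only ever answers as mxr.example.org.
app = StrictHostMiddleware(demo_app, ["mxr.example.org"])


def call(wsgi_app, host):
    """Drive a WSGI app with a minimal environ; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": "https"}
    if host is not None:
        environ["HTTP_HOST"] = host
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for h in ["mxr.example.org", "MXR.example.org:443", "addons.example.org", None]:
        print(repr(h), "->", call(app, h)[0])
```

The allow-list is the set of names the certificate and DNS legitimately point at this host, not every name the wildcard certificate would cover; that difference is exactly what the attack relies on.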

Using Cookies For Selective DoS and State Detection

ha.ckers - Sun, 2010-08-22 17:03

28 posts left….

This is a continuation of the first post where we described how you can use cookies to DoS certain portions of the website. After our speech one of the Mozilla guys came up to us and described another attack that arises from this. Let’s say when a user logs in it sets a cookie that is 200 bytes long, and when they log out it re-sets the same cookie to 50 bytes. Well if the attacker can set a cookie with a particular path to a single image on the site, for instance, they can use JavaScript to check with an onerror event handler to see if the image has loaded.

By combining the over-long cookie (minus 50 bytes) a logged in state will cause the image to fail to load, whereas a logged out state will allow the image to load just fine. In this way an attacker can tell cookie states as long as the cookies are variable width and there aren’t other cookies muddying the waters. Interesting attack, I thought!

Using Cookies For Selective DoS

ha.ckers - Sun, 2010-08-22 16:59

29 posts left…

One of the things Josh Sokol and I talked about in our presentation at Blackhat was a way to use over-sized cookies to cause a DoS on the site. The web server sees the overlong cookie and stops the request from completing. This is not new and has certainly been discussed before. However, one thing that wasn’t discussed is that using the path an attacker can selectively cause the website to stop displaying portions of the site. For instance, if the attacker wants to shut down /javascript/ or /logout.aspx or /reportabuse.aspx or whatever, they can by setting an overly-long cookie for that particular path.

Setting cookies on the target sub domain would require something like header injection/Response splitting, XSS, or a MitM attack. It should be noted though that it doesn’t have to be on the target sub domain - it can be an exploit in another sub domain because cookies don’t follow the same origin policy if the cookie is scoped to the parent domain. In this way an attacker could turn off Clickjacking prevention code (deframing scripts), or turn off other client side protections or parts of the site that are bad from an attacker’s perspective. The only real solution to this is for all browsers to start making the absolute maximum size of cookies smaller than the smallest that web servers will allow (Apache was smaller than IIS by default for instance).
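Both of the cookie posts above rest on two facts: a cookie scoped to the parent domain is sent to every sibling host, and a cookie's Path decides which URLs receive it, so the request-header budget can be exhausted for one path only. The script below is an added example (not code from the ha.ckers posts) that uses Python's standard cookie jar to reproduce that scoping offline and to report which paths on a site would receive a Cookie header larger than the server's per-field limit. It assumes `www.example.com` and `sibling.example.com` as placeholder hosts, Apache's documented default `LimitRequestFieldSize` of 8190 bytes as the server limit, and the 4096-byte per-cookie minimum from RFC 6265 as what a browser will store; adjust both constants to the servers and browsers you actually run.

```python
"""Domain-scoped, path-scoped cookies versus the server's header-size limit (added example)."""
import email.message
import http.cookiejar
import urllib.request

SERVER_FIELD_LIMIT = 8190   # Apache's documented default LimitRequestFieldSize (assumption; check your config)
BROWSER_COOKIE_MAX = 4096   # RFC 6265 minimum per-cookie size a browser must accept (assumption)


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies (offline)."""

    def __init__(self, headers):
        self._msg = email.message.Message()
        for name, value in headers:
            self._msg[name] = value

    def info(self):
        return self._msg


def simulate_set_cookie(jar, setter_url, set_cookie_value):
    """Store a cookie as if `setter_url` had responded with this Set-Cookie header."""
    req = urllib.request.Request(setter_url)
    jar.extract_cookies(_FakeResponse([("Set-Cookie", set_cookie_value)]), req)


def cookie_header_for(jar, url):
    """The Cookie header value the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie") or ""


def header_line_size(jar, url):
    """Size in bytes of the full 'Cookie: ...' request header line for `url`."""
    return len("Cookie: " + cookie_header_for(jar, url))


def paths_over_budget(jar, base, paths, field_limit=SERVER_FIELD_LIMIT):
    """Paths on `base` whose Cookie header would exceed the server's field limit."""
    return [p for p in paths if header_line_size(jar, base + p) > field_limit]


def build_demo_jar():
    """Constructed scenario: a sibling host sets two max-size cookies for /logout only."""
    jar = http.cookiejar.CookieJar()
    for name in ("pad1", "pad2"):
        simulate_set_cookie(
            jar,
            "https://sibling.example.com/",          # set from a sibling host, not the target
            f"{name}={'A' * BROWSER_COOKIE_MAX}; Domain=.example.com; Path=/logout",
        )
    return jar


if __name__ == "__main__":
    jar = build_demo_jar()
    for path in ["/", "/logout", "/js/app.js"]:
        print(f"{path:12} Cookie header line: {header_line_size(jar, 'https://www.example.com' + path)} bytes")
    print("over budget:", paths_over_budget(jar, "https://www.example.com", ["/", "/logout", "/js/app.js"]))
```

Two cookies the browser is obliged to keep already add up to more than Apache's default field limit for the one path they are scoped to, while every other path is untouched; that arithmetic is the size mismatch the post identifies, and the report is a way to check what your own limits allow before relying on them.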

Monday at the Treasury: an overlong exegesis

Interfluidity - Sun, 2010-08-22 07:12

Last Monday, I had the privilege to meet up with a bunch of bloggers and Treasury officials for what might be described as a “rap session”. The meeting was less formal than a previous meeting. There were no presentations, and no obvious agenda. Refugees from the blogosphere included Tyler Cowen, Phil Davis, John Lounsbury, Mike Konczal, Yves Smith, Alex Tabarrok, and myself. Our hosts at Treasury were Lewis Alexander, Michael Barr, Timothy Geithner, Matthew Kabaker, Mary John Miller, and Jake Siewart. You will find better write-ups of the affair elsewhere [Konczal, Lounsbury (also here), Smith, Tabarrok]. Treasury held another meeting, with a different set of bloggers, on Wednesday.

It is bizarro world for me to go to these things. First, let me confess right from the start, I had a great time. I pose as an outsider and a crank. But when summoned to the court, this jester puts on his bells. I am very, very angry at Treasury, and the administration it serves. But put me at a table with smart, articulate people who are willing to argue but who are otherwise pleasant towards me, and I will like them. One or two of the “senior Treasury officials” had the grace to be a bit creepy in their demeanor. But, cruelly, the rest were lively, thoughtful, and willing to engage as though we were equals. Occasionally, under attack, they expressed hints of frustration in their body language — the indignation of hardworking people unjustly accused. But they kept on in good spirits until their time was up. I like these people, and that renders me untrustworthy. Abstractly, I think some of them should be replaced and perhaps disgraced. But having chatted so cordially, I’m far less likely to take up pitchforks against them. Drawn to the Secretary’s conference room by curiosity, vanity, ambition, and conceit, I’ve been neutered a bit. There’s an irony to that, because some of the people I met with may have been neutered, in precisely the same way and to disastrous effect, by their own meetings and mentorings with the Robert Rubins and Jamie Dimons of the world.

Obviously the headline act was Timothy Geithner. Off the record (or “on deep background”), Geithner is entirely different from the sometimes stiff character who appears on television. He is fun to argue with, very smart, good natured, and intellectually wily. As Yves Smith quipped afterwards, Geithner “gives good meeting.”

Despite that, our seminar was an adversarial affair. We began by relitigating financial reform. Officials began by talking up the buzz of activity occasioned at Treasury by the Dodd-Frank Act — putting together the Financial Stability Oversight Council, “standing up” the CFPB — with the happy implication that good and important things were happening. We peppered them with skeptical questions. Mike Konczal asked what sort of metrics they would use to judge the success of the bill. (That’s a hard problem, they said.) It’s well and good that folks at Treasury are made busy by the Act, but is it having any effect on the behavior of banks? (There’s been some movement on overdraft protection, and banks are raising capital.) As Alex Tabarrok has already reported, Tyler Cowen asked the excellent question of how the Act has changed regulators’ incentives, of why we should believe that regulators won’t intervene next time as they did this time, bailing out bankers and creditors at the expense of taxpayers. Resolution authority was their answer. Regulators’ incentives were fine the first time around, but they simply didn’t have the tools they needed to take the appropriate actions, to chart a middle course between generous bailouts and catastrophic unwinds. I’m very skeptical of that account.

I was pleased that, thanks to both Tyler Cowen and Yves Smith, we had a solid discussion of derivative clearinghouses. I am a big fan of standardized derivative exchanges and clearinghouses, and trade on them frequently. But I’m very fearful of the degree to which we will rely upon them under the new regime. Like a gas under pressure, the financial sector pushes and prods for places where high returns can be earned at someone else’s risk. During the last cycle, that included banks, shadow banks, and the GSEs, which earned profit on huge asset portfolios cheaply levered by virtue of perceived state guarantees (that were ultimately ratified). In theory, financial reform will firm up those weak spots, reducing permissible leverage and increasing its cost as resolution authority makes non-bailout of creditors credible. Suppose that actually happens. Then clearinghouses will stand out as institutions that are much too big to fail, and whose ultimate creditors (derivative traders) do not and cannot monitor creditworthiness. Clearinghouses are cleverly structured, so that the “members” through which clients trade are exposed to one another’s losses and do monitor each other’s financial health. But it is easy to imagine scenarios where it is in all members’ interest to allow a product to be undermargined. Regulated, highly leveraged financial institutions rationally accept “negative skewness“, arrangements that are profitable for them almost all of the time, but that fail catastrophically when something breaks. During long periods of stable profitability, an institution builds a track record to persuade regulators that risks are minimal and capably managed. The institution is permitted to take ever greater risks, and distribute ever greater profits to investors, while times are good. When, eventually, a catastrophic failure occurs, losses exceed the capital of the firm and are shifted elsewhere, usually to taxpayers. 
An undercapitalized and undermargined clearinghouse is a great vehicle for this sort of game, as low margins attract fee income from speculative trading, and members can trade on their own exchanges as a means of acquiring the cheap leverage that regulation might otherwise prevent. I’ve skimmed the relevant section of Dodd-Frank, and as far as I can tell, the hard and fast rules governing “derivatives clearing organizations” are very weak. We will be depending upon the discretion of regulators.

Gap risk and liquidity risk are kryptonite to clearinghouses. Yves Smith pointed out that clearing credit default swaps in particular could prove very challenging. These contracts sometimes “jump to default”, creating large losses very quickly for the protection sellers. If a clearinghouse were to insist on margins large enough to cover sudden jumps to default, the contracts would probably become unattractive to investors. If it does not, then a systemic shock that impairs many credits simultaneously could take down the clearinghouse.

Treasury officials had clearly thought about these issues. They pointed out, correctly, that despite formally concentrating risk, clearinghouses are better than bilateral trades, because in practice derivative markets engender systemic, not just bilateral, risk anyway and at least with a clearinghouse one can track, manage, and regulate that. Ultimately, their answer was that once we put this extra transparency in place, we just have to trust regulators to regulate well. In response to Yves’ skepticism of clearing CDS, one official suggested that regulators will insist on adequate margins, and if that renders some products uneconomical then so be it. I’ll believe that when I see it.

A disappointing moment in the conversation on financial regulation was when several officials suggested that increased capital requirements in and of themselves would do much of the work of solving bank incentive problems. I hope they were just trying to snow us with this, because if they believe it, it suggests that they haven’t thought very carefully about how well aligned the incentives of equityholders, bank managers, and traders are at highly levered institutions. All three groups benefit by putting creditors’ resources at risk and earning outsize profit against limited costs (loss of equity value or loss of a job). Under the new regulation, our “strong” capital requirements will probably permit banks to be levered at least 15 times poorly measured common equity. That’s not nearly enough to tilt shareholder incentives decisively towards capital preservation. Shareholders would have to work very hard to oppose the interests of managers and traders. One official wondered aloud why bondholders failed to discipline banks, in order to prevent this sort of misbehavior. I’ll leave that one dangling as an exercise for readers.

The conversation next turned to housing and HAMP. On HAMP, officials were surprisingly candid. The program has gotten a lot of bad press in terms of its Kafka-esque qualification process and its limited success in generating mortgage modifications under which families become able and willing to pay their debt. Officials pointed out that what may have been an agonizing process for individuals was a useful palliative for the system as a whole. Even if most HAMP applicants ultimately default, the program prevented an outbreak of foreclosures exactly when the system could have handled it least. There were murmurs among the bloggers of “extend and pretend”, but I don’t think that’s quite right. This was extend-and-don’t-even-bother-to-pretend. The program was successful in the sense that it kept the patient alive until it had begun to heal. And the patient of this metaphor was not a struggling homeowner, but the financial system, a.k.a. the banks. Policymakers openly judged HAMP to be a qualified success because it helped banks muddle through what might have been a fatal shock. I believe these policymakers conflate, in full sincerity, incumbent financial institutions with “the system”, “the economy”, and “ordinary Americans”. Treasury officials are not cruel people. I’m sure they would have preferred if the program had worked out better for homeowners as well. But they have larger concerns, and from their perspective, HAMP has helped to address those.

Phil Davis, who made clear that his remarks were from the perspective of bank investors, thought Treasury was doing far too little to defuse the housing problem. He pointed out that even if the financial reform bill is beautifully crafted, its full implementation will take up to three years, during which the banking system will remain in peril, largely because of tenuous mortgages. He suggested that Treasury help pay down the mortgages of struggling homeowners until the remaining loan was solid. In exchange, Treasury would retain an equity claim on the home, from which in a good scenario taxpayers might be able to recover much of the cost of the program when the houses are eventually sold. A senior Treasury official gave the proposal a sympathetic hearing, but opined that exchanging a government claim against a homeowner for a bank’s claim against a homeowner in order to solidify bank balance sheets was not the best use of limited budgetary and policy implementation capacity. (For a change, I agreed with the Treasury official on this one.)

From HAMP, we segued briefly to a discussion of the GSEs. I got excited when one Treasury official explained that his inclinations were “minimalist”. I imagined winding down the GSEs, eliminating the mortgage interest rate deduction, cutting away the vast web of pernicious subsidies to home-lendership. My hopes were quickly deflated. By “minimalist”, the official meant parsimonious in terms of changes to the existing system. In a nutshell, he proposed insisting, by regulatory fiat, that future GSEs’ borrowing costs be kept at a level appropriate to a private firm with no Federal backstop, implicit or otherwise. He thought there would be a continuing role for some kind of government guarantees of mortgages, but suggested this guarantee could be made more limited. (I think the idea would be to put private players — the Re-GSEs or originating banks — on the hook for a first loss.) In the spirit of Tyler’s question about regulatory incentives, I thought this proposal entirely naive. Over time, regulators would not succeed at forcing a substantial above-market spread on politically powerful private actors. (Well, private with respect to the upside, not if the downside, of their activities.) Further, the suggestion reflects an inadequate view of how creditors limit firm risk-taking. In the private sector, creditors do not only charge a higher spread for risk, but they participate in governing firms and constrain behavior directly via bond covenants. The name for bond covenants when imposed by a public sector creditor is “regulation”. Ultimately, this “minimalist” approach to managing the GSEs amounts to nothing more or less than keeping the existing system and proposing that it be better regulated, including specific regulatory suggestions that are foreseeably unlikely to withstand industry pressure. No offense to its very smart proponent, but this was a non-idea dressed up as reform.

I did express my skepticism to Mr. Minimalist. Unlike some of his colleagues, he was smart enough, or honest enough, to acknowledge that even with stronger capital ratios, it is naive to rely on the private capital structure of large, complex financial firms to enforce good behavior. So what is to be done, if not to regulate them as best we can? Almost as an aside, he noted that some people thought we should limit “size”, but that he couldn’t see how that would get at the problem, and had rejected the approach. Had there been time, I would have been glad to school him. “Size”, of course, stands in for and trivializes the notion of structural rather than supervisory regulation, an approach that many of us pushed desperately, only to be met by a wall of dismissal from Treasury and Congressional leaders. [*]

Perhaps Treasury officials really can’t see how limiting “size” might help. But I don’t think that’s right. These are very, very smart people. I think they understand the merits of the structural approach to financial regulation, but view the transition costs as simply too large to bear. But that begs the question of costs to whom, and whether (per the HAMP conversation above) it is wise to conflate the health of status quo financial institutions with the welfare of the economy as a whole.

Finally, our conversation turned to the current macroeconomic doldrums. Thankfully, there was none of the “let’s look on the bright side” chipperness of Timothy Geithner’s recent New York Times op-ed. Treasury officials didn’t downplay how bad things are. They did point out that considering the headwinds the economy faces, things are a bit better than they might be. The account went roughly like this: Last year, after the doldrums of March, the economy grew faster and performed better than most would have forecast. But recently it encountered two obstacles, one expected, the other an unexpected near cataclysm. The spurt of GDP growth due to post-panic inventory restocking was always going to end. But a sovereign debt crisis in Europe strong enough to shake confidence and financial markets in the US was not expected. Taking all that into account, things are a bit better than they might have been. One Treasury official pointed out that if we could return to the path of consensus growth forecasts from just before the troubles in Europe, we would have two or three difficult years ahead of us yet, but would be on a decent path. I took this as a kind of optimistic but plausible thought experiment on where we might be going.

I’m not going to belabor the obvious critique of this account, that it focuses too much on statistical growth and financial market performance and too little on employment (which, in the optimistic thought experiment, would follow statistical growth with a lag). Also, if we are enumerating headwinds to current GDP growth, I would have included the tailing off of Federal stimulus, a factor I don’t recall officials emphasizing.

I was impressed that Treasury officials had a pretty good understanding of the impediments to growth going forward. They understood that the core problem preventing business expansion isn’t access to capital but absence of demand. But I got the sense that, as they see things, they are boxed-in on that front, paralyzed and hoping for the best. When someone asked about monetary policy, an official said he really couldn’t comment on behalf of the Fed, but then proceeded to comment anyway, that in a very sharp downturn the Fed would have (presumably unconventional) ways to intervene, but that we were probably near the limits of what the central bank would do on the economy’s current path. Regarding their own bailiwick, an official perceptively pointed out that the set of spending programs Congress seems capable of delivering and the set of programs the public would consider wise and legitimate seem not to intersect. All of this resonated well with me: I view the current macro-sluggishness as a function of insufficient demand, yet stand with the hypothetical public in being hesitant to support “stimulus” and “jobs” programs that strike me as haphazardly targeted and sometimes wasteful or corrupt.

What ought a Treasury official do under these circumstances? Mike Konczal suggested that Treasury had latitude to stimulate without Congressional approval, pointing out that only a small fraction of the funds allocated to HAMP had been spent, and that with some cleverness the remainder could serve as a piggy bank. He was openly astonished when he was told that despite the tiny uptake thus far, according to Treasury’s extrapolations and accountings, at least $40 of the $50 billion allocated to HAMP would be used by the program and the funds were therefore already spoken for.

My suggestion was that Treasury should take the lead from Congress and propose a “two-year guaranteed income program”. If I were writing a proposal, I’d offer a lot of detail and caveats, but during a short meeting with scarce air-time, that was the sound-bite I came up with. As regular readers know, I think the government ought to be transferring equal sums of money to all adult US citizens irrespective of tax or employment status. That’s a form of stimulus that seems fair on face, that doesn’t pick winners and losers or skew the direction of the economy, and is plainly not corrupt. “Guaranteed income program” can be interpreted in lots of different ways, though, and I have no idea how Treasury officials took this. In any case, the quick response was to say it wouldn’t pass Congress, as though that were that. Later on, I suggested officials should push it anyway, and “go down, or up, with the ship”.

Putting aside the merits and demerits of my own proposal, under the present circumstance, where things are going badly and officials believe that some forms of policy activism would be wise but are politically impossible, how ought public servants behave? Is it too much to ask, as I did, that officials choose good policy and push it, even if that means tilting at windmills in ways that could erode political capital and be harmful to their careers? One can make the case, as I suspect Treasury officials would, that policy idealism makes the best into the enemy of the good, and results in less achievement than a more pragmatic approach. Sometimes that might be true, but I think it is dead wrong right now. We are currently trapped in a political dynamic under which the contours of what is conventionally possible are so terribly straitened, and so terribly corrupt, that “achievements”, like health care reform, even when they are incremental improvements in policy, are painful blows to the public’s sense of the potency and legitimacy of government. We have a President who campaigned under the slogan “Yes we can!”, but then governed by cutting deals with status quo interest groups and limiting options to what powerful lobbies could live with. I was not lying when I said at the beginning of this piece that I like the people at Treasury personally. I have no great wish that they should lose their jobs. But for the good of the country, I do think they should come up with what they think would be the best economic policy imaginable and push it on its merits, publicly and unapologetically, even if it costs them their positions, and even though I might be horrified by what they’d choose. (Despite all the conversation, I have absolutely no idea what they would choose.)

Amid the talk about flagging demand, blogger John Lounsbury had the courage to “drop a stink bomb”, as he put it. He said that in his view, the United States needed to move from a consumption to a production oriented economy, and that we ought to use the tax system to get there, increasing taxes on consumption and reducing taxes on capital. I agree with John that the US economy needs to shift so that it produces as much value as it consumes (see below) but I’m entirely unenthusiastic about this sort of tax policy. John’s proposal amounted to a full U-turn from our how-to-inspire-demand conversation, but the Treasury official with whom we were speaking didn’t miss a beat. He nodded sympathetically, and said that while he couldn’t discuss specifics of what the deficit commission was doing, they were doing good work. I left with a serious case of heebie-jeebies about what the deficit commission might be up to, but no details at all.

Despite my disagreement with John regarding tax policy, I share his concern that the US economy has habitually failed to achieve a “sustainable pattern of specialization and trade”, as Arnold Kling likes to put it. The most obvious reflection and enabler of this, I think, is the United States’ large, structural trade deficit (which recently spiked). I asked Treasury officials what they intended to do about this, keeping in mind that the problem runs much deeper than our bilateral relationship with China, as well as the importance of avoiding distortionary protectionism, unfair discriminatory policies, or trade wars. Alex Tabarrok (who fascinates me as a writer, but spoke far too little at the meeting) pointed out that Treasury had done a good job so far at avoiding conflict over trade and resisting pressure to impose foolish barriers. He is right about that, but Treasury has also done little thus far to address the structural imbalance. The trade deficit did decline briefly during the recession, but given its quick resurgence, that seems to have been a mechanical effect of the pause in economic activity rather than a sustainable change in trade patterns.

A Treasury official agreed enthusiastically about the importance of finding more sustainable patterns of trade. But he characterized trade balance as a medium-term issue that might resolve itself over time, especially if China (which he described as the “anchor” of a whole block of trade partners) allows its exchange rate to appreciate. He suggested that although the issue is important, we could worry about other things for now and save trade balance for later if it fails to self-correct.

I disagreed. I think that the trade imbalance makes stimulus both intellectually and politically difficult to defend (including my own “guaranteed income program”), because the pattern of business expansion we would stimulate would continue to overproduce domestic services and underproduce tradable goods relative to the patterns of production we will require when unsustainable international flows cease or reverse. In Austrian terms, I think demand stimulus in the context of continuing trade deficits will lead to malinvestment and another dangerous recession when what can’t go on forever stops. Rather than reinforcing patterns of investment that will have to be reversed, we should begin to wean ourselves off unbalanced trade flows, so that investors find it profitable to bolster the sectors we will require in order to pay for current consumption with current production. Unfortunately, it did not sound as though nondiscriminatory tools for enforcing trade balance, such as capital controls or “import certificates”, were anywhere on Treasury’s radar screen.

Overall, as I said at the start, the meeting was a lot of fun. I spend a lot of time around universities, and our meeting resembled nothing so much as an unusually lively seminar. Unfortunately, just like an academic seminar, I left with the feeling that there were a lot of bright ideas and brilliant people, but nothing much was going to come of it all, at least not anytime too soon.

[*] No one claims that limiting “size” alone, defined as market cap or balance sheet assets, would be sufficient to solve any problem. One dollar of equity can pull the whole universe into a financial black hole if it is sufficiently leveraged. But proponents of structural regulation understand that status quo large financial firms simply cannot be regulated, either privately by equity and debt holders or publicly by civil servants. As discussed above, when a firm is highly leveraged, equity holders switch from sober stewards of capital to risk-loving looters of creditor wealth. When a firm’s creditors are formally guaranteed, or when as a group they are sufficiently large, interconnected, and incapable of bearing losses, creditors also switch sides, ignoring risk and seeking yield on the theory that the social costs of forcing them to eat losses would be far higher than the fiscal cost of bailing out the bank. The entire private capital structure of systemically important financial firms wants to maximize risk-taking while minimizing regulatory costs, looting the public purse and splitting the proceeds between creditors, shareholders, managers, and other employees. Relying on “market discipline” for this sort of firm cannot work. Relying on public sector supervision ignores resource asymmetry and political constraints, as well as the information and incentive problems faced by even smart, well-intentioned regulators. Large, complex, leveraged and interconnected financial firms simply cannot be regulated, by the private or public sector. Without regulation they quite rationally maximize stakeholder wealth in a manner that happens to be socially and economically destructive. The only way around this is to change the incentives of all stakeholders, and that could only happen by placing them in a different kind of firm.
We have to limit the size and composition of firms’ creditor base, so we can be sure losses to creditors would be socially and politically tolerable. (We do this already, or try to, with hedge funds.) We have to limit the scale of firm exposures, including on-balance-sheet, off-balance-sheet, and synthetic exposures, so we can be sure that the cost of nonperformance to counterparties would also be tolerable. Less obviously, we have to limit the scale of economic exposures relative to the number of independently responsible asset managers, so that no asset manager manages so much money that one or a few years of performance-based compensation would leave them set for life. The incentives of managers at small, nonprestigious banks are much better aligned with the long-term viability of their firms than hot-shots at glamour banks, who flit between high-paying gigs and hope to get their “fuck you money” fast. We have to limit the scope of operations at individual banks, because a complex bank is a bank that can’t be regulated, publicly or privately.

Also, small banks rationally allocate capital differently than very large banks. Big banks seek economies of scale to exploit. They trawl through vast streams of systemized data looking for patterns that can be widely applied to inform lending and investment decisions. Smaller banks seek out advantage based on local information and specific relationships. These are distinct strategies, and banks of different size will find different approaches adaptive. Lions and house cats are superficially similar, but thrive in different ecological niches. Large banks cannot effectively exploit local information, because local information is usually “soft” — that is, difficult to quantify and objectively verify. Lending based on soft information is inherently discretionary and prone to abuse, and large banks find it difficult to discipline the qualitative instincts of thousands of loan officers. Conversely, large bank employees find it impossible to defend inevitable failures, when, ex post, investments look to have been based on glorified hunches. (Small bank loan officers would have gotten buy-in up front from senior management, so failures get more sympathetically reviewed.) Further, most businesses will find it difficult to form credible relationships with very large banks, while small banks can have a real stake in an individual client’s success. But small banks can’t do what big banks do, as they lack sufficient data to mine client-order flow or tease out subtle relationships between FICO scores, patterns in checking and credit-card behavior, and loan performance. Small banks and large banks set about the task of allocating financial capital very differently. If you take a Hayekian view of capital allocation, small banks are likely to do a superior job.

(Small banks will do a better job in aggregate, even though those that fail will be found to have made more ludicrous and scandalous mistakes. Also, while most large-bank strategies are pathological, there is a well-known pathological small-bank strategy, “herding” or “information cascades”. In a small-bank-centric world, regulators would have to penalize copycat behavior, for example by taxing or increasing regulatory capital requirements when banks choose to invest in asset classes that are already overrepresented in the aggregate banking sector portfolio.)

Update History:

  • 22-August-2010, 10:00 p.m. EDT: Removing some excess verbiage: “less achievement overall” → “less achievement”, “in policy terms” → “in policy”. Removed some unnecessary commas. Fixed use of the word “diffuse” where “defuse” was intended, many thanks to Nemo for pointing this out!
  • 22-August-2010, 10:55 p.m. EDT: “There’s some irony to that” → “There’s an irony to that”
Categories: news I read

Detection of Parameter Pollution

ha.ckers - Sat, 2010-08-21 22:14

30 posts left…

There are a lot of web based exploits that can be really tricky to spot if you’re talking about a WAF. Multiple encoding issues, obfuscation and the like… Well, one attack in particular I think is actually pretty easy to detect programmatically (in most cases). In the case of HTTP Parameter Pollution the attacker has to double up on the parameters. So something like: ?a=1&b=2&a=3. If the WAF sees the same parameter (in this case “a”) supplied twice it’s pretty easy to understand that either there was something screwed up or it’s an attack. Either way, it’s worth reporting, and possibly even blocking if you know your site isn’t built like this.

Of course the normal caveats for non-standard parameter delimiters apply (hopefully the WAF could be developed to understand those delimiters in a perfect world). Not to mention the fact that even last week I saw a site that did Parameter Pollution on itself because of shoddy programming (and probably a lot of cutting and pasting by the developer). There could also be cases where some parameters come in on the URL field and others are POST parameters, so that would need to be taken into account as well for systems that don’t care and accept it all as a big pool of parameters. Lastly, I doubt many attackers are actually using Parameter Pollution (yet), but it should be easy enough to catch in most cases.
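An added example (not code from the original post) of the duplicate-parameter check described above, in Python. It splits the query string and the form body on a configurable delimiter set, decodes parameter names so that "a" and "%61" count as the same parameter, pools URL and body parameters together as the post suggests, and skips names on an allow-list for sites that legitimately repeat a field. The delimiter set, the allow-list and the report-versus-block rule (report identical repeats, block repeats that disagree in value) are assumptions for illustration, not the behaviour of any particular WAF.

```python
"""Detect HTTP Parameter Pollution (HPP): the same parameter name supplied
more than once across the query string and the POST body.

Added example, not code from the original post.  The delimiter set, the
allow-list and the report/block rule are assumptions for illustration."""
import re
from urllib.parse import unquote_plus

# Delimiters a backend might honour.  '&' is standard; ';' was accepted by
# some frameworks (and by Python's parse_qs before 3.10), so a WAF that only
# splits on '&' misses "a=1;a=2".  Assumed set for this example.
DELIMITERS = "&;"


def split_params(raw):
    """Split a query string or urlencoded body into (name, value) pairs,
    decoding names so that 'a' and '%61' are counted as the same parameter."""
    pairs = []
    for chunk in re.split("[%s]" % re.escape(DELIMITERS), raw or ""):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def find_pollution(query, body="", allowed_repeats=frozenset()):
    """Return {name: [(source, value), ...]} for every parameter that occurs
    more than once across the URL query and the POST body, ignoring names the
    application is known to repeat legitimately (multi-select fields etc.)."""
    seen = {}
    for source, raw in (("query", query), ("body", body)):
        for name, value in split_params(raw):
            seen.setdefault(name, []).append((source, value))
    return {n: v for n, v in seen.items()
            if len(v) > 1 and n not in allowed_repeats}


def classify(query, body="", allowed_repeats=frozenset()):
    """Decision a WAF rule could take.  Conservative default: report every
    duplicate, block only when the duplicates disagree in value (identical
    repeats are more often a copy-and-paste bug than an attack).  Servers
    differ in which copy wins (first, last or concatenated), so blocking is
    only safe once you know how your own backend resolves duplicates."""
    polluted = find_pollution(query, body, allowed_repeats)
    if not polluted:
        return "pass", polluted
    if any(len({v for _, v in hits}) > 1 for hits in polluted.values()):
        return "block", polluted
    return "report", polluted


if __name__ == "__main__":
    # Constructed sample requests: (query string, POST body).
    samples = [
        ("a=1&b=2&a=3", ""),        # classic HPP in the URL
        ("a=1", "a=3"),              # split across URL and body
        ("a=1;a=3", ""),             # non-standard delimiter
        ("%61=1&a=1", ""),           # encoded name, same value
        ("tag=x&tag=y", ""),         # legitimate multi-value field
    ]
    for q, b in samples:
        print(repr(q), repr(b), classify(q, b, allowed_repeats={"tag"}))
```

Run it to see the constructed samples classified. The block decision still depends on knowing how your own backend resolves duplicates; servers variously take the first value, the last, or concatenate them, which is exactly what makes the attack work.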

memes in infosec IV - turn off HTTP, a small step towards only one mode

Financial Cryptography - Sat, 2010-08-21 18:27
There appears to be a wave of something going through the infosec industry. There are reports like this:

"In the past month, we've had several customers at work suddenly insist that we make modifications to their firewalls and/or load balancers to redirect *all* incoming HTTP traffic to HTTPS (which of course isn't always entirely sane to do on proxying devices, but they apparently don't trust their server admins to maintain an HTTP redirect). Most of them cited requirements from their PCI-DSS auditors. One apparently was outright told that their redirects were a security problem because they presented an open socket on port 80, and they needed to be refusing all HTTP to their servers at the firewall. I think we gave them sufficient wording to convince their auditor that blocking access to the redirect itself wasn't going to do anyone any good."

Then, there have been long discussions circulating around the meaning of this hypothesis in security design:

"there is only one Mode, and it is Secure"

Which, if I can say in small defence, is an end-point, a result, an arrival that does not in the slightest hint at how or why we got there. Or by what path, which by way of example is the topic of this very blog post.

The Electronic Frontier Foundation has announced and pushed a new experimental browser plugin to take browsing on that very path towards more and pervasive HTTPS (https://www.eff.org/https-everywhere/):

"HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS."

And Jeff Hodges, Collin Jackson and Adam Barth have published an Internet Draft called Strict Transport Security based on this paper, which in essence tells anyone who connects to the insecure HTTP service to instead switch across to the secure HTTPS service.

Now, leaving aside whether these innovations will cause a few confusions in compatibility, site-redesign and access, all common ills that we would normally bow and scrape before, ... it would seem that this time there is some emphasis behind it: as well as the EFF plugin above, Paypal and NoScript have adopted STS. As Paypal was at one time the number 1 target for phishing-style attacks, this carries some weight. And as NoScript is allegedly used by practically all the security people on the planet, this could be influential.

A few words on what appears to be happening here. In the Internet security field, where the 800lb gorilla is breaches, viruses, botnets, phishing, ..., it seems that outsiders like EFF, Paypal and PCI-DSS auditors are starting to clean up the field. And in this case, they're looking for easy targets. One such target was long identified: turn off HTTP. Yup, throw another bundle of tinder on that fire that's burning around me ... but meanwhile, switch all HTTP traffic to HTTPS. In an ideal world, every web request could be defaulted to HTTPS. It's a simple thing, and an approximate first step towards the hypothesis of "there is only one mode and it is secure".

Switching to HTTPS for everything does a few things, obvious and subtle.

1. The obvious thing is that the user can now be seriously expected to participate in the "watch the padlock" protocol, because she's no longer being trained to ignore the padlock by the rest of the site. The entire site is HTTPS; that's easy enough for the users to understand.

2. The second thing that the notion of pervasive HTTPS does is to strip away some (not all) of the excuses for other parties. Right now, most decision makers almost totally ignore HTTPS. Browser manufacturers, server manufacturers, CAs, cartels, included. It is all compliance thinking; all eyes are turned elsewhere. If, for any circumstance, for any user, for any decision maker, there is a failure, then there is also an easy excuse as to why not. Why it didn't work, why I'm not to blame, why someone else should fix their problems. Probably, there are more excuses than we can count (I once counted 99...). However, if the PCI-DSS auditors make HTTPS the normal and only mode of operation, that act will strip away a major class of excuses. It's on, always on, only on. Waddya mean, it went off? This means the security model can actually be pinned on the suppliers and operators, more of the time. At least, the outrage can be pinned on them, when it doesn't work, and it will have some merit.

3. The third thing it does is move a lot of attention into the HTTPS sphere. This is much more important, but more subtle. More attention, a growing market, more expectations means more certs, more traffic, more reliance on the server cert, etc. But it also means more attention to client certs, more programmers, more admins, more more more ... Which will elevate the use of HTTPS and its entire security model overall; which will hopefully get the people who can make a difference -- here I'm thinking of Mozilla and Microsoft and the other browser security UI production teams -- to put a bit more effort and thinking into this problem. Some would say they are working hard, and I know they are. But let me put this in context. Last I heard, Jonathan had a team of 2-3 programmers working on Firefox security UI. (And, yes, that's a set-up for a correction, thanks!) This team is so tiny that we can even know their names.... Let me know and I'll post their names :) Yet, this security UI is protecting the online access of probably 100 million people across the planet. And the current viewpoint of the owning organisation is that this is a backwater that isn't really important, other areas are much more important. (Just to point out that I'm not picking on Mozilla unfairly: Microsoft is no better, albeit more clear in their economic reasoning. Google probably has one person, Opera may have one too. Konqueror? Apple won't say a thing...) (Prove me wrong, guys! Ya know ya want to! :)...
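The redirect-everything-to-HTTPS rule and the Strict Transport Security header discussed above, as an added Python WSGI middleware; this is example code, not from the original post, the EFF plugin or the STS draft's authors. It answers every plain-HTTP request with a redirect to the same URL over HTTPS, never serves content on port 80, and adds the STS header only to HTTPS responses, since the draft tells clients to ignore the header when it arrives over HTTP. The host name, the six-month max-age and the X-Forwarded-Proto convention for a TLS-terminating load balancer are assumptions.

```python
"""Redirect all plain HTTP to HTTPS and emit Strict Transport Security, as
WSGI middleware.  Added example, not code from the original post or from
the HTTPS Everywhere / STS authors; host name, max-age and the proxy header
convention are assumptions."""
from urllib.parse import quote

HSTS_MAX_AGE = 60 * 60 * 24 * 180          # assumed: six months, in seconds
HSTS_VALUE = "max-age=%d; includeSubDomains" % HSTS_MAX_AGE


def is_https(environ, trust_proxy_header=False):
    """WSGI's own signal is wsgi.url_scheme.  A TLS-terminating load balancer
    (the 'proxying devices' in the post) usually conveys the original scheme
    in X-Forwarded-Proto instead.  That header is only trustworthy when the
    proxy is guaranteed to overwrite it; otherwise a client can send it and
    talk plain HTTP to a 'secure-only' application, so it is off by default."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return (trust_proxy_header and
            environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https")


def https_url(environ):
    """Rebuild the request URL with an https scheme, keeping host, path and
    query so the redirect lands on the same resource."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    qs = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + qs if qs else "")


def force_https(app, trust_proxy_header=False):
    """Middleware: every plain-HTTP request gets a redirect and nothing else;
    every HTTPS response gets the STS header.  The header is deliberately left
    off the HTTP redirect: the STS draft has clients ignore it there, and an
    attacker on the port-80 path could forge it anyway."""
    def wrapped(environ, start_response):
        if not is_https(environ, trust_proxy_header):
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)),
                            ("Content-Type", "text/plain"),
                            ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def hello(environ, start_response):
    """The application being protected (a stand-in for a real site)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure hello\n"]


def call(app, environ):
    """Tiny WSGI driver: returns (status, headers-as-dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


application = force_https(hello)

if __name__ == "__main__":
    # Constructed requests: the same URL over plain HTTP and over HTTPS.
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com",
             "PATH_INFO": "/login", "QUERY_STRING": "next=/account"}
    secure = dict(plain)
    secure["wsgi.url_scheme"] = "https"
    print(call(application, plain))
    print(call(application, secure))
```

The redirect alone still leaves the very first plain-HTTP request exposed to anyone on the path who can rewrite it; the STS header is what makes the browser refuse plain HTTP to the site on later visits, so both halves are needed, and the header must never be the only thing standing between port 80 and the application.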

Detecting some forms of MITM attacks

ha.ckers - Fri, 2010-08-20 20:10

31 posts left…

There are quite a few different methods of performing MITM attacks, but one in particular kinda struck my fancy early on when I was thinking about airpwn. In the case of airpwn and similar exploits the attacker can listen to the packets being transmitted but can’t block them, so it comes down to a race: the attacker’s forged reply has to beat the legitimate one back to the victim. I don’t know what the prevalence of use of any sort of MITM is, but in this case there are a few things you could do to detect it.

Anyway, if you receive duplicate DNS replies, or duplicate ACK responses for instance, that could indicate that someone is trying to beat another packet back, which is why you’ll end up with two. Of course, figuring out which one is real isn’t straightforward (the bad guy may have just been slow, so it’s the first one that’s real). And there may be other things the bad guy can do, like immediately forwarding a RST packet to the server you’re trying to connect to, to quash the double ACK, so this may have some limits of utility.

Perhaps someone could think of another ingenious way to use that information or think of other clever methods of detection based on something similar for the other classes of MITM (like acting as a proxy, or re-routing traffic, etc…). I’m sure someone somewhere has already thought about and posted about this concept, but I wasn’t able to find anything in a cursory search. Maybe it’s new, maybe not, but I still thought it was interesting, even if limited.
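The double-reply observation above as an added passive detector, in Python; this is example code, not something from the original post or from airpwn. It remembers each reply seen under a flow key (for DNS: client address, transaction id and queried name; for a TCP handshake: the 4-tuple) for a short window and raises an alert when a second reply arrives under the same key, distinguishing replies that carry different content from plain retransmits. It does not try to decide which reply is genuine, for the reason the post gives. The packet summaries are constructed by hand and the field names are my own, not a capture library's API; feeding it from pcap, a DNS log or a flow exporter is left to the reader.

```python
"""Passive detector for the packet-race class of MITM (airpwn-style): the
attacker cannot drop the real reply, only beat it, so the victim sees two
replies where one is expected.

Added example, not code from the original post or from airpwn.  The packet
summaries below are constructed by hand and the field names are assumptions,
not any capture library's API."""
from collections import defaultdict, namedtuple

# One observed reply, reduced to what the detector needs.
Reply = namedtuple("Reply", "ts key fingerprint")


class RaceDetector:
    """Remember each reply for `window` seconds under a flow key; a second
    reply under the same key inside the window is a race.  The detector
    cannot say which reply is genuine (the attacker may have lost the race),
    so it reports every fingerprint seen and leaves the call to the analyst."""

    def __init__(self, window=2.0):
        self.window = window
        self._seen = defaultdict(list)   # key -> [(ts, fingerprint), ...]

    def observe(self, reply):
        """Record one reply; return an alert dict if it races an earlier one."""
        hits = [h for h in self._seen[reply.key]
                if reply.ts - h[0] <= self.window]
        alert = None
        if hits:
            earlier = [fp for _, fp in hits]
            alert = {
                "kind": reply.key[0],
                "key": reply.key,
                "replies": earlier + [reply.fingerprint],
                # Identical payloads are usually a retransmit; payloads that
                # disagree are the interesting case.
                "conflict": any(fp != reply.fingerprint for fp in earlier),
            }
        hits.append((reply.ts, reply.fingerprint))
        self._seen[reply.key] = hits
        return alert


# Feeders that turn (constructed) packet summaries into Reply records.

def dns_reply(ts, client, txid, qname, answers):
    """A DNS answer should be unique per (client ip:port, transaction id,
    queried name); the fingerprint is the set of addresses it returns."""
    key = ("dns", client, txid, qname.lower())
    return Reply(ts, key, tuple(sorted(answers)))


def syn_ack(ts, client, server, seq):
    """A SYN-ACK should be unique per TCP 4-tuple; a forged one carries its
    own initial sequence number, so two SYN-ACKs with different seqs race."""
    key = ("tcp", client, server)
    return Reply(ts, key, seq)


def run(events, window=2.0):
    """Feed Reply records through one detector; return the alerts raised."""
    det = RaceDetector(window)
    return [a for a in (det.observe(e) for e in events) if a]


if __name__ == "__main__":
    t0 = 1000.0
    victim = ("10.0.0.5", 51000)
    constructed = [
        dns_reply(t0, victim, 0x1a2b, "bank.example", ["203.0.113.7"]),
        dns_reply(t0 + 0.01, victim, 0x1a2b, "bank.example", ["198.51.100.9"]),
        syn_ack(t0 + 1.0, ("10.0.0.5", 51001), ("203.0.113.7", 443), 123456),
        syn_ack(t0 + 1.02, ("10.0.0.5", 51001), ("203.0.113.7", 443), 987654),
        # Same answer twice: a retransmit, reported but not a conflict.
        dns_reply(t0 + 5.0, ("10.0.0.5", 51002), 1, "cdn.example", ["192.0.2.1"]),
        dns_reply(t0 + 5.5, ("10.0.0.5", 51002), 1, "cdn.example", ["192.0.2.1"]),
    ]
    for alert in run(constructed):
        print(alert)
```

The window should be a little longer than the round-trip time you expect for the reply; too short and a slow legitimate reply after a fast forged one is missed, too long and ordinary retransmits on a lossy link produce noise (the conflict flag is what separates the two).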

Quick Proxy Detection

ha.ckers - Fri, 2010-08-20 19:52

32 Posts left…

Just a quicky post on how in Firefox you can detect proxies using image tags. Firefox (and possibly other browsers but I first saw it in Firefox) uses [ ] to denote IPv6 (I believe that’s its original intention anyway) but it also works in IPv4.

Something as simple as http://[123.123.123.123]/img.jpg?unique_id embedded into a page could be used to see if the user is using a proxy, which, as far as I’ve seen - at least using Apache’s proxy, doesn’t understand that syntax and therefore won’t fetch the image. This does give false positives when using something that blocks cross domain requests, and robots that try to stay on the same domain. Anyway, this might be helpful to someone.

The Chilling Effect

ha.ckers - Fri, 2010-08-20 16:46

As I wind down to 33 posts left until my 1000th and last post, I thought I should spend a little time talking more introspectively about how our community has changed over the years.

When I got started in security I had around the 130th hacker website on earth. We were all linked together with the second webring ever made (for those of you who recall webrings), which is how I know. Incidentally webring was made by a guy in his basement as a college experiment. Bronc Buster got in touch with the guy, which is why we were the second. It was called the Fringe of the Web. Back then sharing knowledge was hard to do. Search engines didn’t exist (DMOZ was really it). No one really trusted one another. No one really knew much because there weren’t many help files or docs being published back then either. I think a lot of people felt like there was a strong possibility they’d land themselves in jail if they were too outspoken about security. For you to get any better you had to do the research yourself because there weren’t many people around to help (at least in my case there weren’t). That was especially true for me because what I was interested in wasn’t being a good sys-admin or network guy and all the docs were about operating system security, firewalls and memory corruption. People were pretty unhelpful with a lot of RTFM, even though the manuals hadn’t been written yet. Installing Debian on my Gateway2000 with my crapola Mitsumi CD ROM for which there were no drivers yet written was my burden alone to figure out. Instead I was interested in this whole newfangled web thing - which almost no one knew anything about. Defacements were the norm - cybercrime was myth reserved for wild eyed paranoids and movies. Let’s call this the dark ages of computer security.

Later the industry dramatically expanded, and instead of there being just north of a hundred sites talking about security, suddenly you’re seeing security related articles and blogs on mainstream press. There are tens of thousands of sites talking about it. There is more new code and ideas being passed around than ever before. No one really feared jail time anymore, which was the only major consequence of publishing code that anyone could come up with. Enter script kiddies and sites devoted to helping people learn about computer security. Cybercrime was just taking off, and everyone realized that this was turning into a business. Companies start acquiring security and we get cool titles like CISO and CSO and we even have our own certifications. We finally had use cases and anecdotes for everything we had been talking about for all these years. Linux starts being sold on commercial desktops. It was the heyday of computer security. Let’s call this the enlightenment.

In the dark ages of computer security no one released code because they feared jail. In the enlightenment everyone released vulns because they wanted to make a name for themselves and prove their skill. So where does that leave us today? Let’s take an example of a hypothetical young web application and browser security guy (think me but just starting out) with no background or history in the industry. We’ll call him “Todd.”

Let’s say Todd releases a browser vuln that is useful against a good chunk of browsers, but it’s an architectural flaw and one that won’t be fixed for many years to come because if it is fixed it’ll break other things. It’s not a desktop compromise type issue, it just allows attackers to harm most websites in some obscure way (think the next version of CSRF or XSS or Clickjacking or whatever). Todd, not knowing what to do or who to talk to, releases the vuln to make a name for himself and to help close down the hole, because he thinks that’s the right thing to do. Here are some possibilities:

  • The Vendor is pissed at Todd for releasing the vuln and not telling them first - especially since there’s no fix. You evil vulnerability pimp you!
  • The press asks the simple question, “Why did you release this when you knew there was no fix?” to which Todd has no good answer except he thought he was doing the right thing by letting people know - and then the press mis-quotes him.
  • The blackhat community is pissed because they have been using something similar (or not) but either way they know this cool trick has a limited lifespan now thanks to Todd. More importantly they’ll try to hack Todd for releasing it. There will be much fist shaking and cursing of Todd’s name the day the vuln gets closed too.
  • The elite crowd are annoyed because they don’t think Todd should have gotten any publicity. The elite kernel level bug is way sexier (and it may very well be) and takes more skill (quite possible as well), but Todd knows nothing about the politics of the industry - he’s just interested in his stuff. They may try to hack and drop Todd’s docs to shut him up. There’s only so much limelight to go around, after all. Incidentally, I don’t think most guys who work on these types of vulns are like this, but it only takes a few to deter someone new like Todd.
  • There’s a slim chance someone might offer him a 9-5 job - as long as the vendor isn’t one of their clients.

Now let’s take the flip side - what if he wants to sell it:

  • The vendor won’t pay for an architectural bug - only full machine compromises please!
  • The blackhats won’t pay for it, because it doesn’t give them a shell.

So where does that leave Todd? It’s not in his best interest to release the vuln, because of the externalities of negative pressure, and no one is buying either. How does Todd make a name for himself? More importantly, how does he survive? Why on earth would Todd give up his vuln for free? He knows he could do some major damage with it, but the elite aren’t impressed so he doesn’t even get clout. Perhaps there’s a slim chance the vendor might hire him in gratitude? That’s a long shot and a waste of a great find for the chance at a 9-5 in the boiler room. Instead why wouldn’t Todd say screw it entirely and either stop doing the research and find something else to do or become bad and make some real cash? The chilling effect is in full swing. We are quite squarely headed towards another information security dark age. Sure there are a lot of good documents (if dated) on the web still. The bulk of advisories are from vendors these days, so you’ll still be up on yesterday’s news and patch management will be your life. Private conversations will always continue, but it won’t ever be like the enlightenment again unless something changes. I spoke with two large vendors about this and they acknowledged their part in it and that indeed they offered no good solution for someone like Todd who hadn’t already established himself - except the vague hope of some consulting arrangement.

I spoke with one guy who buys vulns and I asked him who his buyers were, out of curiosity. I was expecting him to say some large software retailers, but he said, “No, no, not at all. Most of my buyers are consulting companies.” I was confused. It turns out that there are a slew of consulting companies that will fail a pen-test with a client, but they can’t show the client that they found nothing, so they’ll whip out a ready-made 0day, impress the client and then they can go on the speaking circuit about their amazing find. Call me naive but it never even occurred to me that this industry could be that messed up. If you see someone speaking at a conference about some memory corruption flaw but they can’t seem to explain their own vuln the way you’d expect them to - you may have found one of these consultants.

I think this is important because as my tenure comes to a close in the blogging world, I feel like there are a lot of very talented people who will never get to see their day in the sun and as an unfortunate consequence of this vulnerability market some talentless people will. I know several people have completely packed up and decided to get out of the industry entirely because of how things are shaping up. I fear that the way things are headed it will be harder and harder for someone to rise to the top, without retribution from their peers. There is a whole new generation of people who are lining up to replace guys like me who are joining a very corrupt and preservationist industry. They may not have thick skin and may not survive what is in store for them. I’ve talked to over a dozen security folks who tell me the same story. These individuals worry about the security community’s reaction to anything these individuals say publicly more than they worry about actual bad guys committing crime. Is it too late to fix, or is it even worth fixing? Or would you argue that this is the best it’s ever been? I’d be curious to hear what people think.

Niall Ferguson - Empires on the Edge of Chaos

Financial Cryptography - Fri, 2010-08-20 10:10
Niall Ferguson spoke a few weeks ago at something called the CIS, supposedly a right-wing thinktank in Australia. He's well known for his Ascent of Money series, which is the thing you buy on DVD if you want to tell your Mum about economics and the way the world works. He's also that rarest breed in economics - he's not an economist at all, he's a historian. His speech is here. It's a very big video download (26Mb), it seems, so I'll post this *after* my download else I'll never see it. Also, see it on vimeo directly which might work better....

Why is the failure rate so high in innovation?

BankerVision - Wed, 2010-08-18 11:00
Why is it there's such a high failure rate in innovation efforts? 

Why is it I run around talking about our (the departments) 10% success rate on new ideas and think that's a good performance?

And why is it that other organisations are thrilled when they get even one new thing out the door?

I think the answer is we've all programmed ourselves to think this innovation thing is hard, and since it is hard, you should only be successful some of the time.

I also think all this programming we're giving ourselves has become something of a self-fulfilling prophecy.

I mean, the reality of large organisations is that most of the preconditions for success are already present. There is never a lack of great ideas, for example. Ideas are bubbling around everywhere, and all you have to do is collect them. Neither do large organisations lack people who want to get things done: getting magic to happen is really a question of linking them up and giving them permission to do things.

Most importantly though - large organisations are paying more than lip service to their desire to be more innovative. In the last week, for example, I learned that two more banks have started new innovation programmes complete with massive budgets.

So why, why, why does this stuff keep failing?

My experience at Lloyds with Innovation Market, and more latterly at the DWP where we've built largely the same thing (we call it IdeaStreet) suggests part of the answer, to me at least.

Innovation is a social activity.  People want to talk and share. They want to co-create. If you want people - of their own free will - to give you innovation, you must create a system that lets them link up with each other independently of any central effort and concentrate on the things they care about.

Why? I suspect potential innovators don't want to be little islands of greatness, trying to push uphill against the combined weight of everyone else trying to make things stay the same. That's very hard work; probably too hard most of the time, when you also have to do a day job.

When you have this situation, you only get innovation in the presence of individual heroics by very special, very rare people. Most organisations have too few of them to ever get reliability out of their innovation efforts. And, at the very best, you're only going to get one or two really meaningful things before your heroes burn out.

This, then, is the cause of all the failure: all those little islands having to push against the big corporate machine. You hear so many stories where even those at the top of organisations can't get anything done because all the machinery at lower levels frustrates their innovation efforts.

I say, if even those at the top of an organisation can't mandate innovation, then you have little choice but to start innovation from the bottom up.

That's why building social innovation systems is important. People down the pecking order are very powerful agents for change when they band together to do something. And it's the reason why central innovation efforts that only invest in big game-changing things usually fail.

Apple to do payments?

Financial Cryptography - Wed, 2010-08-18 00:44

Twan asks whether this is an interesting change in the business model of Apple:

As first reported by Near Field Communications World, a trade publication, Apple recently hired Benjamin Vigier, an expert in the mobile payments industry who works with a technology called near field communication. According to his LinkedIn profile, Mr. Vigier is now Apple's product manager for mobile commerce. Before joining Apple he worked with a company called mFoundry, developing mobile payment services for PayPal and Starbucks, and also worked on a project called the mobile wallet.

So are Apple moving into payments? Possibly, but there are several caveats to that. Firstly, Apple keep a closed-shop policy, so we won't ever hear it until it is done. Secondly, given the space and people and so forth, it is probably as likely or more likely that Apple is investigating the NFC space:

Near field communication, or NFC, acts like the standard R.F.I.D. chips that are used to scan passports or credit cards today. When an NFC chip is placed within a short range of an NFC reader, the two gadgets can send small pieces of information back and forth. This can be used to perform simple credit transactions, or could be used to pass information between two gadgets. This isn't the first person hired at Apple with knowledge and experience in NFC. According to people familiar with Apple's recent hiring, who asked not to be identified because they were not authorized to speak for the company, Apple has recently hired other phone engineers with experience and knowledge of NFC and similar mobile technologies.

If one was keen on speculating, the facts to look at might be these:

A barrage of NFC-related Apple patent applications have been published over the last few months. They cover a wide range of potential NFC application areas and include:

An NFC-based mobile payments service that lets consumers make payments to merchants and other consumers via a credit or debit card, directly from their bank account or using credit stored in their iTunes account.
The iPay, iBuy and iCoupons patents, describing a comprehensive mobile payments, mobile commerce and mobile marketing business based around an NFC-enabled iPhone.
Products+, an NFC-based product marketing and promotions application.
An airline ticketing and boarding pass application that describes an unmanned, automated airport ticketing and baggage counter kiosk and introduces the concept of an automated security checking process where users of the iTravel app could process themselves through the security clearance system and check themselves in at the boarding gate.
The Grab Go patent, designed to make it easy for customers to transfer files between devices such as the Mac, iPhone and Apple TV.
An NFC-enabled iPod, games controller, TV and iPhone.
An NFC-based concert, entertainment and sports venue ticketing application that includes exclusive bonus features for users of Apple's service.

Which adds further weight to a thrust into all sorts of NFC areas. Personally, I'd speculate that lots of ideas are being researched, and infrastructure is being built internally. Meanwhile, the leading conceptual ideas are being patented (FWIW), but this doesn't imply those ideas will happen. It's simply a land-grab based on giving the company substantial room to manoeuvre when something does roll out.

Those are more expansive views, from the outside. From a more directed approach, there are also pluses and minuses for payments. Here's some analysis:

Firstly, it is a long-standing and well-known plea that we want payments on our mobiles, much more than we want them on our desktops. This is practically dogma in the payments sector.

Secondly, and to counterbalance that, the reason we want it on our mobile/cell/handy/pocket platform is only partly the enormous convenience factor of pocketable money. It's also because there is a presumption that a pocket platform is secure. Of course, this is a relative statement, as is all talk of security. It's more secure than the average desktop (be it Windows, Mac or Linux) ... but a lot of that is because of the multi-application approach adopted by one's desktop ... and the iPocket stuff from Apple is all multi-application! So the question is, how secure is the iPhone for this sort of thing? Not very. And not enough for payments, or not enough for hard payments. Maybe enough for soft payments, ones that are reversible when found heading to strange places and strange people. Or one-way payments.

Thirdly, does Apple want to play at being a bank? Surely not ... recall the response that Microsoft got in the mid 1990s when Bill Gates said something like "we only want to take a penny out of each dollar" ... The banks moved swiftly to close that one out. But times have changed since then, several things have happened. The explosion of payment systems didn't quite happen. Europe's conceptual lead faded away before the fearmongering of banks, which unintended consequence (fading away, not fearmongering) finally caused the regulators to finally rewrite the eMoney directive in favour of experimental approaches to money. And, coincidentally, open up the real payments market by means of the PSD, which Dave mentions came into force November last year. Meanwhile, during Europe's lost two decades, Paypal did happen, and the results were unimpressive in terms of competition policy -- fees on the order of 10 times higher than open competitors!

Also, the reputation of banks right now is pretty weak, due to their basic failure of governance in the financial crisis, and the seismic shifts in banking are fundamentally moving against them if they want to claim ownership of all money business. Meanwhile, payments did emerge in the games sector over the last decade. WoW, SL, etc., many tried and many more or less succeeded to create internal payment mechanisms to do what payments are supposed to do, provide value accounting for trades between people. From there, it spread across to the social network sector. The model then that has emerged is that if you do a payments business within your community, this is ok ... but outside, opening it to the public, that's not ok, that's going to face stiff competition from the grumblers. Whereas, inside payments can be snobbishly ignored as game play, not serious.

Is Apple a social network? A game? Yes, it can be seen that way. Is this still a good idea? ApplePay? iBites? That depends on who you ask. If it's just the techheads who built great apps like the ones Apple is famous for, then no, it's too far from core business. Payments is not just technical business and great UIs. If however Apple can assemble a diverse team, along the lines of the FC7 thesis, then Apple has some of the breadth to support that team. In a way that Microsoft hasn't and Google didn't. Cautiously, I'd say Apple is well-placed to do this, and can do it. If it helps any, I can suggest that doing payments is a lot of fun, a great challenge, and even if you fail, it's experience that will stand good for the future. Good luck, guys....

Hill-Billies: A Case Study

ha.ckers - Mon, 2010-08-16 17:26

34 posts until the end… Oh, and happy Monday. It’s time for a little story.

Once upon a time there were some hill-billies living in the deep south. They had virtually nothing. They made their moonshine, and lived the most meager of lifestyles. They were in deep poverty. They made do with their hooch and stories. They worked hard - 8 hours per day at the local sweatshop, but they were happy enough. Then one day, an advocate for minimum wage increase saw what the hill-billies were living in and how they were living their lives. It made the advocate angry and they went to go fight the local sweatshop to increase their wages. The advocate wanted to make sweeping changes and would use the hill-billies as a case study on how much a little extra money can improve someone’s living standard to further the advocate’s cause.

Eventually, after intense scrutiny, the sweatshop realized that they had indeed been paying too little for any decent standard of living and decided to give all their minimum wage workers a rate increase, which included our friends the hill-billies. So now you're thinking to yourself, the hill-billies got a home loan or used the money to pay for school or something else productive, right? No… what happened was that the hill-billies had always been happy with what they had, and the increase in money allowed them to stop working as much and make the same amount. They continued to make their moonshine and lived happily within their means…

The moral of the story is that about a year ago I reached an inflection point in my career of 15 years in security. I realized that with every major innovation the security community comes up with, the general public and vendors alike figure out a way to abuse that innovation or work around it to do what they originally wanted to do again (think firewalls and tunneling over port 80). It feels like we’ve been battling to protect people, but the people don’t want to be protected if it means changing. They’re happy with the status quo. Of course, there’s always fear of the unknown, and fear of insecurity is a key driver of spending (think anti-virus). One thing’s for sure though, you can’t change the nature of the hill-billies, so why are we trying? Our only path to success is empowering people to do what they want, without getting in the way. The words “No” and “Can’t” have to leave our vocabulary when it comes to what consumers and developers and companies want to do. Now, the trick is: how do we build security that no one notices is there?

Monetary policy for the 21st century

Interfluidity - Mon, 2010-08-16 10:49

Twentieth Century monetary policy can be understood very simply.

One can imagine that, prior to the 1980s, the marginal unit of CPI was purchased from wages. That made managing inflation difficult. In order to suppress the price level, central bankers had to reduce the supply of wages. But reductions in aggregate wages don’t translate to smooth, universal wage cuts. For institutional reasons, attempts to restrain aggregate wages generate unemployment. Prior to the 1980s, central bankers routinely had to choose between inflation or recession.

Then came the “Great Moderation”. The signal fact of the Great Moderation was that the marginal unit of CPI was purchased from asset-related wealth and consumer credit rather than from wages. Under this circumstance, central bankers could fine-tune the economy without disruptive business cycles. When resources, especially humans, were under-employed, expansionary monetary policy could be used to inflate asset prices and credit availability, until increased expenditures on consumption goods took up the economy’s slack. When inflation threatened, contractionary monetary policy restrained asset price growth and credit access, reducing the propensity of the marginal consumer to spend. (“Asset-related wealth” includes speculative gains, the capacity to borrow against appreciated collateral, and the increased willingness of consumers to part with wages and savings due to a “wealth effect”.)

Regular readers know that I am not a fan of the Great Moderation. Central bankers and economists found it pleasant at the time, but sustaining that comfort required that cash wage growth be suppressed, that credit be expanded regardless of overall loan quality, that asset prices be frequently manipulated, as means to a macroeconomic end. In exchange for price stability and moderate business cycles, we mangled the price signals that ought to have disciplined capital allocation, we levered and impoverished American households, we transformed our financial system into a fragile and corrupt cesspool of self-congratulatory rent-seekers. I call that a very poor bargain. (I want to emphasize, because it always comes up, that it was not central bankers primarily that suppressed wages during the period. Globalization and declining union power did most of that work. But central bankers understood very well the importance of wage suppression, and emphasized their willingness, their “credibility”, to push back hard against any increase in the share of income accruing to labor.)

Still, if Great Moderation monetary policy sucked, pre-Moderation business cycles sucked as well. Is there a better way?

It’s no good when the marginal unit of CPI is purchased from wages. That’s the bad old days. It’s no good when the marginal unit of CPI is purchased from asset wealth or consumer credit. That’s the Ponzi scheme that got us into our current troubles. So what kind of dollar should buy the marginal unit of CPI? Ideally, it should be something central banks can “fine tune” without provoking recessions or bubbles, and something that doesn’t involve a macroeconomic imperative to expanded indebtedness.

Here’s my proposal. We should try to arrange things so that the marginal unit of CPI is purchased with “helicopter drop” money. That is, rather than trying to fine-tune wages, asset prices, or credit, central banks should be in the business of fine tuning a rate of transfers from the bank to the public. During depressions and disinflations, the Fed should be depositing funds directly in bank accounts at a fast clip. During booms, the rate of transfers should slow to a trickle. We could reach the “zero bound”, but a different zero bound than today’s zero interest rate bugaboo. At the point at which the Fed is making no transfers yet inflation still threatens, the central bank would have to coordinate with Congress to do “fiscal policy” in the form of negative transfers, a.k.a. taxes. However, this zero bound would be reached quite rarely if we allow transfers to displace credit expansion as the driver of money growth in the economy. In other words, at the same time as we expand the use of “helicopter money” in monetary policy, we should regulate and simplify banks, impose steep capital requirements, and relish complaints that this will “reduce credit availability”. The idea is to replace the macroeconomic role of bank credit with freshly issued cash.

Of course we will still need investors. But all that transferred money will become somebody's savings, and having reduced the profitability of leveraged financial intermediaries, much of that will find its way to some form of equity investing.

There are details to consider. Won't this proposal render central banks almost immediately insolvent? After all, conventionally, currency is a liability of a central bank that must be offset by some asset, or the balance sheet will show a gigantic hole where the bank's equity ought to be. But that's easy to remedy. Central banks can just adopt an old accounting fudge and claim that policy-motivated transfers purchase an intangible asset called "goodwill". But, you may object, fudging the accounts doesn't alter economic realities. Quite so! But what are the economic realities here? Balance sheet insolvency is nothing more or less than a predictor of illiquidity. No firm goes out of business because its shareholder equity goes negative. Firms die when they are presented with a bill that they cannot cover. But a central bank with liabilities in its own notes can never be illiquid, since it can produce cash at will to satisfy any obligation. It is book insolvency, not intangible goodwill, that would misrepresent the economic condition of the bank. If the central bank does not pay interest on reserves (which it should not), currency's status as a "liability" is entirely formal. Central bank accounts should be defined by economic substance, not by blind analogy to the accounts of other firms. The purpose of a central bank's balance sheet is to present a snapshot of its cumulative interventions, not to measure solvency. Consistent with that objective, a placeholder asset that offsets the formal liability incurred from past transfers would render transparent the cumulative stock and net flow of policy-motivated transfers. [1]

Then there are more interesting problems, like how routinizing transfers from the central bank to citizens might reshape society. “Free money” would certainly carry consequences, both good and bad, foreseeable and unforeseeable. My suggestion would be that the central banks should make equal transfers to all adult citizens irrespective of income, job, or tax status. That would be simple to understand and administer, and it is “fair” on face. It has other good points. To the degree that transfers are motivated by wasteful idleness of real resources (e.g. unemployment), flat transfers are guaranteed to put money in the hands of cash-constrained people who will spend it. Flat transfers are much more effective stimulus than income tax cuts (much of which are saved), and more effective even than payroll tax cuts (because people with jobs are more likely to save an extra dollar than people without). Further, because such transfers would be broadly distributed, the information contained in the spending patterns provoked by such transfers is more likely to be representative of sustainable demand than other means of stimulus. Status quo monetary policy, in obvious and direct ways, distorts economic activity towards the financial assets and debt-financed durable goods. I hope it’s obvious by now why that’s bad. Transfers to the already wealthy (e.g. income tax cuts) amplify the influence of a relatively small group of people whose desires are already overrepresented in shaping patterns of demand.

There is also a kind of macro-level justice in combating depressions with flat transfers of cash. During booms, income inequality typically grows as workers and investors in "hot" sectors do very well. In theory, there's a positive sum social bargain that encourages us to tolerate that inequality. If people are growing rich by performing activities that are genuinely of great value, even very unequal distribution of the new wealth may leave everybody better off, and the fact that people at the center of that production get rich provides a useful incentive for people to do great things. However, when booms are followed by great busts, it suggests that some of the apparent wealth created during the boom was in fact illusory. Ideally, we'd have a system where the producers of illusions lose their wealth when it is revealed that they had in fact produced nothing of value. But in a world where everything is liquid, where risks are easily transferred and apparent gains can be converted to cash on a moment's notice, the relationship between quality of production and wealth-you-get-to-keep becomes murky. Episodes of illusory production end up causing aggregate pain, even while the illusionists keep their gains. Using flat transfers to combat the aggregate pain compresses the distribution of relative income, taking back some of the advantage that, in retrospect, was not well earned during the boom.

The most obvious hazards of monetary policy transfers have to do with dependency and incentives to work. If people grow accustomed to getting sizable checks from the central bank, that would change behavior. But not all changes are bad. For example, it may be true that many workers would be pickier about what jobs to take if government transfers generated incomes they could get by on without employment. Employers would undoubtedly have to pay people who work unpleasant jobs more than they currently do. But that’s just another way of saying that workers would have greater bargaining power in negotiating employment, as their next best alternative would not be destitution. That we’ve spent 40 years increasing the bargaining power of capital over labor doesn’t make it “fair”, or good economics. Supplementary incomes are a cleaner way of increasing labor bargaining power than unionization. Unionization forces collective bargaining, which leads to one-size-fits-all work rules and inflexible hiring, firing, and promotion policies, in addition to higher wages. If workers have supplementary incomes, employment arrangements can be negotiated on terms specific to individuals and business circumstances, but outcomes will be more favorable to workers than they would have been absent an income to fall back upon.

Still, it is possible that too many people would choose to “live off the dole”, or that people would come to depend upon income from the central bank, limiting the bank’s flexibility to reduce transfers when economic conditions called for that. So here’s a variation. Rather than distributing cash directly, the central bank could make transfers by giving out free lottery tickets. The winnings from these lottery tickets would constitute transfers from the central bank to the public. But the odds that any individual would win in a given month could be made small, in order to prevent people from growing dependent on a regular paycheck from government. Plus, it would be easier for the central bank to reduce the “jackpot” offered in its free lottery than to scale back payments that people have come to expect. If you buy the thesis that poor people experience increasing marginal utility to wealth, paying out large sums occasionally rather than modest sums frequently might be ideal.

I know this all sounds a bit crazy, a new normal under which central banks would print money to fund lottery payouts and then fake an asset on their balance sheets to offset the spending. But these are perfectly serious proposals. Futurama, baby.

[1] There is a theory that the value of a currency is somehow related to the strength of the issuing central bank's balance sheet, so a currency issued against fictional "goodwill" would quickly become worthless. Suffice it to say that, with respect to non-redeemable fiat currencies, there is absolutely no evidence for this theory. There is no evidence, for example, that the purchasing power of the US dollar has any relationship whatsoever to the Fed's holdings of gold or foreign exchange reserves. The assets of existing central banks are mostly loans denominated in the currency the bank itself can produce at will. You may argue that those assets are nevertheless "real", because repayments to the central bank will be with money earned from real activity. But that assumes what we are trying to explain, that people are willing to surrender real goods and services in exchange for the bank's scrip. Perhaps fiat currency derives its value from coercive taxation by government, as the MMT-ers maintain. Perhaps the imprimatur of the state serves as an arbitrary focal point for the coordination equilibrium required for a common medium of exchange. I don't know what makes fiat currency valuable, but I do know that the real asset portfolio of the issuing central bank has very little to do with it.

Turning the Honeypot

Financial Cryptography - Sat, 2010-08-14 01:06

I'm reading a govt. security manual this weekend, because ... well, doesn't everyone? To give it some grounding, I'm building up a cross-reference against my work at the CA. I expected it to remain rather dry until the very end, but I've just tripped up on this Risk in the section on detecting incidents:

2.5.7. An agency constructs a honeypot or honeynet to assist in capturing intrusion attempts, resulting in legal action being taken against the agency for breach of privacy.

My-oh-my!...

I Love Gold

Financial Cryptography - Sat, 2010-08-14 00:37

Gunnar points to: I Love Gold:...