Archive for September, 2006
Jericho Forum Open Meeting, Seattle WA, September 21-22nd
I’ll be attending the next open meeting of the Jericho Forum in Seattle, Washington next Thursday and Friday. Feel free to join us if you’re in the area and interested in attending. Our generous hosts at Boeing (who are very involved in the Jericho Forum) have even arranged access to the Museum of Flight, which I’m told is a Good Thing if you’re even a little bit of an aviation geek.
Also, I’ll be giving a presentation on “Client Security in the Deperimeterized World” and facilitating a discussion session on Thursday morning. Hopefully I’ll have good insights to report back with afterwards.
Posted in Security and Risk Management, Technology, Network Security
Second Lives
So Second Life got hacked:
On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it.
Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords and encrypted payment information.
No unencrypted credit card information is stored on the database in question. Unencrypted credit card information has not been compromised.
A news story puts the scope of the breach at 650,000 accounts.
Let’s read into the story a little bit.
First, we now know a little bit about the Second Life team’s risk management priorities. They encrypted (hashed, most likely) user passwords. By making this decision, they declared that they were more concerned with account security than incremental performance gains they might have derived from not encrypting them.
Still, even though Second Life handled the passwords responsibly, they still are paying the price for losing them–they will probably lose at least a few on-the-fence customers and also have to bear the increased cost of supporting 650,000 people all trying to change their passwords at once. Long-term, this is the Right Thing.
Second, we know that they care about protecting their revenue stream. I’m guessing they were PCI-Compliant since they encrypted credit card information. That’s also a Good Thing since it means that they aren’t going to be put out of business by lawsuits or the “Death Penalty” from Visa or Mastercard (even if that is, to a certain extent, killing the goose that lays the golden egg).
Third, we know that they have some concerns that at least some portion of the password database is vulnerable to (probably) dictionary attacks. John the Ripper would probably make pretty quick work of those ~650,000 accounts, especially if the hashed passwords weren’t salted or weren’t salted with a large enough salt (a random value stored alongside each hashed password so that a single dictionary attack can’t be run against the entire list at once).
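To make the salting point concrete, here is an added illustration (my own example, not code from Linden or anyone else involved): three constructed accounts hashed once without a salt and once with a per-account random salt plus PBKDF2-HMAC-SHA256 (the algorithm, salt length and iteration count are my assumptions). Identical unsalted passwords collapse to one stored value, so one dictionary run covers every account that chose the same word; salted, every stored value differs and each account has to be handled separately.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed sample data: two of the three accounts picked the same weak password.
ACCOUNTS = {"alice": "dragon", "bob": "dragon", "carol": "correct horse"}

ITERATIONS = 100_000  # assumed PBKDF2 work factor


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Identical passwords give identical
    hashes, so one precomputed table of common-word hashes checks every
    account in the list at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Per-account random 16-byte salt plus PBKDF2-HMAC-SHA256 (assumed).
    Returns (salt, derived_key); both are stored, and the salt need not be
    secret: its job is to make every stored value unique."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify(password: str, salt: bytes, stored_key: bytes,
           iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = salted_record(password, salt, iterations)
    return hmac.compare_digest(key, stored_key)


def distinct_values(records: Iterable[object]) -> int:
    """How many different stored values a database of records contains."""
    return len(set(records))


def demo() -> Tuple[int, int]:
    """Return (distinct unsalted hashes, distinct salted keys) for ACCOUNTS.
    Unsalted, alice and bob share one hash (2 distinct values for 3 users);
    salted, all three differ, so a dictionary run must be repeated per account."""
    unsalted = [unsalted_hash(p) for p in ACCOUNTS.values()]
    salted = [salted_record(p)[1] for p in ACCOUNTS.values()]
    return distinct_values(unsalted), distinct_values(salted)


if __name__ == "__main__":
    print("distinct unsalted / salted:", demo())  # (2, 3)
```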
Finally, we know that Linden cares less about protecting their customers than they do about their ability to get paid, even if those customers are also an integral piece of the revenue stream. I suspect this is more a case of the floor for compliance being the ceiling for effort than anything else–no law or industry legal agreement requires them to encrypt the data, so they didn’t. They did not perceive risk associated with losing that information, and I suspect that this will be what eventually hurts Second Life when all is said and done.
Interestingly, Second Life seems to have missed a significant tenet of their value proposition–that they provide a place where people really do have second lives. And that’s the real risk in this whole incident. Certainly there could probably be some fraud and account abuse in all this, but I would hope that Linden Labs has or is putting processes and tools in place to identify and make those affected “whole” again.
I strongly suspect, however, that their willingness to accept risk to people’s Identities will be the long-term impact of this incident. After all, I have to suspect that there’s going to be a tendency to self-censor (for better and worse) what people feel willing to do with their second life if they can’t be certain that it won’t be tied back to their first one.
I have to state that I’ve never spent any time in Second Life, but that’s only because I’m a recovering addict (you’re never recovered) of Evercrack and a couple of other MMORPGs–the actual concept fascinates me. As such, I firmly believe it’s best for me if I just stay away from Second Life.
Nevertheless, I know from some experience that some people are very different on-line than in real life, for better and for worse. In the limited confines of an MMORPG, that can create significant problems. In the nearly unlimited scope of Second Life, while most of what goes on is pretty innocuous, I’ve read some things (no links–I’m offline as I compose this) in the past that lead me to believe that some people do things there that they’d just as soon not be tied to in their First Life.
Risk Management, CIA Style
Conscience is the inner voice that warns us somebody may be looking
-Henry Mencken
So what’s on the mind of people at the CIA these days?
CIA counterterrorism officers have signed up in growing numbers for a government-reimbursed, private insurance plan that would pay their civil judgments and legal expenses if they are sued or charged with criminal wrongdoing, according to current and former intelligence officials and others with knowledge of the program.
The new enrollments reflect heightened anxiety at the CIA that officers may be vulnerable to accusations they were involved in abuse, torture, human rights violations and other misconduct, including wrongdoing related to the Sept. 11, 2001, attacks. They worry that they will not have Justice Department representation in court or congressional inquiries, the officials said.
The anxieties stem partly from public controversy about a system of secret CIA prisons in which detainees were subjected to harsh interrogation methods, including temperature extremes and simulated drowning. The White House contends the methods were legal, but some CIA officers have worried privately that they may have violated international law or domestic criminal statutes.
If only one person in an otherwise rational group transfers risk, it’s probably paranoia. But when a group of rational people all decide to transfer that same risk, it probably means they see a vulnerability.
I would have been prouder to see a story about how CIA officers were managing the risk of prosecution for torture by avoiding the risk, but that’s between them and their commander. Actually, I want to believe that many of those officers did avoid the risk and we simply don’t hear about it because Doing The Right Thing is not news.
I wonder if the policy pays if someone is sentenced to prison? How about executed? Those threats are in-scope under War Crimes law.
Posted in Security and Risk Management, Terrorism
Missing
Posted in The Grand Scheme Of Things, Terrorism
Crash!
I got my first scooter when I was 15 years old. It was a 49cc Honda Spree that I bought off my older brother (who did all the parental convincing work) once he got his automobile driver’s license, and I rode it like a maniac, as boys are wont to do when they are in their teens, but never got in an accident on it. I sold it after a year or two and periodically rode other people’s small motorcycles or scooters over the years, again accident-free. This spring, I bought myself another scooter, a mint green 150cc Stella (pictured) to replace my car now that I’m back in downtown Chicago. On Saturday, during the group ride of the Chicago Slaughterhouse scooter rally, my luck finally ran out and I was involved in a scooter accident.
My first scooter vs. scooter accident (or, as someone else described it, “scooter-on-scooter crime”) was all over, including the cleanup, in a matter of maybe two minutes. It was unfortunate but could easily have been much worse.
The ride included a run up almost the entire length of Lakeshore Drive, exiting at Foster. After exiting LSD, I was the first person to stop at the light at Marine Drive, the first light after you go under LSD. I had only been stopped for a couple of seconds when I heard what I now realize was The Other Guy’s tires skidding. He then clipped me on (I’m pretty sure) my left side as he went by and it felt like I got body-checked off my scooter onto my right side.
At that point, he completely lost control and went down, sliding past me for another 30 feet or so. The Other Guy (who shall remain anonymous, and he was a really nice guy, very apologetic, scraped up/shaken up a lot more than I was) said he didn’t see the light until it was too late to stop, then clipped me after he slammed on his brakes.
Other than a VERY sore right shoulder and some minor scrapes on my right elbow & bruises down the right side of my body, I’m fine. I didn’t really go down that hard since I was stopped when he hit me. Damage to my scooter was limited to the front fender & the right side cowl rail (full repairs will be ~$300, including parts & labor–mostly labor to remove the front forks).
I don’t know exactly who stopped to help, since I was busy making sure I was OK and everyone had helmets on so I couldn’t really see faces. Nevertheless, I’d like to thank everyone who stopped and lent assistance. The other riders had the intersection blocked almost immediately and were helping out with making sure we were OK and getting us out of traffic before I even really realized what had happened.
The experience has definitely made me re-prioritize buying and wearing a proper motorcycle jacket and other safety gear. If I’d been wearing a jacket, I’d have come away with only a single bruise on my knee. For The Other Guy, it would have made an even bigger difference since he had a lot more speed to convert into road rash.
Lessons Learn-able:
- Safety Gear should be a maximum priority for all riders
That includes more than just a helmet. While I’ve felt that a helmet was essential since I got my first scooter (when I was still young and thought I was bullet-proof), I’ll now expand the essential equipment list to include at least a riding jacket and a pair of gloves. In retrospect, I cannot explain why I was willing to mitigate the risk of cracking my skull open but accept the risk of bruising my muscles & scraping my skin off the rest of my body. Perhaps it has to do with the fact that I used to street skate and went down hard several times, sometimes with a lot of road rash, sometimes with none. This time around, though, it seems like it hurt a lot more than it did back then. This may just be a side effect of being Not Young.
- Familiarity with your scooter makes a difference
The Other Guy had only had his scooter for about 24 hours. He was not a new rider, but he was new to that scooter. That can’t have helped when things got exciting. It also must have made it suck even more to bang it up while it still had the “new” on it. Knowing my scooter didn’t make a difference in the accident, since I was blindsided, but I do believe that familiarity has helped me get over the shock of being in an accident. I know that every motorcycle and scooter dealer has stories of people who lay down their new bike in the first day or two and then never ride again.
- Urban Riding is harder
I think that people underestimate the difference in difficulty between urban and suburban or rural driving & riding. Living in closer proximity to Wrigley Field than I might really have chosen if I had it to do over, I can now spot the suburbanites in traffic just by the way they drive. They are much more likely to be in Information Overload and miss traffic clues which I would consider “obvious,” then have to react quickly as a result (e.g. stop signs & traffic lights, pedestrians/cyclists/skaters, vehicles entering & leaving the flow of traffic from street parking or alleys, double-parkers, car doors opening, cabs making pickups, etc.) Be aware of how familiar you are or aren’t with the environment you’re riding in. The first step to managing risk is realizing you’re at risk.
- Rally riding is harder than normal riding
When riding as part of a large group, there’s generally an incentive to push yourself to keep up with the group, especially if you’re not on familiar territory. This makes the Urban Riding risk worse, too. When we exited LSD on Foster, I was in no hurry to push my luck because I know that part of town pretty well, knew how to get to our destination, and also realized the ride would be over in just a few blocks. The Other Guy was from out of town, though, so he was maybe more focused on keeping up/not getting lost than I was (I’m guessing here, since I didn’t ask). I do know that he did not know how to get to Scooterworks since he asked me if I knew and how far it was.
Riding a motorcycle or scooter creates an interesting set of risks to be managed and (mostly) accepted. Wearing a helmet and safety gear goes a long way towards minimizing injury at low speeds or if a car isn’t involved. Since I mostly ride as transportation in downtown Chicago, I operate in traffic but at speeds of 30-35mph or less, usually more like 15-20mph, which, along with proper safety gear, helps mitigate the risk of serious injury if I do get in an accident.
As I noted above, however, the downside is that downtown is inherently a much more threat-dense environment than the suburbs. There is a lot more variety in the ways you can injure yourself if you’re not careful, so the risk probably doesn’t go down much (if at all); it just shifts from low-frequency, high-impact to higher-frequency, lower-impact.
Regardless, I think it’s strange that if I’m on a motorcycle or scooter, I’m not legally required to have any protective gear but a pair of goggles or sunglasses, whereas if I’m driving a car I have a multitude of safety features like airbags, daytime running lights, anti-lock brakes, and am required by law to wear a seatbelt.
I wonder at the illogic of it all, but accept the risk just the same.
I originally posted most of this to the ChiScooterList mailing list.
Posted in Security and Risk Management, Risk Management
Death by Mortgage
Living in Chicago, one of the second tier of real estate bubble cities, was part of why I decided to go “short the real estate market.” I also didn’t like where we lived and I felt that credit was being extended to people who were not creditworthy (especially given factors like declining real income and negative savings rates), so selling and moving had both quality-of-life reasons and risk management benefits.
Now, the evidence is starting to pile up that I might have been on to something. Calculated Risk points us to a story in BusinessWeek, “Nightmare Mortgages”:
The option adjustable rate mortgage (ARM) might be the riskiest and most complicated home loan product ever created. With its temptingly low minimum payments, the option ARM brought a whole new group of buyers into the housing market, extending the boom longer than it could have otherwise lasted, especially in the hottest markets. Suddenly, almost anyone could afford a home — or so they thought. The option ARM’s low payments are only temporary. And the less a borrower chooses to pay now, the more is tacked onto the balance.
The bill is coming due. Many of the option ARMs taken out in 2004 and 2005 are resetting at much higher payment schedules — often to the astonishment of people who thought the low installments were fixed for at least five years. And because home prices have leveled off, borrowers can’t count on rising equity to bail them out. What’s more, steep penalties prevent them from refinancing. The most diligent home buyers asked enough questions to know that option ARMs can be fraught with risk. But others, caught up in real estate mania, ignored or failed to appreciate the risk.
There was plenty more going on behind the scenes they didn’t know about, either: that their broker was paid more to sell option ARMs than other mortgages; that their lender is allowed to claim the full monthly payment as revenue on its books even when borrowers choose to pay much less; that the loan’s interest rates and up-front fees might not have been set by their bank but rather by a hedge fund; and that they’ll soon be confronted with the choice of coughing up higher payments or coughing up their home.
(emphasis mine)
What’s saddest to me is that anyone is surprised by any of this. When history is written, the real estate bubble is going to look more like a giant asset-backed Ponzi Scheme than anything else. The initial investors were able to get their cash out as more and more people bought in, driven by anecdotal tales of friends who made fortunes in housing and press releases from the National Association of Realtors about how housing prices only go up. Once the pool of credit-worthy applicants for the scam started to run thin, higher-risk loan products were cooked up and pushed out into the world to keep the party going.
Now evaluating this from a risk assessment perspective, let’s distill it out.
- Option ARMs “might be the riskiest and most complicated home loan product ever created.”
The people taking on Option ARMs tend to be people who either cannot qualify for “traditional” (30 year fixed) mortgages, are so blinded by greed (we can afford it, we’ll just use an Option ARM), or actually believe the NAR tripe about, “You should buy all the house you can afford.” Which leads to…
- People buying Option ARMs are not, I strongly suspect, people with a firm understanding of the intricacies of complicated loan products.
I would love to see a survey of how many people with an Option ARM understood just how risky these notes were when they signed on. In that same survey, I would also ask how many of those people understood that under the revised US Bankruptcy code, you can no longer just mail in the keys and walk away from a house.
- Hidden Agendas and “plenty more going on behind the scenes they didn’t know about.”
Bruce Schneier specifically raises the question of what hidden agendas people might have when managing risk in Secrets and Lies. Here, the loan officers and brokers were being incented (paid) to give preference to a high-risk loan product. Who would have me believe that they didn’t emphasize the upside (“low payment!”) over the downside (“your payment will double and you could lose your house!”)? The final nail in the hidden agenda coffin comes if you consider that the people “selling” these loans are brokers, so they’re not stuck holding the trash in the case of a default, meaning that they have no disincentive against selling people a note that they will default on.
Another way to look at it is through my Three Question model:
- Does this solve a problem I have?
Yes. I want to own a house but can’t afford one. An Option ARM lets me buy the house I want when I otherwise couldn’t.
- Does this solution actually solve my problem?
No. I still can’t afford a house, but the Option ARM makes it look like I can…for a while. Then, reality kicks in and now I can’t afford a house any more. At this point, it’s foreclosure time and I’m now in worse shape than I was before from an access-to-credit perspective.
- Is this a cost-effective solution to the problem?
It seems to be up front, and if all I’m shown is the up-side (“Now I can afford a house!”), then it might seem to be. But throw in the Hidden Agenda, and it’s game over. It’s not a cost-effective solution, but the people with the expertise to tell me that are being paid extra commissions to keep their mouths shut.
What’s the end state? As BusinessWeek says:
The option ARM is “like the neutron bomb,” says George McCarthy, a housing economist at New York’s Ford Foundation. “It’s going to kill all the people but leave the houses standing.”
Posted in Security and Risk Management, Risk Management
