Archive for January, 2009

Things fall apart

Saturday, January 24th, 2009

From the conclusion of a great article on the role of Collateralized Debt Obligations (CDOs) in Wall Street’s ongoing self-destruction:

John Gutfreund did violence to the Wall Street social order—and got himself dubbed the King of Wall Street—when he turned Salomon Brothers from a private partnership into Wall Street’s first public corporation. …He and the other partners not only made a quick killing; they transferred the ultimate financial risk from themselves to their shareholders. It didn’t, in the end, make a great deal of sense for the shareholders. (A share of Salomon Brothers purchased when I arrived on the trading floor, in 1986, at a then market price of $42, would be worth 2.26 shares of Citigroup today—market value: $27.) But it made fantastic sense for the investment bankers.

From that moment, though, the Wall Street firm became a black box. The shareholders who financed the risks had no real understanding of what the risk takers were doing, and as the risk-taking grew ever more complex, their understanding diminished. The moment Salomon Brothers demonstrated the potential gains to be had by the investment bank as public corporation, the psychological foundations of Wall Street shifted from trust to blind faith.

No investment bank owned by its employees would have levered itself 35 to 1 or bought and held $50 billion in mezzanine C.D.O.’s. I doubt any partnership would have sought to game the rating agencies or leap into bed with loan sharks or even allow mezzanine C.D.O.’s to be sold to its customers. The hoped-for short-term gain would not have justified the long-term hit.

Martingales

Friday, January 16th, 2009

The former President of the MIT Blackjack Team has weighed in on the current financial crisis, and it’s a doozy.

The mathematics of probability that govern the trade-offs of risk and reward are fundamentally counter-intuitive.

The reason that societies ban pyramid schemes outright, instead of relying on the market to make them unprofitable, is that most people trust their intuition, and their intuition leads them astray. If you were to wait for the market to run its course on a pyramid scheme, the losses could devastate a whole country, as Albanians found out a few years ago.

I don’t know that I necessarily agree with his conclusion–I think it’s impractical as well as politically infeasible. But I strongly suggest you read on, if only for his supremely eloquent explanation of what a Martingale is and what the implications are for the current financial crisis around the globe if he’s correct.

Ironic Death Risk

Wednesday, January 14th, 2009

From Harper’s Index:

Number of members of the rock band Anthrax who said they hoarded Cipro so as to avoid an “ironic death”: 1

There is nothing I can add to this.

(h/t BoingBoing)

Need versus want

Wednesday, January 14th, 2009

Bob has raised some really good points, so I’m going to throw my own thoughts on the pile here.

First, while we, as corporate citizens, talk about cost, we’re really talking about “need” versus “want.” For example, with email,

The time when an enterprise can afford to supply email from an internal system has left us.

Sure, once upon a time the only way to have email was to run the servers yourself. But not any more. Unless a company has some regulatory or contractual reasons why email data cannot be put at risk of third-party access (in which case, it’s probably airgapped), then it can be moved to The Cloud. It’s about “need” versus “want.” Companies need email. They want to have it in-house. Even if many large entities now have it pseudo-in-house, meaning they pay for the servers and the people, but it’s all outsourced.

All of which is a long-winded way of asking, “So why are we still paying for a Very Large (== “Enterprise”) version of a departmental mail server? Why not just go buy it as a service?” We can get the exact same set of features for a lot less money if we’re willing to be honest with ourselves about how much of keeping things “in house” is about control and gets passed off as risk management. Sure, we’re going to ask a bunch of very responsibility-averse decision makers to now accept risks that they ignore/live in denial of (i.e. accept) today. But making the senior leadership feel better about themselves should not be why a company exists. In theory, they’re paid the big bucks because they’re the least afraid of these decisions. In reality, I’d argue they’re walking examples of Loss Aversion in action just like everyone else, aggravated by the fact that the losses would be direct and personal but the gains would go to the company.

Similar arguments can be made for most of the services Bob listed. Throw in the fact that if these things go away, the people go away with them, and making the hard decisions becomes that much harder, since very few people are going to voluntarily make themselves redundant or reduce their budget and prestige, even if they know it’s the Right Thing to do.

Services to the Desktop

Monday, January 12th, 2009

The enterprise needs to change how it provides services to the desktop. What services do the users really need from us, and how can we continue to provide them?

Internet/Intranet Web Services

More and more of the services we use are based on the big bad Internet standards from the W3C. The enterprise needs to deliver these services without proprietary tools that limit what computing systems they can be run on (see: http://www.anybrowser.org/campaign/). Oh, and maybe we should start moving some of this out of our costly data centers and onto systems like Amazon EC2.

Email

The Internet community has developed email standards that serve millions of accounts. IMAP/POP and SMTP deliver email to client computers at the lowest cost and in the most effective manner. The time when an enterprise can afford to supply email from an internal system has left us. Tools such as Gmail/Postini or Zimbra can deliver email without the need for any infrastructure or staff. Just move the MX record, folks.

Calendaring

Calendaring is an interesting problem. The enterprise seems to think that Notes or Exchange can deliver the goods, yet neither of these can deliver free/busy to the extended family that is our supply chain. Since standards such as CalDAV are not deployed, we have to fall back to something like Salesforce.com and Google Calendar or Zimbra to fix this now.

Instant Messaging

Instant Messaging is both the bane and the boon of end users: we hate it, but we have to have it. What works out in the real world: XMPP / Jabber. You can put your own in and link out, or just use what is out there, depending on your needs and fears.

Desktop applications such as word processing, data management, etc.

The desktop software industry would make you think that you have to run Windows so that you can have the applications you need. While I am a bit of a Mac fan boy, mostly due to a bit of ego and the enjoyment of fine hardware, the software that Apple supplies fills the needs of many, many individuals. The only issue for Mac in the 2009 enterprise is the fact that we have to run on the existing hardware, which we cannot afford to replace. While there are some who actually need Microsoft Office, as well as some who need Photoshop, the vast majority do not. OpenOffice is the great wedge we have to fill this gap. OpenOffice is also a big stick; being a large software package, it needs significant support. Systems like Google Docs are now good enough for most work, and the collaboration tools they provide go way beyond anything commercially available.

File storage

There are two major needs for file storage: first, for end users to keep stuff around for others and to share; second, for backup of local data. While it is a grand vision to keep all of your data in the Cloud with Google Docs, Dropbox, or Backpack, users will make files and want to manage and keep them. The enterprise must provide services to manage that data.

Computing to support the above items

As you can see from the above list of services, the actual desktop does not really matter that much. If it supports a standards-based browser such as Firefox, an email client like Thunderbird, and some sort of networking, you are in the pink. Today the key is the cost of ownership: what you need to support that desktop is where you get hit! What do we really need to do in the enterprise? Count ’em, authenticate ’em, update ’em. We have to stay away from targeted solutions that limit the OS we are using. Looking at the existing hardware in the enterprise, we are limited to something that is x86 based. In the final analysis, Linux is the right tool for the time. You need very little to be a Linux shop: LDAP, syslog, maybe Samba, and Wine for the needy. For now, no viruses, no spyware, etc.; how much money and time does that save?

Pull down Ubuntu 8.10 and install it! Start a project to really save money in your enterprise! The savings here are real, as are the productivity gains, the improved user satisfaction, and the complexity reduction. Overcoming the inertia and thinking differently about your services is hard. The morass of legislation, along with corporate governance rules, may scare some off of this, but simplifying your environment and freeing up resources to improve the speed of the enterprise is the goal here.

If you do this please help by contributing resources to the community.  It pays you back instantly!

- Bob

Trust Storm

Monday, January 12th, 2009

Courtesy of Heise, we learn details of flaws that researchers have found in the storm worm botnet.

The whole article is interesting, but I found this most interesting:

Using this background knowledge, they were able to develop their own client, which links itself into the peer-to-peer structure of a Storm Worm network in such a way that queries from other drones, looking for new command servers, can be reliably routed to it. That enables it to divert drones to a new server. The second step was to analyse the protocol for passing commands. The researchers were astonished to find that the server doesn’t have to authenticate itself to clients, so using their knowledge they were able to direct drones to a simple server.

What kind of savant goes to all the trouble of building a worm as sophisticated as Storm and then leaves out authentication? This sort of thing is why I still hold out hope for the future of computing–the Bad Guys can make dumb moves just as serious as the rest of us.

The Cost of Doing Windows

Monday, January 12th, 2009

The current enterprise infrastructure is expensive, designed and based on the need to preserve the status quo rather than deliver optimal services. Thinking in terms of the services we must deliver, the platform becomes less and less relevant. Look at the percentage of services we can get from the Cloud (both external and internal), and the platform becomes nearly irrelevant.

We have to “buy” the most cost-effective platform. Microsoft Windows is not cost effective — it requires its own set of services just to provide a minimal platform. No, it will not all go away with Linux, but many of those services do, or become a much smaller problem and require a lot less engineering & architecture to provide the required services.

Change happens in volatile times. This is a volatile time…

Bob

Happiness

Sunday, January 11th, 2009

Courtesy of Twitter admins and famous users, we get another example of poor passwords leading to a breach:

An 18-year-old hacker with a history of celebrity pranks has admitted to Monday’s hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama’s, and the official feed for Fox News.

The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter’s administrative control panel by pointing an automated password-guesser at a popular user’s account. The user turned out to be a member of Twitter’s support staff, who’d chosen the weak password “happiness.”

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

“I feel it’s another case of administrators not putting forth effort toward one of the most obvious and overused security flaws,” he wrote in an IM interview. “I’m sure they find it difficult to admit it.”

I tend to agree with him. Twitter had not implemented basic authentication controls. My preferred list:

1) Never share or disclose passwords. This is completely unnecessary on modern systems and the only reason it happens is because admins don’t know how to manage access to privileged resources. If the admins request an exception for shared passwords (you have a policy of no password sharing, right?), the solution is to get better admins.

Human nature, followed closely by phishing, is the obvious failure here. Human nature won’t change, but it remains a significant user and technology issue.

2) Enforce password complexity. This is difficult with public Web sites, I realize, but admins should at least have a policy requirement to do so. You can check this by running a cracker such as John The Ripper against your internal database. It’s quite fast and will produce a reasonable level of confidence in password strength pretty quickly.

3a) Limit login attempts–lock out accounts after a suitable number of attempts–it could actually be pretty high if combined with complexity.
and/or
3b) Monitor logs for brute-force login attempts. But do so automatically, including a reactive control to disable or otherwise block the login attempt. And review the incidents.
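As an added illustration of 3a and 3b together (example code written for this page, not anything Twitter or the post's author ran), a monitor that reads constructed authentication log lines, locks an account after a configurable number of failures inside a sliding window, refuses further attempts against the locked account even if the guess is correct, and keeps an incident list for review. The log format and the threshold of five are assumptions chosen for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original post): five
# rapid failures against support_joe, then a correct guess that must still be
# refused because the account is now locked; alice's single typo is harmless.
SAMPLE_LOG = [
    f"2009-01-05T03:14:{s:02d} login user=support_joe src=198.51.100.7 result=FAIL"
    for s in range(5)
] + [
    "2009-01-05T03:14:05 login user=support_joe src=198.51.100.7 result=OK",
    "2009-01-05T03:20:00 login user=alice src=203.0.113.9 result=FAIL",
    "2009-01-05T03:20:09 login user=alice src=203.0.113.9 result=OK",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


class BruteForceMonitor:
    """Counts failures per account in a sliding window and locks the account
    once the threshold is reached (3a); every lock, and every attempt against
    a locked account, is recorded as an incident for review (3b)."""

    def __init__(self, threshold=10, window=timedelta(minutes=5)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked = {}                    # user -> time the lock was applied
        self.incidents = []                 # (ts, user, src, event) for review

    def observe(self, line):
        m = LINE_RE.match(line)
        if not m:
            return None                     # unparseable line: skip it here
        ts = datetime.fromisoformat(m["ts"])
        user, src = m["user"], m["src"]
        if user in self.locked:             # reactive control: refuse the
            self.incidents.append((ts, user, src, "rejected-locked"))
            return "REJECT"                 # attempt even if the guess is right
        if m["result"] == "OK":
            self.failures[user].clear()
            return "ALLOW"
        recent = self.failures[user]
        recent.append(ts)
        while ts - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked[user] = ts
            self.incidents.append((ts, user, src, "locked"))
            return "LOCK"
        return "FAIL"


def run(lines=SAMPLE_LOG, threshold=5):
    """Feed log lines through one monitor; return (decisions, incidents)."""
    mon = BruteForceMonitor(threshold=threshold)
    return [d for d in map(mon.observe, lines) if d], mon.incidents
```

A per-source counter is the natural complement for guessers that spread attempts across many accounts; the per-account lock above is what the post's 3a describes.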

Passwords rely on a few simple controls, and can be quite effective if they are all followed. If they are not, however, then you wind up on 27bstroke6.

For all the two-factor fans in the house, I recently had to have some folks fired for performing out-of-band (voice) disclosure of SecurID values to bypass remote access restrictions (I caught them by reviewing access logs after I suspected they were at risk for misbehavior, btw), so don’t try to hide behind that.

Similarly, Smart Cards, to quote a friend of mine at the Department of Defense, “are only as smart as the General’s picture on the front of it.” People tend to either leave the card in the machine (unifying it with door systems helps with this) or at least store it in their laptop bag if they have a laptop, in which case it’s worse-than-useless in a lost laptop scenario.

Also, strong authentication mechanisms tend to have some sort of graceful degradation built in, which can be an easy branch of the attack tree as well.

The key thing to realize is that no authentication mechanism is a perfect preventative control. You need compensating controls like log analysis to actually have any confidence that your beautiful technology hasn’t been bypassed by some clever people.

One final thought–why was admin functionality incorporated into the user-side of a public Web site in the first place? The best way to manage the risk of an admin account compromise is to avoid it by not having it publicly accessible in the first place!

Definitions: Recession vs. Depression

Sunday, January 11th, 2009

I’ve been meaning to post this for a while. From the Economist, it’s the definition-ish of Recession vs. Depression:

THE word “depression” is popping up more often than at any time in the past 60 years, but what exactly does it mean? The popular rule of thumb for a recession is two consecutive quarters of falling GDP. America’s National Bureau of Economic Research has officially declared a recession based on a more rigorous analysis of a range of economic indicators. But there is no widely accepted definition of depression. So how severe does this current slump have to get before it warrants the “D” word?

A search on the internet suggests two principal criteria for distinguishing a depression from a recession: a decline in real GDP that exceeds 10%, or one that lasts more than three years. America’s Great Depression qualifies on both counts, with GDP falling by around 30% between 1929 and 1933. Output also fell by 13% during 1937 and 1938. The Great Depression was America’s deepest economic slump (excluding those related to wars), but at 43 months it was not the longest: that dubious honour goes to the one in 1873-79, which lasted 65 months.

I include this for reference since, as the Economist notes, the word “depression” keeps popping up and, from what I can tell, most people have nothing more solid than half-remembered black and white photos of bread lines from History or Economics 101 to define depression in their own minds.

Worst passwords

Saturday, January 3rd, 2009

Here is a list of the 500 worst (most frequently chosen) passwords:

From the moment people started using passwords, it didn’t take long to realize how many people picked the very same passwords over and over. Even the way people misspell words is consistent. In fact, people are so predictable that most hackers make use of lists of common passwords just like these. To give you some insight into how predictable humans are, the following is a list of the 500 most common passwords. If you see your password on this list, please change it immediately. Keep in mind that every password listed here has been used by at least hundreds if not thousands of other people.

There are some interesting passwords on this list that show how people try to be clever, but even human cleverness is predictable.

Dating myself a bit, I’ll admit that my favorite is “8675309.” Also, I was surprised that “123456” edged out “password” for the #1 spot and that we didn’t see any outright profanity until #9.

No explanation of the source of the data or the frequency counts, so pretty limited usefulness, but it’s still interesting. I’d love to see the dropoff from a frequency graph of this. It’s taken from the book “Perfect Passwords: Selection, Protection, Authentication,” and the blurb on Amazon says the authors analyzed over two million passwords to get their list.
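The complexity policy from the “Happiness” post above and the common-password list here fit together into one check at password-change time, written as an added example (not from either post or the book): a password is rejected if it is short, uses too few character classes, or is a trivial variant of a blocklisted word, since the post notes that even people’s attempts at cleverness are predictable. The blocklist below is a constructed excerpt, the length and class thresholds are assumptions, and a real deployment loads the full published list from a file.

```python
import re

# Constructed excerpt of a common-password blocklist: the values the posts
# above mention plus a few obvious neighbours. A real deployment loads the
# full published list (and ideally a much larger one) from a file.
COMMON_PASSWORDS = {"123456", "password", "happiness", "8675309",
                    "qwerty", "letmein", "welcome"}

# Letter-for-digit/symbol substitutions that guessers undo as a matter of routine.
LEET = str.maketrans("0134578@$", "oieastbas")

CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def normalized_forms(pw):
    """Forms of pw a wordlist guesser would also try, most literal first:
    lowercased, then trailing digits/symbols dropped, then leet undone."""
    low = pw.lower()
    forms = [low]
    stripped = re.sub(r"[\W\d_]+$", "", low)   # "happiness1!" -> "happiness"
    if stripped:                               # all-digit input stays as is
        forms += [stripped, stripped.translate(LEET)]  # "h4ppiness" -> "happiness"
    return forms


def check_password(pw, min_length=12):
    """Return the list of policy problems with pw (empty means it passes).
    Complexity is three of four character classes, waived for passphrases of
    20+ characters; the blocklist check catches trivial variants too."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sum(bool(re.search(c, pw)) for c in CLASSES) < 3 and len(pw) < 20:
        problems.append("fewer than 3 character classes")
    hit = next((f for f in normalized_forms(pw) if f in COMMON_PASSWORDS), None)
    if hit is not None:
        problems.append(f"variant of common password {hit!r}")
    return problems


def audit(candidates):
    """Policy check over (account, proposed password) pairs, e.g. at password
    change time; returns only the accounts whose choice would be rejected."""
    report = {}
    for user, pw in candidates:
        problems = check_password(pw)
        if problems:
            report[user] = problems
    return report
```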

(h/t BoingBoing)