Archive for the 'Risk Management' Category
Cyberthreats all the way down
If existence is turtles all the way down, then when it comes to technology and linked infrastructure, John Robb’s latest thought is Cyberthreats all the way down. There’s no good way to excerpt it, so you’ll have to just go read it. But that’s not a Bad Thing.
Still, as you read his statements, consider that they also apply to each component of the infrastructure with generally only syntactic tuning. Within a government or corporate entity, the same framework holds true. Within a business unit. Within a department. On a workstation. Within an application. Within a .dll or .so, etc.
what “Bernard Madoff is to individual investors, AIG is to the global financial community”
AIG was a Ponzi scheme for risk transfer and, IMHO, should be treated accordingly. We (meaning myself and the rest of the current and future taxpayers of the United States) should no more be bailing out AIG and its counterparties than we should be bailing out Bernie Madoff and his institutional counterparties.* And, if the hints in the Institutional Risk Analyst article are to be believed, there is a paper trail to prove this.
I read yesterday (I forget where, I’m sorry to say) that the Madoff investigation is now widening to include his institutional counterparties who, basically, were either incompetent to possess their licenses or knew he was running a fraud but decided to ignore it so long as he continued to produce excessive returns.
Anyway, where I started was with a pair of fairly technical articles about risk transfer and re-insurance that summarize quite nicely what was really going on with AIG in particular and risk layering in general with regards to reinsurance and Credit Default Swaps during the past five years. Eventually, the transferred-but-not-really risk blew up and took everyone left holding it along with it.
Robert Waldman set me off about all this by leading me to this article, “AIG: Before CDS, There Was Reinsurance”:
One of the first things we learned about the insurance world is that the concept of “shifting risk” for a variety of business and regulatory reasons has been ongoing in the insurance world for decades. Finite insurance and other scams have been at least visible to the investment community for years and have been documented in the media, but what is less understood is that firms like AIG took the risk shifting shell game to a whole new level long before the firm’s entry into the CDS market.
In fact, our investigation suggests that by the time AIG had entered the CDS fray in a serious way more than five years ago, the firm was already doomed. No longer able to prop up its earnings using reinsurance because of growing scrutiny from state insurance regulators and federal law enforcement agencies, AIG’s foray into CDS was really the grand finale. AIG was a Ponzi scheme plain and simple, yet the Obama Administration still thinks of AIG as a real company that simply took excessive risks. No, to us what the fraud Bernard Madoff is to individual investors, AIG is to the global financial community.
As with the phony reinsurance contracts that AIG and other insurers wrote for decades, when AIG wrote hundreds of billions of dollars in CDS contracts, neither AIG nor the counterparties believed that the CDS would ever be paid.
As Waldman cogently observes in his post:
Contingent liabilities appear on published balance sheets (I mean Q-10s) at market value and without details. So on the assets side, a CDS has an effect which depends on its notional value and on the liabilities side at its market value.
Now I’d guess that regulators can detect and disallow regulatory benefits from positions which exactly cancel by definition. However, different CDSs can be very close substitutes without being identical. If I buy and write CDS on similar tranches of similar pools, I am not running (or insuring) much risk. If one counts at nominal value and one at market value, can I claim that I am insuring a lot of risk?
No. And don’t let anyone convince you differently because they’re an “expert.” While I’m generally a fan of expertise, I’m an even bigger fan of evidence, and the evidence of unmanaged risk has now been spread across the front page of the paper for six months.
* While I’m moderately sympathetic to the individuals who lost money when Madoff’s fraud unwound, they ultimately need to realize that they were victims of their own greed. Excessive returns always come with excessive risk. In this case, the risk happened to be that the Ponzi scheme would end before they pulled their money out. Just because they didn’t know the nature of the risk does not entitle them to be made whole beyond what can be recovered from Madoff and his wife, cronies, etc. I can only think of one case (the guy who tried to get the SEC to investigate Madoff) where anyone said, “This guy is beating the market so much that he can’t be on the level.”
As to participants in the banking system, I’m even less sympathetic. Nationalize, recapitalize as necessary, wipe out the equity holders. Again, you didn’t hear them crying when they were seeing excessive returns while things were going well. And I include myself in the group who will be hurt by this move; I still own a few shares in my former employer.
Posted in Risk Management | 1 Comment
Business Risk, Parking meter edition
Here in my fair city of Chicago, a 75-year franchise for the operation of 36,000 parking meters was recently sold to “Chicago Parking Meters, which is part of a joint venture led by the financial services giant Morgan Stanley” for $1.2 billion.
But the plan has gotten off to a rocky start.
Chicago is sending out its own mechanics–and billing the private company now responsible for operating parking meters in the city–in a belated effort to catch up on a torrent of problems that include broken meters and inaccuracies in signage about parking rates and enforcement, officials said today.
I’m not a fan of selling off infrastructure or future cashflows for those sorts of time periods, but I guess Mayor Daley couldn’t find my number when he was asking around for opinions.
Regardless, I’d noticed that the meters in front of my house had gone from being basically 100% utilized, 24-by-7, to 25% utilized or less. I didn’t think too much of it until I noticed the new stickers on the front which informed me that the price to park had been quadrupled from $0.25/hour to $1.00 an hour. Hey, I thought, the demand curve is real after all. I should blog about that. Good Econ 101 example there. But I never got around to it.
Then something funny happened. I tried to park at a couple of meters and noticed that they were flashing “Out of order.” I didn’t think too much of it. Then, I had a couple of experiences where I saw that every meter around an intersection was “Out of order,” with either a quarter or other object jammed in them. Perhaps I’m showing my pessimistic/security paranoid side, but I thought, What are the odds that every meter at this intersection is out of order? I wonder if someone is sabotaging them?
Now, though, I find that this is just Hanlon’s Razor in action:
The concessionaire is working “as quickly as possible” to fix meters that are jammed with coins because they were not emptied, Ed Walsh, spokesman for the Chicago Department of Revenue, said Wednesday.
They quadrupled rates, and even with the decreased demand, they still can’t keep them emptied. I wonder if they even considered the risk of having meters knocked offline due to inadequate coin storage capacity?
Posted in Security and Risk Management, Risk Management, economics | No Comments
Business Risk, Part ][
Clay Shirky has a great essay up, “Newspapers and Thinking the Unthinkable.”
Back in 1993, the Knight-Ridder newspaper chain began investigating piracy of Dave Barry’s popular column, which was published by the Miami Herald and syndicated widely. In the course of tracking down the sources of unlicensed distribution, they found many things, including the copying of his column to alt.fan.dave_barry on usenet; a 2000-person strong mailing list also reading pirated versions; and a teenager in the Midwest who was doing some of the copying himself, because he loved Barry’s work so much he wanted everybody to be able to read it.
One of the people I was hanging around with online back then was Gordy Thompson, who managed internet services at the New York Times. I remember Thompson saying something to the effect of “When a 14 year old kid can blow up your business in his spare time, not because he hates you but because he loves you, then you got a problem.” I think about that conversation a lot these days.
Gives new meaning to “Killing them with kindness.”
Obviously, there’s the Business Risk aspect of this all: when your biggest fans are the worst enemies of your business model, you’ve got a serious problem. The problem with the model is probably that it’s based on scarcity, and scarcity is no longer the basis of a business model for anything but physical commodities.
Now, I’m starting to wonder what the next business model to succumb to “the marginal cost of a copy approaches zero” will be. I’m going way out on a limb, but I think the next model will be basic IT services.
What?!, you’re probably thinking. Work with me here. The incremental cost of adding a row to a database has been essentially zero for some time. When I was working in online dating, the cost of adding a new user was close enough to zero that it almost wasn’t meaningful to try to accurately measure it (too many variables to wind up with a value that was both meaningful and accurate except at the highest aggregate levels). We effectively had a fixed cost which we then distributed across our subscriber base.
Gmail, Yahoo mail, and Hotmail all brought a similar cost model to email. As the cost of adding an account fell, the variety of options for generating enough revenue fell with it. I think I pay less than five dollars per year for email hosting of my domain, and that’s for something like 25GB of storage and unlimited inboxes. The key is that email hosting no longer costs enough that I consider it worth tracking.
The challenge today is not about finding the next digital asset or service whose marginal cost-per-copy is zero at one copy. It’s about managing the risk that it happens in some way your firm is not well-positioned to adapt to (or, more honestly for most firms, to attempt to prevent), either because it takes money out of your pocket as a provider or because it costs you competitive advantage when your competitors are better able to take advantage of the situation than your firm is.
Extra credit to all of those who know where “][” comes from, even if it has only the most tenuous relationship to this post.
Photo from Boston Globe’s “Big Picture”
This week in Dilbert
In case you don’t read Dilbert, yet do read this blog (a quite small number, I’m sure), this week he’s having fun with “Risk Management Software.”
Posted in Security and Risk Management, Risk Management | No Comments
Now this is business risk
Mozilla is worried about life when Google no longer needs them
Google accounts for more than 88% of Mozilla’s revenue, which totaled $75 million in 2007. And as Mozilla wins over users of Internet Explorer, it helps Google grab share in the lucrative Web search market. Firefox has about 22% of the browser market, making it by far the strongest competitor to Internet Explorer, which maintains a 67% share, according to Net Applications.
How much longer this pairing can last has been called into question since September, when Google introduced its own Web browser, Chrome.
Now I’m guessing that Google won’t walk away from owning the default search option on 22% of browsers (as are most of the people the story talked to), but if you’re Mozilla, you still have to have a contingency plan in place for losing 88% of your revenue overnight.
A revenue monoculture is just as risky as any other kind of monoculture.
Posted in Risk Management, economics | 1 Comment
Double-edged sword
Cory Doctorow is in love with an app for his Android G1 smartphone which shims the dialer of Android devices to make calling card calls without him having to dial the entire series of numbers to get the cheap rates:
…today I downloaded my first game-changing app: Android Calling Card, which auto-dials any cheapo calling card you buy down at the corner store, and the PIN, and then any number from your address book, automagically. It supports multiple cards (the cornershop card-array is very country specific — Eastern Europe, USA, China, and other nations all have their own cards) and unobtrusively shims itself into the phone’s built-in dialer app.
I just used it for an hour-long overseas conference-call — the kind of thing that used to cost me £20 or £30 — and the total cost was £0.51!
Of course, I wonder how far behind it the malware version is, which shims the dialer to route your call through Tunisia or some other hyper-expensive billing fraud channel. And what are our options (if any) to protect ourselves against it?
Posted in Security and Risk Management, Risk Management, EUC 2.0 | No Comments
EFF Guide to Risk Management
The Electronic Frontier Foundation (of which I’m a member) has a new Surveillance Self-Defense Guide which includes a Risk Management Primer. They define Risk Management as:
Security Means Making Trade-Offs to Manage Risks
Security isn’t having the strongest lock or the best anti-virus software — security is about making trade-offs to manage risk, something we do in many contexts throughout the day. When you consider crossing the street in the middle of the block rather than at a cross-walk, you are making a security trade-off: you consider the threat of getting run over versus the trouble of walking to the corner, and assess the risk of that threat happening by looking for oncoming cars. Your bodily safety is the asset you’re trying to protect. How high is the risk of getting run over and are you in such a rush that you’re willing to tolerate it, even though the threat is to your most valuable asset?
That’s a security decision. Not so hard, is it? It’s just the language that takes getting used to. Security professionals use four distinct but interrelated concepts when considering security decisions: assets, threats, risks and adversaries.
They go on to explain the rest of the relevant concepts as well as how to put them all together effectively and appropriately. I might have a few quibbles with a bit here or there, but I still highly recommend this as an accessible overview of Information Risk Management.
Posted in Security and Risk Management, Risk Management, Definitions | No Comments
The view from my window
This is the view from my window today, March 1st.
The forecast was for “a.m. flurries,” but I am reminded not only that March is still a long way from spring, but also that weather is one of the few forms of forecasting or uncertainty that most people make any effort to understand, and even then their understanding is frequently incorrect.
Pop quiz: what does a 40% chance of rain mean?
Posted in Security and Risk Management, Risk Management | No Comments
War of words
Someone should explain to the fine folks at Central Command that after the documents are on Wikileaks is not the most effective time to turn off the server. http://oneteam.centcom.mil is down as I write this. It seems they shut the whole box down, rather than just taking the Web server offline.
February 27, 2009
WIKILEAKS EDITORIAL
Wikileaks has cracked the encryption to a key document relating to the war in Afghanistan. The document, titled “NATO in Afghanistan: Master Narrative”, details the “story” NATO representatives are to give to, and to avoid giving to, journalists.
[Photo caption: An unrelated leaked photo from the war: a US soldier poses with a dead Afghani man, in the hills of Afghanistan]
The encrypted document, which is dated October 6, and believed to be current, can be found on the Pentagon Central Command website “oneteam.centcom.mil”: [UPDATE Fri Feb 27 15:18:38 GMT 2009: the entire Pentagon site is now down–probably in response to this editorial]
http://oneteam.centcom.mil/isc/Shared%20Documents/NATO%20Master%20Narrative.doc
The encryption password is progress, which perhaps reflects the Pentagon’s desire to stay on-message, even to itself.
I fight this same fight every day in my job and we have no better luck than CentCom. We just don’t get to shut down the servers when people screw up.
Posted in Security and Risk Management, Risk Management | No Comments