This past Thursday, former Fed chairman Alan Greenspan testified about his role in the economic crisis before the House Oversight and Government Reform Committee headed by Rep. Henry Waxman. While a vocal chorus of critics, including at least two Nobel Prize winners in economics, contend that Greenspan is largely responsible for the market collapse, Greenspan has thus far maintained that he was entirely without blame. Yet his congressional testimony sounded, at times, unexpectedly contrite. The parts I found most interesting:
Alan Greenspan: Uncritical acceptance of credit ratings by purchasers of these toxic assets has led to huge losses. It was the failure to properly price such risky assets that precipitated the crisis. In recent decades, a vast risk management and pricing system has evolved, combining the best insights of mathematicians and finance experts, supported by major advances in computer and communications technology. A Nobel Prize was awarded for discovery of the pricing model that underpins much of the advance in derivatives markets. This modern risk management paradigm held sway for decades. The whole intellectual edifice, however, collapsed in the summer of last year, because the data inputted into the risk management models generally covered only the past two decades, a period of euphoria. [...]
I made a mistake in presuming that the self-interest of organizations, specifically banks and others, was such that they were best capable of protecting their own shareholders and their equity in the firms. [...]
I found a flaw in the model that I perceived is the critical functioning structure that defines how the world works, so to speak.
Chairman Waxman: In other words, you found that your view of the world, your ideology, was not right, it was not working.
Alan Greenspan: Precisely. That’s precisely the reason I was shocked, because I had been going for 40 years or more with very considerable evidence that it was working exceptionally well.
The Times has a summary, and a complete preliminary transcript is available from the Committee website, which includes the prepared statements that were delivered. If you’re looking to figure out more of how the crisis came to be, skimming the transcript is a good place to start. And the Times’ Bits blog has a fascinating post putting Greenspan’s comments about risk management systems in context. In short, computers don’t help if you lie to them.

I have three observations about Finland: it’s cold, expensive, and there are little naked people in the headboard of my hotel bed. (Stay classy, Radisson SAS.)
I was in Helsinki last week to deliver the keynote at T2, a phenomenally organized little security conference that attracts some very smart people. At less than a hundred attendees, it’s a much more intimate and social conference setting than I’m used to, and I just had a blast.
My talk on the bitter and miserable tale that is desktop security was two hours long, which is about double the length of my usual keynotes. In preparing the presentation, I pulled together a lot of material that I had floating around in various places, and I’ve decided to turn the result into a longer essay on desktop security in lieu of posting my slide deck directly. Until I do so, let me share a few conference highlights.
Outpost24’s Jack Louis and Robert E. Lee, two American expats now living in Sweden, gave an amusing demo of their sockstress TCP/IP state table attacks, which have been getting some attention lately. They’re working with vendors and didn’t make public any technical details of the attacks, but the attacks do look Very Serious. They also look rather misunderstood. This isn’t Yet Another Connection Flood or a SYN cookie problem. The demo brought a fully-patched XP machine to a complete freeze in about three minutes with only 30-40 (malicious) connections per second, and network utilization at the victim floating around 0.1% of 100Mbit/s. I have several ideas about what’s happening and hope to independently verify some of the attacks in the lab, but at first glance, these guys have only scratched the surface of what’s a rather unpleasant class of attacks. We’ll probably be dealing with this mess for a good, long while.

Sockstress demo. Pinball on the victim machine starts lagging and then comes to a total standstill with the rest of the OS in a few minutes.
The Pirate Bay’s founder, TiAMO, gave a talk with Toolcrypt’s olleB about IPETEE, their idea for a mass-deployed, application-transparent opportunistic encryption system to prevent wide-scale passive wiretapping on the Internet. The original proposal made me very uneasy, being an obviously amateur design with highly questionable design choices; I spent some time talking to the guys, and as I suspected, they’ve done neither protocol design nor crypto before. Luckily, they’re quite sharp and very good sports, and after several conversations, I think I’ve convinced them to consider making IPETEE just a zero-configuration transparent (D)TLS/AES-CTR implementation with null certificates. It looks like this can be massaged into addressing their threat model and design requirements fully, and might actually make a pretty neat system.

Yes, this man runs the website that continues to have great success pissing off the world’s most powerful media lobbies. He’s also great fun to drink with.
Finally, the Finnish security giant F-Secure is headquartered a subway stop away from the conference hotel, and their research chief Mikko Hyppönen kindly invited me over for a tour of their lab. F-Secure does a lot of excellent malware research work, and a look at their backend tools paints a frightening picture. They currently operate a 17TB malware archive consisting of about 14.5 million samples — managed, of course, through a Python web frontend. They’re receiving 50 thousand malware samples a day, of which 15-20k are unique, and have some frightening visualizations, including a real-time overlay of viral infections and botnets within Google Earth. I also took a look at their cell phone malware testing lab, which, through a partnership with Nokia, is able to simulate a real GSM “red” network for securely examining malware that sends SMS or MMS messages, or otherwise requires cellular connectivity.

Execution flow visualization for the Bagle worm. Boxes are subroutines; they start blue and turn red when invoked.

And how do they keep the cell phone viruses they’re examining from spreading wirelessly? They do all the testing in a walk-in Faraday cage, of course! “35 GHz, stops everything,” Mikko tells me excitedly, then for a split second sounds crestfallen: “Except radar.” (I have it on good authority that Apple isn’t planning to add a radar dish to the next version of the iPhone, so Mikko has little immediate cause for concern.)

T2 is an excellent conference, and I had a great time with some very fun people — if you can attend, I recommend it wholeheartedly.

The T2 speakers’ dinner, at the excellent restaurant Lappi.
LAPTOP Magazine interviews Andy Tung, director of U.S. Sales for MSI, which sells between 150 and 250 thousand of its MSI Wind subcompact notebooks (“netbooks”) a month. Money quote:
We have done a lot of studies on the return rates and haven’t really talked about it much until now. Our internal research has shown that the return of netbooks is higher than regular notebooks, but the main cause of that is Linux. People would love to pay $299 or $399 but they don’t know what they get until they open the box. They start playing around with Linux and start realizing that it’s not what they are used to. They don’t want to spend time to learn it so they bring it back to the store. The return rate is at least four times higher for Linux netbooks than Windows XP netbooks. … But we are working on some of the issues with the SUSE Linux and even continue to explore other flavors of Linux. We have discussed Ubuntu with a Mac OS type of look and feel. We are talking to different suppliers to figure out the best user experience.
When “the best user experience” means making the best Apple knockoff, there’s going to be… a hard time meeting expectations.