Canary in the Coal Mine - Day

Sunday, May 7, 2017

10:13AM

"If you’ve got people who don’t even have addresses, let alone credit ratings, how do you sell them energy? Well, that’s easy. You design a meter which will dispense electricity when you type in a twenty-digit magic number. The cryptography that makes that work is what I worked on. You can get your twenty-digit magic number if you’re in downtown Johannesburg by going up to a cash machine and getting it printed out on a slip and your account debited. If you’re in rural Kenya, you use mobile money and you get your twenty-digit number on your mobile phone. It really is a flexible and transportable technology, which is an example of the good that you can do with cryptographic mechanisms."

"This is an example of network effects. We now understand that they’re absolutely pervasive in the IT industry. It’s why we have so many monopolies. Markets tip because of technical reasons, because of two-sided markets, and also for social reasons. About ten years ago, I had a couple of new research students coming to me, so I asked them what they wanted to study. They said, “You won’t believe this, Ross, but we want to study Facebook privacy.” And I said, “You what?” And they said, “Well, maybe an old married guy like you might not understand this, but here in Cambridge all the party invitations now come through Facebook. If you’re not on Facebook, you go to no parties, you meet no girls, you have no sex, you have no kids, and your genes die out. It’s as simple as that. You have to be on Facebook. But we seem to have no privacy. Can that be fixed?” So they went away and studied it for a few months and came to the conclusion that, no, it couldn’t be fixed, but they had to be on Facebook anyway. That’s the power of network effects. One of the things that we’ve realized over the past fifteen years is that a very large number of the security failures that afflict us occur because of network effects."

"Back in the early 1990s, for example, if you visited the Microsoft campus in Redmond and you pointed out that something people were working on had a flaw or icould be done better, they’d say, “No, we’re going to ship it Tuesday and get it right by version three.” And that’s what everybody said: “Ship it Tuesday. Get it right by version three.” It was the philosophy. IBM and the other established companies were really down on this. They were saying, “These guys at Microsoft are just a bunch of hackers. They don’t know how to write proper software.”

But Bill had understood that in a world where markets tip because of network effects, it’s absolutely all-important to be first. And that’s why Microsoft software is so insecure, and why everything that prevails in the marketplace starts off by being insecure. People race to get that market position, and in the process they made it really easy for people to write software for their platform.They didn’t let boring things like access controls or proper cryptography get in the way."

"Once you have the dominant position, you then put the security on later, but you do it in a way that serves your corporate interests rather than the interests of your customers or your users. You do it in such a way that you lock-in your customer base, your user base. Once we understood that, that was a big “aha” moment for me back in 2000 or 2001. It became immediately obvious that understanding network economics in detail was absolutely central to doing even a halfway good job of security engineering in the modern world."

"Twenty years ago, I could find everything about you that was on the World Wide Web, and you could do the same to me, so there was mutuality. Now, if you’re prepared to pay the money and buy into the advertising networks, you can buy all sorts of stuff about my clickstream, and find out where I’ve been staying, and what I’ve been spending my money on, and so on. If you’re within the tent of the intelligence agencies, as Snowden taught us, then there is very much more still. There’s my location history, browsing history, there’s just about everything."

"Conflict also comes in. If I’m, let’s say, the Chinese government, and I’m involved in a standoff with the American government over some islands in the South China Sea, it’s nice if I’ve got things I can threaten to do short of a nuclear exchange.

If I can threaten to cause millions of cars in America to turn right and accelerate sharply into the nearest building, causing the biggest gridlock you’ve ever seen in every American city simultaneously, maybe only killing a few hundred or a few thousand people but totally bringing traffic to a standstill in all American cities— isn’t that an interesting weapon worth developing if you’re the Chinese Armed Forces R&D lab? There’s no doubt that such weapons can be developed."

"All of a sudden you start having all sorts of implications. If you’ve got a vulnerability that can be exploited remotely, it can be exploited at scale. We’ve seen this being done by criminals. We’ve seen 200,000 CCTV cameras being taken over remotely by the Mirai botnet in order to bring down Twitter for a few hours. And that’s one guy doing it in order to impress his girlfriend or boyfriend or whatever. Can you imagine what you can do if a nation-state puts its back into it?"

https://www.edge.org/conversation/ross_anderson-the-threat

(comment on this)

6:43PM

"Government bonds, for all governments including the US government, have never been paid back, with ONE exception (in 4500 years of capitalist history). As soon as the governments get into trouble, losses are imposed on creditors immediately, and often repeatedly. Since states survive, on average, less than 2 centuries, the default rate on government bonds (including government bonds of global hegemons), over all of history, is about 2.8%.

Therefore any government-issued bond that pays less than 2.8% interest is a net-negative investment.

Even the corollary, that government debt is safer than large company issued debt is wrong. Large companies only have default rates of 2.5%. The difference is even larger in the US because the US of course defaulted in practice when Nixon killed the Gold standard, and so did most if not all governments worldwide. Companies that had issued bonds at the time, most paid them back just fine. Same with WWII. After world war 2, a lot of large company debt was actually transferred back to the owners, whereas even the German state did not even repay it's postwar debts.

Even in cases where it's incredibly ridiculous and morally wrong, governments don't pay back debts. Take for example the German debt to Greece from WWII. The Germans decided not to pay it back, and Greece had no way to enforce this. They still don't, and now that Germany can impose monetary limits on Greece, they still don't see any need whatsoever to pay back their owed debts. And yes, the German debt to Greece FAR exceeds what Greece would need to get out of their crisis. Even now, the German state is not willing to even forgive Greek debt to the amount they still owe the Greeks."

(comment on this)
Previous day (Calendar) Next day