Good post from Jeff Atwood about cross-site request forgery (CSRF) attacks. One thing that comes to mind is that this is an example of the best kind of security exploit – one where the exploit depends on the target system doing the right thing. A Web server is meant to respond to URL requests, and determine its response according to the browser credentials and any arguments passed in with the URL.

A CSRF attack essentially consists of arranging things so that users cause this to happen without being aware of it; for example, placing an object on some other Web site that carries a link to the target URL, or a button that causes an HTTP POST to a target URL as well as whatever it’s meant to do. As a refinement, you could so arrange things that the request was passed through something you control, so you can snarf the credentials and perhaps also the reply.

Rough; but it’s precisely the fact that you can do this sort of thing that lets you do all sorts of Web-application magic. What happens when you call a third-party API (or even just an image hosted somewhere else) from within the browser? That’s right, the user loads your Web page and incidentally loads the third-party service’s URL with their browser credentials. This is how the feed in my sidebar (on TYR 2.0) gets there. Oh noes, no YouTube or embedded GMaps, or a whole lot of other useful stuff.
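An added illustration of the defender’s side of the mechanism described above (constructed here, not code from Atwood’s post or from this blog): the browser attaches the session cookie to a forged POST exactly as it does to a real one, so the server must demand something a page on another site cannot supply. The sketch below checks a per-session synchronizer token and, as defence in depth, the Origin/Referer header; the site name, the session dict and the request dict are assumptions standing in for a real framework’s objects.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"  # assumed origin of the site being protected


def new_session() -> dict:
    """Server-side session carrying a fresh, unguessable anti-CSRF token."""
    return {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}


def render_form(session: dict) -> str:
    """Legitimate forms served by the site embed the token as a hidden field."""
    return (f'<form method="post" action="{SITE_ORIGIN}/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
            '<input name="amount"><button>Send</button></form>')


def origin_is_ours(headers: dict) -> bool:
    """Browsers add Origin (or at least Referer) to cross-site form posts."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no provenance at all: refuse state changes
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def is_request_allowed(session: dict, request: dict) -> bool:
    """Decide whether a request may change state on behalf of `session`.

    `request` is a constructed stand-in for a framework request object:
    {"method": ..., "headers": {...}, "form": {...}}.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must never change state, so no token needed
    if not origin_is_ours(request.get("headers", {})):
        return False
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison; the cookie alone proves nothing about intent.
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


def demo() -> dict:
    """Constructed requests: a genuine submission and the cross-site one above."""
    session = new_session()
    same_site = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
                 "form": {"csrf_token": session["csrf_token"], "amount": "10"}}
    # The cookie rides along either way, but a form hosted elsewhere never saw
    # the token and the browser reports the other site as its Origin.
    cross_site = {"method": "POST", "headers": {"Origin": "https://other.example"},
                  "form": {"amount": "10"}}
    plain_get = {"method": "GET", "headers": {}, "form": {}}
    return {"same_site": is_request_allowed(session, same_site),
            "cross_site": is_request_allowed(session, cross_site),
            "get": is_request_allowed(session, plain_get)}
```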

Oh well, enough of that. Does anyone know of a Firefox extension or similar that lets me submit comments I leave on other people’s blogs to a service like I specifically don’t want a blogging tool, I just want to keep the comment URL, the URL of the related post if separate (i.e. haloscan style), and the text of the comment, and perhaps some tags.

What have we here? Via Spencer Ackerman: David Wurmser, trying to sketch the wiring in his head on a really big piece of paper.

The spider chart was meant “to create a strategic picture, and that strategic picture is the foundation of policy change,” Wurmser said. “It helped you visualize, because if you saw, say, twenty relationships between X and Y, and twenty between Y and Z, then there’s at least a suspicion that Z and X are interacting through Y.” A map like that could bring insight, but there were perils in surmising too much.

Suppose X and Y were Dick Cheney and Colin Powell. Twice they served in senior posts under presidents named Bush. In the early 1990s, they worked at the same address and were spotted together on international flights. They communicated frequently, encrypting their secrets….

That’ll have been back when they still trusted him with the felt tip pens, I suppose. It reminds me a lot of this post from last August, regarding surrealism, rolling news, and TV anchor Glenn Beck’s “methodology”, which seems to have been identical to Wurmser’s.

The problem with this sort of semi-random links-and-ties analysis is twofold – not only is your brain predisposed by millions of years of evolution to impose patterns on raw data, which means you’re bound to find pattern if you look for it, but the spurious ones we inevitably perceive come from somewhere. Specifically, they come from our preconceptions, prejudices, and perhaps most of all, from the ones we don’t want to admit to. Just as you’d only dump the whole logs from a computer program to trace a bug, you don’t free-associate in order to make plans.

So as well as generating lots of time-sucking, budgetivorous false positives, this kind of thinking actually tends to make us behave even more stupidly, because it strengthens all the least rational forces within us.

I really mean this, by the way, and I’d love to hear from anyone who has comments about its potential implementation.

Oh bloody fuck. He’s at it again. George Osborne is in his white coat, on the stage, flogging his snake oil. All he needs now is a gospel choir. I think we’ve pointed this out before, but here goes. The Bank of England was nationalised in 1946. It’s part of the State. The money in it is as much public money as the money in the Treasury. It is fundamentally dishonest to pretend that you can take the assets of a failing bank onto the Bank’s balance sheet without any cost to the Government budget.

And George Osborne thought the Bank’s balance sheet was composed of public money back in the autumn of 2007. We were told that the loans to Northern Rock were regrettably unavoidable but also a terrible risk taken with our money. Here he is at ToryKennel:

“The question we now ask of the Chancellor is simple: has he been honest with taxpayers about the risks that they face, and has he told the whole truth? …[snip]

The Chancellor will not tell us the size of the facility, when he expects it to be repaid or the terms of the repayment, even though much of that information is an open secret in the City. Indeed, the Governor of the Bank of England wants to publish the letter that he sent to the Chancellor to set out those terms.

Suddenly, after nationalisation, this statement became inoperative. The Bank of England had become a kind of charitable institution, nothing whatsoever to do with the Government, devoted to acting as a hospice for dying banks. Strangely, its Governor appeared unaware of this change.

Of course, this is a teachable moment about the Tories and the voluntary sector. As Boris Watch wisely points out, they are obsessed by the idea that Britain is full of charities who all have inexhaustible resources of their own, topped up regularly by squadrons of flying ponies. Poor old Gideon; what a nasty surprise to learn that the Bank is a public sector agency staffed by Daniel Davies’ past colleagues and notably deficient in ponies.

Further, does the Bank even have the capital to digest a whole failed bank on its own hook, without having to turn to the Treasury, or print money? Well, we could always look at the sodding books, couldn’t we? Bringing Bradford & Bingley’s mortgage book (about £41bn) onto the Bank’s balance sheet would imply a Bank with one-and-a-half times the current level of assets, but no more capital than it presently has. Its current net worth is only about £2bn. Now, B&B’s liabilities were about £51bn, of which £22bn was made up of deposits, which have been taken over by Banco Santander; so for the rest, assets exceeded liabilities by some £12bn. However, for public sector accounting purposes, net debt/credit is defined as liabilities less liquid assets, and the whole point is that the mortgages are far from liquid. To put it simply, the Bank of England would have had a negative net worth several times as great as its existing capitalisation.

We would have successfully replaced an actually quite well capitalised bank with a desperately undercapitalised central bank. This isn’t that big a problem; central banks are weird financial institutions anyway. But the vast bulk of the Bank’s assets are loans to other banks, as you’d expect, and the last thing we want it to do under current circumstances is to stop lending to other banks.

Now, the whole point of this crazy exercise is to save the Treasury’s books. But it’s literally insane – and inane – to behave as if the taxpayer was on the hook for some sort of huge debt. The problem isn’t on the liability side of the banks’ balance sheets; it’s on the asset side. Now, how bad do you think the problem is? Shall we assume that the housing market will go down 50% from the peak, a crash of epic proportions? Well, that would still leave the Treasury sitting on £20.5bn worth of assets (or a bit less than one-third of the Bank of England’s assets), with no hurry to liquidate them. And the Treasury has essentially got it for nothing. It’s also fundamentally dishonest to pretend that literally every mortgage at the B&B is worthless.

However, Osborne insists on arguing that the total numbers involved are incredibly high, and also that the Bank of England’s puny capital base is sufficient to handle them without cost to the general Government budget.

I notice that Vince Cable, as usual, is talking sense.

Vince Cable, the Liberal Democrat Treasury spokesman, said that ideally a private buyer would have been found for B&B, but he recognised that part-nationalisation was the “only other way forward”. Mr Cable said the deal could even benefit taxpayers. “They have got a lot of bad loans, they have got the buy-to-let mortgages, they have got the self-certified mortgage arrangements,” he said.

“But it may be that in the long term, having acquired this for virtually nothing, the Government will be able to sell it and perhaps either cover itself or probably even make a profit.” Mr Cable contrasted the situation with that in the US, “where the taxpayer is actually paying to buy up bad loans.” He said: “here the Government is effectively getting them free, and depending on the competence with which they are managed, it may prove to be a relatively successful deal for the taxpayer.”

Not so Osborne. From the same article:

George Osborne, the shadow chancellor, said: “I don’t think the taxpayer should pick up the bill that really should be borne by the City.

“What is really being saved here are not the depositors or the jobs – it is the large institutions that lent lots of money to Bradford & Bingley and made money out of that when times were good, and now that times have turned down, are asking every single person in the country to pay more in their taxes to bail out this bank. “Under nationalisation, the taxpayer steps in and says ‘We are going to give you your money back’. I’m not sure that’s fair.”

The bill *has* been borne by the City; the shares have gone to zero, the bank has been broken up. In fact, the “large institutions” lose out badly, if by that he means the major clearing banks; they ended up stuck with most of the £400m in new shares issued a couple of months ago, which are now worthless.

Here’s a little extra for you (hey, I had a Halifax savings account when I was a little boy and they had branches in Dales villages); Osborne, and the entire Tory party, were very horrified by the bill for the nationalisation of Northern Rock because they claimed it contained provisions for the takeover of more banks, and only an evil socialist plot might explain this, as this would never be needed again. Clearly, when Gideon says they’re all being alarmist, it’s time to go short.

Update: The numbers in an earlier version of this post were based on B&B plus NR assets and liabilities, which was far from clear in the text. I’ve recast it to take account only of B&B. You can, of course, add the NR numbers…

stupidity tax

I’m relatively laying off US presidential politics this year, unlike in 2004 (and aren’t you glad?), but this sticks out: John McCain gambling serious money, and apparently considering casino execs his “friends”. Long before the point that he gambles with them and apparently wins, which is bad enough, you’ve got to wonder, haven’t you? They’re not your friends…

Piracy Drivel Watch

Just to note that one issue of the Sun this week managed to rehash the much debunked pirates will knifecrime our asylums!!! story, yet again. It’s still drivel, of course; after all, here are those excitingly amoral Frenchmen, about to wire their pirates up to the ship’s power bus….or not. The latest lot are heading for France and their trial, like the others.

In other news, this is only going to end in tears.

OK, someone’s left an armed UAV in the changing rooms. Is it you, Harrowell? No? Speak up? America? Turkey? Italy? Well, it would be interesting to ask somebody how many Predators the RAF possesses at the moment, compared to a few weeks ago.

Relatedly, this is wrong:

Pakistan, Afghanistan, nuclear proliferation and trans-national Islamic terrorism are now fully enmeshed. They are one and the same, and a failed state, Pakistan, is the linchpin to them all.

No. Not you either, John. Pakistan isn’t a failed state in any reasonable sense of the term; it’s misgoverned, frequently with the assistance of the Western alliance in various forms, and it has problems. But its systems function, its economy has been doing well, it is well able to defend its borders and it is making this very clear – 7.62mm clear.

PPB says that it was getting there just before Musharraf’s coup and it’s only offensive to say so if you’re Nawaz Sharif. But that’s not the point; the problem is that the US is horribly likely to behave in Pakistan as in Somalia if the failed-state meme takes hold. And nothing makes states fail like the perception of state failure – it’s very like a bank in that sense. Nobody can afford this in a country with (as everyone, hackneyedly, clichedly says) nuclear weapons, with the Indian and Chinese dimensions, with the coast on the tanker routes, and the MSR to Afghanistan.

Of course, it’s a crappy cliche to assume that the Pakistani military elite doesn’t keep the nukes very close. But cliche seems to drive policy here. Pakistan doesn’t need gap shrinkers, assault ships, setting up the precinct or any other Thomas Barnett bollocks. What it needs is respect, and specifically respect for civilian government.

But don’t imagine that there won’t be people who want to burn shit down. For example, I don’t believe this, even though Sean Taylor’s Not a Good Day to Die was good. Note the total lack of direct evidence. Gordon Brown was apparently in Washington over the last couple of days, so he had the opportunity to take my advice; but then, as a comment says, you want to talk to America, but what phone number do you call?

This is sick, but perversely reassuring. With the great miscarriages of justice of the 70s, the first phase was that the judge, the cops, the Home Office, and all right-thinking people agreed, and nobody took seriously that the victims might be innocent. This lasted a long, long time; but then we passed into the second phase, when the cops and the government spin doctors concentrated on bullying those of the victims who had been released, and those people who dared to say they were innocent. It was an important stage in the evolution of resistance; dissent was suddenly worth punishing.

Not that this helped very much, and it won’t help Jim Bates much. But the sheer stupid desperation here is telling. They arrested him for possessing the hard disk they’d given him to examine; brilliant, PC Brains. We’ve discussed Bates before; it’s worth pointing out that absolutely none of the facts of the cases he was involved in depend on his credentials. Nullius in verba, right? They didn’t here; they didn’t here.

But if Bates is guilty of possession, then the obvious conclusion is that…so are the police! Perhaps they should arrest themselves?

The shock of the old

25 years ago today I was a three-year-old boy, living in a village in the Yorkshire Dales, from where you could see the golfball aerials at the NSA’s Menwith Hill base. Later, people I knew well would protest it for ages, and a man who was supposedly an engineer for LockMart there lived next door.

Via Charlie Stross, today is Stanislav Petrov day. As a Soviet air defence forces colonel, he was in charge of monitoring their satellite early warning system when it indicated five incoming missiles. But he was well aware of the system’s possible failings, and the strategy the US was expected to pursue – after all, what on earth would be the point of firing only five missiles, on a polar trajectory that the Molniya satellites would detect?

And so he declined to give the warning, knowing that if he was wrong, the radar line would light up with panic soon enough. The phones certainly did; they complained he hadn’t filled in the station log right, to which he said that he couldn’t because he’d had a phone in each hand all night. Of course, the radars didn’t go off because there were no missiles – when the ideologues and bureaucrats handed the issue to serious scientists, they worked out that it was an inherent flaw in the system’s design, connected with the unusual orbit of the satellites and rare conditions in the upper atmosphere. A false positive could have happened at any time.

That didn’t wash with the Karlo Rovskis; they sacked Petrov, who had anyway had a nervous breakdown (who wouldn’t?) not long afterwards.

Petrov’s heroic success was based on a few things; the first was his sound understanding of the machines. He didn’t need to ask the experts or believe the big computer. The second was that he understood the political and grand strategic situation. It made no sense to send five rockets. The third was that he feared what the buggers might do anyway; yes, it might be clear that nobody would send five rockets, and anyway the radars would give enough time to press the button, but who knew what the politicians (of every kind) would do under the effect of fear?

The fourth was that he acted, not letting the fools take the wheel. The Soviet Union was in the hands of a middle-ranking air force colonel, as in so many science-fiction horrorshows; but no-one could have been better. I can’t help but think of the lowborn Model Army men of the civil war; Colonel Hewson and Cornet Smith against the Duke of Godknows.

Ah, MEND – everyone’s favourite dark-globalisation guerrilla gang, whose strategy is based on the world oil market as they career around Nigeria in RIBs with six or so huge outboards and silly numbers of heavy machine guns, while God knows where their leader/committee/nameless mobile phone number is. You can see why the defence establishment loves to worry about ’em; like the Vikings, the Hell’s Angels, the rappers and the Viet Cong at once. Never get out of the boat, as someone said. J-Ro is always mad keen on them; I reckon they’re far more classically Marxist, fighting for a better share of the resource export money.

But I think their campaign may be slipping. Here’s why.

Reuters Alertnet reports them issuing a wave of threats to foreign oil workers on the 13th of September. On the 14th, they declare an oil war. What else was going on at that moment? Hurricane Ike was certain to hit the US oil infrastructure in the Gulf of Mexico by the 10th or thereabouts – the landfall was on the 13th. It was the perfect moment for a global guerrilla group to hit the infrastructure of a major oil exporter. But the price of oil was dropping sharply; even threats to step it up further only had a marginal impact.

On the 21st of September, MEND announced a ceasefire; you’ll note that the reduction in supply they achieved was around 150,000 barrels a day. The day after this, the oil price jumped wildly; the best explanation for this is a classic bear squeeze, as that particular day was a witching (the last day to buy oil before the futures contract for that month expired).

So what’s going on? Here are the figures for US oil demand in the relevant period. The demand for oil fell by 1,400,000 barrels a day compared with the same week a year before, which was itself down on the year before. That is no small quantity. That’s not too far off half Iran’s exports, and it’s ten times the cut in output MEND can reliably achieve when its leaders call for it. This is interesting; strategy beats tactics, after all, and the power of the global guerrilla is meant to be based on a permanently hypersensitive infrastructure.

Part of this is due to international trade in fuel, of course; but although there’s apparently a queue of ships in New York waiting to unload, I haven’t spotted a consistent spike in product-tanker rates, as opposed to VLCC ones, yet.

Meanwhile, every wind turbine is a vote for independence from Russia.
