
Munger Interview with Stanford Law

One more Berkshire note: here is an excerpt from a must-read interview with Charlie Munger from Stanford Law.


Grundfest: As we look at the current situation, how much of the responsibility would you lay at the feet of the accounting profession? 

Munger: I would argue that a majority of the horrors we face would not have happened if the accounting profession developed and enforced better accounting. They are way too liberal in providing the kind of accounting the financial promoters want. They’ve sold out, and they do not even realize that they’ve sold out. 

Grundfest: Would you give an example of a particular accounting practice you find problematic? 

Munger: Take derivative trading with mark-to-market accounting, which degenerates into mark-to-model. Two firms make a big derivative trade and the accountants on both sides show a large profit from the same trade. 

Grundfest: And they can’t both be right. But both of them are following the rules. 

Munger: Yes, and nobody is even bothered by the folly. It violates the most elemental principles of common sense. And the reasons they do it are: (1) there’s a demand for it from the financial promoters, (2) fixing the system is hard work, and (3) they are afraid that a sensible fix might create new responsibilities that cause new litigation risks for accountants.  


This situation is very comparable to what happens when auditors interview infosec. Auditor asks - do you have a firewall? Infosec says yes. Check.

It's too bad, but the assumptions of yesteryear lead to building things on shaky foundations.

Omaha recap

For the second year in a row I attended the Berkshire Hathaway (NYSE:BRK.A) annual meeting, aka Woodstock for Capitalists. This year the group included John Steven, Richard Bejtlich and Andre Durand. You can read Richard's "False Precision" and Andre's "Buffet the Anti-Trump" notes. Here are some of mine:


* First off, Warren Buffett and Charlie Munger answered questions for six hours and only presented one slide. (The slide, as you might expect, was pretty interesting: it showed a T-bill they purchased in Dec 08 that paid out a *negative* yield in April 09.)

* One theme throughout was simplicity. If you need a computer to figure it out, then just put it in the "too hard" pile; there is plenty of money to be made with lower risk doing things you can understand. (One quote I keep on my security checklists is from Buffett - "the sign above the players' entrance to the field at Notre Dame reads 'Play Like a Champion Today.' I sometimes joke that the sign at Nebraska reads 'Remember Your Helmet.' Charlie and I are 'Remember Your Helmet' kind of guys. We like to keep it simple.")

* Munger said a lot of the new regulations wouldn't be needed if accountants had simply done their job.

* Buffett said if he ran a business school there would be two courses: 1) how to value a business, 2) how to think about markets. You can get most of this from Ben Graham's Intelligent Investor. Instead MBAs are trained on fairy tales like efficient market theory, which leads to madness like excess leverage, derivatives and all the rest. As Buffett said, "I would hate to have to teach efficient market theory. You stand up in class the first day facing all these eager fresh young minds, and you say 'well everything is priced perfectly', what do you do the rest of the semester?"

After the big meeting on Saturday, I spent Sunday morning listening to Tom Gayner and Steve Markel from Markel; I wrote up the notes here. One thing I neglected in the earlier post was Gayner's comments on being careful about bi-modal outcomes. He gave the example of several financial companies and said, well, they are trading in single digits now, and there is tremendous upside if they come out OK. But you don't know what will happen, and there is a bi-modal outcome problem where they could be worth $50/share and you could make 8-10x your money, or they could be worth zero. It struck me that many of our security architectures have bi-modal outcomes - either things work perfectly or they break wide open. Instead we should strive for defense in depth.

Got an IQ of 155? Sell 30 points

Got back yesterday from the Omaha trip to the Berkshire Hathaway annual meeting, aka Woodstock for Capitalists. There were many takeaways; I am going to blog here about the last event we attended and will fill in other details in future posts.


The last event we did was Sunday am, a breakfast hosted by Markel (NYSE:MKL). Markel is a Richmond, VA based specialty insurance company; they actually offer data breach protection now, among many other things. Anyway, they follow the Berkshire model - write conservative policies, and invest the float. We got to see their CEO and CIO answer questions for two hours on all manner of investing questions. They have been compounding book value at ~20%/year going back to the 80s by following simple processes. I was struck by how often simplicity came up throughout the weekend. Buffett said on Saturday, "if you are an investor with an IQ of 155 then sell 30 points to someone else, you don't need them."

The most interesting part of the Markel breakfast for me was hearing firsthand what their CIO Tom Gayner had to say about investing. He has four basic rules of investing:

1. Invest in businesses that are profitable and earn good returns on total capital (w/o excessive leverage!). This seems basic, but it's important to remind yourself of its primacy (simplicity in action... also recall that avoiding leverage is important not just in the business you are investing in but also in its customers).

2. People running the company must have talent *and* integrity. One without the other does you no good.

3. Reinvestment dynamics - best business in the world is one that makes good return on capital and can reinvest it to make the same or better rate - that's a compounding machine.

4. Fair price - buy a business that meets the first 3 criteria at a price where, as an outside shareholder, you earn the same sort of return the business itself earns. Be on the same side of the table as management.

Finally there was this: "I hope you notice the elements we describe didn't talk much about geopolitics, interest rates, the economy, commodity, oil, gold prices, etc." All important, but you have no control over them (just like threats vs vulnerabilities).

This approach has led Gayner and Markel to a very successful decade-plus track record. It's also led them to "boring" companies like Pepsi and Diageo. However, I also noticed that SAP (NYSE:SAP) was in their portfolio. They have 0.8% invested in tech; I didn't do the math, but I guess SAP is the bulk of that. I have always been struck that despite being the 2nd or 3rd largest software company in the world you never hear about people investing in SAP, and yet here it is in a value investor's portfolio next to the usual dowdy brands that value people love.

I got the chance to talk to Mr Gayner at the end and said, "I am a software guy and was surprised to see SAP in your portfolio; we always joke that it stands for Shut up And Pay. Once you get it in, it runs your business and you can't get it out. Can you comment on why you selected a tech company?"

Gayner said "I think you just answered your own question."

He had heard a bunch of people at companies complaining about their SAP implementations; when he asked them what they were going to do about it, the answer was - send another check to Germany. So he jumped in. Value investing is pretty simple.

Good video of a similar talk by Markel and Gayner here.

Buffett Q&A

Notes from the Warren Buffett Q&A at Emory, some highlights:

"Did you hear they called off the Wall Street Christmas Pageant this year? They had trouble finding three wise men…and a virgin."
...
Emory:
How do you think about value?

Buffett:
The formula for value was handed down from 600 BC by a guy named Aesop. A bird in the hand is worth two in the bush. Investing is about laying out a bird now to get two or more out of the bush. The keys are to only look at the bushes you like and identify how long it will take to get them out. When interest rates are 20%, you need to get it out right now. When rates are 1%, you have 10 years. Think about what the asset will produce. Look at the asset, not the beta. I don’t really care about volatility. Stock price is not that important to me, it just gives you the opportunity to buy at a great price. I don’t care if they close the NYSE for 5 years. I care more about the business than I do about events. I care about if there’s price flexibility and whether the company can gain more market share. I care about people drinking more Coke. 

I bought a farm from the FDIC 20 years ago for $600 per acre. Now I don’t know anything about farming but my son does. I asked him, how much it cost to buy corn, plow the field, harvest, how much an acre will yield, what price to expect. I haven’t gotten a quote on that farm in 20 years.

If I were running a business school I would only have 2 courses. The first would obviously be an investing class about how to value a business. The second would be how to think about the stock market and how to deal with the volatility. The stock market is funny. You have no compulsion to act and a bunch of silly people setting prices all the time, it is great odds. I want the market to be like a manic depressive drunk. Graham’s Ch. 8, in the book Intelligent Investor, on Mr. Market is the most important thing I have ever read. Now think about the NYSE. You have thousands of companies to choose from. For me, that universe has shrunk because I need to put large dollar amounts to work. Attitude is much more important than IQ. You can really get into trouble with a high IQ, i.e. Long-Term Capital. You need to have the right philosophical temperament.

...

I talked to Barack in Aug. “I have good news & bad news. The good news is that the economy will be terrible, so you’ll definitely get elected... The bad news is that the economy will be even worse at inauguration.” Obama asked, “Do you think it’s too late to throw the election?”

Berkshire 2008 Annual Letter

The Berkshire Hathaway annual letter for 2008 is out. I found this section particularly informative as it relates to mixed incentives and attempting to gain some assurance whilst dealing with complexity:


Derivatives

Derivatives are dangerous. They have dramatically increased the leverage and risks in our financial system. They have made it almost impossible for investors to understand and analyze our largest commercial banks and investment banks. They allowed Fannie Mae and Freddie Mac to engage in massive misstatements of earnings for years. So indecipherable were Freddie and Fannie that their federal regulator, OFHEO, whose more than 100 employees had no job except the oversight of these two institutions, totally missed their cooking of the books.

Indeed, recent events demonstrate that certain big-name CEOs (or former CEOs) at major financial institutions were simply incapable of managing a business with a huge, complex book of derivatives. Include Charlie and me in this hapless group: When Berkshire purchased General Re in 1998, we knew we could not get our minds around its book of 23,218 derivatives contracts, made with 884 counterparties (many of which we had never heard of). So we decided to close up shop. Though we were under no pressure and were operating in benign markets as we exited, it took us five years and more than $400 million in losses to largely complete the task. Upon leaving, our feelings about the business mirrored a line in a country song: “I liked you better before I got to know you so well.”

Improved “transparency” – a favorite remedy of politicians, commentators and financial regulators for averting future train wrecks – won’t cure the problems that derivatives pose. I know of no reporting mechanism that would come close to describing and measuring the risks in a huge and complex portfolio of derivatives. Auditors can’t audit these contracts, and regulators can’t regulate them. When I read the pages of “disclosure” in 10-Ks of companies that are entangled with these instruments, all I end up knowing is that I don’t know what is going on in their portfolios (and then I reach for some aspirin).

For a case study on regulatory effectiveness, let’s look harder at the Freddie and Fannie example. These giant institutions were created by Congress, which retained control over them, dictating what they could and could not do. To aid its oversight, Congress created OFHEO in 1992, admonishing it to make sure the two behemoths were behaving themselves. With that move, Fannie and Freddie became the most intensely-regulated companies of which I am aware, as measured by manpower assigned to the task.

On June 15, 2003, OFHEO (whose annual reports are available on the Internet) sent its 2002 report to Congress – specifically to its four bosses in the Senate and House, among them none other than Messrs. Sarbanes and Oxley. The report’s 127 pages included a self-congratulatory cover-line: “Celebrating 10 Years of Excellence.” The transmittal letter and report were delivered nine days after the CEO and CFO of Freddie had resigned in disgrace and the COO had been fired. No mention of their departures was made in the letter, even while the report concluded, as it always did, that “Both Enterprises were financially sound and well managed.”

In truth, both enterprises had engaged in massive accounting shenanigans for some time. Finally, in 2006, OFHEO issued a 340-page scathing chronicle of the sins of Fannie that, more or less, blamed the fiasco on every party but – you guessed it – Congress and OFHEO.

The Bear Stearns collapse highlights the counterparty problem embedded in derivatives transactions, a time bomb I first discussed in Berkshire’s 2002 report. On April 3, 2008, Tim Geithner, then the able president of the New York Fed, explained the need for a rescue: “The sudden discovery by Bear’s derivative counterparties that important financial positions they had put in place to protect themselves from financial risk were no longer operative would have triggered substantial further dislocation in markets. This would have precipitated a rush by Bear’s counterparties to liquidate the collateral they held against those positions and to attempt to replicate those positions in already very fragile markets.” This is Fedspeak for “We stepped in to avoid a financial chain reaction of unpredictable magnitude.” In my opinion, the Fed was right to do so.

A normal stock or bond trade is completed in a few days with one party getting its cash, the other its securities. Counterparty risk therefore quickly disappears, which means credit problems can’t accumulate. This rapid settlement process is key to maintaining the integrity of markets. That, in fact, is a reason for NYSE and NASDAQ shortening the settlement period from five days to three days in 1995.

Derivatives contracts, in contrast, often go unsettled for years, or even decades, with counterparties building up huge claims against each other. “Paper” assets and liabilities – often hard to quantify – become important parts of financial statements though these items will not be validated for many years. Additionally, a frightening web of mutual dependence develops among huge financial institutions. Receivables and payables by the billions become concentrated in the hands of a few large dealers who are apt to be highly-leveraged in other ways as well. Participants seeking to dodge troubles face the same problem as someone seeking to avoid venereal disease: It’s not just whom you sleep with, but also whom they are sleeping with.

Sleeping around, to continue our metaphor, can actually be useful for large derivatives dealers because it assures them government aid if trouble hits. In other words, only companies having problems that can infect the entire neighborhood – I won’t mention names – are certain to become a concern of the state (an outcome, I’m sad to say, that is proper). From this irritating reality comes The First Law of Corporate Survival for ambitious CEOs who pile on leverage and run large and unfathomable derivatives books: Modest incompetence simply won’t do; it’s mindboggling screw-ups that are required.


Two important takeaways for infosec. First, regulation and auditing cannot solve structural problems; this is why we need to be asset focused, not auditor focused, in infosec. Secondly, you can "secure" your link from point A to point B, but it's whom the other end is sleeping with that counts, so improving security on the method and data is equally as important as the channel. Buffett is one of the best examples we have in thinking about risk, and there is a lot to learn from his writing and actions.

When Markets Collide

One of my favorite Motley Fool analysts is Bill Mann. Yesterday he wrote an article on China that re-set a number of the investing thesis themes in the current global situation:


Things are so bad in China that its gross domestic product growth rate may fall from double digits to the dowdy level of 8%. Eight percent, by the way, is a level at which the United States is unlikely to ever grow again. It can't. Our economy is simply fully developed. Thus the sobriquet "developed economy." I know, not exactly catchy.

..


All of the headlines show China sitting at a crossroads. But the reason I have faith in China is that it has historical proxies. Since 1970, with the exception of a few OPEC members, only four economies have made the transition from emerging to developed markets (meaning their per-capita incomes exceed $15,000 per year): Taiwan, Singapore, Hong Kong, and South Korea.

These four economies have two things in common. First, they have few natural resources; and second, they are dominated by Chinese values and the traditional Chinese work ethic. Mainland China is different only because it got a later start.


Also, China reportedly has currency reserves of $1.6 trillion. That means that China has a better balance sheet than the US; plus 1.6 trillion beats minus 12 trillion if you are scoring at home.

Given that the Chinese stock market is down 70% in the last year, it's an interesting time to look at Chinese stocks. A few weeks back Mohamed El-Erian made the bull case for buying the MSCI Emerging Markets index, which gives you exposure to the BRICs plus a lot of other countries.

Speaking of El-Erian, his book "When Markets Collide" was just voted Best Business Book of the Year. If we could have voted for a book that we wished everyone had read in 2007 he would have won that too. He said:

“When I wrote the book, I thought I was writing about the future. When it was going to press, I thought it was about current affairs. Now I wish it was about history.”


This part below reminds me a lot of 1995 security architectures being used to defend 2008 integrated applications:


The present crisis had been triggered because the international financial system had undertaken activities that had “far outpaced the ability of the infrastructure to sustain them”, said El-Erian.


And it was not just the markets that could not cope with their own changes, but governments as well. Significant weaknesses had been exposed “from the firms, to the regulatory agencies, to governments, to multilateral oversight”.

“Turbocharge that with financial innovations, which history tells us we tend to overproduce and overconsume, and it’s inevitable that you will get a series of market accidents,” he said.


In a Robert Garigue sense, in computer security our infostructure (users, apps and data) is outpacing our infrastructure-centric security models.


VC and IPO Outlook

Forbes interviews venture capitalist Charlie Harris. He is the Chairman of Harris and Harris (NASDAQ:TINY), a venture capital fund which is focused on funding nanotech companies. He is bullish looking forward from today for a couple of reasons:


1. We have an eight-year backlog of good companies and ideas due to a poor IPO environment; we have had an eight-year drought in IPOs, but there are still lots of good ideas out there.

2. The clean tech theme has a lot of room left to grow.

3. The recent financial crisis has revealed and removed a lot of risks.

4. The best businesses are started in times of economic distress. Dislocation equals opportunity. Companies that start during financial distress have tremendous discipline to survive.

Somewhat surprisingly for a person with 100% of his fund invested in nanotech, he does not see nanotech as the leader of the next IPO boom. He seems to see nanotech as an enabling technology (my words, not his), so you will see nanotech enabling clean fuel, cancer drugs and so on, and these individual spaces could boom, but not an "all things nanotech" type boom.

Stop Me if This Sounds Familiar

My favorite book from last year was Charlie Munger's "Poor Charlie's Almanack"; there are so many fascinating parts in the book I can't go into them all here. Charlie Munger is Warren Buffett's partner at Berkshire Hathaway (BRK.A, BRK.B). The book is a collection of a number of his speeches, and serves as a great backdrop for today's events, an investing education, and a way to think through complex problems ("invert! always invert!"). It goes without saying that I think you should buy this book.


Chapter Three is a collection of Munger's unscripted remarks at Berkshire Hathaway and Wesco annual meetings. The sections below were transcribed by Whitney Tilson from annual meetings around the 2003-4 time period, and are pretty interesting given our current financial predicament.

Warnings About Financial Institutions and Derivatives

Risks of Financial Institutions
The nature of a financial institution is that there are a lot of ways to go to hell in a bucket. You can push credit too far, do a dumb acquisition, leverage yourself excessively --- it's not just derivatives [that can bring about your downfall].

Maybe it's unique to us, but we're quite sensitive to financial risks. Financial institutions make us nervous when they're trying to do well.

We're exceptionally goosey of leveraged financial institutions. If they start talking about how good their risk management is, it makes us nervous.

We fret way earlier than other people. We've left a lot of money on the table through early fretting. It's the way we are -- you'll just have to live with it.

Derivatives
The system is almost insanely irresponsible, and what people think are fixes aren't really fixes. It's so complicated I can't do it justice here - but you can't believe the trillions of dollars involved. You can't believe the complexity. You can't believe how difficult it is to do the accounting. You can't believe how big the incentives are to have wishful thinking about values and wishful thinking about ability to clear.

People don't think about the consequences of the consequences. People start by trying to hedge against interest rate changes, which is very difficult and complicated. Then, the hedges make the [reported profits] lumpy. So they use the new derivatives to smooth this. Well, now you've morphed into lying. This turns into a Mad Hatter's Tea Party. This happens to vast, sophisticated corporations.

Somebody has to step in and say, "We're not going to do it - it's just too hard."

I think a good litmus test of the mental and moral quality at any large institutions [with significant derivative exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.

It's easy to see [the dangers] when you talk about [what happened with] the energy derivatives - they went kerflooey. When [the companies] reached for the assets that were on their books, the money wasn't there. When it comes to financial assets, we haven't had any such denouement and the accounting hasn't changed, so the denouement is ahead of us.

Derivatives are full of clauses that say if one party's credit gets downgraded then it has to put up collateral. It's like margin - you can go broke [just putting up more margin]. In an attempt to protect themselves, they've introduced instability. Nobody seems to recognize what a disaster of a system they've created. It's a demented system. 

In engineering people have a big margin of safety. But in the financial world, people don't give a damn about safety. They let it balloon and balloon and balloon. It's aided by false accounting. I'm more pessimistic about this than Warren is.

Accounting for Derivatives
I hate with a passion GAAP [Generally Accepted Accounting Principles] as applied to derivatives and swaps. JP Morgan sold out to this type of accounting to front-end revenues. I think it's a disgrace.

It's bonkers, and the accountants sold out. Everyone caved, adopted loose [accounting] standards, and created exotic derivatives linked to theoretical models. As a result, all kinds of earnings, blessed by accountants, are not really being earned. When you reach for the money, it melts away. It was never there.

It [accounting for derivatives] is just disgusting. It is a sewer, and if I'm right, there will be hell to pay in due course. All of you will have to prepare to deal with a blowup of derivative books.

Likelihood of a Derivatives Blowup
We tried to sell Gen Re's derivatives operations and couldn't, so we started liquidating it. We had to take big markdowns. I would confidently predict that most of the derivatives books of [this country's] major banks cannot be liquidated for anything like what they're carried on the books at. When the denouement will happen and how severe it will be, I don't know. But I fear the consequences could be fearsome. I think there are major problems, worse than in the energy field, and look at the destruction there.

I'll be amazed if we don't have some kind of significant [derivatives-related] blowup in the next five to ten years.

I think we're the only big corporation in America to be running off its derivative book.

It's a crazy idea for people who are already rich - like Berkshire - to be in this business. It's a crazy business for big banks to be in.

You would be disgusted if you had a fair mind and spent a month really delving into a big derivative operation. You would think it was Lewis Carroll. You would think it was the Mad Hatter's Tea Party. And the false precision of these people is just unbelievable. They make the worst economics professors look like gods. Moreover, there is depravity augmenting the folly. Read the book F.I.A.S.C.O., by law professor and former derivative trader Frank Partnoy, an insider account of the depravity of derivative trading at one of the biggest and best-regarded Wall Street firms. This book will turn your stomach.


These are very blunt warnings from a legendary investor over many years, yet no one listened. It does explain why it is so hard for infosec to make its case for building margins of safety into the system.


Speaking of infosec, the biggest breakthrough idea I have found in the second edition of Ross Anderson's Security Engineering is his focus on incentives. We have traditionally modeled infosec as a set of policies, mechanisms, and assurance. Anderson introduces the concept of incentives, which explains a lot of what we see in terms of infosec decision making on a day-to-day basis. Echoing Mr. Munger:


You can't believe how big the incentives are to have wishful thinking about values and wishful thinking about ability to clear....This happens to vast, sophisticated corporations.



Innovators, Imitators and Idiots

Charlie Rose interviews Warren Buffett:

Charlie Rose:  
And so when you look at where we are going, there seems to be two issues that are apparent to me at least, risk and leverage.  We just lost sight of risk and leverage of what was appropriate?

Warren Buffett:  
Yeah.  Again, because it pays off for a while.  You know, you can lose leverage, and it's the only way a smart guy can go broke.  If you owe money, you can't pay them out.  You just pay for everything, you do smart things, you eventually get very rich.  If you do smart things and use leverage and do one wrong thing along the way, it could wipe you out, because anything times zero is zero.  But it's reinforcing when the people around you are doing it successfully, you're doing it successfully, and it's a lot like Cinderella at the ball.  I mean you know at midnight everything is going to turn to pumpkins and mice; right?  But if the evening goes along, I mean, you know, the guys look better all the time, the music sounds better, it's more and more fun, you think why the hell should I leave at quarter of 12.  I'll leave at two minutes to 12.  But the trouble is, there are no clocks on the wall.  And everybody thinks they're going to leave at two minutes to 12.


It's effectively the job of leadership to know when to take the punch bowl away, and to have the credibility to do this. This is also the risk-reward balance that infosec must try to strike; part of the answer is differentiating risk and uncertainty. As our current financial situation shows, it's a hard thing to pull off.

Charlie Rose:  
And should wise people have known better?

Warren Buffett:  
People should always know better.

Charlie Rose:  
Yeah.

Warren Buffett:  
I mean people -- people don't get -- they don't get smarter about things that get as basic as greed and you can't stand to see your neighbor getting rich.  You know you're smarter than he is, and he's doing these things, you know, and he's getting rich, and your spouse is getting unhappy with you because you aren't doing -- pretty soon you start doing it.  And so you get what I call the natural progression, the three Is.  The innovators, the imitators, and the idiots.  And that's what happens.  Everybody just kind of goes along.  And you look kind of silly if you disagree.  I mean, you know, you could have these crazy Internet valuations in the late 1990s, but they prove themselves out in the market.  The next day they were selling for more than they were the day before, and people said, you know, you're crazy if you don't get in on this.  So it's very human.  Now, with housing it's something even more dramatic than that, because most people aspire to own their own home.  And if you really think that houses prices are going to go up next year and the year after, you feel if I don't buy it this year, I'm going to have to buy it next year.  That's not true of an Internet stock.  But it's true of a home.  And when somebody makes it very easy for you to do it by saying you don't really have to put up my money, you can lie about your income a little, or we'll give you 100 percent mortgage, you're going to do it, because everybody that's done it has been proven right.  You have what they call social tools, and, you know, you're going to feel like an idiot if you didn't do it, because the house cost more.


And this is why it's hard to pull off. There is a lot of human emotion and envy (*). I think the point Buffett raises about innovators, imitators and idiots is a useful one for infosec. We see all kinds of new projects and technologies that have risks and rewards associated with them; it's helpful to categorize these under innovation (high risk but possible game changer), imitators (so-called best practices), and idiots (sheep mode - blind risk acceptance). We can get some traction here by using these concepts to understand what to do when assessing, say, the architectural and operational risk of a system.

Finally, we should always spend some time considering infosec decisions in a broader, long-term economic context, and this is also true of our current financial crisis.

Warren Buffett:  
Oh, I think confidence will come back.  I will tell you this.  This country is going -- be living better ten years from now than it is now.  It will be living better in 20 years from now than ten years from now.  The ingredients that made this country, you know, the miracle of the world -- I mean we had a seven for one improvement in the average American standard of living in the 20th century.  Now, we had the great depression, we had two world wars, we had the flu epidemic.  You know, we had oil shock.  You know, we had all these terrible things happen.  But something about the American system unleashed more and of a potential to human beings over that hundred years so that we had a seven for one improvement in -- there's never been any -- I mean, you have centuries where if you've got a 1 percent improvement, then it's something.  So we've got a great system.  And we've got more productive capacity now than we ever have.  The American worker is more productive than he's ever been.  We've got more people to do it.  We've got all the ingredients for a sensational future.  It's just that right now the athlete's on the floor.  But we -- this is a super athlete.


Again, we want to look at risk events in a broader, long-term context. In Buffett's words, it's "be fearful when others are greedy and greedy when others are fearful." As the world panics and Jim Cramer is melting down on TV, Buffett is quietly writing checks with both hands, buying $3B of GE, $5B of Goldman, $6.5 of Wrigley/Mars and so on. Uncertainty is one thing - it could be 6 months or it could be 5 years until this thing turns around - but risk is another: you hedge your risk with price and long-term advantages, i.e. moats. People will still eat candy in a bad economy.

* Buffett's partner Charlie Munger calls envy the stupidest of the seven deadly sins, because only you feel bad; there is an upside to all the others. He said you can pay someone on Wall St $2 million a year and they will be perfectly happy until they find out someone across the hall is making $2.1 million, and then they will be miserable. Which is an insane way to live.

Assets Good Until Reached For

A few months back Minyanville wondered whether this subprime mess would end up as a cancer or a car crash. Guess we know the answer now. The question is - should we be at all surprised? Some smart folks have been warning for a long time. Warren Buffett famously called derivatives financial weapons of mass destruction.


Charlie Munger, as he is wont to do, went a bit further (from 2004):

I think a good litmus test of the mental and moral quality at any large institution [with significant derivatives exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.

They have made many other statements in the same direction, based on their own experience buying companies that used derivatives, where they were unable to unwind the books and figure out who owed whom. At the last Berkshire Hathaway annual meeting someone asked Charlie Munger what we could learn from past blow-ups about the present crisis:

It was a particularly foolish mess. We talked about an idiot in the credit delivery grocery business, Webvan. Internet based delivery service for groceries -- that was smarter than what happened in mortgage business. I wish we had those Webvan people back.

What can we learn from all this?
Well, Dan Geer launched a revolution with his famous speech about risk management. He got the big-picture part right about the security industry evolving towards more risk management practices; however, the examples we assumed were right at the time, namely the financial industry, are proving wrong. For one thing, you can't manage a risk if you don't know the assets (back to Charlie Munger, emphasis added):

It is crazy to allow things to get too big to fail, run with knavery. As an industry, there is a crazy culture of greed and overreaching and overconfidence trading algorithms. It is demented to allow derivative trading such that clearance risks are embedded in system. Assets are all “good until reached for” on balance sheets. We had $400m of that at General Re, “good until reached for”. In drug business you must prove it is good. It is a crazy culture, and to some extent an evil culture. Accounting people really failed us. Accounting standards ought to be dealt with like engineering standards.


So, yes it is about risk management, but if you build too many abstractions on top of your assets through derivative accounting and such you may find you don't have any assets when you need them. Don't fall in love with your abstractions, manage your assets.

There are some clear lessons for us in Information Security, err I mean Information Risk Management.

Margin of safety
It's our job to manage risk, but this doesn't mean that we have to build layers and layers of abstraction on top of it. It also means that we help to design, build, deploy, and operate systems with margins of safety: understanding the failure modes and accounting for them in the design. Developers (because they are supposed to) and architects (because they haven't been properly trained) focus on functional requirements, building features, but on security not so much. There are many ways to improve security in a system and they are all inadequate by themselves, but we can help find cost-effective improvements.

Don't fall in love with abstractions
If you have 100,000 desktops or 100,000 servers, it's hard to manage. You will need to automate, and to do that you need to abstract, but you should also realize that it's a drawing on a whiteboard, not reality. You need abstraction assurance.

Ian Grigg commented on an earlier post:

There are distinct parallels between phishing / retail payments, and the bigger investment mess. In both cases, banks would argue these are core business. In both cases, they have applied risk-based security models, and accepted some loss. In both cases, they have the ability to apply substantial experience to the monitoring, allocating and absorbing risks and losses.


In both cases, they watched and did nothing as the risks started from low, and migrated upwards. Are we at the point where regulation has killed the ability of banks to apply their (arguable) one core skill, to wit, risk-based analysis? Are banks that far out of banking that they no longer have it?


So you have to remember that top down and bottom up need to be combined.

Design for failure
Dan Geer has also told the story that he sat in a large bank's risk management training, and the trainer said "you may wonder why this works so well. it works because there is zero ambiguity over who owns what risk." Dan's thought was - "in my field we have nothing but ambiguity." Turns out the second part was right, we have nothing but ambiguity over who owns what risk; unfortunately the financial people have much more ambiguity than they thought! So we do have a lesson here after all, and it is this - when the thing you thought was true isn't, the failure mode is very ugly. Design for failure - add layers of protection.

Keep it simple.
They have some smart engineers at Google to be sure, but even they had incredibly basic errors in their SSO. I have seen other obvious fails like people signing WS-Security messages, and the recipient checks for a signature but not whether they trust the signer! There are so many ways to shoot yourself in the foot in loosely coupled systems, and we have so many abstractions layered on top of each other, that part of the mantra of protecting assets has to be keeping it simple.
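The signer-trust mistake above in miniature, as an added example written for this post (not code from Google or from any WS-Security toolkit): the envelope carries the signer's own key the way a BinarySecurityToken would, so a recipient that only verifies the signature accepts anyone who can sign anything. Ed25519 and the fingerprint allowlist are assumptions standing in for the XML signature and the recipient's trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedMessage stands in for a WS-Security envelope that carries the signer's
// own key (like a BinarySecurityToken) next to the signature over the body.
type SignedMessage struct {
	Body      []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}

// Sign builds an envelope whose SignerKey is whatever key the sender holds.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedMessage{Body: body, SignerKey: pub, Signature: ed25519.Sign(priv, body)}
}

// VerifyNaive is the bug from the text: the signature is checked against the
// key shipped inside the message, so any sender holding any key passes.
func VerifyNaive(m SignedMessage) bool {
	return ed25519.Verify(m.SignerKey, m.Body, m.Signature)
}

// TrustStore holds SHA-256 fingerprints of signer keys we have decided to trust.
type TrustStore map[string]bool

func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyTrusted asks "do we trust the signer?" before "is the signature valid?".
func VerifyTrusted(ts TrustStore, m SignedMessage) bool {
	return ts[Fingerprint(m.SignerKey)] && VerifyNaive(m)
}

func main() {
	trustedPub, _, _ := ed25519.GenerateKey(nil)   // nil means crypto/rand
	_, strangerPriv, _ := ed25519.GenerateKey(nil) // constructed: a key nobody vetted
	ts := TrustStore{Fingerprint(trustedPub): true}
	forged := Sign(strangerPriv, []byte("<order><amount>1000000</amount></order>"))
	fmt.Println("stranger: naive =", VerifyNaive(forged), "trusted =", VerifyTrusted(ts, forged))
}
```

The naive check reports true for the stranger's message; only the trust-store check rejects it.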

So that is my list. To do all these things requires that Infosec get in the game, understand the use cases, understand the business value (it should be abundantly clear that you can't simply rely on "business people" to be "business experts"), and not lose sight of the asset amidst all the abstraction. Finally, the systems we build security on are very primitive. A firewall and SSL are fine; a seatbelt was fine in 1935 and it's still fine today, but there are lots of other safety controls in cars. ABS, airbags, traction control: they all protect the assets far better than in 1935, and that's what we need to build.

Anyone can make bad assumptions (assume you know who owns what risk) and it's easy to make bad abstractions (the firewall protects the information system), but when you combine bad assumptions with bad abstractions you'll get assets that are good until reached for, sooner or later.