Formulas for Disaster — Now Even Better!

October 18, 2009

Back in late May and early June I wrote a series of posts (“Formulas for Disaster, Parts 1, 2, 3, and 4), about some of the factors that may have contributed to the most recent Wall Street meltdown.  One of the problems I mentioned there was the statistical modeling process used to estimate the risk, and the value, of collateralized debt obligations [CDOs].   There is some significant evidence that questionable assumptions in the process led to a systematic under-estimation of risk, and a corresponding over-estimation of value, by the large financial institutions that traded and held them.  This is one illustration of what I perceive as a core problem: the industry’s ability to construct novel instruments considerably outpaced the ability of its managements to understand them sufficiently.

Now Prof. Andrew Appel, of the Center for Information Technology Policy at Princeton, has a blog post at “Freedom to Tinker” about a new paper that argues that there is another fundamental problem with these derivative securities.  A conventional argument in favor of the creation and use of CDOs is that they can improve efficiency in the capital markets, by allowing investors’ preferences to be matched more closely even though the sellers of CDOs have information that the buyers do not.    The working paper [PDF], by Sanjeev Arora, Boaz Barak, Marcus Brunnmeier, and Rong Ge, argues that the structure of CDOs makes it possible for the seller to “rig” the creation of CDO pools, so that some pools are much riskier than others (= contain a significantly higher proportion of default risk).   More importantly, they show that detection of such rigging, even after the fact when losses are known, appears to be a computationally-infeasible problem; that is, if the seller rigs the pools, it is effectively impossible to prove the manipulation, even after all the evidence is in.  (Technically, they are arguing that the detection is an NP-complete problem.)   As Prof. Appel puts it:

Trading in derivatives brought down Lehman Brothers, AIG, and many other buyers, based on mistaken assumptions about the independence of the underlying asset prices; they underestimated the danger that many mortgages would all default at the same time. But the new paper shows that in addition to that kind of danger, risks can arise because a seller can deliberately construct a derivative with a booby trap hiding in plain sight.  [Emphasis in original]

The working paper does suggest, in Section 5, an approach to designing CDOs that might mitigate the threat of pool rigging, although the authors are careful to note that they have only explored the issue in the simplified analytical context used in the paper, and that it is not clear how to apply this particular insight to the real world.

I’m sure that quite some time will pass before the last word is written about the recent Wall Street debacle;  there will doubtless be more work done on the specifics of some of these issues.  However, it seem to me that it is fair to draw one basic lesson from what we have learned so far:  it is entirely possible for the financial services industry to develop products whose complexity exceeds its competence to manage or even understand.  To suppose that an unfettered laissez-faire approach to rule-making will automagically produce good results is a leap of faith that I am personally unwilling to make.

More on Firefox Plug-In

October 18, 2009

The plot thickens!  Mozilla has now put Microsoft’s “stealth” Firefox plugin (that I wrote about most recently yesterday) on its “block list”, to prevent its being installed, and to disable it for users who may have already installed it.  Many Firefox users (on Windows) may have gotten a pop-up message like this:


According to Microsoft, if the user has applied one of the security patches released earlier this week, the MS09-054 update for Internet Explorer, the plugin should be safe.  (Microsoft had previously admitted that the plugin effectively added an Internet Explorer vulnerability to Firefox.)

Mozilla, in their “Security Blog” post on the action, says that they cleared the removal action with Microsoft before putting the block list entry in place.

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately.

The vulnerability introduced to Firefox by the plug-in was a severe security risk.  I accept that Microsoft in good faith thinks that their patch repaired the flaw, but I would still deep-six the plugin.  Its only value is to enable the use of content written to be exclusive to Internet Explorer, which you can probably live without.  (I have been using Firefox on Linux for 6+ years, and seem to be getting along OK.)

PC World also has an article on this.

Update Sunday, October 18, 13:00

There is also a Slashdot discussion thread on this, and a “Security Fix” blog posting by Brian Krebs at the Washington Post.

Update Monday, October 19, 10:58

There is also an article at Ars Technica about this kerfuffle.  According to the article, Mozilla has blocked all versions of the plugin, because they can’t tell the patched from unpatched versions:

Adding the plugin to a blocklist seems reasonable in light of the risk that this security vulnerability poses to users, but it’s a very blunt weapon. Microsoft apparently doesn’t properly maintain version numbers in the plugin, so Mozilla has no way to selectively target the block to the insecure version.

As I said earlier, I don’t think the function provided by the plug-in is a great loss; but wouldn’t it be nice if the vendors could all agree to abide by standards?

%d bloggers like this: