Security

Because we host a web application, we are focused on web security. We've locked down the perimeter. We can see from our log files that there is a great deal of malicious activity out there.

Internally we have centrally controlled anti-virus. We have automated patching. We have an intrusion prevention system and we even have a remote security monitoring service.

But technology is not enough. We have to instill a culture of security in all our staff.
Consider these scenarios - which is more likely?

1. Someone breaks through two locked steel doors watched by surveillance cameras. They then break into a locked server cabinet and unbolt computers. They have time to get away with massive heavy servers.
   
2. Someone nicks an unattended computer bag in the food court.
   

1. A file is infected at work on a fully patched fire-walled and virus protected computer.
   
2. A file is infected while taken home and used on an unsecure computer shared with teenage children.
   

1. Confidential data is stolen by sophisticated hacker geniuses that break into the network.
   
2. Confidential data is disclosed on 'draft' paper copies sent out with the recycling.
   

People's behaviour can jeopardize security despite the best technology. Security has to be everyone's responsibility. People can be the biggest liability but they can also be the greatest defense.

Without the full support and engagement of staff, the IT department risks building a Maginot line of defense that can simply be walked around. Here's a map of the original pre-WWII Maginot line. Where do you suppose the attack came?

The Price of an Invisible Hand

The 'invisible hand' of capitalism should naturally provide funding to projects and businesses that are likely to be profitable and create more value for society. Businesses that create 'value' produce real products and services that people are willing to pay for. These businesses do useful things and they do them at a cost that customers are willing to pay for.

But how much are we paying for this 'invisible hand'?

Financial services comprise over 20% of GDP - not so invisible. It's a very important sector - essential for everyone. We all need it like water and electricity, but do we have to pay 20% for it? Are we getting value for money?

I've found two great quotes:

The first one is from President Andrew Jackson in 1832 addressed to a bankers:

“Gentlemen, I have had men watching you for a long time, and I am convinced that you have used the funds of the bank to speculate in the breadstuffs of the country. When you won, you divided the profits amongst you, and when you lost, you charged it to the bank. You tell me that if I take the deposits from the bank and annul its charter, I shall ruin ten thousand families. That may be true, gentlemen, but that is your sin! Should I let you go on, you will ruin fifty thousand families, and that would be my sin! You are a den of vipers and thieves. I intend to rout you out, and by the eternal God, I will rout you out.”

The second quote is a bit of dialogue from Tom Wolfe's "Bonfire of the Vanities". This is an apt explanation of finance addressed to a child - but it works for me!:

"Daddy doesn't build roads or hospitals, and he doesn't help build them, but he does handle the bonds for the people who raise the money."

"Bonds?"

"Yes. Just imagine that a bond is a slice of cake, and you didn't bake the cake, but every time you hand somebody a slice of the cake a tiny little bit comes off, like a little crumb, and you can keep that."
Judy was smiling, and so was Campbell who seemed to realize that this was a joke, a kind of fairy tale based on what her daddy did.

"Little crumbs?" she said encouragingly.

"Yes," said Judy. "Or you have to imagine little crumbs, but a lot of little crumbs. If you pass around enough slices of cake, then pretty soon you have enough crumbs to make a gigantic cake."

If banks - and other financial entities - were more closely regulated or even partially nationalized, it would probably lead to a slight impairment to the efficient flow of capital. But would this not be worth it if we could avoid situations like the one we now find ourselves in? And after all, 20% of the economy is not an 'invisible' hand.

Why Was the CMBX Ever Interesting?

I became interested in the CMBX through my curiosity about the future of commercial real estate. Would the real estate crisis spread to commercial owners?

Why the CMBX? It's a long story:

The first thing to do in assessing the expected future performance of an industry is to look at publically traded companies. They report their performance and projections. The collective reaction by the market is reflected in equity prices. It's pretty easy to see what people think is going to happen in publically traded companies.

The problem is that a large percentage of commercial real estate is not held in public companies. There are listed REITs but there is also a vast amount owned by private companies and investors.

If you can't see a market assessment of risk in equity prices, you can look at debt. The yield on bonds tells you something about risk. The higher the return, the more investors are being compensated for the potential risk of default.

The problem with debt is that this market has not been very liquid since the crisis began. There are very few real estate companies that have been issuing new debt during this period. At current low prices, these bonds do offer good cash flow returns.

If the debt market is stuck then perhaps the market for insurance default would be a good proxy for the health of the commercial real estate sector. After all, it turns out that the ABX index (a similar index for residential mortgage default CDSs) predicted the mortgage crisis several months in advance.

Now, the problem with the CMBX is that rather than simply tracking the price that bond holders pay for insurance, it has become an investment vehicle for hedge funds and others to speculate and bet against the issuers of the debt. This speculation is in turn hurting and distorting the actual debt market.

Finally, recent developments such as the bankruptcy of Lehman Brothers and the trouble at AIG mean that the issuers and dealers of the Credit Default Swaps are themselves in trouble. Are investors willing to buy derivatives when the 'counter-party' may suddenly disappear?

At this point I wonder if the CMBX index is related to conditions in the real estate sector at all. It might just be a speculator distorted, meaningless red line.

Credit Default Swaps and the CMBX

The Lehman Brothers bankruptcy was not expected. Many people thought that even if there was not a government bailout a take-over or sale might be a solution. If they were not able to spin off assets, then they might be acquired by another bank. As it turned out, there were no suitors and they are now in bankruptcy protection without any hope for recovery.

The lack of faith in the bank could be seen in the steadily declining share price in the months leading up to the failure. It could also be seen in the price of Credit Default Swaps (CDS) issued on Lehman debt. CDSs are like insurance policies that are taken out on a companies ability to pay debt obligations. As the risk of default increases, the price of the coverage increases. Here is a nice chart I found on Bespoke's blog:

Lehman's share price falls and the cost of insuring the company's debt increase at the same rate.

Does this work for the CMBX index and real estate prices? To test this I have taken the spread for the CMBX index and overlaid the Dow Jones Composite REIT Index . We can see that the lines do appear to mirror each other. When equity goes up the price of CDSs goes down and vice versa.

In terms of relative valuation then, derivatives and actual equity prices are telling the same story. What is really interesting here is the spread. On a basket of AAA rated real estate backed bonds, the CMBX spread is around 200 basis points over LIBOR. This is a BIG spread. Lehman CDS were in this range in July...

Tested: Chrome, I.E. and Firefox

I've used Chrome for a couple of days now and it is working very well. One of the features claimed by Google is that it is 'faster' than other browsers. How can you test that claim?

My first test involved opening four identical tabs in each browser and testing the load and refresh speeds. I have to say that this test was inconclusive. All of the browsers were equally quick in opening and refreshing pages. The results were hard to measure as the load times were often less than one second. This type of test is not reliable because the response rate depends on not only the browser but also the speed of the server and the connection across the web.

My next test looked at the use of systems resources. How much memory and processing power did the browsers consume? Using task manager, I compared the browsers with the same four tabs open:

Browser	Mem Usage	CPU
Chrome	174,076 K	5 - 15%
Firefox	121,436 K	2 - 5%
I.E.	161,260 K	0 - 1%

(the chrome browser showed up as seven chrome.exe instances - I added these up)

The results here are mixed. Firefox uses the least amount of memory while I.E. puts the least load on the CPU. Chrome is using a lot of processing power even when nothing is happening!

The third test was more rigorous. I used an online tool for testing the speed of JavaScript functions. You can try it yourself at SunSpider. This tool makes the browser repeatedly perform a wide range of JavaScript functions and then gives a total score in milliseconds. Here are the results on my machine:

Browser	Score
Chrome	3,023.8ms
Firefox	4,282.4ms
I.E.	41,118.8ms

There is a huge difference! Chrome is 40% faster than Firefox and an incredible 13 times faster than I.E. at performing the same functions. During the test, I.E. caused the processor to hit 100% for long periods while the other browsers at most used 30%.

Chrome is clearly optimized for JavaScript which is not surprising as this is the technology that Google Docs and other sites of theirs such as Google Reader rely on. Chrome will allow Google to deploy much richer web based applications that will be quick and responsive.

Another feature that Google has introduced is 'Application Shortcuts' you can now easily create icons on your desktop or the start menu that take you to your favorite web applications. Now a web app will look just like a locally installed program.

Google's strategy here is clear. Chrome will facilitate and support the adoption of web based applications and minimize the advantages of locally installed software. The clear target here is Microsoft Office. Interestingly, Google has so far only bothered to release Chrome for Vista and XP… hmm… I think we are going to see some very interesting competition!