Sunday, February 21, 2010

The Next CDO

I am going to make a bold prediction. I am going to predict the next big fiasco. It does not take a lot of thought to figure out what will become a problem. You just have to be able to divest yourself from the matter. For example, collateralized debt obligations, or CDOs, were a great fiasco. Very few people understood how they were set up. They were mystery financial vehicles developed to allow people to invest or gamble more money. The problem with CDOs is that they contain layers and layers of risk without adequate risk ratings. And there were no adequate risk ratings because the creators buried the risk within the CDOs and risk assessors had insufficient information to make the assessment. So they hummed along for several years until the housing market started to change dramatically with the housing crisis, which then set off the financial crisis because so much financing was in CDOs based on mortgages. Had it not been for the housing crisis, CDOs and their cousins might likely have stuck around for years soaking up the money of the ignorant and the unwitting public.

So you see, it does not take much to create a disaster. All you need is a mysterious vehicle or process in which a large part of the nation becomes invested passively. Then when something goes wrong, all hell breaks loose. It is the causing of the disaster that is difficult. Setting one up is easy as pie.

Thus my prediction for the next crisis will be digital information. I do not mean the information on your home computer or on your flash drive. I mean the data on the internet, or cloud, or whatever term floats your boat. Consider that data for a moment. Where is that data, exactly? When you type in a Google search, for instance, what happens? Your computer connects to your internet service provider (ISP), which routes you to a Google server, which then does the search and returns the results to you. When you check your mail you are routed to the mail server of whichever provider you use (Yahoo, Google, Hotmail, etc.), which has your email on its drives. It reads this data and sends it back to you. All the information that is out there is on a physical drive somewhere. In fact, it may be on several drives in different places, given the redundancy that is rationally required for data storage.

So where are these drives? And how well encrypted are they? Take your bank account. For online banking, most people are concerned with whether the web page is an encrypted page (with https, for example), or if they are using an unencrypted wifi connection. They are typically not worried about whether the server where their bank account information is stored is secure or not. They take that for granted. They should not, but they also have no choice. Locations of servers are usually kept very confidential, though it may not take a lot to figure out where they are hidden. After all, if you have hundreds of drives on 24/7, you need a lot of power to keep those drives cool and prevent them from overheating. So a nondescript building using a lot of power is usually very suspicious for a server site. And how secure are the drives? Aside from the physical security of locks, guards, and cameras, there is also likely to be encryption preventing unauthorized handling of the information. Yet not all server sites are created equal. Some are more secure than others. How secure is the server that holds your sensitive information? Do you know? No, you do not. You can only hope it is secure because the website tells you it is.

And that is where I predict the next crisis will occur. Anything that cascades down and affects the function of the servers will cause a myriad of problems with both access and possibly protection of information. This could be anything from a power crisis to another real estate crisis to a magnetic crisis (not all Faraday cages are created equal). This crisis could be prevented, but it would require the owners of these servers to take the necessary precautions to protect them, which they have little to gain from if they are renting them out. Google surely takes server protection very seriously, given its stake in the future of the internet. Users could come together to demand a standardization in server security, but it is doubtful that will change anything.

So even if you are on the lookout for phishing and disreputable websites, know that even your trusted companies may be using servers that leave your information at risk of theft or even loss.