Finance is a Virus

Working as a computer programmer, as I do, it is perhaps inevitable that I should see in every aspect of life an analogy with computers. If I were a gardener, perhaps I would see everything in terms of “as ye reap, so shall ye sow”. This doesn't mean, however, that the insights gained this way aren't accurate. Recently, I have been considering the parallels between a computer and a nation with a monetary economy, and it has led me to some troublesome considerations.

Consider:

A computer is a system for manipulating and creating information. It keeps track of what information is where, allows new information to be entered and evaluated, and provides tools for creating new information using the information which already exists. But, a computer isn't information, and the bits in the computer are not information either; the bits in the computer are just used to represent the information. Merely creating more bits does not guarantee that any more information is being created, no matter what part of the computer is generating them. Experts in the study of computers, however, use a very specific definition of 'information' that can make this distinction hard to spot, since by the technical definition almost any creation of bits is considered to represent information. This, while the opinion of experts, is incorrect.

A monetary economy is a system for manipulating and creating wealth. It keeps track of what wealth is where, allows new wealth to be imported and evaluated, and provides tools for creating new wealth using the wealth which already exists. But, a monetary economy isn't wealth, and the money in the monetary economy is not wealth either; the money in the monetary economy is just used to represent the wealth. Merely creating more money does not guarantee that any more wealth is being created, no matter what part of the monetary economy is generating them. Experts in the study of economics, however, use a very specific definition of 'wealth' that can make this distinction hard to spot, since by the technical definition almost any exchange of money is considered to represent wealth. This, while the opinion of experts, is incorrect.

In case the point isn't obvious, the two paragraphs above are nearly identical except for the following substitutions:

There are two reasons to notice all this. One is that it is important to keep in mind the distinction between the thing you really need to care about (information/wealth) and the thing you use to represent it (bits/money). One good way to evaluate the usefulness of a computer program is to measure how much information it produces. However, measuring the information produced by a program is much harder than measuring the number of bits it produces. Unless the bits are completely random, they could mathematically be said to represent information, in a very technical (and mostly useless) sense. We need to know how much actual human-useful information is present.

We could measure how often the user runs the program. This is not as effective as we might wish, however, because many of the programs in a computer are never started by the user, yet are often running. They don't produce any bits/information for the user directly, but they take bits/information from one program, process them somehow, and send them to another. This can be a useful thing, in the same way that a financial institution taking money from one person and giving it to another might be useful, but it does make an evaluation of its real usefulness harder to measure.

You could try to measure this in a better way by seeing how often a program is called on by other programs. Whether it's the user clicking on a link or typing into a command line, or some ongoing process that causes one program to call another, this might seem a decent way of knowing which programs are actually useful.

The problem is that in recent decades we have seen the rise of “malware”, an entire class of malevolent program that includes viruses, trojan horses, spamware, and so forth. These programs manipulate either the user or other programs in the computer (e.g. the browser) to cause them to call on the malware program, make copies of it, and otherwise do its bidding. If you just measure a program's worth (how much real information it creates) by how often the user or other programs call on it, you might think malware is very valuable. In fact, it is of negative value; it generally subtracts from the usefulness of the computer.

Exercise for the reader: translate the above paragraphs into analogous ones discussing the monetary economy. What word or phrase would we use to replace the word “program”?

When we buy a new computer (or wipe its hard drive clean and re-install the OS), we end up with a clean slate for a limited time. Typically, however, malware will quickly arrive. What can be done, and who can do it?

In theory, the job of detecting/preventing the arrival of malware is the operating system's. In some cases, this works (e.g. Linux has had a fairly low level of malware infection, and until recently Mac as well). However, once we have a very widespread OS (e.g. Windows), there are more sources of malware to infect it, and the OS alone is not able to do this well. Why not?

Essentially, malware is created to attack the weakest point of the system. When this is the OS, that is what they will be designed to attack. When this is the browser, they will be designed to attack that. In every case, though, “attack” is probably not the right word. Really, they manipulate and exploit their target (including when the target is the user, as when the email has a link that persuades the user to click on it). Malware does not crack open the computer case and burn itself into the hard drive with an electron beam; it persuades the computer (or the user) to copy itself in by exploiting the computer's OS (or browser or browser plugin or whatever) in a way that the designers had not thought of or intended.

What is the equivalent of “OS” or “operating system” in a (nation with a) monetary economy? What is the equivalent of “browser”, the program that gets attacked whenever it is more vulnerable to manipulation than the OS?

In that case, there are a couple of methods of defense. One is to install an anti-malware program (usually just called “anti-virus” since viruses were the first kind of malware to become a widely known problem). These typically work in one of a few ways:

  1. they are able to recognize malware that has previously been found to be harmful, and are on the lookout for that
  2. they are able to recognize patterns that describe many previous programs which were found to be harmful

Option 2 is better than option 1, but harder to pull off, because it is more likely to run into the problem of “false positives”, in which something that is not actually malware is treated as if it were.
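The trade-off between the two options, as an added example that is not part of the original essay: option 1 is modelled as an exact hash lookup and option 2 as a single pattern rule. The sample "programs" are constructed text stand-ins, and the rule and all names are assumptions made for illustration.

```python
import hashlib
import re

# Constructed samples: (program text, is it actually harmful?)
SAMPLES = {
    "known_worm":   (b"copy self to startup; mail self to every contact", True),
    "worm_variant": (b"copy self to startup; mail self to every contact #v2", True),
    "backup_tool":  (b"copy self to startup; upload documents to backup", False),
    "calculator":   (b"read two numbers; print their sum", False),
}

# Option 1: fingerprints of programs previously found to be harmful.
SIGNATURES = {hashlib.sha256(SAMPLES["known_worm"][0]).hexdigest()}

# Option 2: a pattern shared by many previously seen harmful programs
# (hypothetical rule: anything that installs itself to run at startup).
SELF_INSTALL = re.compile(rb"copy self to startup")


def signature_match(program: bytes) -> bool:
    """Exact match only: any change to the program changes the hash."""
    return hashlib.sha256(program).hexdigest() in SIGNATURES


def pattern_match(program: bytes) -> bool:
    """Behavioural pattern: catches variants, but also look-alikes."""
    return SELF_INSTALL.search(program) is not None


def score(detector):
    """Return (missed_malware, false_positives) as sorted name lists."""
    missed, false_pos = [], []
    for name, (program, harmful) in SAMPLES.items():
        flagged = detector(program)
        if harmful and not flagged:
            missed.append(name)
        elif flagged and not harmful:
            false_pos.append(name)
    return sorted(missed), sorted(false_pos)


if __name__ == "__main__":
    for label, det in (("option 1", signature_match), ("option 2", pattern_match)):
        missed, false_pos = score(det)
        print(f"{label}: missed={missed} false_positives={false_pos}")
```

The hash lookup never flags a benign program but misses the variant; the pattern rule catches the variant at the cost of flagging the backup tool.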

Exercise for the reader familiar with Turkish history: describe the pattern of malware which the Turkish OS was trained to detect and eliminate, and give your opinion on whether or not it suffered from false positives. Bonus question: answer the same question for U.S. history.

One general principle for keeping, for example, servers free of malware is to install only the minimum feature set desired for that server. Every new feature, whether the ability to upload and download files or the ability to compile and run programs or the ability to open an ssh session, is also a way of opening a new vulnerability to malware. Why is this? Because malware is using the very same features intended for one use, in some other (malevolent) manner, and the more features, the more possible exploits. If the server can only do two things (e.g. receive a request for an image, and serve up that image), then it is very hard to manipulate to do anything else. If it can establish an ssh or sftp session, compile and run Java programs, act as a proxy server for others, and do a whole range of other things, then the number of ways in which malware can potentially manipulate it is higher for the same reason. If it can do more things, it can be manipulated in more ways, for good or for ill. Also, it becomes increasingly complex, since the interaction between all these things has to be considered (e.g. it can upload images, and it can run programs, so now we have to make sure we don't upload something we thought was an image and then run it as a program). The complexity comes not only from the number of things the server can do, but the number of combinations of things it can do, which increases exponentially as we add capabilities.

Exercise: can you think of an institution in which the number of potential actions is greatly increased in recent decades? Is there evidence that these additional products or services have opened the gate to increased manipulation for malevolent ends?

Perhaps the worst kind of malware, because it is the hardest to remove after infection, is the so-called “rootkit”. In this kind of malware, the program gains effective control over the OS itself. To quote from the Wikipedia article on anti-virus software as of 29 Oct, 2011: “Rootkits are also difficult to remove, in some cases requiring a complete re-installation of the operating system.”

Exercise: what would the equivalent of a 'rootkit' be in a (nation with a) monetary economy? What would be the equivalent of a complete re-installation of the operating system? How would you know that other methods were ineffective, and it was time to reinstall the OS?