The Market Ticker
Commentary on The Capital Markets- Category [Technology]
2017-07-06 14:54 by Karl Denninger
in Technology , 368 references
[Comments enabled]  

This is an interesting article sent to me by a reader; it's ~6 months old, but there's a hell of a lot of truth in there.

So, at the end if the line, on average, it looks like you are probably getting somewhere about 3¢ worth of actual ads seen by actual people for every dollar you spend on display advertising.

The funny part of this analysis (read the whole thing; it's amusing) is that the overhead is utterly ridiculous.  Sixty percent is "absorbed" before a single pixel reaches a single screen.

You know a so-called "industry" is nothing other than a giant fraud-filled theft ring when that sort of number shows up.  Nobody gets away with absorbing 60% off the top without either using a gun or a scam somewhere -- usually both.

I used to oversee the entire ad budget at MCSNet; one of the pleasures of being a reasonably-small corporation is that the CEO sees basically everything that gets spent and someone has to justify that spend to said CEO before it happens -- without exception.

Further, we basically never dealt with any sort of "agency."  There were a few exceptions, but not many.  I recognized those as pure overhead, of course, as they didn't get me anything for the money spent.  The only argument you could make to me as such an agency was that you'd save one of my people (perhaps me) a great deal of time -- which has value, of course.  Few were able to make that pitch work.

Here's what I found from my years in the Internet business: Radio, carefully targeted, worked and was worth the money spent.  Local shows of any sort were usually worth the money spent (and thus we did a lot of them.)  Virtually nothing else returned enough on a provable basis to be worth the investment notwithstanding the claims of all the people trying to get us to buy ad space in their media.

I suspect when you get down to it essentially all video ads are worth zero on an ROI basis.  They cost too much to produce and run, never returning enough in profit (not sales) to cover their expense.  "Display" ads (e.g. through things like adsense) work in some cases.  Any sort of "aggressive" advertising does not work at all (e.g. pop-unders, pop-ups, etc) and pisses off more customers than it gains by a good margin, so it actually does you harm to use them or be associated with any property on the web that does.

This leaves aside the utterly-insane claims of what counts as a "viewed impression", which I found shocking.  50% of the pixels in view for one second counts as an "impression"?  Since when can you identify a specific product and/or brand in 1 second with half of whatever image obscured, and what would lead anyone to conclude that you should pay for such an "impression"?

You gotta be kidding me.

So why does a company like Facebook, which exists only because it claims such "ads" have value, in fact exist?  Well, to be blunt, there are a lot of suckers in the corporate world.

They "believe" that if their competitors buy an "ad" on a platform like this they have to as well.

For..... what, exactly?

See, my philosophy as a marketer is that if someone else wants to waste millions of dollars on a thing that gets them no sales (and certainly not enough profit to make back the millions of dollars they spend) I should let them do it and tattoo them with my materially lower cost of operation, which means I can beat them on price, the quality of what I sell or the Holy Grail of business: BOTH.

It stuns me that this hasn't sunk into the consciousness of marketing managers at our nation's businesses, both large and small.  Advertising that cannot provably bring in more gross profit than it costs to run with all costs accounted for is idiotic to purchase and further when it comes to being a Board Member or executive buying same violates your fiduciary duty to the firm's shareholders!

It's one thing to experiment with various forms of marketing -- you have to do that.  The world is always changing and so is the media.  What works in one place or on one day may not in a different place or on a different day.  But the numbers put forward in this link are damning, and the overhead alone makes the overall picture essentially impossible to pencil out.


In short these digital media systems appear to exist simply to justify their own existence; the fact that they deliver alleged "advertising" is not the point, it's a side effect that just happens to be necessary to justify being there while grabbing 60 cents of every dollar off the top.

When you boil it all down the entire so-called "internet ad ecosystem" is a scam and thus all the firms that are connected to and dependent on it have an actual intrinsic value of zero.

We'll see how long it takes before all the modern-day Pets.coms have their moment of market recognition.

Good luck Zuckerpig and friends.  You're gonna need it.

View this entry with comments (opens new window)

2017-06-27 13:21 by Karl Denninger
in Technology , 188 references
[Comments enabled]  

We have yet another "ransomware" game going on globally.

Let me point out that this is driven by idiocy in corporate America.

Ransomware attacks only work because the computers in question are not properly backed up, they do not have a decent plan to keep data safe, they are interlinked including the ability for data to be corrupted "on storage" (such as "in the cloud") and the entire bubble economy in tech is based on more, not less, of this.

Run your "backups" to the cloud?  That's nice -- how fast is your connection and their throughput if you have to restore every machine in the office?  Will it take hours, days or weeks?

That assumes it works too.  When was the last time you verified that?

I know the answer for myself: I verified that my backup system worked this week.  How?  I ran a restore to my laptop.  It took 20 minutes from a cold start off a USB key to being back where it was on a "new" disk.  I didn't do this "in extremis", I did it as part of my regular prove-up that the infrastructure I constructed still works.

That's what competent IT departments do.

Further, I have multiple backup versions available, so if I have to go back to an earlier copy due to some sort of infection I can.  I can also go back to just before the bad thing happened, copy off any changes somewhere else, then restore the earlier one if I have reason to suspect there's a latent problem and then layer over that.

On my servers I can literally go back to a snapshot taken a few hours ago, a few days ago, or a few months ago at any time within seconds.  A full restore of those systems takes quite a bit longer just due to the size of the data store involved but provided the hardware is ok I can revert on a snapshot basis in seconds, making a corrupt file or even entire corrupt filesystem a minor, no-big-deal annoyance.

If you have me install infrastructure in your office I can put that same capability on your network.  Now a "ransomware" attack means nearly nothing other than a (moderately severe) annoyance since once we determine in which hour and which day it hit I can simply revert the snapshot to the one prior to that time and your files are all back to where they were before they got encrypted.  Then we restore the system in question from load media and you're back in business inside of 20 minutes.  Yes, the file you were editing at that moment in time is destroyed, but everything else is fine. We then talk about the recommendation to ****can the idiot who was downloading porno or whatever on his work computer and got infected by doing so, and yes, I can usually figure out who it was.

If your enterprise cannot do this then your IT people have traded off your corporate data security for some ****headed "buzzword" like "cloud."

For this they should be stuffed in the career wood chipper -- feet first -- and if your firm is publicly traded it should be a zero as should those public companies that have advanced and promoted such stupidity.

How many times does this have to happen before the stupid stops?

Apparently the answer is "at least once more."

View this entry with comments (opens new window)

2017-06-26 14:03 by Karl Denninger
in Technology , 316 references
[Comments enabled]  

If you do and you have not verified that your vendor has patched this through a BIOS microcode update (you would have had to load said update) go into the BIOS and turn off hyperthreading immediately.

Yes, this will cost you some performance.

If you don't you are running a small but real risk of likely random but possibly malicious data corruption/destruction.

The problem will only occur under certain heavy-load situations but you cannot predict those and if you get bit by it the results are undefined -- which means possible random data destruction that then gets written to your disk(s).

I'm unaware of a realistic means of using this to break into your machine but crafting a malicious executable that attempts to run the instructions that cause the problem in a tight loop would not be all that difficult and the possible consequences include a system crash or, much worse, silent corruption of data that winds up being written back to disk.

This is not a joke folks -- it's a serious microcode bug, arguably far more serious than the infamous Pentium "floating point" problem in that it can impact anyone, at any time, in any workload whenever the CPU gets busy.  In addition since it cannot be accurately predicted or mitigated by user code (e.g. an operating system, etc) there is no fix other than to shut off the hyperthreading capability until your system vendor provides a microcode fix.

You've been warned.

BTW, these are the latest two revisions of Intel chips so if you have a new(ish) machine you are probably at risk.

View this entry with comments (opens new window)

2017-06-25 07:00 by Karl Denninger
in Technology , 380 references
[Comments enabled]  

What won't stop?

Out-of-scope data collection, correlation and sales.

In other words forced divulging of data from you, or about you, for other than the purpose you reasonably both expected and agreed to.

Let's take Android.  You turn on maps, which is a Google-provided program to get you from "X" to "Y".  That Google would use your location during that time to provide you not only that service but also possibly ads related to where you are is reasonably-foreseeable and something that makes sense you'd agree to in order to get the requested service.

But now let's look at the other side.  You have a weather application on your phone.  That application has ads.  The ads are context sensitive so (for example) knowing that you're near a sub shop it might show you an ad for that.  Fine, thus far.

But not so fine when Google pops up a prompt to review that sub shop should you set foot inside when you didn't use Maps, or any other Google software that could have reasonably known that.

Oh, and you can't turn that off either -- that is, you're forced to allow one company to have access in order for anyone else to.  Google ensures this by not allowing you to "gate" applications so they only have access an can run when in the foreground (e.g. visible on the screen) -- but they sure will gate their Youtube app so you can't listen to the audio associated with a video being played unless you are physically watching it (and thus can see their ads!)

Now that particular example (which is really common) is just annoying, never mind costing you money (since the traffic to do that on the network you pay for yet you get nothing in return.)

But what happens when that data, which Google and dozens of other firms now have, is sold to a data broker who in turn uses it to set a risk profile for your health insurance and thus what you pay for it?

What about when it goes into your car insurance or homeowner's insurance pricing?

Or, that you did not go past a Best Buy means that Amazon charges you a higher price for something that you could have bought at Best Buy -- and might have, had you gone by there.

Think all of this is theoretical?

It's not.

It's happening.  All of it.  Right now, in real time.

And utterly none of that is something you reasonably expected to happen when you "gave consent" nor would you likely give consent if you knew in advance.

I'll give you an example.  My Android phone is idle right now.  I deliberately closed all of the apps, and force-closed everything in the app drawer.  Of course some of them immediately started back up.  I also blocked a lot of Google's stuff.

Nonetheless, look at this which is a tiny snippet of what goes on all the damn time:

09:32:34.368602 IP D5.Denninger.Net.47430 > Flags [P.], seq 1:518, ack 1, win 343, options [nop,nop,TS val 175172 ecr 359567624], length 517
09:32:34.395562 IP > D5.Denninger.Net.47430: Flags [S.], seq 3364819207, ack 4270951170, win 28960, options [mss 1460,sackOK,TS val 359567660 ecr 175168,nop,wscale 5], length 0
09:32:34.400981 IP > D5.Denninger.Net.47430: Flags [.], ack 518, win 939, options [nop,nop,TS val 359567665 ecr 175172], length 0
09:32:34.401909 IP > D5.Denninger.Net.47430: Flags [P.], seq 1:153, ack 518, win 939, options [nop,nop,TS val 359567666 ecr 175172], length 152
09:32:34.402726 IP D5.Denninger.Net.47430 > Flags [.], ack 1, win 343, options [nop,nop,TS val 175175 ecr 359567624], length 0
09:32:34.405302 IP D5.Denninger.Net.47430 > Flags [.], ack 153, win 343, options [nop,nop,TS val 175175 ecr 359567666], length 0
09:32:34.407235 IP D5.Denninger.Net.47430 > Flags [P.], seq 518:569, ack 153, win 343, options [nop,nop,TS val 175176 ecr 359567666], length 51

The traffic out of the WiFi interface (if it's on) is continuous and it's all encrypted.  I have no way to know what the **** is being sent or who the actual target is; being encrypted I can't see what is in the data payloads.  Akamai is a common "cloud" data aggregation and delivery system but the point remains -- what's being sent, to whom, and by what?  I have no way to know and no way, other than shutting off both cellular and WiFi, to stop it.

Then there's "markmonitor" -- which is the target of some of the traffic on  When did I consent to my device sending something encrypted to them?  Their claimed "business model" is "brand protection."  What are they snooping for and in which app did that get into my device?  This one I have been able to track down -- Google's apps are sending to them.  Why is Google snooping around in my device and what are they sending to a "brand protection" company?

10:08:34.540999 IP6 2600:8807:8600:ea1:c978:9379:2f6c:c861.41337 > Flags [.], ack 1, win 395, options [nop,nop,TS val 345828 ecr 3390397241], length 0

There are dozens -- if not hundreds -- of others.  Some are from apps, but that belies the problem as well: Is not Google responsible for that which is in their app store?  Is not Apple responsible for that which is in theirs?  They create the "ecosystem", they profit from the "ecosystem" they should be responsible for what the apps in said ecosystem do.

Some of the traffic is identifiable as legitimate and expected.  Transmissions going to and from "googleusercontent", for example, or the IPSEC communications necessary for WiFi calling to work.  If I actually use an app then obviously it may have to go get something from the network and that's legitimate too.

But this traffic is all happening on a device that is sitting idle and yet it is continually collecting and exchanging data with a lot of "someones" unknown and unnamed, for unknown purposes.

What's worse is that all of these companies -- Facebook, Google, Apple, Snap, etc -- do this sort of thing and yet claim that they "deidentify" you.  This is nonsense; anyone with more than a few bits of these data pieces from multiple sources can with a very high degree of certainty attach your name to said "anonymous" advertising numbers, and poof -- you are known with certainty and forever, personally.

Oh, and incidentally it's just a matter of time before some nefarious jihadi type group buys up and correlates some of this data and then uses it to target people they want to kill by group.  It would be utterly trivial, for example, to identify active-duty military personnel in this fashion -- or cops, firefighters, etc.

How do we know they haven't already done this and are simply deciding when to use said data?

We don't, but it's incredibly naive to believe they haven't thought of it or won't do it.  They both have and will, and when it happens it will be our fault for allowing this crap to go on for as long as it has.  It will be our willful and intentional blindness to ridiculous exploitation and abuse served up on the American population daily that will be directly responsible for these deaths, and they will number in the thousands "all at once", making 9/11 look like a Girl Scout convention.

Let me point out once again that I did not consent to some unknown thing sending data on me all the time on a literal second-by-second basis -- and not just once, but dozens of times which nearly all appear to be wildly "out of scope" to what I did consent to.

Not only does all of this trash my battery and cost me money it also costs me anything that might be considered "privacy" too, and there is no way for me to know what that data is, who it's being sent to or why.

There are a number of relatively simple mandates that could take care of a big part of this problem.  Not all of it -- but a large part of it.  Specifically, the law could require that:

  • "Bundling" of application permissions is barred as a matter of law.  In other words it is explicitly prohibited for a manufacturer of an operating system, phone or other device to "whitelist" their apps and force you to take them and their demands to be able to see and transmit data as a group.  The impact of this today is that it is functionally impossible for me to have a weather application able to "see" the GPS or network location data (to know where I am) without Google's apps also being able to see the same thing.

  • Permissions must be able to be set separately for "with focus" and "in background", defined as when not in focus on a granular, per-application basis. Objecting to a mapping application being able to see your location while you're actively looking at it is stupid -- obviously, it can't work without that capability.  The same capability when the app is not visible is another matter, and what's worse is apps that stick pieces of themselves in the background and run without your knowledge, often at startup and on a permanent, persistent basis.  The current "model" of permissions where you can "deny" location, for example, to a mapping program is one that Google (and Apple) knows is worthless.  Denying location to a map application makes it worth nothing, of course, but denying it location when not in the foreground would make it impossible for it to grab your location when not being actively used and send it to "whoever."

  • Denying the ability of an application to run in the background must be one of the supplied permissions.  Maybe you wish to let Facebook run in the background, and perhaps you do not.  Some things (like a message app) might require that ability in order to be useful but a whole host of apps are perfectly useful without this ability and yet they frequently register and use background components.  All of the benefit of that is for the app developer (and whoever he sells data to) and none of that benefit is for you.  The inability to prevent this is outrageous.

  • Permissions must include access to the network.  If an app cannot obtain location information, cannot scan data on the device and cannot transmit or receive information when it is not in the foreground then a huge amount of the current data mining becomes instantly impossible.

  • Users must be able to change (1) the resolvers used for DNS lookups and (2) firewall and host mapping tables.  My device, my decision on what it can talk to and under what conditions.  Right now both Google and Apple deny access to these parts of the system although both are present.  Both Linux and the base IOS kernel have packet filtering available and both also trivially use a file called "resolv.conf" to determine where name resolution takes place.  These must be under user control so that I can, for example, block all traffic to and from one of those above-identified places should I choose to do so.  This is my piece of hardware, I own it and I have the right to control how it operates.  Period.

  • System services (e.g. Google's internal "play" services, etc) must not be able to circumvent these constraints.  Right now they both can and do.  The background "services" (those things that run "headless") must inherit the permission of the requesting application or program.  In other words Google's "Play Services" may not obtain your location unless the requesting caller has permission to obtain it in the current context (e.g. background or foreground) nor may it on its own collect and transmit said data independently.

  • App developers, including device vendors, must be compelled to disclose what they collect and why they collect it before you consent to loading such an application or, in the case of a pre-loaded app, before or at first use but before any collection and transmission occurs.  They must be barred under criminal and civil penalty, from sale of such data "out of scope" to anyone and any sort of "blanket permission" must be barred. In other words if you collect data "to provide better advertising" to me then you can't sell it to anyone who does not have as the sole and only purpose of its use providing said better advertising.  If you, for example, sell it to someone who is using as part of producing a "Credit risk score" you get shut down, your executives go to prison and you're financially ruined.  The use of such language as "or any other legitimate business purpose" must be explicitly unlawful.

  • This must be applied to all consumer devices, not just phones.  If your television is running an app platform (all the new ones are) this must be applied there too, with the same granularity.  Your "smart speaker"?  Same.  Refrigerator?  Same.  Washing machine?  Same.  Cellphones are just the most-obvious and pervasive example of this problem so far, but are far from the only one.  As another example I have already had to block a crazy number of IP addresses and ports from being able to be hit from a couple of webcams I have here.  They're nice and inexpensive but by default try to send a hell of a lot of data to god-knows-who for god-knows-why.  Good thing I control the device between them and the Internet and thus can interdict and stop all of that traffic, right?  You can't do it with a phone because (1) it has WiFi in it and while you control your home WiFi you don't control it anywhere else and (2) you don't control any of the cellular infrastructure.  Thus, the capacity for user control and interdiction for a cellphone must be at the device level (the above bullet point.)

  • These changes must be retroactive and a duty to destroy all existing data collected and stored without said consent must be imposed.  None of what has gone on so far has been legitimate or with consent.  The only difference between******and sex is consent folks.

If these changes are not made now then these firms -- including all the big ones -- need to be shut down and criminally prosecuted right here, right now.

All of them, without exception.

Why?  Because all of them are grabbing data from you with no real consent as to what they're taking and the "big data" paradigm today means that they are using it beyond the scope of anything you did -- or could have -- reasonably consented to and understood.

If we don't demand and enforce this we will wake up one morning to find that a large swath of people have been targeted using these "technologies" and killed, or worse it will be used to map critical infrastructure and movement of people related to same, resulting in the death of millions all at once.

You've been fairly warned.

View this entry with comments (opens new window)

2016-10-31 07:00 by Karl Denninger
in Technology , 295 references

Give me a break.

A task force of more than 30 major technology and communication companies said they have made progress but have not found a solution to eliminate "robocalls" or automated, prerecorded phone calls, but a top U.S. regulator urged faster action.

Throw some people in prison and you'll get their attention.  Yes, right here in the US, and yes, I'm talking about carrier executives.  Why?  We'll get to that:

Wheeler wrote major companies in July urging them to take new action to block robocalls, saying it was the top source of consumer complaints at the FCC. Scam artists often times based abroad try to appear to call from a bank or a government phone to trick consumers into disclosing confidential financial or account information.

How do they "appear" to call from a bank or government phone when they're not in the United States?

Ah, now see, there's the fraud and the US carriers are complicit in it.

Along with a call setup request (from one carrier to another) comes some information, which includes the "originating" number.  The carriers do exactly nothing to validate that for other than 800 (free to calling party) numbers.

But they could very trivially prevent, for example, foreign calls from appearing with US numbers.

How?  Refuse to route a call that comes from the UK unless the "originating" number is in the correct format including the country code prefixfor example.

That would stop instantly any of these calls that are originating outside of the United States.

As for those within the United States the FCC has jurisdiction, and can require that one of two things be the case:

1. The "originating" number be the actual originating number.  This will be the appropriate setting for all individual lines; simply do not allow an overridden number from a consumer account -- period.

2. For those that are overridden require, under penalty of law, that the party overriding accept both civil and criminal legal responsibility for the authenticity of their override under existing criminal fraud statutes.

There are very good reasons to allow such an override on outbound calls.  For example, at MCSNet we had outbound trunks that were all "rolled up" into high-capacity circuits (at the time DS1s); each of those trunks had a "real" phone number, but it was unpublished.  We then had DID mapping for certain people who needed "private lines" and in addition we had our "main" number (312) - 803-MCS1 that would ring into the PBX on the next available trunk in the group.  If you dialed out from our PBX those trunks (set up for bidirectional signalling) were configured to show 312-803-MCS1 as the "originating" number even though technically it was not.  That's fine, because we owned the originating number, it was "real", and it really was our number.

It would not be difficult at all to require that all such entities that purchase service from a telco provider in the United States and wish to provide "originating number" overrides do so under a contractual requirement, carrying criminal criminal penalties for lying, that any such number they put through be truthful and belong to the actual originating party of the call.

If you were to do this and at the same time hold carriers criminally responsible for accepting "foreign" calls that have originating numbers that violate the country code format of the originating nation, a software check they could easily implement, this problem would disappear instantly.

Of course there are "telco providers" (such as the SIP folks) that would scream about such a requirement -- but let's face reality here.  Enabling fraud as a business model makes you an accessory before the fact and recognizing that along with appropriate criminal sanction would go a long way to draining this swamp -- quickly and permanently.

Instead we "accept" a bunch of handwaving nonsense that comes from the FCC and various telcos.

View this entry with comments (opens new window)

Main Navigation
MUST-READ Selection:
A One-Sentence Bill To Force The Health-Care Issue

Full-Text Search & Archives
Archive Access

Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.


The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.