% fortune -ae paul murphy

Moody's Ooops! signals random crunch

Here's a bit from a May 20/08 Financial Times report under the title Moody's error gave top ratings to debt products:

Moody's awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models, a Financial Times investigation has discovered.

Internal Moody's documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower.

News of the coding error comes as ratings agencies are under pressure from regulators and governments, who see failings in the rating of complex structured debt as an integral part of the financial crisis. While coding errors do occur there is no record of one being so significant.

Moody's said it was "conducting a thorough review" of the rating of the constant proportion debt obligations derivative instruments conceived at the height of the credit bubble that appeared to promise investors very high returns with little risk. Moody's is also reviewing what disclosure of the error was made.

The products were designed for institutional investors. In the recent credit market turmoil, those who still hold the products will have suffered some paper losses while others who have bailed out have lost up to 60 per cent of their investment.

I don't know the nature of the error made at Moody's but its consequences have to have quite a lot of people on Wall street asking nervous questions about their own exposure to this type of hidden computer risk.

Among the more important of these is a class of error related to the non random behavior of pseudo random number generators - a problem much like phishing and spam: something everybody has known about for years but which nobody has wanted to really face up to and fix.

There have been peripheral outbreaks of consequences associated with this problem - the latest being Debian's unhappy misadventure with publicity over predictable key generation and the longest running being Microsoft's perennial commitment to fix the problem for almost every OS they've released since Xenix - as most recently expressed in their absolute commitment to the SP3 server parity patches for XP.

The nature of the problem is simply that pseudo-random number generators don't produce strings of random numbers; producing instead sequences that are fully predictable from knowledge of the seed number the process starts from.

The reason this problem is a killer threat to financial managers is that they depend heavily on Monte Carlo simulation for financial instrument valuation - and because those methods all depend on random number generators it's reasonable to argue that faulty generators have to produce faulty results.

The usual contrary argument is that what's important is that the random numbers produced fit the expected distribution - which they do - and not whether given the first three or four and an understanding of the generator's internal workings it's possible to predict the rest of the series - which is how the exploits work.

Monte Carlo simulation is used for financial instrument valuation because it's a lot easier to run the simulation and observe the outcome than it is to directly compute predicted outcomes if the process covers more than one time period and the outcome in at least one step depends on two or more distributions - the finance industry's very own variation on the n-body computational problem. The theory behind this depends however, on the randomness with which future values are chosen and, because the determinism built into the random number generator used in the first step fully predicts the outcomes found in subsequent steps, the process as a whole can be seen as fully determined by the random number seed or seeds used - and because that means that practice doesn't implement theory, the whole exercise becomes a kind of magical mathematical distraction hiding the belief that the future simply extends the past.

On the positive side, Moody's public trauma and the subsequent lawsuits will probably lead to an increased willingness to face reality on the random number problem -meaning that new, deep pockets, markets are likely to open for products, like hardware based "sufficiently random" number generators, for use with risk assessment and financial valuation software.

And the bottom line? The bottom line is that nobody actually knows whether getting the numbers right would make a measurable difference - but lots of people will be scurrying for cover when the lawsuits on this start to fly.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.