New Host!

I’ve finally moved to a VPS on DigitalOcean, from my previous (free) shared hosting.  I did this for a couple of reasons: first, while my hosting was free for a year with my domain name, that year was almost up.  To renew my hosting for the second+ year, I would have needed to pay $38.88/year; while that’s a decent price, I looked at my options and decided that moving to DigitalOcean wouldn’t cost much more (around $30 more across the year, since I use the weekly backups option), would give me much more control over my server (now I get SSH access!), and would centralize all of my VPS instances in the same place (I’ve used DigitalOcean for several years to host various projects).

Of course, as with so many things, this migration wasn’t sparked by a simple glance at the calendar.  While I’ve intended to move my host for the last month or two, the timing was decided by my messing up a WordPress upgrade on the old site at the beginning of December.  I used the automatic updater, ignored the warnings about making sure everything was backed up first,[1] and told it to apply the new version.  When WordPress exited maintenance mode, I was locked out of the administration dashboard.  The public part of the website was still up and running, but the backend was locked off.  Since I was entering finals week at my university, I decided to just let it be until I had some time to come back and fix it.  Worst-case, I had backups I could restore from, and I’d been meaning to migrate my site anyway.

Of course, things didn’t work out that way.  When I finally had some time on Christmas Eve, I discovered that a complete backup hadn’t been made in months.

Yes, I committed the cardinal sin of not verifying the state of my backups.  Apparently I’d screwed something up with their configuration, and I’d never tried to restore from them before and hadn’t noticed until I needed them.  At this point, I decided that if the backups weren’t working, there was no point in trying to recover on a host that I was going to be abandoning within a month, and I spun up a WordPress droplet on DigitalOcean to hold the rebuilt site.

I still had copies of all the content that was on the site, so I’d be able to restore everything without much trouble.  Some copy/pasting and time would be required, but I could get everything back to the way it was without too much trouble.  But before I did all of that, I thought “what if I’m overlooking something really simple with the old site?”  I did a little searching, and apparently W3 Total Cache, which I used to create static pages for my site and decrease load times, can cause problems with WordPress upgrades.  I disabled that via FTP,[2] reloaded the site, and I was able to access the admin area again.  Turns out the simple steps that you should take before completely rebuilding everything are actually worth it.

Since I had already spun up and started configuring my new site, I decided to press onwards.  My task was made considerably easier by my being able to access WP Clone on the original site, which let me move everything from my old site to the new one in just a few minutes.  I redirected the nameservers to DigitalOcean, and ran a few last checks before calling the bulk of my work done.

The next day, when I was tidying up some loose ends and preparing to get SSL set up, I realized that my email no longer worked– my email server resided on the same server that hosted my old website, which meant I needed to find a new solution.

While I have been meaning to set up my own email server sometime soon, I wasn’t confident in my ability to get it up and running quickly, and email is one of those vital services I depend on working 100% of the time.  In years past, I would have simply used Google Apps[3] to host my email, but that is no longer the free option it once was.  Luckily, I found a solution thanks to Ian Macalinao at Simply Ian, which is to use Mailgun as a free email server.  Mailgun is designed to send out massive email blasts for major companies, but they also offer a free tier for people and companies that are sending out fewer than 10,000 emails per month.  I send out a fraction of that number, so this was perfect for me (and their mass email prices seem quite reasonable, so I might even use them for that if the need ever arises).  Ian handily provided a set of instructions for how to set up the proper routing, and, while some of the menu options have changed, I was able to get my new email up and running within a few minutes.

So I’d managed to get both the site and my email up and running, but I still couldn’t get SSL up and running.  For those that don’t know, SSL stands for Secure Sockets Layer, and it’s what powers the little green padlock that you see on your address bar when you visit your bank, or PayPal, or this website.  I wrote an explanation on how it works a while back, and I suggest checking that out if you want to learn more.

One of the benefits of hosting my website on a VPS is that I don’t need to use the major third-party SSL providers to get certificates saying my server is who it says it is; I can use the free and open Let’s Encrypt certificate authority instead.  Unfortunately, I just couldn’t get the certificate to work correctly; the automated tool was unable to connect to my server and verify it, which meant that the auto-renewal process wouldn’t complete.  I could have generated an offline certificate and used that, but the certificates only last ninety days and I wasn’t looking forward to going through the setup process every three months.[4]  I tried creating new Virtual Hosts files for Apache, my web server, but that just created more of a problem.  Eventually, I figured out that I had misconfigured something somewhere along the line.  Rather than try to figure out which of the dozens of edits I had made was the problem, I gave up and just reverted back to a snapshot I had made before starting down the rabbit hole.[5]  After reverting to before my virtual hosts meddling, I was able to successfully run the Let’s Encrypt tool, generate my certificate, and secure my site.

Lesson learned!


Photo credit Torkild Retvedt.

References
1 I didn’t actually ignore this warning.  I had a backup plugin configured on the site; I figured I could probably roll back if I really needed to.
2 If you’re in a similar situation, just renaming the plugin folder to something else (w3-total-cache to w3-total-cache123, for example) will disable it.
3 Which is now G Suite, but that sounds silly.
4 It’s a pretty straightforward and simple process, I just know that I would forget about it at some point, the certificate would expire, and the site would have issues.  If I can automate that issue away, I would much rather do that.
5 Snapshots are essentially DigitalOcean’s version of creating disk images of your server.  I absolutely love snapshots; they’ve saved my bacon more than once, and I try to always take one before I embark on any major system changes.

Ars Technica did a nice job of creating an impartial write-up on why Hillary Clinton used an external email server, and how it was actually used.  It sounds to me like there’s an institutional history of using private email to conduct business, largely due to obstructive or incompetent IT services (in fairness to the State Department IT team, there are likely a number of complicated policies and legal requirements that they’re trying to work around, which is difficult).  Still, that’s not an excuse to use a home server to manage official communication– if you must use your own email address, at least use something like Google Apps or Microsoft Exchange Online, where you have teams of people professionally managing the email environment.  (Of course, there is still the issue of all email traffic being unsecured and transmitted in plaintext.  But you could use a PGP solution to reduce risks there.)

It’s also interesting to see that the NSA basically shot down any possibility of her getting a secured mobile device; I would have thought that providing the Secretary of State– the person who comes fourth in the presidential line of succession– with secure communications at all times would be a priority for them.

You can read the full story here.


Uncertainty, the Fed, and the Economy

The New York Times published this opinion piece recently, discussing the Fed’s continuing decision to delay raising rates.  While the entire article is interesting, I believe that the final paragraph is the most insightful:

Adding to the frustration is that Fed policy is not to blame for the economy’s underperformance. Congress bears much of the blame because of its tightfisted federal budgets when more government spending is needed to offset feeble spending and investment in the private sector. Still, sound policy making by the Fed requires answering to conditions as they are, not as policy makers might wish they were.

Right now, we should be spending money to stimulate the economy– cutting back is incredibly short-sighted, and could seriously damage the economy.  We should look back at other economic downturns from the past– the Great Depression, for example, was ended not by restricting government spending, but by massively increasing it (and by abolishing the gold standard, which led to the restriction in the first place)– and learn from them.  Economists have studied recessions for many years, and the Fed has done an admirable job in regulating the U.S. economy through this entire mess.  Politicians, however, often don’t understand the data, or are politically unable to make the best long-term policy.  For this reason, they should seek to reduce uncertainty in U.S. markets.

Economic uncertainty is a larger problem in the United States than we may care to admit.  John C. Williams, President and CEO of the Federal Reserve Bank of San Francisco, gave a 2012 speech in which he said that uncertainty was one of the largest problems facing the U.S. economy today:

By almost any measure, uncertainty is high. Businesses are uncertain about the economic environment and the direction of economic policy. Households are uncertain about job prospects and future incomes. Political gridlock in Washington, D.C., and the crisis in Europe add to a sense of foreboding. I repeatedly hear from my business contacts that these uncertainties are prompting them to slow investment and hiring. As one of them put it, uncertainty is causing firms to “step back from the playing field.” Economists at the San Francisco Fed calculate that uncertainty has reduced consumer and business spending so much that it has potentially added a full percentage point to the unemployment rate.

Obviously, with unemployment at 5.0% today,[1] having uncertainty raise the unemployment a full percentage point is no small matter.  And on average, economic uncertainty is increasing—according to data collected by Scott Baker, Nicholas Bloom and Steven J. Davis in “Measuring Economic Policy Uncertainty” over at PolicyUncertainty.com, economic uncertainty has been trending upwards for the past fifteen years.

[Figure: A chart showing the rate of economic uncertainty, along with an upwards trend line, between April 2001 and April 2016.]

Obviously, this trend is heavily influenced by the 2008 recession, but I find it interesting that it may be beginning to rise again.  This is possibly a result of the fluctuating oil markets, combined with the slowdown of China’s economy; but no matter the cause both the Fed and the government should seek to reduce uncertainty and continue to promote stability in the economy.


Listing image by William Warby.

References
1 When he gave that speech, the unemployment rate was at 8.3%, and the Economic Uncertainty Index (EUI) was at 178.3; today the latest numbers for the EUI place the United States near 98.3.  I was unable to find any data correlating the EUI with specific unemployment rates, so at this time I cannot estimate how much of our present unemployment is a result of uncertainty in the economy.

Hacking the Hackers

Have you ever heard of Hacking Team?  It’s an Italian company specializing in “digital infiltration” products for governments, law enforcement agencies, and large corporations.  Simply put, they sell hacking tools.

You might think, given their business model, that they would monitor their own security religiously.  Last year, however, they were hacked.  Majorly hacked.  “Hundreds of Gb” of their internal files, emails, documents, and source code for their products were released online for all to inspect, as were their unencrypted passwords.[1]  Also released was a list of their customers, which included the governments of the United States, Russia, and Sudan—the last being a country controlled by an oppressive regime that has been embargoed by the E.U.[2]

Last Friday, the person claiming responsibility for the attack, “Phineas Phisher”, came forward with details about how they did it.  It’s worth reading through if you’re interested in security; if you’d like an explanation geared more towards the layperson, Ars Technica has a pretty good write-up/summary of the attack.

I was particularly struck by how they gained access to the network.  According to Phineas,

Hacking Team had very little exposed to the internet. For example, unlike Gamma Group, their customer support site needed a client certificate to connect. What they had was their main website (a Joomla blog in which Joomscan didn’t find anything serious), a mail server, a couple routers, two VPN appliances, and a spam filtering appliance… I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit…  I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device.

Basically, to avoid detection, Phineas discovered a unique vulnerability[3] in one of their embedded devices (likely one of their routers), figured out how to use it to get into the rest of the network, and then carried out the attack through that piece of hardware without anybody noticing.  No matter your feelings about the attack, this is an impressive feat.


References
1 By the way, here’s some advice: if you are in security (or anything, really, this isn’t security-specific) you should really make sure your passwords are more secure than “P4ssword”, “wolverine”, and “universo”.  Use a passphrase instead.
2 As an Italian company, this means that they were technically violating the embargo.
3 These unique vulnerabilities are called “zero-days” in computer security circles, because the hackers find them before the company maintaining the software or device does, so once the company finds one, it has zero days to mitigate damage.

Orchids at the Missouri Botanical Garden

The Missouri Botanical Garden’s Orchid Show ended today.  I went on a date there yesterday to visit the Garden and see the show.[1]  I honestly didn’t know that there were this many different types of orchid; there were one or two hundred different varieties on display, and the Botanical Garden boasts more than 3,200 different species of orchid in their collection.

I took quite a few close shots of the orchids, and I’ve included my favorites below.  I’ve made slight adjustments to try to bring out their colors, and to emphasize their structures, but I’ve tried to keep everything as true-to-life as is possible.

While at the Garden, I also took a walk through the rest of their grounds.  While I put my camera away for much of it, I did get a few nice shots of various plants and trees.

I had an awesome time taking photos and walking around.  It was a little crowded, but still pretty nice.  I don’t really make it over to the Garden as much as I would like to, but hopefully I’ll have a chance to visit another time or two during spring break.


References
1 Luckily, my girlfriend didn’t mind my bringing my camera along.

What is asymmetric cryptography?

Whitfield Diffie and Martin Hellman were jointly awarded the 2015 ACM A.M. Turing Award today.  Their 1976 paper, New Directions in Cryptography, essentially created asymmetric cryptography.  Today, asymmetric cryptography secures our online communications—from PGP-secured texts, emails, and files, to TLS and SSL-secured websites (including this one).  So how does asymmetric cryptography work, and how is the Diffie-Hellman key exchange more secure than older methods of encryption?

Symmetric encryption

Symmetric encryption relies on a key[1] shared between two or more people.  A message is encrypted using this key, and can then be decrypted by the same key held by somebody else.  Think of it like the front door of a house.  Alice has a key to the door, so she can lock and unlock the door.  Bob also has a key, so he can also lock and unlock the door.  In fact, anyone with a copy of that key can both lock and unlock the door whenever they want.  In the case of a message, this means that anyone with the right key can encrypt (lock) the message, or decrypt (unlock) the message.

It’s possible to break symmetric encryption,[2] though it takes time.  Perhaps one of the most famous examples is from World War II, when the Allies were struggling to crack encrypted Nazi communications.  The encryption was created with a key that changed daily, and through the use of the Enigma machines.  The cryptography was eventually broken, but largely through the skill of the codebreakers, poor operating practice from some of the German operators, and the capture of key tables and hardware by the Allies.

Asymmetric encryption

Asymmetric encryption, in contrast to symmetric encryption, uses a pair of keys to encrypt messages.  One of the two keys is made public to everyone, and one is kept private (the two types of keys were called, cleverly enough, the public key and the private key, respectively).  Messages encrypted with the public key can only be decrypted using the private key,[3] which ensures that the contents of the message can’t be read by anyone except the holder of the (hopefully secure) private key.  So if Alice wants to send an encrypted message to Bob, she starts by finding his public key.  She then encrypts her message using that, and sends it to Bob.  When Bob receives it, he uses his private key to decrypt the message.  If he wants to respond, he can encrypt his reply using Alice’s public key, and the cycle continues.  Since the public keys are usually published or exchanged in a way that lets each party be confident that it belongs to whomever they are sending it to, this ensures that the identity of the recipient can be verified.  Alice knows that only Bob can unlock her message, and Bob knows that only Alice can unlock his.
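
The Alice-and-Bob exchange above, as an added example that is not part of the original post: a toy keypair built with textbook RSA.  The post names no algorithm, so RSA, the 65537 exponent, and every function name here are assumptions for illustration; the padding real systems add is left out, which is why the same message encrypts to the same ciphertext twice.

```python
"""Toy public-key encryption (textbook RSA) for the Alice/Bob exchange.

Added illustration only: unpadded RSA must never protect real data.
"""
import secrets

E = 65537  # conventional public exponent (assumed here)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test with random witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a proves n is composite
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits with p-1 coprime to E."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        # E is prime, so gcd(E, p-1) == 1 exactly when p % E != 1.
        if candidate % E != 1 and is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    p = random_prime(bits // 2)
    q = random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Lock a message with the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)


def decrypt(key, ciphertext: int) -> bytes:
    """Apply a key's exponent; only the matching private key recovers the text."""
    n, exponent = key
    m = pow(ciphertext, exponent, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    alice_public, alice_private = generate_keypair()
    bob_public, bob_private = generate_keypair()

    # Alice -> Bob: she needs only Bob's public key.
    to_bob = encrypt(bob_public, b"Meet me at noon, Bob")
    # Bob -> Alice: he needs only Alice's public key.
    to_alice = encrypt(alice_public, b"See you there, Alice")

    return {
        "bob_reads": decrypt(bob_private, to_bob),
        "alice_reads": decrypt(alice_private, to_alice),
        # An eavesdropper holding only Bob's public key gets gibberish.
        "eve_reads": decrypt(bob_public, to_bob),
        # Textbook RSA is deterministic; real systems add randomized
        # padding (OAEP) so identical messages do not look identical.
        "deterministic": encrypt(bob_public, b"Meet me at noon, Bob") == to_bob,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```
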

This is commonly used on websites that are secured by SSL/TLS (including this one).  Pretty much every major website is secured via SSL, and browsers will display a green padlock in the address bar of secured sites.  This serves two purposes: it will prove that the website belongs to whomever it purports to belong to, and it encrypts traffic between your computer and the website so that it can’t be read by attackers, your ISP, or others who may have a vested interest in what you do.

This works in exactly the same way that the messages between Alice and Bob did.  When you visit a website secured with SSL, your browser and the server exchange public keys.  The server encrypts traffic to you using your public key, which your browser decrypts.  And your browser encrypts traffic to the server using the server’s public key, which the server decrypts.  Anyone trying to listen in on the conversation your browser and the server are having will hear nothing but random gibberish.  There’s one additional thing that your browser does to ensure that it’s not talking to a fake server that’s pretending to be the real website: it takes the public key presented by the server, and it compares it to a repository of public keys.  If it matches, it’s the real server.  If it doesn’t, it could be an imposter– and somebody could be listening in.

So the next time you’re wandering around the web, take a minute to appreciate that little green padlock in the corner of your screen, and think about the incredibly complicated math that underpins security on the internet.  It works invisibly to keep your communications safe, secure, and most importantly—private.


I’m not a cryptographer or a security specialist, just somebody who enjoys reading and learning about security.  If you think I left out something important, please send me an email so I can fix it.

References
1 Essentially, a key is a piece of really complicated math.
2 It’s also possible to break asymmetric encryption, or any encryption.
3 Basically, the message is sent through a mathematical formula that only works one way… unless you have the incredibly complicated and unique formula that comprises the private key.

Email server admins are underappreciated

Today I reconfigured a server I maintain for the Office of Residential Life and Housing.  It broke yesterday because of a database issue, but I’ve taken this as an opportunity to rebuild and improve it with an included email server.  I have it mostly up and running now, but it’s been a long, slow process that took far longer than I expected it to (as a sidenote, this would have been far easier if the backups I had were up-to-date.  Always check your backups!)

Building an email server is more difficult than I expected.  I almost expected to just run sudo apt-get install postfix and have an email server up and running; sure, it would need some configuration, but I’d be able to start sending and receiving mail almost immediately.  And yes, that might be true if I installed something like Mail-in-a-Box or iRedMail, but I decided that that was too easy, jumped into the deep end, and immediately started configuring a mail server using Postfix, Dovecot, MySQL, and SpamAssassin (and would have been instantly lost if it hadn’t been for this awesome guide).  So I spent twelve hours copying and adapting code to my purpose, rewriting databases, adding users, restarting when I messed up.

It was absolutely awesome.

There’s something about taking the blank screen of a terminal, typing commands across it, and making something work.  When you reload the page and it actually works the way you want it to, there is an immense feeling of satisfaction and accomplishment.  You took something that was blank and empty, and turned it into something useful.  There’s no feeling quite like it in the world.

That said, I’m totally using one of the ready-to-deploy email servers next time.  Making something work is fantastic when you have the time to do that, but sometimes you just really need to have whatever you’re working on to be up and running.

Listing image by RobH, from Wikimedia. Used under the Creative Commons Attribution-Share Alike 3.0 Unported license.

How Stories Drive the Stock Market

I came across this article today in The New York Times written by Robert Shiller.  Shiller is a Sterling Professor at Yale University who studies macroeconomics, behavioral economics, and public attitudes regarding markets, so he’s very qualified to discuss the role of stories in our economy.

The general gist of the article, as I understand it, is that stock markets are driven as much by feelings and stories as they are by data and rationality.  It underscores the need to critically inspect information that you’re given– it may be rooted in truth, but it could easily be influenced by emotion.  It also underscores why economic predictions can be so difficult to get right, and why economics is a social science; our assumptions are rooted in the belief that people are rational actors who carefully make the best decisions possible, even though people are famously irrational.  If we’re driven by stories and emotions, it’s much harder to predict people’s actions and reactions.

Listing image by Sam valadi, and used under the Creative Commons Attribution 2.0 license.

The Panic of 1907

The Panic of 1907 crippled the financial markets, brought ruin to banks and trust companies, all but bankrupted the Treasury of the United States of America, and required the intervention of J.P. Morgan to end.  And it directly led to the founding of the Federal Reserve System in the United States, in 1913.  I was researching the crisis this past semester while taking my History of American Economic Development class at the University of Missouri — Saint Louis (I took it with Professor Rogers, and I recommend it highly).  I wrote my final paper on the crisis, though I ended up relying on just two primary sources.  Immediately after the semester ended I found several others that would have been very useful in my research—I’m planning to go back and revise this to include them, but I haven’t done it yet.


The events leading to the panic began on October 14th, 1907, after a wealthy investor overextended himself while attempting to corner the market in copper.

F.A. Heinze in 1904

F. A. Heinze lost more than $50 million in under a day after investors realized what he was attempting, and the United Copper Company’s shares fell from $62/share to less than $15/share. (Federal Reserve Bank of Boston 3)  On its own, this would have been disastrous for Heinze and other copper speculators, but would have little effect on other investors.  Heinze, however, was the owner of the State Savings Bank of Butte, Montana, which became insolvent almost immediately due to its holding large amounts of United Copper Company shares as collateral.  Heinze was also president of the Mercantile National Bank—and once depositors learned of his financial peril, they rushed to withdraw their monies from that institution as quickly as was possible.  Heinze was forced to resign his position from the Mercantile National Bank on the morning of October 17th, but the damage was done.  Depositors began removing money from the Mercantile National Bank to deposit it in other banks in the area.

At this point, the panic had not yet truly begun.  The financial markets were still feeling the effects of Heinze’s manipulations, and his banks were collapsing, but the overall system was still sound.  And then it was discovered that one of the directors of the Mercantile National Bank, Charles Morse, controlled seven other New York banks and had been heavily involved in the copper speculation.  He was removed from those banks, but depositors at those banks had already begun removing their money. (Tallman and Moen 4)

Next to fall were the trusts, starting with Knickerbocker Trust Company, the third-largest trust in New York.  J.P. Morgan, widely seen as the last hope for the trust, decided to not provide aid—a decision which led to the trust paying out $8 million to its depositors during a period of three hours on October 22nd, and immediately suspending operations.  Another trust, the Trust Company of America, was also hit hard and paid out $47.5 million of their $60 million of total deposits in a period of two weeks.  J.P. Morgan, J.D. Rockefeller, and Secretary of the Treasury George Cortelyou deposited a combined $38 million into the trusts and banks to prop them up and allow them to continue operating. (Tallman and Moen 8)

J.P. Morgan, who singlehandedly kept the Panic of 1907 from expanding
J.P. Morgan

Meanwhile, the stock market was in trouble.  Brokers regularly borrow and lend money to buy and sell shares of stock, but by October 24th that borrowable money was in extremely short supply.  It was only through Morgan’s convincing the banks to loan $25 million to the stock market that the stock market was able to make it through the day; the next day was even more of a struggle, with banks being more and more unwilling to lend.  In fact, banks were extremely unwilling to lend to anyone, whether it be fellow banks or to the general public, leading to a shortage of currency in the economy.  To add to the difficulty, the city of New York began running out of funds, and was unable to obtain more.  Morgan loaned $30 million to the city, allowing them to continue operations. (Tallman and Moen 10)

The panic eventually ended by mid-November, when Morgan convinced the trust companies and banks to support each other during runs.  But the situation showed the necessity of an organization dedicated to ensuring that panics were minimized and dealt with in the best way possible; relying on a single man such as Morgan to organize the response was impractical and foolhardy.

J.P. Morgan died on March 31st, 1913, which ended any chance of his being able to repeat his 1907 actions.  In December of that year, Congress voted to approve the Federal Reserve Act, which established the United States Federal Reserve.  Despite the intentions of its creators, the Federal Reserve was unable to prevent the Great Depression (though I believe that that’s more because of its reliance on the gold standard, which prevented it from printing money to pay off debts and bail out banks, than of anything else.  There’s some evidence for this—when the gold standard was temporarily suspended, the economy immediately began to do better).

Looking back at the 1907 Panic, it’s clear that there was little regulatory oversight.  Indeed, there was little government involvement at all—J.P. Morgan basically controlled the entire response, including controlling where the money was being allocated to fight the panic, and how it was handled in the press.  The Treasury did place $37.6 million in the banks to help secure them, and supplied an additional $36 million to help alleviate runs on banks, but that expended their total power (after doing that, the Treasury’s working capital had dwindled to $5 million). (Tallman and Moen 8)  This would indicate that the market can self-regulate to a degree, at least when getting out of a bad situation, provided there’s someone who is well-versed in how to allocate large sums of money to get things done.

Charles Morse, one of the bankers at the center of the Panic
Charles Morse

It’s also clear that allowing people who own or manage banks to engage in speculation with bank money, no matter how well-founded and reliable they believe it to be, is foolhardy.  If Heinze and Morse had lost their own fortunes, it wouldn’t have caused a panic.  It was only when it was discovered that they were using their banks to help finance their personal speculation that the bank runs started, and the panic took off.  In addition, allowing one person to outright control three banks and heavily influence four others, as in the case of Charles Morse, does not seem like a particularly good idea for anyone involved.  I believe that if that were to happen today people would probably be concerned about conflict of interest and moral hazard (and for very good reason).

All in all, the Panic of 1907 could have been much, much worse.  Instead of bank runs, sensational headlines, and a nice story for the economics textbooks illustrating the need for a central bank to keep everything running smoothly, it could have ended in a huge economic downturn that could have ushered in the Great Depression somewhat earlier than it did (or at least a fairly major recession; the Great Depression was a worldwide event, not something that was restricted to the United States).  Instead, due largely to J.P. Morgan’s acting as a central banker and lender of last resort, it lasted scarcely a month and served mostly as a warning for the perils of an unregulated financial system.

Works cited:

Federal Reserve Bank of Boston. “Panic of 1907.” n.d. The Federal Reserve Bank of Boston. PDF.

Tallman, Ellis and Jon Moen. “Lessons from the Panic of 1907.” Economic Review (1990): 2-13. PDF.

Note about references: While originally researching this paper, I was unable to find many other quality resources regarding the panic (at least, not many that were online).  If you can recommend further resources, please contact me and let me know!  I would love to revise this piece to include them.