Posts tagged ‘security’

Towards Better, More Reliable Home Wifi -- Ditch the Products Meant for the Home

For years I have been struggling with a variety of commercial home wifi products.  I have been plagued by issues -- either they had poor range or they had to be reset every day or so or they did not play well with various extenders I needed to cover my house.  I have a one story house that sort of sprawls all over the place and is hard to cover, particularly since our internet connection to Cox Cable is all the way at one end of the house and some of the house has a cinderblock core just to make signal transmission even harder.

So my company had a contractor wiring up a customer location we manage and they were using a commercial product from Ubiquiti Networks.  I wondered why a commercial product would not work just as well in my home.  This Ars Technica article discussed how much better he thought the commercial products from Ubiquiti were than most consumer grade products.  I figured maybe the problem would be cost, but perusing the Unifi product line on Amazon, it seemed priced a bit higher than consumer products but not unreasonably so (also compare the Amazon star ratings for the Unifi products to consumer alternatives -- you will not see ratings this high).

I was a little intimidated that the setup would be hard but it was manageable if you know even a little bit about network addresses and how they work. And this video is absolutely fabulous -- I can tell you that if you follow along with this guy your system will work at the end of it.  Once it was running, the software is way easier to navigate than my old consumer products.

So several months ago I installed a Unifi system in my house with 6 access points (including on my patio and in my garage), a security gateway (the router, I think), a main switch, a couple of satellite switches, and the cloudkey which helps manage the whole thing.  I paid extra for the PoE switches (power over ethernet) so I could run the access points without having to plug them into an outlet and so in the future I could add PoE video.

What I like:

  • Reasonable cost
  • Setup not difficult if you follow the video
  • Rock-solid reliability
  • It reaches everywhere, with a single SSID so it acts as one seamless large wifi zone.
  • Ability to access the system remotely to check on status
  • Access points work via PoE so they mount on the wall or ceiling really cleanly and look great
  • Really good information about my network, not only every device and its IP and status, but also its bandwidth use and exactly how it is connected in the network tree (ie via such and such switch).

The only problem I have had so far is a moderately arcane one that took me a while to diagnose.  I use this system with my Sonos music system and I have a number of Sonos boxes around the house.  Most of these are wired, and so do not use the Sonos wired peer-to-peer mesh.  However, the Sonos boxes were trying to create a wireless network amongst themselves that essentially created loops in my network where storms of traffic ran in circles.

This is where I had a learning opportunity.  Apparently network equipment has something called Spanning Tree Protocol (STP).  Basically through a priority and cost system, it allows you to specify preferred pathways and prevent data from looping.  But Sonos uses a really old version of this that does not play well with Unifi.  I will say that this is not just a Unifi problem as I had this exact same problem at another location with Sonos and the Google mesh wifi system.  At least with Unifi, there were STP settings I could play with (Google mesh wifi is a nice little plug and play product but forget it if you want to tweak anything at all).   As is usual nowadays for any known problem, the Internet has a bunch of articles on Unifi and Sonos compatibility issues.  Eventually by tweaking the STP priorities of the Unifi switches and simply turning off the wifi in Sonos units where I did not need the mesh wifi capability (a nearly undocumented feature that is revealed here) I got it all playing nice together.   I will add that though Sonos is a product I love (because my wife can actually reliably use it), their tech support never identified this problem -- they said they saw evidence of loops but would not admit that the Sonos peer-to-peer networking was helping to cause them.

Orren Boyle Smiles

I just cannot understand how politicians can be called "populist" for favoring a few hundred thousand domestic steel workers and steel company equity holders over 300 million domestic consumers who depend on low-cost steel for their jobs or buy steel products.  But there seems to be something about the steel industry that causes folks who normally would scream about corporate welfare to just roll over.

At noon, Donald Trump will sign an executive order calling for a probe whether imports of foreign-made steel are hurting U.S. national security. The order will revive a decades-old, rarely used law to explore imposing new barriers on steel imports, in this case aimed loosely at China.

Trump will sign the memorandum related to section 232 of the Trade Expansion Act of 1962 at an event in the White House that will include leaders of several U.S. steel companies; the law will allow the president to impose restrictions on imports for reasons of national security. Trump’s directive will ask Ross to conduct the probe “with all deliberate speed and deliver the results to the president with his recommendations.”

An official cited by Reuters said that there are national security implications from imports of steel alloys that are used in products such as the armor plating of ships and require a lot of expertise to create and produce.

Why do I suspect the national defense argument is a total sham?

Update:  “For every steelworker, there are 60 workers in steel-using industries,” said Lewis Leibowitz, a Washington attorney who has worked on trade cases involving steel in the past. “You need competitive steel prices for those industries to be competitive and to export.”  source:  WSJ

When Government Picks Winners, It Mostly Chooses Losers

In an article for Cato mocking the Obama Administration for creating energy technology forecasts that run to the year 2300, Pat Michaels wrote:

Consider the case of domestic natural gas. In 2001, everyone knew that we were running out. A person who opined that we actually would soon be able to exploit hundreds of years’ worth, simply by smashing rocks underlying vast areas of the country, would have been laughed out of polite company.

Energy statists on the Left today are trying to get rid of coal-fired electricity generation in this country (due to climate concerns).  But one thing that few people remember is that a significant reason we have so much coal-fired electricity generation in this country is that energy statists on the Left in the 1970's mandated it.  I kid you not:

The Powerplant and Industrial Fuel Use Act (FUA) was passed in 1978 in response to concerns over national energy security. The 1973 oil crisis and the natural gas curtailments of the mid 1970s contributed to concerns about U.S. supplies of oil and natural gas. The FUA restricted construction of power plants using oil or natural gas as a primary fuel and encouraged the use of coal, nuclear energy and other alternative fuels. It also restricted the industrial use of oil and natural gas in large boilers.

As a further irony, and absolutely typical of government regulation, this regulation banning oil and gas fired plants because oil and gas seemed to be running out was really trying to fix a problem caused by another regulation.   The government had caps on oil and gas prices through the 1970's that artificially reduced supplies.  Once these price regulations were removed, we suddenly had an oil and gas glut in the 1980's and the FUA was eliminated in 1987.  Watching regulators chase their tails in energy policy over the last 40 years would be comical if the effects of their repeated mistakes were not so dire.

The Terrorists Have Won

Security wall going up around the Eiffel Tower

The city of Paris is planning to build a permanent barrier around the Eiffel Tower and its two adjacent ponds in order to beef up security, replacing temporary protective structures that had been up as a result of recent terror attacks. It’s estimated that the structure, which will be bulletproof and able to stop vehicles, will cost the city 20 million euros (about $22 million). ...

Work on the perimeter is scheduled to start this fall, although plans are subject to approval. Once the project is complete, you’ll no longer be able to stroll leisurely under the massive steel tower, as you’ll first have to pass through a security checkpoint involving a metal detector and ID check before you can get up close to the base.

Nothing more romantic than a moonlight stroll under the Eiffel tower... and getting frisked by the French equivalent of the TSA.

By the way, if the Conservatives in this country need a better euphemism for their Mexican wall, here is a suggestion from the French:

While reports have said the wall will be made of glass, Paris’ deputy mayor Jean-François Martins wouldn’t confirm that to be true in a press conference last week — however, Martins did say, “It’s not a wall, it’s an aesthetic perimeter,”

If only the East Germans had been so clever with words, they might have won the Cold War.

My Favorite Description To Date of the Problems and Appeal of Trump

Scott Alexander has a great article on the problems with Trump's approach to economics.  I want to begin, though, with an analogy he uses at the end because it is the best single framework I have seen about understanding Trump's appeal:

Suppose you’re a hypercompetent billionaire in a decaying city, and you want to do something about the crime problem. What’s your best option? Maybe you could donate money to law-enforcement, or after-school programs for at-risk teens, or urban renewal. Or you could urge your company full of engineering geniuses to invent new police tactics and better security systems. Or you could use your influence as a beloved celebrity to petition the government to pass laws which improve efficiency of the justice system.

Bruce Wayne decided to dress up in a bat costume and personally punch criminals. And we love him for it.

I worry that Trump’s plan for his administration is to dress up in a President costume and personally punch people we don’t like, while leaving policy to rot. And I worry it’s going to work.

Basically, Trump is acting like a small state governor, focusing his economic efforts on getting the Apple factory to come to town

So based on these two strategies, we are in for four years of sham Trump victories which look really convincing on a first glance. Every couple of weeks, until it gets boring, another company is going to say Trump convinced them to keep jobs in the United States. The total number of jobs saved this way will never be more than a tiny fraction of the jobs that could be saved by (eg) good economic policy, but nobody knows anything about economic policy and Trump will make sure everybody hears about Ford keeping jobs in the US. Every one of these victories will actively make the world worse, in the sense that these big companies will get taxpayer subsidies or favors they can call in later to distort government priorities, but nobody’s going to notice these either.

It seems appropriate to end this with a bit of Bastiat:

In the economic sphere an act, a habit, an institution, a law produces not only one effect, but a series of effects. Of these effects, the first alone is immediate; it appears simultaneously with its cause; it is seen. The other effects emerge only subsequently; they are not seen; we are fortunate if we foresee them.

There is only one difference between a bad economist and a good one: the bad economist confines himself to the visible effect; the good economist takes into account both the effect that can be seen and those effects that must be foreseen.

Yet this difference is tremendous; for it almost always happens that when the immediate consequence is favorable, the later consequences are disastrous, and vice versa. Whence it follows that the bad economist pursues a small present good that will be followed by a great evil to come, while the good economist pursues a great good to come, at the risk of a small present evil.

Bank of America is Protecting Merchants Who Lose Credit Card Data By Hiding Their Names

My small business has a Visa account with Bank of America so that our managers can have the ability to charge small expenses.  My personal corporate card is part of that account.  At least twice a year, I get the dreaded call from the bank telling me my card number was part of a data breach and I have to get a new card.  And then I have to spend hours and hours updating a zillion online accounts with new numbers, and I face weeks and months of past due notices from accounts I forgot to change.

I am willing to accept Bank of America's explanation that some merchant outside their system caused the breach.  So each time I ask the obvious question, "who was the merchant so I can stop doing business with them?"  And every single time Bank of America refuses to tell me.  For reasons beyond my reckoning, Bank of America and apparently the Visa system have a vow of Omerta in which they protect security-deficient retailers from scrutiny.  It is infuriating.  In a free society, we should not need the government to hold merchants accountable for data privacy, we should be able to do it ourselves as customers.  Apparently I am not the only one who is similarly frustrated by this.

Does anyone know of any Visa issuers that are more transparent about the sources of data breaches?  Is Amex better on this than the Visa/MC system?

Update:  From a Senior Fraud Analyst at Bank of America:

I am responding to an email you sent to us regarding the data compromise situation that keeps happening with your corporate card.

I do understand the frustration you experience.  We are not provided specific details about where the compromise occurred.  The compromise could have happened sometime in the past and it may not be limited to one specific merchant or processing center.  I do understand you not wanting to use the card at the site of the compromise, but keep in mind that when a merchant or processing center is compromised they likely took measures to improve their security, the continued compromises could be coming from different processing centers or merchants and not the same place each time.

My email back in response:

This is how banks invite regulation on themselves.  If Visa and the large credit card issuing banks were more transparent with customers about retailers that create data breaches, customers could take their own action to police irresponsible parties by taking their business elsewhere.  Ditto merchant processors -- we businesses could easily shift our merchant processing accounts.  But instead, by creating this sort of rule of Omerta where you protect the irresponsible party from public disclosure, people feel helpless.  It is in that environment that folks like Elizabeth Warren can create so much havoc with regulation.

By the way, please do not tell me to be comfortable that the offending merchants have already tightened up their security.  It has been nearly 18 months after the requirements that merchants accept chip cards to avoid extra liability and half the stores I visit still have the chip card slot on their credit card machines disabled.  No retailer is going to stop being irresponsible until you banks stop protecting the bad ones.  Look what happened at Target - they got a lot of bad publicity from their breach but you can be damn sure they were one of the first that were accepting chip cards.

Are You In Control of Electronic Payments from Your Checking Account?

If your business is like mine, a lot of folks to whom I owe money are insisting on the ability to automatically remove the money I owe them each month from our checking account (via an electronic process known as ACH, which is slower but much cheaper and easier to use than the old wire transfer method).  At first, any loan I took out insisted that the lender be able to automatically withdraw my payments.  Then my workers compensation company.  Then certain vendor accounts.  And of course my merchant processing companies are constantly shoving money in and out of my bank accounts.

In retrospect, I was far too sanguine about this situation.  What finally caused me to abandon my sense of security was a libel lawsuit filed by one of my vendors over a bad review I wrote of their product [I won't mention the name here but I am sure anyone can figure it out with a simple search].  Anyway, I realized that this company, who was suing me for untold bazillions of dollars, actually had the right to freely jack whatever they wanted out of my checking account.  What is worse, this same company is being sued by many companies for trying to take an arbitrarily high final payment out of their accounts at contract termination.  Eeek!  And this does not even include the possibility of outright fraud.  I have ACH tools where if I have your bank's name and your account number, I could pull out money from your account without your ever knowing about it until you see it missing.  I presume criminals could do the same thing.

Something had to be done, and it turned out that my bank, Bank of America, has something called ACH positive pay wherein nothing gets ACH'ed out of my accounts without my first approving the payments.   I check a screen each morning and in 60 seconds can do the approvals for the day.  They also have a very easy to use rules system where one can set up rules such that payments to certain vendors or for certain amounts don't need further daily approvals.

I presume most major banks have a similar product.  It cost me some money but I feel way safer and encourage you to look into it if you are in the same situation.

Thank God We Have Unionized Government Workers and Not Some Damn Private Company

The TSA, which apparently stands for Theater of Security Absurdity, apparently is completely useless:

According to a report based on an internal investigation, "red teams" with the Department of Homeland Security's Office of the Inspector General were able to get banned items through the screening process in 67 out of 70 tests it conducted across the nation.

The test results were first reported by ABC News, and government officials confirmed them to CNN. Mark Hatfield, acting deputy director, will take over for Melvin Carraway until a new acting administrator is appointed. It was not immediately clear Tuesday where Carraway would be reassigned.

Fortunately, the TSA has been successful in creating accountability-free sinecures with stupendous pension and benefit plans for thousands of people who apparently learned the security trade from Sergeant Schultz.

My Friend Jon is Having a Bad Week

$10 million in diamonds get accidentally thrown away, then stolen out of the trash by the security guard.  

To me, this proves that crazy stuff can happen to anyone.  Jon is as bright and hard-working as anyone I know.  He is also entirely trustworthy and honorable in a business that often lacks these qualities.  The thief apparently sold one large stone, about 10 ct., to someone in the same building** who then cut it down to 9 ct. and resold it.  There would be no reason for a dealer to cut down an already cut stone, since it substantially reduced the value, unless he knew the stone to be stolen and was purposely trying to disguise the stone for resale.  It's like a thief robbing your house and selling your TV to your neighbor, who changes the label so you won't recognize it when you come over.

 

** all of the major diamond dealers in New York seem to work in just 2 buildings on Fifth Avenue.

Dear Conservatives: This Is Why We Hate All Your Civil Rights Restrictions in the Name of Fighting Terror

Because about 5 seconds after they are passed, government officials are scheming to use the laws against non-terrorists to protect themselves from criticism.

Twenty-four environmental activists have been placed under house arrest ahead of the Paris climate summit, using France’s state of emergency laws. Two of them slammed an attack on civil liberties in an interview with FRANCE 24....

The officers handed Amélie a restraining order informing her that she can no longer leave Rennes, is required to register three times a day at the local police station, and must stay at home between 8pm and 6am.

The order ends on December 12, the day the Paris climate summit draws to a close....

Citing the heightened terrorist threat, French authorities have issued a blanket ban on demonstrations – including all rallies planned to coincide with the climate summit, which Hollande is due to formally open on Monday.

This justification is about as lame as they come:

AFP news agency has had access to the restraining notices. It says they point to the “threat to public order” posed by radical campaigners, noting that security forces “must not be distracted from the task of combating the terrorist threat”.

Note that the police had absolutely no evidence that these folks were planning any violence, or even that they were planning any particular sort of protest.  This was a classic "round up the usual suspects" dragnet of anyone who had made a name for themselves protesting at green causes in the past.

Postscript:  Yes, I know that these protesters and I would have very little common ground on environmental issues.  So what?  There is nothing more important than supporting the civil rights of those with whom one disagrees.

And yes, I do have the sneaking suspicion that many of the very same people caught up in this dragnet would cheer if I and other skeptics were similarly rounded up for our speech by the government.  But that is exactly the point.  There are people who, if in power, would like to have me rounded up.  So it is important to stand firm against any precedent allowing the government to have these powers.  Else the only thing standing between me and jail is a single election.

Update:  Think that last bit is overly dramatic?  Think again.  I can guarantee you that you have some characteristic or belief that would cause someone in the world today, and probably many people, to want to put you up against the wall if they had the power to do so.  As proof, see:  all of history.

Even at the Margin With Capital Charges Sunk, Light Rail Economics are Awful

A reader and frequent contributor sent me this:

When 120,000 people head to downtown Orlando for the big July 4 fireworks show at Lake Eola, none will be getting on SunRail.

It’s not running.

Central Florida’s $1 billion commuter-rail line usually only operates Monday through Friday, and while a few special weekend events in recent months have booked the train, one of the biggest gatherings of the year won’t.

Fireworks at the Fountain, in addition to the sky show, will feature more than 25 vendors, live music and children’s activities.

But Orlando city staff researched the addition of SunRail service, but found it wouldn’t work, said Cassandra Lafser, the city’s public information officer.

“Several factors contributed to this decision, including safety, availability and costs,” Lafser said in a prepared statement.

“The city’s concerns included: total train capacity, safety and security, hours of operation, pedestrian wayfinding and transport operations between the downtown stations and Lake Eola, and funding availability.”

So, even in a situation where capital costs are sunk and can be ignored, an incremental decision to operate the train on a very heavy commuter day makes no economic sense.  You want to know why?  Because it makes no economic sense Monday through Friday either.  Light rail never pays back any of its capital costs, but the vast majority of light rail loses money operationally at the margin as well.

Question: Name An Activity The Government is Better At Than the Private Actors It Purports to Regulate

I am serious about this.  We saw in an earlier story that the government is trying to tighten regulations on private company cyber security practices at the same time its own network security practices have been shown to be a joke.  In finance, it can never balance a budget and uses accounting techniques that would get most companies thrown in jail.  It almost never fully funds its pensions.  Anything it does is generally done more expensively than would be the same task undertaken privately.  Its various sites are among the worst superfund environmental messes.  Almost all the current threats to water quality in rivers and oceans come from municipal sewage plants.  The government's Philadelphia naval yard single-handedly accounts for a huge number of the worst asbestos exposure cases to date.

By what alchemy does such a failing organization suddenly become such a good regulator?

Update:  On the topic of cyber security competence or lack thereof, there is this:

In mid-May, the Federal Bureau of Investigation lost control over seized domains, including Megaupload.com, when the agency failed to renew a key domain name of its own. That domain, which hosted the name servers that redirected requests for seized sites to an FBI Web page, was purchased at auction—and then used to redirect traffic from Megaupload.com and other sites to a malicious site serving porn ads and malware. Weeks later, those sites are still in limbo because somehow, despite a law enforcement freeze on the domain name, the name servers associated with Megaupload.com and those other seized sites were changed to point at hosts associated with a domain registered in China.

Yep, that is the lead government agency tasked with investigating hacking and cyber security breaches.

Your Government At Work

Statists believe in a kind of alchemy.  They will say that individual citizens cannot be trusted with, say, selecting their own health plan.  This must be entrusted to a government official who gained such lofty powers by ... being selected by the self-same citizens that couldn't be trusted to choose a health plan.  How is it that schlubs who cannot be trusted can be elected by the mass of schlubs who cannot be trusted, placed into a monopoly with guns and no competition, and miraculously suddenly be trusted?

As you probably know, the institution that demands ever more power because of external threats to our security and constantly bashes private companies for not being careful enough with privacy had most of its employee data  stolen by a group of Chinese hackers. After the hack was made public, the government claimed the hack was discovered due to their diligent internal security efforts.  This turns out not to be the case, and the reality is pretty damn funny:

At the time, OPM said the breach was discovered as the agency “has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks.”

But four people familiar with the investigation said the breach was actually discovered during a mid-April sales demonstration at OPM by a Virginia company called CyTech Services, which has a networks forensics platform called CyFIR. CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network. Investigators believe the hackers had been in the network for a year or more.

Update:  Extra points for this one:

The breach has expedited plans by the Senate to vote on cybersecurity legislation, with Majority Leader Mitch McConnell (R., Ky.) saying Tuesday a vote now could be held in the coming days.

Mr. McConnell said he planned to use an annual defense policy bill currently on the Senate floor to advance the cybersecurity measure, which is aimed at responding to a growing prevalence of data breaches at large U.S. companies.

So the government gets breached because it is using outdated software major private companies have long-ago replaced or patched, and the reaction is to...place new demands on private companies?

The Problem with Email is That It's Free

Yeah, I know, free is always supposed to be better.  But the problem of spam is caused entirely by its being free.   Here is an example:

According to the indictments, between 2009 and 2012 Nguyen and Vu hacked at least eight email service providers -- the companies that collect your data under slightly more legitimate circumstances -- to steal marketing data containing over a billion email addresses. After that, they worked with Da Silva to profit from the addresses by sending spam with affiliate links for a company he controlled, Marketbay.com.

At least according to the DoJ, all of that work netted around $2 million in affiliate marketing fees.

We don't have any idea how many emails they sent to each of these billion addresses.  But let's say they sent 10 spams to each (probably a low guess).  That is 10 billion spam emails for a net revenue of $2 million, or around $.0002 per email sent in revenue.

Long ago I proposed that (and I am not sure how to do this technically) emails should cost $0.001, or a tenth of a cent, to send.  For you and me, say if we sent 200 emails a day (an email copied to 5 people would be 5 emails for this purpose) it would cost us 20 cents a day or about $75 a year, not much more than we pay for security software and updates.  But if you could make it work, spam would be reduced drastically.  No way there is any profit in sending an email for $.001 for an expected return of $.0002.

I have no idea in the current structure of the Internet how one would even do this.  The charge would have to come from the receiving end, somehow refusing to deliver it if it does not get payment information.  However, anyone who is going to steal a billion email addresses could likely hack the payment system.

I was going to call this tragedy of the commons, but that is not really quite right.  Tragedy of the commons is sort of related to free public resources, but is more of an issue of lack of property rights than of the zero price.

@kevindrum Finds Absolutely Ubiquitous Feature of Regulation to be Mysterious

Kevin Drum simply does not understand why Wall Street might be piling into broadband stocks despite proposed "tough new regulations."  He posits a number of hypotheses -- that Wall Street expected the rules to be worse than they turned out to be.  But this can't be it because the hundreds of pages of rules are still a secret.  He also hypothesizes there might be some nefarious secret loophole buried in the rules Wall Street knows about but we don't.

This is crazy!  How can a reasonably bright person like Drum who writes about the political economy not understand the issue of regulatory capture?  Seriously, I have always figured that the Left, which has a seemingly infinite appetite for regulation, must favor regulation because they find the benefits to outweigh the crony-ist downsides.  Is it really possible Drum is unfamiliar with the downsides altogether, or is he just being coy?

Here is what regulation, particularly utility-style regulation, tends to do -- it locks in current business models and competitors.  It makes it really hard for new entrants to challenge incumbents with innovative new business models or approaches, because regulations have been written based on the old business model and did not take the new one into account.  So a new entrant must begin business by getting regulators to allow their new model, which never happens because by this time incumbents have buildings full of lobbyists aimed at the regulatory process.  Go ask Tesla and Uber and Lyft about how easy it is to enter a heavily regulated business even with a superior new business model.

This is particularly true in the technology world.  The biggest threat to incumbency is someone with a new technology or approach to the technology.  Don't believe me?  I suggest you go to the offices of Netscape or AOL or Lycos or Borders or Circuit City or Radio Shack and interview them about the security of their multi-billion dollar businesses in the face of new online technologies.  At best, regulators put a huge speed bump in the way of competitors, costing them time and money to get their alternative business model approved.  At worst, regulators block new competitors altogether.

I will give you a thought experiment.  Let's say these exact same rules were adopted in the year 2000, when AOL and Earthlink dial-up ruled the internet access world.  Would cable and satellite and DSL have grown as quickly?  I can see the regulators now -- "hey, all the rules specify phone dial up.  There's nothing here about cable TV.  Sorry [Cox, Comcast, whoever] you are going to have to wait until we can write new rules."

The other thing that happens with utility-style regulation is that companies in the business tend to get their returns guaranteed.  Made a bad investment in a competitive market?  Well good luck getting customers to pay extra to bail you out from your bad decision when they have other options.  But what happens when your local power company wastes $10 billion on a nuclear plant that never opens -- it gets built into your rate base!

In the case of broadband, they are locked in what business school students would see as a classic supply chain battle.  Upstream companies like Netflix supply content via downstream broadband companies.  Consumers are only willing to pay a certain amount for this content, so the upstream and downstream fight a lot over who gets what share of that consumer $.    This happens everywhere in the business world, from Cable TV to oil refining to selling TV's at Wal-Mart.  There is a real danger that broadband will lose this fight in the future -- but not now.  Regulated industries never die, they appeal to their regulators for help.

As of yesterday, Wall Street is looking at broadband companies and realizing that they are now largely immune from competition and some level of minimum returns are likely now guaranteed forever.  Consumers should hate this, but what's not to love for Wall Street?

Postscript:  Kevin Drum describes the new regulation this way:  "Basically, under Wheeler's proposal, cable companies would no longer be able to sign special deals to provide certain companies with faster service in return for higher payments."  This is a bit like describing the Patriot Act as a law to force people to take their shoes off at the airport.  Yes, it does that narrow thing, but it does a LOT else.  The proposal is hundreds of freaking pages long.  It does not take hundreds of pages to do the narrow little niche thing Drum (like most neutrality supporters) wants.

This Administration has cleverly taken this one tiny concern people have and has used it as an excuse to do a major regulatory takeover of the Internet.  This is a huge Trojan Horse. But I have already ranted about the details of that and you can read that here.

Thinking of the Gracchi Brothers Today

It is with mixed emotions that I greet this day.  Frequent readers will know that I long for a system of much more open immigration.  I don't think that the US Government should be limiting who can and cannot seek work or live within the US borders (setting rules for citizenship and receipt of benefits are different matters).  So I would like to see many long-time immigrants legalized today (and in fact I likely have friends and acquaintances who will benefit, though it's always been a bit awkward to ask them about immigration status).

However, I would MUCH rather see a rational process implemented than these once a decade amnesties we seem to go in for instead.

I also worry that Obama is taking these actions for all the wrong reasons, seeking to add 5 million Democratic voters rather than trying to help 5 million people who are seeking prosperity.  The reason I suspect this is that he is also seeking higher minimum wages that will likely make it harder for these folks to find work, likely something he has promised to his union allies so they won't freak out.  I have always said that Republicans want immigrants to work but not vote and Democrats want immigrants to vote but not work.

But I am much more worried about the un-Constitutional process that is going to be followed.  Of course, this is not the only Executive power grab over the last two presidencies, but it is a big one and one of the first where the President has admitted he doesn't have the power but is going to do it anyway.

Around 133BC, Tiberius Gracchus was ticked off that the Roman Republic would not consider necessary land reform.  I am going to oversimplify here, but in their conquests the Romans had grabbed a lot of new territory and by law that land was supposed to be parceled in small sections to lots of individual land holders.  Instead, powerful men (many of whom were in the Senate) grabbed the lion's share of this land for themselves in huge estates.   Gracchus rightly saw this as unfair and a violation of law, but it was also a threat to the security of the nation, as independent landowners who bought their own weapons were the backbone of the Roman army.  The shift of agriculture to huge estates staffed with slaves was not only forcing a shift in the makeup of the army (one which would by the way contribute to the rise of despotic generals like Sulla and Caesar), but also was creating social problems by throwing mobs of unlanded poor on the cities, particularly Rome.

Anyway, the short version is that Tiberius Gracchus had good reason to think these reforms were important.  But traditionally they would have to be considered by the Senate first, and he was too impatient to wait that process out, and besides (probably rightly) feared the Senate would find a way to kill them.   He was so passionate about them that he violated the (unwritten) Roman Constitution by ignoring the Senate and setting new precedents for using his position as Tribune to pass the new laws.  It was absolutely the prototype for a well-intentioned bypassing of the Constitution.  I won't go into detail, but Tiberius was killed at the behest of some Senators, but his brother picked up his mantle 10 years later and did some similar things.  Which is why we talk of the Gracchi brothers.

In the near term, the results were some partial successes with land reform.  However, in the long-term, their actions really got the ball rolling on what is called the Roman Revolution.  A hundred years later, the Republic would be gone, replaced with a dictatorship.  Step by step, the precedents often set initially with only the best intentions, were snatched up and used by demagogues to cement their own power.  In later years, what gave emperors their authority was a package of powers granted to them.  One of the most important was "tribunician" power.  In essence, the tribunician power included many of the powers first exercised aggressively by the Gracchi brothers.  More than just starting the ball rolling on the Revolution, they pioneered the use of powers that were to be the core of future emperors' authority.

Sorry for the Downtime

Had some sort of attack running all weekend against one of my more minor web sites.  Hostgator found the attack and changed our security rules, and for now we should be fine.  Sort of violating the security through obscurity rule of thumb since this was a very obscure site they were attacking.

Site Issues

Well, we had just a mess of problems here.  We have had off and on DOS attacks for a week or so, and then last night I managed to embed some oddball code in a quotation in one of yesterday's posts that caused other heartache.

After a lot of debugging, I am hoping all is well again.  I have changed the caching and security options at Incapsula, which I use as a gateway for traffic.  For many of you, you will see substantial performance improvements but at the cost of some caching which may delay your comments showing up by 10 minutes or so.

The Real Money in the Climate Debate

I have yet to meet a skeptic who reports getting any money from mysterious climate skeptics.  A few years ago Greenpeace had a press release that was picked up everywhere about how Exxon was spending big money on climate denialism, with numbers that turned out to be in the tens of thousands of dollars a year.

The big money has always been in climate alarmism.  Climate skeptics are outspent a thousand to one.  Here is just one example:

It sounds like the makings of a political-action thriller. The National Geospatial Intelligence Agency (NGA) has awarded Arizona State University a five-year, $20 million agreement to research the effects of climate change and its propensity to cause civil and political unrest.

The agreement is known as the Foresight Initiative. The goal is to understand how climate-caused disruptions and the depletion of natural resources including water, land and energy will impact political instability.

The plan is to create visually appealing computer models and simulations using large quantities of real-time data to guide policymakers in their decisions.

To understand the impacts of climate change, ASU is using the latest advances in cloud computing and storage technologies, natural user interfaces and machine learning to create real-time computer models and simulations, said Nadya Bliss, principal investigator for the Foresight Initiative and assistant vice president with ASU's Office of Knowledge and Development.

I can tell you the answer to this study already.  How do I know?  If they say the security risks are minimal, there will be zero follow-up funding.  If they say the security risks are huge, it will almost demand more and larger follow-up studies.  What is your guess of the results, especially since the results will all be based on opaque computer models whose results will be extremely sensitive to small changes in certain inputs?

Postscript:  I can just imagine a practical joke where the researchers give university officials a preview of results.  They say that the dangers are minimal.  It would be hilarious to see the disappointment in the eyes of all the University administrators.  Never in history would such a positive result be received with so much depression.  And then the researchers would say "Just kidding, of course it will be a catastrophe, it will be much worse than predicted, the badness will be accelerating, etc."

AZ Corporation Commission's Completely Inadequate Response to My Critique on their Site Security

A while back I wrote about my concerns about the total absence of any security at all in the Arizona corporate annual reporting system:

I started the annual reporting process by just typing in the name of my company and getting started.  There was no password protection, no identity check.  They had no way of knowing I had anything to do with this corporation and yet I was answering questions like "have you been convicted for fraud."  The potential for mischief is enormous.  One would have to get the timing right (an annual report must be due before one can get in) but one could easily open the site on January 1 and start entering false information in the registrations for such corporations as Exxon and Wal-Mart.

See for yourself.  Here is their web site.

I showed how one could open and file the report for a company like Wal-Mart, changing all their officers' names, and confessing to all sorts of imagined corporate crimes.

Again, note what I am saying.  This is not the result of hacking.  This is not lax security I figured out how to evade.  This is the result of no security whatsoever.  I simply went to the link above, clicked on the Wal-Mart Associates link, and then clicked on the annual report link.  I know from doing my own registration that there is a signature page at the end, but all you do is type in the name of an officer and a title -- data that is right there on the site.  It's like asking you for a password after the site just listed all the valid passwords.

The head of the Arizona Corporation Commission wrote me back. Here is her email in its entirety:

Dear Mr. Meyer:

Thank you for your email regarding the Corporations Division.  The Arizona Corporation Commission is the repository for all business formation documents for corporations and limited liability corporations.  We are in full compliance with state statutes.

Submitting false documents to alter another’s corporate structure or status is a crime and carries a Class 4 or Class 5 penalty.  The Commission or the aggrieved business entity may refer the false filing to the Attorney General’s office for prosecution.  Additionally, the individual business entity may pursue a civil cause of action.  The Commission only accepts on-line charges for a few services such as name reservation or to order a certificate of good standing, and the online payment process is completely secure.

Even though the Commission’s existing security measures comply with the state law and are similar to most other states and other Arizona governmental entities like the County Treasurer’s Office, the Commission is looking at implementing new technology to allow for the online submission of additional services – such as the filing of original Articles of Organization and Articles of Incorporation.  We do intend to provide password protected security features when that new technology is offered to the public.

J. Jerich

Executive Director

Arizona Corporation Commission

I had no doubt that submitting a false annual report for Wal-Mart would be illegal.  Duh.  However, it is just incredibly naive that this is the sole extent of the Commission's security, to prosecute people once the damage is done.  Can you imagine if Amazon had the same security policy - "we are getting rid of passwords because it would be illegal for you to buy something from someone else's account."  I wonder if the commissioners leave their doors unlocked at night, trusting in the threat of future prosecution to deter burglary and mayhem in their homes?

Arizona Corporation Commission Web Site is Criminally Insecure

Today I had to do my annual renewal of my corporate registration in Arizona.  As in most states, this involves a bit of information foreplay followed by the purpose of the exercise -- sending in a check to the corporation commission.

But here is the extraordinarily scary part -- I started the annual reporting process by just typing in the name of my company and getting started.  There was no password protection, no identity check.  They had no way of knowing I had anything to do with this corporation and yet I was answering questions like "have you been convicted for fraud."  The potential for mischief is enormous.  One would have to get the timing right (an annual report must be due before one can get in) but one could easily open the site on January 1 and start entering false information in the registrations for such corporations as Exxon and Wal-Mart.

See for yourself.  Here is their web site.  Below is a screen shot of the site letting me in to edit one of Wal-Mart's corporate registrations in Arizona:


Again, note what I am saying.  This is not the result of hacking.  This is not lax security I figured out how to evade.  This is the result of no security whatsoever.  I simply went to the link above, clicked on the Wal-Mart Associates link, and then clicked on the annual report link.  I know from doing my own registration that there is a signature page at the end, but all you do is type in the name of an officer and a title -- data that is right there on the site.  It's like asking you for a password after the site just listed all the valid passwords.

If I disliked Wal-Mart, I could put all kinds of crazy garbage in here.  I did not go further, because I would have had to answer these questions to proceed and I had no desire to mess with another company's critical data, but if I had gone further I could have changed their mailing address, the names of their officers, etc. -- all I had to do was just pay the $60-ish registration fee for them and they would have a big mess on their hands to sort out.   If I had access to a fake or stolen credit card and a public computer, I could have done it all without any hope of being traced.

By the way, from my experience, this is not unique to Arizona.  This criminally lax behavior seems to be the norm in most states.

I have submitted this all as a complaint to the state, so far with no response.  If anyone in AZ knows how I can get someone's attention with this, let me know.
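To make the "password after the site just listed all the valid passwords" point concrete, here is an added Python sketch (not part of the original post and not the Commission's code). It compares a filing check that relies only on the publicly listed officer name and title with one that also requires a secret the site never displays. The entity, officers, addresses and the mailed filing secret are all constructed assumptions.

```python
"""Added illustration: a 'signature' built from public data vs. a real secret.
Every record, name and function here is constructed for the example."""
import hashlib
import hmac
import secrets

# Constructed public registry: anything in here is visible to any visitor.
PUBLIC_RECORDS = {
    "EXAMPLE WIDGETS INC": {
        "officers": [("Pat Doe", "President"), ("Sam Roe", "Secretary")],
        "address": "1 Constructed Way",
    },
}

# Hypothetical private store: salt plus PBKDF2 hash of a filing secret that
# would be delivered out of band (e.g. mailed to the address of record).
CREDENTIALS = {}
AUDIT_LOG = []


def hash_secret(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


def enroll(entity):
    """Issue a filing secret for an entity and keep only its salted hash."""
    secret = secrets.token_urlsafe(16)
    salt = secrets.token_bytes(16)
    CREDENTIALS[entity] = (salt, hash_secret(secret, salt))
    return secret


def signer_is_listed(entity, name, title):
    record = PUBLIC_RECORDS.get(entity)
    return record is not None and (name, title) in record["officers"]


def accept_filing_weak(entity, name, title, changes):
    """The pattern the post describes: the only check is a typed officer
    name and title, both of which the registry itself publishes."""
    if not signer_is_listed(entity, name, title):
        return False
    PUBLIC_RECORDS[entity].update(changes)
    return True


def accept_filing_hardened(entity, name, title, filing_secret, changes):
    """Same form, but the filer must also prove knowledge of a secret that
    cannot be read off the public record. Every attempt is logged."""
    salt, expected = CREDENTIALS.get(entity, (b"", b""))
    supplied = hash_secret(filing_secret, salt)
    ok = (
        entity in CREDENTIALS
        and signer_is_listed(entity, name, title)
        and hmac.compare_digest(supplied, expected)  # constant-time compare
    )
    AUDIT_LOG.append((entity, name, "accepted" if ok else "rejected"))
    if ok:
        PUBLIC_RECORDS[entity].update(changes)
    return ok


def demo():
    entity = "EXAMPLE WIDGETS INC"
    real_secret = enroll(entity)
    # A stranger knows only what the public listing shows.
    name, title = PUBLIC_RECORDS[entity]["officers"][0]
    weak = accept_filing_weak(entity, name, title, {"address": "altered"})
    PUBLIC_RECORDS[entity]["address"] = "1 Constructed Way"  # undo for demo
    stranger = accept_filing_hardened(
        entity, name, title, "a guess", {"address": "altered"})
    owner = accept_filing_hardened(
        entity, name, title, real_secret, {"address": "2 New St"})
    return weak, stranger, owner


if __name__ == "__main__":
    print(demo())
```

The weak check accepts the stranger because every input it asks for is published by the registry itself; the hardened check rejects the same request and leaves an audit entry for the failed attempt.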

Windows 8 Even Worse Than I Thought

Up to this point, after some initial bad impressions trying Windows 8 briefly, I have avoided it like the plague.  However, my son needed a new laptop and the only ones that really met our requirements only came in Windows 8 flavors, so we bought one.

What an awful mess.  The system boots up into a tiled mess that looks like some cheesy website covered in moving gifs and viagra ads.  To make matters worse, nothing on this tablet-based interface is organized at all logically.  The interface is like the room of an ADD child that dropped all of his toys and books in random spots.  I am sure these tiles have some sort of navigation paradigm, but it is completely different from any used in past windows versions.  I could not, for example, figure out how to easily exit the store except to alt-tab out (there is no exit or quit option and right-click context menus which are one of the great advantages of windows over mac don't seem to work a lot of the time).  Again, I am sure there is some way to do it, but I have no idea what it is and no desire to learn new navigation commands.  Perhaps Microsoft intends that one use a gamepad instead of a mouse -- I would not be surprised at this point.

Unlike older versions of windows, windows update did not run automatically at first bootup.  I knew from past experience there were likely dozens of security patches I needed to install right away.  I hunted for quite a while just to find the windows control panel (so I could run windows update).  It was buried in a sub-menu of a toolbar on the right side of the screen that only pops up if you find a tiny (unmarked) spot in the corner of the screen with your mouse.   It amazes me that anyone thought replacing the start button with an unmarked spot on the screen was a good idea.

Of course, the control panel is called something entirely different now, but I did eventually find windows update and there were, as expected, over 70 security patches that needed to be installed.  But for some reason they would not download immediately, but kept giving me a message that they would be downloaded at some future indeterminate date.  I finally found a way to force them to download.

My next step was to get rid of the stupid application tile interface and get the computer to boot directly to desktop and get the old start button back.  This requires a free upgrade to windows 8.1, but there is no obvious way to do this, even through windows update.  I finally had to search the internet to find the link.  This sent me into the windows 8 app store.  What a total mess that is!  If anything, it is more poorly organized than the Apple app store.  Like the Apple store, it seems aimed at people who want to browse applications virtually at random rather than find something specific.  Incredibly, there is no search function.  Yes, I know, I have to be wrong about that, but I scrolled all over that damn storefront and cannot find a search box.

So I cannot actually find the Windows 8.1 upgrade.  The web site tells me that I should be presented with a prominent option to download it in the store, but I am not.  It is nowhere to be found.  I found an FAQ somewhere that suggested that I would not be offered the 8.1 upgrade if my 8.0 installation is missing certain patches, so I am going back to windows update to see if there is something I am still missing.

I was wrong about windows 8 -- I once wrote it was bad but perhaps not as bad as Vista or ME.  But it is.  This is the worst thing I have ever seen come out of Microsoft.  It is inexplicable that this company with such a strong market share in the business world could saddle its flagship OS with an interface more appropriate to an XBOX.

In the past, I have said that I would not want a desktop with a tablet interface.  But at the end of the day, I would not want a tablet with this interface.  Perhaps with hours of work, I will make this computer usable.  Who would have ever thought I would have longed for the day when I had to spend an hour with a new computer removing bloatware.  Now I have to spend a day trying to emulate the windows 7 experience on windows 8.

People have developed many hypotheses for the lingering recession.  Some say it was too small a stimulus.  Some blame the sequester.  I blame the Windows 8 launch, which I think has a lot to do with suppressing PC sales and thus much of the electronics and retailing sector.

2014 Obamacare Headlines

Here are a few shoes that are left to drop for Obamacare:

  1. Millions complain about their doctor no longer being in-network
  2. Thousands of companies are finding it cheaper to drop coverage and pay Obamacare penalties than continuing to provide health care coverage under new rules
  3. Despite fewer exchange enrollments than expected, total Federal subsidy payments higher than expected
  4. Emergency rooms overflow with new Medicaid patients that no private doctor will take on
  5. Exchange-sold health policies, particularly the unsubsidized ones, were mainly bought by the old and sick
  6. Obama Administration works to bail out health insurers via a number of different avenues
  7. Small to mid-size companies are shocked as Obama Administration finally reveals new record-keeping requirements
  8. After 5 years of 3-4% growth, health care spending skyrockets in 2014
  9. ________ health insurance company dropping coverage in  ____(state)_______
  10. Hackers steal tens of thousands of names and social security numbers from health care exchange computers.

I will score myself as the year progresses to see how many of these we actually see.  I would not be surprised to see every one of these.

A Milestone to Celebrate: I Have Closed All My Businesses in Ventura County, California

Normally, the closure of a business operation or division is not grounds for a celebration, but in this case I am going to make an exception.  At midnight on December 31, I not only drank a toast to the new year, but also to finally getting all my business operations out of Ventura County, California.

Never have I operated in a more difficult environment.  Ventura County combines a difficult government environment with a difficult employee base with a difficult customer base.

  • It took years in Ventura County to make even the simplest modifications to the campground we ran.  For example, it took 7 separate permits from the County (each requiring a substantial payment) just to remove a wooden deck that the County inspector had condemned.  In order to allow us to temporarily park a small concession trailer in the parking lot, we had to (among other steps) take a soil sample of the dirt under the asphalt of the parking lot.   It took 3 years to permit a simple 500 gallon fuel tank with CARB and the County equivalent.   The entire campground desperately needed a major renovation but the smallest change would have triggered millions of dollars of new facility requirements from the County that we simply could not afford.
  • In most states we pay a percent or two of wages for unemployment insurance.  In California we pay almost 7%.  Our summer seasonal employees often take the winter off, working only in the summer, but claim unemployment insurance anyway.  They are supposed to be looking for work, but they seldom are and California refuses to police the matter.  Several couples spend the whole winter in Mexico, collecting unemployment all the while.  So I have to pay a fortune to support these folks' winter vacations.
  • California is raising minimum wages over the next 2 years by $2.  Many of our prices are frozen by our landlord based on past agreements they have entered into, so we had no way to offset these extra costs.  At some point, Obamacare will stop waiving its employer mandate and we will owe an additional $2000-$3000 for each employee.  There was simply no way to support these costs without expanding to increase our size, which is impossible (see above) due to County regulations.
  • A local attorney held regular evening meetings with my employees to brainstorm new ways they could sue our company under arcane California law.  For example, we went through three iterations of rules and procedures trying to comply with California break law and changing "safe" harbors supposedly provided by California court decisions.  We only successfully stopped the suits by implementing a fingerprint timekeeping system and making it an automatic termination offense to work through lunch.  This operation has about 25 employees vs. 400 for the rest of the company.  100% of our lawsuits from employees over our entire 10-year history came from this one site.  At first we thought it was a manager issue, so we kept sending in our best managers from around the country to run the place, but the suits just continued.
  • Ask anyone in the recreation business where their most difficult customers are, and they likely will name the Los Angeles area.  It is impossible to generalize of course, because there are great customers from any location, but LA seems to have more than its fair share of difficult, unruly, entitled customers.   LA residents are, for example, by far the worst litterers in the country, at least from our experience.  Draw a map of California with concentric circles around LA and the further out one gets, the lower the litter clean-up costs we have.  But what really killed it for me in Ventura County was the crazy irresponsible drinking and behavior.  Ventura County is the only location out of nearly 200 in the country where we had to hire full-time law enforcement help to provide security.  At most locations, we would get 1 arrest every month or two (at most).  In Ventura we could get 5-10 arrests a day.  In the end, I found myself running a location where I would never take my own family.

And so I got out.  Hallelujah.

PS-  People frequently talk about taxes in California being what makes the state "anti-business."  That may be, but I guess I never made enough money to have the taxes really bite.  But taxes are only a small part of the equation.

Update:  Wow, reading this again, I left out so much!  An employee once sued us at this location for harassment and intimidation by her manager -- when the manager was her sister!  It cost me over $20,000 in legal expenses to get the case dismissed.  I had an older couple file a state complaint for age discrimination when they were terminated -- despite the fact that our entire business model is to hire retired people and the vast majority of our employees are 70 and older.  And how could I have forgotten the process of getting a liquor license?  I suppose I left it out because while tedious (my wife and I had to fly to California to get fingerprinted, for example), it is not really worse than in other places -- liquor license processes are universally bad, a feature and not a bug for the established businesses one is trying to compete with.   We gave the license up pretty quickly, when we saw how crazy and irresponsible much of the customer base was.  Trying to make the place safer and more family friendly, we banned alcohol from the lake area, and faced a series of lawsuit threats over that.

 

Masked Credit Cards

I wrote the other day about shifting to unique passwords for every single web site I visit (there were 300 I had to change!) to limit the damage from a data breach such as that at Adobe.  The irony was that to make this work, I adopted a password vault program to remember all these 300 strings of random characters.  Which means that I am putting a LOT of trust into one site, instead of a moderate amount of trust into multiple sites.

The same sort of approach is being investigated with credit cards, where intermediaries are providing masked credit cards with one-time numbers (hat tip to a reader).  In some ways Paypal has a masked approach where the transaction is settled off the retailer's site entirely, though I am not sure I am entirely comfortable with Paypal's security.