I have come here to bury Equifax, not to praise or slam it. Unlike tobacco companies, it's misdeeds aren't industry wide and it can't just raise prices to cover the civil penalties it's about to incur. Unlike AIG, it doesn't threaten to take a major investment bank down with it. And unlike VW, it isn't considered an essential part of any country's economy. Nor will the blame game ever stop at the two recently cashiered CIO and CSO.

There are only two ways I see Equifax surviving. The first is if it "persuades" Congress to shelter it similar to the way Congress sheltered gun manufacturers. I'm not sure it has that sort of bribe money handy. The second is through a Johns-Manville type bankruptcy, where it creates a trust to pay off victims. But this isn't a situation where they can file a "tidy" prepackaged bankruptcy. So once they file, what form the restructuring or liquidation takes is anyone's guess.

So given that I believe Equifax must die, what can the rest of the tech industry learn from it? Here are my thoughts.

Patch Management

A lot of people are slamming Equifax for not patching their system once the vulnerability became public. But so-called "best practices" for Patch Management strongly suggest a delay before deployment, just in case the cure is worse than the disease. You can find the NIST document on the subject here.

That document is little changed from its 2005 predecessor, while the nature and severity of threats has changed immensely. As a result, corporate security groups have grown both in size and visibility. Inevitably with such growth, process replaces common sense in decision making. So while the NIST document does state, "in some operational environments, such as virtual hosts with snapshot capabilities enabled, it may be preferable to patch without testing as long as the organization is fully prepared to roll back the patches if they cause usability or functionality problems," suggesting such action becomes a career-limiting move.

I'm willing to bet that the patch for this particular vulnerability was "in the pipeline" at Equifax. Nor, from my experience, is a two month delay anything unusual in a large company. All that process, meetings, and documentation take time, after all, and any patches outside of a scheduled deployment "window" requires even more approvals.

While it's easy to say that this mindset should change, history shows us that it's nearly impossible. Large organizations are never going to be as nimble as a start-up, let alone as nimble as a small group of "bad guys." So while Equifax should have been able to reduce the window of vulnerability to, say, 2 weeks instead of 2 months, I fear that window will always exist.

Open Source Software

The software bug which gave the "bad guys" access to Equifax was in an open source project called Apache Struts. It was one of two critical software bugs found in that project so far this year. The source code for Struts is available online, for free, for anyone who cares enough to look at it. The bad news is that there is no way to hide weaknesses from "bad guys" with the skill to find them. But that also means there is no way to sweep weaknesses "under the rug," and no incentive for a developer to hide them. It is one of the axioms of open-source software that this benefit outweighs the risk, since bugs get detected and fixed sooner.

Whether open-source software in general is more or less secure than proprietary software is a continuing debate. But I think these Struts exploits show a weakness in the open-source assumptions. Struts is, shall we say, a "mature" offering. It's widely used, but there's no real excitement or positive "buzz" about it in technological circles. There's not a lot of "egoboo" or career advantage in contributing to the Struts project anymore. The combination of widespread adoption, source code access and developer ennui makes it an ideal target for hackers.

Speaking in generalities, software developers seek out the "latest and greatest" technology, while management types will often preferred "tried and true" solutions to reduce risk. Both viewpoints are valid, but like every product, software has a shelf life. With commercial software, the need to move off of stale software can be enforced by the vendor discontinuing support or simply going out of business. But I think the industry has to pay more attention to these "stale" open source efforts as well.

Beyond the Exploit

Through the CVE-2017-5638 exploit, the "bad guys" obtained the ability to execute arbitrary commands on Equifax's public facing servers. This is never good, but everyone knows it can happen. Once again, there are a series of "best practices" for such systems, and I have little doubt that Equifax's CIO thought they were using them. And indeed, the "best practices" do guard against a variety of once-common threats.

But here's the thing. The exploit could only give unlimited access to the attacker if it was running with administrative, or "root" privileges. Those "best practices" state that server-side software should run under an account with as few permissions as possible. Nor should any of those commands allowed access to other systems except through a controlled number of paths, and none of those paths should have allowed access to large quantities of data at a time.

Equifax is doomed to become a case study of "insecurity by design." Border security alone is never sufficient; for a high-profile target like a credit reporting agency, it has to be though of at every step of the process. For example, putting a database "behind the inner firewall" is useless if the DMZ machines can make arbitrary queries. Sanitizing inputs to prevent "little Bobby Tables" attacks is well and good, but once you reach a certain risk level, further measures are needed.

While the gory details will come out in due time, I strongly suggest that anyone with a large store of valuable or sensitive data take a very hard look at how that data can be accessed.


I just got back from my annual check-up, so by current standards that makes me qualified to chime in on the great health care controversy, right? Well, no, but here goes anyway.

Read more... )
I rented this lens for a weekend and came away with some generally favorable impressions.

Photos, Self Justification, and Photo Geekery... )
About a week ago, someone asked me why I hadn't written much about the election.  Truth be told, there's not a lot worth saying.

Read more... )
This is a brain dump, which I'm posting so I don't think about it while I should be enjoying the world for the next 10 days or so.

Read more... )
First a caution. I'm not offering any opinions on "gun control" or 2nd amendment rights here. If you want to discuss those issues, find another soapbox.

As part of this week's "Now is the time" executive actions, the White House released a memorandum entitled "Memorandum -- Promoting Smart Gun Technology" The concept of a "smart gun" seems great in theory. However... )

I guess it's that time again.  Everyone seems to be asking, "Why can't we build a high speed rail network?"  In at least three different venues, I've seen people either asking that question or linking to articles such as the one from Brookings claiming it's due to a lack of political will.

Here is my take. )

This is not a post about gun laws.  It's about memes.  If you want to debate gun laws, please do so elsewhere.

The following Meme was shared by some of my Facebook friends, having gotten it from those bastions of integrity, Occupy Democrats and/or Being Liberal:

First the Meme )

Now the Analysis )

In summary, not a single assertion of the meme is more than half-true.  No matter where you stand on the issue, posting a meme like this one doesn't persuade anyone and provokes the usual (and equally bogus) knee-jerk reactions.  For anyone who actually pauses to think about the meme, it just comes off as dishonest and silly.

I sometimes wonder how people pick their villains.  The California drought is, to my mind, a great example of this.

At least in my circles on Facebook and other places, the favorite villain in this saga is Nestlé.  They are, by their own account, drawing 725 million gallons of water a year for their 5 California Bottled water plants, which is actually more than the oft-quoted figure of 400 million gallons.  They then have the audacity to sell this water to willing buyers for a handsome profit.  Oddly enough, those buyers are also mainly in California, and most of those buyers have ready access to tap water.  So it's safe to assume that each gallon of water sold by Nestlé and consumed in California means that a reduction in consumption of just under one gallon of tap water.

That doesn't mean bottling water in California, is, well, a wash.  According to the bottled water trade group, it takes 1.4 gallons of water to produce a gallon of bottled water.  I believe that the actual number should be higher, since it doesn't such things as the water consumed by workers at the plant.  It also requires more energy to move water by truck or rail than by pipeline.  And when you're done with the product, you're left with a bottle.  Recycling a plastic bottle does keep it out of a landfill, but from what I can tell it actually takes more water to recycle a water bottle than to produce the same amount of "virgin" plastic.

So it's pretty clear that on the supply side, bottled water is an ecological loser, especially in a drought area like California.  But given that people are freely chosing to buy the stuff even when tap water is readily available, what are the alternatives?  Does it really make more sense from an overall environmental standpoint to send water by, truck, train or boat, from, say, Fuji, France, Maine or even the Olympic Peninsula?  So if Nestlé is evil (and at least for this essay, I'll accept that they are), it's the same evil as a drug pusher.  They are selling a product which people buy and consume far more than is rational for them to do so.

How about other beverage companies?  Budweiser has two mega-breweries in California, MillerCoors has one as well, and there are perhaps 500 other smaller breweries.  Beer is water intensive; not counting water used to grow hops or grains it takes about 4 gallons of water to produce a gallon of beer.  All of the major soft-drink companies have bottling plants in California as well, and it takes about 2 gallons of water to produce a gallon of soda.  Wine?  I'd rather skip that one for now; it raises the ugly issue of agricultural versus urban use.  So if Nestlé is evil, why isn't there the same rancor about other drink companies?

All of which brings me to golf.  According to the Washington Times (not exactly a liberal rag), each 18-hole golf course consumes (conservatively, naturally) about 90 million gallons of water a year.  So Nestlé uses about as much water as eight golf courses.  The article also states that there are about 860 golf courses in California.  So as an industry, golfing uses about 100 times the California water as Nestlé.

Golf should be an easy target.  It's a recreation of the well-to-do; the average golfer has a household income of $95,000 and spends about $3000 a year on the game.  The people who play it are predominately white (~87%) and male (~78%).  Nor do golf course operators exactly endear themselves to the general populace; threatening to sue local artists for offering a painting of a tree for sale is not a way to win friends.

So hence my bewilderment.  While I understand the need for simple "answers" for such complex problems as the politics of water, why are so many electrons spent vilifying Nestlé when there are so many attractive alternative villains out there?
I'm buying a new car.  Today I wanted to order replacement license plates so I could retire 12-year old, beat-up ones when I take delivery.  Massachusetts offers them at a fairly modest $10 per plate.  They also offer ordering by phone.  So I called to place an order.  The automated system told me the wait time would be over an hour and offered a callback service.  I elected this option and was told the call would come in "over an hour."

Just under 2 hours later, I did get a callback.  But apparently it was not possible to place an order for 2 replacement plates. Instead, I had to place two orders -- one for each (identical) plate. The agent required me to read off my credit card number once for each order, then read off the CVV once for each order, then gave me a confirmation code for each order and then made me listen to the identical boilerplate language about receiving a temporary in 3-5 days and the plates arriving in 4-6 weeks.  In other words, the transaction took more than twice as long as it should have and probably resulted in the Commonwealth paying higher transaction fees to the bank.

I refuse to believe that this sort of thing happens by accident or neglect.  This had to be a deliberate decision by RMV management.  I'm willing to bet it was justified by some concerns over accidentially overcharging people.  But all it really does is create busy work for the agents.  That means that the RMV has to hire more agents and more people to manage them.  In other words, bureacratic empire building at its finest.

So if you wonder how come the Massachusetts RMV had to raise fees last year to close a $53 million budget gap or why the queues are so long, I think I found part of the answer.
Today we have yet another politician proposing a law which would try to legislate "good" behavior by U.S. citizens, criminalize personal choices, and have a disporporationate impact on the poor, minorties, and the disabled.  Only this time, it's President Obama who is "floating" the idea.

I refer to the suggestion President Obama made in Cleveland that voting should be mandatory as it is in Australia.  My guess is that a law requiring people to report to a polling station on Election day would be held constitutional on the same grounds that compulsory jury duty is constitutional.  But I also believe that any attempt to require people to actually cast votes once they get there would be a first amendment violation.  I exercise my right not to vote for any listed candidates in a given "race" with some frequency.

But constitutionality aside, I think it's a colossally stupid idea.  As the President himself stated, the violators of this new law would likey be "young, lower income, and skewed towards immigrant and minority groups."  They are the ones who would be paying the fines and for whom the fines would hurt the most.  President Obama also opined this would counteract the effect of money in campaigns.  My guess is that exactly the opposite would occur. If someone doesn't feel it's worth their effort to vote now, does anyone really thing that because they are forced to vote, they will suddenly feel it's worth the much greater effort to actually learn about the candidates?  If not, then the half-truths, attack ads, and vague promises that define political advertising today will become of even greater importance.  Short of repealing the 1st amendment, getting "money out of politics" is a fantasy.

If this country is serious about improving our shameful voting turnout, it's time to use the carrot instead of the stick.  Reasonable ideas include switching elections to the weekend, universal mailing of post-paid ballots for early voting, requiring employers to give 2 hours paid time a year for voting, and working with search engine companies like Google to ensure people can find candidate websites quickly and easily.

With our current dysfunctional government, of course, both Obama's ideas and mine have exactly zero chance of passing.  So other than making himself a target of scorn, I'm not sure what President Obama was trying to accomplish with this idea.
UAQ, of course, stands for Unasked Questions.  No one asked me, but I have read the now infamous letter and am prepared to answer them anyway.

Q:  Did the GOP senators who signed this thing commit treason?
A:  No.  Treason against the United States is defined in the constitution.  This doesn't even come close.

Q:  Did the GOP senators who signed this thing violate the Logan Act?
A:  By the exact wording of the Act, possibly.  Let's look at the operative clauses:

  • Directly or indirectly commences or carries on any correspondence or intercourse with any foreign government or any officer or agent thereof.  No question here.

  • With intent to influence the measures or conduct of any foreign government or of any officer or agent thereof.  I don't think they had any such intent.  Not because the senator's intentions were pure; this was purely a play in the ongoing domestic political game.  They didn't even bother to send it in Farsi.  But that's my opinion.

  • In relation to any disputes or controversies with the United States. It would take quite a stretch of interpretation to say that a reference to "nuclear negotiations" is a dispute or controversery.

So, yeah, with a lot of hand waving a case could be made for a prima facie violation.  But then there's that pesky thing called the 1st Amendment.  The Logan Acts dates to 1799 -- one year after the Alien and Sedition Acts made clear that the early Congress thought of the Bill of Rights as "sort of a guideline." This article from Slate gives a pretty good recap of the history of the Logan Act and concludes its a joke.  It's just not a particulary funny one.

Q:  Could the GOP senators be impeached for their actions?
A:  Almost certainly not.  While the language in the Constitution is vague, it's generally interpreted to mean that only Presidential appointees are subject to impeachement.

Q:  Did the GOP senators violate their oath of office?
A:  No.   The oath in the current form does not mention disloyalty to the President, nor does it require Congresscritters to act in the best interest of the Country.  That wasn't always the case, but the "Ironclad Test Oath" was repealed in 1884.

Q:  Was the Senators' letter factually correct?
A:  Mostly Correct:  I agree with Politifact's analysis.

Q:  Did the Senator's actions interfere with the last great hope for Whirled Peas or other such grandiose nonsense?
A:  No.  Do the people making this claim really think that if there was really a meeting of minds, this claptrap would have any effect? It is a 100% safe bet that the Iranian diplomats and advisers know more about our system of government than any of the 47 senators know about Iran's.  They know how the game is played far better than a 1st term Senator.

Q:  So you're saying that the GOP senators did nothing wrong?
A: Bzzzt.  Absolutely not. If one assumes that the letter was meant to be read by Iranian officials, it can only be read as incredibly arrogant and condescending. Reminding other countries how disfunctional and polarized our national politics have become is not illegal, but it is phenominally stupid.  The purpose of any treaty on nuclear technology is to convince Iran that having a nuclear weapons program is not in its best interest.  They will take a lot of convincing and a lot of work to keep them convinced.  If the Iranian government believes that the United States won't live up to their end of the agreement, they have no reason not to continue their development clandestinely.  In fact, even a moderate interpretation of the Quran gives them all the justification they need in verse 8:58.

Iran learned from their own and Israel's attack of the Iraqi Osirak reactor.  Stuxnet was also a fairly good object lesson; presumably they've taken that to heart as well. As a result, I doubt that either the U.S. or Israel could destroy the Iranian nuclear program with conventional forces.  If the GOP thinks that their constituency wants the USA or Israel to use a "big white one" against Iran, I pray that they realize their error in time.

The MBTA shut down all trains at 7pm yesterday.  There were no trains today and only a limited bus schedule.  For tomorrow, here's a rundown of what the MBTA is currently saying:

  • 70% of the regularly scheduled trips on the commuter Rail

  • Fewer cars and less frequent service on the Blue and Green lines

  • "Limited" Service on the Red and Orange lines

Users of the "T" and the taxpayers of Massachusetts are justifiably angry.  Current Governor Charlie Baker is a Republican. Dr. Beverly Scott, the CEO of the MBTA, is an appointee of his Democratic predecessor.  Add a strongly pro-Union 2nd-year Boston mayor to the mix and you have the ingredients of a truly ugly political battle.

The weather over the last three weeks has been unprecedented, but that's only exposed the long-standing problems.  So before taking sides in this troika, here are a few links and a few selected observations:

You can find an abbreviated report on the T's historical Income and Expenses here:


You can find a selection of T ridership statistics (aka The Blue Book) here:

Looking at the spreadsheets and first and last year of Blue Books, between FY2007 and FY2014:

  • Ridership as measured by unlinked trips is up 5%

  • Total Operating Costs are up 46%

  • Wages are up 27%

  • Fringe Benefits are up 26%

  • Outsourced Expenses are up 78%

  • Percentage Revenue from fares has dropped from 35% to 33%

  • Unless it's hidden in the "Materials, Supplies, and Services" catch-all, depreciation is not included in determining deficits or surpluses.

So as the debates and blood-letting play out over the next few months and the claims and counterclaims fly, remember those links and figures.  Dr. Scott has only been on the job since 2012, so all three of the players inherited this mess.  Perhaps Massachusetts pols should spend less time on an Olympic-sized ego trips and more time managing the day-to-day operations of the Commonwealth.

I just getting over a week-long cold, which, combined with two news stories, got me thinking about the Affordable Care Act, aka the ACA or Obamacare.  And about pizza, of course.

Read more... )

During an interview with Marcia Kramer of the New York Daily News, Sol Wachtler, the former New York State chief judge, once said words to the effect of “district attorneys now have so much influence on grand juries that ‘by and large’ they could get them to ‘indict a ham sandwich.’”  The quote entered popular culture via Tom Wolfe’s book The Bonfire of the Vanities and has been oft quoted in light of the failure to indict Darren Wilson for killing of Michael Brown.

I have no issues with the quote.  As others have pointed out, under current law there is no need for the prosecutor to present any exculpatory evidence and the legal grounds for indictment doesn’t even have to meet a preponderance standard.  The members of the grand jury are in effect conscripts for whom service is an intrusion into their daily lives and often a financial burden.  In the vast majority of cases there is little incentive for them not to accept the tale spun by the prosecutor.  Under these terms of engagement, I have little doubt that a zealous DA could have gotten a manslaughter indictment against Darren Wilson.

That said, grand juries actually have a tremendous amount of power should they choose to exercise it.  If they are interested in finding exculpatory evidence, they can wield the full subpoena power of the courts to obtain documents and question witnesses.  We’ll never know if they would have taken the initiative to do so in this case; the prosecution effectively did it for them.  I wouldn’t expect so many liberals to take issue with this.  After all, their argument amounts to demanding that the DA to control the flow of information to the citizens on the Grand Jury.

But let’s move from the safe house of theory back on to Reality Street.  Had Darren Wilson been brought to trial, absent a previously unseen video or a monumental act of stupidity on his part, in my opinion acquittal was all but certain.  As we saw with George Zimmerman, seven figure defense budgets buys a lot of reasonable doubt.  The trial would have taken money out of the pockets of taxpayers and well-meaning donors and put it into the pockets of high-priced lawyers and media outlets.  I also doubt that the protests against a not guilty verdict would have been neither any less emotional nor any less violent.

Perhaps, just perhaps, people should take an emotional step away from this tragedy and take the time to ask “why should a prosecutor be able to indict a ham sandwich?” In my opinion, the proper standard of proof before a grand jury should be a preponderance standard.  The State should have to demonstrate that it is more likely than not that a) a crime was committed, b) the accused committed the crime, and c) that at a trial, they could prove their case beyond a reasonable doubt.  The DA would still retain the advantage of being able to assemble and present a coherent story without facing organized opposition, and jeopardy would still not attach on a refusal to indict.  So I don’t think that’s too much to ask.  I guess that standard is too anti-law-and-order for most conservatives and too anti-government for most liberals.

So at least in my view, the current dreadful process resulted in a correct result.  Should new evidence arise, Darren Wilson can still be charged by a different grand jury at either the state or federal level.  But for now, the refusal to indict means that he does not have to endure, and Missouri doesn’t have to pay for a trial which the State is very unlikely to win.

In the last couple of week, you may have seen several stories about how the U.S. debt crisis is “over.”  Political flack Ambrose Evans-Pritchard even wrote a column in the Daily Telegraph entitled “America has conquered its debt crisis with incredible speed.”  Too bad it hasn’t.

Read more... )

First, a few ground rules. If your mind is already made up and doesn’t want to get confused, please don’t respond. I don’t care if you deny the basic science of the effects of CO2, expect a dues ex machina to fix it for mankind, or want to fine and jail people who disagree with a “set of facts that the majority of scientists clearly agree on.” Please, move on.

Read more... )
Page generated Oct. 23rd, 2017 03:59 am
Powered by Dreamwidth Studios