They have no moving parts (unless you use trackers) and they take advantage of "free" energy that will be here as long as the earth is habitable.
I'm always amused that engineers miss the giant fusion reactor in the sky.
I'm still waiting for quantum tunneling junctions. These are solid-state devices which are currently researcher voodoo: you can make one, but most of its surface is useless. Boeing has confirmed they work, just that you make one the size of a quarter and you get a few square micrometers of useful area.
A quantum tunneling junction has something like 55% Carnot efficiency for any given temperature drop at any absolute temperature which doesn't physically damage the material. It's similar to a Peltier junction, which has 8% efficiency. Essentially, a Peltier junction has electrons shifting more or less easily across a junction when a voltage potential is applied, which may cause them to release or absorb heat. A quantum tunneling junction has electrons crossing a dielectric when a voltage potential exists across two plates; the electrons have higher probability of crossing if they have higher energy, so "hot" electrons (absorb photons, i.e. thermal energy) move more frequently, cooling one side and heating the other.
Cute. What can we do with it?
Ever filled a scuba tank?
When you compress a gas, it releases heat. Release the gas elsewhere and it absorbs heat (gets cold). In fact, if you chill the tank enough and open it, you won't get any pressure: you freeze N2 into liquid N2 and now the N2 doesn't contain enough energy to produce force, thus pressure. Boiling is just molecules moving so forcefully they shove fluid out of the way and escape the vessel (buoyancy in a boiling liquid only occurs because the molecules in the bubble have enough energy to push the liquid away, making a low-density region that happens to be in the gas phase; add gravity and the low-density region is pushed to the surface by the heavy liquid).
So set up two compression chambers. Feed from a pump run off an engine; power the engine off this chamber. Use electricity from a battery (charged from an alternator off the engine) to run a quantum tunneling junction and pull heat emitted and from the atmosphere into the compressed air vessel.
Engineers like to point out here that you can't run a heat engine off a heat pump that shares its reservoir. They're talking about the atmosphere being the heat reservoir.
It's not an ideal reservoir.
You're emitting cold air into the atmosphere: the engine expands the air, which absorbs heat and spits out expanded (cooled) air. That air exits at a lower temperature than the air being pulled into the compression vessel, as well as the air from which the quantum tunneling junction is driving heat into the vessel. You're not injecting the cold output (engine exhaust) into the reservoir from which the heat pump (QTJ) is drawing--that is: the temperature of the exhaust isn't averaged with the atmosphere at point of contact with the heat pump.
Second, the atmosphere is heated by the sun.
Not only is the atmosphere big and capable of absorbing a huge amount of cold exhaust before your heat-engine-slash-heat-pump consumes the energy in its shared vessel and finally runs dry, but it's being fed energy from an external power source.
That external energy prevents the atmosphere from averaging its temperature out (in which case, it would already be at a temperature by which you can't run this machine). The heat from the sun is changing the entropy in the atmosphere, essentially playing the part of Maxwell's Demon--a thought experiment about exactly what I describe, with the mistake of not accounting for the work that the little cretin sitting on the gate expended to sort out hot particles from cold particles. The "demon" is being fed from the sun.
I've described nothing more than a Rube Goldberg machine that achieves solar power generation.
Whether you can build one is another matter; but the theory isn't totally unsound, at least not for the reasons most engineers immediately cite.
Honestly, I don't understand photovoltaic installations. Parabolic dish collectors with a Stirling engine were like 34% efficient and what in the hell is this?!
You can get higher efficiency off thermal because you can get 100% of the light (you know, thermal) as energy. The most efficient Stirling engine ever built hit 38.5% thermal efficiency or 77% of Carnot. At 73% efficient light redirection, you're looking at over 28% total thermal efficiency.
The only way you're beating a 73% efficient reflector feeding a 38.5% efficient Stirling-driven generator is to make transparent solar cells capturing different bands. Current cells are doped with split-band crystals which excite in multiple bands; if you absorb those bands and transmit the unabsorbed bands, you can use a different material for the next layer down, which absorbs one of the transmitted bands. In other words: capture 19% of the thermal energy as electricity in the first layer, and 15% of the thermal energy (18.5% of what was transmitted) in the second layer. 34%.
Such a cell would be enormously difficult to construct and have high costs. Maybe next decade.
Yeah, over three months when I got to my last job I started working 10 hour days, going home and working remotely, studying 5 new technologies, forgetting to eat until like 9pm, forgetting to shower, etc. Manager told me to slow down. Eventually, I came home, collapsed, cried for a while, then crawled into bed and slept 14 hours; I woke up feeling fantastic.
I wonder what kind of infosec degree you could have gotten pre-2002.
My decades around hackers and nerds allow me to intuit that she is a manager and not a true technical person. Just from her stupid haircut.
You could also intuit that I'm a politician from my $800 suit. I'm also my Campaign Committee's chair, treasurer, accountant, chief technology officer, Web designer (could you tell?), content writer, speech writer, publicist, campaign strategist, information security officer, lawyer, and secretary.
I happen to like train wrecks. Why work at a place that's well put together when you could be rebuilding a nation? I've pushed back against management, pointed out enormous operational flaws, and gotten myself counseled for saying unpleasant things about the state of an employer here and there when they'd rather I just do what they tell me. They eventually get back in line, and the organization straightens itself out--to miraculous effect. Sitting around and coasting is boring.
Why wouldn't you want to work for a disaster employer?
Perhaps the most attractive thing about being a Congressman is I get to tell all my coworkers--you know, Congress--exactly what's wrong and keep telling them long after they're tired of hearing it, and the only people who can actually fire me are the voters. Nobody can complain to HR that I'm "not a team player" because I'm annoying. Sure, you still need to play by the rules of human behavior and get buy-in, be diplomatic, and all that; but so does everyone else. In a corporation, the moment they get bored of the game, they start ignoring you, then realize you're impossible to ignore and start complaining to management; in Congress, they have to let you talk, then deal with the Media telling the whole goddamned country what you said, and then they have to deal with their own constituents. You can actually keep pushing on the issues that need to be pushed when doing so can get you buy-in, without worrying that one or two of the people you're never going to win over will call your manager to complain.
If you want to do that but you aren't going for officer of some legislative body, go for officer of some hilariously fucked-up corporation. If you want to be boring, get a job somewhere that doesn't need you to straighten their shit out.
Nah, I'm campaigning basically all the time. Net Neutrality is actually a difficult issue because it's like... should we have a law against murder?... yes, what the hell do you even say to that? The policy position on Net Neutrality is pretty much "Yes, this is important." It's really hard to articulate why it's important (all of the points for it are sort of weak and fuzzy, yet the only points against it are that some businesses can strangle the market and impede progress so as to avoid having to function in that new, more-demanding market).
The best I've got is that the invisible hand of the market is self-serving (this is a good thing) and so large, powerful players will uniformly remove choice and leave consumers with a false choice (this is a bad thing, hence why the invisible hand needs to be forced away from the forbidden paths, even though it's best left to figure out itself the best path to traverse otherwise and the best way to traverse said path).
I don't buy it. She's been in technical positions for a long while and the only black spot on her record is she strongly defended cloud computing by talking about both the new opportunities to offload many of the security concerns to the provider (who can do it better) and to institute new security controls (because cloud computing lets you fuck up royally if you really want to). What shot down Equifax? A simple, traditional failure to patch a vulnerable piece of software--cloud, local bare metal, or VM.
If they had been using e.g. Edge Hosting in Baltimore to host their custom application, this would have never happened. Edge Hosting leverages AWS and all that in the back-end; they provide security in front of all that with a lot of Trend Micro stuff (IPS, firewalls, etc.) as well as good use of AWS infrastructure. You tell them what your custom application does, their engineers work with you to figure on how to make it run, they handle the administrative work of keeping it running, you give them code updates. They track security vulnerabilities, write automation scripts to deploy them across all assets for all of their clients, do rounds of test releases, and then push them out.
A cloud hosting provider like that would have been proactive in moving to protect all customers from a threat--something Mauldin believed was a great new opportunity while everyone was decrying cloud computing as an enormous mistake for anyone who doesn't want to lose control over their data and their security.
Instead, Equifax's own administrators were responsible for managing their own software. They got behind in patching. This isn't a CISO-level mistake; this is an operational problem. CISO-level mistakes are broad, overarching strategy problems, and apparently their broad, overarching strategy let them sail along happily while Home Depot, Target, Sony, and Ashley Madison got hacked repeatedly over the past decade. One tiny, tiny breach and their entire database gets sucked out the pinhole.
What could Mauldin have done in the past three years to cause this kind of failure of security--the simplest kind of neglect way down at the administrative level, where somebody didn't get around to putting in a patch? I doubt she cut down the company's patching policy from "Patches must be deployed by $RULES" to "Whatever, patch when you get around to it." The smoking gun is apparently that she has a degree in music, and so must be incompetent.
Mauldin kind of scrubbed herself from the Internet and made her LinkedIn profile private after the breach. She has given interviews in which she discussed at length the evolution of the CISO role from a simple evolution of InfoSec engineering to a broad strategic role of organizational risk management.
Thing is, I'm good on risk management—a lot better than most professionals in my field, because risk is a broad topic that doesn't just include things like security vulnerabilities and e-mail spoofing but rather an entire operational process of qualitative analysis from individual and organizational experience, identification of qualitatively important risk, ranking of the probability (frequency of occurrence) and severity (cost) of those risks, and registering of risks and their mitigations and contingencies. Risk is a huge component of project management and even has its own business component (yes, you can have a Chief Risk Officer) which tracks risks such as market opportunities and threats to business operations.
I'm also pretty decent with infosec stuff because I can take an adversarial position using both my technology background and my risk management background. I understand the practices and the products in place--firewalls, intrusion detection systems, things like Cisco AMP which track file movement through a network and look for anomalies, vulnerability management, patch management, password controls, encryption, the like--just fine. None of that bothers me.
What I never got was theory.
If you start talking about the deep computer science theory and the modeling structures behind risks, you lose me. Quickly. I understand role-based access control; I've also read the published standard for role-based access control, and the damned thing is full of discrete math and high-level mathematical concepts that I just don't grasp. You need a dual bachelor's in mathematics and compsci to be in that stuff. What I understand is simple: users should be attached to roles; roles should grant permissions; and the granting of roles as such assures that we don't grant you permissions which you don't need AND that you don't simultaneously have permissions which circumvent security controls (we can notate which combinations of roles create conflicts of interests).
I'm like that with compsci in general. For example: modern compilers build programs such that anything with an on-stack buffer or an alloca() call gets a canary value generated from a random value (picked at process initialization) XOR against the return pointer on the stack, requiring a complicated read, compute, and rewrite of two pieces of data (you can't just start writing above the canary to avoid clobbering it) to pull off a stack-based buffer overflow. I don't fully grasp how the random devices generate random data--there are data sources and algorithms, e.g. some shove it through a PRNG or through AES as a PRNG--and I sure as hell don't understand the compiler's parser or its optimizer (these days, optimizers operate on a static single assignment tree, which is at least approachable if you want to learn how they work).
The stack is a protected area anyway: can't execute it as code. You can even achieve this on a 486-SX if you want: just mark the Read[=execute]-Write pages as SUPERVISOR and have the kernel force a DTLB load when something tries to read/write the page. When you continue the program, the MMU will check the data translation lookaside buffer and say, "Oh, this is data pointed at [physical page]." It doesn't cause a fault until you try to execute the page, or until it falls out of the DTLB cache. If you try to execute it, it's not in the ITLB (instruction TLB), and the kernel looks at the general protection fault and just kills the program for attempting to execute a non-executable page.
... I was more interested in computer innards and easy-to-follow logic than piles and piles of mathematics and complex theory. I'm more engineer than scientist.
A recuperating CAES setup is far superior to battery storage: Far less cost--as in city-scale battery storage cost over 300x what the two leading-edge technology CAES stations cost per megawatt hour stored, while the CAES had better power output. Not bad for technology that's not exactly new, but is just barely entering real-world deployment. Thing is, you can get a Tesla powerwall battery pack up and running in an hour; you can't get a city-scale CAES installation running in less than a year.
No, they don't generate electricity; neither does a diesel generator that's run out of fuel. You're going to have trouble keeping the power on, overgenerating and not using, wasting fuel, and the like. You're going to have trouble with the power going out because you're low on fuel. You're going to have trouble with solar and wind not always supplying steady power, even though we can stand either up in a day. The big-ass batteries solve that.
If they rebuild PR's power grid on some large solar-wind installation, maybe we can reclaim the batteries and get them a CAES installation later. Whatever. Point is it works now and gives us a quick way to make unstable power more stable.
I don't know. I need to answer for the things I say, so I'm even shy of simplifying claims about complex processes because they can imply odd things in simplified form.
I structured the Universal Benefit in my Universal Social Security framework as a dividend from the economy: every adult holds one equal share in the United States economy, and receives an equal proportion of the Universal Benefit’s tax rate—which I’ve proposed at 15%.
Although the taxes are higher than I'd hoped. I've got plans for that, too:
Minimum Rate — The rate resulting in a benefit half-way between the CPI-adjusted cost-of-living increase, and no lower than 10%; [...]
[...]If the Minimum Rate is above the current Universal Benefit tax rate, then the Social Security Administration must not adjust the Universal Benefit tax rate.[...]
[...]The Social Security Administration may, at its discretion, reduce the Universal Benefit tax rate by any rate between the Mandatory Minimum Adjustment and that which achieves the Minimum Rate. For example: if the Minimum Rate is 14.9%, coming from 15%, then the Social Security Administration may set any rate between 14.975% and 14.9%.
That will eventually lower the tax rate (at every tax bracket and on businesses) by 5%, and it will guarantee at least half of the productivity growth distributed without adjustment in any given year is distributed after adjustment. I need to stipulate that the COLA figure is continuous across years without adjustment: if the economy is down and COLA is higher than the benefit, then the next year's COLA is based on the current year's COLA figure and not on the current year's actual benefit. We rebase to the actual benefit when the economy catches back up--when the benefit exceeds the cumulative COLA.
The whole idea is to make sure no reduction in tax rate results in a reduction in buying power of the benefit year to year--the buying power must always grow. Americans deserve a fair share of productivity gains; after all, we gain productivity by laying people off, and don't we owe you compensation for the risk?
I'm running for election in my own district. Going to meet with the Young Democrats Club tomorrow evening, although they have a speaker already; trying to get more Facebook likes and more than two Crowdpac donations (or they can write checks). After a month I have over a hundred followers, two donations, and I'm starting to run into strangers on the street who recognize my name.
One of my early acts as a Representative in the Congress of the United States will be to meet with FCC representatives to discuss the structuring of a Net Neutrality bill, charging the Commission with protecting Net Neutrality and leaving the details of how to do so up to the Commission. The language must be clear enough that operating in bad faith against the principles of Net Neutrality will make the Commissioners and Chair liable for impeachment.
Actually, the cost of the infrastructure to protect against this is likely under two million dollars if done correctly. The consumer devices would total $2.844 billion at $18 per consumer, although many of us like the $50 YubiKey 4 devices (these each store thousands of FIDO U2F credentials).
It would take maybe 4 months of a single $120,000 programmer's time to integrate FIDO security with a CRA's Web-based authentication platform, or $40k per CRA (the change is something our own programming team here would implement in a couple days and spend a couple weeks testing). The banks literally need a $6 USB cable at each teller to connect to a FIDO device.
With 94,725 bank branches and $6 USB cables at each of three teller stations, you're talking about $1,705,050 of cables. Each teller is sitting in front of a computer already, and they're using Web-based applications to navigate accounts these days. Add the $40k per CRA and you've got $1,825,050. That leaves $174,950, plus any bulk discounts the banks get on cables, to leverage additional programmer time for more QA on the back-end.
Do note that the CRAs aren't the only ones who need software changes: the banks need their online banking forms and other automated software to pass the FIDO challenge through to the client as well, or else the CRAs need an app that lets you authorize a hard credit check via FIDO over a side channel (a likely initial transition). Still, we can get there with just changes to the CRA software on their end, and with an opt-in transition period where you can but aren't required to force each CRA to deny any hard credit check that doesn't get a FIDO authentication from you (the CRAs must do so if requested).
Training for this takes about 15 minutes and, let's face it, we can fit that into the downtime the tellers have during the slow periods. We can make that zero cost.
Identity theft cost $16,000,000,000 in 2016, versus $2,000,000 of one-time bare-minimum infrastructure costs and $2,844,000,000 of one-time consumer-end costs. The devices themselves are rugged and can last over a decade (because of their duty cycle--plugged in only when in use--they should be able to last longer than you), but let's say four years. That's $711,000,000 per year: identity theft costs 22.5 times as much. If people didn't lose their physical security devices or drop them in the toilet more frequently than an average once per ten years, it'd be $284,000,000 per year or 1/56 the cost of identity theft.
Note that these devices have practical use otherwise, as easy 2FA on your Google and Facebook accounts. They're a type of thing consumers might actually buy and use anyway (consumers DO actually buy and use them, just not on the scale I describe).
So, yeah, I am preparing an act of Congress to hit the House floor the moment I begin my term.
I've just been having a slight amount of trouble getting contributions to my campaign, and am running entirely on my own time and money--I estimate I can fund maybe half what I need in the extreme, but only am going in about 1/4 (and it's accounted as a loan, so if my campaign is far over-funded I can withdraw what I've contributed from whatever contributions remain at the end--so if people give me a million dollars, in the end, they're helping pay for my house as well as my Congressional victory. I make no apology for this; the campaign comes first).
Well. I've been at this for a month, too, so there's that. It's not even election season.
They've been around since 1899 and this is the first major breach. A huge legacy company that went to Internet-based services, and this is their first major breach. That's pretty amazing.
You won't get perfect security. Everything that allows access into itself will get hacked.
Equifax gets hacked, but you have a hardware device which Equifax uses to identify you? That device doesn't share a secret, but instead accepts a challenge and returns a response signed using a non-revealed private key? Well, looks like the hacker got nothing they can use to positively identify themselves to you.
Hacker may have changed the public keys associated with your account? Okay, drop all public keys, tell all users they can't open new credit accounts until they walk into their bank and physically present identification so the bank can re-associate their hardware FIDO device to Equifax, TransUnion, and Experian.
Done. It'll get hacked to hell and it won't matter much. You have to hack the FIDO device, which has a much smaller attack surface, a narrow window of attack (only when it's plugged in), and is generally difficult to actually attack anyway. It's such a small amount of code you can actually make it provably secure--you can make every interaction possible defined. Hacking or stealing the FIDO device gets you ONE person's key, and they can call in to their bank and have that canceled.
The likelihood of an actual attack is near-zero, and the severity is near-zero because your contingency is you call your bank and cancel your trusts with the CRAs and then everything except opening new credit accounts works until you walk into a bank and re-establish trust.
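The challenge-response argument in the comment above, worked through as an added example (this is not the commenter's code, nor any real CRA's or FIDO vendor's implementation): an Ed25519 key pair stands in for the device key, the relying party stores only public keys and a signature counter, and the "breach" is the attacker obtaining that whole table. The names `cra.example`, `alice`, `Authenticator`, `RelyingParty`, `Respond`, `Verify`, `RevokeAll` and `BreachScenario` are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// randBytes draws n bytes from the CSPRNG; a failure there is treated as fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Authenticator models a FIDO-style hardware key: the private key never leaves it.
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32 // monotonic signature counter, used to detect replays and clones
}

// NewAuthenticator generates the key pair "inside the device" (example stand-in).
func NewAuthenticator() *Authenticator { return &Authenticator{priv: ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize))} }

// PublicKey is all the device hands over at registration.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// Respond signs (rpID || challenge || counter); binding the relying-party ID
// keeps a response meant for one CRA from being replayed at another.
func (a *Authenticator) Respond(rpID string, challenge []byte) ([]byte, uint32) {
	a.counter++
	return ed25519.Sign(a.priv, signedData(rpID, challenge, a.counter)), a.counter
}

func signedData(rpID string, challenge []byte, counter uint32) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append([]byte(rpID), challenge...), ctr[:]...)
}

// registration is everything the relying party stores per user; a stolen copy
// of this table holds no secret that can produce a signature.
type registration struct {
	pub     ed25519.PublicKey
	counter uint32
}

// RelyingParty models a CRA that requires a signed approval before a hard check.
type RelyingParty struct {
	ID    string
	users map[string]registration
}

// Verify checks the signature against the stored public key, then rejects any
// counter that did not advance (a replayed or cloned response).
func (rp *RelyingParty) Verify(user string, challenge, sig []byte, counter uint32) error {
	reg, ok := rp.users[user]
	if !ok {
		return errors.New("no registered key for user")
	}
	if !ed25519.Verify(reg.pub, signedData(rp.ID, challenge, counter), sig) {
		return errors.New("bad signature")
	}
	if counter <= reg.counter {
		return errors.New("signature counter did not advance")
	}
	reg.counter = counter
	rp.users[user] = reg
	return nil
}

// RevokeAll is the contingency from the comment: drop every public key so
// nothing can be approved until users re-register their device in person.
func (rp *RelyingParty) RevokeAll() { rp.users = map[string]registration{} }

// BreachScenario: the real device passes; an attacker holding a full copy of
// rp.users fails with its own device and by replaying; after RevokeAll even
// the real device fails until re-registration.
func BreachScenario() (legit, forged, replayed, afterRevoke bool) {
	dev := NewAuthenticator()
	rp := &RelyingParty{ID: "cra.example", users: map[string]registration{}} // placeholder ID
	rp.users["alice"] = registration{pub: dev.PublicKey()}
	ch1 := randBytes(32) // fresh nonce per attempt
	sig1, ctr1 := dev.Respond(rp.ID, ch1)
	legit = rp.Verify("alice", ch1, sig1, ctr1) == nil
	// The breach: the attacker holds all of rp.users (public keys and counters)
	// and can do no better than sign with a device it controls.
	rogue := NewAuthenticator()
	ch2 := randBytes(32)
	sig2, ctr2 := rogue.Respond(rp.ID, ch2)
	forged = rp.Verify("alice", ch2, sig2, ctr2) == nil
	// Replaying alice's earlier response fails: wrong nonce, and a stale counter.
	replayed = rp.Verify("alice", ch2, sig1, ctr1) == nil
	rp.RevokeAll()
	ch3 := randBytes(32)
	sig3, ctr3 := dev.Respond(rp.ID, ch3)
	afterRevoke = rp.Verify("alice", ch3, sig3, ctr3) == nil
	return
}

func main() { fmt.Println(BreachScenario()) }
```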
The 3 might actually be my next car, since the Chevy Volt (2013) cost me $12,000 and the only other option for a nice upgrade is a Bolt or a 2017 Chevy Volt. The single advantage the Volt has over the 3 is its horrible value-holding, meaning I can get a 2017 in 2019 or so for maybe $15k in near-new condition.
Security keys can't be duplicated. They're made with military-grade hardware that costs like $5 and resists fault injections and physical assault, so retrieving the key is impossible with current technology.
I recommended the same thing for identity theft (YouTube). That involves legislation allowing regulation which drives the current consumer-grade (i.e. affordable) technology into requirement without requiring an act of Congress every time the current technology becomes obsolete and vulnerable.
Where's the Maryland Senator stand on this? I'm not running for Senate (my primary policy interests fall on the House Ways and Means Committee--yes that is an insane amount of power), just curious.
That's the thing: everyone thinks their pet project is going to be super-popular for some reason, without considering the stakeholders. If you want the whole world to use it, then the whole world is your stakeholders.
Occasionally you see this mentality leak when people mention end users being too stupid to know what's good for them and so sticking to Windows (check out RMS). You also see people try to factor the stakeholders in with things like Wine, XPDE, Steam for Linux, and even the installers that boot from Windows instead of repartitioning your disk (low-risk). Nobody's trying to get buy-in in general.
Hell it's about time. I put this up as soon as this happened. FIDO is the way to go for validation.
Yeah well, nobody up there is doing it right.
Nah I'm campaigning basically all the time. Net Neutrality is actually a difficult issue because it's like... should we have a law against murder? ... yes, what the hell do you even say to that? The policy position on Net Neutrality is pretty much "Yes, this is important." It's really hard to articulate why it's important (all of the points for it are sort of weak and fuzzy, yet the only points against it are that some businesses can strangle the market and impede progress so as to avoid having to function in that new, more-demanding market).
The best I've got is that the invisible hand of the market is self-serving (this is a good thing) and so large, powerful players will uniformly remove choice and leave consumers with a false choice (this is a bad thing, hence why the invisible hand needs to be forced away from the forbidden paths, even though it's best left to figure out itself the best path to traverse otherwise and the best way to traverse said path).
In the English language, "Will" is the future-tense of "am". The past tense is "has" or "have".
I don't buy it. She's been in technical positions for a long while and the only black spot on her record is she strongly-defended cloud computing by talking about both the new opportunities to offload many of the security concerns to the provider (who can do it better) and to institute new security controls (because cloud computing lets you fuck up royally if you really want to). What shot down Equifax? A simple, traditional failure to patch a vulnerable piece of software--cloud, local bare metal, or VM.
If they had been using e.g. Edge Hosting in Baltimore to host their custom application, this would have never happened. Edge Hosting leverages AWS and all that in the back-end; they provide security in front of all that with a lot of Trend Micro stuff (IPS, firewalls, etc.) as well as good use of AWS infrastructure. You tell them what your custom application does, their engineers work with you to figure on how to make it run, they handle the administrative work of keeping it running, you give them code updates. They track security vulnerabilities, write automation scripts to deploy them across all assets for all of their clients, do rounds of test releases, and then push them out.
A cloud hosting provider like that would have been proactive in moving to protect all customers from a threat--something Mauldin believed was a great new opportunity while everyone was decrying cloud computing as an enormous mistake for anyone who doesn't want to lose control over their data and their security.
Instead, Equifax's own administrators were responsible for managing their own software. They got behind in patching. This isn't a CISO-level mistake; this is an operational problem. CISO-level mistakes are broad, overarching strategy problems, and apparently their broad, overarching strategy let them sail along happily while Home Depot, Target, Sony, and Ashley Madison got hacked repeatedly over the past decade. One tiny, tiny breach and their entire database gets sucked out the pinhole.
What could Mauldin have done in the past three years to cause this kind of failure of security--the simplest kind of neglect way down at the administrative level, where somebody didn't get around to putting in a patch? I doubt she cut down the company's patching policy from "Patches must be deployed by $RULES" to "Whatever, patch when you get around to it." The smoking gun is apparently that she has a degree in music, and so must be incompetent.
Mauldin kind of scrubbed herself from the Internet and made her LinkedIn profile private after the breach. She has given interviews in which she discussed at length the evolution of the CISO role from a simple evolution of InfoSec engineering to a broad strategic role of organizational risk management.
Thing is, I'm good on risk management—a lot better than most professionals in my field, because risk is a broad topic that doesn't just include things like security vulnerabilities and e-mail spoofing but rather an entire operational process of qualitative analysis from individual and organizational experience, identification of qualitatively-important risk, ranking of the probability (frequency of occurrence) and severity (cost) of those risks, and registering of risks and their mitigations and contingencies. Risk is a huge component of project management and even has its own business component (yes, you can have a Chief Risk Officer) which tracks risks such as market opportunities and threats to business operations.
I'm also pretty decent with infosec stuff because I can take an adversarial position using both my technology background and my risk management background. I understand the practices and the products in place--firewalls, intrusion detection systems, things like Cisco AMP which track file movement through a network and look for anomalies, vulnerability management, patch management, password controls, encryption, the like--just fine. None of that bothers me.
What I never got was theory.
If you start talking about the deep computer science theory and the modeling structures behind risks, you lose me. Quickly. I understand role-based access control; I've also read the published standard for role-based access control, and the damned thing is full of discrete math and high-level mathematical concepts that I just don't grasp. You need a dual bachelor's in mathematics and compsci to be in that stuff. What I understand is simple: users should be attached to roles; roles should grant permissions; and the granting of roles as such assures that we don't grant you permissions which you don't need AND that you don't simultaneously have permissions which circumvent security controls (we can notate which combinations of roles create conflicts of interests).
I'm like that with compsci in general. For example: modern compilers build programs such that anything with an on-stack buffer or an alloca() call gets a canary value generated from a random value (picked at process initialization) XOR against the return pointer on the stack, requiring a complicated read, compute, and rewrite of two pieces of data (you can't just start writing above the canary to avoid clobbering it) to pull off a stack-based buffer overflow. I don't fully-grasp how the random devices generate random data--there are data sources and algorithms, e.g. some shove it through a PRNG or through AES as a PRNG--and I sure as hell don't understand the compiler's parser or its optimizer (these days, optimizers operate on a static single assignment tree, which is at least approachable if you want to learn how they work).
The stack is a protected area anyway: can't execute it as code. You can even achieve this on a 486-SX if you want: just mark the Read[=execute]-Write pages as SUPERVISOR and have the kernel force a DTLB load when something tries to read/write the page. When you continue the program, the MMU will check the data translation lookaside buffer and say, "Oh, this is data pointed at [physical page]." It doesn't cause a fault until you try to execute the page, or until it falls out of the DTLB cache. If you try to execute it, it's not in the ITLB (instruction TLB), and the kernel looks at the general protection fault and just kills the program for attempting to execute a non-executable page.
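The user-to-role-to-permission structure and the "combinations of roles that create conflicts of interest" idea from the comment above, as an added Go example that is not part of the original comment and is not taken from the RBAC standard's own text: a small policy store in which permissions are reachable only through roles, and a declared pair of mutually exclusive roles (the static separation-of-duty constraint of the ANSI/NIST RBAC standard) is enforced when a role is assigned. The payment roles, permission names and user names are constructed for the demonstration.

```go
package main

import "fmt"

type Role string
type Permission string

// RBAC keeps the three relations the comment describes: users hold roles,
// roles grant permissions, and some role pairs are declared mutually exclusive
// (the static separation-of-duty constraint of the ANSI/NIST RBAC standard).
type RBAC struct {
	rolePerms map[Role]map[Permission]bool
	userRoles map[string]map[Role]bool
	exclusive map[Role]map[Role]bool
}

func NewRBAC() *RBAC {
	return &RBAC{
		rolePerms: map[Role]map[Permission]bool{},
		userRoles: map[string]map[Role]bool{},
		exclusive: map[Role]map[Role]bool{},
	}
}

// Grant attaches a permission to a role. There is deliberately no API that
// attaches a permission to a user directly.
func (r *RBAC) Grant(role Role, p Permission) {
	if r.rolePerms[role] == nil {
		r.rolePerms[role] = map[Permission]bool{}
	}
	r.rolePerms[role][p] = true
}

// Exclude records that no user may hold both a and b at the same time.
func (r *RBAC) Exclude(a, b Role) {
	if r.exclusive[a] == nil {
		r.exclusive[a] = map[Role]bool{}
	}
	if r.exclusive[b] == nil {
		r.exclusive[b] = map[Role]bool{}
	}
	r.exclusive[a][b] = true
	r.exclusive[b][a] = true
}

// Assign gives user a role, refusing if the user already holds a conflicting one.
func (r *RBAC) Assign(user string, role Role) error {
	if _, ok := r.rolePerms[role]; !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	for held := range r.userRoles[user] {
		if r.exclusive[role][held] {
			return fmt.Errorf("%s already holds %q, which conflicts with %q", user, held, role)
		}
	}
	if r.userRoles[user] == nil {
		r.userRoles[user] = map[Role]bool{}
	}
	r.userRoles[user][role] = true
	return nil
}

// Allowed answers the access question by walking user -> roles -> permissions;
// a user with no roles gets nothing.
func (r *RBAC) Allowed(user string, p Permission) bool {
	for role := range r.userRoles[user] {
		if r.rolePerms[role][p] {
			return true
		}
	}
	return false
}

// PaymentPolicy is a constructed example: whoever submits a payment must not be
// able to approve it, so the two roles are mutually exclusive.
func PaymentPolicy() *RBAC {
	r := NewRBAC()
	r.Grant("requester", "payment:submit")
	r.Grant("approver", "payment:approve")
	r.Grant("auditor", "ledger:read")
	r.Exclude("requester", "approver")
	return r
}

func main() {
	r := PaymentPolicy()
	fmt.Println(r.Assign("alice", "requester")) // <nil>
	fmt.Println(r.Assign("alice", "approver"))  // conflict error
	fmt.Println(r.Assign("bob", "approver"))    // <nil>
	fmt.Println(r.Allowed("alice", "payment:submit"), r.Allowed("alice", "payment:approve")) // true false
}
```

The design choice worth noticing is that `Assign` is the only place the conflict table is consulted: because a permission can never be attached to a user except through a role, refusing the conflicting assignment is enough to guarantee no user ever ends up holding both halves of the separated duty.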
Honestly, it's power storage.
A recuperating CAES setup is far-superior to battery storage: Far less cost--as in city-scale battery storage cost over 300x what the two leading-edge technology CAES stations cost per megawatt hour stored, while the CAES had better power output. Not bad for technology that's not exactly new, but is just barely entering real-world deployment. Thing is you can get a Tesla Powerwall battery pack up and running in an hour; you can't get a city-scale CAES installation running in less than a year.
No, they don't generate electricity; neither does a diesel generator that's run out of fuel. You're going to have trouble keeping the power on, overgenerating and not using, wasting fuel, and the like. You're going to have trouble with the power going out because you're low on fuel. You're going to have trouble with solar and wind not always supplying steady power, even though we can stand either up in a day. The big ass batteries solve that.
If they rebuild PR's power grid on some large solar-wind installation, maybe we can reclaim the batteries and get them a CAES installation later. Whatever. Point is it works now and gives us a quick way to make unstable power more-stable.
Uhhhhh, the plural of anecdote is data. Where do you think data comes from?
I don't know. I need to answer for the things I say, so I'm even shy of simplifying claims about complex processes because they can imply odd things in simplified form.
Then again, I'm an odd sort for a politician.
Well, we could have a share of ownership.
I structured the Universal Benefit in my Universal Social Security framework as a dividend from the economy: every adult holds one equal share in the United States economy, and receives an equal proportion of the Universal Benefit’s tax rate—which I’ve proposed at 15%.
Although the taxes are higher than I'd hoped. I've got plans for that, too:
Minimum Rate — The rate resulting in a benefit half-way between the CPI-adjusted cost-of-living increase, and no lower than 10%; [...]
[...]If the Minimum Rate is above the current Universal Benefit tax rate, then the Social Security Administration must not adjust the Universal Benefit tax rate.[...]
[...]The Social Security Administration may, at its discretion, reduce the Universal Benefit tax rate by any rate between the Mandatory Minimum Adjustment and that which achieves the Minimum Rate. For example: if the Minimum Rate is 14.9% coming from 15%, then the Social Security Administration may set any rate between 14.975% and 14.9%.
That will eventually lower the tax rate (at every tax bracket and on businesses) by 5%, and it will guarantee at least half of the productivity growth distributed without adjustment in any given year is distributed after adjustment. I need to stipulate that the COLA figure is continuous across years without adjustment: if the economy is down and COLA is higher than the benefit, then the next year's COLA is based on the current year's COLA figure and not on the current year's actual benefit. We rebase to the actual benefit when the economy catches back up--when the benefit exceeds the cumulative COLA.
The whole idea is to make sure no reduction in tax rate results in a reduction in buying power of the benefit year to year--the buying power must always grow. Americans deserve a fair share of productivity gains; after all, we gain productivity by laying people off, and don't we owe you compensation for the risk?
I'm running for election in my own district. Going to meet with the Young Democrats Club tomorrow evening, although they have a speaker already; trying to get more Facebook likes and more than two Crowdpac donations (or they can write checks). After a month I have over a hundred followers, two donations, and I'm starting to run into strangers on the street who recognize my name.
2018 is going to be an interesting year.
One of my early acts as a Representative in the Congress of the United States will be to meet with FCC representatives to discuss the structuring of a Net Neutrality bill, charging the Commission with protecting Net Neutrality and leaving the details of how to do so up to the Commission. The language must be clear enough that operating in bad faith against the principles of Net Neutrality will make the Commissioners and Chair liable for impeachment.
Actually, the cost of the infrastructure to protect against this is likely under two million dollars if done correctly. The consumer devices would total $2.844 billion at $18 per consumer, although many of us like the $50 YubiKey 4 devices (these each store thousands of FIDO U2F credentials).
It would take maybe 4 months of a single $120,000 programmer's time to integrate FIDO security with a CRA's Web-based authentication platform, or $40k per CRA (the change is something our own programming team here would implement in a couple days and spend a couple weeks testing). The banks literally need a $6 USB cable at each teller to connect to a FIDO device.
With 94,725 bank branches and $6 USB cables at each of three teller stations, you're talking about $1,705,050 of cables. Each teller is sitting in front of a computer already, and they're using Web-based applications to navigate accounts these days. Add the $40k per CRA and you've got $1,825,050. That leaves $174,950, plus any bulk discounts the banks get on cables, to leverage additional programmer time for more QA on the back-end.
Do note that the CRAs aren't the only ones who need software changes: the banks need their online banking forms and other automated software to pass the FIDO challenge through to the client as well, or else the CRAs need an app that lets you authorize a hard credit check via FIDO over a side channel (a likely initial transition). Still, we can get there with just changes to the CRA software on their end, and with an opt-in transition period where you can but aren't required to force each CRA to deny any hard credit check that doesn't get a FIDO authentication from you (the CRAs must do so if requested).
Training for this takes about 15 minutes and, let's face it, we can fit that into the downtime the tellers have during the slow periods. We can make that zero cost.
Identity theft cost $16,000,000,000 in 2016, versus $2,000,000 of one-time bare-minimum infrastructure costs and $2,844,000,000 of one-time consumer-end costs. The devices themselves are rugged and can last over a decade (because of their duty cycle--plugged in only when in use--they should be able to last longer than you), but let's say four years. That's $711,000,000 per year: identity theft costs 22.5 times as much. If people didn't lose their physical security devices or drop them in the toilet more-frequently than an average once per ten years, it'd be $284,000,000 per year or 1/56 the cost of identity theft.
Note that these devices have practical use otherwise, as easy 2FA on your Google and Facebook accounts. They're a type of thing consumers might actually buy and use anyway (consumers DO actually buy and use them, just not on the scale I describe).
So, yeah, I am preparing an act of Congress to hit the House floor the moment I begin my term. I've just been having a slight amount of trouble getting contributions to my campaign, and am running entirely on my own time and money--I estimate I can fund maybe half what I need in the extreme, but only am going in about 1/4 (and it's accounted as a loan, so if my campaign is far over-funded I can withdraw what I've contributed from whatever contributions remain at the end--so if people give me a million dollars, in the end, they're helping pay for my house as well as my Congressional victory. I make no apology for this; the campaign comes first).
Well. I've been at this for a month, too, so there's that. It's not even election season.
I'm actually a systems security engineer and their music major CISO was way, way above my level on infosec knowledge.
They've been around since 1899 and this is the first major breach. A huge legacy company that went to Internet-based services, and this is their first major breach. That's pretty amazing.
You won't get perfect security. Everything that allows access into itself will get hacked.
The solution is to not do it that way.
Equifax gets hacked, but you have a hardware device which Equifax uses to identify you? That device doesn't share a secret, but instead accepts a challenge and returns a response signed using a non-revealed private key? Well, looks like the hacker got nothing they can use to positively identify themselves to you.
Hacker may have changed the public keys associated with your account? Okay, drop all public keys, tell all users they can't open new credit accounts until they walk into their bank and physically present identification so the bank can re-associate their hardware FIDO device to Equifax, TransUnion, and Experian.
Done. It'll get hacked to hell and it won't matter much. You have to hack the FIDO device, which has a much smaller attack surface, a narrow window of attack (only when it's plugged in), and is generally difficult to actually attack anyway. It's such a small amount of code you can actually make it provably-secure--you can make every interaction possible defined. Hacking or stealing the FIDO device gets you ONE person's key, and they can call in to their bank and have that canceled.
The likelihood of an actual attack is near-zero, and the severity is near-zero because your contingency is you call your bank and cancel your trusts with the CRAs and then everything except opening new credit accounts works until you walk into a bank and re-establish trust.
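The challenge-response flow argued for in the comment above, as an added Go example that is not from the original post and not taken from any FIDO implementation: a plain P-256 ECDSA key pair stands in for the hardware token (real U2F/FIDO2 adds origin binding, a signature counter and attestation, which this omits), the relying party stores public keys only, and the scenario checks the three things the comment claims: the genuine token authenticates, a replayed response does not, and someone holding a full copy of the relying party's database but no token cannot produce a valid response. The user name, the "CRA" database and the thief's key are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for the hardware token: the private key is generated
// on the device, never exported, and the only thing the device emits is a signature.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: k}, err
}

// Public is the half of the key pair handed to the relying party at registration.
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Respond signs the challenge; nothing secret leaves the device.
func (a *Authenticator) Respond(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty stands in for the CRA. Its database holds public keys only, so a
// dump of it gives an attacker nothing that can produce a valid response.
type RelyingParty struct {
	pubKeys map[string]*ecdsa.PublicKey // user -> registered public key
	issued  map[string][]byte           // user -> outstanding one-shot challenge
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]*ecdsa.PublicKey{}, issued: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// RevokeAll is the post's contingency: drop every key until it is re-associated in person.
func (rp *RelyingParty) RevokeAll() { rp.pubKeys = map[string]*ecdsa.PublicKey{} }

// Challenge issues a fresh random nonce and remembers it for exactly one use.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, fmt.Errorf("no key registered for %q", user)
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.issued[user] = c
	return c, nil
}

// Verify accepts a response only if it is a valid signature, by the registered
// key, over the challenge currently outstanding for that user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	want, ok := rp.issued[user]
	if !ok || !bytes.Equal(want, challenge) {
		return false
	}
	delete(rp.issued, user) // consumed: a captured response cannot be replayed
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(rp.pubKeys[user], digest[:], sig)
}

// Scenario runs the cases the post argues about and reports whether each one
// authenticated: the genuine token, a replayed response, and a thief who holds
// a full copy of the CRA database but no token.
func Scenario() (legit, replay, withStolenDB bool, err error) {
	token, err := NewAuthenticator()
	if err != nil { return }
	cra := NewRelyingParty()
	cra.Register("alice", token.Public())
	c, err := cra.Challenge("alice")
	if err != nil { return }
	sig, err := token.Respond(c)
	if err != nil { return }
	legit = cra.Verify("alice", c, sig)
	replay = cra.Verify("alice", c, sig) // the same pair presented a second time
	// The thief knows alice's public key but can only sign with a key of their own.
	thief, err := NewAuthenticator()
	if err != nil { return }
	c2, err := cra.Challenge("alice")
	if err != nil { return }
	forged, err := thief.Respond(c2)
	if err != nil { return }
	withStolenDB = cra.Verify("alice", c2, forged)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Two details carry the security argument. The challenge is consumed inside `Verify` before the signature is even checked, so a captured (challenge, response) pair is worthless a second time, and `Verify` binds the response to the challenge the server itself issued, so a signature over anything else is rejected regardless of who made it. Everything in `RelyingParty` can be copied wholesale by an attacker without giving them a way through `Verify`.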
The 3 might actually be my next car, since the Chevy Volt (2013) cost me $12,000 and the only other option for a nice upgrade is a Bolt or a 2017 Chevy Volt. The single advantage the Volt has over the 3 is its horrible value-holding, meaning I can get a 2017 in 2019 or so for maybe $15k in near-new condition.
USB-c FIDO keys.
Security keys can't be duplicated. They're made with military-grade hardware that costs like $5 and resists fault injections and physical assault, so retrieving the key is impossible with current technology.
I recommended the same thing for identity theft (YouTube). That involves legislation allowing regulation which drives the current consumer-grade (i.e. affordable) technology into requirement without requiring an act of Congress every time the current technology becomes obsolete and vulnerable.
Where's the Maryland Senator stand on this? I'm not running for Senate (my primary policy interests fall on the House Ways and Means Committee--yes that is an insane amount of power), just curious.
Bluetooth's transmission tower is like a meter from the receiver and has line-of-sight and digital error correction.
Who listens to the radio outside their car? Does anyone actually own a radio anymore?
That's the thing: everyone thinks their pet project is going to be super-popular for some reason, without considering the stakeholders. If you want the whole world to use it, then the whole world is your stakeholders.
Occasionally you see this mentality leak when people mention end users being too stupid to know what's good for them and so sticking to Windows (check out RMS). You also see people try to factor the stakeholders in with things like Wine, XPDE, Steam for Linux, and even the installers that boot from Windows instead of repartitioning your disk (low-risk). Nobody's trying to get buy-in in general.