Just a geek who lives in Olympia, WA with my wife, son, and animals, writing fiction that he hopes will make the world a better place someday.

Political Appeal and Innumeracy


U.S. federal spending in 2016 was roughly $4 trillion, and revenues were slightly over $3.4 trillion, leaving a deficit of around $600 billion. Out of total spending, $2.6 trillion was mandatory spending on programs such as Social Security, Medicare, and Medicaid. Spending on these programs cannot be cut without major changes in federal law, and since 77% of all Americans oppose such cuts, it’s highly unlikely that major cuts will occur any time soon. Add to that some $260 billion in mandatory interest payments on the federal debt, and essentially 72% of federal spending cannot be effectively cut, at least at present. That leaves $1.1 trillion in discretionary spending, that is, spending that Congress can increase or decrease from year to year.

Unhappily, the vast majority of Americans have no real understanding of even these basic numbers, especially Fox News viewers, 49% of whom declared in a recent poll that cutting “waste and fraud” would eliminate “the national debt” [which now stands at $14.4 trillion]. A number of polls over the years have shown that most Americans believe that 25% of the federal budget goes to foreign aid [it’s less than one percent], and that five percent of all federal spending goes to PBS and NPR [in fact, roughly a tenth of one percent does].

The real numbers are more daunting. The largest component of discretionary spending is defense, and while the DOD “official” budget is slightly under $600 billion, various contingency funds and defense activities funded in other forms and by other agencies [for example, the Coast Guard is funded through the Department of Homeland Security] bring the total annual cost of U.S. defense much higher, as high as $900 billion according to some sources. But even assuming $600 billion for defense, that leaves $500 billion for everything else, including agriculture, energy, education, transportation, federal lands management, national parks, environmental protection, veterans benefits, welfare payments, and a whole lot more.

Trump’s proposed tax cut would reduce federal revenues by $500 billion, according to the Tax Foundation, on top of that $600 billion deficit. So even if he could persuade Congress to cut non-defense discretionary spending by 50%, in essence gutting most federal agencies, the deficit would increase to nearly $900 billion, and that doesn’t count the additional infrastructure spending he’s proposed, which initial estimates put at $500 billion to over a trillion dollars over ten years, or $50 billion to $100 billion a year.

Proponents of the Trump plans claim that all the new investment and jobs will increase tax revenues, and some probably will, but not anywhere close to enough to deal with the federal deficit that increases the national debt – and the interest that must be paid on it – each year.

Based on a 2014 study by Standard & Poor’s, if Congress were to pass a $50 billion a year infrastructure bill, that legislation would create an additional 1.1 million jobs. Construction workers make an average of around $35,000 a year, and, under the best estimate of the Trump tax plan, those million workers would pay around $4,000 in federal income taxes each, thus adding up to an additional $4.5 billion. Economists like to point to the multiplier effect, i.e., how many additional jobs are created by one new job. According to the IMF, under present conditions, the multiplier effect is hovering around one: one additional job created somewhere in the economy for each new job created by investment. So fifty billion dollars of infrastructure investment might create somewhere over two million jobs and possibly add $10 billion in tax revenues while costing $50 billion. Even if the multiplier effect is five times as much as the IMF says, the infrastructure proposal is at best a break-even proposition, and, as such, might be a good idea. BUT it won’t do much for reducing the current deficit, let alone the increase in the deficit that will be occurring as a result of more federal spending on defense, and the likely coming increase in interest rates.

The other bottleneck in increasing jobs is the mismatch between available workers and the available jobs. According to research from human resources consultancy Randstad Sourceright, a survey of more than 400 U.S. executives found a skills gap impacting their businesses. Four-fifths of those executives said that a shortage of sufficiently skilled workers will affect their companies in the next 12 months. Complaints of hard-to-fill factory jobs are backed up by Bureau of Labor Statistics data: 324,000 manufacturing spots were open in November, up from 238,000 a year earlier.

Another problem that the Trump approach doesn’t address is that jobs creation isn’t equal. Right now, employees of high-tech companies receive almost 12% of all employee compensation, but there are only seven million of them and the average salary is close to $105,000, more than double the salary of the average industrial or manufacturing employee, or triple that of a construction worker. In addition, the tech industries are only adding about 200,000 employees a year. That doesn’t do much for the nearly 15 million unemployed or underemployed Americans, or the roughly three million college graduates each year. The largest numbers of jobs are in the lower paid service industries, and all the investment money putatively freed up by the tax cuts will be going to tech-heavy companies, and those jobs comprise less than 5% of total U.S. employment.

Massive tax cuts, more defense spending, a major infrastructure initiative… all to be paid for by new jobs and cuts in such federal programs as PBS, NPR, the Endowments for the Arts and Humanities, foreign aid, and the like? The numbers don’t add up, even if the political appeal does, perhaps because most Americans don’t seem to understand the numbers, or care to.


WSTC Seeking Input Through 1/18

Here's an opportunity to have your voice heard:
The Washington State Transportation Commission would like to get your input on how our transportation system is working and ways to improve it. The survey is open until January 18. It includes questions about priorities for funding, like bigger highways vs. bike/ped infrastructure, and takes just a few minutes to complete.

Deck the halls with neoliberal capitalism!


Grunt Work


Last week one of my readers posted election turnout statistics, which revealed an interesting pattern – that Republican voters turned out with about the same numbers in every presidential election over the last twelve years, but that Democratic votes varied dramatically, apparently based on the “appeal” of the candidate, and particularly the appeal to African-Americans.

But it wasn’t just candidate appeal that affected turnout. With the Supreme Court recently upholding lawsuits that restricted the ability of the Justice Department to monitor state election procedures, a number of states “consolidated” polling locations and reduced voting hours, and such restrictions have been shown to reduce minority voter turnout far more than Republican turnout, which is exactly what they were designed to do.

Such state acts have so far been held to be legal, but I’d hold that they’re scarcely moral, not that morality counts in elections. Only votes do.

And that gets down to the bottom line. Republicans have been working hard for years on a state-level strategy designed to create a political system more to their liking. They’ve gerrymandered Congressional districts so that Democratic voters are concentrated in fewer districts, which is the principal reason why the House of Representatives is overwhelmingly Republican. What also tends to get overlooked is that getting elected to the House gains an aspiring politician visibility and the ability to fundraise, and if there are more Republican representatives in a state’s delegation, then the Republicans have better odds of eventually electing more senators from that state.

What they’ve done is perfectly legal, but it takes time, effort, and money, all of which Republicans have, and have used effectively over the past decade and even longer, while much of the Democratic constituency is far shorter on all three.

The other factor is cultural change. Like it or not, we now live in a “celebrity” culture, and the key factor in celebrity is the ability to relate to people through the mass media. Bernie Sanders and Donald Trump could do this with their supporters, Hillary Clinton much less so.

In terms of the 2016 election, although it was far from obvious at the beginning, what this meant was that the Democrats were at what I’d call a structural disadvantage from the start, in that all the election-year “ground game” and organizational skills in the world would be hard-pressed to meet the Republican challenge without a “popular” candidate, and especially hard-pressed once they nominated Clinton.

What I’m saying is not an “excuse” for Democrats. What I’m saying is that Democrats have gotten out-organized, out-funded, and out-maneuvered. Democrats, and this includes others with the same concerns, such as the Black Lives Matter movement, have tended to focus on protests and lawsuits, but in the end votes count. No matter how necessary, or how worthy legal and political change may be, in our system that requires changing the laws. Changing the laws requires changing the lawmakers, and changing the lawmakers requires getting more votes at state and local levels… and working at that year after year after year, not just in an election year.
If you get enough votes, even the Electoral College comes your way.

And, as the old saying goes, the proof is in the pudding.


Regulation of the Internet of Things


Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, were as much a failure of market and policy as they were of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the "Internet of Things" and increased regulation of what are now critical and life-threatening technologies. It's no longer a question of if, it's a question of when.

First, the facts. Those websites went down because their domain name provider, a company named Dyn, was forced offline: the sites themselves kept running, but with Dyn's DNS servers unable to answer, browsers could no longer find them. We don't know who perpetrated that attack, but it could have easily been a lone hacker. Whoever it was launched a distributed denial-of-service attack against Dyn by exploiting a vulnerability in large numbers, possibly millions, of Internet-of-Things devices like webcams and digital video recorders, then recruiting them all into a single botnet. The botnet bombarded Dyn with traffic, so much that it went down. And when it went down, so did dozens of websites.

Your security on the Internet depends on the security of millions of Internet-enabled devices, designed and sold by companies you've never heard of to consumers who don't care about your security.

The technical reason these devices are insecure is complicated, but there is a market failure at work. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they're things like cars, home appliances, thermostats, lightbulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require. These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.

An additional market failure illustrated by the Dyn attack is that neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don't care. They wanted a webcam, or thermostat, or refrigerator, with nice features at a good price. Even after they were recruited into this botnet, they still work fine; you can't even tell they were used in the attack. The sellers of those devices don't care: They've already moved on to selling newer and better models. There is no market solution because the insecurity primarily affects other people. It's a form of invisible pollution.

And, like pollution, the only solution is to regulate. The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. It could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks. The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

It's true that this is a domestic solution to an international problem and that there's no U.S. regulation that will affect, say, an Asian-made product sold in South America, even though that product could still be used to take down U.S. websites. But the main costs in making software come from development. If the United States and perhaps a few other major markets implement strong Internet-security regulations on IoT devices, manufacturers will be forced to upgrade their security if they want to sell to those markets. And any improvements they make in their software will be available in their products wherever they are sold, simply because it makes no sense to maintain two different versions of the software. This is truly an area where the actions of a few countries can drive worldwide change.

Regardless of what you think about regulation vs. market solutions, I believe there is no choice. Governments will get involved in the IoT, because the risks are too great and the stakes are too high. Computers are now able to affect our world in a direct and physical manner.

Security researchers have demonstrated the ability to remotely take control of Internet-enabled cars. They've demonstrated ransomware against home thermostats and exposed vulnerabilities in implanted medical devices. They've hacked voting machines and power plants. In one recent paper, researchers showed how a vulnerability in smart lightbulbs could be used to start a chain reaction, resulting in them all being controlled by the attackers: that's every one in a city. Security flaws in these things could mean people dying and property being destroyed.

Nothing motivates the U.S. government like fear. Remember 2001? A small-government Republican president created the Department of Homeland Security in the wake of the Sept. 11 terrorist attacks: a rushed and ill-thought-out decision that we've been trying to fix for more than a decade. A fatal IoT disaster will similarly spur our government into action, and it's unlikely to be well-considered and thoughtful action. Our choice isn't between government involvement and no government involvement. Our choice is between smarter government involvement and stupider government involvement. We have to start thinking about this now. Regulations are necessary, important and complex, and they're coming. We can't afford to ignore these issues until it's too late.

In general, the software market demands that products be fast and cheap and that security be a secondary consideration. That was okay when software didn't matter; it was okay that your spreadsheet crashed once in a while. But a software bug that literally crashes your car is another thing altogether. The security vulnerabilities in the Internet of Things are deep and pervasive, and they won't get fixed if the market is left to sort it out for itself. We need to proactively discuss good regulatory solutions; otherwise, a disaster will impose bad ones on us.

This essay previously appeared in the Washington Post.


Decrypting an iPhone for the FBI


Earlier this week, a federal magistrate ordered Apple to assist the FBI in hacking into the iPhone used by one of the San Bernardino shooters. Apple will fight this order in court.

The policy implications are complicated. The FBI wants to set a precedent that tech companies will assist law enforcement in breaking their users' security, and the technology community is afraid that the precedent will limit what sorts of security features it can offer customers. The FBI sees this as a privacy vs. security debate, while the tech community sees it as a security vs. surveillance debate.

The technology considerations are more straightforward, and shine a light on the policy questions.

The iPhone 5c in question is encrypted. This means that someone without the key cannot get at the data. This is a good security feature. Your phone is a very intimate device. It is likely that you use it for private text conversations, and that it's connected to your bank accounts. Location data reveals where you've been, and correlating multiple phones reveals who you associate with. Encryption protects your phone if it's stolen by criminals. Encryption protects the phones of dissidents around the world if they're taken by local police. It protects all the data on your phone, and the apps that increasingly control the world around you.

This encryption depends on the user choosing a secure password, of course. If you had an older iPhone, you probably just used the default four-digit password. That's only 10,000 possible passwords, making it pretty easy to guess. If the user enabled the more-secure alphanumeric password, that means a harder-to-guess password.

Apple added two more security features to the iPhone. First, a phone could be configured to erase its data after too many incorrect password guesses. Second, it enforced a delay between password guesses. This delay isn't really noticeable by a user who types the wrong password once and then retypes the correct one, but it's a large barrier for anyone trying to guess password after password in a brute-force attempt to break into the phone.

But that iPhone has a security flaw. While the data is encrypted, the software controlling the phone is not. This means that someone can create a hacked version of the software and install it on the phone without the consent of the phone's owner and without knowing the encryption key. This is what the FBI, and now the court, is demanding Apple do: It wants Apple to rewrite the phone's software to make it possible to guess possible passwords quickly and automatically.
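To put numbers on the three paragraphs above, here is an added estimator (an illustration written for this page, not Apple's code and not part of the essay). It assumes roughly 80 ms of hardware cost per passcode attempt, the figure Apple's iOS Security Guide gives for the key derivation that is entangled with the device's hardware key, and reproduces the escalating lockout schedule from memory; both are marked as assumptions in the code. It shows why passcode length is what matters once the firmware no longer enforces the delays: the 5c's 10,000-passcode space falls in minutes at hardware speed, whereas the intact lockouts would stretch the same search past a year, and erase-after-10 would reduce it to a 1-in-1,000 gamble.

```python
"""Worst-case passcode-guessing time for an iPhone-style lock screen, with and
without the software-enforced delays and the erase-after-10 option.

Assumptions (not facts taken from the essay):
  * PER_GUESS_S: ~80 ms per attempt, the order of magnitude Apple cites for
    the hardware-entangled key derivation on devices of the 5c's generation.
  * DELAY_AFTER_FAILURES / DELAY_TAIL_S: the iOS lockout schedule as
    remembered; treat the exact values as illustrative.
"""

PER_GUESS_S = 0.080  # assumed hardware cost of one key-derivation attempt

# Assumed lockout (seconds) imposed after k consecutive wrong passcodes.
# Fewer than 5 failures: none.  9 or more failures: one hour each.
DELAY_AFTER_FAILURES = {5: 60, 6: 5 * 60, 7: 15 * 60, 8: 15 * 60}
DELAY_TAIL_S = 60 * 60
ERASE_AFTER_FAILURES = 10


def delay_after(failures: int) -> float:
    """Lockout paid after `failures` consecutive wrong guesses."""
    if failures < 5:
        return 0.0
    return float(DELAY_AFTER_FAILURES.get(failures, DELAY_TAIL_S))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of `length` symbols over the alphabet."""
    return alphabet_size ** length


def hardware_bound_seconds(n_guesses: int, per_guess_s: float = PER_GUESS_S) -> float:
    """Worst-case time once modified firmware has removed delay and erase:
    the attacker is limited only by the per-guess key-derivation cost."""
    return n_guesses * per_guess_s


def with_delays_seconds(n_guesses: int, per_guess_s: float = PER_GUESS_S) -> float:
    """Worst-case time with the software lockouts intact and erase disabled.
    The delay after failure k is paid before guess k+1, so the final
    (successful) guess incurs no delay.  Closed form, so large keyspaces
    do not require iterating every guess."""
    total = n_guesses * per_guess_s
    failures_paid = n_guesses - 1
    for k in range(1, min(failures_paid, 8) + 1):
        total += delay_after(k)
    if failures_paid > 8:
        total += (failures_paid - 8) * DELAY_TAIL_S
    return total


def success_probability_with_erase(n_keys: int,
                                   attempts: int = ERASE_AFTER_FAILURES) -> float:
    """With erase enabled and firmware untouched, the attacker gets at most
    `attempts` guesses before the data key is destroyed; against a uniformly
    chosen passcode the chance of success is attempts / keyspace."""
    return min(1.0, attempts / n_keys)


def report(label: str, alphabet_size: int, length: int) -> dict:
    """Summarise all three regimes for one passcode policy."""
    n = keyspace(alphabet_size, length)
    return {
        "label": label,
        "keyspace": n,
        "hardware_bound_hours": hardware_bound_seconds(n) / 3600,
        "with_delays_days": with_delays_seconds(n) / 86400,
        "p_success_with_erase": success_probability_with_erase(n),
    }


if __name__ == "__main__":
    policies = (("4-digit PIN", 10, 4),
                ("6-digit PIN", 10, 6),
                ("8-char lowercase+digits", 36, 8))
    for policy in policies:
        r = report(*policy)
        print(f"{r['label']:<24} keyspace={r['keyspace']:>16,d}  "
              f"hardware-bound={r['hardware_bound_hours']:>14,.1f} h  "
              f"with delays={r['with_delays_days']:>16,.0f} d  "
              f"P(success, erase on)={r['p_success_with_erase']:.1e}")
```

The interesting column is the first one: at hardware speed a 4-digit PIN is exhausted in under a quarter of an hour and a 6-digit PIN in under a day, while an 8-character lowercase-plus-digit passcode stays in the thousands of years even with every software protection stripped. That is the gap the essay's "set a longer passcode" advice is exploiting.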

The FBI's demands are specific to one phone, which might make its request seem reasonable if you don't consider the technological implications: Authorities have the phone in their lawful possession, and they only need help seeing what's on it in case it can tell them something about how the San Bernardino shooters operated. But the hacked software the court and the FBI wants Apple to provide would be general. It would work on any phone of the same model. It has to.

Make no mistake; this is what a backdoor looks like. This is an existing vulnerability in iPhone security that could be exploited by anyone.

There's nothing preventing the FBI from writing that hacked software itself, aside from budget and manpower issues. There's every reason to believe, in fact, that such hacked software has been written by intelligence organizations around the world. Have the Chinese, for instance, written a hacked Apple operating system that records conversations and automatically forwards them to police? They would need to have stolen Apple's code-signing key so that the phone would recognize the hacked software as valid, but governments have done that in the past with other keys and other companies. We simply have no idea who already has this capability.

And while this sort of attack might be limited to state actors today, remember that attacks always get easier. Technology broadly spreads capabilities, and what was hard yesterday becomes easy tomorrow. Today's top-secret NSA programs become tomorrow's PhD theses and the next day's hacker tools. Soon this flaw will be exploitable by cybercriminals to steal your financial data. Everyone with an iPhone is at risk, regardless of what the FBI demands Apple do.

What the FBI wants to do would make us less secure, even though it's in the name of keeping us safe from harm. Powerful governments, democratic and totalitarian alike, want access to user data for both law enforcement and social control. We cannot build a backdoor that only works for a particular type of government, or only in the presence of a particular court order.

Either everyone gets security or no one does. Either everyone gets access or no one does. The current case is about a single iPhone 5c, but the precedent it sets will apply to all smartphones, computers, cars and everything the Internet of Things promises. The danger is that the court's demands will pave the way to the FBI forcing Apple and others to reduce the security levels of their smart phones and computers, as well as the security of cars, medical devices, homes, and everything else that will soon be computerized. The FBI may be targeting the iPhone of the San Bernardino shooter, but its actions imperil us all.

This essay previously appeared in the Washington Post.

The original essay contained a major error.

I wrote: "This is why Apple fixed this security flaw in 2014. Apple's iOS 8.0 and its phones with an A7 or later processor protect the phone's software as well as the data. If you have a newer iPhone, you are not vulnerable to this attack. You are more secure - from the government of whatever country you're living in, from cybercriminals and from hackers." Also: "We are all more secure now that Apple has closed that vulnerability."

That was based on a misunderstanding of the security changes Apple made in what is known as the "Secure Enclave." It turns out that all iPhones have this security vulnerability: all can have their software updated without knowing the password. The updated code has to be signed with Apple's key, of course, which adds a major difficulty to the attack.

Dan Guido writes:

If the device lacks a Secure Enclave, then a single firmware update to iOS will be sufficient to disable passcode delays and auto erase. If the device does contain a Secure Enclave, then two firmware updates, one to iOS and one to the Secure Enclave, are required to disable these security features. The end result in either case is the same. After modification, the device is able to guess passcodes at the fastest speed the hardware supports.

The recovered iPhone is a model 5C. The iPhone 5C lacks TouchID and, therefore, lacks a Secure Enclave. The Secure Enclave is not a concern. Nearly all of the passcode protections are implemented in software by the iOS operating system and are replaceable by a single firmware update.

EDITED TO ADD (2/22): Lots more on my previous blog post on the topic.

How to set a longer iPhone password and thwart this kind of attack.

Comey on the issue. And a secret memo describes the FBI's broader strategy to weaken security.

Orin Kerr's thoughts: Part 1 and Part 2.
