I have worked at two startups now where we made the fatal mistake of being profitable. If you make this mistake then the investors will swoop in and demand you spend more on marketing and AWS infrastructure, because we're scaling up to 5 billion users of course.
Of course we started spending all the money on new people and AWS, and soon there was no money.
At one point we were dumping like $15K a month on AWS for a dozen unnecessary over-engineered toys that nobody was using. This is the real cost of AWS.
I'd love to see Amazon's data on money invested vs actual user traffic for small startups, that's got to be some of the most interesting and valuable data on earth. Forget companies, I'll bet Jeff is sitting around predicting when entire industries rise and fall weeks before anyone else based just on this data.
AWS or not, investors invest for the sole purpose of spending money with the hope of finding a unicorn. If an investor just wants to sit on their money, they can do that without giving it to a company.
Then those investors are stupid. Hope is not a strategy. But more likely is this take is wrong. Also sounds to me like GP maybe missed another consideration: architecting your application in such a manner that scaling is straightforward (not easy, straightforward, there is a difference).
Using AWS as an example, at one of the businesses I worked at, we used Kinesis as an event bus. One shard handles 2MB/sec of output. This worked pretty well for thousands of messages a second; we even got up to the 100s of thousands by compressing the payload of the event message. After that, you can employ any number of strategies that work easily, such as sharding and adding additional streams, and use a lambda to pipe the output of one stream to another. It scaled up to millions of messages by essentially pushing buttons in the AWS Console.
Take a look at your architecture. More than likely, outside of a FB/Google/Netflix traffic scenario there is probably an easier and more straightforward architecture you can use that scales to your realistic use cases. Worry about the billions when you get there, which you yourself probably won't at that point because you would have exited, or moved into a higher role most likely by now.
On the other side of the spectrum, AWS's extensive cost report metrics via tagging are great for big companies.
I can now show exactly which departments and dev teams are driving all the costs, and on what (CPU, storage, network). In a way that I never could for on-prem stuff.
...sure, as long as they tag their resources properly.
The closest I got to an org that did this well was a big company that ran Cloud Custodian in all their AWS accounts and if you launched an EC2 instance, it would terminate it immediately with extreme prejudice if it didn't have values for three required tags, one to identify the "owner" individually and two for accounting purposes.
The only problem with that is there's no mechanism to make sure that the cost center values were correct. There was a bit of a scandal when one group (who presumably just copied and pasted a bunch of CloudFormation from another group's repo) was running 5 figures a month of infrastructure under the other group's billing codes.
ALSO, as many have said, bandwidth is a big part of the cost, and at this time it's nearly impossible to do showback/chargeback on bandwidth. There may be a way to do it using Flow Logs by correlating IP addresses to instances and using those tags, but I've never heard of someone doing this successfully.
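As an added example (not from the thread), this is how the Flow Logs idea above could be prototyped: each record's interface id is mapped to its tags, the three-required-tag rule from the earlier comment is applied, and accepted bytes are summed per cost center by direction. The interface map, tag names and log lines are constructed; a real run would build the map from the EC2 API and read records from CloudWatch Logs or S3.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three tags the policy in the thread required at launch (names assumed).
REQUIRED_TAGS = ("owner", "cost_center", "project")

# Constructed: interface id -> (private IP, tags). In a real run this map
# would be built from the instance/ENI tags via the EC2 API.
INTERFACES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "eni-0aaa": ("10.0.1.10", {"owner": "alice", "cost_center": "CC-100", "project": "ingest"}),
    "eni-0bbb": ("10.0.1.11", {"owner": "bob", "cost_center": "CC-200", "project": "web"}),
    # Predates the tag policy and is missing "project": its bytes go to "untagged".
    "eni-0ccc": ("10.0.1.12", {"owner": "carol", "cost_center": "CC-100"}),
}

# Constructed VPC Flow Log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 123456789012 eni-0aaa 10.0.1.10 52.94.10.5 51234 443 6 100 120000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0aaa 52.94.10.5 10.0.1.10 443 51234 6 80 30000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.1.11 203.0.113.9 51235 443 6 50 50000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0bbb 198.51.100.7 10.0.1.11 33445 22 6 5 400 1620000000 1620000060 REJECT OK
2 123456789012 eni-0ccc 10.0.1.12 52.94.10.5 51236 443 6 40 70000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0ccc - - - - - - - 1620000000 1620000060 - NODATA
2 123456789012 eni-0ddd 10.0.1.99 52.94.10.5 51237 443 6 10 9000 1620000000 1620000060 ACCEPT OK
"""


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    byte_count: int
    action: str


def parse_flow_log_line(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record; None for malformed, NODATA or SKIPDATA lines."""
    parts = line.split()
    if len(parts) != 14 or parts[0] != "2":
        return None
    if parts[13] != "OK":  # NODATA / SKIPDATA records carry no byte counts
        return None
    return FlowRecord(parts[2], parts[3], parts[4], int(parts[9]), parts[12])


def missing_required_tags(tags: Dict[str, str]) -> List[str]:
    """Same check the launch-time policy applies: which required tags are absent."""
    return [t for t in REQUIRED_TAGS if t not in tags]


def billing_bucket(interface_id: str, interfaces=INTERFACES) -> str:
    """Cost-center tag value, or a catch-all bucket when attribution fails.

    The tag value is taken at face value: nothing here can tell that a copied
    CloudFormation template carries another group's billing code, which is
    exactly the gap described in the thread.
    """
    entry = interfaces.get(interface_id)
    if entry is None:
        return "unknown-interface"
    _, tags = entry
    if missing_required_tags(tags):
        return "untagged"
    return tags["cost_center"]


def chargeback(lines: str, interfaces=INTERFACES) -> Dict[str, Dict[str, int]]:
    """Sum accepted bytes per billing bucket, split by traffic direction."""
    totals = defaultdict(lambda: {"egress": 0, "ingress": 0, "unattributed": 0})
    for raw in lines.splitlines():
        rec = parse_flow_log_line(raw)
        if rec is None or rec.action != "ACCEPT":
            continue  # rejected traffic never crossed the interface; don't bill it
        bucket = billing_bucket(rec.interface_id, interfaces)
        entry = interfaces.get(rec.interface_id)
        if entry is None:
            direction = "unattributed"  # no private IP known, so no direction
        else:
            direction = "egress" if rec.srcaddr == entry[0] else "ingress"
        totals[bucket][direction] += rec.byte_count
    return dict(totals)


if __name__ == "__main__":
    for bucket, by_dir in sorted(chargeback(FLOW_LOG_LINES).items()):
        print(f"{bucket:18s} egress={by_dir['egress']:>8} ingress={by_dir['ingress']:>8}")
```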
AWS cost reporting is far from great.
It's hard to learn current (daily) charges; RI is completely hidden and only visible in the final bill, blended; there's no way to limit the spending and the detailed reports are in CSV, not user-readable.
Yes, there aren't great AWS provided tools, but the data is there. We happen to use Cloudability, though I'm sure there are other good tools, maybe even free ones.
A startup being able to spend 400k/month on AWS should also be able to employ somebody to keep an eye on the AWS cost and look for possible optimizations. If that's not the case I wouldn't blame AWS for the spent money.
No blame was on AWS. The TAMs tried to help fix things but no one was listening. Many times I was the only person meeting the 2-3 TAMs we had on the account.
I have many stories about this startup. The idea is great. If the startup succeeds it will be in spite of how it's being managed technically.
Not sure what the monthly revenue was but I do know there were several multimillion dollar deals every 6 months or so.
Problems come from many areas... like the fact it was in the data management space and the 1500 or so i3's running Cassandra plus the hybrid cloud approach of front end in AWS talking to APIs in GKE which talked to backends in AWS because cool technologies you know.
No architecting was done. Build this and put it in the cloud. The team from RU didn't even know about autoscaling groups and when I tried to bring them in I ran into resistance.
I have many examples of "opportunities to optimize" from this place; needless to say my stress level is much lower not being there.
If you're taking money from investors and you're interested in being profitable, then you're going to sacrifice growth for the sake of profitability:
- Let's not hire for this idea because it eats into our burn
- Hmm, let's hold off on launching this feature until we have more data
Investment $ means taking risks (within reason) to maximize shareholder value.
If the company you worked for was profitable, then they could've structured a leveraged debt payoff to the investors to get them off the cap-table. Unless the company took so much money that the investors owned 60%+ and they unanimously do not agree about being profitable, then this is something that can be passed as a board resolution.
It sounds like the founders at your company were just inexperienced.
Dude. A bunch of billionaires just got away with completely tanking the economy and getting bailed out for it. Zero people ever even talked about the possibility of anyone going to jail. Everyone got their bonuses. Nobody suffered any consequences. Literally nobody.
If you think anyone cares about any conflict of interest among the investing class you're beyond naive, you're just delusional.
That would require Amazon gathering customer information and possibly GDPR data on the usage of all of its customers, which is a thing Amazon doesn't do, and you don't want your cloud providers doing.
One does not follow from the other. Many countries are vastly reducing carbon while not investing in nuclear at all. We're already at the point where the carbon impact of energy production is negligible in many areas, there are much bigger fish to fry if you're truly concerned about carbon.
Yes, you can still reduce carbon footprint if you're not investing in nuclear. You can invest in renewables, energy efficiency, or reduce emissions in other industries.
But closing working nuclear reactors always leads to higher emissions. You can replace nuclear with renewables, but that means these new renewables would otherwise replace more fossil fuels.
> Many countries are vastly reducing carbon while not investing in nuclear at all
In this case we are talking about shutting down a plant that could potentially run for 4-5 more years without decommissioning. I suspect the difference will be made up by coal/gas.
https://www.forbes.com/sites/davekeating/2019/02/01/germany-...
“Coal, the most emissions-intensive fossil fuel, now provides more than 42% of Germany’s power according to the International Energy Agency – a proportion that has been growing since the nuclear decision. The result is that Germany’s carbon emissions have been growing, while their neighbors’ has been declining.”
>I suspect the difference will be made up by coal/gas.
Well, it doesn't seem that it is being offset by coal, given that while it has been offline, the UK has also had the longest run of not burning coal for power since industrialisation.
Hunterston is a 1 GW power station and while it has been offline the UK has installed 2 GW in new capacity of offshore wind, if you are looking for what is making up the difference, perhaps start there.
Was the offshore wind only installed because the nuclear plant was taken offline? I’d assume the wind generation capability would have been installed anyway...
“Although a significant share of coal-powered energy has been replaced by renewable sources such as solar and wind power, the largest power source in Britain remains natural gas, a carbon-emitting fossil fuel.”
Replace "cities" with "any organization that is not tech first" and you'll still find hundreds of win 7/vista/xp machines that have never been patched, and ad-hoc network closet/cloud hybrid rigged solutions for everything.
There is literally no way to fix all this dumb fragile infrastructure without a massive government program that accepts responsibility for doing so. You need thousands of smart people going through every machine, all the software, all the systems. These people are never going to work for Baltimore or for Maersk, not in a million years.
Instead let's create a new government agency or pivot the NSA from its dumb paranoid reactionary posture to more of a proactive NIST-style advisory role on best practices, have them hack everything domestically and start fixing things as their core mission. Make sure nobody at State or DHS or Justice can subvert this new agency; they need to stand on equal footing with any company or agency.
Then hopefully pillage all the miserable smart people who are currently working at mega corps and agencies who actually want to do positive, meaningful work for a change.
Problem solved someone hire me to advise on their political campaign.
Advising companies that they can and should fix things is actually the easy part. Getting things fixed in a way that makes companies happy is actually incredibly difficult. You're proposing a government agency get its hands dirty fixing thousands upon thousands of bizarro line-of-business applications and mission-critical Excel macros. Convincing companies to update what they see as systems that "work just fine" tends to be a Herculean task even when you can make a business case for taking on the expense and risk.
Telling a company "The government says you have to patch and is offering to do it for you" seems like it might not go over quite as well as you might hope. I can already see the first thought - "Do they actually care if all my systems work the way I need them to afterwards?". Having worked in Information Security and offered to fix things for people, my experience is that entities going for this is extremely rare, even when it's just the next department over.
As for the NSA, well, getting them into a proactive posture is a wonderful idea! It's such a good idea that the US government decided you were right decades ago. And acted accordingly. This tends not to make the news, so many people are understandably ignorant. For example, the NSA publishes information assurance best practices: https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-standa...
>Convincing companies to update what they see as systems that "work just fine" tends to be a Herculean task even when you can make a business case for taking on the expense and risk.
>Telling a company "The government says you have to patch and is offering to do it for you" seems like it might not go over quite as well as you might hope.
I think a better idea is to have the new agency play an advisory / supplemental role but otherwise place the burden of fix on the company itself. It just needs teeth for entities unwilling to adequately resolve their IT failures.
The EPA will bring suit to companies polluting illegally. Why shouldn't a government agency bring suit to companies or cities risking a leak of hundreds of millions of social security numbers, for example?
> The EPA will bring suit to companies polluting illegally. Why shouldn't a government agency bring suit to companies or cities risking a leak of hundreds of millions of social security numbers, for example?
Maybe at first we could try an in-between solution. I hate to water things down but maybe a scheme like a USDA Prime Beef label[0] would be more likely to actually pull off?
If there was a NIST Certified logo on one bank/app/merchant/site that asks for personal info, and not another, I would be much more likely to go with the NIST one. Obviously credit agencies and gov systems need to go first.
>In the United States, the United States Department of Agriculture's (USDA's) Agricultural Marketing Service (AMS) operates a voluntary beef grading program that began in 1917. A meat processor pays for a trained AMS meat grader to grade whole carcasses at the abattoir. Such processors are required to comply with Food Safety and Inspection Service (FSIS) grade labeling procedures. The official USDA grade designation can appear as markings on retail containers, individual bags, or on USDA shield stamps, as well as on legible roller brands appearing on the meat itself.
A hypothetical regulatory regime to mandate and enforce patching and other good practices?
It's worth thinking about. It might also be worth considering if we think there's a good way to get there without doing more harm than good. Congress is not always known for their high-quality technical regulatory work.
Agreed. HIPAA is not exactly a promising precedent.
Regulation would almost certainly lag at least a couple years behind and end up making software and IT maintenance much more expensive without making it that much more secure. I don’t think I like this idea, but imagine if marketers for more robust, secure IT solutions were legally allowed to show you how they can spy on you as a part of an ad. That opens up a huge can of worms that is probably best left closed, but I think it’d act like steroids for getting people to upgrade their insecure stuff.
What is your concern with HIPAA? There have been occasional breaches in covered entities, but overall the rules have significantly improved security and privacy in healthcare.
I spent years as an infosec consultant specialized in major healthcare companies, and my experience is completely the opposite. It is absurdly easy to be 'compliant' with the HIPAA security rule yet still have abysmal security.
The biggest issue IMO with the HIPAA SR is that it is first and foremost a legal matter that involves legal teams, and is not very good at being a technology matter that effectively prescribes security to security teams. Most of the HIPAA-motivated companies I worked with spent more effort getting their legal counsel to build a HIPAA litigation shield (via intercepting and carefully massaging the wording of security assessments) than they did getting their security teams to actually improve anything.
I did have some clients that saw HIPAA as only a foundation and guidelines for truly improving their security, but that was more a matter of the company actually caring about security, and not because the HIPAA security rule is actually effective.
There will always be some organizations that do the minimum necessary to check some sort of "compliance" checkbox. However you can't deny that overall the healthcare industry as a whole has better security and security controls than they would if HIPAA had never been enacted.
I absolutely do deny that. Of the many healthcare companies I worked at, small 50-200 people shops and massive F500 companies and everything in between, I don't think HIPAA* made any kind of material difference in their security maturity.
The companies that were actually good at security merely used HIPAA as a starting point, and sometimes had to divert resources away from actual security efforts just to meet redundant HIPAA audits. They would just as easily get by with any of the other myriad of security frameworks out there.
The companies that were bad at security either: 1) mostly ignored HIPAA because in many cases it's easier to just buy insurance to cover the cost of a breach, 2) viewed HIPAA as a legal matter and got lawyers involved, who many times actively impeded security infrastructure efforts (fines are less for a HIPAA breach if you "weren't aware" you were doing anything wrong, which leads to companies intentionally avoiding security assessments or altering them to read "everything is fine!" even when they know it's not), or 3) viewed HIPAA as a checklist and once they achieve HIPAA compliance, they think their security is good enough and stop investing in it (hint: achieving HIPAA compliance does not mean you have good security. Not even close).
I certainly do contend that HIPAA has not benefited the security of the healthcare industry as a whole. IME, it may have very well hurt it.
* - I'm speaking specifically of the HIPAA security rule and its effect on organizations' security maturity. In other areas, like patient privacy and disclosure rules, it does seem to have had an effect closer to what is intended.
I'm not sure doing anything different or better would have a material difference in how much a breach will cost, let alone the need to have insurance companies to cover them. Yes it's a lot of bogeyman auditing and such, but in the end a breach is a breach and companies will do anything they can to downplay the cost. At least with the rules there is a workflow and process to go through when the breach happens.
When all is said and done it's really the organization. I don't know how many bigcorps I've been at that were just totally inept. The existence or not of HIPAA would not change their ineptness.
I’m not sure if we can really confirm HIPAA’s effectiveness that readily; we don’t live in a non-HIPAA world, so we can’t compare the outcomes.
If hospitals faced zero consequences for losing customer data, then yeah, things would probably be worse. But HIPAA is two things: a set of mandatory requirements and a grounds for suing hospitals that lose/misuse data. I think the latter thing is effective, but the former is not.
With respect to the EPA, it's worth pointing out they'll only punish significant point sources.
For example a sewage treatment plant dumping raw untreated sewage will get punished. However a city with a major homeless problem where many thousands poop on the street will not be punished for a larger release of untreated raw sewage.
It's kinda similar with major organizations and IT. If there's a policy with the correct checkboxes, and strong-sounding speeches and firmly worded emails were produced by executives, it doesn't matter if there's some individual unpatched Win95 machine running mission critical tasks, even if there's thousands of those supposedly isolated individual case systems.
Because we as a society have yet to decide that it's bad. Just like we used to not think environmental pollution was bad, or at least with stunting businesses.
The SEC (before it was neutered) may be a better model. It's a group of hackers that investigates government and industry infrastructure for problems. They can warn parties if they find an issue, and if the issue isn't fixed, this group could bring civil, and maybe even criminal, proceedings against the parties.
> It's such a good idea that the US government decided you were right decades ago.
Perhaps, but it is hardly a universal belief that they have the balance right.
It is hard to pick a starting point to get in to this discussion, because it has been going on for a long time and is really complicated, not to mention largely classified. Perhaps one that dovetails into the encryption debate will be as good as any:
I don't know why you got downvoted. I know plenty of companies with modern tech that absolutely suck at security. Security is just hard, and it's not easier just because you're a tech company.
By comparison, if you spend billions of dollars on a modern building, I can still probably break into it with just a can of compressed air. I doubt the design plans for the building included "mitigate compressed air attacks", and it's the same with every other kind of organization.
> Security is just hard, and it's not easier just because you're a tech company.
We're not talking about everyone having Red Teams here. We're talking about keeping up to date with regards to Patch Tuesday, or even just having an OS that still actually gets patches. That'll get us 80-90% of the way to decent security:
> “Almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began,” Microsoft warned. “Despite having nearly 60 days to patch their systems, many customers had not. A significant number of these customers were infected by the ransomware.”
Do you know how many versions of how many operating systems across how many different platforms and products my company uses? Hundreds of variations, maybe thousands. Only a few groups have a solid handle on regular patching, and that's because of how hyper-standardized their systems are.
Even if an OS has automatic patching, you can't just immediately apply patches without going through an SDLC and QC process. And not every group even has those processes defined. Even if they do, you still need to address critical business problems before security ones.
> Do you know how many versions of how many operating systems across how many different platforms and products my company uses?
What OSes besides Windows, macOS, Linux, Solaris, AIX, HP-UX, z/OS, mobile (Android, iOS)? SCADA stuff perhaps?
And how many of those operating systems are targeted by worms and ransomware?
I know when I used to admin Solaris and IRIX machines we were worried a lot less about attacks than the Windows desktop folks. An nmap of the systems showed SSH open and one or two other services, which meant very few vectors for attack.
The fact of the matter is that by securing desktops, one probably takes care of 80% of a company's attack surface. Next take care of your Windows servers, which is another 10%. Then go after Unix-y servers and things like printers, HVAC, IPMI, etc (which should be VLANed off).
Let's imagine just one example of patching a remote hole in a Windows server. First, you have to stage a duplicate of an old server with a new patch, which can take days. A production environment may need significant development effort just to integrate the patch, which takes days. Then run all tests and QC processes against it, which can take days. Then you can deploy it during a maintenance window. This is 1-2 business weeks.
Now multiply that times 1,000 different combinations of versions of Windows, applications, networks, platforms, and so on.
You're not just patching "servers", anyway. You're patching bare metal machines, hypervisors, AMIs, container images, software packages, plugins, network applications, security policies. Often vendor platforms don't even have a patch available so you have to implement a custom workaround, if one exists.
One could write an entire book about this subject. Please believe me, it's not simple.
That approach might have made sense 10 years ago but it's no longer tenable now that the threat environment has escalated. Organizations will now have to roll out patches immediately even at the risk of disrupting mission critical operations.
There is literally no way to fix all this dumb fragile infrastructure without a massive government program that accepts responsibility for doing so. You need thousands of smart people going through every machine, all the software, all the systems. These people are never going to work for Baltimore or for Maersk, not in a million years.
Why not? Just 80 years ago, people would have laughed at you if you told them that computer techs would have stores everywhere, every 1st world household would have more than one, and that most office jobs would require some form of basic computer literacy. Just 150 years ago, cars everywhere, owned by most everybody, with everybody capable of taking a 100 mile trip on a whim, would have sounded like Utopian pie in the sky fiction. I'm sure someone said there's no way the everyday Joe and Suzy would be able to maintain a car. In the Ford Model A days, some people would hang a bulb of garlic under the hood to "cure" their car.
A few things could happen, analogous to the progress made by cars and also analogous to what's happened so far with computers: 1) The "packaging" will change, so that higher levels of security maintenance will be greatly simplified and more accessible. (Which might mean that everything is administered centrally to an even greater extent. i.e. Stadia and O365. Maybe O365 over something like Stadia?) 2) Security tools will advance. (SSH vs. Telnet, HTTPS vs. HTTP, and TFA have raised the bar for an exploit.) 3) The culture will become more computer savvy.
It's understandable that you're frustrated, because this sort of progress is going to have a generational component, which is orders of magnitude slower than technological progress.
Smaller cities don't have the financial wherewithal to competently run internet-facing services. Usually the best administered parts of a city are in police departments where sworn officers are filling IT roles, aided by injections of grant-driven projects done by consultants. That's not a good situation for anyone. The winning move is not to play.
I regularly hire people from cities and school districts due to some unique aspects of my workplace and benefits that makes it a smart move for them. We routinely take folks in senior tech or director roles and drop them into entry level titles -- and they are very happy to get significant raises.
End of the day, the "fix" is to dump money into rolling out modern solutions. Every user-facing city IT function should be delivered on an iPad or Chromebook.
"...dump money into rolling out modern solutions."
Yep. Ongoing maintenance and pro-active replacement is a cost. A cost that needs to be solidified as an ongoing expense. A lot of the people in leadership positions see technology as a one-time cost. ("I still have the computer I bought 10 years ago at home! It works just fine. Why do we need to buy new computers?")
I volunteer at my son's school and the overall security/integrity of the place is 10x better than it was a few years ago. That's because of Chromebook, and Google's management model of paying a fixed cost to manage the device for the life of the device.
Usually the best administered parts of a city are in police departments where sworn officers are filling IT roles, aided by injections of grant-driven projects done by consultants. That's not a good situation for anyone. The winning move is not to play.
How about turnkey police department SaaS, delivered over a separate network over low orbit satellite connections? That will be separate from the public-facing police SaaS apps.
> Then hopefully pillage all the miserable smart people who are currently working at mega corps and agencies who actually want to do positive, meaningful work for a change.
Oof, if you think being a smart technical person working at a megacorp is worse than being a smart technical person working for a government agency... I have no idea what your model of the world and labor market is.
> Instead let's create a new government agency or pivot the NSA from it's dumb paranoid reactionary posture to more of a proactive NIST-style advisory role on best practices
It's similar to working in infosec though. You do the pen tests, you find and identify the vulnerabilities and write up your report.
Then it's up to the municipal entity to put whatever your recommendations are in place to fix what they found. I have a large number of friends in the community who say they can do the work and identify issues, but often times, they come back six months or a year later and stuff they highlighted as critical fixes was still not taken care of.
It's the old "You can lead a horse to water..." saying, right?
The real issue is how you implement these fixes on a continuous basis to keep the network safe?
"There is literally no way to fix all this dumb fragile infrastructure without a massive government program that accepts responsibility for doing so."
Regulation and/or software liability. So far, they can ignore security with it rarely costing them anything. In a few industries, ignoring safety will cost a lot. So, they spend a fraction of that cost on preventing the overall cost. It might also be a requirement of even selling the product. Basic stuff like memory safety, login practices, updates, and so on being a requirement could get the bar way up. It was done before under TCSEC with DO-178C doing it now for safety. A whole market of safe products formed.
Alternatively, people do a strong push in courts to hold companies liable for any time their computers are used to attack a 3rd party. The folks suing and experts testifying focus on the core practices that prevent most problems. The argument is professional negligence. We stay on them until the risk-reward analysis for information security has executives making sure it gets done with specific stuff in the lawsuits addressed. Since that stuff is 80/20, then it solves about 80% of the problems. The new incentives might also make it easier to convince them to partly or wholly use systems like OpenBSD, QubesOS, and Genode.
Although I favor regulation, I think the lawsuit strategy should get a lot of experimentation first. It doesn't require a change in government. Just good lawyers. :)
> You need thousands of smart people going through every machine, all the software, all the systems. These people are never going to work for Baltimore or for Maersk, not in a million years.
I love this assumption that anyone smart or anyone good would automatically be working for another company or at another job. Not only is that just screwy off the top (assumes that smart people automatically can move and relocate to the most desirable job - even geographically) but it also assumes that anyone with any skills would never ever work in that type of situation to begin with. [1] Maybe there are good people that are working there but a government situation like the city of Baltimore is not chock full of the type of money required to actually fix a problem like that, or even Maersk management does not view it as a priority in any way. You know not every job is in a startup that has been VC funded and can afford to lose money; ditto for a traditional company such as Maersk. Noting of course that the 'best and the brightest' that work for some of the 'top companies' are kind of screwing up frequently. Not to mention MSFT 'top' designed much of this hackable code at one point.
[1] Attorneys are often like this as well: the halo of a top firm means if you are operating out of a storefront you must be stupid in some way, otherwise you'd be working at one of the top shiny law firms.
Have the NSA attack domestic systems and make the ransom fixes for the vulnerabilities they just exploited! haha, might just be crazy enough to work
This will only be a solution if it addresses the "business critical application, vendor has gone out of business, no source code available" case.
Which ultimately comes down to "Who's going to pay for a more secure replacement?" & "Who's going to assess heavy-enough fines to force the replacement risk scales in favor of doing something?"
You just described where I work (small manufacturing company) when I started.
It's taken me 18 months to significantly improve our security posture and I still have a bunch of stuff I need to do (I was hired as a programmer but I couldn't in good conscience leave it as it was).
> government program that accepts responsibility for doing so.
We already have that.[0] But it doesn't do any good, because it's purely advisory, but they need regulatory and enforcement power. We need an SEC for cybersecurity. Obama put Rod Beckstrom in charge of the National Cybersecurity Center, and that was great, but he resigned after a year because there was no funding behind it. It had been limping along since, but Trump deleted the position about a year ago.
The point is, if we want to fix this problem, we need the political will to hold people accountable instead of just telling people to not do stupid things. IT and Legal are cost centers in 99% of organizations; the difference is that if Legal and IT tell the C-suite "We need to do X or else bad things will happen", Legal gets listened to but IT doesn't. This is because if Legal's "do X" fails, the outcome is an expensive lawsuit, but the outcome of IT's "do X" is a blog post about their continuing commitment to the safety and security of their customers' privacy.
Every municipality I've worked for runs a majority of their systems on the IBM System i (iSeries, AS/400).
IBM is very slow to update any of the tools for Windows that are included with these systems. Ditch the green screens, use the IBM EasyAccess or whatever they call it on Windows, you just saved some $.
Now, there are database tools and admin utilities that are also included in this. Most of them don't work with anything after Windows XP, so you're in a position where you can't upgrade to securable versions of Windows, because you'll lose IBM access.
Oh let me rush to defend my favorite platform, the iSeries.
The platform, regardless of which, is not to blame. It is the laziness of most IT shops which either don't have any process in place or only pay it lip service.
iSeries machines (AS/400) serve many different client interaction methods, from green screen, web services, ODBC, NodeJS via Qshell, and more. If employed properly the iSeries has some of the best security in the industry, which is why many are used by banks all over the world, hospitals, the gambling industry, and more. Failure occurs for the same reason it does anywhere else: not having a process in place and following it.
As for currency with what is available today, iSeries access is facilitated through a Java-based client which works on Windows, OS X, and Linux. It is the same Java application throughout and even provides ODBC access through Java drivers, and for Windows you can opt into a subset of Windows exe/dlls. There is a full blown web service hooked to it as well that runs on the server as needed. It is up and down fully SSL too.
We can partially blame every software vendor that’s ever existed. In 10 years we will be blaming Google for applications that only run on outdated versions of Chrome because the API the developer used only existed in Chrome and wasn’t accepted into the standard and then was removed a few years later.
I don't think much of anyone makes stuff for old Chrome versions given how aggressive Chrome is about auto-updating. Chrome doesn't have any official options to disable auto-updating as far as I know.
“Make sure nobody at state or DHS or justice can subvert this new agency, they need to stand on equal footing with any company or agency.”
That’s going to be a problem. It’s a zero-sum game with power in DC, and if you can solve that you will be fixing more problems than domestic infosec weakness.
Why am I not surprised that the comment saying no need for government intervention is the one comment that's downvoted?
While I typically believe smaller government is the answer, I would personally welcome a regulatory framework that gives me confidence in both my own organization and every other one as well.
It wouldn't ruin my business, it'd just be another line item in my budget.
(Forgot to respond to part about a government organization to get secure products out. Here's response to that.)
It's been done before. It was the Walker Security Initiative. It resulted in some of the most secure products the market ever produced. A combination of lobbying for insecure products to be bought and NSA's actions destroyed what little there was to the market. Bell describes it:
Just found a link with examples of what they were doing. I haven't read this one fully, though. Linking it mainly because it talks about CSI and how the market was responding.
Note: I don't think KeyKOS itself came from that community. It was from capability-security field. KeySAFE extension was driven by TCSEC requirements, though.
Note: Although not the first attempt, Trusted Xenix was the first attempt at securing UNIX that made it to market. Available from 1990-1994 I think. Coincidentally, OpenBSD starts in 1994 to go even further.
Anything short of admitting "we fundamentally screwed up, and are rethinking the poor decision to pair this engine with this airframe" as well as "we are reviewing all our design processes and how the FAA oversees every step of the process" is unacceptable. MCAS is just the horrific bloody bandage that is peeling away, it's not actually the problem here.
This probably won't happen of course, all they seem to want to do is fix as little as possible as quickly as possible while denying they ever knew anything.
If I were someone powerful like a pilot union leader I would start throwing conniption fits in public and refuse to let my people fly on Max's at all.
Anything short of admitting "we fundamentally screwed up, and are rethinking the poor decision to pair this engine with this airframe"
Can you cite the basis for this often-expressed sentiment? There's absolutely no reason why a properly-designed and -vetted MCAS system wouldn't have been a perfectly acceptable solution to any handling irregularities caused by the engine configuration.
The idea was fine. The fault was 100% in the implementation.
It's not impossible to make it work, and in the future I'd expect more and more automated systems in planes for sure.
But you have to recognize the whole engine hack is just a convoluted workaround to avoid as much pilot training as possible. The entire goal of the project seems to be to avoid ever training pilots for as long as possible. It's a brand new plane, the newest plane on the market, and the first thing you need to do to take off is turn off the cabin air conditioning. Why? Because that's what we had to do 50 years ago in the first 737.
God forbid this plane start up any way besides turning off the cabin air conditioning. If we changed that, we'd have to... *gasp*... retrain pilots!
The problem with training pilots for a new machine isn't the training itself but rather, that a pilot is rated for one machine type only. If the MAX had a different type rating, MAX pilots would no longer be rated for the non-MAX 737. There are some larger US carriers which are 737 only, partly so that all pilots are trained for all of the machines. Having to split the fleet into two types would have a huge impact on business. Most likely these carriers would avoid getting any MAX as long as possible.
I don't know what the correct answer to the problem is, but clearly good safety regulations are trapping some carriers and Boeing. Sooner or later Boeing will have to build a true successor to the 737 (and I guess they now wish they had sooner).
>The problem with training pilots for a new machine isn't the training itself but rather, that a pilot is rated for one machine type only.
Citation needed. I've never heard this before, except for some other person on a message board, and I've been involved with aviation and known pilots with multiple type ratings.
If you're arguing that MCAS was "properly designed and vetted," you're the only voice crying in that particular wilderness.
Boeing's implementation will be a mainstay in engineering ethics classes for the next 100 years, right next to the Therac-25 and the Kansas City Hyatt.
They are truly innovative in the sense that they finally exposed the fact that much of tech startup funding is just a ponzi scheme by pushing it all the way to the IPO with no plan to ever make money. That's a new thing, usually only microcap companies were able to pull off that scam in the past.
Get out between series A/B if you want maximum return, the only losers in these phony companies that never make money are the last round of investors who get left holding the bag.
And if you're an employee looking at stock options in a startup just say no. Stop surrendering real money for fictional money. Get a higher base salary instead. Employees with equity plans are always at the bottom of the list to get paid out.
SoftBank’s Fund was one of the last investors and poured billions in at a $48B valuation. So they won’t make a lot of money percentage-wise, but at worst they’ll make a small profit. Otherwise they could make over a billion or two in profit from their investment. The other last investors got in at higher valuations, so if Uber drops more they’ll lose out. Though even they won’t lose a ton of money percentage-wise.
I hope after the utter trainwreck that is Foxconn in Wisconsin every local government is being more skeptical of these corporate welfare deals.
I'm really tired of seeing fancy corporate lawyers outfox local politicians over and over again, somehow always getting a new record-breaking welfare incentive plan while structuring the contracts such that they have a hundred loopholes and never have to actually do anything for the money. This keeps happening at small and large scales all over the country, and it needs to stop.
Foxconn's Wisconsin plans, TV panel manufacturing that then turned into a spread-out series of research centers, never seemed believable.
The Wisconsin Republicans stopped bragging about the details the last election... but still tried to make it more difficult for the state to get out of after the election...
I wonder how severe the backlash is going to be, not just for Google but all the tech giants. Our anti-trust laws were mostly written around monopolies abusing pricing power to rip off consumers, but with the intersection of data and hosting and analytics and everything else the potential to abuse people is far greater than just raising prices. And they have expanded their ability to profile and experiment on individuals worldwide, regardless of whether you create a Google account.
I wonder what "use" means here. Is it now illegal for them to log your traffic at all? I think that would be the ideal way to phrase the law, you can't even write to a logfile/dbms much less do anything with that data unless the user opts in.
This is a totally valid move in my opinion, as well as just circumventing the trainwreck of a healthcare system to seek treatment overseas.
If congress continues to be negligent in its duties then this is really the only viable path forward for many people. If a large enough percentage of people bail on their student loans/medical debt then eventually dozens of predatory banks and "medical billing" companies will go out of business and then we can actually start to change things.
By "dozens of predatory banks" and "medical billing companies" you mean "the federal government" (who is owed 92% of student loan debt) and "hospitals and doctors offices" right?
Absolutely. I am excited by the prospect of hospitals shutting down and doctors being unable to find a job, it's long overdue for them to finally come back down to earth. I can't imagine a quicker way to reform healthcare than that. It's probably our best case scenario right now with a non-functional government.
Student loans are a bit more complicated, but yes absolutely I expect to see massive defaults hurting the federal balance sheet and for schools who failed their students to start shutting down. This isn't a bad thing, it's healthy.
Student loans would presumably not be given if the degree program isn't able to get you a "good" job after finishing it.
Nothing wrong with getting a worthless degree: if you are into art you should get an art degree. However you should first get a good job that pays your bills and pay for that degree from your own fun money. As a society I help with your basic education because the value of everybody knowing how to read and do math makes it worth it.
>Student loans would presumably not be given if the degree program isn't able to get you a "good" job after finishing it.
Er, that's pretty much how we got here, they have been and are being given. Government-backed student loans have no requirement that they be spent on degrees that are lucrative.
>If a large enough percentage of people bail on their student loans/medical debt then eventually dozens of predatory banks and "medical billing" companies will go out of business and then we can actually start to change things.
Pretty naive view of the way things work. The more likely outcome is that those in need will be denied service in the future, either medical or financial. Or do you think we should force employees and medical staff to service people who will not pay for said service? How will that work?
I realize the entire situation is a mess, but simply bailing on your obligations to "teach these people a lesson" will backfire. Case in point: you think the bank is hurt by your defaulting your $50,000 in obligations? They have a lien on your personal assets, and the number is insignificant to the size of their balance sheet.
How is this a valid move? You bought a service and failed to pay for it. How is this different from predatory payday loans? Sure, it is on a larger scale, but do you agree that if you get a payday loan you can leave the country and not pay for it?
K-12 education is a right in the US; you get to go to school for free. College is, for better or worse, a paid-for service. You chose to go and you signed the paperwork.
Medical is a bit different, you certainly didn't ask to have medical conditions (most of the time). So I can't bundle the healthcare system with the Educational systems when it comes to paying back debt.
Ending one of the fiercest lobbying fights in Washington, Congress voted Thursday to force commercial banks out of the federal student loan market, cutting off billions of dollars in profits in a sweeping restructuring of financial-aid programs and redirecting most of the money to new education initiatives.
The revamping of student-loan programs was included in — if overshadowed by — the final health care package. The vote was 56 to 43 in the Senate and 220 to 207 in the House, with Republicans unanimously opposed in both chambers.
Although private banks will no longer be allowed to make student loans with federal money, many will continue to earn income by servicing those loans.
The Congressional Budget Office said the direct-lending approach would save taxpayers about $61 billion over 10 years. Roughly $40 billion of the savings will be redirected to higher education. Education programs will get an additional $10 billion from the health care package.
But who pays? The fools who bought the loans, or the public who mostly paid theirs (if they ever took any to begin with)? I suspect that everyone will pay, despite a minority of people benefiting, that hardly seems just.
I don't think it's predatory, I think the lendee is a fool being led by the blind; but does that make it right for it to suddenly be everyone else's burden?
People make dumb decisions that affect only them all the time; when is it suddenly my business to subsidize people's personal mistakes? Are they even mistakes at all, if the debt is forgiven without prejudice? I don't want to live in a world where taking a loan you have no intention of paying is not a mistake.
Also, AFAIK a huge majority of student loans are held directly by the Federal government (which is the other reason I fear "forgiveness" is on the horizon); assuming you don't mean to call the Federal government a "predatory bank".
I'm not sure what sort of people you've run into, but I've never met a single person who ever took any loan out with no intention of paying on it.
The problem is "intention" and "ability" aren't inextricably linked. My brother has defaulted on his loan; he agonizes over it every single day. He has every intention of paying, but he's left with $32 a month after rent, the cheapest, most basic of utilities, rice, beans, and the occasional leafy green, and health insurance. His apartment was 43 degrees during the winter because he couldn't afford to heat it.
$32 isn't going to pay down his debt, and there's nothing he can currently do to change that. I'm certain he'd LOVE to. There's nothing he wants more than to keep his current standard of living, but make enough money to pay his debt off (edit: and do note that his current standard of living _sucks_).
I find it a bit disconcerting that your mind immediately goes toward intention and doesn't even seem to consider ability. I'm certain there are those who take out loans with no intention to pay on them, but much like the welfare queen propaganda of the '90s, it seems like that specific problem is blown entirely out of proportion to the reality.
You're making a counterpoint to something I did not say.
I'm saying that taking the loan is no longer ever a mistake, because you can expect that you will never need to pay, if you wait long enough: hence "where taking a loan you have no intention of paying is not a mistake".
> the cheapest, most basic of utilities, rice, beans, and the occasional leafy green, and health insurance
I'm sorry to hear that, I suspect that I'll need to be housing my brothers some time in the next decade too, so I can feel that. Is there some problem with SNAP and Medicaid that's preventing him from taking them? Is housing just so costly where he lives that he's insolvent despite not being below the "poverty plus" lines for those programs?
Correct me if I'm wrong - I think I now see the disconnect we (or better put, I) had and I'm sorry I didn't see it before.
If there's no financial or legal penalties for discharging the loan debt due to bankruptcy, people may be more apt to go that route, disrupting the entire lending system.
If that's right, and I read the rest of your comment in that context, you're basically lamenting the fact that there are no outrageous material downsides for people being taken by duplicitous lenders and education institutions. And if that's also what you meant, then I agree; that's certainly a problem that would need to be solved as well if blanket debt forgiveness were to occur. That seems to be just as untenable a situation as the one we have now - and by my view, the situation we have now is wildly untenable and is going to hobble our entire country and economy for decades to come if we don't change _something_.
I'm going to stop riffing on "and if"s, though - that's just doubling down on the same mistake I made earlier. My apologies!
Yeah, sorry for not making it clearer at the outset. I'm coming from the perspective of somebody who is building a product to (among other things) help people prevent household debt from ruining their lives (starting here in Canada); and I've given out a lot of loans in the family to prevent debt spirals, so I definitely feel for people in this position.
At the same time, my personal experience is completely different. I was difficult in primary school, probably because of family issues. I dropped out effectively before high school, and started doing contract work (and eventually full time work at 17) on software. I got my start based on little more than natural confidence and many hours of reading Wikipedia and StackOverflow from about age 8, eventually on my first personal computer, which I bought at 14 with about 95% of the money (I always begged for cash instead of toys and hometown giftshop trinkets) I'd received in my life. After biking about two hours a day just for work (rain or shine, usually rain it seemed), I decided to leave home to be closer to work and farther from my mother, and I was lucky enough to have a friend who would let me crash on his couch for a few months.
Even with the rather extreme subsidies here in Ontario, I couldn't really afford to take time to go to school; I could now, but I probably don't need to. That's basically why I feel that it would be unjust if I moved to the U.S. (I'm a citizen) and that started immediately with paying off other people's loans that the federal government gave out like candy, for something I couldn't even afford to buy if it were free.
> I'm sorry to hear that, is there some problem with SNAP and Medicaid that's preventing him from taking them? Is housing just so costly where he lives that he's insolvent despite not being below the "poverty plus" lines for those programs?
Nailed it! Seattle is not an inexpensive city. Before expenses he's actually doing quite well for himself, in theory - especially compared to federal poverty guidelines - for a college drop-out. But those guidelines that are probably pretty feasible in West Virginia or Kansas are so far beyond useless to someone in a larger metro, it's kind of insane.
So no dice on SNAP or expanded Medicaid (Apple Health, in WA). It's a shame because without the insurance premiums, he'd actually be able to make all of his loan payments, even without extending them or doing an IBR type thing.
I know it's probably not the first time you've heard this, but moving just slightly out of Seattle (I'm assuming the family ties are pretty damn important, I know it's a huge part of why I'm still in Ontario, so no big moves) could have a huge impact. I recently moved into my mother's house because I don't want to live the ramen life again while working at a startup. She was, in turn, able to afford this place because it's in Hamilton, ON and not Toronto.
To my eyes, it seems that high-minded zoning and planning (especially insidious nonsense like minimum house sizes, lawn setbacks for bungalows that would be enough for a five-storey building), and the mindset that comes with it, have made and kept housing extremely expensive in major cities in the U.S. and Canada. I think you can do a lot better outside of Seattle, with the main bottleneck being transport time (and possibly not being able to stay with the same company).
I know it's a cliché, but I think a lot of people will find that they like the slightly-less-exciting life in a second-tier city once they're there; I know I prefer being in Hamilton to being in Toronto in many ways. On the flip side, I know somebody who seems to really prefer living in Seattle despite working in Redmond. These are, of course, the more privileged thoughts that you can have about where you live.
P.S. if you reply and don't see anything pop up; I'm probably not just ignoring you. Hacker News has this health-promoting but annoying feature of rate limiting submissions for a given user. When I hit my limit (which is often), it often takes about four hours (or possibly more, dunno) to clear.
Oh, I feel the move; we're actually from rural Appalachia. He came to Seattle because I'm here and I supported him financially for close to a year until he finally got his feet even remotely under himself. The wilds of Western PA are a rough place to get a start for anyone, and not having a college degree makes it even worse. He spent 4 years trying to find a job other than being a cook at a crusty hole-in-the-wall dive bar with no luck. I convinced him the opportunity was at least better out here, and he made the leap. His wage went up 230% from before and he's closer to 30 hours than the 18 he got previously, so it's far more lucrative, but the COL is also at least 400% more (you can rent an apartment where he lived prior for about $350-450 a month). Without public transportation of any sort, though, you also need a car, insurance, gas, blah blah blah - and the ~$550 he made a month gross just wasn't going to cut it.
He really is better off here, but he'd REALLY be better off in a second-tier city - exactly like you said. That's hard to pull off when you don't have a couch to crash on while you get started, though. At this point he's tried literally every option besides hitchhiking and being homeless, and he isn't too keen to try that; at least now he has a roof and rice and beans, you know?
We could slice 10% (maybe less) off the military budget and pay for college for everyone, forever. This "who pays" nonsense is just that: nonsense.
I'm sure the Navy would find a way to make do with a mere nine aircraft carriers.
If you're worried about freeloaders getting welfare they don't deserve then slashing the insanely corrupt grifting that goes on every day in DHS/Defense should be your top priority.
> We could slice 10% (maybe less) off the military budget and pay for college for everyone, forever.
According to Wikipedia, 'the approved 2019 Department of Defense budget is $686.1 billion.' In the 2015–2016 academic year, colleges and universities spent $559 billion (https://nces.ed.gov/fastfacts/display.asp?id=75). So 10% of the military budget would pay for a little over 12% of collegiate spending.
That $559 billion is including all the money the government (states, mostly?) already gives to schools that they then spend. GP was talking about (I assume) covering tuition, which is estimated between $50 billion and $75 billion from the articles [0] I can find. That lines up with ~10% of the military budget.
Perhaps we could cut back on entitlements, too. That would bring bigger savings and help with the governmental fiscal responsibility thing. Lower debt would let people keep more of their money to spend on making their lives better.
Entitlements are exactly that. You, the taxpayer, paid for them, you are entitled to use them. How about we cut the things we pay for but aren't entitled to use, like the military.
Fun thing about "personal fiscal responsibility" is that almost everyone preaching about it when talking about entitlements has either never been poor in their lives or is a grifter looking for acceptance from those who have never been poor in their lives.
I was very careful not to take on student debt. I personally chose a low-cost college and took as many first and second year required courses at a community college. I would be very angry if I had to bail out people who lived on The Farm, or in an Animal House frathouse for 6 years.
"Because you’re attempting a highly sensitive action, we need to be sure it’s really you. At the moment, we can’t. Try again from a device you normally use (like your phone or laptop) or from the location you usually sign in from.
Learn more about verifying it's you."
No other option. Everywhere I try is the same.
Giving an Evil company like Google my data. How could I have been so naive and foolish.