Bret Piatt

A common security technique is to classify attackers by IP addresses or reverse DNS lookup and blacklist the bad ones.  This technique has been falling in popularity with the increased usage of DHCP and NAT for Internet access and cloud computing will be its death knell.

Cloud computing allows attackers to rapidly switch IP addresses for as low as $0.015 per switch or per hour of using the address.  Right now only a few clouds exist so it isn’t quite the wild west yet but over the next 2-5 years we’ll see the thousands of dedicated hosting providers all switching to offer cloud services.

So what this means to the IT security world is you have some time to think about this and get it right using the few clouds out there now.  “Getting it right” may require more than just individual enterprises coming up with a way to solve it for them.  We really need to get together as an Internet community and discuss this in the broader scope of entity identification.  I use the term “entity” because we need a way to identify systems and individual users.

We're going to digital ID, the train is leaving the station

Identity and access management has always been viewed as an enterprise or site specific issue — this needs to change.  The recent Twitter hack is an example of how out of control identity and access management has become.  Understanding and documenting all of the application interactions around identity management in an enterprise is something few if any have a firm grasp on.  We’ve finally reached the point that implementing an Internet wide “digital identity” with a centralized identity and access management architecture similar to the domain registration/SSL certificate heirarchy.

OAuth and OpenID are a good place to start the discussion as they have the proper frameworks but they lack a centrally managed authority or list of authorities to manage identification and authentication.  Major “trust” providers on the Internet need to get together and solve this: VeriSign, Google, Microsoft, Ebay/Paypal, Banks, and major Internet Service Providers (AT&T, Verizon, Comcast, Cox, Time Warner, etc.).

Major Web 2.0 players have large directories of people but they don’t have a real trust relationship — just because you have a Myspace/Facebook/Twitter account doesn’t mean I should trust the e-mail you send me but if Chase Bank says you have a bank account with them and you’re sending me an e-mail I’m much more likely to trust it.  With the appropriate identity management if you’re sending spam I can flag that and Chase will tie it to your “digital identity” which is tied to your “real identiy” provided when you created that bank account.  It will be much more difficult to create new identities than it is today and we’ll see a significant decrease in “wild wild west” type behavior on the Internet.

The secondary benefit is consumers will also start to take security more seriously as they won’t want to waste time getting the “spammer” flag removed from their digital identity because their system was hacked (similar to disputing things on your credit report if the system works out properly).  They’ll also prioritize security in their buying decisions forcing system vendors to take it more seriously.

A tertiary benefit will be a reduction in misleading activities that lead to horrible events like the Myspace teen suicide because people won’t create fake identities to hide behind.  Some may say this is part of the “fun” of the Internet as it allows them to escape from their day to day lives.  That type of fun isn’t good for both parties involved — typically part of the fun is misleading other people such as the recent case of the lady that pretended to be a 15 year old kid with cancer.  “Fake identity” activities like this should be restricted to a place like Second Life where everyone knows people are pretending.

As private industry and a world society I hope we can take care of this ourselves before it gets so out of control Congress tries to figure out how to do it and we end up with some horrible mess of a “National ID and Digital Identity Act” that looks at it only from the perspective of the USA and makes it very difficult for non-US citizens to do anything online (as most of the major Internet properties are US based) creating a whole new barrier for 3rd world citizens to overcome.

If “Big Government” is more wasteful, less efficient, and generally just not a good idea why is “Big Business” more efficient, more profitable, and generally able to succeed without groundbreaking nimble new inventions?

So what do the failed “Big Businesses” have in common with the inefficient “Big Government”?  We have the “all in” style risk based bonus systems in the financial sector — this falls in both the accountability and corruption buckets.  Outside the financial sector we have many of the major corporations of the post-war era that have had to file bankrupcy due to lack of accountability over their workers because of the union shield.

Both of those paradigms exist in the federal government.  Elected representatives “know” if they take care of people they’ll get rewarded when they leave office.  This is similar to the financial sector problem as the represenatitive spends/takes risks with other people’s money and if it goes well stands to gain huge personal benefit.

On the other side of the coin the federal government is more unionized than any other industry.  Even non-union employees in government aren’t going to be eligible for performance related bonus plans.  Nobody is held accountable to perform above a baseline minimum, nobody is asked to do their best.

So how do we fix this?  The same way we fix other places where we have a lack of accountability and corruption.  Use existing laws or put better ones in place to enforce transparency and honesty.  Pushing the spending from federal down to state just spreads out the corruption, localizes it, and makes government less efficient overall for the same reasons small business is less efficient than big business.

Term limits don’t fix the “all in” mentality, they may perhaps make it worse as representatives know they have a short time to push through their “payday” legislation.  People that pass legislation need to be ineligible to recieve financial benefit from it.  This make may it very difficult to go from Congress back to the private sector but I’d rather pay them a congressional salary pension for life than encourage them to spend $100B of our money so they can get a $20M paycheck after they’re out of office.

The union issue is more complicated.  In a utopian society people would do their best each day regardless of an “incentive pay for performance” plan.  We sadly don’t live in utopia so people with no incentive often do the minimum required.  The best way to fix this is any job with a measured baseline of performance needs to be automated.  If it is too complicated to automate then people deserve some sort of performance incentive.  We don’t have to fix this overnight, let the current generation of workers finish out their careers and phase them out moving foward.

If we don’t address both accountability and corruption we will end up bankrupting our country.  In some states now people are paying > 50% of their income in “income tax” (NY and CA), start adding on property tax, sales tax, gas tax, and all of the other taxes and up to 2/3rds of some people’s earnings are going to taxes.  We also have some of the highest corporate tax rates in the world incenting businesses to evaluate opportunities to move to other nations.  Raising taxes isn’t the answer, we’re running out of room to do it — futher increases run the risk of decreasing federal revenues as income earners will look for opportunities elsewhere.

Our government is run by a jealous and power hungry group of individuals.  They want to be worshiped for taking care of everyone.  They put their faces on money, they build temples and monuments in their honor.  They don’t like the fact that when people are in need they turn to something other than them.  For many in America, they turn to God, and God warns them:

“You shall have no other gods before me. You shall not make for yourself a graven image, or any likeness of anything that is in heaven above, or that is in the earth beneath, or that is in the water under the earth; you shall not bow down to them or serve them; for I the Lord your God am a jealous God, visiting the iniquity of the fathers upon the children to the third and the fourth generation of those who hate me, but showing steadfast love to thousands of those who love me and keep my commandments.” (RSV Exodus 20:3-6)

Does this mean if you believe in God you can’t look to our elected leaders to help?  As long as they’re helping out of duty and service, receive the help.  If they’re helping out of a desire to be worshiped then you may be punished along with them for taking their false gifts.

^“1For I do not want you to be ignorant of the fact, brothers, that our forefathers were all under the cloud and that they all passed through the sea. ²They were all baptized into Moses in the cloud and in the sea. ³They all ate the same spiritual food ⁴and drank the same spiritual drink; for they drank from the spiritual rock that accompanied them, and that rock was Christ. ⁵Nevertheless, God was not pleased with most of them; their bodies were scattered over the desert.  ⁶Now these things occurred as examples to keep us from setting our hearts on evil things as they did. ⁷Do not be idolaters, as some of them were; as it is written: “The people sat down to eat and drink and got up to indulge in pagan revelry.” ⁸We should not commit sexual immorality, as some of them did—and in one day twenty-three thousand of them died. ⁹We should not test the Lord, as some of them did—and were killed by snakes. ¹⁰And do not grumble, as some of them did—and were killed by the destroying angel.  ¹¹These things happened to them as examples and were written down as warnings for us, on whom the fulfillment of the ages has come. ¹²So, if you think you are standing firm, be careful that you don’t fall! ¹³No temptation has seized you except what is common to man. And God is faithful; he will not let you be tempted beyond what you can bear. But when you are tempted, he will also provide a way out so that you can stand up under it.  ¹⁴Therefore, my dear friends, flee from idolatry. ¹⁵I speak to sensible people; judge for yourselves what I say” (1 Corinthians 10:1-16)

When our country was founded giving 10% to the church was very easy.  We had few taxes to pay to the government and in times of need people looked to their family, their neighbors, their community, their church for assistance.  This didn’t give the elected officials the power and worship they desired so over time they’ve collected more and more taxes to solve more and more problems.  People are then be thankful for the government and the officials that take care of them.

Now here we are 200+ years later with over half of our income going to the government.  Giving 10% to the Lord is now much more difficult as you’ve already had so much taken from you.  And why should you give to the Lord now?  If you need something you don’t have to ask God or your church community for it.  The government is there to take care of you with “public assistance”.

The difference between being helped by your neighbor or your community and a government entity is if your neighbor helps you, you’re inclined to try and return the favor.  If you get help from a non-descript government entity there is nobody to return the favor to.

The government doesn’t make money on its own.  The help you recieve from it is really from your neighbor or somebody else’s neighbor and we need to treat that assistance with the same respect and gratitude.  Don’t take more than you need, greed is one of the seven deadly sins; and repay what you are given when you can.

Government should focus its energy on matters of the state — our national defense, our military, and laws to maintain order among society.  The social and entitlement programs that make up much of our debt should be sold to the private sector and they will run more efficently and take better care of the people looking for assistance.

A quick first step could be changing the charitable donation tax laws.  Instead of it being a deduction after 2% of your gross income it should be a tax credit up to 10% of your gross income starting from the first dollar you make.  Capital will find its way quickly into the hands of organizations looking to help their fellow man and they’ll spend it right away.  It won’t go into an entitlement trust fund to sit not contributing to the economy.

The idea of a social safety net is great, nobody wants to see others homeless, hungry, and in need.  The drawback is it eliminates the need for people to really give it their all.  If you could go to work and take an entry level job, if it pays you the same as the safety net – why do it?

This does have an upside.  True entrepreneurs can risk everything without fear of being left with nothing.  If they go bust, wait a few years again building up another nest egg and try again.  Just like buying a lottery ticket, you keep swinging for the fences until you get it and if not the safety net isn’t a bad place to be until then.

For tech related Web 2.0 style startups with access to utility style computing they may not even have to wait between attempts.  As long as the safety net gives them enough money for Internet access, food, and shelter they can keep trying idea after idea without the need to wait between ventures.  Eventually one of those ventures pays off and they skip right over the middle class.

It is horrible for marginal entrepreneurs because they won’t commit everything to success as they know they have a safety net to catch them.  This may cause businesses on the edge to fail as the thoughts of 100 hour weeks trying to save your business sounds worse than relaxing on the safety net.  This is where the safety net robs people of success, if given no other option for support they would have overcome.

When the safety net put you in a shelter or a public housing development most people were willing to work as hard as they needed to improve their quality of life.  If the safety net moves up to saving the $800k home of a bus driver most people will be perfectly happy relaxing on the safety net not trying to improve their life or if they do try for improvement they’ll swing for the fences.

Through this the middle class workforce will slowly be eliminated and in order to attract people to the jobs that really keep everything running we’ll have to start paying significantly more.  While on the surface this sounds good dramatic shifts in the average wage will cause hyper-inflation.

Inflation isn’t just the government printing money increasing the money supply.  A significant increase in the velocity of money is how we’ll end up in hyper-inflation, not through the printing of money alone.  If the M3-M2 money only fractionally changes hands each year it doesn’t have a lot of purchasing power; it doesn’t drive the prices of goods and services.  If those large pools of investment dollars now have to be paid out to workers in salarys to attract personnel capable of performing the job M1 and M2 will increase as the average worker doesn’t save — they spend what they make.

So if you are in control of those M3 dollars do you spend them on higher salaries to attract workers, knowing it will lead to hyper-inflation, causing your fortune to diminish in purchasing power? Or instead, do you instead let the economy fail causing deflation as unemployment increases and the M2 supply decreases which in turn increases the power of your fortune?