Yes, compared to other parts of California (even other parts of my metro area) that's not too bad, but $120-150/mo (sometimes a little more in mid-late summer) is still a noticeable hit on the budget. base winter usage for the 2 of us is normally <90 gal/day), $40+ for garbage collection and recycling, and $60+ for sewer service. So my typical city utility bill is about $20-50 for water (after retrofitting all the fixtures to minimum flow, getting water-efficient washer/dishwasher, nuking the lawn for drought-tolerant plants, etc. Then, the treatment plant got dinged for releasing ammonia in its outfall the fix is costing about $10 billion (including upsizing the plant for growth) - and the ratepayers, not the developers, have to pay for that. After several major spills, the city was forced to hook up to the regional system, with the treatment plant about 30 miles away (40 as the pipeline runs). The result is that most of us are using less water and paying more for it, for the benefit of the people in the new section of town where the developers were supposed to find their own water source but bought the city off to use the "surplus" generated by the water meters. Key point was using a state law as an excuse to add and start reading all the meters. Instead of fighting for big government $$, just get the right thing done.

We've had a certain amount of that where I live. That for very low costs keeps our systems safe. (I guarantee you this is a rampant problem in companies.)

Alternatively, I think major software companies should open a “government & critical infrastructure” wing. Secure, stable, auditable remote access is just as necessary if we are really going to secure systems like this. Microsoft learned this with virus protection, that it couldn’t keep punting to 3rd parties.
“Premium” such as integration with AD, 2 factor, and easy patching / updates being locked away in $$ enterprise subscriptions may drive revenue, but also encourages hacking, workarounds, and vulnerabilities. And the resistance of it being a fundamental part of the OS means we end up with shoddy and cheap workarounds to get the needed functionality. Lots of non-tech people use / require it. Remote access SHOULD be a system level and common feature. May not be a popular take here, but I see this as part of a fundamental issue with Operating Systems. You can't have Fort Knox security for the price of an ADT alarm panel. What does need to happen is aligning our expectations of security with the investment we're willing to make to achieve it. Office buildings aren't fortresses, and nobody considers it a scandal if the security guard at the front desk fails to stop armed intruders. That's OK - business leadership makes business decisions, and deciding that security is too expensive makes sense in a lot of cases. As long as IT is focused on being fast, flexible, and ever cheaper, we're not going to deliver security. Look at any even moderately secure physical facility and you'll find multiple layers of checkpoints, actual people (guards) whose sole job is to be part of the overall security system, limitations on who can use which parts of the facility and when, special construction techniques, etc.

Actual security is difficult, inconvenient, and expensive. Not that that's unique to information security. The resulting system, if implemented, is going to be admin-intensive to keep it in a secure configuration. Any system that has completed a TSSEC EAL4/5 evaluation, for instance, is likely to be technologically out of date, foreign to most users, and only certified in a limited configuration. The problem, IMHO, is that secure systems need to be simple enough to understand and static enough to audit, not composed on the fly of code from dozens+ vendors.
It's not as if building secure systems is a mystery - we've had decades of academic research and industry experience. It's going to take money to fix, and not just salary dollars for infosec professionals. None of them were interested in actually being the person who has to close the holes they find. I've worked with heaps of excellent penetration testers over the years. It challenges their brains constantly and keeps the reward center of the brain triggering. The really, REALLY talented people who could actually make a difference in defense are often socially awkward, not good in meetings with management, condescending of non-InfoSec people, and they also bore easily.

Ergo, a lot of them end up as pure white hat hackers/penetration testers. Both can be boring at times, and both are constantly being asked to burn time on stuff that doesn't *actually* improve security/reduce risk. That's called the InfoSec industry and it's struggling to find candidates just to fill the roles that already exist.

Even worse, the people who are actually A) Talented and B) Not just interested in penetration testing are extremely rare.