Saturday, August 05, 2006

Theft of sensitive information

A bit of a diversion from the standard environmental stuff today...

I've been seeing more and more news items involving stolen laptops that contain people's personal information, social security numbers, etc.
This absolutely blows my mind, especially given the companies that have been involved...
The Veterans Administration. ING Financial Services. These are companies/agencies that should know better.

Fact #1- Laptops are ridiculously easy to steal because of their mobility and reasonably small size, and even easier to fence for a quick buck.
Fact #2- The average computer user barely knows how to safeguard their own personal information from being stolen and used fraudulently. Why would they be trusted with someone else's?
Fact #3- Even if the laptop in question isn't physically stolen, there are plenty of ways to break into either a data stream or the hard drive itself by exploiting vulnerabilities in the operating system, or by sniffing unencrypted packets out of the air when the owner is using wireless at Starbucks.

Given these three facts, why on earth would any systems administrator allow sensitive information to ever leave the doors of the office??
The answer? There are plenty of sysadmins out there who have never given any serious thought to their information access policies, or have been shot down by people above them who wanted their people to be able to work remotely and weren't willing to spend the money necessary to implement proper controls.
What scares me is that the government hasn't stepped in to fix this problem yet. I guess maybe some senator has to be a victim of an identity theft before it becomes his concern.

To that end, I propose the following rules:
Treat the social security number like classified information. The government has plenty of spook agencies that know how to deal with classified information, and even more government contractors that have this down to a science. There should be a required Information Security training course for people who access things like social security numbers to make sure that they are aware of proper handling procedures for sensitive data like this.

The general rule of thumb for classified information?
Background checks for anyone that needs to access it to do their job, so that you catch people who might misuse it before they do so.
Information access is on a need-to-know basis. If you don't need access, you don't get access. This includes use of partial numbers, such as last 4 digits.
Storage restrictions- This data must be stored in an encrypted, password-protected form. It cannot be copied in whole or in part from the secure location(s) that it is stored in except for backup purposes. Any need to access the data for analysis or manipulation must be done by linked access, so that the data only leaves its storage area in encrypted form, and only exists on the user's local machine in encrypted form, so they (or anyone else) can't directly get to it. When they disconnect from the network, it stays on the network, and not on the laptop that they tote home with them, or the USB drive attached to their keyring that has all of their work files on it, or other removable media.
If they need to be able to access the data from outside the office, proper procedure should be followed, such as using a server that is only reachable using an encrypted Virtual Private Network, a SecurID token, and a password, so that this isn't something your average hacker can find his way into.

Further restrictions on the use of such information. If you don't NEED to have a system key off of the social security number, you can't use the social security number. Basically, except for things involving a person's financial records, the SS# is not to be used as an identifier. Any user who is being asked for their SS# as a login to a website, or otherwise suspects that a company or person is not observing proper security measures in handling the SS#, can report the asking party to the FTC's identity theft folks for investigation and prosecution.

To ensure that this is immediately followed, penalties will be stiff. Depending on how egregious the violation (number of people compromised, willful vs. accidental, individual vs. corporate), fines can range from a few dollars to a few thousand dollars, assessed on a per-violation basis. This will add up very quickly when you're dealing with a database that is accessed every day, or with a huge database.
If an employee violates existing company policy and takes information home that they shouldn't have, like in the case of the VA person earlier this year, the company will be held partially responsible, since they obviously had a hole in their policy that provided opportunity, but the individual will be held personally responsible as well, for civil and criminal penalties. This seems harsh, but if people believe that they will not have anything worse happen to them than that they lose their jobs, and the company will take all of the heat, there's not much disincentive there. If they are worried about going to jail, and being in debt for the rest of their life because of fines, they might think twice about bending or being ignorant of that particular set of rules.

Sunday, July 30, 2006

What would you do with $35 billion?

$35 billion (that's billion with a B) in 90 days....
Roughly extended to the entire year that is somewhere north of $100 Billion!
There's lots of stories on the same topic right now, but here's my take on it.

People get outraged when they see repeated huge profits at their (perceived) expense. Welcome to capitalism. The oil companies have found a way to make huge amounts of money by continuing to do what they do - take advantage of the fact that the government and the people in this country haven't figured out yet that this isn't a short-term spike. There's no incentive for them to dramatically increase production and supply to reduce gas prices or crude prices (where they have control over it) because that means they won't make as much money, and they have little control over demand in India and China, or the unrest that is present in most of the oil-producing areas of the world. So we continue to ride on the razor edge between expertly played capitalist supply and demand and price-fixing. Occasionally we hear about an inquiry into alleged price-fixing, or some half-baked idea about giving everyone a rebate that equals about 1-2 tanks of gasoline, but no one's really doing anything about it except complaining, yet.

The way I see it, we're missing a significant opportunity to dramatically increase our funding of alternative energy and improving our infrastructure for existing alternative fuels without impacting the US deficit.
Problem #1: There's not nearly enough money being invested in alternative energy to produce results as quickly as they are needed.
Problem #2: Nearly every biofuel that is available now is suffering from an infrastructure problem. Detroit's building E85 vehicles like crazy, but there are few stations outside of the Midwest where it's readily available, so most of them will use straight petrol. Biodiesel, same basic problem. Even if the distribution channels were resolved, there's a production scale problem. None can be made in sufficient quantity to fuel all of the vehicles that can support it with little or no modification.
Problem #3: Oil companies don't want us to find a cheap alternative to oil because it's their bread and butter.
Problem #4: Oil companies don't like independent station owners selling biofuels at their branded stations, because they usually are from an independent source. The main objection is that they can't vouch for the quality of the fuel because they didn't produce it, and it stands to dilute their brand quality if it's crap. This is a valid argument, but one that is fairly easily solved.
There's also the question of liability if someone puts the wrong type of fuel into their car and ends up trashing it, but that's a junk argument. The oil company isn't liable today if some moron puts diesel into their unleaded-fuel-only machine, why would these be any different?

Solution: Force the oil companies to provide alternatives to standard gasoline. Maybe they have to subsidize them with their profits to start with, but the idea is to force them to refocus on some less profitable areas now while they have the cash to cover it, so that as we shift away from oil, they don't just fade into obscurity.
BP and Chevron have both had ad campaigns in the past that seem to imply that they're funding alternative energy research to some extent, but here's what I would do:
All oil companies would be required to provide at least one pump every 25 square miles (where gas stations currently exist) for E85 and Biodiesel. Doesn't matter which company, in areas where there's multiple stations, they could work out an agreement to balance the costs. In company-owned stations, this is straightforward, but since many stations are independently owned, the company providing the gasoline and diesel would be required to fully fund the addition of all equipment needed to support this set of pumps, including permits, tanks, inspections, etc. This would also mean that they'd have to provide the fuel, or buy it from a third party and certify its quality.
In order to ensure that it would sell, they would be required to absorb some percentage of the costs to make it competitive with the existing petro-products and give people an incentive to use them. They would not be permitted to pass this cost on to the independent station operators. This is especially important for something like E85 that actually reduces fuel economy while decreasing the amount of gasoline burned. This means that it would be in the oil companies' best interests to decrease the costs of production. Maybe that pushes them into lobbying to eliminate the tariffs on importing ethanol, or funding research into a hybrid sugar cane that can grow in the Midwest, or finding a way to actually make ethanol from switchgrass, cornstalks, and other biomass economically, or all of the above. I'd bet that the market for used fryer oil and other vegetable oils jumps too...
While I'm not convinced Ethanol will ever become a viable alternative, this at least gives it a fighting chance to let market forces decide instead of propping it up with subsidies and CAFE loopholes. On the diesel side, once the supply problem is solved, it's even feasible to switch to a biodiesel blend and phase out straight petrodiesel altogether, since most diesel engines can burn biodiesel with almost no modifications. Different blends would be available based on time of year and climate, since biodiesel is more temperature sensitive than petrodiesel. Couple that with some lobbying to ensure that all new diesel engines can run on up to 100% biodiesel, and existing ones have retrofit kits available from the manufacturer, as well as ensuring that consumers and large commercial interests are compensated for any modifications to their vehicles to support biodiesel, and you can make that switch for an immediate reduction in petrodiesel use.

On top of that, each company would be required to invest some percentage (maybe 10 to 25%) of their annual profits on funding alternative energy research. Think of what an annual injection of $10-25B on top of the existing government and private-sector funding would do to jumpstart alternative energy research and development! If they're smart, they'll keep that in-house, like BP Solar, so that they can eventually benefit economically from that research, but even if they don't, this would be a big deal.
Yes, I realize that what I'm suggesting is not capitalist supply and demand. We all know that straight capitalism, unchecked, crushes the competition, rapes the environment, and takes all of the little guy's money in its pursuit of a dollar. This sort of tweaking to use the engine driving capitalism to improve our energy prospects just makes good sense - much more so, I think, than trying to do it just through government subsidy.

Monday, July 24, 2006

Building codes

I've just come back from 2 weeks of vacation in 2 different locations - lucky me. However, a thought struck me when I was staying at both places...
Why is it that we don't have simple energy savings written into the building code everywhere?
Every time I went to take a shower in location #1, it was quite obvious that the hot water pipes weren't insulated. I had to run the water at full hot for 30-45 seconds before actually getting any hot water. Imagine the energy wasted reheating all of that water. A few dollars of styrofoam pipe wrap insulation when the place was built could have significantly reduced it, but unless the owner requests that the builder have this done, it's not required by code, so no luck.

Then, in location #2, I'm pretty sure that the builder was absent the day they went over "heat rises, cold falls" and undersized the AC on the 3rd floor, which, since the house was an upside-down, was the kitchen/living room, where people congregate and the most heat is generated. Consequently, the AC ran non-stop the entire time we were there. A few simple tweaks in the way that the 3 zones of AC were set up in this house would have made a significant difference in the amount that each unit needed to run to maintain comfort.
Then, the house had an elevator, which was really neat. However, there were two recessed floodlights that were providing the light inside the elevator car. There was no way to turn them off when they were not in use, and they weren't even CFLs, so they ran their incandescent selves 24 hours a day. This house was built a YEAR ago, and no one thought to use energy saver bulbs?

These are good examples of little things that should be done differently in building homes where possible. Many energy saving things can not easily be retrofitted into an existing house without incurring a large additional cost, but new construction should be held to a higher standard via the building codes. Since they have to purchase items like appliances, HVAC, lighting, insulation, etc, the incremental cost of requiring Energy Star or energy saving items would be low, and would make little impact on a house that's costing multiple hundred thousand dollars to build.

Ideally, a conservation think tank or the EPA would come up with a series of guidelines for the minimum, moderate, and maximum energy savings in new construction and major remodels. All builders would be required to comply with the minimum, which would be things such as using CFLs where incandescent lights are not needed, insulating to the recommended max R value for the region, insulating all hot water pipes and HVAC ducts, and recommending Energy Star appliances. Moderate would include using a 90-95% efficient HVAC and hot water system, insulated windows, and all energy saving light fixtures. It would also include replanting trees to replace any that were taken out during construction, and taking advantage of minor design changes to improve energy use, such as taking advantage of northern/southern exposures, shade, and convection patterns to reduce space heating/cooling needs. Maximum would include solar installations for electricity and hot water/heat, or ground-based heat pump, or a small wind turbine, or a green roof, as well as extensive use of renewable building materials.
There are green builders out there doing this today, especially in custom homes, but the vast majority are still looking for the fastest, cheapest way, and aren't going to be inclined to figure this out for themselves. If a combination of a mandate for minimums and guidelines that are easy to implement come out, a builder can make the moderate and maximum items an option or package on their semi-custom houses, just like colors, carpet, and whether or not you get the sun room and the family room option. Standardizing in this way allows a builder (and the consumer) to take advantage of bulk-purchase deals and reusable design elements similar to the way that they build most houses today - a limited range of options based on an existing design.

Wednesday, July 12, 2006

Distributed Solar

Wal-Mart today had a meeting with Al Gore where they talked about sustainability. Wal-Mart has announced some pretty lofty goals with regards to reducing energy consumption and waste. http://www.walmartfacts.com/FactSheets/Sustainability_Fact_Sheet_FINAL-WM.pdf

Some of the things that they list are things that I have previously said to myself, "why is it that..", so I figured this was as good of a time as any to mention one or two, even at the risk of sounding unoriginal, but hey, I never said every one of my ideas would be original.

Not too long ago, I was flying into a reasonably sized city. As we made our approach, I enjoyed the aerial view, as I always do. However, I was struck by the ridiculous amount of flat-roofed buildings of significant size that are in your average town. Big-box retailers like Wal-Mart, Target, Lowes, etc, strip malls, regular malls, warehouses, manufacturing facilities, you name it. All of them with the same general design... low buildings with lots of square footage of flat, usually metal roofs. I thought to myself, "why is it that we don't have solar panels or green roofs on every single one of these buildings?"
If a company the size of Wal-Mart were to cover the roof of every building it had with PV solar panels, there would be literally billions of square feet of otherwise useless space generating free, renewable energy. My guess is that with the most efficient PV panels around, a building of that size would be energy neutral on all but the cloudiest of days, even with an electronics department full of televisions and all of the computers and registers. And if any company on the planet can reduce the price of deploying solar panels due to increasing the scale, it's Wal-Mart.

This would lead to a trickle-down effect, as more businesses did the math and realized that in addition to the brownie points that they'd win with those of us that were concerned about their impact on the environment, it may actually be cost-effective as well.
This is where something like solar power (or wind power, where there's steady wind and a willing community) makes a lot of sense. It's a lot harder to get traction for residential solar because of its cost and payback time, and it's not really viable as a replacement for your local power plant because most houses barely possess enough square footage to generate the proper power to break even.
Commercially, the economies of scale make it a better proposition, especially somewhere like a warehouse, where the vast majority of the space is not actively consuming power at any given time, or at least is consuming much less power per square foot than a home or office building.
Get to a critical mass point of distributed solar deployment, and you could conceivably distribute the load of a region over all of the solar panels with excess capacity, and idle all of the non-renewable power generation until nightfall. Do this on a much larger scale, and couple it with improvements in the national transmission grid, and you can take advantage of the timezones to use power from sunlight in California to light my kitchen during dinner on the east coast instead of my local power company firing up the coal boiler.

I hope Wal-Mart makes good on its claims. Big business support for alternative energy and sustainable use of resources has a much larger effect overall than all of the early-adopter individuals that are doing everything they can.

Sunday, July 09, 2006

Introduction

As most people do, I get ideas reasonably often about all sorts of different subjects. Things I hear about in the news, programs I watch on television, articles I read in newspapers and magazines, experiences I have, etc. often start me thinking, which can be dangerous, but sometimes also leads to (at least for me) interesting conclusions.
I realized after mulling the idea for a while that it might make sense to blog some of those ideas. I don't know that they're especially unique, or that anyone will care what I think, but perhaps someone out there will either agree or set me straight for missing an important point.

The ideas I seem to be having more and more often lately are ways to improve the hole that we seem to be digging for ourselves in terms of our use of natural resources. I don't consider myself an environmentalist, per se. My interest lies more in the area of what I guess I'll call practical environmentalism. One person doing everything they possibly can to be "green" will not make an appreciable difference in the environment, unless they're perhaps leader of a large country or a multi-national corporation. However, I'm of the belief that there's an awful lot of little, easy things that everyone can do that when taken as a whole, start to make a significant difference.
Many of the posts to come are going to be "why don't more people do..." with relation to this general theme. I can guarantee that I'll sit down to the keyboard more than occasionally and put out something that is not related to the environment, but that's why it's my blog. :-)