Monday, December 10, 2012

Boehner should give Obama what he asks for

There are a lot of media outlets who are saying that Obama won the election, so the House should give him what he wants.  These same people had no problem with the Congress not giving Bush what he wanted on Social Security reform or Reagan what he wanted on spending reform, so I think it's a bunch of opportunism.  But that's not how I'm approaching this.

The number one classic blunder, possibly surpassing starting a land war in Asia, and certainly going against a Sicilian when death is on the line, is agreeing to closed door negotiations reported by a hostile media.  The Republican leadership should never have agreed to closed door negotiations and given their involvement should extricate themselves as quickly as possible.  As Jonah Goldberg notes, watching this budget debate is like trying to follow a cricket match based only on selective leaks to a hometown press of one of the teams coming from the players.

From a technical perspective, though, even if the whole thing happens in the open this cannot produce a good outcome from the perspective of Republicans in the House.  I don't mean by that it can't help them politically, that's unlikely too, but not where I'm going.  The perspective of the Republican leadership (which I agree with) is that the fiscal path of the United States can only be saved by massive reduction of the federal government, most especially in entitlement spending.  This is one way I'm certain that the accusations that the Republicans are trying to sabotage the economy and blame the President are false.  The Republicans really believe that tax increases will destroy the economy and that continued spending at 24% of GDP is going to cause a debt melt down.  You can tell they believe that because that's what they do if they're in control.

There are numerous reasons they can't possible get this, but most important in this context is that a failure to reach a deal will be seen as caused by intransigence on the part of the Republicans rather than the President.  If John Boehner agreed to massive tax increases written by Harry Reid in exchange for a 2% reduction in Medicare spending and the bill didn't pass the press would cover it as failing because Republicans were holding the whole thing hostage for a Medicare reduction.  The second major reason is that because of how taxation and budgeting works in Congress a tax increase will happen but a budget reduction is only a promise on the part of Congress that when they actually write the budget it will be what they promise it is now.  I'm not sure they have ever actually followed through.

So given these choices I basically see three choices for the Republicans in Congress:

  1. Negotiate strenuously, fail to get what you want, we go over "the fiscal cliff" and Republicans get blamed
  2. Negotiate strenuously, get what appears to be some set of spending reductions that we'll never actually get in exchange for tax increases we will (I'm actually doubtful this is possible.  My personal opinion is that the Democrats are currently sufficiently insulated from the consequences of a failure to reach a deal that they don't even need to agree to spending cuts they don't want that won't actually materialize).  The taxes don't bring what the Democrats say they will and Republicans get blamed for the fiscal shambles because they didn't agree to what was asked for.
  3. Get the Democrats to write a bill, have the Republicans who wanted to make a deal vote present, Tom Price and the solid conservatives can vote against it, but let it pass.  
I think, as do many Republicans, that option 3 is going to cause a near catastrophic collapse of the economy within a couple of years as we either experience massive inflation from the Fed buying all of our bonds or bonds stop selling because nobody believes we can cover the debt, which is why they don't want to do it.  But, under the Republican operating assumptions options 1 and 2 also lead to a near catastrophic collapse of the economy, they just give people an opportunity to say the reason it happened is that we didn't give the Democrats everything they wanted.

I'll note there is a problem with this plan.  I'm being extremely cynical, but I'm not sure I'm cynical enough.  Option 3 presumes the Democrats would actually put down in legislative language what they say they want.  If what they really want is to go over the fiscal cliff and blame Republicans for it they might not be willing to even put down a list of demands on paper for the Republicans to pass.  If that's the case, though, I still think Republicans can do better damage control if they start (preferably last month) vocally asking for proposals so that they can at least claim when the press starts talking about their intransigence that they would have passed anything given to them, but they didn't have anything to pass.  I don't think this would actually work, but some people might listen.

I should note, the original idea for this came from John O'Sullivan in an interview he did with Peter Robinson, but he didn't go into the depth I do here.  Maybe he did somewhere else but I haven't seen it.

Thursday, November 8, 2012

Give Federalism a chance?

There's a lot of talk about yesterday's presidential election, but I don't want to talk about that.  What I find interesting are the ballot measures.  Here are the ones that are even mildly interesting:

  • Three states, Colorado, Washington, and Oregon, decriminalized some for of marijuana usage as a state matter.  It's still against Federal law
  • Three states, Maine, Maryland, and likely Washington, endorsed gay marriage.  31 states had previously officially rejected endorsing it.
  • Two states, Maryland and Rhode Island, extended legalization of gambling while one, Oregon, rejected it.
  • One state, Missouri, explicitly disallowed their Governor from legislating on health exchanges
  • One state, Montana, required parental notification of abortions
  • One state, California, voted to keep the death penalty

I find these interesting not because of the content, but because it shows that we still want Federalism.  The most interesting to me are the marijuana bills.  Those states are reliable votes on federalizing just about anything, yet the actually bothered to put on the ballot and pass a measure to decriminalize something that's already against federal law.  Why bother?  I would bet a large percentage of the people who voted to decriminalize at the state level drug use that's still a federal crime think Missouri's rejection of Obamacare at the state level is insane.

But why?

Why must everything be a federal issue?  Why can't some states have the death penalty (even for minors) and others not?  Why can't some states have legal marijuana and not others?  

I'm so tired of hearing about how horrible it is we're a divided country.  I can tell you how we can stop being a divided country:

Let the people in Washington have their legal marijuana and gay marriage, but don't make the people in Georgia endorse gay marriages established in Washington.  Let Massachusetts have their government run healthcare, but Texas stay with private healthcare.  I understand that some things, even some very important things, must be handled at the Federal level.  There may be serious issues with parts of Sarbanes-Oxley, but I'll admit it had to be done at the Federal level.  (And, conveniently, it has to with the regulation of interstate commerce, which was already a Federal power)  But huge chunks of what makes us a divided nation (Carbon emissions, health care, abortion, gay marriage, drug control, speed limits, drinking ages, the death penalty...) don't have to be national issues.

So if Montana and Washington State both agree that there shouldn't be one national standard, why can't we go back to not having one national standard?

Thursday, October 25, 2012

Bayonets and Submarines

The debate earlier this week contained this exchange:
ROMNEY: Our Navy is old -- excuse me, our Navy is smaller now than at any time since 1917. The Navy said they needed 313 ships to carry out their mission. We're now at under 285. We're headed down to the low 200s if we go through a sequestration. That's unacceptable to me...
OBAMA: But I think Governor Romney maybe hasn't spent enough time looking at how our military works. You mentioned the Navy, for example, and that we have fewer ships than we did in 1916. Well, Governor, we also have fewer horses and bayonets, because the nature of our military's changed. We have these things called aircraft carriers, where planes land on them. We have these ships that go underwater, nuclear submarines.

It has since come out in numerous news sources that we actually have more bayonets than in 1916, that they were used in Iraq and Afghanistan, that we used horses actively in Afghanistan, and that we had submarines in 1916 (As did the Germans in sinking some of our ships leading up to our entry into WWI).

The most common response I've seen to this is that it's pedantic and misses the forest for the trees.  I disagree.  It would be pedantic to point out that Romney said 1917 (because by 1917 we had built more ships for WWI) and Obama would have been technically accurate about bayonets if he had also said 1917 (we drastically increased the size of the Army, and thus the number of bayonets, after entry into the war).

The problem with Obama's statement isn't the minor facts, it's that he's using the minor facts to show that his knowledge of modern combat is far superior to either Romney or the Defense Review Board that asked for more ships, thus the dismissive introduction about spending time looking at how the military works.  If Obama had spent the time he claims Romney needs to spend on "looking at how our military works" he would know that every one of our Marines still carries a bayonet, is trained to use them, and have used them in recent conflicts.  Worse his ignorance is practiced.  This isn't a line he came up with on the fly, he had prepared this response knowing that the question would be asked.  He could have justified his decision to hold the number of ships down by some example of how he believes we can adequately project power with the 285 ships we have, but he didn't.  He made a premeditated decision to instead portray Romney as a backwards ignoramus who is stuck in the days when we used bayonets and horses, not understanding that we still use bayonets and horses.

Wednesday, October 17, 2012

Obama's one point plan

In the debate last night President Obama accused Governor Romney that
Gov. Romney doesn’t have a five-point plan, he has a one-point plan. And that plan is to make sure that folks at the top play by a different set of rules.

I disagree with this characterization of Governor Romney's plan, but I'm more interested in Obama's plan:

  • Special rules for the GM bankruptcy to reward politically connected creditors over senior creditors
  • Over 1200 special exemptions to healthcare rules
  • Special loan and grant deals to politically connected green energy firms, several of questionable legality (such as the subordination of the US loans to Solyndra under private loans)

Who wants to have different sets of rules again?

Romney would have let GM go bankrupt. Obama did.

In last night's debate Obama came back to one of his favorite campaign talking points: Romney would have just let GM go bankrupt.  While it's true that Romney would have done so, and said he would in speeches, I'm not clear why it's interesting.  GM went bankrupt and Obama supported it.

The first sentence of the Wikipedia article on the GM restructuring (which is accurate):
The General Motors Chapter 11 sale of the assets of automobile manufacturer General Motors and some of its subsidiaries was implemented through section 363 of Chapter 11, Title 11, United States Code in the United States Bankruptcy Court for the Southern District of New York

There are serious questions surrounding how the bankruptcy was handled.  For instance whether TARP repayments could legally be used to bailout automakers, or whether the Federal government actually has the power to subordinate higher priority creditors in order to make sure that union pensions continue to get funded, but Romney and Obama agree that the whole thing should be handled through Chapter 11.  We know that because Romney said so and Obama handled it through Chapter 11.

Tuesday, September 18, 2012

My Dream Cabinet

I've been thinking lately about what cabinet members I'd like to see in a Romney administration.  I'll first note that I'm not that worried about the Senate.  Obama has already demonstrated that you can make recess appointments while the Senate is actually in session, so Romney should be able to just make them all as recess appointments his first weekend.

Secretary of State : John Bolton.
Secretary of the Treasury : Thomas Sowell
Attorney General : Andrew McCarthy
Department of Defense : ???

The rest of them I'd prefer to just get rid of, but I'd love to see comments on good candidates anyway.
Also, it's not a cabinet position, but I'd love to see Ann Coulter as Press Secretary.

Oh, forgot one:

Secretary of Homeland Security : Bruce Schneier

Wednesday, August 15, 2012

More debate debates

story came out late yesterday that a group of Democrats had written the "Commission on Presidential Debates" requesting that they not bring up the Simpson-Bowles recommendations in debates.  This evidently comes after a group of Republicans had written requesting they ask specifically which parts of Simpson-Bowles they agree with.

I have thoughts on whether or not the National Commission on Fiscal Responsibility and Reform (the formal name of the Commission Obama put Simpson and Bowles in charge of) is actually relevant in the Presidential debates, but that's not my real issue here.  My real issue is that a private corporation initially established by the heads of the parties is accepting suggestions from individual congressmen on what the American people should or should not hear about during the Presidential debates.

Can we not get back to a format where candidates lay out their own cases and try to rebut the other side without the circus of 3 debates plus 1 vp debate, one of which is a "town hall" where questions are selected by a biased, but supposedly impartial, selector from the general public, all moderated by biased, but supposedly impartial, journalists?

Mr. Lincoln, do you prefer boxers or briefs?
Mr. Douglass, you have setup land grants to favor railroad expansion in Chicago.  As President, will you continue to support the railroads?

Tuesday, August 14, 2012

Traffic Shaping, part 2

A few days ago I bragged about my beautiful flow control on my home network.  Things were much better than before, but they weren't as good as I thought.

Backups hummed along at 95% of max line speed and interactive traffic usually responded in a half second or so.  But not everything was well in the Federalist household.  You see sometimes in the evenings if the kids are good we have "screen time."  When this happens my wife usually watches something on Hulu on her laptop, some of the kids watch Netflix on the Wii, and others might watch YouTube on a desktop.  When that happens everything pauses and has to wait to buffer and interactive latency shoots up to an unacceptable 2-3 seconds.  This vexed me so I went into my router looked around.  Problems, but no obvious solutions.  The backup traffic is way over its allocated bandwidth and the normal traffic is nowhere close to its allocated traffic.  Traffic shaping is supposed to fix this, and in my testing it did.  So I did what any geek would do, I started noodling with stuff.  Raise txqueuelen on the vlan.  Lower txqueuelen on the vlan.  Raise it on the physical device.  Lower it on the physical device.  Change burst lengths on the classes.  Nothing helped.

Then I started Googling and found the answer.  I consulted probably a dozen sites on using Linux traffic shaping before I wrote the first script, but they all missed something critical.  They said to measure your bandwidth with different sites and figure out what your actual upstream bandwidth is and use that as your cap.

Your DSL company provisions exactly the bandwidth they said.  I know, you've never gotten within 90% of the advertised bandwidth.  I haven't either.  That's their fault, but it's not because they're lying, it's because they're inefficient.  And only when you understand exactly how can you traffic shape DSL properly.

The maximum length of a TCP/IP packet on an ethernet frame is 1500 bytes (excluding jumbo frames, because they don't apply here.)  Ethernet sticks a 14 byte header plus some padding on that, but Linux's traffic shaping modules are clever enough to figure that out, so you don't have to worry about it (which is why if you watch your stats, even if you set your max well below the capacity of your line you can never sustain it).  But DSL is actually PPP, so it sticks another 8 byte header inside the ethernet frame, lowering the max per packet to 1492 (but not the size of the transfer).  It's actually potentially worse than that because there could be other information stuck either inside or outside the ethernet packet but this isn't really the cause of the problem, and it's virtually impossible to get your DSL provider to tell you what the DSL packet really looks like, so I'll pretend it's just 8 bytes.

So you have 1492 bytes being transmitted from your router and 1500 bytes leaving the modem.  But DSL isn't ethernet.  It's being carried over the same line that carries the voice traffic, and that uses ATM.  So that the small packet voice traffic doesn't have to compete with huge data packets, ATM uses fixed 53-byte cells with 48-bytes of payload.

So we take our 1514 bytes (1500 plus the ethernet header) and divide it into 31 cells of 48 bytes (with 5 byte headers) and one with 26 bytes (padded to 48 bytes, with a 5 byte header).  Now our router sent 1492 bytes in data (which it counted as 1492+14), which takes up 32*53=1696 bytes.  Meaning we get to use about 88% of the bandwidth outbound from the modem.  This is where those numbers from our speed test came from.

But that's the maximum length of an ethernet frame (which also happens to be the easiest thing to speed test with).  What about the minimum?  The minimum TCP/IP packet is 20 bytes for the IP header plus 20 bytes for the TCP header and no payload for 40 bytes.  This happens to be what an ACK looks like, which happens to be pretty much the only thing you send back to a streaming video provider while you're watching a video.  When we packetize that for DSL/ATM we take 40 bytes, add an 8 byte PPP header and a 14 byte ethernet header for 62 bytes.  Then we divide that up into one frame of 48 bytes and one frame of 14 bytes, each with a 5 byte header.  So our router counted our 40 byte packet as 54 bytes, but it really took 106.  That means every single ACK that netflix, hulu, youtube, etc. are throwing takes twice as much DSL bandwidth as the router accounted for.  You don't notice this normally because ACKs are small and they're only sent roughly once per round-trip-time to the other side (on DSL, over 100ms) so on a single connection we're talking maybe 10kbits per second.  With multiple continuous downloads (which is what streaming video looks like when observed as raw bandwidth) we're adding 40k, but counting it as 20k.  Again, this wouldn't normally be a problem, but we were letting the low priority traffic use all the available bandwidth so now suddenly we're asking the DSL modem to send 400k per second on a 384k link and it's throwing stuff away randomly, causing retransmits and latency and all that stuff we were trying to avoid.

So we could fix this by lowering the bandwidth cap on the router to half our provisioned bandwidth.  It would be obtuse beyond belief, though, because then on large packets that make up most of our bandwidth by volume we're wasting half the already small pipe.  It ends up linux comes to our rescue again.  The htb qdisc (which I was already using) or the stab function on traffic control (which isn't available on the version of OpenWRT I'm using) provides both for a way to add additional overhead to the packet and to even to account for waste on different frame sizes later.

So now I have a new script that provides a full 384kbit outbound but sets "overhead 8" and "linklay atm" to tell linux how the DSL modem is going to mangle the traffic.  I've also gotten rid of the Wii rules and replaced them with a rule that just prioritizes all ACKs, which I suspect will give me high priority streaming video without having to actually identify streaming video (and as a bonus keep downloads downstream bound instead of upstream).  I'm sure I'll find faults with this, but in my testing it performs beautifully.  Even with uploads running at 97% of capacity I'm seeing latency numbers that look like an idle pipe.

EDIT: This ended up not working out as well as I want, so I ended up upgrading the router to kernel 2.6 and using the stab function to recompute packet size on enqueue and it's worked out fantastically.  In my test last night I was running netflix, hulu, and youtube simultaneously on three different computers while running an unrestricted upload with the bulk traffic flag set.  None of the videos paused at all and latency on ssh traffic was about 5% above an idle link.  I've updated the script above to the new 2.6 one.

Tuesday, August 7, 2012

Passwords or "You're not paranoid if they're really out to get you"

After writing my first two posts on backups I was wondering if I was overly paranoid having not just a primary and backup storage, but primary and three separate backups.  This story convinced me I'm not. The writeup is excellent and you should read all of it.  I'll wait.

This is an excellent example of why you shouldn't trust somebody else's security model even to be what they claim it is.  If you have the either the account and password for a CrashPlan account or access to the system itself, you can delete all its CrashPlan backups.  These particular hackers don't appear to have cared what was actually on the laptop they were deleting, but I feel a whole lot more comfortable having a semi-recent copy of my data offline and recoverable even if CrashPlan's security is compromised.

I'll note, this is not a screed against CrashPlan's security.  As near as I can tell it's about as good as anyone else's.  I would have required a separate authentication on the system to delete the backups from the cloud (and no, setting "require account password to run CrashPlan desktop" is not sufficient.  I've set that and turned the network off, it's authenticating against a locally stored hash which means it can be bypassed using the locally stored credentials), but even if it were implemented exactly how I want, I still wouldn't trust it.

The author concludes "My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing."  I disagree. The problem isn't password-based security mechanisms.  Brute forcing a password is a terrible way to hack an account.  Even a weak password would take days on a badly configured service.  A horrible password (say a dictionary word, a single digit, and a single special character from the top row of the keyboard) would take 8 hours at 10 attempts per second, which ought to prompt any reasonable service to go into lockdown.  The problem is with the non-password methods we've developed to make resetting your too-secure password easier.

Apple's security failings are unforgivable.  Maybe ten years ago I could forgive Apple for using the last four digits of a credit card as some sort of secure PIN.  If they used the full number I would think it unacceptable, but forgivable.  Pretty much every modern system prints the last four as an insecure verification.  The reason Apple used the last four digits is that Payment Card security standards don't let them publish the entire number outside the secure area.  In other words, the full number is important security information, but you can publish the last four digits to your customer service personnel because they're not sufficiently identifying to pose a risk to the customer's identity.  But if they're not sufficiently identifying enough to compromise the customer's identity by publishing them, why does Apple think they're sufficiently identifying to give away the user's account?  Apple's posture is that you have a password for your account, but if you don't have that they'll take your less secure "security questions", and if you don't have those they'll take a matter of public record and a number that's probably printed on a dozen receipts you threw in the trash or left in the gas pump.  Amazon's is worse from an authentication point of view, but not as comprehensive.  You don't need to authenticate yourself at all to add information to the account, and that information can be used to authenticate yourself afterwards.  These are both absolutely boneheaded setups that should have been caught immediately.

I currently consider Google the Gold Standard for current internet security.  ING actually has more security and I want to consider it first.  A quick perusal of the forums will show you all sorts of people trying to bypass ING's security system.  ING requires security questions just to get to the password entry dialog if you're at an IP they don't recognize, they only accept numeric passwords (because they're less likely to be your wife's name) and they have a custom interface for entering them that makes it basically impossible for a browser to cache it.  I don't mind this for my bank account, but it would be extremely annoying for the Photoshop user forum.  (I, in fact, think autocomplete disabling is vastly overused)  I've forgotten my ING password before; it doesn't matter if you know your security questions, they won't even ask.  They snail mail you a new password to your registered mailing address in a completely nondescript envelope that doesn't even say ING on it.  This takes days, but you have to admit it's a lot harder to surreptitiously sort through a victim's USPS mail than it is to guess their first car (and it has the side benefit that going through somebody else's mail is a felony even if they fail to actually take over your account).

The problem with this, like most information security problems, is that people are willing to trade security in the abstract for convenience in the immediate.  Only the most computer savvy are going to be as forgiving as Mr. Honan and say "shame on me for poor security" when they lose all pictures of their kid, but they're not going to use an email service that locks them out for a week when they forget their password, either.  My problem with Amazon and Apple isn't that they weren't up to ING's level of annoyingness, it's that they made it impossible to be secure.

As I said before, Google is probably the best at this.  The interesting thing about Google is that they know almost nothing about you (yeah, I know, Google knows everything, but when you set up your account they didn't ask for a mailing address, a credit card, or even your real name) but they realize that you probably use your Google account for a lot of stuff and you might use your Gmail address for password recovery on various things, so it's important that they not give away your account.  It's sort of ironic that the goal of the Amazon and Apple hacks were to get to a Google account.  Amazon and Apple both knew vastly more about him than Google.  They could, like ING, have paper mailed reset credentials to his billing address, but they were the entry point because they were far easier to nuts to crack than Google.  And if he had had two-factor on Google they would have been insufficient.  The vandals could have ordered thousands of dollars of merchandise, but they couldn't have gotten into his email.

Google basically has two levels of security.  With the default level of security you login with a only a password.  With two-factor security there is additionally a smart-phone app that generates time-based tickets and a sheet of paper with backup tickets in case your phone dies.  When you setup your account they ask you for up to three ways to retrieve a lost password:  a cell phone, an email, and a security question (which you can choose).  If you have two-factor authentication you have to enter a code from either your phone or that piece of paper to execute a retrieval (and the phone doesn't count as a retrieval option).  If you can't do this then they make you go through a drawn out process of answering questions based on the contents of your account, preferably from an IP from which you have used gmail in the past.  Despite all this, they should still be better.  When I got back from a business trip to RedHat's headquarters recently I had notices in my inbox that Google had noticed suspicious source IP's logging in while I was away (from RedHat's headquarters).  If Google were suspicious of the fact that a reset request was coming for Mr. Honan's account from an IP he had never used they could have prevented his Google account from being taken over (though the most important damage, at Apple, would already have been done).

So what lessons can we draw from this?

For companies:
  1. State why you use security questions.  I care whether you're like ING and you might need a security question to access the account from an unknown location or if you're just using it for password resets.  Offer reasonable suggestions for them ("What year and model was your first car?" versus something more likely to be on the internet like "What's your pet's name?") but allow the user to type in his own.  I usually make this random gibberish, because I'd usually rather destroy an account than have it compromised, but if I set one I want it to be extremely complicated.  "What's your 10th grade math teacher's last name and the name of the street where you lived in 1995?"  Don't require them, but make it clear that it's going to be a pain to reset a password without them.
  2. Preferably require both the security question and a retrieval email to reset the password.  Ebay does this.  I'm much more comfortable with you sending a password reset to my registered email after I've entered the model of my first car than only one of them.
  3. If somebody doesn't know their password and can't access the standard retrieval mechanisms, be very suspicious.  They've already gone a long way to proving that they're not who they're claiming to be; don't trust them just because they know a billing address or a matter of public record (cough, Apple).  There was a comment on the original article that somebody was really happy with Amazon that they reset his AWS password with only his billing address after he forgot his password and entered gibberish as his security code, but in retrospect he's pissed.  He should be.  It should be hard to recover a password if you don't have the recovery options.  My preference would be send them a password reset via USPS to their registered mailing address.  If you don't have a credit card on file use a human to process it (Apple and Amazon both did this) and require something that only the account owner would know (neither Apple nor Amazon did this) the list of folders in your email, for instance.
  4. Track where your users login from.  Treat logins from unusual locations differently.  This doesn't necessarily mean deny them, but certainly be suspicious.  If somebody is trying to read their email from Nevada when they're usually in South Carolina, they might be on a business trip.  If they're trying to change the shipping address on a package and reset the password on the account, maybe you should require more authentication from them.
  5. Don't disable credential caching.  This is controversial and I'm somewhat torn about it.  I realize the number of browser based attacks out there, but lets face it the options for your average user isn't a super-secret password they cache in their browser or the same password they remember.  If you're lucky it's a decent random password that gets cached or the same password they use for their schnoodle owner's forum (which happens to be "schoodle07" because they got their schnoodle in 2007).  
For users:
  1. All the normal stuff about good passwords and bad passwords.  A good password is complicated, random, and only used once.  "d1pU{x,0D.2," is a great password if you're going to store it in your browser's credential's cache anyway, "gawkier729'acted" is almost as good and easier to remember if you're going to be typing it in. (Well, actually they're both horrible, because I already used them, but you get the idea.)  
  2. If you're asked for a security question, understand how they're going to be used, preferably by testing it, and set it to random gibberish if it's sufficient to reset your password.  As I said above in #2, I'm good with a security question being required to send a retrieval email.  I'm not okay with me having to enter a 30 character password every time I login when the actual security of the account is limited to around 300 models of cars I could possibly have owned as my first car (assuming a Ferrari is really a valid first car).  To get a feel for just how insecure that is, there are 46 normal keys on a keyboard (26 letters, ten numbers, ten punctuation marks) which shifted gives you 92 possibilities.  Which means a 2 character password (92**2) is about 30 times more secure than all models of car ever made.  Last names fare a bit better, but you're still well under 3 characters worth of entropy.  Luckily most sites use email recovery instead of questions.
  3. Your bank account password is not the most important password you have, the email account for your bank account's reset is.  The author of the original email recommends this be a distinct email.  I'm not sold on that: if you do that and don't check it then you don't get reset notices which is just as problematic, plus since places like Amazon use the primary account email for resets you also don't see notices that something has been purchased on your accounts.  What is completely necessary is making sure that the account to which your recovery passwords are sent is completely secure.  That means it needs a hard to guess password that's not used anywhere else, a recovery email that's just as secure, recovery questions that are impossible to figure out from public record, and be somewhere where they're not going to give it away without cracking that.
  4. The login for your various accounts should not be identical to your primary email address.  There's really no reason for you to use your primary email address for your Amazon account.  Gmail (and some other email providers) gives you the option of appending random strings to your email address and still having it delivered just like normal email (in fact, it's easier to filter this way).  If your email is, your Amazon account can be and it will go to your gmail account just like normal, your browser will most likely just cache it, and it's much harder for somebody to get Amazon to reset your account because they now have half a million email addresses to try (26 letters to the fourth power.  This is not true if your Amazon account is  That's better than, but only maginally)  This has the side benefit that when somebody sells your address to spammers they likely aren't smart enough to figure this out so you can figure out who it is by what suffix they used.
  5. Don't trust anybody else with something you can't recover if they screw up.  That's how I started this.  I read an article a while ago about some hacker who was supposedly just a system or so away from hacking computers with nuclear launch capabilities.  I was horrified that a system with nuclear launch capabilities was internet connected.  I would never willingly allow a company to remotely take down my desktop and I do my best to secure it, but I'm smart enough to know that if it's connected to the internet, it's open to attack.  The copy of it sitting in a drawer is a great deal harder.
  6. Don't trust Apple, at all.  This may seem unfair but this isn't a normal hack.  It's a major, fundamental flaw in their entire user security posture.  You might think I'm being unfair in not giving Amazon the same treatment, but I'm not.  I went into Amazon after this and tried to ship to another address using my current credit card.  You can't do it.  Amazon was boneheaded, and they should fix it, but the extent of the compromise is that they gave out the contents of his Kindle and what every gas station prints on your receipt.  Apple gave away the contents of an email account and allowed a hacker to erase a laptop using only information printed on that gas station receipt.

Tuesday, July 31, 2012

Traffic Shaping (or a chance to show off my Visualization Porn)

On Friday I had some spare time so I rebuilt my home traffic shaping to better support my online backups.  CrashPlan has three features that are really nice for not totally annihilating your home network while it's doing online backups.  These each have their pros and cons.

The first is you can only run backups at certain times (e.g. when everyone is asleep anyway).  There are two problems with this: 1) Sometimes either me or my wife wants to watch Netflix at 3AM.  And 2) If I just got back from vacation and have 20GB to backup (not unheard of) it's going to take a week running full-bore all the time.  Cutting this back to 6 hours a day is going to make it take a month.

The second option is to limit the outbound bandwidth.  This is what I had been doing (and, in fact, what I had been doing with my home-grown online backups before using crashplan).  You can limit to using say, 2/3 of the upload pipe and then you're only adding 1/3 of the time to backup and most things work normally all the time.  The problem with this is that once you start using the rest of the upload pipe the internet stalls and nothing works.

Lets say I have a 300kbps upload (Yes, I know I could do better, but I generally don't need better, I'm cheap, and for the purposes of this example it doesn't matter. If I had 100Mbps upstream I could fill it.) and I have CrashPlan limited to 200kbps.  I then start doing something that requires around 70kbps of upload space.  Things are still working fine.  Then at the 10 minute mark something starts an upload (lets say I've decided to print some pictures to Costco) that requires another 100kbps.  Backups will reduce their usage a little because of the packet loss, but the internet is now completely unusable.  (Don't worry, that's not the visualization I teased about)

I could, of course, combine the above two options and only run at 2/3 of the bandwidth only during off course, but then backups would take forever.

The third option is that CrashPlan can set the IP ToS field on your backups.  By default this doesn't do anything.  I have an OpenWRT router sitting just inside my DSL modem and in theory it handles interactive traffic first, then unflagged traffic, and lastly high-bandwidth traffic.  In reality, though, the outbound network from the router is 100Mbps so it just throws everything down the 100Mbps network until it overflows the DSL modem's outbound buffer and then the DSL modem throws things away randomly without consulting the ToS.

The solution, then, is to force the router to shape the network. You can see my config here.  I started by classifying outbound traffic on my network into three categories:
  • Interactive -- traffic with the "lowest latency" bit set in the IP ToS.  This is mainly ssh traffic (including ssh traffic within my VPN back to work).  When I'm working on some remote system I want as little latency as possible
  • High Volume, Low Latency -- currently google voice and video chat.  I'd like to add netflix, but it's hard to identify.  This is stuff where reducing the bandwidth considerably could drop the connection
  • Normal -- everything that didn't get categorized
  • Bulk -- traffic with the "highest bandwidth" bit set in IP ToS.  This is (that I know of) CrashPlan, scp, and rsync over ssh

Next I used HTB to set up "token buckets" for each class.  Interactive gets 50k (which it will never use), High 100k, Normal 100k, and bulk 20k.  After all classes are serviced any bandwidth left (up to 330kbps, which is artificial, but close to my real max) gets handed out in priority order (interactive, high, normal, and then finally bulk, though bulk is rate limited to 95% of the connection).

Finally, I setup Stochastic Fair Queueing under each class so that even within a class a single connection couldn't shut everything else down.

Having set this up on Friday, I got a chance to test it on Saturday when I got called in to do a bunch of work while on a video conference.  I ended up running backups (with no internal rate limit), a video conference, a photo upload to Costco (gratuitously), and an interactive login to my work machine and I had about 500ms delay in my typing for work.  Then I got the idea to keep stats on it and that's what generated my Visualization Porn:

click for big

Left is kbits, bottom is minutes elapsed, sampling is every 5 seconds.  I've done some mangling of the high data because Google Video chat is a UDP service so instead of self-scaling like everything else the router just dropped a bunch of its packets on the floor and the numbers I was collecting were for packets enqueued, not packets actually sent, but for the most part this is just a stack of the four values.

What's going on here is that at around 20 minutes I started the video conference; when I did that, the high class started using all sorts of traffic, but the bulk stream dynamically resized to keep total network usage constant.  I don't know what happened at 40 minutes, but you can see that the higher-priority video stream had to reduce its bandwidth to make nearly 100k available for normal traffic.  You can also see I did an upload at around 157 minutes (the green area), which got to use the full 300k.

I'm quite happy with the ability of the more interactive sessions to take place with so little latency, but I'm almost as impressed with the rate backups scale back up.  Except for the dip at around 30 minutes, the network was 95-100% utilized the entire sample period, despite massive and rapid shifts in bandwidths for particular services.

As I type this my backups are humming along at 288kbps, my wife is watching a Netflix movie, and my interactive traffic has no noticeable lag at all.  Traffic Shaping is a beautiful thing.

Friday, July 20, 2012

BC/DR (Part 2): Or, why I left Time Machine

If you read my last post, it might surprise you to find I'm in the process of abandoning Time Machine.  I still think Time Machine is a great product.  In fact, I not only think it is vastly superior to what's probably the most common "backup" mechanism: RAID, and the even more common lack of a backup at all, I think there are areas where it outshines pretty much every other backup system out there.  Specifically, if you boot a Mac off of a Mac install disk, it will ask you if you have a Time Machine backup you want to restore and just do the restore work for you.  I don't know of any other consumer backup solution that has a bootable restore procedure and it's getting to be impossible to find an enterprise solution that can do this.  It's almost impossible for me to overstate how much this lowers your RTO.

Steps to restore from a backup with Time Machine:
1) Install replacement hard drive and stick OS CD in drive
2) Hit "Yes, I want to restore from Time Machine" in boot.
3) Done (I should note I haven't tried this)

Steps to restore from a backup with pretty much anything else:
1) Install replacement hard drive and stick OS CD in drive
2) Install OS
3) Probably install OS patches since your CD is too out of date to run backup software
4) Install backup software
5) Do restore
6) Fix all the stuff that's now broken because the restore libraries aren't compatible with the OS libraries the restore was missing

But for all that, the Pro/Con matrix on Time Machine is still slanted heavily Con for me:

Advantages of Time Machine

  • Backups are stored as normal OS files and thus can be read like normal files
  • Backup/restore software comes with OS, so there's no separate install and restore is extremely easy
  • Setup is nearly trivial, restore is easy and well segregated.  Even respects OS permissions and allows non-admin users to self-restore
  • Self maintains versioning and cleanup

Disadvantages of Time Machine

  • Only runs on Mac
  • You can't change the retention policy
  • De-duplication is done at the file level, not the block level, so if you import 30G of HD video into iMovie and then change the event names (which changes the folder names), Time Machine will create brand new copies.
  • It can't verify a backup is correct, and if one isn't correct, it can't fix it.

My home system has been running Time Machine for 2 years.  I just went and ran diff -qr between the current filesystem and the last Time Machine backup.  There are several files with different contents and a couple of monitor profiles from May of this year that are missing.  None of these particular files are the end of the world, but the problem isn't that these files have incorrect versions, it's that they've managed to keep inaccuracies for months and I didn't know.  Not even that, now that I know it's wrong the only way for me to fix it is to modify the real files so that it will catch the change.  There is no command to have Time Machine scan the entire filesystem and compare what's there to what it thinks is there.  This, to me, is a deal killer.

The system I'm currently building has three parts:

  1. complete, bootable copy of my main hard disk in a USB/SATA enclosure.  In this case I'm particular about the disk.  It's the same as the actual main disk, so if it were removed from the enclosure it could be a drop in replacement for the real hard disk.
  2. second internal disk with a local CrashPlan backup
  3. CrashPlan+ backup to the cloud

This is a relatively expensive strategy (about $150 up front for the disks plus $3 per month for cloud storage), but it gives me several things:

In a disk or total failure, I have a bootable, reasonably recent image.  This speeds up recovery tremendously.  Except for a total, catastrophic, and immediate failure while I'm updating the USB backup, I should only have a gigabyte or so to fetch from a real backup (either local for a disk failure or the cloud for a catastrophic one).  Let's say the house burns down.  My recovery procedure is to go to work and fetch my USB disk, build a new computer around it.  Boot, then recover the rest from CrashPlan.  RPO: nearly immediate.  RTO: about long as it takes to get a replacement computer.

I'm not trusting the cloud.  CrashPlan+ is cheap for online backup (about $3 per month), but I don't trust it.  Lets say CrashPlan loses my backups while my house is burning down.  Admittedly, this seems unlikely, but I've seen reports from most of the cloud services that data has been lost for some small number of users.  My recovery goes back a couple months (more recently if I've dumped a bunch of pictures in and felt like I needed a backup).  RPO: a couple months.  RTO: getting a new computer.

I'm not trusting a disk that's offline.  Like above you can generally trust a disk sitting on a shelf, but you never know for sure until you actually run the restore, which is too late if it's failed.  If I lose the disk entirely I have to rebuild from install DVDs and then get the data from crashplan (which is $150 to have them ship it to me on a replacement disk).  RPO: immediate.  RTO: get a computer plus a day or so.

I'm not yet committed to this and would certainly accept suggestions on better or cheaper ways to do it. I insist at least on having a bootable copy, preferably offsite and a recent snapshot, also preferably offsite.

Disaster Recovery and Business Continuity (part 1)

This has been entirely a political blog lately, but that's more because I haven't really had any personal stuff to relate than because it's really intended to be purely a political blog.  Today, though, I want to relate something that might have a more immediate impact on people's lives (and that happens to relate closely to my profession):  computer backups.

A decade and a half ago it was bizarre beyond belief that I backed up my personal computer.  These days it's still probably the minority of people who actually backup their computer, but most people at least think it's a good idea.  Even among people who have backups, though, most of the strategies aren't that well thought out.  For instance all major desktop OSes these days support RAID out of the box, so I wouldn't be surprised to find that there's a significant percentage of people who are relying on a disk mirror (two disks that get written simultaneously) for backup.  If you're doing that then you're probably never going to lose all your data (as opposed to your next door neighbor who just has one disk.  He's probably going to suffer complete loss at some point) but you have a badly designed system for a desktop.

RAID is not a substitute for a backup.  If the server gets hacked or somebody accidentally removes stuff that needs to be there or the stars align just wrong and bad data gets copied to the good disk, you're still up a creek.  So server admins also make backups.  And they ship them offsite in case the whole building gets destroyed.

Now maybe that's too much work for a home user.  After all, if your whole house burned down the last thing you're going to be thinking about is recovering your family pictures from two years ago, right?  Hmm, I don't know about you, but if I could take one thing out of my house it would be my family pictures.  So why not do it now so that we don't have to worry about it while it's burning down?

There's two things you need to know about Disaster Recovery (DR) planning:

Recovery Point Objective (RPO) - How far back from an "event" (computer being destroyed) do we have to go on recovery.

Recovery Time Objective (RTO) - How long does it take to get back up and running.

I'm going to consider three scenarios for computing our efficacy: File deletion, Single Disk failure, and Total and Catastrophic failure (house burns down).  Let's take a simple RAID first:
no recoveryRPO: immediate
RTO: immediate
no recovery

As you can see, RAID is very well situated to handle a disk failure, but if you accidentally deleted all the pictures you took in 2008 when you meant to delete something else you can never recover.

Another strategy would be to get a USB disk, make a copy to it every week and store it in your office (assuming that's not your house):

RPO: one week
RTO: one day
RPO: one week
RTO: one day
RPO: one week
RTO: time to build a new computer

As you can see in this case making a copy of the disk and sending it offsite every week causes us to lose a week's work (or irreplaceable pictures if we've erased our memory card) but as long as we know the drive is good when we send it offsite we at least have a backup, even if our house burns down we can recover.

One backup strategy you'll encounter, which I actually like, is to get two external disks with firewire/eSATA/Thunderbolt enclosures (not USB, you want fast) and swap them in and out of a mirror while keeping the other one offsite.  This gets you the best of both of the above, but it still has a fatal flaw: it's unbelievably annoying to truck disks back and forth and thus isn't really going to happen.

For a long time I used a RAID on my home disks and a set of TR-3 tapes and later CDs for offsite backups, which is sort of like this.  It took about 10 CDs at the time and I managed to actually make a backup maybe once a year.  I had a process for building incrementals so I didn't have to do the full backup all the time, but I still never remembered to make one.

When I switched to a Mac, Time Machine revolutionized how I looked at desktop backups.  RAID was designed for systems that can't go down just because they lose a disk.  Chances are pretty good that if you lose your home desktop for a couple days while you go buy a new disk and do a restore, it's not the end of the world (and in fact you almost certainly don't, as every data center does, have either a complete set of parts to replace other failed components or a contract to have them couriered to you).   At any rate, you're probably not willing to pay $80 for an extra disk purely to take your RTO down from one day to immediate from a failure that happens roughly every 30-60 years on a single disk machine.  Time Machine makes incremental backups every hour (or on demand) and keeps them going back practically forever:

RPO: one hour
RTO: nearly immediate
RPO: one hour
RTO: time to purchase a disk
no recovery

This is a huge improvement over RAID because accidental file deletion is probably the most common failure state.  And that's really over-estimating the RPO.  If you just dumped pictures of your daughter's wedding in there you can force a time machine backup right-now and not delete the memory card until it finishes.  After I saw how this worked and started thinking about it I got rid of my RAID and started doing Time Machine plus a third disk offsite.  I have been using that for a few years, but I'm now thinking about the best architecture for the present.

Friday, June 29, 2012

Comments on NFIB v. Sebelius

So AFA (Obamacare) is legal because it's a tax. I've seen lots of opinions on this but nobody has brought up what I find to be the most interesting open question. To get to the question I'm interested in, I'd like to go over the history of the bill as it relates to this decision.

Both Congress and the President insisted at time of passage, and many of them still insist, that what the bill does is make it illegal to not buy healthcare with a fine if you disobey the law.  They did this for several reasons including the fact that they had promised not to raise taxes, that the bill couldn't make it back through the House (where tax bills must start) so it was less Constitutionally suspect starting in the Senate if it didn't contain taxes, and that behavioral economics make it more likely that people will avoid a fine than a tax.

The Supreme Court decided that Congress doesn't have the power to do this. But that's okay, that's not (according to the Supreme Court) what Congress and the President really did. The majority on the Court decided that what the bill really did (in spite of the text of the bill to the contrary) was add a tax on people who didn't buy insurance. This is Constitution because of the taxing power. But wait, where is the taxing power in the Constitution?
Article 1, Section 8 The Congress shall have Power To lay and collect Taxes, Duties, Imposts and Excises, to pay the Debts and provide for the common Defence and general Welfare of the United States; but all Duties, Imposts and Excises shall be uniform throughout the United States

Congress doesn't have the power to lay and collect taxes as a penalty for something it dislikes.  It can only do it to pay for things.  There's a long established ability to exempt people from taxes for arbitrary reasons (thus the mortgage deduction, credit card interest deduction, charitable deduction...) but to my knowledge there's never been a federal tax raised specifically to discourage behavior the feds don't like.

So clearly Congress could have written a bill that raised everyone's taxes by $1000 and then gave an exemption to those who purchased insurance.  The question is if that's actually what they did.  Congress argues they didn't.  The President argues they didn't.  The minority on the Supreme Court argues they didn't.  The US Attorney who argued for Obamacare argued it was a tax, but not that it was really a deduction.  Even the majority on the Court doesn't actually argue they did, but it's the only Constitutionally consistent way to interpret their decision.

I should note that lots of commentators (like the one above) think the fact that the people who favor the bill still argue that it's not a tax even though the only reason it's Constitutional is that the Court decided it is.  There's good precedent for that.  The Roosevelt administration argued in Helvering v. Davis that Social Security is just a tax, not actual contributions, which is the only reason it was declared constitutional, but there are still very few arguments that the government doesn't have an obligation to pay you back.

Thursday, May 3, 2012


When used on a speaker's platform, the flag, if displayed flat, should be displayed above and behind the speaker. When displayed from a staff in a church or public auditorium, the flag of the United States of America should hold the position of superior prominence, in advance of the audience, and in the position of honor at the clergyman's or speaker's right as he faces the audience. Any other flag so displayed should be placed on the left of the clergyman or speaker or to the right of the audience.

14 USC § 7(k)

It's not that hard.

Thursday, April 26, 2012

Student Loans

The student loan debate currently being pushed to the forefront by President Obama is like the rhetorical gift that keeps on giving.  I could write pages on the interesting facets of this, but I'll start with the basics:

In 2008 the Democrat controlled House and Senate passed, and President Bush signed, a law lowering the interest on Federally backed student loans from 6.8% to 3.4% for 5 years.  Those 5 years expire this year and so presently the President is going around talking to college campuses about how he wants to stop the Republicans from raising the interest rates and how he understands the plight of these poor college students having to pay on their student loans because he and the First Lady just paid off their loans 8 years ago.  Romney and the House Republicans (lead by Boehner) also want to extend the lowering, but Boehner wants to "offset" the cost by reducing the expenditures in Obamacare.

There are so many interesting quirks to this it's hard to see where to start, but I think I'll pick the fact that this shows us how invasive a "temporary" program is.  I didn't really follow this particular debate in 2008, but I'm sure there were 10 year budget projections showing what this cost, under the assumption that it only lasted 5 years.  But now, 5 years later, the debate isn't about lowering student loan income, it's about preventing it from going up.  Both politicians and commentators frequently take the sunset clauses on these "temporary" programs seriously.  They shouldn't.  If it was a good idea to lower student loan interest rates, it should have been done in perpetuity (the same is true for the Bush tax cuts).  The only difference between cutting student loan interest rates (or taxes) for 5 years and forever is that you get to debate it again in 5 years with a "temporary" program, and blame the other side for wanting to go back to the status quo ante (even though that's actually what you agreed to do when you created the program).

The second interesting thing is that the President's student loans dragged him down so much that he couldn't pay them off until just 8 years ago.  After he had bought a condo (and a house) and "should have been saving for [his children]".  Obama received a $100,000 advance for the publication of his first autobiography while he was still in law school.  For the last 5 of those years the Obamas were making well over $200,000.  For two of them they were making enough to be the "super rich" that aren't paying their fair-share of taxes.  There are two possibilities here, neither of them very favorable for the President. The first is that despite being "super rich" (by his own definition) he really didn't have enough money to pay off his student loans.  That eviscerates his argument (which he has been continuing to make at these taxpayer funded campaign speechs at Universities) that those over $250,000 are just throwing away money and need to be giving more in taxes.  The other is that, despite having an abundance of discretionary income, he chose not to pay off student loans because the opportunity cost favored keeping them.  I suspect this what really happened.  He had a student loan at around 6% (this is before the rates were lowered in 2008) and he could make more money on that money than he was paying in interest (and he certainly couldn't get a loan that low) so he didn't see any point in aggressively paying it off the way you would, say, a credit card.  This destroys his argument for artificially cutting the rate in half from what was already so cheap he chose to keep it around when he didn't have to.

The third, and most disturbing, interesting thing is the games the Republicans are playing here. When the Democrats created Obamacare they took some of the easier-to-cut sections of Medicare and slashed them to make the budget work.  I made the argument at the time that this was like renegotiating a mortgage that was going to bankrupt me and then turning around and spending the "savings" on credit cards.  This is exactly what Boehner wants to do here.  The Republicans have been arguing since it passed that we can't afford Obamacare.  And we can't.  Now we have a Republican Presidential candidate who has committed to dropping Obamacare completely, a Supreme Court case that many people consider likely to throw the entire bid out as unconstitutional, and a Republican Congress that says it's still unconstitutional and we can't afford it, but we can cut some of the money we don't have out of Obamacare and use it to pay for another bad idea.  Obamacare is a bad idea, and we ought to throw it out, but "saving" money by not funding certain care items while keeping the rest of the restrictions and regulations and then spending the "savings" on another bad idea is an even worse idea.

There are a bunch of other issues particular to the way student loans are subsidized and how this contributes to the rapid inflation of education costs, the fact that through this program a 25 year-old plumber gets to pay the bank 6% for the loan on his truck and tools and subsidize the 3.4% (higher risk profile) loan for the education of a 25 year-old lawyer, or the question of why the Federal government is involved in education funding at all, but I'm honestly not as interested in the standard issues with student loans as the politics of the rhetoric itself.

Tuesday, April 17, 2012


The internal effects of a mutable policy are still more calamitous. It poisons the blessing of liberty itself. It will be of little avail to the people, that the laws are made by men of their own choice, if the laws be so voluminous that they cannot be read, or so incoherent that they cannot be understood; if they be repealed or revised before they are promulgated, or undergo such incessant changes that no man, who knows what the law is to-day, can guess what it will be to-morrow. Law is defined to be a rule of action; but how can that be a rule, which is little known, and less fixed?

Another effect of public instability is the unreasonable advantage it gives to the sagacious, the enterprising, and the moneyed few over the industrious and uniformed mass of the people. Every new regulation concerning commerce or revenue, or in any way affecting the value of the different species of property, presents a new harvest to those who watch the change, and can trace its consequences; a harvest, reared not by themselves, but by the toils and cares of the great body of their fellow-citizens. This is a state of things in which it may be said with some truth that laws are made for the few, not for the many.

In another point of view, great injury results from an unstable government. The want of confidence in the public councils damps every useful undertaking, the success and profit of which may depend on a continuance of existing arrangements. What prudent merchant will hazard his fortunes in any new branch of commerce when he knows not but that his plans may be rendered unlawful before they can be executed? What farmer or manufacturer will lay himself out for the encouragement given to any particular cultivation or establishment, when he can have no assurance that his preparatory labors and advances will not render him a victim to an inconstant government? In a word, no great improvement or laudable enterprise can go forward which requires the auspices of a steady system of national policy.

But the most deplorable effect of all is that diminution of attachment and reverence which steals into the hearts of the people, towards a political system which betrays so many marks of infirmity, and disappoints so many of their flattering hopes. No government, any more than an individual, will long be respected without being truly respectable; nor be truly respectable, without possessing a certain portion of order and stability.

-- Federalist 62 (emphasis added)

Thursday, March 15, 2012

Nominating process

There's all sorts of talk right now about whether the slowed-down nominating process the Republicans put in place in 2008 was a good idea. I don't care. I'm more interested in the brokenness of the process in general. I'm pro electoral college (and, in fact, think we ought to have some of the electors sent there by state legislatures like we used to do with Senators) so it may come as a surprise that the non-representative nature of the nominating process really bothers me. The problem is that the electoral college was designed to give some relief to the less populace states in our federation on the choosing of the President. That makes sense. The nominating process doesn't seem designed at all.

At present nearly 10% of Romney's delegates are from territories that don't get to vote for President. I'm actually opposed to our permanently retaining territories that are never going to become states, but if the purpose of the nominating convention is to win the Presidency, do we really care what people who can't vote for President think? I'd be okay with in if they got some nominal vote, but the people of the Virgin Islands and the Northern Mariana Islands together get as many votes as New Hampshire (which, admittedly, has an oversized influence because of when it votes).

Only fourteen of the 60 States or districts who have primaries or caucuses are closed. In the rest either Democrats can help select the Republican representative (I'm sure they will have only the best interests of Republicans in mind) or you have to at least not be party affiliated. Though if you're in a semi-closed state the chance you're going to register with a party is pretty much zero. I would not only have closed primaries, I would require that you have been registered with the party for at least two 30 months.

California and New York, states where the Republican nominee is guaranteed zero electoral votes, are two of the three largest delegations to the convention (Texas is number 2). On top of that nearly half of the California and New York delegates (123 out of 261) come from districts that are 60% or more Democrat. According to Sean Trende at Real Clear Politics, 8 districts from Los Angeles County cast just barely more votes in the 2002 Gubernatorial primary as a single majority-republican district. Yet they would get 8 times as much influence in the nominating process. To make matters worse, California is an open primary, so nobody is checking whether the delegates from Nancy Pelosi's district even reflect the desire of the Republican who lives there. I'm not saying we shouldn't care about these people's voice in the primary, but we shouldn't care a lot more about Republican's in Nancy Pelosi's district than those in Paul Ryan's.

On the flip side, the current procedures give extra bonus delegates to majority Republican states. Unlike the issues with allocating delegates based on general-population district lines that in lots of cases were intentionally drawn to polarize towards one party or the other, I can see why this makes sense. The nominee is supposed to be somebody who represents the will of the Republican electorate, so it makes sense to give bonuses to majority Republican states. But the nominee is also supposed to be somebody who can actually win the Presidency. Given that the important thing is winning the electoral college in the fall, wouldn't it make sense to give similar (or even greater) bonus delegates to the states with the closest elections in the past Presidential election? Hugh Hewitt has recommended at least once having the nominee determined only by the closest states. That seems like a recipe for a splintered party to me. It's one thing to give extra credit to electorally important states, it's another entirely to say to Texas or Georgia that the party doesn't care what you think, we're going to find a moderate who does well in Ohio and Pennsylvania.

We also have a bunch of unbound delegates who got their position through some previous party position. I actually don't have a problem with these. The "super delegates" bring some of the horse trading in order to get the desires of various factions of the party fulfilled while finding the most likely candidate to actually secure the election into the convention. If it's a close call, that's a role I don't mind seeing.

If I were head of the primary process, I would allocate votes among the states based on the number of popular votes they cast for the Republican in the prior election. Then I would give a bunch of extra votes to the 4 closest states. The national convention needs some way of allocating votes within states other than congressional districts which are drawn based on general population and frequently drawn to intentionally skew towards one party or the other. I would suggest something like forcing proportional distribution based on the entire states' returns. I would love to draw districts, but you would need special districts established for the purpose if you wanted to fairly district among just one party, and that doesn't seem practical.