24 October 2006

Death (blessed relief!) and Taxes

Last night as I walked in the house, my daughter was watching President Clinton shilling for a proposed tax on "energy company" profits here in California. We watched Mr. ex-President explain all the glowing things this tax was going to do for us, including freeing us from the need for foreign oil, and my smart daughter asked if I was going to vote for this proposition. Hmmm.

Aside from being a great teaching opportunity, and from being proud that my 10-year-old actually took an interest in something in the world other than dolls or video games, it was a great opportunity to review whether this proposition was worthwhile or not. I'm not opposed to whacking the cretins that run the "energy" companies in the USA, hoarding billions of dollars of assets that should be returned to the people somehow, but does this proposition actually do any of that?

This happened just before dinner, so I only had a few minutes to explain to Bailey why I think this proposition, like every other tax proposition on the crowded California ballot, is a bad idea. We got out the voter information bulletin we received in the mail a week ago and I showed her the page where the pros and cons of this proposition were outlined in gory detail. She didn't understand a few of the words, so it was a vocabulary building lesson as well. When we got done, she was unable to make up her mind, and understood the process of getting both sides of the story a little better.

So how do I feel about Prop 87, and Prop 86, the "Tax the Smokers 'til they Quit" tax, and the other taxes on the ballot? Fine, so long as they don't establish yet another state bureaucracy full of handle-hangers or give my hard-earned dollars away to yet another special interest. Guess what? Both of these propositions are full of corporate hand-outs, new state offices of wasting tax dollars, and questionable grant funds with no performance targets.

No thanks.

22 October 2006

School (in)security

A few days ago, a colleague accused me of being a "computer security expert" in a group of people. He was a little surprised when I bristled at that description, and less than amused when I described the average "computer security expert" as a charlatan, as he thought he was paying me a compliment.

I explained to him that most "computer security experts" in my experience know little about computers and nothing about security, but rather have just attended classes and tested their way to certifications designed to boost their resume but not their job performance. The ensuing discussion about what "secure" really means took an immediate turn away from computers.

A few weeks ago my daughter's school sent her home with a packet of fund-raising materials. She was to go around to my friends and colleagues (since her friends' parents all got the same packet from their kids) and sell holiday wrapping paper, chocolates, etc. to raise funds for the school. The children were baited with various prize rewards based on their sales volume. She picked up nearly $500 in sales in two afternoons, and had roughly $300 in cash in her envelope on the appointed day to return the orders to the school.

Rounding down to $100 per student for argument's sake, consider this: the school has more than 900 students. Is their security system adequate to protect $90,000 in cash?

My colleague reacted strongly to this statement; he has two children in the same school. He had not considered the ramifications of collecting large amounts of money in an insecure location with a large group of children, especially his children, and was surprised I had. That's when I got to pull the punch line: there is no such thing as computer security, there is simply security as it applies to computing.

No amount of training in computing techniques, code walkthroughs, design methodologies, or security APIs is ever going to make you a security expert. Security isn't even about the technology; it is about how a system interfaces to the world around it and how these interfaces might be abused by miscreants.

In actual fact, I've spent too much of my life implementing and later designing computer systems to really be effective as a "computer security expert." The real experts are the (former) miscreants now working on the side of angels; those who have the ability and mindset to probe the weaknesses in a system and then report them to the originators so they can fix the system, rather than exploiting these weaknesses for their own amusement or personal profit. I am awed by these geniuses.

That said, I'll probably still pull the "computer security expert" card when I visit with the school Principal to discuss his endangering the life of my child.