Comment Re:Seems reasonable (Score 4, Insightful) 119

everyone accepts that (for a given purpose; bank vaults and nuclear installations get judged differently than houses) there is some level of 'reasonable security', which reflects appropriate caution on the policyholder's part; but is known to be breakable.

I agree with your post. I'll just add that a big problem with IT security is that companies cannot rely on the same level of protection from governments in preventing intrusion.

For example, if I have a safe in my house, the means an attacker would have to penetrate it are going to be limited. Since my township has police and neighbors that wander around, they can only spend so much time there before they're likely to be detected. They can generally only carry in stuff that will fit in the doors and is man-portable, since if they have to cut a hole in the house and lower their equipment using a giant crane somebody is likely to notice. If they want to use explosives they will have to defeat numerous regulatory and border controls designed to prevent criminals from gaining access to them, and of course they will be detected quickly. Some destructive devices like nuclear weapons are theoretically possible to use to crack a safe, but in practice are so tightly controlled that no common thief will have them. If the criminal is detected at any point, the police will respond and will escalate force as necessary - it is extremely unlikely that the intruder will actually be able to defeat the police. If the criminal attempted to bring a platoon of tanks along to support their getaway the US would mobilize its considerable military and destroy them.

On the other hand, if somebody wants to break into my computer over the internet, most likely nobody is going to be looking for their intrusion attempts but me, and if they succeed there will be no immediate response unless I beg for a response from the FBI/etc. An intruder can attack me from a foreign country without ever having to go through a customs control point. They can use the absolute latest technology to pull off their intrusion. Indeed, a foreign military might even sponsor the intrusion using the resources of a major state and most likely the military of my own state will not do anything to resist them.

The only reason our homes and businesses have physical security is that we have built governments that provide a reasonable assurance of physical security. Sure, we need to make small efforts like locking our doors to sufficiently deter an attacker, but these measures are very inexpensive because taxpayers are spending the necessary billions to build all the other infrastructure.

When it comes to computer security, for various reasons that secure environment does not exist.

Comment Re:Seems reasonable (Score 2) 119

If a company cuts corners on security, then in the same way that if I leave my door unlocked and get burgled, I can't make a claim. There's going to be a good living for lawyers establishing what is the required level of security. But if this incentivises senior managers to ask the right questions, then it's probably a good development.

Maybe. If you're buying an insurance policy to cover leaks of information, then almost by definition any claim is going to be the result of lax security. So, why bother buying insurance at all if the insurer can get out of it? The likely result is that those harmed won't be able to collect damages since there will be no insurance, and the company that lost the data will simply declare bankruptcy.

I think there are better precedents. For example, my company is routinely audited by its insurers or other certification bodies. If they spot a blocked electrical panel, that has consequences for the company. The purpose of the audits is to PREVENT bad things from happening, and of course passed audits will support later claims if something bad happens anyway.

So, why not do the same with "cyber policies" or whatever they're calling them. The insurer states some standard that the policyholder is to be audited against. The policyholder agrees to be audited. If the audit passes, they're in the clear.

And that is what insurance is about - elimination of risk. If you are in charge of some big company you can get the blessing of the appropriate auditors and now it isn't your fault if something bad happens. It is a bit like having an IT team with skin in the game.

Sure, you can hire what you think is a good IT security team, but how do you really know if you've gotten one? If you buy a cyber insurance policy you're getting that IT audit, but then if you're declared clean and you get burned anyway, that insurance company comes in and puts their money behind their words and pays for your loss. THAT is what insurance is supposed to be.

Comment Re:For those in Power,oversimplification is the Po (Score 1) 327

Plus, oversimplification can be used to justify all kinds of short-sighted behavior, with all the plausible deniability you describe.

I remember learning my company's brand of six sigma, and they stressed not having more than a few CTQs for any process. It made for really nice-looking powerpoint slides (which seemed to be the main output of my company's six sigma efforts). It also made for some really broken processes in some cases, because the stuff the company was making was really hard to make. There were cases where somebody would optimize out some $10 part and end up destroying a million dollars worth of product from time to time due to a failure to deliver an acceptable level of quality. But, when you only focus on 3-5 key quality attributes, it is hard to justify every little $10 part in the multi-million-dollar manufacturing process.

I'm fairly convinced that far more was lost in market share due to an inability to meet demand than was ever gained from optimizing out the odd $10 part.

"For every complex problem there is an answer that is clear, simple, and wrong."
--H. L. Mencken

Comment Re:"Slow and calculated torture?" (Score 1) 743

Maybe Greeks are different but in Germany, if you borrow money, you are fully expected to pay it back. As soon as possible. Greece can make as much racket as it likes, but the Germans still want their money back. And frankly, I agree. If Greece is not willing to pay back what they take, that's theft, and they can go without aid for all I care. Especially when the borrowed money doesn't actually go to fixing its major economic issues.

That is a fairly naive viewpoint. No business approaches loans in this way. A loan is a contract, with terms that apply in the event of default, and terms governing repayment. Defaulting on a loan has consequences, but most businesses do not view it as a moral issue. If it ever becomes advantageous to default on a loan, they will do so. If it is advantageous to take measures to hinder attempts at collection, they will do this as well. As far as they're concerned, it isn't theft - it is just the terms of the agreement the lender agreed to. Most nations have bankruptcy laws, and sovereign nations have, well, sovereignty. Lenders who agree to make loans do so with full knowledge of these laws.

So, if a person declares bankruptcy I do not believe they are committing theft - the lender understood the bankruptcy laws when they freely made the loan, and they did so at an interest rate that they considered profitable even in light of this risk. Likewise, when a bank lends to a sovereign nation, they do so knowing that they have very little recourse if the nation chooses to default on the loan.

To the extent that anybody was forced to loan money against their will, they might be able to claim that whoever forced them to lend money was a thief.

Comment Re:They're bums, why keep them around (Score 1) 743

Greece already has a primary surplus so they can cover their own needs.
The problem is that the external debt is simply not viable. Up to 2030 Greek debt obligations are up to 140 billion euros. So while Greece managed with great sacrifices to have an unhealthy surplus based on neoliberal policies that finely IMF imposes for decades now, they still need 140/15 = 9 billion on average extra surplus for the next 15 years.

Well, the solution is simple then - they should just default. As long as they are internally self-sufficient as you assert, it won't be a problem for them. They won't be able to borrow money for a long time, but they shouldn't have to.

However, I'm not convinced their cash flow is nearly as rosy as you suggest. And of course they need to be able to defend their own borders/etc if they don't want somebody ticked off about their debts to come looking to collect.

Comment Re:just what we all love (Score 1) 243

And this is a general problem with federated governments. When it comes to socialism/etc they tend to be a race to the bottom, because companies can effectively pay the lowest tax rate anywhere in the federation. It happens in the US as well - if a US state wanted to raise state income taxes to 60% and pay basic income to all their residents, their employment would go to zero because companies would flee the state, since they could do so while still being able to sell their wares in the state's market, since US states cannot interfere with interstate commerce. This is why US states are only "laboratories of democracy" to a limited extent.

If you want to have different tax rates and social policies, then you need to have tariffs at the border. That is obviously a two-edged sword, but it is still the reality of the economics.

Comment Re:Why ext4 (Score 1) 226

Agree, as the other reply pointed out as well. And you can do the same with mdadm raid too (though obviously with none of the benefits btrfs/zfs bring for data integrity like checksumming and copy-on-write). Mdadm will also let you reshape an array in place (that is change raid levels or number of disks), though with mdadm that will often result in messing up your stripe alignment and of course it is more likely to eat your data if something goes wrong since if it finds a parity mismatch it has no way to know which copy is bad.

I was just commenting that btrfs tends to have a lot of features that appeal to small system users that you'll actually find missing on zfs, even if it is far less mature overall, and lacking in many enterprise-scale features. It just reflects the emphasis of the developers behind it.

I really can't complain about zfs - it is a great filesystem. However, things like not being able to reshape an array or mix disk sizes in an array are some of the things that hold me back from adopting it. Heck, btrfs will let you switch from raid1 to raid5 without touching any of the data already written - newly-allocated chunks will use raid5 and existing chunks will continue to use raid1 - it doesn't manage arrays at the whole-device level. In practice though you're likely to tell it to rebalance your data of course.
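The point above about mdadm having no way to tell which copy is bad on a parity mismatch, versus btrfs/zfs checksumming, as an added illustration that is not part of the original comments. It simulates one 3-device RAID5 stripe (two data blocks plus XOR parity) with constructed sample data; the checksum scheme is a stand-in for the filesystems' real on-disk formats.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length blocks (the RAID5 parity operation)."""
    return bytes(x ^ y for x, y in zip(a, b))

def build_stripe(d0: bytes, d1: bytes):
    """Stripe as stored on disk, [d0, d1, parity], plus a per-block checksum
    (what a checksumming filesystem keeps; a parity-only array has no such thing)."""
    blocks = [d0, d1, xor(d0, d1)]
    sums = [hashlib.sha256(b).digest() for b in blocks]
    return blocks, sums

def parity_consistent(blocks) -> bool:
    """All a parity-only scrub can check: does d0 XOR d1 still equal the parity?"""
    return xor(blocks[0], blocks[1]) == blocks[2]

def parity_only_candidates(blocks):
    """For each device, the stripe that results from assuming *that* device is the
    bad one and rebuilding it from the other two. Every candidate is internally
    consistent, so parity alone cannot decide which repair is the right one."""
    d0, d1, p = blocks
    return {
        0: [xor(d1, p), d1, p],    # assume device 0 is bad
        1: [d0, xor(d0, p), p],    # assume device 1 is bad
        2: [d0, d1, xor(d0, d1)],  # assume the parity device is bad
    }

def checksummed_repair(blocks, sums):
    """With per-block checksums the bad block identifies itself, and only that
    block is rebuilt from parity. Returns (repaired stripe or None, bad indices)."""
    bad = [i for i, b in enumerate(blocks) if hashlib.sha256(b).digest() != sums[i]]
    if len(bad) != 1:
        return None, bad  # nothing to repair, or more failures than one parity can fix
    return parity_only_candidates(blocks)[bad[0]], bad

if __name__ == "__main__":
    good, sums = build_stripe(b"hello, world!!!!", b"checksum me!!!!!")  # constructed
    damaged = list(good)
    damaged[1] = b"checksum ME!!!!!"  # silent corruption of one data block
    print("parity consistent:", parity_consistent(damaged))
    print("parity-only candidates all consistent:",
          all(parity_consistent(c) for c in parity_only_candidates(damaged).values()))
    print("checksummed repair:", checksummed_repair(damaged, sums))
```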

Comment Re:Why ext4 (Score 1) 226

Sure, but with btrfs you can just add one drive and sometimes get its entire capacity added to your array - it works fine with mixed-size disks.

Of course, it might just decide not to boot the next day, and that is the downside to btrfs. It does tend to be a bit more friendly in scenarios where you have a small number of disks, though, which was my main point.

Comment Re:Why ext4 (Score 1) 226

Why would you want to add just one drive to a server with 5x 6-drive RAID6 arrays? Just add another 6 drives at a time.

ZFS isn't ideal for growing like that since it doesn't do rebalancing. Your younger raid arrays will always have more data on them.
Also zfs destroy is very expensive.

Perhaps, but my point was more that if you want to grow ZFS this is the ONLY way to actually do it, as far as I'm aware. You can't add individual drives to individual "vdevs."

Comment Re:Why ext4 (Score 2) 226

The problem is that the feature-list for ZFS is very enterprise-oriented.

Why would you want to add just one drive to a server with 5x 6-drive RAID6 arrays? Just add another 6 drives at a time.

On the other hand, if you have a PC with 3 drives in RAID5, you could easily want to turn that into a 4-drive RAID5 or a 5-drive RAID6 in-place.

Btrfs has a lot of features that are useful for smaller deployments, like being able to modify the equivalent of a vdev in-place. ZFS on the other hand has a lot of features like ZIL that are very useful for larger deployments.

Comment Re:Plutonium Thermal-Electric? (Score 2) 116

Agree. RTGs aren't actually all that efficient - they're a very primitive form of nuclear power. Their advantage is in their simplicity and longevity, which makes them great for things like spacecraft that need low power for VERY long duration, and where repairs are impossible.

You'd need a pretty big aircraft before nuclear turns into a viable option.

Comment Just proprietary? (Score 4, Interesting) 126

I'm interested in whether this is limited to ONLY proprietary research.

I could actually see an argument for banning export of such research. Do we really want companies finding flaws in widely-used software, keeping those flaws secret from the software vendors and the general public, but then selling details on those flaws to others who could potentially turn around and exploit them? In a sense, this does sound like a munition.

I don't see the same concern with public research. If you disclose a vulnerability publicly, then everybody can fix it, and that strengthens the ecosystem instead of weakening it.

If the ban were limited to proprietary research, I don't see it as a bad thing. Of course, it does nothing to keep companies from selling their findings to NSA contractors and such, but I don't expect the US to lift a finger to ban practices like these.

Comment Re:Stupid (Score 1) 387

Diagramming on a whiteboard remotely is a different problem. It's easily solved by pointing the camera at the whiteboard behind you, at least when you have 3 different people in 2 locations. When you have 27 locations and 150 people on the call, what then? A shared whiteboard that everyone fucks up completely in the first 15 seconds because there is not enough whiteboard space?

In my experience the problem isn't getting everybody to not scribble on the board. The problem is that everybody has a 14" monitor and it is just really hard to do anything freehand on such a display. Maybe with graphics tablets and better software it might work.

Even diagramming something solo is a mess in my experience. I tend to end up doing mindmaps or outlines in Word or visio, but the last tends to be pretty painful to do quickly.
