The private utility companies would likely be in the best position. They already have security teams, they have upgrade paths, and they have incentive.

The city run utilities would be in the worst position. They typically engage an engineering company for a project to oversee the installation of systems, and train a few city workers to do basic monitoring and maintenance. Twenty years later the city still "owns and operates" the system, but they do not have anyone who understands it. Even if they recognize the need to patch it, their skint budgets are determined years in advance by city council members who are under pressure to fix the potholes, keep the police on the streets, and rein in taxes and spending. There is no budget this year or the next for overhauling the water systems infrastructure. These systems are a long way from being patched.

It could easily take several years to fix every system that needs fixing, even amidst the panic a world-wide hacking spree would induce. During those years, unpatched infrastructure installations around the globe would be hacked, with very negative consequences.

Why should he hold back from publishing? You doubted three specific claims:

People already have carried out technological sabotage on various infrastructure elements. These are generally not publicized because there is negative value in making this information public -- creating panic without a solution is the desire of the attacker. Some information about these attacks is shared in industry appropriate discussions, but these are not public forums, and participants are invited only on a need-to-know basis. There are real attacks on automation systems today, and there are dedicated, well-funded organizations backing these attackers.

With the nature of automation, an attacker does not need to know that "Manhattan Pumping Station #12" at 127.0.0.1 has a login page susceptible to buffer overflow of exactly 1028 bytes. All they have to do is try a 1028 byte overflow on every SCADA system they find, and maybe a few dozen or a few thousand are similarly unprotected. Even if Manhattan's pumping station fixes their login problem, that doesn't help protect the water pumping systems in Peoria, Illinois, or Nome, Alaska. It's important to remember that a terrorist doesn't have to "call his shots" in advance in order to achieve his objectives of spreading fear or panic.

A honeypot is completely ineffective at determining the identity of an attacker. Sounding an alarm that an attacker is present simply means the attacker will disconnect, and move on to the next potential target. A honeypot is only useful for studying the moves of an attacker, and of potentially diverting them away from your own valuable systems. It can't catch them.

I'm actually not disagreeing with you that we need sunshine in order to fix the problems. The bigger problem is that we have a huge, non-centralized infrastructure that can't be fixed all at once. If Nome, Alaska's pumping station is vulnerable, Nome, Alaska is solely responsible for fixing it. There is nothing about owning such a system that means the owners are up to date on all security issues or patches needed. We may think they should be, but it's academic: they're not patched, they are vulnerable, and the cost of publishing the vulnerabilities could mean the destruction of critical infrastructure.

Industry, government, and law enforcement groups have been trying to solve this problem for quite a while, but they're simply not there yet.

I think Wikipedia falls along the path that many potential buyers take. Wiki articles are usually very highly ranked by search engines, and tend to float near the top of results. When people start researching an upcoming purchase, many look at Wikipedia as a less-biased source of information. (Like you, I tend to think that people who read Wikipedia articles for such information are also somewhat more adept at spotting marketing materials, and are slightly less likely to be duped by them.)

These articles may not have specific products featured (although many do), but they can certainly steer the consumer in the direction that best aligns with their business, and that may or may not be in the best interests of the reader.

I think they have intelligent people. What they're looking for is some outside perspective.

When you've been staring at your own solution for years and years, it's good to have someone make you question it once in a while. They will no doubt get plenty of rookie and novice suggestions, the easy stuff they've long ago solved. They may even get some of the suggestions that took them a long time to understand and develop. What they're hoping for is something completely different. Maybe some grad student working on a new form of video compression will spot similarities that can be applied. Who knows?

The Courts are supposed to weigh cases based on the facts and arguments presented, and not so much on their own personal experiences. As a matter of fact if a member of the court is too closely involved in a case, they're supposed to recuse themselves. Therefore one does not need to use email to listen to arguments involving email.

At least that's the theory. Of course personal experiences and biases do enter into their decision making, but the rulings are to be made on the case before the court.

Of course the function of the courts are completely distinct from the function of a trade negotiator. A negotiator who does not fully understand their topic needs to be surrounded by people who do, and they need to get well versed in it prior to negotiations. That could be what's happening here: I don't know anyone who could recite every TLA in use by every technology out there, so an unfamiliar acronym might need a bit of context.

Regardless, it sounds like the "U.S. Official" is a bit of a dolt.

Being one of the aforementioned Minneapolitans, I have to state that a Minnesota winter is not nearly as bad as an Arizona summer. In the winter, we just keep adding layers: long underwear, flannel shirts, a fleece pullover or sweater, a down jacket, a nylon shell. There's not a fixed limit. Sure, it takes a bit longer to go outside, but it's not all that uncomfortable. If you're dressed right, you can stay outside all day long, doing whatever you want (as long as it involves two feet of snow.) In Phoenix in July, however, there's a limit as to what you can take off when you go outside, and after that you're simply going to die from heatstroke after an hour or two.

It's still no excuse for inflicting Daylight Savings Time upon us. Given the headaches I've got today from this politically induced jet lag, I have to believe DST was invented by the people who sell aspirin.

Actually, it turns out that most people make most of their purchases during the day, and only a few 24 hour stores are profitable enough to keep the doors open all night.

About 20-25 years ago there was a local push to keeping stores open 24 hours. For a while it seemed every retailer and grocery store wanted to jump on the 24 hour bandwagon. The store operators thought that "because I already have staff in here resupplying the shelves and mopping floors from 10PM to 6AM, I should keep a register open so I can sell stuff, too."

That ended about 15 years ago. Most stores quietly took down the 24 hour signs and went back to shorter days. Why? It wasn't worth it. The vast majority of people proved they do NOT buy what they want 24 hours a day from every store in their neighborhoods, they shop for those products only during business hours. Yes, a few people stop in at the 24 hr convenience store, the 24 hr pharmacy, and the 24 hr grocery store. Of those, many are there primarily for "life's necessities", and choose the shop based on location. People will only shop the drug store at midnight for cold medicine if it's closer than the convenience store. But stores that sell hardware, electronics, clothing, etc., very few of them chose to remain open 24 hours locally. Why? Because there weren't enough customers to keep the cash registers open all night, and of the few customers they did get, a certain percentage were "problem customers" who were looking for a place to sober up. There certainly weren't enough paying customers to justify the extra security and managerial staff.

These days, even if more people than before are shopping for other goods at midnight, they are far more likely to shop online than they are to head to a brick store. There still isn't justification to keep the doors open overnight, unless you carry those necessities.

It's easy enough to check. Surf to any public https secured site, and check the certificate's chain of trust. If the self-signed cert at the top of the chain is the school's cert, they've been pwned.

Do the Go-pro carrying quad-copters fly in a different atmosphere than commercial aircraft? No? Then at some point the two can come in contact with each other. The FAA needs to have some regs that govern the places where these two could meet. "No flying anything (toys, kites, balloons, drones) within X of an airport" seems perfectly reasonable.

About the only way to deal with third party libraries is through the terms of the contract. If you agree to license it, you're going to hold them responsible for security violations. Perhaps you stipulate they must run their code through a designated scanner like Fortify or Klocwork and they must agree to fix all critical or severe errors, or that they undergo an annual independent code review.

If all that seems like it's too heavy handed for a simple library, just wait till you get hacked. That's a lot more expensive.

Except when you go to a parts store, you have very specific needs: 5 1k resistors, 3 NPN transistors, 4 .01uf caps, etc. At the bakery, if you can't get exactly three chocolate frosted bear claws, you can pick up three long johns instead, and if someone else complains, you eat theirs and they go without. :-)

For Radio Shack to sell any resistors means they also have to stock a few dozen primary values of resistors, plus a few types of transistors, plus some caps, connectors, project boxes, switches, relays, and a whole bunch of other surrounding components. Sure, they could do without the little barcoded bags, but the bags aren't the primary expense here. The expense is in needing to have hundreds or thousands of components on hand in order to sell even a few of them.

Think of it this way: if they advertised themselves as the "470 ohm resistor store", how many customers would leave the 470 ohm resistors out of their on-line shopping carts in order to drive over there just to pick up their 470 ohm resistors? (If you guessed "zero or less", you'd be right.)

The people who are giving Microsoft difficulty here are the people who distinguish purchase types based on price. If they're going to spend $500 or more on a thing, that thing represents a significant investment, and they have always received 20-50 years of durability from significant investments in the past. Washers, cars, tractors, refrigerators, houses, all those things are expensive, but they last a long time. Even a color TV from the 1970s is still good enough for many of them.

You say "people shouldn't keep computer upgrade cycles to the same timing as vehicle or appliance upgrade cycles", but why is that true? All the rest of their experience is that "expensive things should last 20+ years" (even though they know that occasionally requires a roll of duct tape.) I see that as the root of the problem Microsoft has created here. Microsoft agrees with you on that assumption, but practical viewpoints of the world do not.

You and I know that security problems, reliability problems, media incompatibilities, speed incompatibilities, and all those things make keeping up with technology important, at least for people who are focused on the technology, but we have to consider that most of this equipment is now owned by people who aren't focused on the tech.

And we really can't reach them, either. If we use technical terms like "buffer overruns", we'll be ignored. If we say "upgrade or they'll steal your credit cards" they'll say "so I won't buy online, or I'll pay cash at the store, or I don't have a credit card anyway." If we say "it's too slow, or it's too limited, or the screen is low res" they'll say "it's good enough for me." And if we say "new computers are cheap these days", they'll say "I can't even afford to fill my car with gas." They are probably already feeling the pinch of not enough disk space, or ancient browsers unable to display their favorite web sites, but they simply can't afford an upgrade now or in the immediate future. Filling the gas tank helps them get to their paychecks, and food and rent are simply more important than upgrading their computers.

These people expect to get 20+ years out of their computers. It's our problem to live with them, viruses and all; it's not their problem that they have old gear.

For a lot of these hold-out users, it's a matter of pride to keep a 50 year old tractor running, because it proved they made a good investment when they acquired something that has durability. For them, acknowledging that they have to replace a 9 year old computer means they made a bad decision when they bought it, and they don't want to admit that they invested in a piece of crap. Investing in a new computer after such a short time means they personally failed. They can understand replacing damaged parts, but they don't understand buying "improvement parts" just to keep doing what they've already been doing.

Microsoft's business model doesn't acknowledge this mindset. Their old profit model was built on upgrades to existing products, not sales of new products. They needed customers who are the opposite of who I described above, people who pedal the upgrade cycle every two or three years. But Microsoft's gotten really good at developing good software that meets people's primary needs, and the incentives to upgrade to Office yyyy+3 have dried up. Their new profit model is to lease software and services via the cloud. But to get everyone to the leasing model, they need to make that last push to upgrade them.

From the point of view of the hold-outs, why would they junk a perfectly suitable 50 year old tractor just so they can lease a shiny new one for a ton of money every month? That's crazy talk.

Not necessarily. Sure, some devices, like the Nest thermostat, only work with a data-grubbing service. Others allow you direct control. Some offer remote control via a service because people can't figure out how to safely poke a hole in their firewall, but offer unsecured local control from within your network.

Fortunately, not every thing is sold as a service. You can still exert control with your wallet. Support good companies that don't require a service, and shun those that do.