Category Archives: Security

National Auto Dealers Association Fail

Ed Tonkin is President of the National Auto Dealers Association, a lobbying group for car dealers. An article in AOL points out why America’s car industry needs new leadership and should ignore the NADA.

Tonkin advanced the argument that, presently, consumers do not place a high value on fuel economy. “The American consumer buys products that are convenient, predictable and affordable,” he said, and right now, “the most important factors for a car buyer are overall price and monthly payment.”

I see consumers who value fuel economy. He is wrong right from the start. I would argue the Prius has been a success because of high value placed on short-term fuel economy (we know American consumers dislike figuring out long-term cost/benefit calculations). It does not have much else going for it and yet it has a huge consumer following.

What does he mean by “high value”?

Overall price and monthly payment are influenced by the efficiency of fuel, right? Then, by his own argument, there is demand for a drop in cost and that can easily come from better fuel efficiency. We just need to know the right number to get to “high value”. I do not know what the size of the monthly drop needs to be for most consumers to reach this point in the short-term (recoup costs within 12 months?), but I could guess that if you can get a vehicle to “conveniently and predictably” reduce their monthly spend 50% we would see immediate significant interest.

The problem with my guess, of course, is that I mean a real 50% drop. I do not mean a drop of 50% with a 20% charge added back in as a premium to raise margins for dealers. That sounds like a vehicle that gets 50 mpg with the same features and for the same cost as the 25 mpg model today.

Anecdotally, I ran into a guy on my street the other day who drove a new Jetta VW TDI Sport Wagon. This diesel car, which now represents more than 80% of VW Jetta sales in America, gets great gas mileage. More to the point I said “nice car” and the guy said “yeah, I go to the pump half the time now so I can be with my family more”. His wife smiled at me.

Hey Ed, please tell me that you are calculating time at the pump in your estimate of what Americans value. When you take the famous American road trip a fuel-efficient engine can literally add hours to your day.

Tonkin postulated that car buyers only care about fuel economy when gas prices rise sharply, like they did in the summer of 2008, when prices spiked up above the $4-per-gallon range. “Consumers today are not buying cars based on fuel economy. We may wish it were different. But that doesn’t change anything. And good public policy can’t be based on wishful thinking,” he said.

Oh, hey. Now we have a number. That contradicts your point above. Consumers place a high value on fuel efficiency but your argument is that we are $0.50 low at the pump this month so forget it?

What do you want public policy to be based on? This kind of bad math? Good math says NADA should be behind higher mpg — dealers will sell more cars because consumers can actually hit a high value target, as you admit with a $4 calculation. The number at the pump can easily be lowered; consumers will move at $3 when you understand what is really in their way. You.

I think the NADA is the one doing wishful thinking about keeping mpg low so they can continue to unload inventory. They want to work in high margins for cheap junk made today on consumers unaware that better options are available. Bill Ford probably said this best when he admitted that the Ford Escort in America was substandard and cheaply made compared to the one sold in Europe. Once gasoline prices went up the American Escort was made to be more on par with the European model. The mileage numbers did not change; Ford realized that selling cheap and unreliable cars was a barrier to demand for higher mpg. The demand grows for a car with good mileage if that means also buying a well-made car.

Of importance to regulators, we find [in a 2004 study of automobile buyer decisions] that good fuel economy is widely considered an attribute of cheap cars; many of our households expressed greater regard for fuel efficiency, a term free from a cheap image and more closely associated to ideas of resource conservation, advanced engineering, and high technology and quality.

Pushing old and unreliable inventory with high margins is the kind of sleazy sales strategy you might expect from a stereotypical car dealer but to see it come from Ed, the national president of their association, is disappointing. Good public policy can be based on better logic than fleecing consumers with engines that devalue sharply, do more damage to health and the environment, and that reduce productivity. Ed should forget the $4-per-gallon nonsense and give the market what it wants — technology that makes lives better (more efficient, fun and with less waste) and improves national security.

Look at it this way: NADA’s policy is for you to spend time at a gas station instead of home with your family. Which do you value more?

Finally, let me just say that NADA is opposed to 60 mpg as a target for 2017 and Ed calls it wishful thinking but anyone watching the industry knows that production cars already hit that number. You probably could buy one in America if guys like Ed were not standing in the way, polyester jacket arms crossed and puffing on a cigar, trying to dump his old inventory on you.

Wake up Ed! The 1980s called, they want their calculator back.

The ultra-fun stock European VW Golf TDI BlueMotion I drove last month used only 3.8 liters per 100 km (62 miles per gallon). I did not need a time machine to 2017, just a plane ticket to Europe in 2010. Green Car Reports wrote an article about it in 2009 with the very annoying title “The 62-MPG 2010 Volkswagen Golf TDI We Won’t Get In the U.S.”

Real-world Hypervisor Exploits

A bone of contention that keeps appearing in discussion of hypervisor compliance, especially in terms of the new PCI DSS 2.0 and NIST SP 800-37 risk-based methodologies, is that there are few real-world hypervisor exploit examples.

I have thus been compiling both quantitative and qualitative data.

Here is one of the more interesting cases I ran across: allegedly the researcher was not happy with the vendor response and so demonstrated the exploit at the 23rd Chaos Communication Congress (23C3) in late 2006.

However, the system was patched only six days after the demonstration, which suggests a fix was already underway by the time the exploit was public.

The SecurityFocus bulletin gives details on the flaw.

Unprivileged code interacts with the hypervisor via the “sc” (“syscall”) instruction, which causes the machine to enter hypervisor mode. The vulnerability is a result of incomplete checking of the parameters passed to the syscall dispatcher, as illustrated below.

The simple attack explanation is that the system inconsistently used “secure mode”. The exploit was to access untrusted memory and then push the hypervisor to access the same area as trusted.

As it is not possible to directly overwrite even non-privileged code, existing code needs to be tricked into calling the hypervisor syscall with the desired register set. This can be done by setting up a stack frame and forcing a context switch to this stack frame.

Giving access to trusted space from untrusted paths is a good example of multi-tenant risk and a real-world hypervisor exploit.
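The flaw described above, incomplete checking of the parameters a guest hands to the syscall dispatcher, is easy to model. The toy below is an added example written for this post; it is not code from the bulletin, the vendor, or the researcher, and it does not reproduce the real dispatcher. It assumes a flat memory with a guest (untrusted) region and a hypervisor (trusted) region, a hypothetical read syscall, and two dispatchers: one that validates only the start address (so a request starting inside the guest region but running past its end is served from trusted memory), and a hardened one that validates the whole range, including integer wrap-around, before touching memory.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout for the toy model (assumption, not the real system):
 * [0x000, 0x100)  trusted hypervisor data
 * [0x100, 0x800)  untrusted guest region, the only range a guest may touch
 * [0x800, 0x1000) trusted hypervisor data */
#define MEM_SIZE     0x1000u
#define GUEST_BASE   0x0100u
#define GUEST_LIMIT  0x0800u
#define GUEST_FILL   0x11   /* marker byte for guest memory */
#define TRUSTED_FILL 0xEE   /* marker byte for hypervisor memory */

enum hv_status { HV_OK = 0, HV_EINVAL = -1 };

static uint8_t mem[MEM_SIZE];

/* Fill the toy memory with marker bytes so a leak is measurable. */
void hv_init(void) {
    memset(mem, TRUSTED_FILL, MEM_SIZE);
    memset(mem + GUEST_BASE, GUEST_FILL, GUEST_LIMIT - GUEST_BASE);
}

/* Incomplete check: only the start address is tested against the guest
 * region. The length is bounded just enough to stay inside the array, so a
 * request that starts in guest memory but extends past GUEST_LIMIT is
 * served from trusted memory. This is the defect, kept on purpose. */
int hv_read_incomplete(uint32_t addr, uint32_t len, uint8_t *out) {
    if (addr < GUEST_BASE || addr >= GUEST_LIMIT) return HV_EINVAL;
    if (len > MEM_SIZE || addr + len > MEM_SIZE) return HV_EINVAL;
    memcpy(out, &mem[addr], len);
    return HV_OK;
}

/* Complete check: the whole [addr, addr+len) range must lie inside the
 * guest region, and the end address must not wrap around. */
static bool range_in_guest(uint32_t addr, uint32_t len) {
    if (len == 0) return false;                  /* nothing sensible to serve */
    if (len > UINT32_MAX - addr) return false;   /* addr + len would wrap */
    uint32_t end = addr + len;
    return addr >= GUEST_BASE && end <= GUEST_LIMIT;
}

int hv_read_hardened(uint32_t addr, uint32_t len, uint8_t *out) {
    if (!range_in_guest(addr, len)) return HV_EINVAL;
    memcpy(out, &mem[addr], len);
    return HV_OK;
}

/* Count how many bytes in a returned buffer carry the trusted marker,
 * i.e. how much hypervisor data a guest-visible read exposed. */
size_t trusted_bytes(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == TRUSTED_FILL) n++;
    return n;
}
```

With the memory initialised, a 32-byte read at 0x7F0 straddles the guest boundary: the incomplete dispatcher returns 16 bytes of hypervisor data, while the hardened one rejects the request and accepts only ranges that end at or before 0x800. The design point is that every guest-controlled parameter that selects memory must be checked as a range, on the same trust boundary, before the hypervisor treats it as its own.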

In other words, this is like a highly secure castle that rents out 32 of its 64 inside bedrooms on weekends and holidays. The first 32 rooms are accounted for all year but there is a good chance the other bedrooms will become occupied by hostile residents who may attack when approached.

Inside the main gate of Chepstow Castle, Wales. The curtain wall on the right was breached 25 May 1648 by Isaac Ewer’s cannons and the site where Royalist commander Sir Nicholas Kemeys was killed. Photo by me.

I will speak to this and related issues in tomorrow morning’s presentation sponsored by Cisco, Savvis, HyTrust, VMware and CoalFire:

Title: PCI-Compliant Virtualization Reference Architecture Webinar
Date and time: Wednesday, November 10, 2010 10:00 am Pacific Standard Time (San Francisco, GMT-08:00)
Program: HyTrust Webcast Series
Duration: 1 hour

Facebook is lying

Michael Arrington, founder of TechCrunch and on Time’s list of the world’s most influential people, rattles his digital saber in a scathing review and call to arms called: Give Us Our Data, Facebook

Facebook’s statement today boiled down to this: The most important principle for Facebook is that every person owns and controls her information. Each person owns her friends list, but not her friends’ information. A person has no more right to mass export all of her friends’ private email addresses than she does to mass export all of her friends’ private photo albums.

That’s the same argument that they used two years ago with Scoble. But since then Facebook has been quite willing to allow “mass exports” of “friends’ private email addresses” if the terms are right. They did it with Microsoft, they’re doing it with Yahoo, and possibly other partners. Facebook violated their own privacy policy with the Microsoft relationship. The policy has since been updated.

Breaking the Law With High Fructose Corn Syrup

The Public Health Advocacy Institute has dropped a wet blanket over the high fructose corn syrup lobby. The lobby has claimed sugar is always sugar, no matter what, based on measured levels of fructose. To prove their point using propaganda they have started to pressure the government to allow corn syrup to be hidden with the label corn sugar.

While they play games with the names, actual fructose measurements are in and it does not look good for high fructose corn syrup. It turns out that it has…high fructose.

A report on October 27th from the PHAI is thus titled: Discovery of Elevated Fructose Levels in Popular Soft Drinks Raises Important Legal Questions for Regulators and Consumers

Laboratory testing revealed that bottled full-calorie Pepsi, Coca-Cola and Sprite had fructose estimates of 64-65%, well in excess of the upper-level of 55% fructose generally recognized as safe by the Food and Drug Administration

These levels not only put them in excess of safe levels, defined by others, but also at odds with their own claims to safety.

…the representation that HFCS is “compositionally equivalent” to table sugar could amount to false and misleading advertising requiring action by the Federal Trade Commission and State Attorneys General.

Fructose was isolated and extracted from corn in America during the 1970s after President Nixon’s economic advisers demanded that payments for corn surplus should be put to some kind of use. Leaders of the country at that time balked at the idea of paying farmers to grow something and then do nothing with it, so they set about manufacturing demand. The very recent origin of high fructose corn syrup was thus driven by an artificial (US Patent 3,689,362 by Yoshiyuki Takasaki in 1972) urgency related to farm politics, as I have discussed before.

I could also point out the political importance of high fructose corn syrup comes from an even older issue of national concern. The reason corn syrup has been made cheaper to use in processed foods than sugar is due to import quotas that restrict America’s supply of sugar.

Before artificial corn sweeteners were made in America the US Marines were called into action to invade the state of Hawaii in 1894 and overthrow the Queen. This was to ensure access to sugar. American plantation owners feared they would lose their land to the Queen if she maintained power. They formed a “Committee of Safety to overthrow the Kingdom” and found a sympathetic ear in the US Secretary of State, James Blaine. He had suggested in 1881 that the US would be better off invading Cuba, another rich source of sugar, than to let it sit in the hands of a European power.

The sugar of Hawaii is not enough to meet demand today. This makes me wonder if Blaine had realized the safety risk present today from high fructose corn syrup in America, would he have pressed even more to annex Cuba? Alas, Cuba became independent and America continues to try and find ways to dispose of its corn surplus.