I have 4 children and I actively help them with/cheat on their homework. They are assigned too damn much of it. They are all getting good grades and I don't think it is impacting them academically.
Code is supposed to change on the website all the time, though, when they run a deploy. Surely they do have a team working on checkout, but it isn't obvious how this would be detected. The article leaves out how they got the malicious javascript onto the page in the first place, though, so it's hard to say.
I have a tiny $5 Onion Omega2 on an independent cellular connection that checks file integrity on the production web servers every 15 minutes.
If the content of any of the files changes, I get an e-mail.
If the alerts start coming in when I know I've just pushed a new version to production, the mail has a link that I can click that will re-scan all of the files and build new checksums.
If the alerts start coming in in the middle of the night, then I know something is up.
Obviously, this only works in small environments like mine where I'm the only one capable of updating the production servers. But it managed to catch a backdoor left in by the previous developer, who for some reason stored and updated his resume on the production server.
It would be interesting to deploy a few of them in different places and check that they all see the same as well maybe.
That's a great idea. And since they're only $5 each (I think I spent $15 with the power shield), it's not a big deal.
Also did you do this as a belts and braces thing or is the system you are auditing particularly high security/risk in some way?
When I got here, most of the web sites were riddled with worms and trojans and spambots and other bad stuff. One by one I just nuked them and started over. This was a deliberate isolation to keep an eye on things in case the sites or the dev machines ever got compromised.
What that won't do is save you from malicious code inserted into 3rd party content (script libraries, etc.) that you load from a CDN. If you're worried about that, you should make a copy of a verified version and serve it yourself.
You can just set up Tripwire to do this sort of thing.
I wanted something that was completely independent of the machine. Separate box, separate network, separate architecture, etc...
> What that won't do is save you from malicious code inserted into 3rd party content (script libraries, etc.) that you load from a CDN. If you're worried about that, you should make a copy of a verified version and serve it yourself.
I don't CDN on work projects. It's not worth the risk. If something goes wrong, I'd rather it be my fault and something I can understand and fix, whenever possible. Farming stuff out just leads to layers of things that can break, be compromised, or simply go wrong.
Again, it works at my scale (about 15 sites). It won't work for everyone.
What if a developer's machine was somehow compromised and the bad version of the file was put into the actual repo or deploy? I have no idea how likely this is or if it is a possibility in NewEgg's environment, but that would be a case that only scanning for changes on the servers wouldn't catch.
> What if a developer's machine was somehow compromised and the bad version of the file was put into the actual repo or deploy?
In a complex environment, that's a complex problem. In mine, it's not a big problem. Keeping the security routine on an external device with no other function I think helps. And since the device is on a completely different network, and a cellular connection with changing IP addresses, if someone was targeting the company they'd never find it.
Whenever someone complains about another company's product, code, features, security....I always wish it was mandatory to include a link to the kind of software the poster is putting into production.
I have. I deploy in ASP.NET and get a hash of the uploaded DLL. I check it twice a day. Never had any incidents to this day but as the saying goes, it's better to be safe than sorry.
In ASP.NET pretty much all output, including html and js is included in the DLL. Only external js files are left out. Sure they could hack them which means my solution isn't bulletproof but I could also produce a hash for them too.
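The checksum-and-alert routine in the Omega2 comment above and the twice-daily DLL hash check in this one are the same loop: hash everything once, store the result off-box, rehash on a schedule, report any difference, and rebuild the baseline only after a known-good deploy. An added example of that loop in Python (not either commenter's code); it assumes the baseline JSON lives on the monitoring box, not on the server being watched, and the sample tree in `demo()` is constructed.

```python
"""Minimal file-integrity monitor: SHA-256 baseline, rescan, diff, re-baseline.
Added example; the directory layout used in demo() is constructed."""
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assets don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped so a link pointing outside the tree can't mask content."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def save_baseline(root, baseline_path) -> dict:
    """The 're-scan and build new checksums' step, run after a known deploy.
    Keep baseline_path on the monitoring host, never on the web server."""
    baseline = scan(root)
    Path(baseline_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))
    return baseline


def load_baseline(baseline_path) -> dict:
    return json.loads(Path(baseline_path).read_text())


def diff(baseline: dict, current: dict) -> dict:
    """Classify changes; all three kinds matter (a dropped-in file is as
    suspicious as an edited one, and a deleted file may be a removed control)."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def format_alert(changes: dict) -> str:
    """Body of the e-mail; empty string means nothing to send."""
    lines = [f"{kind.upper():9} {rel}"
             for kind in ("modified", "added", "removed")
             for rel in changes[kind]]
    return "\n".join(lines)


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then edit one file,
    add one and delete one, and return what the rescan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "js").mkdir(parents=True)
        (root / "index.html").write_text("<html>ok</html>")
        (root / "js" / "checkout.js").write_text("function pay() {}")
        baseline_file = Path(tmp) / "baseline.json"   # lives beside, not inside, root
        save_baseline(root, baseline_file)
        (root / "js" / "checkout.js").write_text("function pay() {} /* injected */")
        (root / "js" / "extra.js").write_text("/* unexpected file */")
        (root / "index.html").unlink()
        return diff(load_baseline(baseline_file), scan(root))


if __name__ == "__main__":
    # usage: python fim.py init|check <web_root> <baseline.json>
    cmd, root, baseline = sys.argv[1], sys.argv[2], sys.argv[3]
    if cmd == "init":
        save_baseline(root, baseline)
    else:
        report = format_alert(diff(load_baseline(baseline), scan(root)))
        print(report or "no changes")
```

Scheduling `check` every 15 minutes from cron on the monitoring box and piping any non-empty report to mail reproduces the setup described above.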
"It’s a response to scarce capital, and when that constraint is loosened, it’s worth considering whether other approaches are superior. With enough cash in the bank, Katzenberg can afford to create content, sign distribution deals, and see if consumers watch."
There are two main thoughts from this that occurred to me:
1. There are very few Katzenbergs out there, so him personally raising that money is not surprising. If Spielberg or Lucas wanted to create a short form video company I am certain that they would be able to raise similar amounts. I am not him; therefore the lean rules still apply to me.
2. The times that I have had enough money to buy my way out of problems have not yielded the best results. In my 30 years of doing this the clever answers have always come when my resources have been restricted, with often the best results from the most constriction. Extra money can bring bad results sometimes; the beauty is in the restraints.
I do light manufacturing in Arizona. In the last six months the prices of steel have basically doubled. My #1 material input now costs twice as much, and to add insult to injury, it is now becoming very hard to get in some cases.
Last week we were scrambling to find 1/4 steel plate. A common material. It's as rare as finding bread in a supermarket; it's one of those staples that you never expect to see shortages of. And last week we had a lot of trouble getting it.
I had dinner with a tubing salesperson this week. He was complaining that all the fancy DOM and high strength thin wall was in short supply - and this is where most of his commission based pay comes from. We don't use that much DOM, but we have noticed the price doubled this year.
Another friend sells a machine which uses hydraulic parts. He can get all the hose he wants, but nobody has any fittings. His suppliers of hydraulic cylinders are all out of stock and not expecting shipments until November. One supplier told him that he laid off his whole staff since there was nothing to sell and he wasn't sure if he could cover rent let alone employees until November.
The tariffs have caused a two-fold reaction; industrial customers with money in the bank have purchased 6 months' or a year's worth of stuff instead of a month's worth of stuff, while suppliers offshore have stopped shipping because they don't know what the price will be by the time it arrives in port. Since the deal is struck before the ship leaves, what happens if a 25% tariff is added? So they ship nothing and wait.
The actual tariff itself is not the main issue, it is the market forces reaction to it. No USA based suppliers can pick up the slack, and nobody I knew of was hedged against a sudden tariff being applied to their main inputs.
Blue collar workers will get laid off and the effects will ripple through the economy. This crash will be different from the last, but that doesn't mean it won't happen.
I have no strategy other than avoiding new spending on machines and being very slow to add new hires. Your industry segment may vary tremendously, time will tell.
I am moving to a new factory this month, my electrician is harvesting all the conduit and panels, because they have gone up 130% this year he tells me. I am in fear of the invoice.
Same for Home Equity lines of credit. I had a friend who was a banker; he had planned on using a $100K HELOC to remodel his house. He was stunned when Chase dropped his line from $100K to $5K. Killed that remodel.
When I heard that, I maxed out my line of credit and stuck the money in a different bank. That choice got me through 2009. Glad I did it.
My son had brain surgery when he was 6. He is now 14. The helicopter ride of 100 miles to the brain center was $25,000 and the brain surgery was $46,000. The helicopter ride took 1 hour and used 2 people. The brain surgery was 6 hours and involved at least 3 surgeons, plus unknown number of support staff. Insurance was willing to cover the surgery, but we had to fight for 6 months for the helicopter ride.
To quote the lead surgeon during the 6 month follow up - "I stopped looking at what we billed, and what I got paid years ago. It never made any sense to me, so I focused on the patient outcome, which did make sense to me". Great human, saved my kid's life, was totally supportive afterwards and stayed in touch for a few years.
Medical practices in the USA make no sense to me. I am Canadian.
Relevant to Simone, I have a friend who had the same problem and actually went to the same surgeon for the problem, but 5 years earlier. My son was recovered in a few days, she spent 6 months in the hospital to recover. The change was a new technique. They fixed my son through his leg, my friend had her skull removed and replaced.
Humanity can do awesome things sometimes. Sometimes great, sometimes horrid.
The interstate highway system got passed in 1956. It is now comprised of almost 50,000 miles of highway, and cost almost $500 Billion in today's dollars.
There would have been a whole lot of rebar used in the construction of all the concrete - bridges, overpasses, the concrete sections in Los Angeles and other high volume areas.
You can come intern at my factory in Arizona, no charge :)
I will teach you about laser cutting, robot welding, keeping the supply chain going, and how to make a profit when competing directly with China and India.
The real scam is the ongoing, monthly, maintenance fees on your 'timeshare'. Worldmark wanted $100 per month, per week of ownership, in a presentation I saw in Vegas. Which means that 52 weeks x $100 x 12 months = $62,400 per year in 'maintenance' on each unit. So even if you paid cash, they still get $62K per year in addition. This was Worldmark Vegas, buying a 'week' in a townhouse complex of $150,000 units.
I get the sense that the days of "take out a huge loan to be locked into vacationing at a crummy house in Boca" are over, probably because the reputation got too bad. Now it's reasonable prices, flexible travel dates, luxury properties around the world - all yours, for the low price of bank-breaking fees for life.
The maintenance fee is $100 a month for each week of timeshare you own. So if you want to use the time share 4 weeks a year you pay $400 a month. After selling all 52 weeks the company is collecting $62,400 a year.
If the unit has been chopped up such that all 52 weeks of the share have been sold, then a combination of people will be paying $100 per week of ownership, every month. Your share of the monthly maintenance is allocated by the number of weeks you "own".
You aren't just paying maintenance for the week that belongs to you. Original calculation of $62400 is correct. Part of the scam is obfuscating from you the true costs of the deal.
If the 52 week-owners knew each other, and could all afford the costs of the share in the first place, they could conceivably form their own LLC, cut out the timeshare company middleman, pay $10k each up front for week-length shares in a $520000 property, and cut their maintenance fee in half, to $50 per share per month (assuming 5% upkeep/utilities/taxes per year). They could even rent out any unused weeks on AirBnB to cut the maintenance charges, or even pay out distributions.
The timeshare people are making bank on the fact that getting up to 52 people to spontaneously come together in a common cause is extremely unlikely. You need a prime mover organizing the whole thing, who is ideally positioned to profit from information asymmetry.
I'm not up to speed on the mathematics, but a matchmaking algorithm that keeps preference data secret until all participants in a trade web commit to a deal that satisfies at least one of those preferences could drive a lot of middlemen and scam-like businesses out of the market.
For instance, you might find an algorithmic pickle agent in the network, and tell it that you could eat one big jar of crisp dill cucumber pickles every two weeks if it costs less than 8 money units, delivered to your door, or one per week if it costs less than 3 money units, committing some number of money units greater than 8 to back a promise to buy at those prices. A small-time pickle-making farmer might tell the agent that they can ship at most 500 jars a week, as long as they get at least 2 money units per jar, or as many as 800 if they can get 4 per jar (cost of hiring a dedicated packer, perhaps). The pickle agent consults with a commodity shipping agent, calculates a billion different ways to move pickles from suppliers to consumers, and then starts moving money and pickles around. Everyone who promised to buy at a certain price is guaranteed to get the goods at that or a lower price, and everyone who promised to sell at a certain price is guaranteed to ship the goods at that or a higher price. The shippers get their fee for moving a package from point A to point B. The agents take their cut to pay for their computation, and for insurance against failed shipments or bad pickles. The system would also need to include distributor/importer/resellers, because some trades just aren't possible unless you pack a whole pallet of pickles, or a whole truckload/shipping container, and break that out for individual orders closer to the consumers.
That's all technically possible with smart contracts, as far as I know, but it would require a huge amount of programming effort to even get the basics correct. And Wal-Mart already has their supply chain, inventory, and distribution software in place.
I'm not sure if this is a complete "scam." I think it mostly works out as similar to the costs of typical hotels.
- I would assume the timeshare companies often have more supply of rooms than they have paying "owners." For example certain destinations are only desirable during part of the year when the weather is favorable. So they may not be making this full amount in the math above.
- They have regular expenses beyond the room maintenance itself: overall building maintenance, resort amenities, staffing, utilities, cable/tv, etc.
- For comparison: a simple $150 hotel room for example would be $150 x 365 = $54,750. Similar to the timeshare, this one may not be 100% booked, though I don't know what booking/ownership rates are for timeshares vs. hotel rooms. In any case many timeshare units may have one or multiple bedrooms, a kitchen, a living area, etc. whereas the $150 hotel room is probably just a sleeping area. So you are likely getting "more space" with the timeshare.
Admittedly, many timeshares are scams, I won't deny that. But the evidence you provided for this one is not completely indicative of that. It still may not be a "good deal" based on how you prefer to travel, and if it's not certainly don't partake in it.
To me spending $100 x 12 = $1200 per year for your housing on vacation is not completely unreasonable compared to $150 x 7 = $1050, considering the extra amenities and opportunity to save money by cooking in the unit. It doesn't make the timeshare a "steal of a deal" (like some of the presentations make it out to be) but rather more of a "prepaid vacation" which may make sense in some situations. It seems like a "legitimate business" in this case to me, assuming the up-front costs to buy in are not too crazy. Country Clubs have been using a similar structure of "buying in" + recurring fees since before the timeshare industry even existed, and presumably these country clubs are legitimate businesses as well. There are good and bad players in the timeshare industry, as is the case in so many other industries as well.
My parents are Worldmark owners, so I've done some analysis on that one in particular. There is a decent amount of flexibility (destination) and the units have seemed pretty well-equipped. In the math I've done it seems to work out to not necessarily make your vacation "cheaper" but it doesn't make it "more expensive" either. They like it because they get more space and a kitchen to cook some of their own meals, and they use it as encouragement to take vacations to destinations they otherwise would not have thought about (and have very much enjoyed).
The timeshare company in the article though is clearly a major scam! I trust that most people on HN can take a look at the math to weigh what may be a good deal for their personal situation.
I'm assuming that the figures parent laid out as an example don't include the cost of the timeshare itself. So you're mortgaging the cost of the time share at a high interest rate, then it's $1200/yr./week on top of that for "maintenance".
Way back in the day, I had a reinsurance company as a client. For those unfamiliar, reinsurance companies insure insurance companies.
For example, they might insure a standard insurance company for automobile accidents, with a $1,000,000 deductible. So the retail insurance company handles payouts up to a million dollars, but when there's a really wild claim, the reinsurance company pays the insurance company for anything over a million.
They end up specializing in rare events that involve large payouts, so they also did things like the hole-in-one insurance you mention above, very common with charity golf tournaments.
They had many stories to tell, including the fellow who played a lot of golf and collected three hole-in-one payouts, and another story about a truck that went off a mountain road, slid down and blocked train tracks, causing a train derailment, with a town below the train that needed to be evacuated.
What makes you think that nobody can get the billion?
Insurance policies require you to pay a certain amount guaranteed, then pay back a much larger amount if something unlikely happens. So Pepsi had to pay $10 million. If the right thing happened during the game then Berkshire Hathaway would have paid a billion, and some lucky consumer would have walked away a newly minted billionaire.
Berkshire's General Re does reinsurance, not re-"reinsurance". Is there a recursive step -- could General Re face a claim that it needs to lean on the rest of Berkshire to pay?
The article says its insurance companies face a 2 percent chance of being "$12 billion" insolvent, which Berkshire could cover from non-insurance profits. But would that still be true if the claims came in, or would the non-insurance companies also have correlated down years?
I suppose Berkshire Hathaway is big enough that if it came down to it, it could liquidate equity ($500B minus devaluation due to whatever catastrophe) to make good on claims.
No way that Berkshire pays a $500b claim. They would find a way to stick the US taxpayer with the bill as many smaller companies have done before them.
Reinsurance is also a nice way to reduce a company's taxes, and to hold money offshore. Many reinsurance companies are owned by another company; but the "re" is incorporated in a low or no tax jurisdiction such as the Cayman Islands or Bermuda.
Bizarrely it’s sometimes another division of the same reinsurance company.
I work for an insurer and got talking with one of our pricing guys who told me about a case where one of the big multinationals had one division which was way under its predicted claims volume for the year, and another that was over. To rebalance the risk the US division ended up insuring the EU division.
Another story that night was about a reinsurer that through several departments taking on different risks ended up on the hook for a dockyard which caught fire catastrophically. And all the goods in that dockyard. And the boat which started the fire.
That evening led to my drunken catchphrase: “fucking insurance”, said ever more enthusiastically.
They are doing it wrong - socialise that risk. Here in New Zealand when a big insurer has something bad happen (eg an earthquake flattens a big city) you get bailed out by the government. Departing staff still got big payouts in that era too, so it doesn’t seem to impose any stringent criteria on companies too. AMI specifically. Sarcasm aplenty in this comment.
Even reinsurance has limits, and large earthquakes on major metropolitan centres are basically the one thing that will exceed them (floods can be bad too, but the risks are more predictable, and are often excluded from policies in high-risk areas).
The only alternative to the "government backstop" is that insurers will refuse to write policies or will exclude earthquake risk (in which case the government may need to set up its own scheme, e.g. CEA insurance in California).
Reinsurance funds typically market themselves as a source of alpha for large institutional investors. The reinsurance company sells bonds that promise a relatively high rate of return, with the caveat that in the event that the fund needs to pay out a large claim, the value of the bond may be nullified.
They used to talk about anti-selection (a/k/a "adverse selection"). For example, if a retail insurer has no reinsurance, it has to incorporate both the probability of claims and the distribution of payout sizes.
But if they have reinsurance, the payouts are 'clipped' at their deductible. This means that they have an incentive to take on clients that are less likely to have any sort of accident, even if, when they do have an accident, it has catastrophic consequences.
This means that a reinsurance company cannot rely on the overall statistics for claims, because the insurance companies that buy reinsurance price their products with reinsurance in mind. The people unlikely to run into massive claims will end up in pools where the retail insurance company doesn't buy reinsurance.
So they have to carefully price the reinsurance to account for the fact that the insurance company is packaging their most reinsurance-sensitive pool of customers together.
A few years ago I was in charge of monitoring a hole in one contest for a golf tournament.
Anyone who got a hole in one was to receive $10,000. All I had to do was hang out in the shade and not get killed from golf balls while watching everyone's attempts.
I asked the tournament official where that 10k comes from, and he said from an insurance agency. They paid $200 insurance. No one ended up getting a hole in one that day.
Apparently some golf players even carry hole-in-one insurance against themselves, to cover the unexpected cost of the traditional celebratory round of drinks for everyone in the club afterwards.
If I recall, there was a basketball one where the insurance company didn't want to pay because the shooter had played college ball. The team wound up paying to avoid the PR disaster.
YES! This was at a Chicago Bulls game in the late 90's iirc. I watched the game on TV. The shot was from the free-throw line to the basket on the opposite end of the court. The guy shot one handed, wheeling his arm around wide to throw the ball with a great arc.
It took a few seconds to travel through the air, and from the moment he released the ball the crowd was silent - we could all see it was looking on-target. It went through the hoop! It barely nicked the rim on its way down, so after it went through it ricocheted hard to one side, in my memory it was a near 90-degree turn.
The crowd went wild. Everyone was thrilled to finally see someone win that prize. I don't remember how much it was, but I do remember it was a very large cash prize.
And then, like you said, the next day the prize company said they wouldn't pay because there was some stipulation that participants could not have played any pro or college basketball. Public sentiment turned harshly on the team - you see, to take away his prize would be to invalidate the joyful moment we all shared watching that shot. If he didn't win, what the heck did we just see?
I don't know if the insurance company changed their minds or if the team just ate the cost of the prize, but it didn't take long for the Bulls to realize what was the right thing to do, and do it.
It is interesting. It took me a while to find an article that described his "near disqualification" [1]. Am I imagining things, or is it like all the top results, even for an event so long ago, are tilted towards "of course he'll get the money, who said otherwise?" But clearly it was said. Maybe it was a risky play by the prize company to rope in the team & some partners into chipping in to pay for the loss, which might have crippled them [2]. And then a lot of spin after the fact by the team to save face. They were forced to legitimize a shady move by a business partner, who threatened their reputation. Some rough lines to FB/CA?
"It takes time to make up a hit like this . . . but I know this will generate enough business to cover the loss."
For $1m, the Bulls could avoid paying it, and should, since they violated the terms of their insurance contract, and they are a huge profitable professional business, not a rube.
> Calhoun said he would not be quitting his job as a sales associate at the Reliable Office Superstore in Bloomington
Anyone that thought he could quit his job needs some math lessons and financial education. $1M isn't enough to retire if you're under 30, especially when taxes come out.
^ it would also solidly cover educational expenses and income loss, etc, in the event one wanted to change careers. One could move to the industry of one's choosing with that kind of cushion.
The prize was paid out at $50k/year for 20 years. After taxes, that could cover a modest living in many parts of the country, but I'd agree that is not "quit your job/retire" money, even in the 90's.
The story calls him a "A $5-an-hour office supply store salesman", so at 2,000 hours a year it's $10,000. That makes the gross prize money five times his salary.