Author: Lisa

My Area Of Expertise

Jimmy Kimmel had an interesting comment about his input into the healthcare debate:

“I never imagined I would get involved in something like this, this is not my area of expertise. My area of expertise is eating pizza, and that’s really about it. But we can’t let them do this to our children, our senior citizens, and our veterans, or to any of us.”

But let’s be honest here, there aren’t a lot of people whose area of expertise is the impact of public policy on health care. Kimmel does, however, have expertise in being a health care consumer dealing with a condition where there is no such thing as a rational actor: a parent trying to save their new baby.

Maybe Cassidy will claim he didn’t outright lie, as Kimmel asserts. But saying you have crafted a compassionate health care policy because a parent won’t have to watch their kid die for want of a life-saving surgery is disingenuous. Essentially any health care plan passes “the Kimmel test” unless it repeals the Emergency Medical and Treatment Labor Act (I believe the act scopes the ‘provide emergency care to anyone without considering ability to pay’ bit to facilities that accept Medicare, as it is the acceptance of Medicare funds that places the facility under federal purview … so the parent may need to go do a specific hospital, but they can find one). The hospital has to perform a medical screening, and they are not permitted to discharge the patient without stabilization (or the patient opting out of treatment, or if they are transferring to another facility better equipped to deal with the issue …. but I assume the accepting hospital assumes the same legal burden so the two end points are the condition is stabilized or the patient opts out of treatment.)

It’s an inefficient structure. My sister had a kidney stone. She could go into the hospital a few times a month in extreme pain, take up a doctor’s time, get doped up on some pain killer (which takes up even more of the doctor’s time because there are people who surf hospitals looking for Oxi), be handed a prescription she had no way of filling, and be on her way. Now if the stone ruptured something, surgical intervention may have been required to stabilize her ailment. But it didn’t, so they didn’t have to perform surgery to remove the kidney stone because the condition was stabilized by eliminating pain. It would have been cheaper to just remove the thing, but she couldn’t pay for that service.

Another facet of the long-standing federal law is that the hospital is not prevented from billing you for their services. If her kidney had ruptured and emergency surgery been required, she’d have been billed tens of thousands of dollars. If you don’t have anything to take, there’s a lien that sits on the record it expires. Or you have some assets and need to file bankruptcy to protect your car/home and clear the medical bills.

It’s not enough to say our health care system put a parent in the position of being unable to afford saving their kids life – it’s been that way since 1986. Our health care system shouldn’t make the parent bring their kid in every week to be stabilized until the situation becomes so dire that the underlying condition cannot be stabilized and actually needs to be resolved. Our health care system shouldn’t make a parent file bankruptcy to save their house and car from being liquidated to cover the lien from that hospital bill.

PHP: Windows Authentication to MS SQL Database

I’ve encountered several people now how have followed “the directions” to allow their IIS-hosted PHP code to authenticate to a MS SQL server using Windows authentication … only to get an error indicating some unexpected ID is unable to log into the SQL server.

Create your application pool and add an identity. Turn off fastcgi.impersonate in your php.ini file. Create web site, use custom application pool … FAIL.

C:\Users\administrator.RUSHWORTH<%windir%\system32\inetsrv\appcmd.exe list config "Exchange Back End" /section:anonymousAuthentication
<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" />
    </authentication>
  </security>
</system.webServer>

The web site still doesn’t pick up the user from the application pool. Click on Anonymous Authentication, then click “Edit” over in the actions pane. Change it to use the application pool identity here too (why wouldn’t it automatically do so when an identity is provided?? no idea!).

C:\Users\administrator.RUSHWORTH<%windir%\system32\inetsrv\appcmd.exe list config "Exchange Back End" /section:anonymousAuthentication
<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication enabled="true" userName="" />
    </authentication>
  </security>
</system.webServer>

I’ve always seen the null string in userName, although I’ve read that the element may be omitted entirely. Once the site is actually using the pool identity, PHP can authenticate to SQL accounts using Windows authentication.

Baseball Shirt

Anya’s preschool class has “baseball day” on Friday, and they are to wear their baseball shirts. It’s an interesting assumption that everyone has a baseball shirt to wear. Three years ago, I happened across an Indians t-shirt on post-season clearance. It was a size too large, but she grows. Beyond my “you cannot go wrong with a 4$ t-shirt” purchase, we don’t have anything baseball related. I don’t particularly want to pay inflated MLB-licensed in-season (and the Indians are doing well) prices.

I picked up a bunch of blank t-shirts for embroidered designs, so I decided to make Anya a baseball themed shirt. She chose the green shirt, and I drew a heart and added baseball stitching. The black and white image was printed on this Transfer Eze paper that I love. Then I cut out a slightly larger heart of white satin and a same-sized heart from a very thin quilt batting. Laid out the t-shirt, centered the quilt backing, then affixed the Transfer Eze heart to the satin and laid it on top of the batting. Going with the quilting principal of working from the center out to avoid bubbles, I started with the red stitching. Now I’m using a satin stitch around the edge to needle turn appliqué the whole thing onto the t-shirt.

Precognition

how fucked up is our form of government when the passage of a bill rests on the author’s ability to craft perks for Alaska without specifically saying “Except for Alaska, which will get an extra fifty mill each year and the Department of Interior won’t accidentally lose all of their grant applications for the next three and a quarter years”?

Facebook’s Offensive Advertising Profiles

As a programmer, I assumed Facebook used some sort of statistical analysis to generate advertising categories based on user input rather than employing a marketing group. A statistical analysis of the phrases being typed is *generally* an accurate reflection of what people type, although I’ve encountered situations where their code does not appropriately weight adjectives (FB thought I was a Trump supporter because incompetent, misogynist, unqualified, etc didn’t clue them into my real beliefs). But I don’t think the listings causing an uproar this week were factually wrong.
 
Sure, the market segment name is offensive; but computers don’t natively identify human offense. I used to manage the spam filtering platform for a large company (back before hourly anti-spam definition updates were a thing). It is impossible to write every iteration of every potentially offensive string out there. We would get e-mails for \/|@GR@! As such, there isn’t a simple list of word combinations that shouldn’t appear in your marketing profiles. It would be quite limiting to avoid ‘kill’ or ‘hate’ in profiles too — a group of people who hate vegetables is a viable target market. Or those who make killer mods to their car.
 
FB’s failing, from a development standpoint, is not having a sufficiently robust set of heuristic principals against which target demo’s are analysed for non-publication. They may have considered the list would be self-pruning: no company is going to buy ads to target “kill all women”. Any advertising string that receives under some threshold of buys in a delta-time gets dropped. Lazy, but I’m a lazy programmer and could *totally* see myself going down that path. And spinning it as the most efficient mechanism at that. To me, this is the difference between a computer science major and an information sciences major. Computer science is about perfecting the algorithm to build categories from user input and optimizing the results by mining purchase data to determine which categories are worth retaining. Information science teaches you to consider the business impact of customers seeing the categories which emerge from user input. 
 
There are ad demo’s for all sorts of other offensive groups, so it isn’t like the algorithm unfairly targeted a specific group. Facebook makes money from selling advertisements to companies based on what FB users talk about. It isn’t a specific attempt to profit by advertising to hate groups; it’s an attempt to profit by dynamically creating marketing demographic categories and sorting people into their bins.
 
The only thing that really offends me about this story is that unpleasant people are partaking in unpleasant conversations. Which isn’t news, nor is it really FB’s fault beyond creating a platform to facilitate the discussion. Possibly some unpleasant companies are targeting their ads to these individuals … although that’s not entirely FB’s fault either. Buy an ad in Breitbart and you can target a bunch of white supremacists.

Security Standards For Financial Information

A long time ago, processors of credit card information didn’t have any standards. And they’d lose your data. People didn’t like that, and some type of regulation had to be put on the industry. The credit card processors got together and formed an initiative to form their own regulations – PCI. They were a lot more concerned with the regulation’s impact on profitability than government regulations would have been. The PCI standards were fairly effective.

And now one of the credit bureaus has lost a huge amount of personal data – including social security numbers and account numbers that I don’t get why were stored in anything other than a one-way hash in the first place. But the bigger question is how are these credit bureaus able to operate with standards that are less strict than the industry-association generated PCI standards? My guess is that there will be a credit bureau industry association writing security standards in the next week or so. If there isn’t an industry association forming to ensure my social security number and account numbers aren’t stored in clear text on web-accessible servers at credit bureaus … I should hope the government would intervene and mandate a certain level of security.

Revisiting Court Decisions

In 2008, Miami-Dade enacted Ordinance 08-34 requiring cranes be able to withstand load from 140 mph winds. Construction companies objected — they’d need to spend more money ensuring public safety, and really how often are 140 mph winds ripping through Miami? Courts deemed the local regulation to cover worker safety and not public safety; the OSHA requirement, which is something like 90 mph, superseded the local government’s Ordinance (I think the 11th Circuit decision actually said it was a multi-purpose regulation … but since the requirement touched on workplace safety, OSHA wins). I wonder, as cranes come crashing into buildings in downtown Miami, if the court would revisit that decision.

I worked for a company that operated each regional area as an independent entity. Each had their own set of rules, regulations, processes … they just shared a common HR staff and all of the money rolled up to the same ledger. Their “sell” to this approach was that it allowed different regions with different requirements to make rules that met their customer’s needs. The unfortunate example that got cited, though, was a military base out in Virginia. *That* region had a policy where, upon being deployed overseas, a military family could have their account flagged as forward deployed. The the account would not be suspended for non-payment and no collections attempts would be made. Which is nice – but why weren’t military bases in other regions afforded the same courtesy? Or customers stationed at the base in Virginia who happened to retain their cell phone from their family’s home in Kansas? Essentially, I could never understand what about cellular service could need to be customized for a specific region where it was a completely unreasonable policy in other regions. There are areas where a single nation-wide regulation makes sense.

Construction regulations, on the other hand, seem very location specific. And a area where a nationwide minimum standard would be far more reasonable. I doubt there’s a lot of concern about coastal flooding in Denver. Snow load regulations for equipment in South Texas is silly, but I wouldn’t want to sleep next door to a crane in NYC that didn’t fall under some snow load reg. Builders in Maine don’t need to worry too much about tornado damage, but construction sites between OKC and Tulsa can reasonably be required to lash down their materials at the end of each day to avoid debris being flung all over the countryside. And, yeah, cities in Southern Florida can reasonably want large pieces of equipment to have higher wind load ratings than a crane in Seattle.

Furthermore — why is it “states rights” people only support the state’s rights to be *more* Republican? Why should Cali need a waiver to have stricter air quality and fuel efficiency rules? Why should Miami be unable to have higher standards for wind force? It isn’t like Washington needed a waiver to set their minimum wage above the federal set-point.

Equifax Hack

First of all, saying half the population of the United States has had their personal information stolen might be accurate, but it’s the good marketing spin. 2016 numbers had 249,485,228 adults in the United States. That’s 57% of people over 18 who have had their personal data stolen. Now there are people with no credit history. It’s a bit of a thing when you first want to rent a flat or get a credit card … you have no credit history, and can’t get credit until you have one. Last I read, it was something like 14% of adults who have no credit record — meaning Equifax gave up information on 66% of the credit-having population.

Leaving aside the marketing spin on numbers, though, why the hell is a credit bureau storing my personal information in a retrievable format instead of a one-way hash? Performance, I assume … so I guess my question really is why were a couple of clock cycles considered more important than the security of my data? Some of the data is probably maintained in clear text because they use heuristic matching to link incoming data to entities. I’m guessing my info comes in with a name, address, creditor name, and account number. And they’ve got to be able to match up the thirty different iterations of my address to ingest the data. But there’s no reason for the account number to be stored unhashed – store the last two or three digits in a new column for display (Your XYZ account ending in ###). And there’s sure as hell no reason for the SSN to be stored unhashed – even if they’d have to store the full one hashed and the last four in another hash because some data doesn’t come in with full SSNs.