Forgive me for going totally off topic (hey its my blog I write what I want) but it is Sunday and not much news on security.  I wanted to write about an article I saw in the NY Times today called "Even the Insured Feel the Strain of Health Costs". The article details that with the hard economic times even people who have health insurance are being bitten by the ever rising costs of health care.  Rising premiums, covering less procedures and care and charging more for prescriptions and medical care combine to put the bite on everyone.  From my own experience here are 4 examples of how even with health insurance, medical care costs are taking a bite:

1. My wife had minor surgery in September.  It was ambulatory surgery where she went in the morning and went home that afternoon/evening.  Even though we have full PPO coverage and it was participating doctors, hospital, etc. my out-of-pocket costs after insurance were almost $3000! The surgeon received a whopping $472 from the insurance company for the operation and the hospital billed like 17k!  When I called the hospital they said they did not expect to get paid that much, but had to bill it so they could get as much as they could.  I than had to negotiate what I would pay out of pocket beyond that. I also had to pay the anesthesia, the prescriptions, etc.

2. Here at StillSecure we had to switch providers again this year because United Health Care wanted another 15 to 20% raise in premiums. In fact that is about normal for health insurance, way above the cost of living and inflation.  We pay a good chunk of our employees insurance premiums, but even so the 20% or so that we have the employee pick up gets bigger and bigger.  Plus the insurance company covers less and less.  This squeeze is frankly baffling. How can you pay more and get less.

3. I had a dental implant a few months back.  Though we pay for dental coverage, our insurance would cover a bridge or cap, but they don't consider implants necessary and would not cover any of it. I had to lay 2k out of pocket. On top of this the panoramic x-ray the oral surgeon took (which again was not covered, another 100 bucks) showed I had an impacted wisdom tooth with a cyst around it.  My dental insurance covered the wisdom tooth, but the cyst removal would be considered under my regular insurance and my dentist was not participating. In fact I could not find a participating oral surgeon in the area.  So I had to an extra $600 dollars out of pocket and of course my out-of-network deductible was $750, so I ate it again.

4. The orthodontist.  This one is perhaps the worst of all and really gets my goat.  My oldest son went for an orthodontic exam. The doctor told my wife that he would probably need braces when he gets older and that current best practices in orthodontics is to put braces on now in a phase 1 and than if necessary they put other braces on later when more of his adult teeth come in. Putting braces on now would lesson the severity of what he would need later.  OK, great lets do it, right?  Wrong!  Our insurance covers a one time payment of $1200. The dentist said if we use it now, the cost for phase 1 would be $3600.  That leaves a balance of $2400 that I have to pay.  However, if I do it without insurance he would charge me $2400 and than I could use the $1200 towards the phase 2 braces my son may need which could be up to 10k. So if we went through insurance the cost was $3600 with $2400 out of pocket or no insurance $2400 out of pocket.  What is wrong with that picture. Whether I have insurance or not, it still costs me $2400!  This is fundamentally what is wrong with our health care system.  The dentist is willing to accept $2400.  He should take the $1200 from my insurance and I should pay him another $1200.  Anything else is ludicrous and in my mind borders on criminal insurance fraud.

We need to restore sanity to the whole system. It is not just the 48 million people in this country that don't have insurance, it is also the costs of the people who do have insurance. Don't tell me that giving us greater limits to put in tax deferred health savings plan are the answer either.  Fundamentally we need the insurance companies to stop sucking the blood of the premium payers. We need the health industry to bill for what the do and what it is worth, not how to maximize what the insurance company pays and most of all we need to make sure that people can afford and receive decent health care!

BTW, if you want to read an excellent blog on this subject, Dr. Stanley Feld, Brad's dad writes a great blog on it.

Security is invisible. Customers are willing to pay for visible software product functionality but not for secure software product development methodology. Unfortunately, most of the security is in the backend, if security works well, truly, it should be "invisible" and the fact that it hidden does not motivate customers to pay anything extra. Security incidents motivate customers to act, this is the time when security becomes visible but the limelight fades away as soon as this  incident is handled.

We as security professionals see: the internal mechanics of software security and also can speculate ramification of poor software security in customer deployment. Because we see this we can't expect customers to pay for it. Making security visible to the customer will defeat the whole purpose of security and making it invisible diminishes the value of security. It is a dichotomy that we (as security professionals) have to manage and live with.  Customers who notice and are aware of security may start check on of the security aspect of a product before buying it. Unfortunately, security is just one aspect, buying a specific product vs. other products purely based on security is a pipe dream. In the distant future when all products have security built in, security won't be a differentiator anymore and visibility of security will diminish even further.  

If security was highly visible, we would find Steve Jobs touting security on stage at MacWorld. May be this is the reality check for security professionals.

I plan on posting about explosives and how they were used in the terrorist attacks tomorrow, but in the mean time, I thought it would be fun to share some of the lessons I learned as a child through trial and error.  First off, a word of warning:   

Do not try any of this at home.  The experiments were done by an idiot.  None of it is legal.  I’m lucky to have my fingers and some of the hair I lost never grew back.  Scar tissue isn’t as strong as regular tissue.

I remember one of the first little experiments I did as a kid involved the lawn mower’s gas can.  Several attempts to use gasoline to replicate those awe inspiring car explosions from action movies failed time and time again.  The only result I could get was a simple fire that often proved difficult to put out. 

It’s kind of funny the safety controls I employed at age 12.  My love of danger was superseded by my desire to live and stay out of trouble.  For example, one of the first things I learned was remote detonation systems.  The first one I employed was a catapult, built from popsicle sticks, a metal spoon, and rubber bands which could launch a cotton ball soaked in alcohol 20 ft.  The catapult itself could even be operated remotely by using a piece of dental floss to release the firing pin.  The way I figured it, I could open a flame a safe distance from my explosive, run to my makeshift bomb shelter (a foxhole), launch the catapult, and wait for the explosion.  My ignition systems advanced over the years to electrical (steel wool, 9V batteries, and phone cord), 12 gauge shotgun shells minus the lead shot, and tracer rounds (regular bullets do nothing, you need an incendiary round). 

My experiments always started with small trial runs. The simple process I employed had numerous benefits, such as teaching me how to construct proper firebreaks, that gravel roads don’t burn but they do throw significant amounts of shrapnel, and why the military loves foxholes.

The first time I got an explosion occurred by accident.  I was very disappointed after another failed experiment.  As I sat there next to an empty gas can waiting for a fire to go out, I was playing with strike anywhere matches on the empty gas can when to my surprise it exploded and launched itself to the other side of the field.  I lost all the hair on my knuckles and had now had a mystery to solve.

I can’t imagine what my dad must have thought when I started asking all these questions, but he explained to me how a combustion engine works.  Either a carburetor or fuel injection systems mix gasoline with oxygen to form a gas which is ignited by a spark plug at specific intervals to propel a car.  He also explained that if a car’s gas tank could explode then it would not be safe to drive.  Without being properly mixed with an oxidant, gasoline does not detonate, but rather it deflagrates, or burns.

Experimenting with a car battery charger, a glass beaker, some balloons, and water was also a source of immense fun.  At the time, I hadn’t taken any chemistry classes and thought I was collecting pure hydrogen in my balloons.  In my mind, I was making mini-Hindenburg’s.  I would take them out to my fort and blow them up.  Those made some nice explosions.  It wasn’t until a later experiment that I learned I was collecting oxygen in addition to hydrogen through electrolysis.

That later experiment occurred when I discovered dad’s acetylene tanks (he’s a jeweler and has a torch for soldering). At first I was disappointed.  Balloons filled with only acetylene barely did anything.  But then I found that if I mixed in some pure oxygen from the other tank in a 2:1 ratio of oxygen to acetylene, you could produce an explosion with a shock wave that could be felt from 50 ft. away.  It literally sounded like a stick of TNT. 

Over the years I grew more and more brave.  I don’t know what my poor parents must have thought.  At age 15, I printed off an anarchist cookbook and unintentionally left before it was done printing.  The printer was simply out of paper, and later that night when dad put some more in, out popped a page on making napalm from gasoline and styrofoam.  They have also never asked me how the metal window screen in my room melted in one corner.  I don’t know how I would have told them it was due to a freak accident when I was making my first accurate time delay fuse using slow burning gunpowder, cardboard strips that were coiled and soaked in wax, and a tuna can.

Looking back at some of the stuff I did from age 10 to 16, I would have made an excellent engineer, scientist, or lawyer.  I built all kinds of things, always figured out how they worked, and argued my way out things that get people sent to Guantanamo :)