From: Thomas Walker Lynch Date: Wed, 20 May 2026 07:03:56 +0000 (+0000) Subject: . X-Git-Url: https://git.reasoningtechnology.com/money_circle.jpeg?a=commitdiff_plain;ds=sidebyside;p=RT-ID . --- diff --git a/document/A2.html b/document/A2.html index 0ea107c..02a61b6 100644 --- a/document/A2.html +++ b/document/A2.html @@ -328,7 +328,9 @@ Engineers later discovered the cause. Temporary abuse-mitigation rules that had This is security by blunt instrument excluding people on the fringes. Literally a camera that decides who looks human enough to participate. The garden loses more than diversity of awareness profiles; it loses entire populations. The facial recognition system was deployed with no consideration for edge cases, no fallback, no human override that respected dignity. It’s the security equivalent of a fence with no gate. And it’s not a hypothetical: real people are being told by machines that their faces don’t qualify. This destroys diversity and comfort to speak before a conversation even begins.

-

There is another face mismatch case of a perfectly healthy man who works in high-tech not being recognized by ID.me, being initially rejected, and then not allowed to contact a human being there due a requirement of being recognized first, continuing over an 8 year period. The deadlock was finally broken only through the intervention of a Congresswoman.

+

There is another face mismatch case of a perfectly healthy man who works in high-tech not being recognized by ID.me, being initially rejected, and then not allowed to contact a human being there due a requirement of being recognized first, continuing over an 8 year period. The deadlock was finally broken only through +the intervention of the constituent services staff of their congressional representative. +

Byzantine security
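Review bot: In the added paragraph of the document/A2.html hunk at -328,7, the sentence still reads "due a requirement of being recognized first" (missing "to"), and the new ending pairs "a perfectly healthy man" with "their congressional representative", so the pronoun no longer agrees with its subject. Suggest "due to a requirement", "8-year period" and "his congressional representative". The paragraph also makes a specific claim about ID.me with no source visible in the hunk; a link or citation would let readers verify it.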

@@ -385,7 +387,7 @@ Engineers later discovered the cause. Temporary abuse-mitigation rules that had Statisticians call this the expected time it will take to log in, though this specific time is not among the actual individual scenarios. Rather, after many times of logging in, the average time will tend towards this value.

- Pay special note to this interesting effect: Although the normal mode login is merely 5 seconds, the average time approaches 4334 seconds. This average time result is so high because, though it is highly improbable, it is overwhelmingly expensive to recover after having to wait a timeout period, or to contact support. + Pay special note to this interesting effect: Although the most common login time, when everything goes right, is merely 5 seconds, the average time for all users over many logins approaches 4334 seconds. This average time result is so high because, though it is improbable, it is also overwhelmingly expensive to recover after having to wait a timeout period, or to have to contact support.

The true dollar expense depends on how much a person's time is worth and how much of the waiting time can be filled with other tasks. If it is work time, it will be one value; if it is time with children, another. At \$100 an hour with no fill-in tasks, the average login cost comes to \$7,223. And people wonder why computers are so frustrating. Now imagine the cost of an expert spending 8 years dealing with ID.me. diff --git a/document/White_Paper_Cybersecurity_Legislation.pdf b/document/White_Paper_Cybersecurity_Legislation.pdf index dce1112..5c6321c 100644 Binary files a/document/White_Paper_Cybersecurity_Legislation.pdf and b/document/White_Paper_Cybersecurity_Legislation.pdf differ diff --git a/document/white-paper.html b/document/white-paper.html deleted file mode 100644 index 2a71b51..0000000 --- a/document/white-paper.html +++ /dev/null @@ -1,81 +0,0 @@ -

How experts think about safety

- -

Linear risk

-

- In this model, each term is a product of the cost and the probability that the cost will be incurred. Then all the terms are summed to get a total expected cost. -

- - - T = Σ (tᵢ × cᵢ) - - -

- Here táµ¢ is the probability of the event and cáµ¢ is the cost. As an example, consider that there is a 0.2 probability that a person forgot their password, and it will cost 900 seconds to recover it. (Here 0.2 is 20%, 1 out of 5 times). There is a 0.1 probability that a person made a typo in the user name which results in 45 seconds of time to figure out. There is a 0.3 probability that a person will type the password wrong, costing 15 seconds. There is a 0.05 probability that a person will get the password wrong 3 times and be locked out for a day, and thus a 0.65 chance that they type it correctly, taking 5 seconds to log in. -

- - - T = 0.2 × 15 + 0.1 × 45 + 0.3 × 15 + 0.05 × 86400 + 0.65 × 3 - T = 4334 seconds - - -

- Statisticians call this the expected time it will take to log in, though this specific time is not among the actual individual scenarios. After many times of logging in, the average time will tend towards this value. The reason this time result is so high is because, though it is highly improbable, it is overwhelmingly expensive to have 3 wrong attempts. -

-

- The true dollar expense depends on how much a person's time is worth and how much of the waiting time can be filled with other tasks. If it is work time, it will be one value; if it is time with children, another. At $100 an hour with no fill-in tasks, the average login cost comes to $7,223. And people wonder why computers are so frustrating. Now imagine spending 8 years dealing with ID.me. -

-

- If this login model is implemented across millions of people, one would hope the company is protecting more than the aggregate login cost per user, otherwise they are costing users more than the value they hold on the system. -

- -

Catastrophic failure

-

- When a person is sitting in an airplane, they probably hope the airline engineers were not thinking in terms of averages, and indeed the engineers were not. Instead, they planned for a very low probability of catastrophic failure. -

- - - P = 1 - Π (1 - p(tᵢ)) - - -

- Here p(tᵢ) again represents the probability that a specific failure tᵢ could happen. P is then the probability that the system will fail due to any one of the independent parts tᵢ failing. The symbol Π means to take the product. -

-

- As an example, consider a small business where a Wi-Fi password gets guessed with probability p(t₁) = 0.02, the manager clicks a scam email with probability p(t₂) = 0.10, and a thief sneaks into the back room with probability p(t₃) = 0.01. -

- - - P = 1 - (1 - 0.02)(1 - 0.10)(1 - 0.01) - P = 0.13 - - -

- There is a 13% probability that the system will be compromised. That is far higher than would normally be tolerated for a catastrophic risk. Here the biggest contributor was the human variable. -

-

- This is called the failure equation. Notice that it scales exponentially with the number of terms, making it disproportionately more difficult to drive the total failure rate down as systems grow more complex. For a small, simple computer system it is possible to reach P = 0, but even then it is exceedingly difficult. When it comes to security, small and simple is beautiful. -

-

- That scenario is unlikely to be found for a system that serves the general public. Most security engineers simply implement existing protocols. Those protocols use algorithms that we assume to be formally proven to be correct, although that is often not the case—and it is certainly not the case for common algorithms used on the Internet. Even for correct security protocols that are correctly implemented, hackers have consistently found physical ways to vary timing, monitor power consumption, or grind the tops off chips to break into systems. -

- -

The role of perspective

-

- It is typical that fraud cases act as linear risk failures from a credit card company's point of view, as they statically plan for some fraud to occur every year. However, those exact same risks are viewed as a catastrophic failure from the individual card holder's point of view. The entire purpose of insurance is to put card holders into the same boat as their card companies. -

-

- Computer security is almost always treated as an uninsured catastrophic risk situation. There is typically no contract with users—and legally there sometimes can be no contract—to make up for losses after a security lapse. -

- -

Dynamic behavior

-

- In computer security, a single failure is not treated as an isolated event; it spreads like a disease. It is assumed that once an attacker has figured out a way in, the attacker will scale that solution mechanically or sell it on the dark web. Consequently, once a failure occurs, the catastrophic failure equation changes, with a near 100% probability of repeat for the failure term. -

- -

Helps the bad guys, hurts the good guys

-

- Most security systems are breakable or bypassable in the face of extreme innovation and effort. Once broken, an organization starts adding layers of friction on its way to the Marianas Trench. -

-

- Good-intentioned users do not expend effort to break systems. In contrast, bad actors do. Thus, the trend over time is for security to severely hurt the productivity of good people, while bad actors make use of hard-won know-how to easily bypass it. -
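Review bot: In the document/A2.html hunk at -385,7, the unchanged context line after the edited sentence still says that at \$100 an hour the average login cost comes to \$7,223, which does not follow from the 4334 seconds the edited sentence quotes. 4334 seconds is about 1.2 hours, roughly \$120 at that rate; \$7,223 is what results from reading 72.23 minutes as 72.23 hours. Since this change already rewrites the neighbouring sentence, correct the dollar figure in the same commit.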
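Review bot: The worked sum in the deleted document/white-paper.html does not match its own prose, and its 4334-second result is the figure document/A2.html still quotes. The prose gives 900 seconds for a forgotten password and 5 seconds for a clean login, but the sum uses "0.2 × 15" and "0.65 × 3"; the five probabilities also add up to 1.3 rather than 1. Before dropping this file, check whether the copy of the sum kept in A2.html has the same terms: with the prose values the total is about 4512 seconds, not 4334. Also confirm that the sections removed here ("Catastrophic failure" through "Helps the bad guys, hurts the good guys") survive in A2.html or the PDF, since this diff shows only the deletion and the subject line "." gives no reason for it.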