> Everyone being surprised at the bridge collapsing needs to reconcile with the amount of force that struck the bridge ... I am also a bit surprised at how many people don't grasp this or grasp engineering, magnitude of forces and design principles.
A spokesman for CalTrans claimed today that the Bay Bridge could have taken the same hit without damage, thanks to fenders that protect all pylons for all bridges in the San Francisco Bay Area (1). Cargo ships are heavy, yes, but it appears we have the technology to prevent bridge collapses due to these sorts of collisions today.
1. "The Bay Bridge’s fenders insulated the span during the 2007 incident, so that the Cosco Busan ship struck a bumper, never hitting the bridge itself, Ney said. He noted that fenders on Bay Area bridges should be able to handle a ship traveling at 8 knots, the velocity at which the ship hit the Francis Scott Key span."
Thanks to things like planetwide bottlenecks through specific canals and locks and design of certain ports, approximately all container ships are within a couple meters of one of only a handful of size buckets, several of which are fairly close to each other besides. For example, a large fraction of the world's container ships are sized to be within a meter of fitting into Chinese port facilities and the Suez or Panama canals. Because these dimensions include the depth of the water as well as the length and width of the ship they also limit the total volume of water which is available to be displaced, which puts a limit on the total mass that can be floated. As a result, "a container ship" is actually a fairly tight and predictable specification of a ship's maximum mass!
That may be so and I appreciate CalTrans' confidence in the matter. I however would never want a similar set of circumstances to strike the Bay Bridge and have to test it.
It is a very different bridge design (assuming we're talking about the Oakland to Treasure Island portion) and it is built in earthquake country.
I'm not saying there shouldn't have been fenders or other protective measures. I'm saying that the amount of force on a direct hit that STOPPED the ship dead in its tracks - that bridge was not going to withstand it and I do question what would happen to the Bay Bridge. Again I appreciate the confidence of CalTrans to reassure the commuters but I have seen government officials express too much confidence before.
> I've found very few projects where a bit of poking can't turn up memory safety issues.
I'm working on a Rust project right now, and I'm probably one of those people who are overestimating the correctness of my code! I would love to know about what sorts of memory safety issues you often uncover.
Made it more clear in the original post that I was talking about the correctness of C and C++ code. I haven't observed any notable issues with this in Rust compared to similar languages, but I also don't have the same depth of experience building large systems in it to show me the error of my ways yet.
You are free to choose buildings with multiple stairways if that's a requirement for you! We're talking about easing mandatory regulations, allowing builders to meet demand. We're not saying that all buildings must only have one stairway.
Burdensome regulations on housing construction have caused costs to skyrocket. Minimum lot sizes, setback requirements, square footage minimums, floor-area ratio restrictions, overzealous height restrictions, parking requirements, abuse of environmental reviews, historic designations, community reviews, overzealous MFH requirements (like double-stair), below-market mandates, all have worked together to constrain supply, leading to skyrocketing costs.
It's the single most important economic issue for me. We need a nationwide effort to ease these restrictions, or we're just going to continue to see rents eat up more and more of young people's earnings.
Just curious, are there any regulations on housing you agree with? There tends to be belief that housing regulations exist to limit supply. Let's not forget that many of these encourage safety and are cost effective ways to increase the quality of life of the residents. If we take deregulation and cheap housing to the extreme we end up with shanty towns.
Environmental review, community review, and MFH standards all have something to do with safety. It's not like root comment is arguing against fire hydrants or carbon monoxide detectors. I'm just arguing not to throw the baby out with the bathwater.
We have zoning and internationally recognized building safety codes already.
Our current housing emergency happening everywhere is a pretty good indicator that we should be much more aggressive about trimming back the regulatory state which has ossified our cities.
Zoning is already pretty bad (at least in the US), and doesn't really have anything to do with safety.
In the sense that even without zoning laws, there were already public nuisance laws that wouldn't have allowed you to open a coal fired power plant next to a Kindergarten.
Zoning laws have a lot to do with safety & public health. Industrial zoning is far away from residential because factories produce pollution.
Edit: Some parts of zoning law have to do with safety/health. Some parts don't. Some parts are about more than one thing.
When I was growing up there was a chemical fire in a factory in town. People were evacuated. Luckily, very few homes were evacuated because zoning laws kept homes far away from the factory. The residential area that was evacuated was low density.
The point I'm trying to make is that there is some value in some of these rules.
Pollution laws protect against industrial operations polluting other areas, not zoning.
The real "pollution" that zoning was invented to solve was the "pollution" of residents of apartments living close to wealthier people. Seriously! Check out how the original Supreme Court decision phrased its motivation:
> “very often the apartment house is a mere parasite, constructed to take advantage of the open spaces and attractive surroundings created by the residential character of the district …. interfering by their height and bulk with the free circulation of air and monopolizing the rays of the sun which otherwise would fall upon the smaller homes.”
Here's a more extensive analysis from an org purporting to represent real estate, the source of much historical support for this sort of exclusionary zoning:
Usually when people discuss zoning it excludes things like industrial zoning and focuses on single family zoning vs multi-family zoning. In this case, yes, zoning needs to be deregulated. Zoning for housing should be zoning for housing and whether it is single or multi family shouldn't matter. But we should keep the industrial zoning from being put next to an Elementary school.
However by and large, the value that would be provided by zoning is already provided (and used to be provided) by other rules not falling under the bucket of 'zoning'. Especially not 'Euclidean zoning'.
No reason. Countries like Japan have reasonable zoning, meaning industrial uses are separate, but commercial and residential is largely interspersed. Which is great!
Side answer. This kind of regulation lifts GDP by mandating some sort of economic activity. A barber in a room in his house means less rental, less money for commercial real estate company, less money spent buying "commercial" chairs and commercial chemicals. And thousands of other things I can't even fathom as the scope of this problem is huge and so intertwined with all other economic activity.
That's easy: your barber operating a business out of his house will result in customers coming to your neighborhood, and that might bring "those people" around, and we can't have that.
That's ridiculous. Those people can't even get to the neighborhood because the residents have gone out of their way to eliminate public transit (which is for poors).
It's all relative. Plenty of poorer people have cars, but instead of $150k cars, they have cheap-o $25k cars. We can't have those kind of people in our neighborhood.
Here in Singapore, we only have about 1 million licenses for cars total. They are auctioned off to the highest bidder.
So there are no cheap-o $25k cars. (The car itself might be cheap, but you need the license to run it.)
My description in this context is a bit tongue-in-cheek, but this is actually a great system given the limited road space we have here. And auctioning off the licenses is about the most economically efficient way to allocate them.
Here in Tokyo, they do things a little differently (and pretty sensibly I think): you simply can't own and register a car in the city unless you have a place to park it. So you have to get some kind of proof from the police showing they've certified you have a parking space that will fit the car, and they come out with a measuring tape to check too, based on the car's actual dimensions. So if you can afford a parking place, you can own a car. Otherwise, no. So car prices are subject to market forces and not artificially constrained; the constraint is the actual land area available for parking, and that's subject to market forces too, since it could be used for something else like a building, so parking tends to be expensive.
> Our current housing emergency happening everywhere is a pretty good indicator that we should be much more aggressive about trimming back the regulatory state which has ossified our cities.
That isn't true though. Our housing emergency is limited to places that are growing and thriving. There isn't a housing emergency in Detroit or much of the midwest for example, just not many are thrilled about moving to those places (or want to leave them as soon as possible).
Those places that don't have housing emergencies generally have just as bad regulations, and would have the same problems the instant they became appealing enough to move there. Eventually you run out of built out sprawl.
> Those places that don't have housing emergencies generally have just as bad regulations, and would have the same problems the instant they became appealing enough to move there.
If American population was equalized across these other cities, there would be less pressure on the few hot places everyone wants to move now, since our population isn't growing so much these days.
> Eventually you run out of built out sprawl.
Manhattan is not a sprawl and a very desirable place to live, with super high rents to boot. Hong Kong, Seoul, Shanghai, and even Tokyo are the same, so I'm not sure what you are trying to claim here. Out of all those, only Tokyo does well, but that wasn't the case in the 80s and is on the basis of a moribund economy and a not growing national population (one wonders when Seoul and SH will follow). IF you want to solve your housing emergency, limit growth in some way (or at least, make sure residents don't have as much money to bid up housing).
>Manhattan is not a sprawl and a very desirable place to live, with super high rents to boot. Hong Kong, Seoul, Shanghai, and even Tokyo are the same, so I'm not sure what you are trying to claim here.
Those cities are actually impossible to have in America (yes, including Manhattan), because of zoning laws and various other laws. Manhattan is only allowed to exist because it's grandfathered in and the local laws allow it. Such a city could never be built anywhere else in the US without some huge changes in legislation (not to mention local culture, since that drives the local legislation).
>IF you want to solve your housing emergency, limit growth in some way
Tokyo works because growth isn't limited: it's very easy to build here, unlike in the US. Tokyo builds hundreds of thousands of new housing units every single year, while the US struggles to build any. This is entirely because of regulations.
How many are they tearing down to rebuild? Buildings only last ~20-30 years in Japan, so a lot of those are just replacing something that was torn down.
> Out of all those, only Tokyo does well, but that wasn't the case in the 80s and is on the basis of a moribund economy and a not growing national population (one wonders when Seoul and SH will follow).
Japan's economy is growing again (Nikkei is now at the level it was in 1990) and Tokyo's population has always been growing.
…but the rent isn't, because they allow infill development.
Your argument doesn't really make sense because the problem isn't lack of houses or apartments, there's plenty of places to put everyone. The problem is one of affordability. The costs of stuff that already exists and has existed for ages isn't really tied to the current cost to build, even if we buy the specious argument that all regulation raises costs and those costs are inevitably passed directly to tenants.
Supply and demand sets rents. You can rent perfectly good existing houses cheap in rural areas. Nobody wants to live there.
There is no reason to think there is enough room for everyone who wants to live in San Francisco, and statistics prove they have not been building much. Meanwhile in other states we find areas of demand where housing is not expensive. Where I live you can rent one bedroom apartments for under $1000, move in won't be until spring as the building is still under construction. The owners are planning on starting the next building when this is done. That is what allowing building does.
Real estate has very distributed ownership and none of them are motivated to form a cartel.
The only way they can maintain one is through legal force. Zoning laws are almost entirely that force; they're a way to establish a cartel of homeowners.
This is just factually not true. There are plenty of empty homes, apartments and condos to house everyone. There are many units kept empty rather than lower prices. It is a myth that supply and demand sets prices.
There is also the effect of rich people needing a place to stash money and not wanting to bother with tenants
Housing activists in Melbourne have been campaigning about that for years now
I did not believe that was true until I stumbled on it happening. A rich lawyer, a salary far too big to spend, so they collected (empty) houses. They did not care about cash flow
A tax on empty houses in areas with accommodation shortage at worst cannot hurt and at best could free up a lot of accommodation
Side setbacks absolutely have an effect on fire safety (a greater distance gives less propensity to ignite the neighboring building and provides access with which to fight the original structure fire).
Front setbacks and lot area coverage ratios have a more minor version of this same effect from fires across the street. It takes a pretty good sized fire to ignite the building across a street, but as density increases and more of a lot's area is able to be covered with structures, the chances to get a pretty good sized fire going do increase.
> Side setbacks absolutely have an effect on fire safety
Sure, but is the benefit worth the cost? Manhattan and denser European cities without those haven't burned down since we fireproofed building materials
Ya. My setback is 3 feet, definitely just a margin for fire safety. I wanted to put an awning in but couldn't because it would be too close to the fence of my property boundary (I live in a town home that abuses the 3 foot setback to maximize living space).
I have minimum lot size of 5 acres. Can't see the wisdom in that one. I also have a minimum square footage size. $20,000 impact fee just to build a house and I receive no utilities or city/ county services.
I wish more than anything we could legislate the fee structures backwards. If the government wants an environmental impact study then the government is footing the bill for it. Putting it on the builder is stupid and just a way of hiding the budget item in other people's wallets.
Any feedback brought up in a community review is on official record. I have witnessed safety concerns being brought up in community review multiple times that caused changes to the building plan. In one situation it was a very serious concern about blocking fire truck access to an elementary school.
The code doesn't catch anything. People catch violations of the code. Community review is a place people can point out code violations. It's actually extremely embarrassing when this happens to a developer.
Buildings get built with infractions all the time. With the MFH buildings it's actually a point of law to see who gets stuck with the liability -- the person that built it or the person that bought it.
In practice, the <environmental stuff> has mostly been used by non-environmentalists to delay development they simply don't like. (This one has to do specifically with CA, but it's not the first time I've seen this complaint.)
"Projects designed to advance California’s environmental policy objectives are the most frequent targets of CEQA lawsuits: transit is the most frequently challenged type of infrastructure project (edging out challenges to both highways and local roadways); renewable energy is the most frequently challenged type of industrial/utility project; and housing (especially higher-density housing) is the most frequently challenged type of private-sector project."
"Our study found repeated examples of intentional efforts to cloak the identity of CEQA litigants behind environmental-sounding names of fake and even unlawful “associations.”"
I'm clueless on the subject and don't intend to argue the point, but it struck me that the metric that article consistently uses is one that almost guarantees the results: It's not surprising to learn that the categories that have the greatest amount of activity by far are the ones with the most CEQA challenges.
The point would be much stronger if it was made in terms of the rate of challenges for various project types rather than in terms of frequency of CEQA challenges being that kind of project.
The assumption I'd draw from that, being ignorant of the subject, is that the argument is unsupportable on that more reasonable basis.
From what I've seen of environmental review laws, they mostly just have to do with noise and construction nuisance. Whereas community review is mostly about aesthetics. I don't think these are the tools designed for safety.
It is all about the scenario where you die in a single stair where the second stair would have saved you being probably non existent in c21. Especially as you will have fire doors.
I reckon single is safer: no decision to make as you exit.
Even our wood has so much fire safety chemicals baked in now that it's not nearly as flammable as it used to be. The safety standards should be reevaluated. Plus, I'm sure that there are some developers who would happily build the whole MFH out of concrete if it lets them only use a single stair.
Concrete construction is expensive in the states, although I'm not sure why. 4+1s are common here in Seattle: first story is concrete and commercial, 4 stories on top of that are wooden (we also have the more liberal stair requirements, so I'm not sure what is really going on).
Concrete construction is the common way to build in China (and anywhere in Asia sans Japan), but the techniques they use require a bit of overbuilding and limit their towers to around 34 or so stories. Still, they have two stair cases side by side in those buildings (but I guess given the height, they need them by Chinese fire code standards).
>Concrete construction is the common way to build in China (and anywhere in Asia sans Japan)
Concrete-reinforced steel is absolutely common here in Japan. Wood is used for single-family homes, though, but anything larger is generally concrete+steel.
>but the techniques they use require a bit of overbuilding and limit their towers to around 34 or so stories.
Modern condo towers around me here in Tokyo are frequently 50 stories AFAICT. And that's with extremely strict building codes for earthquake protection. I can't tell you about the stairs though, as I don't live in one.
I was in Tokyo recently and didn’t see much tall building growth, maybe I didn’t go to the right neighborhoods.
China leveraged construction techniques that use unskilled and lower skilled migrant labor, so building height is limited. Other countries that import Chinese and Indian to build (like Singapore) get similar limitations.
We don't really have shanty towns in the states. We definitely don't have a Kowloon Walled City, which is an example of what can happen when no regulations are involved (and somewhat remarkably not burn down and kind of thrive even if still a slum).
Hong Kong is super dense and super expensive, Shanghai is similar, but at Mainland Chinese prices. I'm all for density, but anyone who thinks that density alone solves affordability issues simply hasn't traveled enough.
Tent cities != shanty towns. Shanty towns are like semi-permanent buildings, tents are just...tents you buy at REI and then set up at the park with your stuff. We had one nearby my house at the Seattle Ballard commons that lasted during COVID (and is gone now). I wouldn't have called it a shanty town like I saw in the Philippines.
Maybe it's OK if some housing is less perfect and closer to a shanty town. I'd rather live in a shanty town than a cardboard box under the freeway. If nobody wants to live in the "shanty town" nobody will move in and no investor will want to build another one. I sometimes think that the provocative way of putting all this is that we need more slum lords. They filled a need.
> If we take deregulation and cheap housing to the extreme we end up with shanty towns.
That's possible, but, considering that all the most expensive places in this country were developed in the very way this article is advocating, I'm going to label it as improbable.
Many amongst my friends and family think I'm a bit crazy living in the inner city, but the truth is my equity has skyrocketed, and will continue to do so. Urban dwellings are in high demand. Given that many of these same urban dwellings are illegal to construct now / prohibitively expensive, we've handicapped the ability of the market to meet demand.
I used to look at buying a 60+ year old condo/coop on the west coast, until I looked at the earthquake statistics and safety standards of brick multistory buildings. Now I know why the newer steel buildings cost 2-6x the old brick buildings in the same neighborhood.
I have been to many city council meetings. Stymieing population growth is an explicit goal. The speakers tend to perceive harms from more people as opposed to pure misanthropes.
e.g. "More people creates more traffic so we should prevent housing to prevent people"
Although, I cannot see their true intents. It is possible the speakers do dislike people, which is not politically popular. Expressing their desire requires making up other tangential causes. Hidden agendas create engineering confusion. If the goal was truly to manage traffic, an engineer would suggest better bus routes.
Physical safety (structural integrity and fire safety), noise transmission and ventilation. I think regulations around these 3 aspects can help more than they hurt. Beyond these items, I would be skeptical.
If it makes you feel any better the oldest streets around here are wider than newer ones, because they had to be able to turn a wagon with a team of horses.
This was the seed that destroyed the American city. Roads were humongous 100 years before the car was invented. It was fine, a buffer for the smoke and filth of the industrial city, but still multipurpose, accessible. Once cars started driving on these huge expanses, it turned every city street into a highway; dangerous, polluted, noisy, pushing out other uses, ...
Having streets unable to be accessible by fire response vehicles doesn't seem like a good idea. What would be the alternative here? (genuine question, I'm not from the US)
Indeed, this is a thoroughly solved problem thanks to countries like Japan where urban planning typically allows meandering networks of narrow, pedestrian-friendly streets.
The more rural you get, the more likely it is that the fire trucks have been purchased secondhand from urban fire departments that can afford to buy new equipment prior to the existing equipment literally falling apart (I've got an extended family member that runs the fire service for an entire county in a western US state, and often see him when he stops at my house while driving new-to-them equipment from the east coast).
You've also got a lot of volunteer departments where each firefighter keeps their equipment in their own personal vehicle.
Why firetrucks in the US are so large is a good question. In the spirit of Chesterton's Fence, I'd assume that there is a good reason until proven otherwise.
That's utterly impossible. It's the same reason America can't have public transit: since it doesn't make economic sense in small remote towns of 200 people, then it can't be done in huge cities. I can't explain the logic, but this really is how most Americans think.
Europe has wildfires and rural areas. How will a large fire truck help you when a wood house is burning? Being grotesquely large doesn't mean they put the fire out faster.
Hm.. couldn't a fire engine be driven in reverse? It could have an emergency driver's wheel in the back. I have seen crane trucks driven with a joystick from outside the vehicle, so it doesn't seem impossible.
We can make them turn 360 degrees like the electric G-Wagon. If upgrading the fleet of firefighting trucks to do so costs less than the value brought by tighter spacing of homes, it’s worth it.
Well, you can learn from other parts of the world, instead of coming up with solutions from scratch. (But yes, if nothing else your solution would probably work.)
If you time your upgrade to the fire engines with when you naturally would want to renew them anyway, then it doesn't really cost much extra.
A lot of these zoning changes lower the already low barrier for multinationals to build, but do nothing for actual families. I'm presently surrounded by hundreds of empty units priced out of reach because these companies are illegally colluding to fix the price. They may claim ignorance and try to launder responsibility through a series of tech products, but at the end of the day the rent is high where I am because of price fixing.
It has to do with the company's balance sheet - their list of assets which they use to borrow money.
If they have 1000 units that they say are worth $1 million each, they can borrow from banks as if they are sitting on $1 billion of assets.
If they sell one of those units at $500K, they now look like they have $500 million, which not only impedes their future borrowing but can trigger obligations to their current lenders.
It would be surprising if they can just not sell things because they're too expensive, and then borrow based on that too expensive price. Why not just have a single one and price it at $1bn?
They're maximizing revenue by operating at a lower quantity and higher cost. This is microeconomics 101. People get driven out of urban areas where there are good paying jobs. In an ideal market this should be undercut by competition. In reality all available housing in urban areas are owned by large corporations all using the same price-setting backend. This is an illegal trust supercharged by the internet and globalization. It's an international Pottersville rapidly sprung from nowhere. So no, big corporations don't need more government handouts to do more of the same. Incentives for not-profit-driven entities (such as humans seeking secure housing) should be given.
How is double stair MFH overzealous? I can’t control if my neighbor blocks the stairwell with a couch that gets stuck while he’s moving in and now I have no egress if my other neighbor starts a fire.
I’m in favor of greater freedoms, and the freedom to choose a single stair MFH if I want.
A couch and a fire and that couch can't be pushed over or jumped over... That's quite a contrived scenario. I suspect that most of the improvements in the fire safety record of apartment buildings have to do with other factors like materials used, fireproof stair doors, etc etc. The reason I think the two stairs don't do much is that first world countries exist outside North America, they don't have this rule, and their fire safety is just as good or better than ours.
Same reason I'm extremely skeptical that our fire trucks need to be so grotesquely large, despite what the fire departments claim. If there were no countries with a good fire safety record outside North America, like sure, okay, maybe. But they're just as good or better at fighting fires in Europe, and manage to do this with human sized trucks that don't require extremely wide streets, wide turn radiuses, and aren't nearly as deadly for pedestrians as a result. Thanks for existing, Europe, Japan, South Korea, Taiwan etc! One day we'll accept that you do cities, building and engineering better and just copy you.
If you have mobility issues that prevent you from exiting your building easily then you can move somewhere else. We don’t need to make every apartment building in the country more expensive for this extremely specific scenario.
I can go up and down unobstructed stairs without any issues, but I have back problems which keep me from doing heavy lifting and I'm in no condition to jump or climb over a sofa in the middle of a flight of stairs.
The real problem here is expecting people to be able bodied enough to deal with a lack of alternative exits when someone in the same building inevitably is careless enough to start a fire.
>A couch and a fire and that couch can't be pushed over or jumped over... That's quite a contrived scenario. I suspect that most of the improvements in the fire safety record of apartment buildings have to do with other factors like materials used, fireproof stair doors, etc etc.
I suppose you also think it’s silly for flight crew to confirm people sitting in the exit row are able and willing to help in an emergency.
Couldn’t you just push them out of the way or jump over them?
> I can’t control if my neighbor blocks the stairwell with a couch that gets stuck while he’s moving in and now I have no egress if my other neighbor starts a fire.
That is an extremely specific situation!
> How is double stair MFH overzealous?
There is a cost to every regulation. The cost to this one is that housing is more expensive for all Americans. Stress, poverty, and homelessness all lead to negative health outcomes. Taken as a whole, those negative outcomes may very well outweigh the fire safety benefits of double-stair (which have never been proven to exist).
> I’m in favor of greater freedoms, and the freedom to choose a single stair MFH if I want.
> But I don’t want.
Right, so it sounds like you are in favor of removing the double-stair regulation?
Good point. Why do we even bother with two-lane roads and a double yellow line? Such a waste of space. Very contrived to presume there is always a car coming the other way
You're comparing a situation that happens all the time (opposing traffic) with one that happens extremely rarely (blocked stairwell in a fire). If anything, you're strengthening my point.
We should design for situations to a level that is appropriate given their frequency and severity. Show me evidence that MANDATING the extra stairwell justifies the huge increase in national housing cost, and I'll concede.
Sorry, but the only thing that will change my mind is a significant casualty difference between single stairwell and dual-stairwell buildings accounting for building age, construction type, property value, and occupant demographics.
I just don't think it would really help that often. It is not the stairwells that are burning, it is some apartment on a floor below. Your problem is going to be smoke and visibility, not some couch blocking the stair. If those stairs are connected, you will most likely have smoke everywhere and will have no clue if one stair is safer than the other.
That doesn't help you because another neighbor is moving out and blocking the second staircase with another couch. This is the reason why you should have three staircases and only two neighbors. Though a problem arises if a neighbor is able to block a staircase and start a fire at the same time. That has to be checked beforehand.
We should require two stairs for single family housing as well.
The elderly and disabled will also need to get furniture up stairs. Not to mention that the housing shortage forces more people to share a house with strangers.
>Not to mention that the housing shortage forces more people to share a house with strangers.
Or, you could just build more housing... And stop insisting on so much living space while you're at it. Here in Tokyo, no one lives with strangers, even if they get minimum wage. They can still afford an apartment by themselves, though it'll be a very small apartment that's certainly illegal to build in America.
> Burdensome regulations on housing construction have caused costs to skyrocket.
How much have costs increased, and what tells us that it's regulations, not many other causes?
Also, which regulations? Some are more valuable, some less, and inevitably some will misfire. I'm not just going to trust real estate developers, who have their own interests, to meet other needs.
> below-market mandates
I'm not sure we need more high-end development - those tenants have plenty of options.
> community reviews
In cities, new buildings can impact a community for a century. They should have a say, not just a developer from another city.
The entire article is on the prohibition of single stair multi-family residential.
> I'm not sure we need more high-end development - those tenants have plenty of options.
This is silly. When car makers couldn't make enough cars in 2021 and the price went up, was the solution to ban making new cars? Should we have prohibited making cars with fancy trim? Having enough housing for everyone is the only way to make sure affordable housing exists.
Cities have seen plenty of high-end housing built (afaik), and yet there is still a lack of affordable housing.
Building more expensive homes doesn't seem to increase availability of affordable ones. The idea that it would seems to be another 'trickle-down economics' theory, the one from the 1980s that if we help the wealthy get wealthier, the benefits will 'trickle-down' (turns out, only the first step worked). Reasonably, wealthy people don't see poor housing as an option, though there is gentrification.
> When car makers couldn't make enough cars in 2021 and the price went up, was the solution to ban making new cars? Should we have prohibited making cars with fancy trim?
Making expensive cars wouldn't seem to result in many more affordable ones.
> This is silly.
An aggressive assertion that you aren't thinking, and aren't willing to.
> Cities have seen plenty of high-end housing built (afaik), and yet there is still a lack of affordable housing.
They permit office space for more workers than bedrooms. A big clue: pandemic aside, commutes get longer every year.
> The idea that it would seems to be another 'trickle-down economics' theory, the one from the 1980s that if we help the wealthy get wealthier, the benefits will 'trickle-down' (turns out, only the first step worked). Reasonably, wealthy people don't see poor housing as an option, though there is gentrification.
I see you're versed in the left-NIMBY lingo. No, 'trickle down economics' was an excuse for the wealthy to pay lower taxes. When fancy new housing is built, the property taxes are higher.
> Making expensive cars wouldn't seem to result in many more affordable ones.
I think you're intentionally missing the point. The price came down when more cars could be manufactured.
Err, I just enumerated many regulations I have a problem with in the very post you quoted, and evidence is pretty strong that it's the combined effect of all of those regulations that results in higher costs. [1] I realized I left off overuse of exclusively single-family zoning, which is the worst offender. [2]
> I'm not sure we need more high-end development - those tenants have plenty of options.
Evidence is strong that market-rate construction causes richer residents to exchange their current unit for a higher-end unit, opening up supply at the lower end. [3]
The problem with BMR requirements is the increased costs borne by developers, who have to offset those increased costs by charging more for the market rate units. There's a limit to that market, so fewer units are constructed than otherwise would be. Middle class families are especially worse off, as they neither qualify for BMR lotteries, nor earn enough for the rapidly accelerating market-rate unit. [4]
Further, rents are lower in states that disallow BMR mandates (like Texas) than those that have BMR mandates (like California).
I don't know anyone starting a family happy with the situation. Most people I know are moving to suburbs only because they can't get 3 bedroom apartments in cities. If MFH's became broadly available I think many new families would flock there.
Troy Hunt is such a treasure. And for us web application developers, there is no excuse for not having protection against credential stuffing! While the best defense is likely two-factor [1], checking against Hunt's hashed password database is also very good and requires no extra work for users!
I don't have anything to back this up, but my guess is that the vast majority of compromised user accounts comes from credential stuffing/password re-use. It's really surprising to me when I hear that huge companies don't do this check.[2] It's simple, easy, takes about a day to set up.
If you're a young CTO or early-stage engineer working on a web app and have never been targeted with a credential stuffing attack, let me tell you: It's coming! It's just a matter of time before it's 1AM and your phone blows up; your site is getting hammered; you think it's DDOS, but then realize most of the hits are on your login page, and then realize with a horrible feeling that some % of those hits are getting through the login page. You'll be up all night dealing with it, and then you have to make breach notifications, and that really sucks.
Troy Hunt's free database will save you that heartache (probably). Just do it.
About a decade back, I was at an event that had an FBI employee presenting. During his presentation, he had mentioned a story of a sys admin who had been arrested for taking a hashed PW database in his company, comparing the hashes against known compromised ones (perhaps from haveibeenpwned?), and forced a password reset for everyone who had reused a password that had separately been compromised and sent an email to each employee explaining this.
One of the employees was apoplectic at the actions of the sys admin and had accused him of violating her privacy by doing this. While I do not recall which party initiated legal action against the sys admin that led to his arrest (i.e. the employee or the company), the bottom line of the story was that the FBI employee (and, by extension, whichever judge was involved in adjudicating the case) considered the act of a sys admin accessing password hashes placed under his care to be a criminal breach of privacy regardless of his intent being to improve his company's security against password stuffing attacks.
Assuming the FBI employee didn't just make the whole thing up (which I have no reason to believe - there are a lot of tech-stupid judges and, especially a decade ago, tech-stupid FBI employees), it might be prudent to pass this by your legal team before checking for password hashes for your employees being in haveibeenpwned.
The FBI feeds data into Troy Hunt's database and FBI Director Christopher Wray gave Troy Hunt a medal for his work [1].
The Open Web Application Security Project's Application Security Verification Standard recommends that you do a hashed password check [2].
For bigger companies, sure, go talk to legal, but for young startups, my feeling is it's not worth the $200 or whatever your counsel will charge to say it's ok. I personally did not ask anyone (am cto), I just added the check.
The whole situation did seem pretty exceptional when I heard it and I felt like I was being exposed to an alternate reality where lawyers made security worse for everyone.
That said I struggle to believe the sys admin had competent representation.
It is worth it, that $200 dollars gives you lots of credibility to stand on if something should arise and you need to prove diligence, which is not at all uncommon in these cases, if legal recourse is ever sought (unlikely if you do it from day 1, I think, but nevertheless).
Besides legal, I think it's important to realize that there is a very emotional response to discovering that your password is not good.
I know a company that started doing quarterly brute-forcing of passwords as a security check and the reaction to finding out that your password is not strong enough is....all sorts of emotions.
If you have a 10-12 character password that may have been strong at one point but now is not and your IT team is informing you, your reaction is NEVER, oh thank you for helping me out. It's not stupidity, it's human nature to feel attacked.
As part of fixing security problems 20+ years ago we put together a migration process that included cracking passwords. First off we created an interface for updating your password and that interface essentially ran through all the tests that the cracking software did to better ensure you'd picked something good. Passwords were expired every 90 days (remember, this was 2001). The migration first set the expiration date so that people got used to the process and then, on occasion, we'd run the passwords through a brute force attack. To your point, the users were most unhappy when their password would get cracked and expired, but that's life.
2FA, keys, etc.. is really an improvement over what we've had for such a long time.
When a 12 character password gets bruteforced, my initial reaction is to blame the system for allowing so many password attempts!
Like imagine how many failed attempts must've happened for a 12 character password to get bruteforced. Alarms should have been raised way before it became an issue.
The password doesn't get brute forced via an API. The threat model would be more like your salted and hashed passwords got exported and now they can be brute forced. A 12 character password in the DB can be brute forced in seconds or minutes. If your password is strong it will take years or millennia.
That's what haveibeenpwned.com is about. It tells you if your email is in one of these database lists out in the wild. If it is, assume your password will eventually be discovered.
What if it was a crappy 12 character password like 123456789012 and got bruteforced in 2 tries?
Also, at one point it was popular to use l33t speak for passwords so there are many crappy 12+ char l33t passwords floating around that are trivial to guess, no brute forcing required.
> sys admin accessing password hashes placed under his care
Parent commenter never mentioned anything about comparing stored password hashes. What you do is block bad passwords at password set time by hashing the prospective password and comparing with HIBP. A prospective password you haven't accepted or stored or transmitted off the application server - common sense says that's not a privacy violation - and many giant companies including my employer do this routinely.
[Edit] Oh yea I remember HIBP has an online API. Don't use this. Take the HIBP dumps that they make freely available and compare locally. If not for reasons of privacy, for reasons of simplicity and removing an unnecessary external business/legal/software dependency.
> Oh yea I remember HIBP has an online API. Don't use this.
That's not the greatest advice IMO. The API gets updated data more frequently, doesn't require that you transmit the password or a useable hashed form, and it's dead simple to consume. I'd argue that it's more effort to maintain an internal store and synchronization infrastructure, and you're less likely to accidentally breach anonymity and leak a weak hash by using the API than you are rolling your own query against the raw data.
It's also used by hundreds of bigcorps and government agencies who have way more pedantic lawyers than you're likely to have. If they couldn't find a good reason not to use it I doubt yours will.
Those are good arguments for using an online service. But your conclusion is premature and certainly cannot be made blanket like that in favor of using the API.
Just as many arguments can be made for an offline check. Or against an online check. From added latency via required uptime to added dependencies.
Be satisfied with fixing the new passwords going forward. Or gracefully force a new password for everyone, if circumstances permit that (circumstances including decision making authority; if you are the new CTO or CISO, and you're paranoid about reviewing the existing hashes, you should strongly consider the batched graceful forced reset!)
You can set a flag on login to use the password in memory rather than stored.
That's how you get the whole company to love you as a new CTO - force everyone to change their password, including people who have a strong non-reused password.
We’re evaluating different options in this thread. The right move is based on the circumstances and your judgement. I would support a new leader with the courage to close a security hole, maybe respect them even if I don’t love them.
By the way, I don’t feel paranoid to flag bad passwords on login (perhaps triggering an email OTP and forcing a password reset), personally. I responded to this thread because a commenter made an unfounded implication about using HIBP data to reduce vulnerability to credential stuffing.
Would it matter which hash function was used to create the password database?
But there's more than just the issue of discovering the password itself.
What about the issue of discovering that a particular password hash comes from an employee at a certain company?
As I understand it, Troy Hunt downloads dumps of stolen passwords. He does not share the dumps. Instead he collects queries, like a search engine. Until people start sending him queries of hashes to check he does not necessarily know the locations of the people whose passwords were stolen.
However if he gets a series of hashes sent from some IP address belonging to a particular corporation, then arguably he now knows these are likely to be passwords belonging to employees at that corporation.
This is true. The story as written probably didn't happen with HIBP's database. Troy Hunt's database only includes SHA-1 hashes, and passwords in your own database will be hashed with a stronger algorithm (hopefully) and salted (hopefully), so you can't do a simple hash-to-hash comparison. The way to do a HIBP check is, when a user signs in, you hash their password in the way HIBP expects, and check that against either their API or against a local copy of HIBP's database, and if a hit is returned, you give them a nice message and direct them to the password reset flow. There's no easy way to use HIBP's data to identify users with compromised passwords until users actually try to log in.
Unfortunately I have no source to give. The FBI employee was just giving an example of illegal behavior he knew of. He didn't cite jurisdiction or the names of people involved. Hell - even if he did, I likely wouldn't have remembered it as this was roughly 8 years ago I was in the audience for this (I know I said roughly a decade ago in my prior post - but I checked a receipt for the event and it was in 2015).
"In July 1995, Schwartz was prosecuted in the case of State of Oregon vs. Randal Schwartz, which dealt with compromised computer security during his time as a system administrator for Intel. In the process of performing penetration testing, he cracked a number of passwords on Intel's systems. Schwartz was originally convicted on three felony counts, with one reduced to a misdemeanor, but on February 1, 2007, his arrest and conviction records were sealed through an official expungement, and he is legally no longer a felon." -- https://en.wikipedia.org/wiki/Randal_L._Schwartz
Important aspect: he had been fired and cracked passwords while no longer an employee, to try to get rehired:
"Rather ill-advisedly, the Perl-programming guru (who's written several books on the subject) tried to prove his worth by running a password cracking package after he'd left in order to produce evidence that security practices had deteriorated since his departure. Instead of re-hiring Schwartz, as he hoped, Intel called in the police and he was charged with hacking offences."
Really hard to believe without anything else to go by. This sounds like old wives tales like people that add disclaimers saying they aren't lawyers when they comment on the internet because someone once told them they heard someone got in trouble.
Does it sound that unbelievable for the 2010s? There was quite a discrepancy between how the internet/computers were generally being used and the legality.
Like https://www.eff.org/deeplinks/2016/07/ever-use-someone-elses...
> Last week, the Ninth Circuit Court of Appeals, in a case called United States v. Nosal, held 2-1 that using someone else’s password, even with their knowledge and permission, is a federal criminal offense.
Jobs can ask if you have ever been arrested outside of CA. (Note: not convicted of a crime).
Also you are going to spend a long time being arrested before the appeal goes out.
"In California, a criminal appeal can take several months to several years. The length of time depends on the complexity of the case and how quickly it moves through the appeals process."
Well this unlocked a new fear I didn't know I needed to have. I suppose this is the massive drawback to allowing dinosaurs to spearhead policy and govern laws.
For what it's worth, the average tech-smarts in the legal realm and within the FBI are significantly improved compared to 8 years ago. This is just from my personal observation.
That said, there are still tremendous gaps yet to be bridged with the understanding of many prosecutors and lawyers as well as weird applications of the law that aren't intuitive to people whose life is technology.
For example (and I caveat this with IANAL): Did you know the physical medium you get Internet to your house determines what laws and processes the government can use to monitor your Internet traffic?
>Did you know the physical medium you get Internet to your house determines what laws and processes the government can use to monitor your Internet traffic?
That I did know, only because I was dumb enough to hitch my wagon to Comcast/Xfinity as a headend tech for years. Just affirmed the idea that all ISPs should be community owned.
From my (non-lawyer) understanding, if you have a coax cable connected to a cable modem providing Internet to your residence, your privacy is governed by https://www.law.cornell.edu/uscode/text/47/551
Other means of Internet getting to your residence is covered by Title 3 of the ECPA which, historically, Feds have played fast and loose with getting data from.
I certainly believe a user was upset by it. We've gotten support tickets before from users accusing us of "snooping on their local machine" to find passwords... Like no, it was just in a breach, relax.
They're often now upset they've been called to task so it's just hard all around.
Hmm. Interesting. Shitty outcome if true, but AD/Azure AD has an extension (3rd party if I recall) that automatically checks for breached passwords and lets the user know and forces them to change their password.
I'm pretty sure the password manager in Safari also checks this db, as I've been warned that some passwords have been discovered in breaches (even going back to the linked in breach).
>> Why are good deeds punished so much by authorities?
The problem can be "who defines good deeds?" There are so many things which seem good when presented one way, but can be harmful when viewed another way. Obviously, as presented above this seems like "an obvious good", but context matters, and clearly you don't get the whole context from a one paragraph summary.
Ultimately we have civil structures (government at every level) that try to codify "good" and "bad". Life is seldom that clean though, so inevitably every regulation and law is good for some, bad for others.
So, to answer your question, because "good" and "prosocial" are not universally true.
Besides 2FA, rate limiting your login endpoint (both by IP address and username) is a much more robust protection against this attack. Especially if you include temporary bans (e.g. “20 failed login attempts with the same IP, and/or same username, in the past minute = 15 minute ban for that IP and/or username”). A lot of API gateways, K8s ingresses, etc. make this dead simple, and if not it’s also super easy to add with a few lines of code and something like Redis to store counts of recent login attempts.
I do think checking against the HIBP DB is a good call too, but it doesn’t stop this attack overly well, rate limiting is a much better way to stop it.
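The rule in the comment above (20 failed logins from one IP or for one username within a minute earns a 15 minute ban), written out as an added example; it is not any commenter's code. An in-process dictionary stands in for the Redis counters the comment mentions, and the class and function names are hypothetical.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 20        # failed attempts allowed per key ...
WINDOW_SECONDS = 60      # ... inside this sliding window
BAN_SECONDS = 15 * 60    # length of the temporary ban


class LoginThrottle:
    """Counts failed logins per IP and per username, independently.

    Assumption: state lives in this process. A multi-server deployment would
    keep the same counters in a shared store such as Redis.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock                      # injectable so tests can move time
        self._failures = defaultdict(deque)      # key -> recent failure times
        self._banned_until = {}                  # key -> ban expiry time

    @staticmethod
    def _keys(ip, username):
        # Normalise the username so "Alice" and "alice " share one counter.
        return (("ip", ip), ("user", username.strip().lower()))

    def is_blocked(self, ip, username):
        """True if either the IP or the username is currently banned."""
        now = self._clock()
        blocked = False
        for key in self._keys(ip, username):
            until = self._banned_until.get(key)
            if until is None:
                continue
            if now < until:
                blocked = True
            else:
                del self._banned_until[key]      # ban has expired
        return blocked

    def record_failure(self, ip, username):
        """Register one failed attempt against both keys; ban at the limit."""
        now = self._clock()
        for key in self._keys(ip, username):
            recent = self._failures[key]
            recent.append(now)
            while recent and recent[0] <= now - WINDOW_SECONDS:
                recent.popleft()                 # drop failures outside the window
            if len(recent) >= MAX_FAILURES:
                self._banned_until[key] = now + BAN_SECONDS
                del self._failures[key]


def attempt_login(throttle, ip, username, password_ok):
    """Gate one login attempt. Successes deliberately do not clear counters,
    so one valid account cannot be used to reset an IP's failure count."""
    if throttle.is_blocked(ip, username):
        return "blocked"                         # the password is never evaluated
    if password_ok:
        return "ok"
    throttle.record_failure(ip, username)
    return "failed"


def replay(throttle, attempts):
    """Run (ip, username, password_ok) tuples and tally the outcomes."""
    tally = {"ok": 0, "failed": 0, "blocked": 0}
    for ip, username, ok in attempts:
        tally[attempt_login(throttle, ip, username, ok)] += 1
    return tally


if __name__ == "__main__":
    # Constructed traffic: one source trying 50 different usernames once each.
    # No username counter trips, but the per-IP counter does.
    stuffing = [("203.0.113.7", f"user{i}", False) for i in range(50)]
    print(replay(LoginThrottle(), stuffing))
```

Because each username is tried only once in that run, only the per-IP key stops it; the per-username key is what catches guesses against one account spread across many addresses.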
Rate limiting definitely helps against credential stuffing in the form of trying a bunch of common passwords against random accounts.
But there's also "stuffing" with known breached username+password combinations – in which case it still helps, but I don't think as much? In the latter the attack is much more likely to succeed and there's a much smaller number of values being attempted, so the threshold of detection + blocking would have to be much lower...
Yeah, I do think it's worth doing both :) As well as at least making 2FA an option for your users - 2FA is the ultimate defence to most of these problems, but depending on the company/use case, not everyone is willing to make it mandatory, it does tend to be a lot more annoying to users. Things like failed login rate limits, minimum password length/complexity, and banning known breached logins is less intrusive to the user, and still pretty good defence when combined, though not as good as 2FA.
The threshold is lower but in reality it still makes considerably more login attempts, many of them failed, than a normal client ever would. Credential stuffing attacks don't really limit themselves to a single account, even if it worked.
Sorry, I don't understand the procedure. If the database contains hashed passwords (I haven't seen or downloaded the database), how can you know you're using the same salt and method as the one in the database?
For example, let's say Tumblr was hacked and with it my password `hunter2`. Tumblr used some naive HMAC-MD5 method with a salt, but my site uses argon2 with (obviously) a different salt. Even though my password is the same (`hunter2`) the resulting hashed passwords will be different. How is this at all effective at preventing credential stuffing?
The HIBP database only stores hashes of leaked passwords, but the source material is often (always?) plaintext passwords. If the hash of a password is in the HIBP database, the plaintext password is out there somewhere in a database of a malicious actor.
There are some leaks where passwords are cracked and included in plaintext and there are some leaks where passwords are not cracked and included only as hashes. If the leak includes cracked passwords in plaintext then they will be added to HIBP and can be checked, otherwise they are not included and cannot be checked.
Yes, exactly, so that's why I was asking, you mentioned the database was of hashed passwords. The database then contains the source passwords? And you're preventing the user from using one of those passwords?
Sorry, I still don't understand the procedure you mentioned and I'm genuinely curious.
Oh, I see the issue. The HIBP database is SHA-1 hashed with no salt. It was created from unhashed passwords. You can't download the unhashed version (you could of course compute it, if you really wanted to; but there's no need).
So, the procedure you need to implement is, on login/registration/pw reset, you SHA-1 hash the user's unhashed password and do an indexed lookup on your copy of HIBP's database. Or if you don't want to maintain that copy, you can use HIBP's API to do something similar.
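The procedure in the comment above, as an added example that is not code from any commenter or from HIBP: hash the candidate password with unsalted SHA-1 and look it up, either in a local copy or through a hash-prefix query. It assumes the local copy is a text file of `SHA1HEX:COUNT` lines sorted by hash and that the API answers a 5-character prefix with `SUFFIX:COUNT` lines; the sample data and its counts are constructed, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 in upper-case hex, the form the breach data is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def write_sample_db(path: str, counts: dict) -> None:
    """Write a CONSTRUCTED stand-in for the downloaded data set.

    Assumed format: one 'SHA1HEX:COUNT' line per password, sorted by hash.
    """
    lines = sorted(f"{sha1_hex(pw)}:{n}" for pw, n in counts.items())
    with open(path, "w", newline="\n") as fh:
        fh.write("\n".join(lines) + "\n")


def local_breach_count(db_path: str, password: str) -> int:
    """Binary-search the sorted file on disk; return the count, or 0 if absent."""
    target = sha1_hex(password).encode("ascii")
    with open(db_path, "rb") as fh:
        lo, hi = 0, os.fstat(fh.fileno()).st_size
        # Invariant: if the target line exists, it starts at an offset in [lo, hi).
        while lo < hi:
            mid = (lo + hi) // 2
            if mid == 0:
                fh.seek(0)
            else:
                fh.seek(mid - 1)
                fh.readline()          # finish the line that contains byte mid-1
            start = fh.tell()          # first line starting at or after mid
            line = fh.readline()
            digest = line[:40]
            if not line or digest > target:
                hi = mid
            elif digest < target:
                lo = start + len(line)
            else:
                return int(line[41:].strip())
    return 0


def range_query(password: str):
    """Split the hash for a prefix query: only the 5-char prefix is sent out."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Look for our 35-char suffix among the 'SUFFIX:COUNT' lines returned."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_prospective_password(db_path: str, password: str):
    """Decision at registration, reset or login: (accepted, reason)."""
    seen = local_breach_count(db_path, password)
    if seen:
        return False, f"This password appears in known breaches ({seen} times)."
    return True, "not found in breach data"


if __name__ == "__main__":
    # Constructed sample; the counts are made up for the demonstration.
    sample = {"hunter2": 17000, "123456789012": 4200, "Password1!": 83000}
    path = os.path.join(tempfile.mkdtemp(), "pwned-sample.txt")
    write_sample_db(path, sample)
    for candidate in ("hunter2", "a long unique passphrase nobody leaked"):
        print(candidate, "->", check_prospective_password(path, candidate))
    prefix, suffix = range_query("hunter2")
    # A server-side response for this prefix, built locally instead of fetched.
    body = "\r\n".join(f"{sha1_hex(p)[5:]}:{n}" for p, n in sample.items())
    print(prefix, "->", count_in_range_response(suffix, body))
```

The stored argon2 or bcrypt hashes are never involved: the lookup runs on the plaintext the user has just submitted, before it is hashed for storage.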
Ah! Thanks a lot, it now makes sense. So at some point HIBP has the unhashed passwords, they obviously don’t make those public, good trick. How do you handle this from a UX perspective? Just tell the user that password is “not strong enough”?
> If you're a young CTO or early-stage engineer working on a web app
If you're working on a greenfield login/auth, please don't accept and store passwords in a database! Setup social OAuth, SSO, or magic link emails and make it someone else's problem.
If you do go down this route though, be sure to read up on what you're deploying, and understand what your libraries are doing (and more importantly, not doing).
You don't want to end up with a naive implementation of OAuth2 (like some big names had recently) which fails to check the audience parameter, and therefore lets any other service using the same SSO gain access to your users' accounts.
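The audience check mentioned in the comment above, as an added example rather than code from any library or commenter. The tokens are constructed, the issuer and client names are made up, and signing uses HS256 with a demo key only so the block runs on the standard library; a production service would use a maintained OIDC/JWT library and the provider's published keys.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenRejected(Exception):
    """Raised when a token must not be accepted by this service."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in for the identity provider: signs constructed claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, key, issuer, audience, now=None, check_audience=True):
    """Return the claims if the token is valid for THIS service.

    check_audience=False reproduces the naive implementation the comment
    warns about; it exists here only so the two behaviours can be compared.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:           # wrong part count, bad base64, bad JSON
        raise TokenRejected("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    if header.get("alg") != "HS256":    # never let the token pick the algorithm
        raise TokenRejected("unexpected algorithm")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenRejected("bad signature")
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("expired or missing exp")
    if check_audience:
        aud = claims.get("aud")         # may be a single string or a list
        audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
        if audience not in audiences:
            raise TokenRejected("token was issued for a different client")
    return claims


if __name__ == "__main__":
    key, iss, now = b"demo-key-not-a-real-secret", "https://idp.example", 1_700_000_000
    # Genuinely signed by the shared provider, but issued to another service.
    foreign = mint_token({"iss": iss, "aud": "photo-app", "sub": "alice",
                          "exp": now + 300}, key)
    print("naive:", verify_token(foreign, key, iss, "our-app", now, check_audience=False)["sub"])
    try:
        verify_token(foreign, key, iss, "our-app", now)
    except TokenRejected as exc:
        print("strict:", exc)
```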
I agree, and thanks for pointing that out, but between the two security failures, I'd rather have an incorrect OAuth2 implementation, which can be quickly fixed with no impact on existing customers, than credential stuffing, where I need to email customers apologizing for why I needed to reset their passwords.
> ... and then realize with a horrible feeling that some % of those hits are getting through the login page.
(Non sarcastic), why would you feel bad for users using 1234 as their passwords? Unless your website is aimed at vulnerable people, I consider this to be their responsibility.
As other comments have said these users will probably go the easiest route (1234websitename) to fix the error.
Any restriction you put on your password field reduces entropy, and safety for everyone (even if marginally so).
Because anyone that has ever been responsible for anything knows that there’s a difference between something being your fault and something being your problem.
Breach notification etc legislation in some jurisdictions will also require that you report successful widespread credential stuffing.
Even AWS with their “shared responsibility model” works with GitHub etc to ensure that programmatic access credentials aren’t accidentally exposed via public repositories. This isn’t credential stuffing, but it’s a blindingly accurate demonstration of the fact that drawing a line in the sand and saying “users, work it out from here!” and attempting to wash your hands of the situation is nothing more than the ill-informed pipe dream of someone that’s never had to deal with this stuff in reality.
Have you ever operated an online business? Poor password choice is practically harmful to business. Marginal reduction of entropy by blocking breached passwords, what's the practical harm from that?
1234websitename is objectively better than 1234.
I'll go with NIST on this one (yes, and have a minimum length too):
> When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised... If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.
> ... and then realize with a horrible feeling that some % of those hits are getting through the login page.
The alternative is the exact same scenario, except that the percentage is several orders of magnitude lower, right?
The small subset of your users that explicitly opted-out of 2-factor authentication (if you allow that) and who try to choose "Password1!" with a second exclamation point when your site said "Error, your password has been seen 83,000 times in password dumps, please use a unique password" will still get hacked.
Or is your expectation that no one will attack every user on your webapp with a credential stuffing attempt if they see that the probability of success is 0.001% instead of 1%?
Your numbers literally turn a scenario where 200,000 accounts are hacked into one where 200 are exposed. Or one where 30 hacked accounts turn into 0 hacked accounts.
There is a point where a difference in quantity becomes a difference in quality. I far prefer the latter scenarios.
Anybody (like GP) that doesn’t understand that this is entirely the nature of security work, should not be making any material decisions about security.
The number of times I’ve seen DEVELOPERS neglect to implement materially useful security measures because “they’re not technically perfect!” is astounding.
The number of times I’ve seen purported security practitioners dismiss materially useful security measures because of some theoretical attack that nobody has ever seen in the wild in recorded history outside of stunt-hacking at Defcon is…probably higher
Yes, same scenario, but far fewer logins are successful. 3 orders of magnitude sounds right, but I don't know precise numbers. (Can others shed light?) Three orders of magnitude is a lot!
> It's not on 23andMe, or anyone (other than the user) for that matter, to ensure the passwords used by the user are not copied passwords from other credentials.
In my opinion, it is, actually, on 23andMe. At my tiny startup, I implemented a simple check against Troy Hunt’s compromised password database.[1] If I can do it, 23andMe can.
If anyone reading this is in the business of making web apps and there’s literally anything of value behind your login, prioritize this mitigation. OWASP recommends it too. [2]
It is not hard and every web service really should implement this sort of check. I’m actually pretty surprised to see so many comments here that aren’t aware of it!
I don’t know about criminal liability, but they’re certainly at fault for not implementing a check against known compromised passwords[1]. I believe it’s been an accepted best practice since something like 2017.
Websites should mitigate credential stuffing by checking against known cracked passwords. All you have to do is download Troy Hunt’s hashed password database, check it when someone logs in and if it’s cracked do your email password reset flow. Or you can use their API.
It’s very simple, and I believe has been an accepted best practice since like 2017. This is 100% on 23andme. They are responsible.
This and noticing a bunch of accounts are suddenly being logged into en masse in a way that is obviously an attack. It cannot be hard to detect such an event if you cared to notice. So it’s 100% negligence and 100% the result of putting profits over safety. A terrible management failure.
I had to deal with this problem in our product, which has a visual programming language. I opted to throw an exception if, for whatever reason, "all()" receives an empty list! I had forgotten I'd done that. There's no explanation for it in the code.
As I sit here justifying my own reasoning, though, it sort of makes sense. For ordinary people (for whom this product is supposed to be), I figure if they put in nothing, that was probably just a mistake.
A spokesman for CalTrans claimed today that Bay Bridge could have taken the same hit without damage, thanks to fenders that protects all pylons for all bridges in the San Francisco Bay Area (1). Cargo ships are heavy, yes, but it appears we have the technology to prevent bridge collapses due to these sorts of collisions today.
1. "The Bay Bridge’s fenders insulated the span during the 2007 incident, so that the Cosco Busan ship struck a bumper, never hitting the bridge itself, Ney said. He noted that fenders on Bay Area bridges should be able to handle a ship traveling at 8 knots, the velocity at which the ship hit the Francis Scott Key span."
https://www.sfchronicle.com/bayarea/article/baltimore-bridge...