10 interesting stories served every morning and every evening.
Despite the obvious risk and years of warnings, at least eight American states and 16 million American voters will use completely paperless machines in the 2020 US elections, a new report by New York University’s Brennan Center for Justice found.
Paperless voting machines persist despite a strong consensus among US cybersecurity and national security experts that paper ballots and vote audits are necessary to ensure the security of the next election. The Brennan Center report points to the Senate Intelligence Committee investigation of Russian interference in the 2016 section, which also recommends paper ballots for security and verification.
America’s largest election technology company, Election Systems & Software, announced earlier this year that it would stop selling paperless machines. ES&S spokeswoman Katina Granger said the entire industry should follow suit.
“Using a physical paper record sets the stage for all jurisdictions to perform statistically valid post-election audits,” Granger told MIT Technology Review. “We believe that requiring a paper record for every voter would be a valuable step in securing America’s elections.”
ES&S, the largest election tech vendor in the country, covers 44% of American voters, a 2016 report by the University of Pennsylvania’s Wharton School found. Dominion Voting Systems covers 37% of voters, and Hart InterCivic 11%. Both still sell paperless voting machines.
Senator Ron Wyden, a leading Capitol Hill voice on election security, has persistently pushed legislation that would federally mandate paper ballots, among other security measures. The legislation has been blocked by the Republican Senate majority leader, Mitch McConnell.
“Selling a paperless voting machine is like selling a car without brakes—something is going to go terribly wrong,” Wyden says. “It is obvious that vendors won’t do the right thing on security by themselves. Congress needs to set mandatory federal election security standards that outlaw paperless voting machines and guarantee every American the right to vote with a hand-marked paper ballot. Experts agree that hand-marked paper ballots and post-election audits are the best defense against foreign hacking. Vendors should recognize that fact or get out of the way.”
Chris Krebs, the top cybersecurity official in the Department of Homeland Security, said last week that paper ballot backups are needed in 2020. Congressional and law enforcement officials have repeatedly said that foreign powers are poised to interfere in the upcoming American elections.
Most of the states using completely paperless machines in 2020 are not historically battleground states, which are seen as the most valuable targets for interference and impact. Texas, Louisiana, Tennessee, Mississippi, Kansas, Indiana, Kentucky, and New Jersey will use paperless machines.
Some of those states, however, are more closely contested than usual. Texas in particular has been turning increasingly purple. In 2016, Democratic Senate candidate Beto O’Rourke stunned national observers by putting up a close race against Republican Ted Cruz. If Texas starts producing more close races, its persistence in using paperless machines—the result of a stalled legislative battle over election security—will make it a more tempting target.
“If my goal is to throw another US election, I have limited resources. I can’t attack everywhere. I want to focus on battleground states where even a small push can have a large impact,” says Dan Wallach, a computer science professor at Rice University and a member of the Technical Guidelines Development Committee of the US Election Assistance Commission.
Security experts overwhelmingly agree that paper ballots and risk-limiting audits are necessary to secure elections in the 21st century. Emblematic of that consensus is a 2018 report from the National Academies of Sciences, Engineering, and Medicine titled “Securing the Vote: Protecting American Democracy.” The conclusions: Elections need human-readable ballots and mandated audits before election results are certified.
Elections are managed primarily by US states as opposed to the federal government. Technical and security requirements vary by state and even by local government. Despite slow movement and resistance from some corners of the country, progress away from paperless machines has been significant: compared with the 16 million Americans who will vote on paperless machines in 2020, 27.5 million did so in 2016, according to the Brennan Center report.
Backups, however, are not a silver bullet for election security. Security experts say paper ballots are so important precisely because subsequent audits are necessary, and 17 of the 42 states requiring paper do not require audits.
“The name of the game as election officials is to produce election results that are convincing to the loser,” Wallach says. “The winner is happy to win; the loser requires evidence. In the face of propaganda and interference, you have to produce convincing results—convincing the loser to say, ‘Yeah, I lost.’ This is why people like paper. Once paper has been printed, it’s hard for someone like Vladimir Putin to reach out over the internet and change what’s already been printed on dead trees.”
Audits mean a high chance that incorrect outcomes can be detected with statistical efficiency, the National Academies of Sciences concluded.
The experts recommended that all voting machines should use human-readable paper ballots and that machines without the ability for independent auditing should be removed from elections right away.
...
Read the original on www.technologyreview.com »
A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks.
However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn’t do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform.
The entire chain of events behind the public disclosure of these two zero-days has caused quite a drama and discussions in the infosec community.
All the negative comments have been aimed at Valve and the HackerOne staff, with both being acused of unprofessional behavior.
Security researchers and regular Steam users alike are mad because Valve refused to acknowledge the reported issue as a security flaw, and declined to patch it.
When the security researcher — named Vasily Kravets– wanted to publicly disclose the vulnerability, a HackerOne staff member forbade him from doing so, even if Valve had no intention of fixing the issue — effectively trying to prevent the researcher from letting users know there was a problem with the Steam client at all.
Kravets did eventually publish details about the Steam zero-day, which was an elevation of privilege (also known as a local privilege escalation) bug that allowed other apps or malware on a user’s computer to abuse the Steam client to run code with admin rights.
Kravets said he was banned from the platform following the public disclosure of the first zero-day. His bug report was heavily covered in the media, and Valve did eventually ship a fix, more as a reaction to all the bad press the company was getting.
The patch was almost immediatelly proved to be insufficient, and another security researcher found an easy way to go around it almost right away.
Furthermore, a well-known and highly respected security researcher named Matt Nelson also revealed he found the same exact bug, but after Kravets, which he too reported to Valve’s HackerOne program, only to go through a similar bad experience as Kravets.
Nelson said Valve and HackerOne took five days to acknowledge the bug, refused to patch it, and then locked the bug report when Nelson wanted to disclose the bug publicly and warn users.
Nelson later released proof-of-concept code for the first Steam zero-day, and also criticized Valve and HackerOne for their abysmall handling of his bug report.
Today, Kravets published details about a second Valve zero-day, which is another EoP/LPE in the Steam client, allowing malicious apps to gain admin rights through Valve’s Steam app. Demos of the second Steam zero-day are embedded below, and a technical write-up is available on Kravets’ site.
A Valve spokesperson did not reply to a request for comment, but the company rarely comments on security issues.
All of Valve’s problems seem to come from the fact that the company has placed EoP/LPE vulnerabilities as “out-of-scope” for its HackerOne platform, meaning the company doesn’t view them as security issues.
Nelson, a security researcher who has made a name for himself for finding a slew of interesting bugs in Microsoft products, doesn’t agree with Valve’s decision.
EoP/LPE vulnerabilities can’t allow a threat actor to hack a remote app or computer. They are vulnerabilities abused during post-exploitation, mostly so attackers can take full control over a target by gaining root/admin/system rights.
While Valve doesn’t consider these as security flaws, everyone else does. For example, Microsoft patches tens of EoP/LPE flaws each month, and OWASP considers EoP/LPE as the fifth most dangerous security flaw in its infamous Top 10 Vulnerabilities list.
By refusing to patch the first zero-day, Valve inadvertantly sent a message out that it doesn’t care about the security of its product, putting the company’s 100+ million Windows users in danger just by having the Steam client installed on their computers.
Sure! Valve is right, in its own way. An attacker can’t use an EoP/LPE to break into a Steam user’s client. That’s a fact. But, that’s not the point.
When users install the Steam client on their computers, they also don’t expect the app to be a launching pad for malware or other attacks.
An app and users’ security is more than remote code execution (RCE) bugs. Otherwise, if EoP/LPE bugs weren’t a big deal, everyone else wouldn’t bother patching them either.
...
Read the original on www.zdnet.com »
The man who helped invent scratch-off lottery tickets now has his sights set on a bigger prize: overhauling the way the United States elects presidents.
On Tuesday, Nevada became the latest state to pass a bill that would grant its electoral votes to whoever wins the popular vote across the country, not just in Nevada. The movement is the brainchild of John Koza, a co-founder of National Popular Vote, an organization that is working to eliminate the influence of the Electoral College.
If Nevada’s governor signs the bill, the state will become the 15th — plus the District of Columbia — to join an interstate pact of states promising to switch to the new system. Those states, including Nevada, have a total of 195 electoral votes. The pact would take effect once enough states have joined to guarantee the national winner 270 electoral votes, ensuring election.
Enforcement, however, could be very difficult without congressional approval, according to constitutional law experts. And the pact would be highly vulnerable to legal challenges, they say.
...
Read the original on www.nytimes.com »
Today, Mozilla and Google took action to protect the online security and privacy of individuals in Kazakhstan. Together the companies deployed technical solutions within Firefox and Chrome to block the Kazakhstan government’s ability to intercept internet traffic within the country.
The response comes after credible reports that internet service providers in Kazakhstan have required people in the country to download and install a government-issued certificate on all devices and in every browser in order to access the internet. This certificate is not trusted by either of the companies, and once installed, allowed the government to decrypt and read anything a user types or posts, including intercepting their account information and passwords. This targeted people visiting popular sites Facebook, Twitter and Google, among others.
“People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their security. We don’t take actions like this lightly, but protecting our users and the integrity of the web is the reason Firefox exists.” — Marshall Erwin, Senior Director of Trust and Security, Mozilla
“We will never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users’ data. We have implemented protections from this specific issue, and will always take action to secure our users around the world.” — Parisa Tabriz, Senior Engineering Director, Chrome
This is not the first attempt by the Kazakhstan government to intercept the internet traffic of everyone in the country. In 2015, the Kazakhstan government attempted to have a root certificate included in Mozilla’s trusted root store program. After it was discovered that they were intending to use the certificate to intercept user data, Mozilla denied the request. Shortly after, the government forced citizens to manually install its certificate but that attempt failed after organizations took legal action.
Each company will deploy a technical solution unique to its browser. For additional information on those solutions please see the below links.
...
Read the original on blog.mozilla.org »
I’m about to accept a PR that will increase druid’s compile time about 3x and its executable size almost 2x. In this case, I think the tradeoff is worth it (without localization, a GUI toolkit is strictly a toy), but the bloat makes me unhappy and I think there is room for improvement in the Rust ecosystem.
For me, bloat in Rust is mostly about compile times and executable size. Compile time is on the top 10 list of bad things about the Rust development experience, but to some extent it’s under the developer’s control, especially by choosing whether or not to take dependencies on bloated crates.
Bloat is an endemic problem in software, but there are a few things that make it a particular challenge for Rust:
* Cargo makes it so easy to just reach for a crate.
One of the subtler ways compile times affect the experience is in tools like RLS.
It’s going to vary from person to person, but I personally do care a lot. One of my hopes for xi-editor is that the core would be lightweight, especially as we could factor out concerns like UI. However, the release binary is now 5.9M (release build, Windows, and doesn’t include syntax coloring, which is an additional 2.1M). I’ve done a bunch of other things across the Rust ecosystem to reduce bloat, and I’ll brag a bit about that in this post.
Of course, the reason why I’m considering such a huge jump in compile times on druid is that I want localization, an important and complex feature. Doing it right requires quite a bit of logic around locale matching, Unicode, and natural language processing (such as plural rules). I don’t expect a tiny crate for this.
One recent case we saw a similar tradeoff was the observation that the unicase dep adds 50k to the binary size for pulldown-cmark. In this case, the CommonMark spec demands Unicode case-folding, and without that, it’s no longer complying with the standard. I understand the temptation to cut this corner, but I think having versions out there that are not spec-compliant is a bad thing, especially unfriendly to the majority of people in the world whose native language is other than English.
So, it’s important not to confuse lean engineering with a lack of important features. I would say bloat is unneeded resource consumption beyond what’s necessary to meet the requirements. Unicode and internationalization are a particularly contentious point, both because they actually do require code and data to get right, but also because there’s a ton of potential for bloat.
I would apply a higher standard to “foundational” crates, which are intended to be used by most Rust applications that need the functionality. Bloat in those is a reason not to use the dependency, or to fragment the ecosystem into different solutions depending on needs and tolerance for bloat.
I think a particular risk are crates providing generally useful features, ones that would definitely make the cut in a “batteries included” language. Some of these (bitflags, lazy_static, cfg-if, etc) are not very heavy, and provide obvious benefit, especially to make the API more humane. For others (rental, failure), the cost is higher and I would generally recommend not using them in foundational crates. But for your own app, if you like them, sure. I believe rental might be the most expensive transitive dependency for fluent, as I find it takes 27.3s (debug, Windows; 53.2s for release) for the crate alone.
I’m concerned about bloat in gfx-rs - about a minute for a debug build, and about 3M (Windows, quad example). For this reason (and stability and documentation), I’m leaning towards making the GPU renderers for piet use the underlying graphics APIs directly rather than using this abstraction layer. I’ve found similar patterns with other “wrapper” crates, including direct2d. But here the tradeoffs are complex.
I don’t have hard numbers yet, but I’ve found that the rust-objc macros produce quite bloated code, on the order of 1.5k per method invocation. This is leading me to consider rewriting the macOS platform binding code in Objective-C directly (using C as the common FFI is not too bad), rather than relying on Rust code that uses the dynamic Objective-C runtime. I expect bloat here to affect a fairly wide range of code that calls into the macOS (and iOS) platform, so it would be a good topic to investigate more deeply.
I sometimes hear that it’s ok to depend on commonly-used crates, because their cost is amortized among the various users that share them. I’m not convinced, for a variety of reasons. For one, it’s common that you get different versions anyway (the Zola build currently has two versions each of unicase, parking_lot, parking_lot_core, crossbeam-deque, toml, derive_more, lock_api, scopeguard, and winapi). Second, if generics are used heavily (see below), there’ll likely be code duplication anyway.
That said, for stuff like Unicode data, it is quite important that there as few copies as possible in the binary. The best choice is crates engineered to be lean.
A particularly contentious question is proc macros. The support crates for these (syn and quote) take maybe 10s to compile, and don’t directly impact executable size. It’s a major boost to the expressivity of the Rust language, and we’ll likely use them in druid, though have been discussing making them optional.
What I’d personally like to see is proc macros stabilize more and then be adopted into the language.
Digging into xi-editor, the biggest single source of bloat is serde, and in general the fact that it serializes everything into JSON messages. This was something of an experiment, and in retrospect I would say one of the things I’m most unhappy about. It seems that efficient serialization is not a solved problem yet. [Note also that JSON serialization is extremely slow in Swift]
The particular reason serde is so bloated is that it monomorphizes everything. There are alternatives; miniserde in particular yields smaller binaries and compile times by using dynamic dispatch (trait objects) in place of monomorphization. But it has other limitations and so hasn’t caught on yet.
In general, overuse of polymorphism is a leading cause of bloat. For example, resvg switched from lyon to kurbo [Note added: RazrFalcon points out that the big contribution to lyon compile times is proc macros, not polymorphism, and that’s since been fixed]. We don’t adopt the lyon / euclid ecosystem, also for this reason, which is something of a shame because now there’s more fragmentation. When working on kurbo, I did experiments indicating there was no real benefit to allowing floating point types other than f64, so just decided that would be the type for coordinates. I’m happy with this choice.
For a variety of reasons, async code is considerably slower to compile than corresponding sync code, though the compiler team has been making great progress. Even though async/await is the shiny new feature, it’s important to realize that old-fashioned sync code is still better in a lot of cases. Sure, if you’re writing high-scale Internet servers, you need async, but there are a lot of other cases.
I’ll pick on Zola for this one. A release build is over 9 minutes and 15M in size. (Debug builds are about twice as fast but 3-5x bigger). Watching the compile (over 400 crates total!) it’s clear that its web serving (actix based) accounts for a lot of that, pulling in a big chunk of the tokio ecosystem as well. For just previewing static websites built with the tool, it might be overkill. That said, for this particular application perhaps bloat is not as important, and there are benefits to using a popular, featureful web serving framework.
As a result, I’ve chosen not to use async in druid, but rather a simpler, single-threaded approach, even though async approaches have been proposed.
It’s common for a crate to have some core functionality, then other stuff that only some users will want. I think it’s a great idea to have optional dependencies. For example, xi-rope had the ability to serialize deltas to JSON because we used that in xi-editor, but that’s a very heavyweight dependency for people who just want an efficient data structure for large strings. So we made that optional.
An alternative is to fragment the crate into finer grains; rand is a particular offender here, as it’s not uncommon to see 10 subcrates in a build. We’ve found that having lots of subcrates often makes life harder for users because of the increased coordination work making sure versions are compatible.
Another crate that often shows up in Rust builds is phf, an implementation of perfect hashing. That’s often a great idea and what you want in your binaries, but it also accounts for ~13s of compile time when using the macro version (again bringing in two separate copies of quote and syn). [Note added: sfackler points out that you can use phf-codegen to generate Rust source and check that into your repos.]
For optimizing compile times in unicode-normalization, I decided to build the hash tables using a custom tool, and check those into the repo. That way, the work is done only when the data actually changes (about once a year, as Unicode revs), as opposed to every single compile. I’m proud of this work, as it improved the compile time for unicode-normalization by about 3x, and I do consider that an important foundational crate.
Compile time and executable size are aspects of performance (even though often not as visible as runtime speed), and performance culture applies. Always measure, using tools like cargo-bloat where appropriate, and keep track of regressions.
A good case study for cargo-bloat is clap, though it’s still pretty heavyweight today (it accounts for about 1M of Zola’s debug build, measured on macOS).
There’s also an effort to analyze binary sizes more systematically. I applaud such efforts and would love it if they were even more visible. Ideally, crates.io would include some kind of bloat report along with its other metadata, although using fully automated tools has limitations (for example, a “hello world” example using clap might be pretty modest, but one with hundreds of options might be huge).
Once you accept bloat, it’s very hard to claw it back. If your project has multi-minute compiles, people won’t even notice a 10s regression in compile time. Then these pile up, and it gets harder and harder to motivate the work to reduce bloat, because each second gained in compile time becomes such a small fraction of the total.
As druid develops into a real GUI, I’ll be facing many more of these kinds of choices, and both compile times and executable sizes will inevitably get larger. But avoiding bloat is just another place to apply engineering skill. In writing this blog post, I’m hoping to raise awareness of the issue, give useful tips, and enlist the help of the community to keep the Rust ecosystem as bloat-free as possible.
As with all engineering, it’s a matter of tradeoffs. Which is more important for druid, having fast compiles, or being on board with the abundance of features provided by the Rust ecosystem such as fluent? That doesn’t have an obvious answer, so I intend to mostly listen to feedback from users and other developers.
...
Read the original on raphlinus.github.io »
In July 2015 workers at the Garden Creek I Gas Processing Plant, in Watford City, North Dakota, noticed a leak in a pipeline and reported a spill to the North Dakota Department of Health that remains officially listed as 10 gallons, the size of two bottled water delivery jugs.
But a whistle-blower has revealed to DeSmog the incident is actually on par with the 1989 Exxon Valdez oil spill in Alaska, which released roughly 11 million gallons of thick crude.
The Garden Creek spill “is in fact over 11 million gallons of condensate that leaked through a crack in a pipeline for over 3 years,” says the whistle-blower, who has expertise in environmental science but refused to be named or give other background information for fear of losing their job. They provided to DeSmog a document that details remediation efforts and verifies the spill’s monstrous size.
“Up to 5,500,000 gallons” of hydrocarbons have been removed from the site, the 2018 document states, “based upon an…estimate of approximately 11 million gallons released.”
Garden Creek is operated by the Oklahoma-based oil and gas service company, ONEOK Partners, and processes natural gas and natural gas liquids, also called natural gas condensate, brought to the facility via pipeline from Bakken wells.
Neither the National Oceanic and Atmospheric Administration (NOAA), which monitors coastal spills, nor the Environmental Protection Agency (EPA) could provide records to put the spill’s size in context, but according to available reports, if the 11-million-gallon figure is accurate, the Garden Creek spill appears to be among the largest recorded oil and gas industry spills in the history of the United States.
However, the American public is unaware, because the spill remains officially listed as just 10 gallons. That is despite the fact that a North Dakota regulator has acknowledged the spill was much larger, and even the official record, right after stating the spill was 10 gallons, notes that the area was “saturated with natural gas condensate of an unknown volume,” and thus may have been larger.
Scott Skokos, Executive Director of the Dakota Resource Council, an organization that works to protect North Dakota’s natural resources and family farms, questioned whether it was legal for the state to cover up or downplay spills.
“I have seen many instances where it appears spills are being covered up, and there appears to be a pattern of downplaying spills, which makes the narrative surrounding oil and gas development look rosy and makes the industry look better politically,” says Skokos. “If this pattern is as widespread as it seems, then we have a government that is conspiring to protect the oil industry. This is not only reckless and unethical, but also potentially illegal.”
“In my view,” Skokos added, “this is not looking out for the best interest of the state or the people who live in the state, it is only looking out for corporations. And these are not even corporate citizens of this state, they are corporate citizens of somewhere else.”
Spills are pervasive in North Dakota’s oil industry and have been the focus of numerous media reports. “State regulators have often been unable — or unwilling — to compel energy companies to clean up their mess,” ProPublica reported in a 2012 investigation.
A 2015 Inside Energy article noted state reports “are riddled with inaccuracies and estimates” and cited a 2011 spill of oil and gas wastewater by a Texas-based company listed as 12,600 gallons but later determined to be at least two million gallons. An eight-year database of spills compiled by the New York Times in 2014 showed two spills of roughly one million gallons.
But no news agency has reported on any spill in North Dakota near the magnitude of Garden Creek.
Pumpjacks and flaring in McKenzie County, North Dakota, east of Arnegard and west of Watford City. Credit: Tim Evanson,
Gas processing plants are sprawling industrial facilities and contain numerous pipes and towers that help clean and separate the stream of natural gas and natural gas liquids like ethane, butane, and propane carried in gathering pipelines that originate at wellheads.
The explosion of fracking across the U. S. and the booming development of America’s gas-rich shale plays have planted gas processing plants, which emit a near-continuous stream of greenhouse gases and carcinogens, from the Pittsburgh suburbs and Ohio’s Amish country to the high plains of Colorado and the badlands of North Dakota.
“There should be ongoing investigations of these facilities regularly,” says Emily Collins, Executive Director of Fair Shake, an Ohio-based nonprofit environmental law firm. But there isn’t.
“There is so much to keep track of for these regulators that spills, among other things, are lost in the mix,” says Collins. “The old formula of having inspections and investigations where you show up once a year clearly doesn’t work here, not with the pace, not with how many places are at issue all of the sudden. We are just not able to handle it all.”
Map of western North Dakota that includes well density (number of wells per 5 km radius), reported brine spills from 2007 to 2015 (red circles), and sampling sites of samples collected in July 2015 (green triangles). Credit: Lauer et al. 2016
Meanwhile, examination of the industry, its spills, and its placid regulators has made its way to the U. S. Congress. The Subcommittee on Energy and Mineral Resources of the House’s Natural Resource Committee has been holding hearings on the impacts of oil and gas development on local communities, landowners, taxpayers, and the environment.
In May, Collins testified before the subcommittee, along with 71-year-old North Dakota farmer Daryl Peterson. He shared harrowing stories about decades of spills of toxic oil and gas industry waste on his farmland, and the utter neglect of the issue by his state’s regulators.
“In my experience, regulators have been reluctant to enforce compliance,” Peterson told Congress. “And have minimized the impacts, rather than holding the oil companies accountable.”
On April 29, 2019, oversight of spills shifted from the North Dakota Department of Health to a new agency, the Department of Environmental Quality, but the state’s Spill Investigation Program Manager has remained Bill Suess.
“I know for a fact that Bill Suess was made aware of Garden Creek’s size in October of 2018 after a 3-year investigation was completed to assess size and scope,” the whistle-blower told DeSmog. “Bill and state staff were presented an updated version of the spill size…at the state Gold Seal building in a PowerPoint presentation.”
In a phone conversation with DeSmog in mid-July, Suess explained that he had never seen a document showing the spill’s size to be any number other than 10 gallons, and he rejected the fact that the spill was 11 million gallons.
“That would be by far the largest spill on land in U. S. history. I mean you are talking 261,000 barrels,” Suess said. “That would be significant, and I will guarantee you it is not that volume. I have received no documentation and I have no scientific evidence to show it is anywhere near that volume.”
Suess readily acknowledged that the officially listed spill size was too low. “We know it is significantly bigger than 10 gallons. We have known that since Day One,” Suess continued. Yet he defended the state’s decision to continue to list the spill as just 10 gallons.
“In North Dakota we do not regulate based on volume,” Suess added. “Whether we put a 10 there, a 100 there, a 1,000 there is not going to change our response to the spill, it is not going to change what the responsible party has to do, not going to change their remediation, it is not going to change anything other than your curiosity.”
Crestwood discovered a 1 million gallon brine spill from its Arrow pipeline on July 8, 2014. Located north of Mandaree, North Dakota, on the Fort Berthold Reservation. Mandaree is one of the six segments on Fort Berthold and where most Mandan and Hidatsa people live. Courtesy of Lisa DeVille
DeSmog presented details of the Garden Creek spill to North Dakota environmental attorney Fintan Dooley, who leads the North Dakota Salted Lands Council, an organization dedicated to remediating spills.
“You got a big fish hooked here,” he said. “This has all the signs of a civil conspiracy. If instead of 10, it was 110 or 1010 gallons, one could make the determination the original report was a mistake, but to leave uncorrected a mistake this big is not an accident, it smells of deception and deliberation and this is not the first incident of deceptive record-keeping in North Dakota — I think a good question to ask is, how many state officials are implicated in covering up this story?”
The North Dakota Century Code, which contains all state laws, covers perjury, falsification, and breach of duty in Chapter 12.1-11. Subsection 05, “Tampering with public records,” states the following:
“A person is guilty of an offense if he: a. Knowingly makes a false entry in or false alteration of a government record; or b. Knowingly, without lawful authority, destroys, conceals, removes, or otherwise impairs the verity or availability of a government record.”
The offense, “if committed by a public servant who has custody of the government record,” is a felony. The crime carries a possible five-year prison sentence.
DeSmog confronted Suess with this portion of the code, and asked him if he believed he, or someone, was guilty of falsifying government records. “No, I am not guilty, but if I changed that number I would be,” he said. “If I were to go in there and just change that [10 gallons] to a larger number that I don’t have any scientific evidence or documentation for, then I would be falsifying it.”
The environmental attorney Fintan Dooley does not buy that officials behaved appropriately. “There has been a lot of talk around the state capitol lately about official breach of public trust, and I am just wondering how far this practice of falsification of records will be allowed to go?” he said. “The whole thing can be prosecuted, and if this presents an opportunity to prosecute, I think that is just wonderful.” Any decisions regarding prosecution, he stresses, are up to a state attorney.
When asked exactly who would be charged with a crime, Dooley said, “If anyone is going to file a criminal charge, they must file it against an individual. If there was a whole series of people involved, the best practice would be to identify all of them.”
Natural gas flares from a flare-head at the Orvis State well on the Evanson family farm in McKenzie County, North Dakota, west of Watford City. Credit: Tim Evanson, - 2.0
Garden Creek I became operational in January 2012. The project was applauded by state and industry officials for its ability to reduce the release of the prominent greenhouse gas methane in the oilfield by containing and processing that and other natural gas byproducts. Flaring, or burning, natural gas is common in the region’s oilfields.
“The completion of this facility is a positive step toward reducing flaring activities in North Dakota,” ONEOK president Terry Spencer told a Watford City newspaper in 2012. In 2015, at the time the spill was noticed, ONEOK was in the process of constructing a network of additional gas processing plants across the Bakken. In one industry press release, the company bragged of “better-than-expected plant performance at existing and planned processing plants.”
“There was motive to cover up the actual size of the spill to allow their infrastructure to be completed,” says the whistle-blower. Furthermore, by the summer of 2016, as the cleanup at Garden Creek I was moving along, protests against the construction of the Dakota Access pipeline (DAPL) at the Standing Rock Sioux Indian Reservation were in full swing. One major concern voiced by the tribe was that a spill could destroy farmland and contaminate drinking water for thousands of people.
On August 31, 2016, “Happy” American Horse from the Sicangu Nation locked himself to construction equipment as a direct action against the Dakota Access pipeline. Credit: Desiree Kane, 3.0
“Public outcry against gas collection could have threatened ONEOK’s expansion plans and might have stood in the way of the state’s flaring reduction goals,” says the whistle-blower. “It’s also possible that it could have further galvanized public opinion against the DAPL project. In short, it’s possible that the North Dakota Department of Health faced heavy pressure from both state and industry to keep this on the down low.”
David Glatt, Director of North Dakota’s Department of Environmental Quality, said, “The state makes public all spill reports it receives, so there is no under reporting by the state.” ONEOK has not responded to DeSmog’s questions on this incident. DeSmog has filed an open records request with the State of North Dakota for additional information and details related to the Garden Creek I spill.
In July, Suess told DeSmog, “Remediation is still ongoing. It is going to be a slow process, it will be a few years, I think.” Suess said he was planning to revisit the spill site but did not expect anything he found there would lead him to alter the officially recorded spill size. “I have a schedule to go out there later this month, but I still probably wouldn’t change that 10-gallon number because I still won’t have an accurate number,” he said.
In May, just as North Dakota’s planting season was beginning, I met with several North Dakota residents whose farms or communities had been marred by oil and gas industry spills, including the land of farmer Daryl Peterson, whose 2,500 acres of grains, soybeans, and corn have been contaminated by more than a dozen spills of brine.
This oil and gas waste product is loaded with salt and also contains toxic heavy metals and radioactivity. Peterson pointed to dead zones on his land that are unfit for crops though still fit for government taxes. The spills have also tainted his groundwater.
Daryl Peterson’s North Dakota farm has suffered from more than a dozen oil and gas industry brine spills. Courtesy of Daryl Peterson
“State regulators declare most spills are cleaned up to EPA standards and land productivity is restored but very often this has not been the case,” said Peterson, who, together with his wife Christine, has farmed this land in Bottineau County, near the Canadian border, for more than 40 years.
“The oil industry controls politics in North Dakota and long-term consequences to our precious land, air, and water resources are being ignored with this gold rush mentality. With the prospect of 40,000 more wells in North Dakota, the future of our bountiful agriculture state is in great jeopardy,” said Peterson.
Suess defended his agency’s methods. “What I believe the North Dakota public wants to know is not how big is it, but is this spill a risk to me,” he said. “Personally, I have actually been told by others that we are one of the most transparent agencies out there. My boss is the North Dakota taxpayer, and my door is always open, any citizen can walk in at any time and talk to me.”
However, other North Dakota residents dealing with spills strongly disagree. In May DeSmog also toured spills on the Fort Berthold Indian Reservation, in the heart of the Bakken oil boom in western North Dakota, with Lisa DeVille and her husband Walter DeVille Sr. The couple lives in the community of Mandaree and helps lead an environmental advocacy group called Fort Berthold Protectors of Water & Earth Rights, or POWER.
“You can see the earth slowly dying,” said Lisa, who has two master’s degrees in business and returned to school to get a bachelor’s* degree in environmental science so she could better monitor all the spills and contamination on her land and advocate for her community.
“Every day we have a spill,” she said. “Whether it is frac sand spilled, trucks that stall out and drop their oil on roads, trucks wrecking on the road and spilling oil and gas waste product, or our invisible spill, the methane released into the air from flaring and venting.”
Aerial view of a 1 million gallon brine spill from Crestwood’s Arrow pipeline on July 8, 2014. Located north of Mandaree, North Dakota, on the Fort Berthold Reservation. Mandaree is one of the six segments on Fort Berthold and where most Mandan and Hidatsa peoples live. Photo credit: Sarah Christianson
“The North Dakota Spill Investigation Program Manager can say that his door is open, but North Dakota is protecting industry, not people, and it is upsetting to me,” Lisa added.
“My people — the Mandan, Hidatsa, and Arikara Nation — have been here for centuries, there have been many broken promises, and they have been lied to and are still being lied to about all this oil and gas contamination. No one knows the amount of spills on Fort Berthold because industry will lie to our tribal leaders. Also, there is no data for the public to see. There are no studies, research, or analysis to create laws or codes for environmental justice.”
In July 2014, one million gallons of oil and gas waste spilled from a pipeline and into a ravine that drains into the tribe’s main reservoir for drinking water. In a 2016 paper, Duke University researchers, including geochemist Avner Vengosh, revealed the spill, as well as several others in the Bakken, had laced the land with heavy metals and radioactivity.
When asked in May 2019 if he was aware of this research, Glatt, director of the North Dakota Department of Environmental Quality, said he questioned Vengosh’s “initial premise” and believed the researchers were “looking for the worst case scenario.”
“I haven’t seen his report; I just didn’t even know it was out there,” said Glatt. “I knew he was in the state. This is the first time I hear that he wrote a report.”
As lawsuits against the oil and gas industry for climate impacts continue and a growing web of grassroots groups spotlight the industry’s wide arc of pollution, the uncovering of the oil and gas industry’s vast closet of toxic skeletons seems inevitable.
“Ultimately I am fed up with the rushed drilling programs and the lack of accountability when it comes to environmental impacts,” says the whistle-blower. “I am also disgusted with how state officials and city council members view these threats and deem it acceptable to potentially harm human health.”
Why, the whistle-blower added, “are we shielding the truth from public scrutiny?”
*Updated 8/20/19: This story has been updated to correct Lisa DeVille’s degree in environmental science, which is a bachelor’s, not a master’s.
...
Read the original on www.desmogblog.com »
Today we are announcing the distributed version of TimescaleDB, which is currently in private beta (public version slated for later this year).TimescaleDB, a time-series database on PostgreSQL, has been production-ready for over two years, with millions of downloads and production deployments worldwide. Today, for the first time, we are publicly sharing our design, plans, and benchmarks for the distributed version of TimescaleDB. First released 30+ years ago, PostgreSQL today is making an undeniable comeback. It is the fastest growing database right now, faster than MongoDB, Redis, MySQL, and others. PostgreSQL itself has also matured and broadened in capabilities, thanks to a core group of maintainers and a growing community. Yet if one main criticism of PostgreSQL exists, it is that horizontally scaling out workloads to multiple machines is quite challenging. While several PostgreSQL projects have developed scale-out options for OLTP workloads, time-series workloads, which we specialize in, represent a different kind of problem.Simply put, time-series workloads are different than typical database (OLTP) workloads. This is for several reasons: writes are insert, not update heavy, and those inserts are typically to recent time ranges; reads are typically on continuous time-ranges, not random; writes and reads typically happen independently, rarely in the same transaction. Also, time-series insert volumes tend to be far higher and data tends to accumulate far more quickly than in OLTP. So scaling writes, reads, and storage is a standard concern for time series. These were the same principles upon which we developed and first launched TimescaleDB two years ago. Since then, developers all over the world have been able to scale a single TimescaleDB node, with replicas for automated failover, to 2 million metrics per second and 10s of terabytes of data storage. This has worked quite well for the vast majority of our users. But of course, workloads grow and software developers (including us!) always want more. What we need is a distributed system on PostgreSQL for time-series workloads.Our new distributed architecture, which a dedicated team has been hard at work developing since last year, is motivated by a new vision: scaling to over 10 million metrics a second, storing petabytes of data, and processing queries even faster via better parallelization. Essentially, a system that can grow with you and your time-series workloads.Most database systems that scale-out to multiple nodes rely on horizontally partitioning data by one dimension into shards, each of which can be stored on a separate node.We chose not to implement traditional sharding for scaling-out TimescaleDB. Instead, we embraced a core concept from our single-node architecture: the chunk. Chunks are created by automatically partitioning data by multiple dimensions (one of which is time). This is done in an fine-grain way such that one dataset may be comprised of 1000s of chunks, even on a single node. Unlike sharding, which typically only enables scale-out, chunking is quite powerful in its ability to enable a broad set of capabilities. For example:
Scale-up (on same node) and scale-out (across multiple nodes)Elasticity: Adding and deleting nodes by having data grow onto new nodes and age out of old onesPartitioning flexibility: Changing the chunk size, or partitioning dimensions, without downtime (e.g., to account for increased insert rates or additional nodes)Data reordering: Writing data in one order (e.g., by time) based on write patterns, but then rewriting it later in another order (e.g., device_id) based on query patternsA much more detailed discussion is later in this post.While we plan to start publishing more benchmarks over the next few months, we wanted to share some early results demonstrating our distributed architecture’s ability to sustain high write rates. As you can see, at 9 nodes the system achieves an insert rate well over 12 million metrics a second:TimescaleDB running the open-source Time Series Benchmarking Suite, deployed on AWS running m5.2xlarge data nodes and a m5.12xlarge access node, both with standard EBS gp2 storage. More on access and data nodes later in the post.This multi-node version of TimescaleDB is currently in private beta. If you’d like to join the private beta, please fill out this form. You can also view the documentation here. The rest of this post describes the underlying design principles of our distributed architecture and how it works. There is also a FAQ at the end of the post with answers to questions we commonly hear about this architecture. Please continue reading to learn more.The five objectives of database scalingBased on our own experience, combined with our interactions with TimescaleDB users, we have identified five objectives for scaling a database for time-series workloads:
Total storage volume: Scaling to larger amounts of data under managementInsert rate: Supporting higher ingestion rates of rows or datapoints per secondQuery concurrency: Supporting larger numbers of concurrent queries, sometimes via data replicationQuery latency: Reducing the latency to access a large volume of data to handle a single query, typically through query parallelizationFault tolerance: Storing the same portion of data on multiple servers/disks, with some automation for failover in case of failureToday, TimescaleDB leverages PostgreSQL streaming replication for primary/replica clustering: There is a single primary node that accepts all writes, which then streams its data (more specifically, its Write Ahead Log) to one or more replicas. But ultimately, TimescaleDB using PostgreSQL streaming replication requires that each replica store a full copy of the dataset, and the architecture maxes out its ingest rate at the primary’s write rate and its query latency at a single node’s CPU/IOPS rate.While this architecture has worked well so far for our users, we can do even better.In computer science, the key to solving big problems is breaking them down into smaller pieces and then solving each of those sub-problems, preferably, in parallel. In TimescaleDB, chunking is the mechanism by which we break down a problem and scale PostgreSQL for time-series workloads. More specifically, TimescaleDB already automatically partitions a table across multiple chunks on the same instance, whether on the same or different disks. But managing lots of chunks (i.e., “sub-problems”) can also be a daunting task so we came up with the hypertable abstraction to make partitioned tables easy to use and manage. Now, in order to take the next step and scale to multiple nodes, we are adding the abstraction of a distributed hypertable. Fortunately, hypertables extend naturally to multiple nodes: instead of creating chunks on the same instance, we now place them across different instances.Still, distributed hypertables pose new challenges in terms of management and usability when operating at scale. To stay true to everything that makes hypertables great, we carefully designed our system around the following principles.Use existing abstractions: Hypertables and chunking extend naturally to multiple nodes. By building on these existing abstractions, together with existing PostgreSQL capabilities, we provide a robust and familiar foundation for scale-out clustering.
Be transparent: From a user’s perspective, interacting with distributed hypertables should be akin to working with regular hypertables, e.g., familiar environment, commands, functionality, metadata, and tables. Users need not be aware that they are interacting with a distributed system and should not need to take special actions when doing so (e.g., application-aware shard management).
Scale access and storage independently: Given that access and storage needs vary across workloads (and time), the system should be able to scale access and storage independently. One way of doing this is via two types of database nodes, one for external access (“access node”) and another for data storage (“data node”).
Be easy to operate: A single instance should be able to function as either an access node or data node (or even both at the same time), with sufficient metadata and discovery to allow each node to play its necessary role.
Be easy to expand: It should be easy to add new nodes to the system to increase capacity, including upgrading from a single-node deployment (in which a single instance should seamlessly become a data node in a multi-node deployment).
Provide flexibility in data placement: The design should account for data replication and enable the system to have significant flexibility in data placement. Such flexibility can support collocated JOIN optimizations, heterogeneous nodes, data tiering, AZ-aware placement, and so forth. An instance serving as an access node should also be able to act as a data node, as well as store non-distributed tables.
Support production deployments: The design should support high-availability deployments, where data is replicated across multiple servers and the system automatically detects and transparently recovers from any node failures. Now, let’s understand how our distributed architecture begins to follow these principles in practice.Following the above design principles, we built a multi-node database architecture that allows hypertables to distribute across many nodes to achieve greater scale and performance. Users interact with distributed hypertables in much the same way as they would with a regular hypertable (which itself looks just like a regular Postgres table). As a result, inserting data into or querying data from a distributed hypertable looks identical to doing that with a standard table. For instance, let’s consider a table with the following schema:CREATE TABLE measurements (
time TIMESTAMPTZ NOT NULL,
device_id TEXT NOT NULL,
temperature DOUBLE PRECISION NULL,
humidity DOUBLE PRECISION NULL
This table is turned into a distributed hypertable by partitioning on both the time and device_id columns:SELECT create_distributed_hypertable(‘measurements’, ‘time’, ‘device_id’);Following this command, all the normal table operations still work as expected: inserts, queries, schema modifications, etc. Users do not have to worry about tuple routing, chunk (partition) creation, load balancing, and failure recovery: the system handles all these concerns transparently. In fact, users can convert their existing hypertables into distributed hypertables by seamlessly incorporating their standalone TimescaleDB instance into a cluster. Now let’s look at the architecture that makes all of this possible.At a high-level, our distributed database architecture consists of access nodes, to which clients connect, and data nodes where data for the distributed hypertable resides. (While we are initially focused on supporting a single access node with optional read replicas, our architecture will extend to a logically distributed access node in the future.)Both types of nodes run the same TimescaleDB/PostgreSQL stack, although in different configurations. In particular, an access node needs metadata (e.g., catalog information) to track state across the database cluster, such as the nodes in the cluster and where data resides (stored as “chunks”), so that the access node can insert data on the nodes that have matching chunks and perform query planning to exclude chunks, and ultimately entire nodes, from a query. While the access node has lots of knowledge about the state of the distributed database, data nodes are “dumb”: they are essentially single node instances that can be added and removed using simple administrative functions on the access node.The main difference in creating distributed hypertables compared to regular hypertables, however, is that we recommend having a secondary “space” partitioning dimension. While not a strict requirement, the additional “space” dimension ensures that data is evenly spread across all the data nodes when a table experiences (roughly) time-ordered inserts.The advantage of a multi-dimensional distributed hypertable is illustrated in the figure above. With time-only partitioning, chunks for two time intervals (t1 and t2) are created on data nodes DN1 and DN2, in that order. While with multi-dimensional partitioning, chunks are created along the space dimension on different nodes for each time interval. Thus, inserts to t1 are distributed across multiple nodes instead of just one of them.Not really. While many of our goals are achieved by traditional (single dimensional) “database sharding” approaches (where the number of shards are proportional to the number of servers), distributed hypertables are designed for multi-dimensional chunking with a large number of chunks (from 100s to 10,000s), offering more flexibility in how chunks are distributed across a cluster. On the other hand, traditional shards are typically pre-created and tied from the start to individual servers. Thus, adding new servers to a sharded system is often a difficult and disruptive process that might require redistributing (and locking) large amounts of data. By contrast, TimescaleDB’s multi-dimensional chunking auto-creates chunks, keeps recent data chunks in memory, and provides time-oriented data lifecycle management (e.g., for data retention, reordering, or tiering policies).Increases aggregate disk IOPS by parallelizing operations across multiple nodes and disksElastically scales out to new data nodesChunks are automatically created and sized according to the current partitioning configuration. This can change over time: i.e., a new chunk can be sized or divided differently from a prior one, and both can coexist in the system. This allows a distributed hypertable to seamlessly expand to new data nodes, by writing recent chunks in a new partitioning configuration that covers additional nodes, without affecting existing data or requiring lengthy locking. Together with a retention policy that eventually drops old chunks, the cluster will rebalance over time, as shown in the figure below.This is a much less disruptive process than in a similar sharded system since read locks are held on smaller chunks of data at a time. One might think that chunking puts additional burden on applications and developers. However, applications in TimescaleDB do not interact directly with chunks (and thus do not need to be aware of this partition mapping themselves, unlike in some sharded systems), nor does the system expose different capabilities for chunks than the entire hypertable (e.g., in a number of other storage systems, one can execute transactions within shards but not across them). To illustrate that this is the case, let’s look at how distributed hypertables work internally.How it works: the life of a request (insert or query)Having learned about how to create distributed hypertables and the underlying architecture, let’s look into the “life of a request”, to better understand the interactions between the access node and data nodes.In the following example, we will continue to use the “measurements” table we introduced earlier. To insert data into this distributed hypertable, a single client connects to the access node and inserts a batch of values as normal. Using a batch of values is preferred over row-by-row inserts in order to achieve higher throughput. Such batching is a very common architectural idiom, e.g., when ingesting data into TimescaleDB from Kafka, Kinesis, IoT Hubs, or Telegraf.INSERT INTO measurements VALUES
(‘2019-07-01 00:00:00.00-05’, ‘A001’, 70.0, 50.0),
(‘2019-07-01 00:00:00.10-05’, ‘B015’, 68.5, 49.7),
(‘2019-07-01 00:00:00.05-05’, ‘D821’, 69.4, 49.9),
(‘2019-07-01 00:00:01.01-05’, ‘A001’, 70.1, 50.0);Since “measurements” is a distributed hypertable, the access node doesn’t insert these rows locally like it would with a regular hypertable. Instead, it uses its catalog information (metadata) to ultimately determine the set of data nodes where the data should be stored. In particular, for new rows to be inserted, it first uses the values of the partitioning columns (e.g., time and device_id) to map each row to a chunk, and then determines the set of rows that should be inserted into each chunk, as shown in the figure below.If an appropriate chunk does not yet exist for some of the rows, TimescaleDB will create new chunk(s) as part of the same insert transaction, and then assign each new chunk to at least one data node. The access node creates and assigns new chunks along the “space” dimension (device_id), if such a dimension exists. Thus, each data node is responsible for only a subset of devices, but all of them will take on writes for the same time intervals.After the access node has written to each data node, it then executes a two-phase commit of these mini-batches to the involved data nodes so that all data belonging to the original insert batch is inserted atomically within one transaction. This also ensures that all the mini-batches can be rolled back in case of a failure to insert on one of the data nodes (e.g., due to a data conflict or failed data node). The following shows the part of the SQL query that an individual data node receives, which is a subset of the rows in the original insert statement.INSERT INTO measurements VALUES
(‘2019-07-01 00:00:00.00-05’, ‘A001’, 70.0, 50.0),
(‘2019-07-01 00:00:01.01-05’, ‘A001’, 70.1, 50.0); One nice thing about how TimescaleDB carefully ties into the PostgreSQL query planner is that it properly exposes EXPLAIN information. You can EXPLAIN any request (such as the INSERT requests above) and get full planning information:EXPLAIN (costs off, verbose)
INSERT INTO measurements VALUES
(‘2019-07-01 00:00:00.00-05’, ‘A001’, 70.0, 50.0),
(‘2019-07-01 00:00:00.10-05’, ‘B015’, 68.5, 49.7),
(‘2019-07-01 00:00:00.05-05’, ‘D821’, 69.4, 49.9),
(‘2019-07-01 00:00:01.01-05’, ‘A001’, 70.1, 50.0);
QUERY PLAN
Custom Scan (HypertableInsert)
Insert on distributed hypertable public.measurements
Data nodes: data_node_1, data_node_2, data_node_3
-> Insert on public.measurements
-> Custom Scan (DataNodeDispatch)
Output: “*VALUES*”.column1, “*VALUES*”.column2, “*VALUES*”.column3, “*VALUES*”.column4
Batch size: 1000
Remote SQL: INSERT INTO public.measurements(“time”, device_id, temperature, humidity) VALUES ($1, $2, $3, $4), …, ($3997, $3998, $3999, $4000)
-> Custom Scan (ChunkDispatch)
Output: “*VALUES*”.column1, “*VALUES*”.column2, “*VALUES*”.column3, “*VALUES*”.column4
-> Values Scan on “*VALUES*”
Output: “*VALUES*”.column1, “*VALUES*”.column2, “*VALUES*”.column3, “*VALUES*”.column4
(12 rows)In PostgreSQL, plans like the above one are trees where every node produces a tuple (row of data) up the tree when the plan is executed. Essentially, a parent, which is sourced at the root, asks for new tuples until no more tuples can be produced. In this particular insert plan, tuples originate at the ValueScan leaf node, which generates a tuple from the original insert statement whenever the ChunkDispatch parent asks for one. Whenever ChunkDispatch reads a tuple from its child, it “routes” the tuple to a chunk, and creates a chunk on a data node if necessary. The tuple is then handed up the tree to DataNodeDispatch that buffers the tuple in a per-node buffer as given by the chunk routed to in the previous step (every chunk has one or more associated data nodes responsible for the chunk). DataNodeDispatch will buffer up to 1000 tuples per data node (configurable) until it flushes a buffer using the given remote SQL. The servers involved are shown in the EXPLAIN, although not all of them might ultimately receive data since the planner cannot know at plan time how tuples will be routed during execution.It should be noted that distributed hypertables also support COPY for further performance during inserts. Inserts using COPY do not execute a plan, like the one shown for INSERT above. Instead, a tuple is read directly from the client connection (in COPY mode) and then routed to the corresponding data node connection (also in COPY mode). Thus, tuples are streamed to data nodes with very little overhead. However, while COPY is suitable for bulk data loads, it does not support things like RETURNING clauses and thus has limitations that prohibit its use in all cases.Read queries on a distributed hypertable follow a similar path from access node to data nodes. A client makes a standard SQL request to an access node:SELECT time_bucket(‘1 minute’, time) as minute,
device_id, min(temp), max(temp), avg(temp)
FROM measurements
WHERE device_id IN (‘A001’, ‘B015’)
AND time > NOW() - interval ‘1 hour’
GROUP BY minute, device_id;Making this query performant on distributed hypertables relies on three tactics: Optimally distributing and pushing down work to data nodes, andExecuting in parallel across the data nodes TimescaleDB is designed to implement these tactics. However, given the length of this post so far, we’ll cover these topics in an upcoming article.Selected users and customers have already been testing distributed TimescaleDB in private beta, and we plan to make an initial version of it more widely available later this year. It will support most of the good properties described above (high write rates, query parallelism and predicate push down for lower latency), as well as some others that we will describe in future posts (elastically growing a cluster to scale storage and compute, and fault tolerance via physical replica sets).If you’d like to join the private beta, please fill out this form. You can also view the documentation here. And if the challenge of building a next-generation database infrastructure is of interest to you, we’re hiring worldwide and always looking for great engineers to join the team.Q: What about query performance benchmarks? What about high-availability, elasticity, and other operational topics?Given the length of this post so far, we opted to cover query performance benchmarks, how our distributed architecture optimizes queries, as well as operational topics, in future posts.Q: How will multi-node TimescaleDB be licensed?We’ll announce licensing when multi-node TimescaleDB is more publicly available.Q: Why didn’t you use [fill in the blank] scale-out PostgreSQL option?While there are existing options for scaling PostgreSQL to multiple nodes, we found that none of them provided the architecture and data model needed to enable scaling, performance, elasticity, data retention policies, etc, for time-series data. Put another way, we found that by treating time as a first-class citizen in a database architecture, one can enable much better performance and a vastly superior user experience. We find this true for single-node as well as for multi-node. In addition, there are many more capabilities we want to implement, and often these integrate closely into the code. If we didn’t write the code ourselves with these in mind, it would have been quite challenging, if not impossible.Q: How does this fit into the CAP Theorem?Any discussion of a distributed database architecture should touch on the CAP Theorem. As a quick reminder, CAP states that there’s an implicit tradeoff between strong Consistency (Linearizability) and Availability in distributed systems, where availability is informally defined as being able to immediately handle reads and writes as long as any servers are alive (regardless of the number of failures). The P states that the system is able to handle partitions, but this is a bit of a misnomer: You can design your system to ultimately provide Consistency or Availability, but you can’t ultimately control whether failures (partitions) happen. Even if you try really hard through aggressive network engineering to make failures rare, failures still occasionally happen, and any system must then be opinionated for C or A. And if you always want Availability, even if partitions are rare (so that the system can, in the normal case, provide stronger consistency), then applications must still suffer the complexity of handling inconsistent data for the uncommon case.The summary: TimescaleDB doesn’t overcome the CAP Theorem. We do talk about how TimescaleDB achieves “high availability”, using the term as commonly used in the database industry to mean replicated instances that perform prompt and automated recovery from failure. This is different than formal “Big A” Availability from the CAP Theorem, and TimescaleDB today sacrifices Availability for Consistency under failure conditions.Time-series workloads introduce an interesting twist to this discussion, however. We’ve talked about how their write workloads are different (inserts to recent time ranges, not random updates), and how this pattern leads to different possibilities for elasticity (and reduced write amplification). But we also see a common idiom across architectures integrating TimescaleDB, whereby the write and read data paths are performed by different applications. We rarely see read-write transactions (aside from upserts). While queries help drive dashboards, reporting/alerting, or other real-time analytics, data points are often ingested from systems like Kafka, NATS, MQTT brokers, IoT Hubs, or other eventing/logging systems. These upstream systems are typically built around buffering, which greatly ameliorate availability issues if the system temporarily blocks writes (which any “C” system must do): these upstream systems will just buffer and retry upon automated recovery.So in short, technically TimescaleDB is a CP system that sacrifices A under failure conditions. But in practice we find that, because of upstream buffers, this generally is much less an issue.
Why SQL is beating NoSQL, and what this means for the future of data
Match the flexibility and scale of your application with a stack that works for you.
...
Read the original on blog.timescale.com »
People are excited about running WebAssembly outside the browser.
That excitement isn’t just about WebAssembly running in its own standalone runtime. People are also excited about running WebAssembly from languages like Python, Ruby, and Rust.
Why would you want to do that? A few reasons:
* Make “native” modules less complicated
Runtimes like Node or Python’s CPython often allow you to write modules in low-level languages like C++, too. That’s because these low-level languages are often much faster. So you can use native modules in Node, or extension modules in Python. But these modules are often hard to use because they need to be compiled on the user’s device. With a WebAssembly “native” module, you can get most of the speed without the complication.
* Make it easier to sandbox native code
On the other hand, low-level languages like Rust wouldn’t use WebAssembly for speed. But they could use it for security. As we talked about in the WASI announcement, WebAssembly gives you lightweight sandboxing by default. So a language like Rust could use WebAssembly to sandbox native code modules.
* Share native code across platforms
Developers can save time and reduce maintainance costs if they can share the same codebase across different platforms (e.g. between the web and a desktop app). This is true for both scripting and low-level languages. And WebAssembly gives you a way to do that without making things slower on these platforms.
So WebAssembly could really help other languages with important problems.
But with today’s WebAssembly, you wouldn’t want to use it in this way. You can run WebAssembly in all of these places, but that’s not enough.
Right now, WebAssembly only talks in numbers. This means the two languages can call each other’s functions.
But if a function takes or returns anything besides numbers, things get complicated. You can either:
* Ship one module that has a really hard-to-use API that only speaks in numbers… making life hard for the module’s user.
* Add glue code for every single environment you want this module to run in… making life hard for the module’s developer.
But this doesn’t have to be the case.
It should be possible to ship a single WebAssembly module and have it run anywhere… without making life hard for either the module’s user or developer.
So the same WebAssembly module could use rich APIs, using complex types, to talk to:
* Modules running in their own native runtime (e.g. Python modules running in a Python runtime)
* Other WebAssembly modules written in different source languages (e.g. a Rust module and a Go module running together in the browser)
* The host system itself (e.g. a WASI module providing the system interface to an operating system or the browser’s APIs)
And with a new, early-stage proposal, we’re seeing how we can make this Just Work™, as you can see in this demo.
So let’s take a look at how this will work. But first, let’s look at where we are today and the problems that we’re trying to solve.
WebAssembly isn’t limited to the web. But up to now, most of WebAssembly’s development has focused on the Web.
That’s because you can make better designs when you focus on solving concrete use cases. The language was definitely going to have to run on the Web, so that was a good use case to start with.
This gave the MVP a nicely contained scope. WebAssembly only needed to be able to talk to one language—JavaScript.
And this was relatively easy to do. In the browser, WebAssembly and JS both run in the same engine, so that engine can help them efficiently talk to each other.
But there is one problem when JS and WebAssembly try to talk to each other… they use different types.
Currently, WebAssembly can only talk in numbers. JavaScript has numbers, but also quite a few more types.
And even the numbers aren’t the same. WebAssembly has 4 different kinds of numbers: int32, int64, float32, and float64. JavaScript currently only has Number (though it will soon have another number type, BigInt).
The difference isn’t just in the names for these types. The values are also stored differently in memory.
First off, in JavaScript any value, no matter the type, is put in something called a box (and I explained boxing more in another article).
WebAssembly, in contrast, has static types for its numbers. Because of this, it doesn’t need (or understand) JS boxes.
This difference makes it hard to communicate with each other.
But if you want to convert a value from one number type to the other, there are pretty straightforward rules.
Because it’s so simple, it’s easy to write down. And you can find this written down in WebAssembly’s JS API spec.
This mapping is hardcoded in the engines.
It’s kind of like the engine has a reference book. Whenever the engine has to pass parameters or return values between JS and WebAssembly, it pulls this reference book off the shelf to see how to convert these values.
Having such a limited set of types (just numbers) made this mapping pretty easy. That was great for an MVP. It limited how many tough design decisions needed to be made.
But it made things more complicated for the developers using WebAssembly. To pass strings between JS and WebAssembly, you had to find a way to turn the strings into an array of numbers, and then turn an array of numbers back into a string. I explained this in a previous post.
This isn’t difficult, but it is tedious. So tools were built to abstract this away.
For example, tools like Rust’s wasm-bindgen and Emscripten’s Embind automatically wrap the WebAssembly module with JS glue code that does this translation from strings to numbers.
And these tools can do these kinds of transformations for other high-level types, too, such as complex objects with properties.
This works, but there are some pretty obvious use cases where it doesn’t work very well.
For example, sometimes you just want to pass a string through WebAssembly. You want a JavaScript function to pass a string to a WebAssembly function, and then have WebAssembly pass it to another JavaScript function.
Here’s what needs to happen for that to work:
the first JavaScript function passes the string to the JS glue code
the JS glue code turns that string object into numbers and then puts those numbers into linear memory
then passes a number (a pointer to the start of the string) to WebAssembly
the WebAssembly function passes that number over to the JS glue code on the other side
the second JavaScript function pulls all of those numbers out of linear memory and then decodes them back into a string object
which it gives to the second JS function
So the JS glue code on one side is just reversing the work it did on the other side. That’s a lot of work to recreate what’s basically the same object.
If the string could just pass straight through WebAssembly without any transformations, that would be way easier.
WebAssembly wouldn’t be able to do anything with this string—it doesn’t understand that type. We wouldn’t be solving that problem.
But it could just pass the string object back and forth between the two JS functions, since they do understand the type.
So this is one of the reasons for the WebAssembly reference types proposal. That proposal adds a new basic WebAssembly type called anyref.
With an anyref, JavaScript just gives WebAssembly a reference object (basically a pointer that doesn’t disclose the memory address). This reference points to the object on the JS heap. Then WebAssembly can pass it to other JS functions, which know exactly how to use it.
So that solves one of the most annoying interoperability problems with JavaScript. But that’s not the only interoperability problem to solve in the browser.
There’s another, much larger, set of types in the browser. WebAssembly needs to be able to interoperate with these types if we’re going to have good performance.
JS is only one part of the browser. The browser also has a lot of other functions, called Web APIs, that you can use.
Behind the scenes, these Web API functions are usually written in C++ or Rust. And they have their own way of storing objects in memory.
Web APIs’ parameters and return values can be lots of different types. It would be hard to manually create mappings for each of these types. So to simplify things, there’s a standard way to talk about the structure of these types—Web IDL.
When you’re using these functions, you’re usually using them from JavaScript. This means you are passing in values that use JS types. How does a JS type get converted to a Web IDL type?
Just as there is a mapping from WebAssembly types to JavaScript types, there is a mapping from JavaScript types to Web IDL types.
So it’s like the engine has another reference book, showing how to get from JS to Web IDL. And this mapping is also hardcoded in the engine.
For many types, this mapping between JavaScript and Web IDL is pretty straightforward. For example, types like DOMString and JS’s String are compatible and can be mapped directly to each other.
Now, what happens when you’re trying to call a Web API from WebAssembly? Here’s where we get to the problem.
Currently, there is no mapping between WebAssembly types and Web IDL types. This means that, even for simple types like numbers, your call has to go through JavaScript.
WebAssembly passes the value to JS.
In the process, the engine converts this value into a JavaScript type, and puts it in the JS heap in memory
Then, that JS value is passed to the Web API function. In the process, the engine converts the JS value into a Web IDL type, and puts it in a different part of memory, the renderer’s heap.
This takes more work than it needs to, and also uses up more memory.
There’s an obvious solution to this—create a mapping from WebAssembly directly to Web IDL. But that’s not as straightforward as it might seem.
For simple Web IDL types like boolean and unsigned long (which is a number), there are clear mappings from WebAssembly to Web IDL.
But for the most part, Web API parameters are more complex types. For example, an API might take a dictionary, which is basically an object with properties, or a sequence, which is like an array.
To have a straightforward mapping between WebAssembly types and Web IDL types, we’d need to add some higher-level types. And we are doing that—with the GC proposal. With that, WebAssembly modules will be able to create GC objects—things like structs and arrays—that could be mapped to complicated Web IDL types.
But if the only way to interoperate with Web APIs is through GC objects, that makes life harder for languages like C++ and Rust that wouldn’t use GC objects otherwise. Whenever the code interacts with a Web API, it would have to create a new GC object and copy values from its linear memory into that object.
That’s only slightly better than what we have today with JS glue code.
We don’t want JS glue code to have to build up GC objects—that’s a waste of time and space. And we don’t want the WebAssembly module to do that either, for the same reasons.
We want it to be just as easy for languages that use linear memory (like Rust and C++) to call Web APIs as it is for languages that use the engine’s built-in GC. So we need a way to create a mapping between objects in linear memory and Web IDL types, too.
There’s a problem here, though. Each of these languages represents things in linear memory in different ways. And we can’t just pick one language’s representation. That would make all the other languages less efficient.
But even though the exact layout in memory for these things is often different, there are some abstract concepts that they usually share in common.
For example, for strings the language often has a pointer to the start of the string in memory, and the length of the string. And even if the string has a more complicated internal representation, it usually needs to convert strings into this format when calling external APIs anyways.
This means we can reduce this string down to a type that WebAssembly understands… two i32s.
We could hardcode a mapping like this in the engine. So the engine would have yet another reference book, this time for WebAssembly to Web IDL mappings.
But there’s a problem here. WebAssembly is a type-checked language. To keep things secure, the engine has to check that the calling code passes in types that match what the callee asks for.
This is because there are ways for attackers to exploit type mismatches and make the engine do things it’s not supposed to do.
If you’re calling something that takes a string, but you try to pass the function an integer, the engine will yell at you. And it should yell at you.
So we need a way for the module to explicitly tell the engine something like: “I know Document.createElement() takes a string. But when I call it, I’m going to pass you two integers. Use these to create a DOMString from data in my linear memory. Use the first integer as the starting address of the string and the second as the length.”
This is what the Web IDL proposal does. It gives a WebAssembly module a way to map between the types that it uses and Web IDL’s types.
These mappings aren’t hardcoded in the engine. Instead, a module comes with its own little booklet of mappings.
So this gives the engine a way to say “For this function, do the type checking as if these two integers are a string.”
The fact that this booklet comes with the module is useful for another reason, though.
Sometimes a module that would usually store its strings in linear memory will want to use an anyref or a GC type in a particular case… for example, if the module is just passing an object that it got from a JS function, like a DOM node, to a Web API.
So modules need to be able to choose on a function-by-function (or even even argument-by-argument) basis how different types should be handled. And since the mapping is provided by the module, it can be custom-tailored for that module.
How do you generate this booklet?
The compiler takes care of this information for you. It adds a custom section to the WebAssembly module. So for many language toolchains, the programmer doesn’t have to do much work.
For example, let’s look at how the Rust toolchain handles this for one of the simplest cases: passing a string into the alert function.
#[wasm_bindgen]
...
Read the original on hacks.mozilla.org »
from The Overworked American: The Unexpected Decline of Leisure, by Juliet B. Schor
See also: Productivity and the Workweek
and: Eight centuries of annual hours
The labouring man will take his rest long in the morning; a good piece of the day is spent afore he come at his work; then he must have his breakfast, though he have not earned it at his accustomed hour, or else there is grudging and murmuring; when the clock smiteth, he will cast down his burden in the midway, and whatsoever he is in hand with, he will leave it as it is, though many times it is marred afore he come again; he may not lose his meat, what danger soever the work is in. At noon he must have his sleeping time, then his bever in the afternoon, which spendeth a great part of the day; and when his hour cometh at night, at the first stroke of the clock he casteth down his tools, leaveth his work, in what need or case soever the work standeth.
-James Pilkington, Bishop of
Durham, ca. 1570
One of capitalism’s most durable myths is that it has reduced human toil. This myth is typically defended by a comparison of the modern forty-hour week with its seventy- or eighty-hour counterpart in the nineteenth century. The implicit — but rarely articulated — assumption is that the eighty-hour standard has prevailed for centuries. The comparison conjures up the dreary life of medieval peasants, toiling steadily from dawn to dusk. We are asked to imagine the journeyman artisan in a cold, damp garret, rising even before the sun, laboring by candlelight late into the night.
These images are backward projections of modern work patterns. And they are false. Before capitalism, most people did not work very long hours at all. The tempo of life was slow, even leisurely; the pace of work relaxed. Our ancestors may not have been rich, but they had an abundance of leisure. When capitalism raised their incomes, it also took away their time. Indeed, there is good reason to believe that working hours in the mid-nineteenth century constitute the most prodigious work effort in the entire history of humankind.
Therefore, we must take a longer view and look back not just one hundred years, but three or four, even six or seven hundred. Consider a typical working day in the medieval period. It stretched from dawn to dusk (sixteen hours in summer and eight in winter), but, as the Bishop Pilkington has noted, work was intermittent - called to a halt for breakfast, lunch, the customary afternoon nap, and dinner. Depending on time and place, there were also midmorning and midafternoon refreshment breaks. These rest periods were the traditional rights of laborers, which they enjoyed even during peak harvest times. During slack periods, which accounted for a large part of the year, adherence to regular working hours was not usual. According to Oxford Professor James E. Thorold Rogers[1], the medieval workday was not more than eight hours. The worker participating in the eight-hour movements of the late nineteenth century was “simply striving to recover what his ancestor worked by four or five centuries ago.”
An important piece of evidence on the working day is that it was very unusual for servile laborers to be required to work a whole day for a lord. One day’s work was considered half a day, and if a serf worked an entire day, this was counted as two “days-works.“[2] Detailed accounts of artisans’ workdays are available. Knoop and jones’ figures for the fourteenth century work out to a yearly average of 9 hours (exclusive of meals and breaktimes)[3]. Brown, Colwin and Taylor’s figures for masons suggest an average workday of 8.6 hours[4].
The contrast between capitalist and precapitalist work patterns is most striking in respect to the working year. The medieval calendar was filled with holidays. Official — that is, church — holidays included not only long “vacations” at Christmas, Easter, and midsummer but also numerous saints’ andrest days. These were spent both in sober churchgoing and in feasting, drinking and merrymaking. In addition to official celebrations, there were often weeks’ worth of ales — to mark important life events (bride ales or wake ales) as well as less momentous occasions (scot ale, lamb ale, and hock ale). All told, holiday leisure time in medieval England took up probably about one-third of the year. And the English were apparently working harder than their neighbors. The ancien règime in France is reported to have guaranteed fifty-two Sundays, ninety rest days, and thirty-eight holidays. In Spain, travelers noted that holidays totaled five months per year.[5]
The peasant’s free time extended beyond officially sanctioned holidays. There is considerable evidence of what economists call the backward-bending supply curve of labor — the idea that when wages rise, workers supply less labor. During one period of unusually high wages (the late fourteenth century), many laborers refused to work “by the year or the half year or by any of the usual terms but only by the day.” And they worked only as many days as were necessary to earn their customary income — which in this case amounted to about 120 days a year, for a probable total of only 1,440 hours annually (this estimate assumes a 12-hour day because the days worked were probably during spring, summer and fall). A thirteenth-century estime finds that whole peasant families did not put in more than 150 days per year on their land. Manorial records from fourteenth-century England indicate an extremely short working year — 175 days — for servile laborers. Later evidence for farmer-miners, a group with control over their worktime, indicates they worked only 180 days a year.
[1] James E. Thorold Rogers, Six Centuries of Work and Wages (London: Allen and Unwin, 1949), 542-43.
[3] Douglas Knoop and G. P. Jones, The Medieval Mason (New York: Barnes and Noble, 1967), 105.
[4] R. Allen Brown, H.M. Colvin, and A.J. Taylor, The History of the King’s Works, vol. I, the Middle Ages (London: Her Majesty’s Stationary Office, 1963).
[5] Edith Rodgers, Discussion of Holidays in the Later Middle Ages (New York: Columbia University Press, 1940), 10-11. See also C.R. Cheney, “Rules for the observance of feast-days in medieval England”, Bulletin of the Institute of Historical Research 34, 90, 117-29 (1961).
- Adult male peasant, U.K.: hours
Calculated from Gregory Clark’s estimate of 150 days per family, assumes 12 hours per day, 135 days per year for adult male (“Impatience, Poverty, and Open Field Agriculture”, mimeo, 1986)
- Casual laborer, U.K.: hours
Calculated from Nora Ritchie’s estimate of 120 days per year. Assumes 12-hour day. (“Labour conditions in Essex in the reign of Richard II”, in E.M. Carus-Wilson, ed., Essays in Economic History, vol. II, London: Edward Arnold, 1962).
- English worker: hours
Juliet Schor’s estime of average medieval laborer working two-thirds of the year at 9.5 hours per day
- Farmer-miner, adult male, U.K.: hours
Calculated from Ian Blanchard’s estimate of 180 days per year. Assumes 11-hour day (“Labour productivity and work psychology in the English mining industry, 1400-1600”, Economic History Review 31, 23 (1978).
- Average worker, U.K.: hours
Based on 69-hour week; hours from W.S. Woytinsky, “Hours of labor,” in Encyclopedia of the Social Sciences, vol. III (New York: Macmillan, 1935). Low estimate assumes 45 week year, high one assumes 52 week year
- Average worker, U.S.: hours
Based on 70-hour week; hours from Joseph Zeisel, “The workweek in American industry, 1850-1956”, Monthly Labor Review 81, 23-29 (1958). Low estimate assumes 45 week year, high one assumes 52 week year
- Average worker, U.S.: hours
From The Overworked American: The Unexpected Decline of Leisure, by Juliet B. Schor, Table 2.4
- Manufacturing workers, U.K.: hours
Calculated from Bureau of Labor Statistics data, Office of Productivity and Technology
...
Read the original on groups.csail.mit.edu »
When WeWork, the coworking space now known as The We Company, released its S-1 filing to go public, it spurred numerous concerns about the company’s large valuation ($47 billion at last count). It also renewed questions about WeWork’s claims of being a tech company: What makes a modern tech company? Does WeWork meet those qualifications? The authors argue that WeWork does not meet any of the five qualifications that enable a modern tech company to achieve exponential growth as well as winner-take-all profits. Analysts should be wary of thinking every startup, however disruptive, is a tech company or is worthy of a tech valuation, because the “tech” label isn’t what determines shareholder value. What does are profits, return on investments, and dividend-paying potential.
When WeWork, the coworking space now known as The We Company, released its S-1 filing to go public, it spurred numerous concerns about the company’s large valuation ($47 billion at last count). It also renewed questions about WeWork’s claims of being a tech company: What makes a modern tech company? Does WeWork meet those qualifications? The authors argue that WeWork does not meet any of the five qualifications that enable a modern tech company to achieve exponential growth as well as winner-take-all profits. Analysts should be wary of thinking every startup, however disruptive, is a tech company or is worthy of a tech valuation, because the “tech” label isn’t what determines shareholder value. What does are profits, return on investments, and dividend-paying potential.
Last week, WeWork, the coworking space now known as The We Company, released its S-1 filing to go public. That spurred numerous concerns about the company’s large valuation ($47 billion at last count), given its hefty losses ($1.6 billion on revenues of $1.8 billion) and despite its rapid growth (86% year-over-year revenue growth). It also renewed questions about WeWork’s claims of being a tech company (the word “technology” appears 110 times in its prospectus) and about whether it’s worth a tech-type high valuation. Pundits have long argued that it is not a tech company, but a modern-day real estate company — purchasing long-term leases from landlords and renting them out as short-term leases to tenants. Many have also argued that WeWork does not deserve the large EBITDA-based (earnings before interest, depreciation, and taxes) valuation multiple that is often ascribed to tech companies.
These concerns raise questions like: What makes a modern tech company? Why do these companies achieve such lofty valuations? Does WeWork meet those qualifications? And are the concerns over WeWork’s valuation warranted? Here’s what, in our view, a modern tech company is — and why WeWork isn’t one.
In our opinion, a successful modern tech company can transform whole industries, achieve expansion of scale and scope at breakneck speeds, and make enormous profits, without requiring significant capital investments. It typically has most, if not all, of these five features:
Low variable costs. Google, Airbnb, Yelp, Uber, Twitter, and Facebook have scalable virtual models that can be exponentially magnified overnight with little additional costs. So, an additional dollar of revenues comes without commensurate expenses. How much does it cost to make another copy of Windows 10 or service another Google or Facebook customer? Relatively little. Facebook’s gross margins, for instance, run as high as 80%–85%.
This concept does not even remotely apply to WeWork. It is an office rental company, offering free internet, beer, snacks, coffee, and working space to paying members. Even if it becomes the largest and most successful player in its business, it will have significant operating expenses and, therefore, wafer-thin profit margins. (Think about it: Rent, utilities, maintenance, insurance, security, refreshments — these all cost money!)
Low capital investments. Even though a modern tech company may invest in server farms, it will still often remain asset light because of its low requirements for land, buildings, factories, and warehouses. For example, Facebook has just $25 billion of physical assets and a $525 billion valuation.
While WeWork rents real estate, it must develop and furnish it to the highest-quality levels to distinguish itself from other office providers. And rented premises are now considered to be capital assets. These facts imply two things. First, WeWork has much higher capital requirements than a typical tech company for the same revenues. So, WeWork would never be able to grow nonlinearly based on its internally generated cash. It would keep approaching capital markets and lenders to fund its ambitious growth plans. More important, the company’s ability to generate free cash flows (the amount left after subtracting capital investment from its profits) is questionable. Contrast this with Facebook, whose revenue growth generates huge profits. And given its low reinvestment requirements to sustain growth, most of those profits are free cash flows, which are potentially payable to investors as dividends.
Second, expenses related to depreciation and wear-and-tear of assets would be a much higher expense for WeWork than for an asset-light tech company. That wear and tear would require commensurate funds for replacement. After all, customers attracted to trendy offices expect that fused neon lights, worn-out carpets, and broken chairs and printers will be regularly replaced. As Warren Buffett says, the tooth fairy doesn’t pay for those replacement expenses. Hence, while an above-the-line performance metric, such as EBITDA, might work in the valuation of an asset-light tech company, it is a meaningless concept for WeWork. Other metrics proposed by WeWork, such as community-adjusted EBITDA, which ignore even the most basic costs for providing services, such as lease rentals, are even more ridiculous.
A lot of customer data and customer intimacy. Modern tech companies — think Uber, Amazon, Apple, Google, Yelp, Tesla, and Facebook — collect, store, organize, and analyze years of user data. This data is not only virtual gold for those companies, as it enables targeted ads and the sale of tailor-made products; it also increases users’ switching costs as people use the service and get customized solutions in return. It is unclear whether WeWork would collect this kind of data and how it would use that data to develop customer-intimate solutions. Too much monitoring and intrusion in an office location could violate privacy laws.
Network effects. For most modern tech companies, the bigger the network, the more valuable the company, but on an exponential scale. Each new customer joining Facebook, even if remotely located, creates value for an existing customer, because it extends the existing customer’s network potential. Any new customer joining Uber or Amazon improves the value proposition for an existing user by improving the feedback quality, logistics optimization, and number of suppliers addressing the market. But it’s hard to see how someone joining WeWork in, say, Indonesia creates value for an existing member in Texas. The member doesn’t need WeWork’s network to collaborate globally, because there are bigger and better platforms (such as LinkedIn) to serve that purpose.
Ecosystems that boost expansion with little cost. A modern tech company leverages its relationships with customers, and what it knows about their tastes and preferences, to deliver more services. This is achieved at little cost by leveraging ecosystem partners’ assets. Consider Apple’s use of the iPhone and Amazon’s use of Echo devices to cross-sell apps, music, video, and payment services. The companies that control these platforms take a cut from each dollar flowing through the system. WeWork might be able to enter other real estate areas, such as apartments or schools, but that will require making massive investments and addressing new customers. Contrast that with Uber, which can extend its offerings to Uber Eats with minimal investments.
In sum, WeWork does not meet any of the qualifications that enable a modern tech company to achieve exponential growth as well as winner-take-all profits. In contrast, even asset- and inventory-heavy companies like Amazon, Tesla, and Apple meet three of the five criteria.
WeWork seems to be a disruptive real estate company, with the goal of changing “how people work, live, and grow.” Some may be impressed by WeWork’s tremendous growth. But this growth has required and will continue to require massive costs and investments. More important, this growth will not exponentially grow profits as it might for a digital firm, for which any revenue growth after breaking even adds to profits and dividend-paying potential.
But we do think that some of the other criticisms being laid against the company and its valuation are addressable. And doing so requires adjusting the price investors are willing to pay for WeWork shares.
Concern about asset-liability duration mismatch. WeWork obtains real estate using long-term contracts (which have a long duration of liability) and rents properties through short-term contracts (which have short duration of revenue-generating assets). This feature is typical of many real estate–based businesses, such as hotels. Duration mismatch is a double-edged sword. It can produce large profits in good times, because the firms will have fixed their leasing costs a long time ago and can now command higher membership fees. But it could drag WeWork into bankruptcy in bad times, because its fixed liabilities, which currently stand at $34 billion, would remain payable, come rain or shine. Investors can assign an appropriate discount to valuation to adjust for higher risks.
Concern about public offering of shares that carry lower voting rights than promoters’ shares. Offering multiple classes of shares is a common feature of many modern public corporations. To ease concern over purchasing shares that don’t have voting rights, shareholders can assign an appropriate discount in exchange for voting rights, as they do with Facebook, Alphabet, and Spotify.
Concern about insider dealings, such as promoters being renters of the company’s real estate. While we oppose any manager-owned vendors becoming preferred suppliers to a public corporation, WeWork has disclosed its insider dealings. Investors can therefore assign a suitable discount for potential value loss due to insider dealings.
In summary, we are reluctant to put WeWork in the same category of tech companies as Apple, Microsoft, Facebook, and Alphabet. It doesn’t have the features that make those companies cash-generating machines, so it doesn’t warrant a tech-type valuation. We hope that analysts and managers will use the more holistic framework given here to determine what is truly a tech company. Analysts should be wary of thinking every startup, however disruptive, is a tech company or is worthy of a tech valuation, because the “tech” label isn’t what determines shareholder value. What does are profits, return on investments, and dividend-paying potential.
...
Read the original on hbr.org »
To add this web app to your iOS home screen tap the share button and select "Add to the Home Screen".
10HN is also available as an iOS App
If you visit 10HN only rarely, check out the the best articles from the past week.
If you like 10HN please leave feedback and share
Visit pancik.com for more.