My Best Teaching Is One-on-One

One-on-one is where I am at my best

Of course, I team teach and do special lessons, etc.

Naturally, I teach joint lessons with the other teachers and lead special lessons as well.

But my best work in the classroom is after the lesson is over --
going one-on-one,
helping individual students with their assignments.

But the work I consider most meaningful comes after the lecture is over:
going one-on-one
and personally supporting each student's study of the assignment.

It's kind of like with computer programs, walking the client through hands-on.
The job isn't really done until the customer is using the program.

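Well, in terms of computer programs, I think it is like having the client try out the finished product.
In the same way, a product that is of no use has not yet become a product.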

Monday, April 27, 2009

sub addresses to help manage junk e-mail

RFC 5233 came up in a thread at /. today.

Came up in another thread just a few days ago, but I can't seem to find it right now. I'd link to that thread if I could, because it was the thread that made me aware of the RFC. Oh, well.

Anyway, I posted this in today's thread, and I don't want to lose track of it, because I want to start setting my filters up this way.

It won't be perfect, but it will surely help find false positives among the junk e-mail.

This looks a bit complex, but you don't have to do it all at once.

Until the Internet has a bit better standards for e-mail, and until the ISPs quit being miserly with domain names, RFC 5233 addresses can help a lot, if used wisely.

RFC 5233 describes a way to implement sub addresses for your primary e-mail addresses. Simply put, you hang a "+" on your basic address, and then you tag some string on it after that.

Let's start with an example basic address:

user@isp.example

(Think of exampleisp.com or exampleisp.org or exampleisp.jp or some such, but the example top level domain is reserved for, hey! examples, where the example 2nd level domains are not.)

A sub address could look like this:

user+subaddress@isp.example (or, something like user+subaddress@exampleisp.com)

Another kind of sub address could look like this:

user#boxnumber@isp.example

If your mail provider supports these, they allow you to make the sub-addresses up as you want, and route your mail to you via the base part. That lets you filter the "to" address by the sub-address.

Okay. Now you know what they are. What else should you know about them? Many ISPs do not yet implement them, which may be a problem. Google mail does, which helps a lot.

Obviously, if the spammers can steal your user@isp.example address, they can steal your user+subaddress@isp.example address as well. How does this help?

How do you use these RFC 5233 addresses wisely?

First, assume that your base address will soon be harvested, if it isn't already. Thus, your base address of user@isp.example is essentially an alias for user+spam@isp.example . Pre-filter it that way.

Second, set up a suffix for bulk purposes, such as user+bulknnnnn@isp.example . "bulk" is okay, but you might prefer something a little more original to yourself, like "klub" (mix it up), or "hanbai" (Japanese for "sales"). The serial number could also come before, nnnnnbulk, or in the middle, like bunnnnnlk, and you might want to use pseudo-random serial numbers instead of just cycling through from bu00000lk to bu99999lk.

Hmm. bu23645lk would be harder to filter than bulk23645 with the simple non-RE filters that are most common. Okay, for this, let's stick with the sequence number after the tag.

Now you can give "bulk" sub-addresses out when you sign up for stuff on-line, instead of your "important" addresses. Write the made-up address down. Then, when you open up your MUA (your mail browser), you can set up a filter to grab mail sent to that address and route it to a folder for that kind of mail. From the first few mails you get from them, you find out what sender domains to expect.

If you start getting unrequested advertisements at that address, you can contact them and tell them they're somehow leaking their users' addresses, or you can change your filter to dump all mail to that address in Round File Q. Or you can add the sender address to the filter so that only legitimate senders for that address go to that folder. And then you can add another filter that dumps any mail to that address that comes from any other sender to the SPAM dump for consideration when you have the time, and/or for automatic deletion.

You can set up similar sub-address suffixes for mail lists. For example, user+listnnnnn@isp.example or user+listname@isp.example .

Then you can do the same thing for friends, family, church, school, clubs, etc. Maybe have filters for user+churchnnnnn@isp.example, user+schoolnnnnn@isp.example, and so on. For family and friends, maybe something like user+frankl@isp.example for Frank Lemmon.

(You might expect spammers to try things like automatically cycling through user+joe, user+mary, user+john, etc., so you may want a little more than that. Or, you might adjust the address for joe, mary, and john when the spammers start doing that.)

And if Suzanne Roberts's computer suddenly gets infected with something, and you start getting spam for user+suzier@isp.example, you write her and urge her (yet again) to switch from MSWindowsX 10.77 to Ubuntu 12 or Fedora 15 or openbsd 6 or whatever. Tell her you'll send her a new address once she has either re-installed MSWindows with service pack 109 or whatever the latest is, or moved to a reasonable OS. And warn her that, until she does, you might lose mail from her in the deluge.

Okay, while she is recovering from that, you have set up additional filters on the sender address, so that the spammers have to at least spoof her address as the sender to get into her folder, and that might actually be enough, but at least she'll have a little of the fear of nature in her, and maybe she'll start being sensible and start looking at alternatives to MSLeviathan.

In case you're curious, this is what private white listing works like. It can be controlled, because you have an idea who and where mail should be coming from, by the receiver address it is sent to. Two or three sets of filters for each address or set of addresses, one that white-lists known senders, one that diverts unknown senders to a "probably-junk" folder, and maybe one that (temporarily or permanently) black-holes known offender senders who have latched onto that group of suffixes.
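The three filter sets described above, sketched as an added example (not the author's actual filters). It assumes the provider splits the local part on "+"; the rule table, folder names, tags and sender addresses are all constructed for illustration.

```python
"""Per-recipient white-listing on sub-addresses (constructed data throughout)."""
import secrets
from collections import defaultdict
from email.utils import parseaddr

DOMAIN = "isp.example"   # the page's example domain
BASE_USER = "user"       # the page's example base address
SEPARATOR = "+"          # assumption: the provider splits the local part on "+"

# Constructed rule table, one entry per sub-address that was handed out.
# "allow" and "deny" hold full sender addresses or bare sender domains.
RULES = {
    "bulk23645": {"folder": "Shopping", "allow": {"shop.example"}, "deny": set()},
    "list00412": {"folder": "Lists", "allow": {"lists.example"},
                  "deny": {"offender.example"}},
    "suzier": {"folder": "Friends", "allow": {"suzanne@friends.example"},
               "deny": set()},
}

# Constructed sample traffic: (To header, From header).
SAMPLE = [
    ("user+bulk23645@isp.example", "Shop News <news@shop.example>"),
    ("user+bulk23645@isp.example", "deals@unknown-ads.example"),
    ("user+list00412@isp.example", "x@offender.example"),
    ("user@isp.example", "anyone@elsewhere.example"),
    ("user+joe@isp.example", "guess@elsewhere.example"),
    ("User+SuzieR@isp.example", "Suzanne <suzanne@friends.example>"),
]


def new_tag(prefix, digits=5):
    """Make a tag like bulk23645 with a pseudo-random serial number."""
    return f"{prefix}{secrets.randbelow(10 ** digits):0{digits}d}"


def split_recipient(to_header):
    """Return (user, detail), detail being None when there is no separator.
    Returns None when the address is not in DOMAIN."""
    addr = parseaddr(to_header)[1].lower()
    local, _, domain = addr.rpartition("@")
    if domain != DOMAIN:
        return None
    user, sep, detail = local.partition(SEPARATOR)
    return user, (detail if sep else None)


def sender_domain(from_header):
    return parseaddr(from_header)[1].lower().rpartition("@")[2]


def classify(to_header, from_header):
    """Decide the destination folder for one message."""
    parsed = split_recipient(to_header)
    if parsed is None or parsed[0] != BASE_USER:
        return "probably-junk"
    detail = parsed[1]
    if detail is None or detail == "spam":
        return "spam"            # the bare base address is treated as user+spam
    rule = RULES.get(detail)
    if rule is None:
        return "probably-junk"   # guessed tags such as user+joe land here
    keys = {parseaddr(from_header)[1].lower(), sender_domain(from_header)}
    if keys & rule["deny"]:
        return "discard"         # black-holed known offenders
    if keys & rule["allow"]:
        return rule["folder"]    # white-listed sender for this tag
    return "probably-junk"       # right tag, unexpected sender


def leaked_tags(messages):
    """Map each handed-out tag to the unexpected sender domains using it,
    which points at the party that leaked that address."""
    leaks = defaultdict(set)
    for to_header, from_header in messages:
        parsed = split_recipient(to_header)
        if parsed is None or parsed[0] != BASE_USER or parsed[1] not in RULES:
            continue
        if classify(to_header, from_header) != RULES[parsed[1]]["folder"]:
            leaks[parsed[1]].add(sender_domain(from_header))
    return dict(leaks)


if __name__ == "__main__":
    for to_h, from_h in SAMPLE:
        print(f"{to_h:32} {from_h:36} -> {classify(to_h, from_h)}")
    print(leaked_tags(SAMPLE))
```
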

Finally, you have a set of doorbell or knock addresses that you give out at business meetings and other parties: bellnnnnn@isp.example . You enable filters for the one you gave out last night, then, after a week or a month, you disable them again. Or, if the spam to that address is not too bad, you just leave it enabled and keep using it.

When you get legitimate mail at that address, you reply and tell them the real address they should use to send things to you.

Of course, with a little time, you can actually set up a domain of your own for cheap with a little help from a place like google.com and a place like dyndns.org. Google will run your mail server for you if you have a web server and a domain name pointed to it.

Of course, there's that thing about letting Google spool your mail, but it is possible. Read the terms of use and make sure that's okay for the kind of mail you expect first.

If you understand the way to use sub-addresses, the way to use your own private domain name should be fairly clear. And it should be fairly clear why that's going to work better than sub-addresses.


Thursday, April 9, 2009

daydreams

Okay, so I'm having trouble getting out of the daydream mode. I have to go back to work tomorrow, and I have accomplished none of the projects I had lined up for myself over the break -- drupal, finishing my shiftJIS ctype project, getting my BIF dialect of figFORTH moved to C so I can port it to whatever I use, fixing RanBunHyou and extending it for scrambles, etc.

I did almost get Drupal up on my portable. And I sort of got a start on rebooting the shiftJIS ctype project.

Too many things I want to do.

So, I'm going to list the things I daydream about here and see if that helps me get a better grip on my priorities.

So --

First big dream. Buy Apple. (Where do I come up with a cool 60 billion or so?)
  1. Bring back PowerPC Macs, starting with a dual-G4 Mac Mini. (Let's see just how much "better" Intel's core really is.)
  2. Start a line of ARM Macs, not just iPhone and iPods, but netbooks and ARM Minis.
  3. Add one more ethernet port to all Mac Minis.
  4. Start a line of Macs for tinkerers, cheap, slots for additional ports, breadboard cards.
  5. Start a line of Mac Word Processors, essentially netbooks with built-in thermal or light-weight ink-jet printers.
  6. Etc.
Second big dream. Take over Microsfot. Microsoft, I mean.
  1. Freeze all current products, except for security and other serious bug fixes.
  2. Split it down the product lines. (Some guy who calls himself joudanzuki blogged about this.) Make the APIs all open and free.
  3. Fund the Wine project and a couple of others, and add paid engineers.
  4. Start a new OS product, MSWindows Mars, based on BSD code and Wine, under whatever license Wine is under for the MSWindows interface layers, and keeping the BSD license(s) for the BSD infrastructure. But ACLs (Access Control Lists) will be an add-on. The security model will be based on the Unix model.
  5. Make a real mail system somewhat compatible with Outspook, I mean, Outlook, but designing out the intentional holes. Put the thing under a true open source license, preferably GPL, but at least as open/free as Apple's APL v. 2.
  6. Etc.
Third big dream. (My real dream.)

Start an open source computer company to compete with Apple and Microsoft.
  1. Build and sell systems with free/open hardware design, with drivers licensed under a two-clause BSD-class license so they can be used in either Linux or BSD OSses. Netbooks, home and small office NAS/routers/servers using low power processors (most likely not Intel).
Once that company is up and running, start a new OS project that would borrow significantly from Unix.

  1. The run time would explicitly separate the program flow stack from the parameter stack, and explicitly provide a hierarchical local address space access mechanism (with the means to close it off).
  2. Users in said OS would be effectively virtual systems of their own, running their web, mail, and other external resource browsers as separate (sub-)users not privileged enough to access the primary user's data space or even other browser's data space.
  3. As a benefit of the user model, secure special-purpose browsers would be implemented to access banks and share credit information with stores, etc.
  4. Said OS would need a CPU that would cache the stacks efficiently and efficiently implement the address space separation in hardware, so I'd need to design a family of processors optimized to that kind of run-time.
  5. I'd need to build a language back-end that would take advantage of the OS, run-time, and CPU.
  6. And then build various front-end languages, post-fix, in-fix, and pre-fix. (Yeah, I like FORTH and C.)
  7. Etc.
And while I was balancing those two projects, current information encoding schemes are really messy. That's okay, but the URIs and other stuff that computers process need an encoding that is less ambiguous. So,
  1. Design a new standard for information encoding that would have an international encoding and international display/parsing context for use in things like URIs, and include most of the current encodings shifted, so that you could work with just about any language in its own context and not fight the production rules of all the other languages.
  2. It would also include a binary encoding, so that burying binary data would be less of a problem.
  3. And it would include separate tag characters so that parsing tags would not be such a headache.
  4. Extensible IP type addresses would also be defined in the encoding, although I suppose it's too late to replace IPv4 and IPv6 with extensible IP addressing. High-bit extension could be used, although it would require re-possessing most of the current IP addresses. Another possibility might be to start appending the internal, NATted addresses to the router address to get longer addresses, although that would require some standards beyond NAT to allow nested addresses to be physically independent of the router.
  5. Something like ASN.1 would be built into the encoding, as well.
And while that's eating my lunch and taking more time than a guy my age can manage out of every day, I'd set up a personal data service that would provide e-mail and web sites with a few more guardrails than we presently have. Specifically,
  1. Customers would have their own domains, and the personal data server would provide dynamic DNS mapping, so that the customers could even run their own domains on their own servers if they chose to do so.
  2. Customers would by default be routed IPv6, although I would prefer to use an extensible system, now that the processing resources are available to support an extensible numeric (index) addressing scheme.
  3. A mail system that would take advantage of the customers' private domains, to allow them to define their own mail addresses as they choose. This would help with spam problems, because the customer could even make up new addresses on the spot for new contacts, then go home and register filters for those addresses, and know who is trying to do what with his or her personal information.
  4. An on-server mail viewing system that assumes that the user wants to sort most of the mail before looking at it, and lets the user sort based on header and envelope contents, setting up persistent sorting rules that would, for instance, send all posts with variants of "viagra" and the like in the subject or sender headers to a folder labeled "fraudulent medical ads", and so forth: select the text, right-click for a list of context elements to trigger on, left click to commit the rule, and the sorting rule remains in effect until the user edits it. And the destination folders have rules like, hold one week and then dump, or dump oldest first when the folder hits a limit on size or number of messages. (Google mail does get close to this kind of thing, but, yet, not so close after all.)
  5. Web sites are where I get lost, but the point here is to refrain from restricting the knowledgeable customer, but not expose the less knowledgeable customer to the dangers of letting machines be their proxies. Domain management for customers hosting their own, web hosting for customers who want that, and bulletin boards and blogs for customers who want that. Google already does this one, pretty well, given the technology that's available to them.
Looking back on that, Apple and Microsoft are responsible for their own problems. So I really don't benefit from daydreaming about fixing their problems.

If the technology were available, the web services companies (Google, Yahoo, etc.) would be able to do the things I'd like to do. The only issue is whether we can get the ISPs to quit trying to hold domain names and IP addresses for ransom, but I think competition would eventually take care of that.

The biggest problems are
  1. that the underlying information encoding is too cluttered by kludges to efficiently process in the way we need to get this kind of stuff to work,
  2. that the run-times of the various OSses are too cluttered by kludges and cruft from technologies that lead in other directions,
  3. that the programming languages we have are at once too inflexible in expression and too loose in semantics to support the kind of systems I'm trying to describe here.
  4. I'm not sure whether the current crop of CPUs can efficiently run this kind of system. I'm pretty sure the Intel CPUs have too much cruft, and not enough memory support for efficiently managing memory. Most of the other CPUs are oriented towards the limited execution model that the 8086 supported too efficiently, too, as a result of having to compete in a market where the 8086 was seen as the leader.
Hmm. Do I see anything in the above that would help me weed out daydreams I can't or shouldn't reach for, but leave me something to work on?

Can't say that I do.

value vs. price

The news on the radio this morning seems to be about a big data spill from Mitsubishi-UFJ or whatever's investment. (I'm thinking, I'm glad we don't bank there, then I remember, ...)

I was reading a lot yesterday, cleaning up old stuff, scanning some newspaper articles for possible use in classes, and I notice a theme -- the war on drugs, the war on terror, it's all driven by a disparity in price and value.

Most private data is of perceived value precisely because people protect it. The rest is only of value to the people who protect it. Well, if I take you down that path, you'll scream "Transcendental!" and run away.

Hmm.

Let's see. Sure, spam is a problem in your mailbox. It clogs the internet and wastes a lot of energy and a lot of user and administration time. It draws people into wasting their money and, in many cases, putting themselves at risk.

It took several years to train myself to recognize and delete the bad-ads, and I don't want to claim that I don't regret the time I wasted on that. But the primary problem was/is that I, like most people, am still a little susceptible to the lure of the quick fix.

Yeah, it's easy to get lost in a daydream about what I'd do if I won the lottery. But I'm getting pretty good at reminding myself that I just don't play the lottery, and you don't win if you don't play. Then I can ask myself what I really want to do, what is it that is distracting me from whatever job is in front of me?

After a little bit of thinking, I remember that the primary things I want to do, I have the means.

I don't need to win a lottery and start a company that sells just machines pre-loaded with a Linux or BSD class OS, even though it would be nice to have more such companies in the world. It would be fun, but it isn't the project I need to be working on.

Yeah, I'd like to have an ARM Kurobako to load openBSD on and run as my home server, and free up the Mac Mini for my kids to play with. But, again, my kids don't need to think they are free to load any web page that looks interesting, and I have another project or three that need my attention first. When/if I really need to get Drupal running on my home server (and therefore need to separate it from the family Mac), the Lord will help me get an appropriate server.

It's basically the same with drugs, pornography, private data, etc. Sure, I'm not invincible, but if I get uptight and do unreasonable things to prevent others from doing whatever they are doing, that raises the perceived value of whatever it is they are doing in their minds.

Like the kid in class who insists on disrupting. The more you try to prevent him from doing so, the more attention you're giving him, and the more he thinks that, even though your words say it's wrong, what he is doing is in some hidden sense "right".

What is the reason for the door lock on your car? Is it to prevent theft?

No.

It is to declare that the car is not public property.

If the society in which you and your car exist does not recognize private property (think, slums), the lock does no good. Period.

The real thing that protects your car is that its perceived value is lower than the hot car down the street. Well, the perceived value, less the trouble the potential thief has to go to.

So-called "speed bumps" really are useful, when used correctly.

So, what does this have to do with private data?

Maybe it has a bit to do with one reason why I wouldn't really want to win the lottery, even if I did play it.

The real key to security is to refrain from having things worth the trouble of taking.

Drive used cars, carry a used notebook PC.

Sure, use a password to keep the speed bump up, but don't put important information on the PC you carry around. (Leave it in the office, where it belongs, really.)

Don't use the internet for financial transactions, unless you have an account you can afford to lose money from every now and then.

(Yeah, one of the projects I have on a back burner somewhere is a dedicated internet terminal that could be safely used for on-line transactions, if the stores and banks would cooperate, but even that is relative. It would be more secure than what we currently have, but not unbreakable. You still would not want to regularly access your retirement fund with it.)

Tuesday, April 7, 2009

drupal on apple

I was going to install drupal and play with it, see whether it would save me time and otherwise help on my personal website.

Yeah, right. Maybe on a current system, 10.4 or 10.5. I have reasons for trying to install drupal on an iBook running Mac OS 10.3, but, right now, rather than explain to the world why, I want to record what I did and where I ran out of time. (This is from memory, I'm probably forgetting something.)

Drupal can theoretically run on the stock apache+php on 10.3. PostgreSQL seems to run fine, so I should be able to run basic drupal functions.

But there were some critical security issues with both php and apache between the latest updates available from Apple for 10.3 and the latest versions of both php and apache.

Well, the notebook is not a production server, and is generally behind a firewall not configured to show it to the web, so I really don't need to be that concerned about security. (Oh, yeah?) But, I'm installing stuff anyway, and I've become used to the idea in the open source world that there are often fewer bumps if you go ahead and use the latest versions applicable.

So, I tried installing apache 1.3.41 over the system version. I thought about parallel installs, the way I do with perl, but I looked at all the tweaks I'd have to do to php, and balked.

So, after backing up /usr/libexec, I downloaded apache 1.3.41 from apache.org, unpacked it in a local build directory, read the READMEs and the INSTALLs,

cd ${my local build directory}
gnutar czvf libexec_httpd_old.tgz /usr/libexec/httpd
cd apache_1.3.41
./configure [bunch of arcane parameters that weren't what I wanted]
make
sudo make install

and mod_rewrite bit me. Could not get a valid copy of the re-compiled mod_rewrite to install to /usr/libexec/httpd. More reading, and I discovered that, for some modules, the make file seems to want you to say,

--enable-module=mod_xyz.c --enable-shared=xyz

That effectively doubles what was already a lot of typing arcane parameters anyway.

Deep sigh.

Next place I got hung up was mod_hfs_apple. It is compiled outside the apache source tree, so I had to figure out how. Late last night, with my mind buzzed by lack of sleep, I tried the obvious thing. (Well it was obvious last night, after re-discovering where Apple puts the source for Darwin, not so obvious yesterday afternoon.)

I downloaded the apache_mod_hfs_apple-5 tarball from Apple's darwinsource for Mac OS 10.4.11 archives, unpacked it in the local build directory and, after reading more and just trying configures and makes in various places, I downloaded apache from Apple's archives, as well. They have apache 1.3.41 in the archive directory for Mac OS 10.4.11, as well as in the latest directory for 10.5, and it is buried in a directory containing some (but not all) of their customization work. For some reason, I got the one from 10.5.6. (Late at night, you see.) I'm not sure whether that caused me the problems that have me stumped right now.

cd ${my local build directory}
gnutar xzvf ${my downloads for 10.5}/apache1-697.tar.gz
cd apache1-697
ls

hmm. There is apache_1.3.41.tar.gz sitting there. Okay,

gnutar xzvf apache_1.3.41.tar.gz
cd apache_1.3.41

and I looked around for a few minutes.

./configure [tons of arcane parameters]
make
sudo make install

and, of course, it's not quite there.

cd ..
make
sudo make install

and now I see something that raises my eyebrows: apxs-1.3?

After nosing around the net, I decided to just go into /usr/sbin and

ln apxs apxs-1.3

No, this was not last night, it was this morning. My mind is not as clear. After more fussing around with make files and such,

cd ${my local build directory}/apache1-697/apache_1.3.41
./configure \
--with-perl=/usr/local/bin/perl \
--server-uid=70 --server-gid=70 --with-port=80 \
--disable-shared=vhost_alias --disable-shared=env \
--enable-module=log_config --enable-shared=log_config \
--enable-module=log_forensic --enable-shared=log_forensic \
--disable-shared=mime_magic \
--enable-module=mime --enable-shared=mime \
--enable-module=negotiation --enable-shared=negotiation \
--disable-shared=status --disable-shared=info \
--enable-module=include --enable-shared=include \
--enable-module=autoindex --enable-shared=autoindex \
--enable-module=dir --enable-shared=dir \
--enable-module=cgi --enable-shared=cgi \
--enable-module=asis --enable-shared=asis \
--enable-module=imap --enable-shared=imap \
--enable-module=actions --enable-shared=actions \
--disable-shared=speling \
--enable-module=userdir --enable-shared=userdir \
--enable-module=alias --enable-shared=alias \
--enable-module=rewrite --enable-shared=rewrite \
--enable-module=access --enable-shared=access \
--enable-module=auth --enable-shared=auth \
--disable-shared=auth_anon --disable-shared=auth_dbm \
--disable-shared=digest --disable-shared=proxy \
--disable-shared=cern_meta --disable-shared=expires \
--disable-shared=headers --disable-shared=usertrack \
--disable-shared=unique_id \
--enable-module=so \
--enable-shared=setenvif \
--add-module=/local/build/apache_mod_hfs_apple-5/mod_hfs_apple.c \
--enable-shared=hfs_apple
make
sudo make install
sudo /usr/sbin/apachectl start

And no go. Now it's hung up on mod_rendezvous_apple. So I go looking around for a more recent apache_mod_rendezvous_apple on darwinsource. Nope. Download mod_bonjour_9 from the Mac OS 10.5 archives and try compiling. Lots and lots of errors.

Download apache_mod_rendezvous_apple-8 from the Mac OS 10.3 archives. Just a few link errors, and I might have a hope of actually finding a way to clear them. But I have other things I wanted to do today. I don't really need mod_rendezvous, I think. So I disable mod_rendezvous in httpd.conf and go back:

cd ${my local build directory}/apache1-697/apache_1.3.41
./configure [the list above]
make
sudo make install
sudo /usr/sbin/apachectl start

And apache tells me it started successfully. I suppose I could have used the apachectl test command. Anyway,

sudo /usr/sbin/apachectl stop
cd ..
make
sudo make install
sudo /usr/sbin/apachectl start
sudo /usr/sbin/apachectl stop

And that is how I got apache 1.3.41 on this iBook running Mac OS X 10.3.9. I think it will serve for my development work, but I'll tell you. This is one of the huge reasons I want to leave Mac OS behind and switch to Fedora full time.

The reasons I don't switch now?

I need some time to read up on loading the binary blob to the wireless card. --Bleaugh-- Stupid hardware companies that still believe in security through obscurity.

Trackpad. I need to figure out how to unset some "advanced" behavior for the trackpad and find all those notes that I can't find any more on setting up right-click emulation.

ClarisWorks/AppleWorks. I'm using draw documents with embedded spreadsheets (with randomized lists), and, last time I looked, iWork is not quite there yet.

MSOffice? Are you kidding? Microsoft has no idea how to do this stuff. They just don't know how to get out of the end-user's way any more.

One of these days, I hope to be able to figure out how to load java extensions to openoffice, and maybe then, but openoffice basically inherits the clumsy interface from MSOffice. (Quoth Bill Gates: "Let us help you do things the MS-OUR-WAY!")

I suppose, if teaching English paid enough to squeeze JPY 200,000 out of a year's wages, I'd go for a new Intel macbook and appropriate software, or even the macair or whatever that is. (A light-weight portable would ease some of the stress on my back quite a bit.) Maybe. I prefer AMD or other non-Intel on principle, if I have to put up with x86.

Or, I could spring $300 for a family pack of Mac OS X 10.4 original install CDs from some dubious internet company, and keep using AppleWorks. Or I could get new dictionary software and finish re-writing ranbunhyou to run on Mac OS X and get Mac OS X 10.5 on this iBook for a bit less. Or something.

I have something else in my queue now. Hopefully I'll get back to Drupal later.

Wednesday, April 1, 2009

A Parable of Drive-in Banks and Cars

Well, okay, this isn't really a parable. Parables come from the real world, and this analogy comes from an alternate universe.

In this world, there is one major automobile manufacturer. It sells more than 80% of all cars. It also sets a bunch of implicit standards relative to the way cars are built and used. For instance, all cars have a driver's-side window at a specific height, of a specific size and shape, to match drive-in service facilities, and all drive-in service facilities are built to match the standard driver's-side window.

Moreover, all drive-in service personnel are trained, and required by law, to only serve windows of the standard height.

The reasons for this standard are said to be safety and efficiency, but there is one other reason that over-rides the rest. The window also has a special encoded certificate in it that identifies the person who is authorized to drive the car. This certificate, of course, is hidden, so that the casual thief won't have an easy time of copying it.

The certificate was originally intended only for banks and other financial institutions, but they proved so convenient that even the fast-food industry has taken to using them. They weren't supposed to be trained to read them, but you know how it is with secrets.

Besides, it provides another revenue stream for the banks, to handle the money for other drive-in services automatically. It's considered a win-win situation.

This works for a little while, because the "bad guys" go along with it for the most part. They knew that they could get away with copying only a few certificates and using them only occasionally. The banks and other companies are insured, so the customers don't lose money, and if the bad guys don't steal too much, nobody gets overly concerned.

But, just like in this world, not all countries are created equal in our alternate universe. And there are some countries that, because of war, or graft, or by tradition, or other reasons, have a large number of people who have no prospects of finding work, and very little access to the charity hand-outs.

These people have grown up without the traditions that would help them plan ahead and not steal too much. So, now, suddenly, certificates are being copied all over the place, and the insurers are losing so much money that the economy is threatened.

Okay, it's not a really great analogy. Don't try to push it too far.