Curiouser and Curiouser… The Strange Story of TrueCrypt

I have been using TrueCrypt for several years. It is not the key cog in my security plan but it is helpful. The TrueCrypt development process looked trustworthy and professional. So I was shocked  with the developer’s announcement last week. It was just so weird, I thought the site had been hacked. The developer’s explanation on why he was stopping development bordered on incoherent. What does the end of Windows XP maintenance have to do with anything? As an old IT guy I decided to wait this mess out. There was an ongoing security review of TrueCrypt which should sort some of the issues out. For those conspiracy buffs out there, Snowden was a big fan of TrueCrypt. This weekend I decided to see if I could still download the source. It was not available at the normal location but I did locate it at Gibson Research Corporation who I recognize from Shields Up fame. Considering their reputation in the security game, they had some interesting some things to say.

Yes . . . TrueCrypt is still safe to use.

Although the disappearance of the TrueCrypt site, whose ever-presence the Internet community long ago grew to take for granted, shocked and surprised many, it clearly came as no surprise to the developers who maintained the site and its namesake code for the past ten years. An analysis of the extensive changes made to TrueCrypt’s swan song v7.2 release, and to the code’s updated v3.1 license, shows that this departure, which was unveiled without preamble, was in fact quite well planned.

For reasons that remain a titillating source of hypothesis, intrigue and paranoia, TrueCrypt’s developers chose not to graciously turn their beloved creation over to a wider Internet development community, but rather, as has always been their right granted by TrueCrypt’s longstanding license, to attempt to kill it off by creating a dramatically neutered 7.2 version that can only be used to view, but no longer to create new, TrueCrypt volumes.

Then, leveraging the perverse and wrongheaded belief that software whose support was just cancelled renders it immediately untrustworthy, they attempted to foreclose on TrueCrypt’s current and continued use by warning the industry that future problems would remain unrepaired. This being said of the latest 7.1a version of the code that has been used by millions, without change, since its release in February of 2012, more than 27 months before. Suddenly, for no disclosed reason, we should no longer trust it?

I will continue to use it until a better option becomes available. Although I doubt I will look at the code for security problems, I am curious what the security professionals find.

How To Migrate WordPress from Shared Hosting to a Cloud Server with Zero Downtime


I have been a customer for several years and generally speaking I have been pleased with the services I got from Bluehost. Recently I noticed some annoying variability in response time which appeared to be directly related to the shared host arrangement. I did a little shopping and found that for almost the same monthly price I could get a virtual server at DigitalOcean.


My primary objective was to migrate two shared host WordPress blogs and an open source web-based news feed (RSS/Atom) reader called Tiny Tiny RSS from Bluehost to a virtual server at DigitalOcean. A secondary objective was to replace my web analytics with Piwik.

My Plan

My plan was to follow the DigitalOcean tutorial, How To Migrate WordPress from Shared Hosting to a Cloud Server with Zero Downtime, with a couple of changes. The tutorial was written for Ubuntu 12.04 LTS and I would be installed 14.04 LTS. Since I am a Windows guy I would be using Putty for SSH sessions and WinSCP to transfer files.

Step 1. Create a Backup

The biggest change I made in this step was to backup of the entire WordPress folder. Several services asked me to put little files in the root directory as part of the approval process. I also have a customized .htaccess file. Since my copies of WordPress are up to date, it was easier and faster to copy over the entire folder.

Step 2. Set Up the Cloud Server with LAMP Stack

Here :

  1. I followed the first four steps of the tutorial, Initial server setup for Ubuntu 14.04, but if I had to do it over again I would go ahead and configure ssh to restrict root login and explicitly permit certain users. Considering how many folks will be trying to break into your server, you might as start locking down the server.
  2. Next I followed the tutorial, How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 14.04.
Step 3. Install WordPress

Since I was going to restore the entire WordPress folder I skipped this step.

Step 4. Create a Virtual Host

In this step I started to follow the tutorial, How To Set Up Multiple WordPress Sites on a Single Ubuntu VPS. In my case I was going to use a wordpress folder under the default directory for the main blog and a second folder under www for the second blog. I created two virtual host files, and, for my two blogs. The original tutorial omitted the conf extension.

Step 5. Restore Database and Files

This is when I learned the most important lesson. My first Mysql backups were incomplete or bad when I tried to load them. I had poor results trying to load compressed files. So I made it simpler.

  1. I saved the Mysql backups to a temporary folder
  2. I compressed them.
  3. I transferred them to the new server.
  4. I uncompressed them.
  5. I created the database and user.
  6. I loaded the uncompressed file.

To restore the WordPress files :

  1. I transferred the compressed file to the server.
  2. I uncompressed the file in the home directory.
  3. I copied the files to the web server using:
    sudo rsync -avP wordpress/ /var/www/html/wordpress/ 
    sudo rsync -avP firstsite/ /var/www/firstsite/
  4. Give ownership of the directories to the Apache web user and then add your linux username to the web group:
    sudo chown www-data:www-data * -R
    sudo usermod -a -G www-data linux_user_name
  5. Configure each wp-config.php with the new Mysql usernames and passwords for the databases you just loaded.
  6. This is a good time to make sure that the WordPress permissions are set correctly.
    sudo find . -type f -exec chmod 644 {} +
    sudo find . -type d -exec chmod 755 {} +
    sudo chmod 600 wp-config.php
Step 6. Test your Blog

For me everything worked except for mail and some hard coded links in the widgets. To solve the mail problem I installed the wordpress plugin, WP-Mail-SMTP, and sSMTP for a simple and lightweight MTA for the system messages. All of my messages are sent through Gmail.

Step 7. Update Your DNS Settings

If you are using a CDN like Cloudflare that is linked to your Bluehost account, this would be good time to deactivate it. I did not and the response time was all over the map for a day.

Step 8. Install phpMyAdmin, Piwik, Fail2Ban, and Logwatch
  1. I did not need to install phpMyAdmin but DigitalOcean does have a pretty simple tutorial showing how to install it.
  2. I was originally planning to install Awstats but Piwik looked like a better choice. The 5-minute Piwik Installation was easy.
  3. After a little browsing of the auth.log it was easy to see that there was too much SSH traffic that was not originating from me so the solution was to follow this tutorial, How To Install and Use Fail2ban on Ubuntu 14.04. After running Fail2Ban for a couple days it became apparent that I needed to permanently ban some folks. I followed the tutorial, Permanently Ban Repeat Offenders With FAIL2BAN.
  4. Obviously I needed to look at the log files on a daily basis until I get this SSH hacking under control. The solution in this case was this tutorial, How To Install and Use Logwatch Log Analyzer and Reporter on a VPS.
  5. The first thing I noticed from looking at the authentication failures in the pam_unix section was that some of the folks were spacing out their probes to get around the default settings for Fail2Ban. So I expanded the findtime and bantime and maxretry. This caught some more hackers but it still was missing some others.  So I brushed up on my grep, awk, and bash coding to find the worst of the bunch and ban them. Sorry China! There is something odd about restarting Faile2Ban.  It looked it was working but it was not banning IPs I thought it should. Sure enough when I rebooted the server it would read the log file and immediately ban the IP.
Step 9. Take a Snapshot and Project Wrap-up

At this point I can say that the migration is complete. The sites are working and I fixed all of the configuration issues that showed up in the log files.  The response time for the sites is much faster than on the shared host even though I added another application, Piwik. It looks like I can easily support another blog. I have another blog with a renewal date a couple of months from now.

The last thing to do was to take a snapshot or backup. So I took a manual snapshot as outlined in this tutorial,

How To Use DigitalOcean Snapshots to Automatically Backup your Droplets, and it took about five minutes to complete.

For fun I charted the IPs I had already banned by country.



R Portable Version 3.0.3 and RStudioPortable Version 0.98.501 Are Released!

R Portable Version 3.0.3 and RStudioPortable Version 0.98.501 have been released and are available at the R Portable project page,

  • R Portable Version 3.0.3 incorporates the 3.0.3 version of R in a portableapps format.
  • RStudioPortable Version 0.98.501 incorporates the 0.98.501 version of R Studio in a portableapps format.

Publicize for Admin and Editor only

I think I found a bug in the Jetpack plugin for WordPress that is stopping me from publicizing my posts to social media sites. It worked under version 2.8 but was broken in 2.9. When I go back to the 2.8 version of publicize it works so why did they change the code? I am guessing but it looks like they fixed the problem with "Publicize for Admin and Editor only" they created a new problem with publicizing posts created using Live Writer and maybe other methods. Here is the code I am talking about.

< 				if ( false == apply_filters( 'wpas_submit_post?', $submit_post, $post_id, $service_name, $connection_data ) ) {
< 					delete_post_meta( $post_id, $this->PENDING );
< 					continue;
< 				}
> 				if ( false == apply_filters( 'wpas_submit_post?', $submit_post, $post_id, $service_name, $connection_data ) ) {
> 					update_post_meta( $post_id, $this->POST_SKIP . $unique_id, 1 );
> 					continue;
> 				}

Integrating Twitter Summary Cards Into Your Blog Using Jetpack And All In One SEO

Recently I was wondering why some tweets had extra graphic images in them. It looked like someone had figured out how to create a tweet from a blog post and include first image from the post in the tweet. That looked pretty cool. Here is an example.

2014-03-04 15_26_46-alazycowboy

There are two tricks here. The first trick is configure Jetpack to publicize your post via Twitter. With Jetpack you can publicize your posts to several social media sites such as Facebook, Google+, and LinkedIn. Click here for more information on using Publicize. This will get you the standard tweet format. That is okay but I wanted the tweet with more information and graphics in it. To get that format you have to use Twitter Cards and get it approved by Twitter. Here is the Twitter information on configuring Jetpack. There are several Twitter Card formats to choose from and I chose the Summary Card. The next trick is find the plugin that generates the correct meta data for Twitter, validate the card, and apply for approval. I tried several different plugins with varying degrees of success of getting the first image in the post into the tweet. Then I discovered that the best plugin to generate twitter meta data was one I already had installed, All In One SEO Pack. All I had to do was to activate the Social Meta feature and configure it. The changes I made were:

  1. I set Select OG:Image Source to “First Image in Content” to see the first image from the post.
  2. I deleted the default content in Default OG:Image to get rid of the default image.

When I was happy with the layout of the Summary Card preview, I applied for approval. I read somewhere that it takes up to 72 hours to get approved but my approvals arrived within a few minutes. Enjoy!

KrebsOnSecurity reports that the network credentials of Fazio Mechanical were stolen with by a password-stealing malware called Citadel

KrebsOnSecurity reports that the network credentials of Fazio Mechanical were stolen with by a password-stealing malware called Citadel. This is what I feared. Recently I spend a lot of time working through some problems updating McAfee ASAP because I was pretty sure it had a better malware protection than Microsoft Security Essentials.

The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.

Since Citadel is not a new threat I assume it must be a modified version that was not detected by the virus/malware checking software. I wonder if the current versions of the top virus checking software catches it now. My desktop version of Outlook is twice protected via McAfee’s SaaS. My private email is protected by Yahoo(Symantec). Hmm… I wonder what Fazio was using?

How Did I Miss Knowing About WordPress Jetpack?

I was playing around with the WordPress app on my Android phone when it told me to install Jetpack if I wanted to see statistics on my phone. This has been a long time annoyance of mine. You could only see statistics with the Android app if you hosted your blog on To make up for this deficiency I installed a couple of web statistics plugins. So I thought why not one more. I already had a userid. So I went back to my laptop, installed the plugin, and connected to To my surprise there were 31 features that I could enable with Jetpack and some of these features were interesting. Since there are so many new features I opted to start off small and connect my blog with my Twitter, LinkedIn, and Google+ accounts. Let’s see what happens when I publish this post.


R-Studio is a really nice environment to develop R programs. Since I like portable versions of programs I created a PortableApps version of R-Studio last year and mentioned it in a PortableApps forum. Padraig asked if I would make it available. For those inquiring minds out there you can find it on SourceForge, RStudioPortable_0.97.551.paf.exe.


IIS, MySQL, WordPress, and The Famous 5-Minute Installation

Yesterday I was upgrading some programs on my home laptop and realized I had an old version of MySQL, 5.1. The current version is 5.6. The 5.1 version of MySQL was installed when I used Microsoft’s Web Platform Installer to install a test WordPress blog. This is a really easy way to checkout software when it works so I set out to upgrade MySQL to the latest version. Surprisingly there is no way to upgrade or remove MySQL using the Web Platform Installer. So I downloaded the community upgrade from and ran the upgrade. It did not work. I kept getting an unhandled exception error message during the upgrade. Since I did not have any important information in the data base I uninstalled the current version and installed the 5.6 version. Now MySQL is working but I kept getting password errors when I tried to install a new blog using either the Web Platform Installer or Microsoft’s WebMatrix. So I did a complete MySQL reinstall using these instructions for Windows 7 from

  1. Uninstall MySQL using the uninstaller.
  2. Delete C:\Program Files\MySQL
  3. Delete C:\Program Files (x86)\MySQL
  4. Delete C:\ProgramData\MySQL
  5. Delete from any Users’ AppData folders. Example: C:\Users\rdoverby\AppData\Roaming\MySQL
  6. Reinstall MySQL

This did not fix my problems with Web Platform Installer or WebMatrix. Since I had phpMyAdmin working under IIS and a working version of MySQL, I opted to try “The Famous 5-Minute Installation”. I copied an old WordPress installation to a new folder, followed the instructions, and in about five minutes I had a new WordPress blog working on my laptop.

Mr. Zients Versus The Mythical Man Month

Last week I had to chuckle when Mr. Zients announced that "by the end of November, will work smoothly for the vast majority of users." I am one of the few long time visitors and have been anxiously looking forward to improvements since 2010 when I first complained the insurance finder was useless. Although I admire his chutzpah the two things I can say for sure is that there will be a touchdown dance on November 30th and there will still be a lot of serious problems to fix. The touchdown dance is the easy part of his task. Unfortunately the American people are married to this software. Like a bad Las Vegas wedding in which we hate to admit our mistake, we will trudge onward for the sake of the children.

The first problem facing Mr. Zients is that he is up against the software engineering and project expertise of Fred Brooks, whose central theme in his book, “Mythical Man Month”, is that "adding manpower to a late software project makes it later" has been ignored by the administration. They have already announced their plan to hire QSSI to come in and fix the problems with the web site in 30 days. Adding more people and thinking this will fix the problem is a big problem. Saying that it has to be done in 30 days has me in alternating fits of laughing and crying. As a person who has made his living fixing “other people’s code” for thirty years, this solution is a recipe for disaster and no seems to be listening. So let me frame the problems facing this system with a diagram from the book, Mythical Man Month.


Using the analogy from the book software products start out in the “Program” quadrant and are transformed via generalization, testing, documentation, maintenance, and system integration into a “Programming System Product”.  The “Programming System Product” in our case is and the final acceptance test is whether the American people can use it to purchase subsidized insurance. In 1974 Mr. Brooks asserted that a “Programming System Product” costs nine times as much as the “Program” so the vast majority of the cost and effort is spent generalizing, testing, documenting, and integrating the interfaces. Unfortunately for Mr. Zients this part of software engineering has not changed over the years.

From the reports I have read there has been very little testing and the specifications for the programming interfaces did not go out until eight days before the launch. It looks like most of the money and effort was spent in the “Program” quadrant and very little was spent in the areas that would actually result in a successful “Program System Product”. This reeks of management failure. As part of the 1% who successfully got through the application process far enough to download a copy of my potential insurance plans I can say that the site has a lot of serious problems. It brings a whole new meaning to the term, “bad beta site”. Although I have no doubt that this new contractor, QSSI, can clean up the code discussed in this Reddit thread, the other problems that have been reported are more daunting and time consuming. Here is a short list of problems in no particular order.

  1. The usability problems pointed out by the NN group
  2. The back end problems pointed out by Dan on marginal revolution.
  3. The 834 problems pointed out by Sarah Kliff on the Wonkblog
  4. Identity theft  problems pointed out at MotherJones.

I think both the Affordable Care supporters and detractors agree that despite the fact that the web site is a clusterfark of monumental proportions, it will get fixed eventually. The question is whether it will be sufficiently complete and secure in time. Since they ignored my old web development adage, “copy the best and ignore the rest”, maybe they should start looking at an exit plan that involves joining forces with the “best in the business”. There is still time for letting and its six competitors finish a smaller, less politicized version of the  the job and minimize the impact of a failed

Cross posted at

The Mythical Man Month

With the web site problems of dominating the news, I was reminded of the classic book on software project management from my era, The Mythical Man Month. Surprisingly I found out that the first edition is available at I guess it is too late to recommend that someone in the Department of Health and Human Services read it before throwing more people at the project.

Some people might argue that a book written in 1975 is not relevant to today’s project managers. Well, here is a shorter IEEE article, Why Software Fails, written in 2005 that echoes a lot of the same sentiments. If we believe the reporting is accurate then this project has already exhibited many of the factors that should cause the project to fail. Read it and weep! In that article the authors say:

Why do projects fail so often?

Among the most common factors:

  • Unrealistic or unarticulated project goals
  • Inaccurate estimates of needed resources
  • Badly defined system requirements
  • Poor reporting of the project’s status
  • Unmanaged risks
  • Poor communication among customers, developers, and users
  • Use of immature technology
  • Inability to handle the project’s complexity
  • Sloppy development practices
  • Poor project management
  • Stakeholder politics
  • Commercial pressures

Fixing a Blank Icon in the Start Menu for Evernote

I am not sure when this happened but I have a blank icon for Evernote in my Start Menu. It is one of those Start Menu shortcuts that does not allow you to change the icon. Someone called it a “msi shortcut”. Today I finally got annoyed with it to fix it. I tried re-installing Evernote but I still had a blank icon. I found the icon in a folder under C:\Windows\Installer so I don’t understand why the re-installation did not point to the icon. This is how I fixed it.

  1. I opened Explorer as an Administrator
  2. Since I had a good Evernote shortcut(i.e. one with the correct icon) on my desktop I copied it into the folder, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Evernote, and replaced the existing shortcut that had the blank icon.
  3. Now when I open the Start Menu Evernote has the correct icon.

Simple Notepad++ Trick to Preview Markdown

One of my favorite Notepad++ plugins is NPP_EXEC and the compile_or_run script. Using this framework I created specialized scripts for python, Perl, c, c++, CMD, VBS, and PowerShell. It has become a handy way to run ad hoc scripts since I typically have a Notepad++ instance open. My latest creation was to create a variation of the Perl script to display a Markdown preview based on the “MD” file extension. In this case it runs a Perl Markdown script that sends the formatted HTML output to a new tab. Since I use Markdown so infrequently this is a quick and handy way to check my Markdown format.

Rcmdr for R-Portable or How to Create a Custom Shortcut in the PortableApps Menu

I have been playing around with Rcmdr since I saw several folks talk say good things about it. To make it play nicely R-Portable I decided to create my own PortableApps icon to launch R-Portable and automatically start Rcmdr. The procedure is similar to creating a shortcut for Rcmdr except that I will start R-Portable from a separate folder that contains a customized version of .Rprofile that automatically starts Rcmdr. So I created a  Rcmdr folder in my Portableapps program directory, created a DOS batch file that starts R-Portable with the “—sdi” option, and created a .Rprofile file like Scott Hyde had recommended. You can test your setup at this point. I am assuming you have previously installed R Commander. When you execute the batch file a DOS screen should briefly flash and both the R and the “sdi” version of the R Commander window should open.

To get a PortableApps icon to appear I created the PortableApps folder structure in Rcmdr, created an appinfo.ini file that referenced the batch file as the program executable, and copied the R icons from R-Portable into the “app\appinfo” folder. Now when I refresh my PortableApps icons I have a “R” icon for R Commander Portable to go with my existing icons for R Portable and RStudio Portable. Here is a zipped version of my Rcmdr folder,

Google Reader Replacement Tryouts–Part 2

This weekend I followed up on the two RSS feed readers in my Google Reader Replacement Tryouts. I have been pretty happy with Tiny Tiny RSS. My only problem is that it could not read five feeds. The forums implied that the trunk version might fix some of the problems. After a few missteps my Tiny Tiny RSS is running the trunk version and two more feed are readable. I am still getting a 403 on and a “LibXML error 5” on two other feeds.

While I was updating my notes on RSS readers I went back to Yoleoreader. When I was last there only a part of feed was imported and the site was having stability problems. I repeated the import and all of the my feeds got in. Although I like the UI the response time of the browser is much slower than Tiny Tiny RSS. It looks like more growing pains. So far Tiny Tiny RSS is faster and more stable.

Google Reader Replacement Tryouts

This week I decided to start the Google Reader replacement tryouts. It was the article, Yoleoreader Is Another Google Reader Alternative With Slick UI, by Jonathon Hu and the fact that Google Reader is supposed to disappear on July 1 that motivated me to get moving. I guess Google wants us to use Google+ instead of RSS readers. That is a much bigger problem for me than finding a RSS reader replacement. So I created an account on Yoleoreader and imported my feeds. The user interface is nice but the server rebooted during my feed import. I tried again but it still has not loaded. I guess they are having some problems scaling the system up for more users. The support person was nice but I think I will wait a week before trying again.

Another alternative to Google Reader is Tiny Tiny RSS. Since I have a self hosted site and experience installing web software, I installed it. For the average Google Reader user they need a  Yoleoreader type solution. I found some instructions for Installing Tiny Tiny RSS on Bluehost. The instructions relied on the command line so I modified the instructions to use the GUI tools. Here is my version of Richard’s instructions.

  1. I went to the Tiny Tiny RSS site and downloaded the tarball, v1.7.9 (May 13, 2013)
  2. I logged into the Controlpanel application on Bluehost and created a subdomain(Domains-Subdomains) with its own folder. I called the subdomain, reader, as a memorial to Google Reader.
  3. I used the File Manager(Files-File Manager) to upload the tarball to public_html, expanded the tarball, and then moved the source code to the reader folder.
  4. I created a new data base(Databases-MySQL Databases) called myusername_tt-rss, a data base user called myusername_ttrss, assigned the user to tt-rss, and assigned all privileges to the user.
  5. Although I used PhpMyAdmin to import the schema and edited the config.php file via the File Manager, I found that this was not necessary. When I opened the browser and went to, I accidentally ended up at the install screen. I had saved my edits to config-dist.php. I followed its instructions to import the schema and edit the config.php. When I went to the home screen, everything worked. If I ever have to do this again I would open a browser and go directly to instead.
  6. I followed the instructions for securing the admin password and importing my subscriptions and starred items.
  7. I followed the instructions for updating the feeds manually but I changed the cron job command line to:  cd ~/public_html/reader && /usr/php/53/usr/bin/php-cli ~/public_html/reader/update.php –feeds –quiet >/dev/null 2>&1

Here are some of my initial impressions on Tiny Tiny RSS.

  1. The user interface is not as slick as Yoleoreader but it is more than adequate as a replacement for Google Reader. My browser response time was excellent.
  2. My Google Reader feeds and starred items imported quickly without problems.
  3. Tiny Tiny RSS is more persnickety about the quality of the feeds. I guess that Google Reader fixed the feed problems behind the curtains. I read a bunch of comments from RSS developers complaining about the different feed exceptions that had to code for. In my case I had about twenty bad feeds. The feed shows up in red. Some of the feeds no longer exist. They were easy to fix. Some feeds have problems but still display the posts. Five feeds have valid addresses but the feed cannot be read. Maybe this weekend I will see if the newest version of the RSS and Atom code will fix the problem.

Where are RStudio’s Options Stored?

I was looking at Joseph Reid’s description on how to set up RStudio when I realized I did not know where the RStudio settings are stored.  Since I created a portableapps version of RStudio, I was curious if it left any files on the hard drive. The answer is found in the article, Resetting RStudio’s State. Here is the pertinent part of Windows Vista and 7 users:

RStudio stores your custom settings and options in a hidden directory called RStudio-Desktop. If this directory does not exist, RStudio will create it on start up. This directory includes user settings, log files, and other state information. Removing (or renaming) this directory will reset RStudio’s state analogous to a fresh installation.

We recommend renaming this directory to create a backup version instead of completely deleting it. This allows you to save your settings, incase you want to revert back to them. Additionally, if you experienced a crash or RStudio failed to start, this directory may contain vital information for determining the source of the error. In this case, we recommend renaming this directory to backup-rstudio-desktop and sending it along with a support request.

Accessing the RStudio-Desktop Directory


You can open an Explorer window into the RStudio-Desktop directory by typing the following command into Start -> Run:

For Windows Vista and 7:


Occam’s Razor Meets The Internet Sales Tax

I was reading a post on internet sales when one of commenters compared internet sales to the problem with liquor sales across state borders. Here was my reply as I make the argument internet sales tax will fail because it is too complex. Simplicity is typically the best solution and the internet sales tax is not simple. The internet sales tax plan is a recipe for failure.

Since I grew up in Northern VA the reason the residents went to DC to purchase liquor was because the prices were cheaper. Virginia sold liquor via state run alcohol beverage control stores(ABC). DC had private businesses selling liquor who drummed up business by aggressively promoting their products. Over a period of years Virginia decided it was wiser and simpler to allow VA grocery stores to competitively price beer and wine and to allow the ABC stores to competitively price their liquor than to ask police officers to monitor liquor sales at the border. The simple solution won but it took many years and a lot of complaining by local residents and grocery stores.

If we try to look for a simple solution to internet sales tax we do not have one for either the small businesses or the smaller states. If I had a choice of creating a small business that was tax exempt or expand one that would pay internet sales taxes, I would choose to create a tax exempt business. Internet retailing is brutal so any advantage I get on Amazon is good! What can California do? Sue me in civil court!? Good luck with that!

Does anyone think it will be cost effective for Alaska and the other smaller states to collect internet sales tax? I am sure there are state employees who are dreading the thought of thousands of sales tax applications that will result in little to no tax revenue. All that work for so little money. Isn’t this the same situation as posting police officers at the border to catch out of state liquor sales? Customers are amazingly adaptive. I would not be surprised if we create a new market for package forwarding from states that do not collect sales tax. If the internet sales tax is not as simple to implement as the payroll tax, it will fail. Simplicity wins in the end.