NJ Courts Impose Ridiculous Password Policy 'To Comply With NIST' That Does Exactly What NIST Says Not To Do
from the the-poor-online-security-guardin'-state dept
As a New Jersey native I know how tempting it is for people to gratuitously bash my home state. But, you know, sometimes it really does have it coming.
In this case it's because of the recent announcement of a new password policy for all of the New Jersey courts' online systems – ranging from e-filing systems for the courts to the online attorney registration system – that will now require passwords to be changed every 90 days.
This notice is to advise that the New Jersey Judiciary is implementing an additional information security measure for those individuals who use Judiciary web-based applications, in particular, attorney registration, eCourts, eCDR, eTRO, eJOC, eVNF, EM, MACS, and DVCR. The new security requirement - password synchronization or p-:-synch - will require users to electronically reset their passwords every 90 days.
For reasons explained below, this new policy is a terrible idea. But what makes it particularly risible is that the New Jersey judiciary is claiming this change is being implemented in order to comply with NIST.
This requirement is being added to ensure that our systems and data are protected and secure consistent with industry security standards (National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)).
The first problem here, of course, is that this general allusion to NIST is not helpful. If NIST has something specific to say that the courts are relying on, then the courts should specifically say what it is. Courts would never accept these sorts of vague, hand-wavy references to authority in matters before them. Assertions always require a citation to the support upon which they are predicated so that they can be reviewed for accuracy and reasonableness. Instead, the New Jersey judiciary here expects us to presume this new policy is both, when in fact it is neither.
The reality is that the NIST Cybersecurity Framework does not even mention the word "password," let alone any sort of 90-day expiration requirement. Moreover, what NIST does actually say about passwords is that they should not be made to expire. In particular, the New Jersey judiciary should direct its attention to Special Publication 800-63B, which expressly says:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
That same section of the Special Publication also says that, "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets" because, as a NIST study noted, it tends to reduce overall security hygiene. Guess what else the new New Jersey password policy does:
Users must select passwords that are no more than eight (8) characters long and contain at least one capital letter, one lower case letter, one numeral, and one of the enumerated special characters.
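To make the contrast concrete, the following is an added example, not code from the Judiciary or a NIST reference implementation. It encodes the New Jersey rules just quoted next to a checker written to SP 800-63B section 5.1.1.2 (minimum 8 characters, at least 64 permitted, no composition rules, no scheduled expiry, and screening against a list of compromised or commonly used values). Two things are assumptions of the example: the notice does not list its "enumerated special characters", so NJ_SPECIAL is a stand-in set, and BLOCKLIST is a constructed five-entry stub for the breached-password corpus a real deployment would use. The last function generalises the length argument by computing the keyspace of a random string, which shows what the 8-character cap costs on its own.

```python
"""Password rules side by side: the New Jersey notice quoted above versus a
checker written to NIST SP 800-63B section 5.1.1.2.  Added example; not the
Judiciary's code and not a NIST reference implementation."""
import math
import unicodedata
from typing import List

# Constructed stub for the breached/common-password list SP 800-63B asks
# verifiers to screen against.  A real deployment uses a large corpus.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1"}

# The notice says "enumerated special characters" without listing them;
# this set is an assumption for the example.
NJ_SPECIAL = set("!@#$%^&*")


def nj_policy_check(pw: str) -> List[str]:
    """The quoted New Jersey rules: no more than 8 characters, and at least one
    capital, one lower-case letter, one numeral and one special character.
    Returns the list of rule violations; an empty list means accepted."""
    problems = []
    if len(pw) > 8:
        problems.append("longer than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(c in NJ_SPECIAL for c in pw):
        problems.append("no special character")
    return problems


def nist_policy_check(pw: str, blocklist=BLOCKLIST, min_len: int = 8,
                      max_len: int = 64) -> List[str]:
    """SP 800-63B 5.1.1.2 as code: normalise Unicode, count code points,
    require at least 8 and permit at least 64, impose no composition rules,
    and reject values on the compromised/common list.  No expiry: the
    password is changed only on evidence of compromise, not on a timer."""
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if pw.lower() in blocklist:
        problems.append("on the compromised/common-password blocklist")
    return problems


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string: length * log2(alphabet).
    Only an upper bound for human-chosen values, but it shows what the
    8-character cap costs: 8 symbols from 94 printable ASCII give about
    52 bits, while 24 random lower-case letters give about 113."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("Thisismyverylongpassword", "Ab1!xyzw", "Password1"):
        print(candidate, "NJ:", nj_policy_check(candidate) or "accepted",
              "| NIST:", nist_policy_check(candidate) or "accepted")
    print(f"8 chars of 94: {keyspace_bits(8, 94):.1f} bits; "
          f"24 lower-case: {keyspace_bits(24, 26):.1f} bits")
```

Run as a script, the long all-lower-case passphrase is rejected by the New Jersey rules on three counts and accepted by the NIST-style checker, while "Password1" passes the composition test it was built for and is still caught by the blocklist, which is the check SP 800-63B actually asks for.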
It also gets worse, because as part of this password protocol it will require security questions in order to recover lost passwords.
Additionally, this policy change will require that each user choose and answer three personal security questions that will later allow the user to reset their own password should their account become disabled, for example, because of an expired password. The answers to the three security questions should be kept confidential in order to reduce the risk of unauthorized access and allow for most password resets to be done electronically.
Security questions are themselves a questionable security practice because they are often built around information that, especially in a world of ubiquitous social media, may not be private.
From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo's, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They're meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won't forget your mother's maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place—web and social media searches can often reveal where someone grew up or what the make of their first car was—the approach puts accounts at risk. And since your first pet's name never changes, your answers to security questions can be instantly compromised across many digital services if they are revealed through digital snooping or a data breach.
The Wired article this passage came from is already two years old. Far from New Jersey imposing an "industry standard" password protocol, it is instead imposing one that is outdated and discredited, which stands to undermine its systems' security rather than enhance it.
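SP 800-63B tells verifiers not to prompt for exactly the kind of information security questions rely on (section 5.1.1.2 uses "What was the name of your first pet?" as its example of what not to ask). One common alternative for the "account disabled" case in the notice is a single-use, short-lived secret sent over a channel the user verified at registration. The following is an added example of that pattern, not the courts' code or a NIST reference implementation; the 15-minute validity window, the cap of five wrong guesses, the in-memory store and the user id are all choices made here for illustration.

```python
"""Account recovery without security questions: a single-use, short-lived
token delivered out of band and stored only as a hash.  Added example; not
the courts' code.  Assumed parameters: 15-minute validity, five wrong
guesses before the token is discarded, in-memory storage."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 15 * 60   # assumed validity window
MAX_ATTEMPTS = 5              # assumed guess cap per issued token


class ResetTokenStore:
    """Issues and redeems reset tokens.  Only SHA-256 digests are kept, so a
    leaked store cannot be replayed; the clock is injectable for testing."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        # user_id -> [token_digest, expires_at, wrong_attempts]
        self._pending: Dict[str, list] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id (replacing any older one) and
        return it for out-of-band delivery.  The plaintext is never stored."""
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._pending[user_id] = [self._digest(token),
                                  self._now() + TOKEN_TTL_SECONDS, 0]
        return token

    def redeem(self, user_id: str, presented: str) -> bool:
        """True exactly once, for the right token presented before expiry.
        Wrong guesses are counted; after MAX_ATTEMPTS the token is dropped,
        so an attacker can neither brute-force it nor burn it with one miss."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at:
            del self._pending[user_id]
            return False
        if hmac.compare_digest(digest, self._digest(presented)):
            del self._pending[user_id]          # single use
            return True
        entry[2] = attempts + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[user_id]
        return False


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("attorney-12345")    # constructed user id
    print("wrong guess:", store.redeem("attorney-12345", "not-the-token"))
    print("right token:", store.redeem("attorney-12345", tok))
    print("replay:", store.redeem("attorney-12345", tok))
```

The design choices are the ones the Wired passage argues for in reverse: the secret is random rather than factual, so it cannot be looked up on social media; it is different per request and per service, so one leak does not carry across accounts; and it is hashed at rest and compared in constant time, so the recovery path is held to the same standard as the password it replaces.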
And largely, it seems, because it does not understand the unique needs of its users – who are not all the same. Some may log into these sites daily, while others (like me) only once a year when it's time to pay our bar dues. (What does this 90-day reset requirement mean for an annual-only user?) Furthermore, although things have been improving over the years, lawyers are notoriously non-technical. They are busy and stressed, with little time to waste wrangling with the systems they need to use to do their job on behalf of their clients. And they are often dependent on vendors, secretaries, and other third parties to act on their behalf, which frequently results in credential sharing. In short, the New Jersey legal community has some particular (and varied) security needs, which all need to be understood and appropriately responded to in order to improve systems security overall for everyone.
But that's not what the New Jersey courts have opted to do. Instead they've imposed a sub-market, ill-tailored, laborious, and needlessly demanding policy on their users, and then blamed it on NIST. But as yet another NIST study explains, security is only enhanced when users can respect the policy enforcing it. The more arbitrary and frustrating it is, the more risky the user behavior, and the weaker the security protocol becomes.
The key finding of this study is that employees' attitudes toward the rationale behind cybersecurity policies are statistically significant with their password behaviors and experiences. Positive attitudes are related to more secure behaviors such as choosing stronger passwords and writing down passwords less often, less frustration with authentication procedures, and better understanding and respecting the significance to protect passwords and system security.
As NIST noted in a summary of the study, "'security fatigue' can cause computer users to feel hopeless and act recklessly." Yet here are the New Jersey courts, expressly implementing, for no good reason, a purposefully cumbersome and frustrating policy, one that could hardly be better calculated to overwhelm users, and which, despite its claims to the contrary, is far from a respected industry norm.
Filed Under: new jersey, nist, passwords, security
Reader Comments
The First Word
This is a very important principle to remember when designing such systems: "Security at the expense of usability comes at the expense of security."
See how security conscious we are?
Same Policy
The only thing this has done is made my passwords cycle over a few years. This is still less secure than the alternative of a long passphrase made from all lower case letters.
"Thisismyverylongpassword" is more secure than !@ABCDe
Joisey is DOOMED!
BUT OF COURSE A TECHDIRT RE-WRITER KNOWS BETTER EVERY TIME.
Re: Joisey is DOOMED!
Reset password links are often the weak link. Mostly because they make them super easy to use. Firms are really bad at people calling in on them as well. All it takes is 1 call to steal someone's account, a call to change the password.
Re: Joisey is DOOMED!
Security Theater
I see this in so many large organizations. A 90 day password rotation cycle is a complete farce. Arbitrary complexity requirements/limits and password histories make it that much worse for users, who just tune out these IT policies. What really gets me is when they limit the password length to 8 or 9 characters; my normal passwords are usually at least 15 characters long and I have many over 20.
Users end up with a piece of paper hidden somewhere at their desk or in their wallet/purse with the list of passwords they rotate through. To make matters worse, they are usually garbage passwords like Sprn$018, Smmr$018, Atmn$018 and Wntr$019.
Don't even get me started on password reset procedures.
Re: Joisey is DOOMED!
Did you read the NIST std?
What do you consider to be reasonable? And how is this case reasonable considering the environment in which it resides?
Not sure why people use caps .. it is sorta silly and makes you seem to be a bit off kilter while working on your manifesto.
Re: Same Policy
I've heard stories of workplaces with this policy.
A lot of employees did one of two things to remember their constantly changing passwords:
Wrote their passwords down and left it somewhere on their desk. (this is referred to as the 3 feet rule, where if you throw a bunch of arbitrary password rules on that make it hard to remember your password users will leave their written down password within 3 feet of their desk chair)
Re: Joisey is DOOMED!
You should read this famous XKCD comic on password strength
And the worst part is a bunch of sites still don't allow CorrectHorseBatteryStaple as a password because of it violating those password rules. Which makes requiring password switches every so many days even worse for all the reasons this comic highlights.
Re: Joisey is DOOMED!
Re: Re: Same Policy
The good news is that they've made that hard to do by having a max password length of 8 characters.
Oh my
Two things.
1) Those are very nearly the worst possible rules for secure passwords. See https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
2) Of course: https://xkcd.com/936/
Password Lunacy
Now add on top of that the fact that we have multiple systems, all with their own different password rules and change schedules.
Since no one except Rainman can remember strings of gibberish characters like that which change every 45 days, the end result is a Post-It on everyone's computer with the passwords written down on them, which defeats the entire purpose of this whole blinkered system.
Designed to fail on purpose
Now you can try to sell me a conspiracy theory that says that EVERY SINGLE SITE and organization ALL fail to grasp this basic logic ... or you can admit that the purpose of security questions is to be hacked.
That leaves only one question: are they meant to be hacked only by cops/private investigators/spies etc. who have some "good reason" to prowl through your account without some official rigmarole like a warrant? Or are they designed to be hacked by organized crime in exchange for a simple payment? That I can't be totally sure about. The abundance of overpaid spies supports the former, while the intentional profit centers built into U.S. drugs policy and prostitution policy favor the latter. It's also possible the two are indistinguishable even in principle.
Our 'secure' password policy
The user was presented a password of 9 characters with a random mix of uppercase, lowercase, numbers and special characters.........and it changed monthly.
Did we write it down? Of course we f***ing did!
Re: Re: Re: Same Policy
Re: Designed to fail on purpose
The purpose of security questions is that WHEN they get hacked, they can wave the security questions in front of a technically illiterate decision maker, to say "yes, we did due diligence and made a reasonable effort to secure the hacked data", and have them buy it, even if they are sending passwords over email and storing them in plaintext.
HOW long has it taken..
There is one site I need to pay bills, that I ALWAYS have to redo, almost every month. It can't ID my computer.
Beyond..
A Name (don't think of it as NAME, Make it Any word you want)
A REASONABLE password (Patterns work better than anything else, I have customers that have 5 email accounts they can't figure the password for) (and have Never forgotten the one I created on their computer)
DEDICATED Phone contact Phone number, OR 2.
An email address, NOT from your ISP.. OR 2.
1-2 Secret words.. I say words, because the Questions mean nothing...it's the Answer that Counts. Don't give name of your Dog, Parents, or your School...Make up a BETTER WORD.
NEVER ask for your password..ASK for it to be sent to your EMAIL..PHONE, or other location that you have already set.
MANY sites keep a list of changes you have made to your account and Data.. Which is GREAT. BUT pay attention to any EMAIL warning..
NEVER CLICK AN EMAIL YOU DON'T KNOW..GO DIRECT TO THE SITE YOURSELF. If there is a problem CONTACT THEM..Be aware you will be asked REAL questions..
Easier, and safer to do.
It's like someone in IT management decided to pick a random standard publisher and impose it on the courts state-wide. But NIST compliance won't save you from liability and so - why do that rather than an in-house standard that you developed with the needs and peculiarities of your users in mind?
Re: Joisey is DOOMED!
Re: Re: Re: Re: Same Policy
2) It must be changed weekly.
3) Do not write it down.
Longer Passwords Are Better
If Jersey is not allowing passwords longer than 8 chars, I think we can all agree that this is stupid, not user friendly, and also less secure than longer passwords.
And, of course it's, AGAIN, the opposite of NIST recommendations.
From NIST 800-63B:
"Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length."
Hacking idea
Might want to start with the presumption that anonymous access to public court records doesn’t need a password!
Re: Designed to fail on purpose
"Never attribute to malice that which is adequately explained by stupidity."
Given our current political and cultural climate, is it really THAT surprising many sites and organizations fail at security?
Plus you also have to take into account that security wasn't really that big of a thing in the early days of computing, at least not in the public sector and many of these sites and organizations are still playing catch up in that respect.
Why do some businesses continue to refuse to update their internal IT operating systems and software? Some businesses are still operating on Windows XP, for crying out loud. It's not because they're deliberately making their businesses insecure; they just don't understand the ramifications or aren't willing to spend the money and effort to actually be responsible. Being irresponsible is cheaper and easier and they are gambling they won't have any breaches.
That said, I think we are seeing a paradigm shift, especially with major organizations like Target and Equifax being hacked, they're realizing they can no longer take security so lightly, but now they're playing catch up.
And it's not "EVERY SINGLE SITE and organization". There are ones out there that do get it right. Are they in the minority? Absolutely but, like I said, that's starting to change. More places are supporting and/or requiring MFA, password policies are being updated to be more robust, along with some sites doing away with the secret questions.
Case in point, have you ever tried to recover your gmail account? The information they ask for is crazy specific. I have a throwaway gmail account I created years ago that I now can't get access to because I forgot my password and the information Google wants to know before granting me access is stuff I don't even remember. Like how long ago did you create it and when was the last time you accessed it, among others. Hell if I know the last time I accessed it was, sometime way back in high school and early college, but that's a range of at least 4 - 6 years. That's too broad and Google denies me access because I can't be more specific.
Re: Joisey is DOOMED!
Don't make a fool of yourself.
Re: Longer Passwords Are Better
NJ screwed up. Badly. If this came from their IT staff then they should fire the ones responsible.
NIST 800-53 Control Set
Control Enhancements:
(1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
I think what they may actually be referring to is CJIS, not NIST. Here is the relevant control from that set:
5.6.2.1.1 Password
Agencies shall follow the secure password attributes, below, to authenticate an individual’s unique ID. Passwords shall:
1. Be a minimum length of eight (8) characters on all systems.
2. Not be a dictionary word or proper name.
3. Not be the same as the Userid.
4. Expire within a maximum of 90 calendar days.
5. Not be identical to the previous ten (10) passwords.
6. Not be transmitted in the clear outside the secure location.
7. Not be displayed when entered.
Either way, it's a shit policy.
Re: Re: Designed to fail on purpose
Next week a bunch of first graders are going to get put on the school bus and there's going to be some little darling who gets whacked on the back of the head before he gets half a block from Mommy. "Oh, sorry, it was an *accident*." Then it's a kick to the back of the seat and cupcake icing in his hair. And he's going to get off the bus to be told by some teacher "Never attribute to malice what can be ... called an accident." Yeah. Uh-huh. Right. You know, a first grader wouldn't believe the second grader behind him was too stupid to know what he's doing. SO WHY SHOULD I BELIEVE THAT A BUNCH OF SELF-PROCLAIMED COMPUTER GENIUSES MAKING WAY MORE THAN I DO ARE DOING THE SAME IDIOTIC THINGS OVER AND OVER AGAIN BY ACCIDENT???
Re: Joisey is DOOMED!
No, that's never a reasonable policy. Especially when the max character limit is a measly 8 characters. If it's only going to be used briefly for a short period, then the better way to handle it is to disable their account automatically after a few days, once they've done what they needed to. Or grant access using time limited, temporary credentials, and require re-registration each time they need access. Or another option, issue security tokens.
No, they just know better than you.
Basically I guess what I'm getting at is almost ANY solution is better than the nonsense you've proposed. Try educating yourself on security before you make a fool of yourself. Oops, too late.
And I have a deep hate for 'Security Questions'. Years ago, we had an employee leave, on good terms, from a remote office. A few months later, we had to call the ISP to change something with the account. They required the correct answer to the Security Question answered several years earlier by the recently departed employee. Ever had to guess the Favorite Restaurant of a former employee that worked in a town 50 miles away?
Re: Re: Re: Designed to fail on purpose
If this is an improvement...
Re: Re: Re: Designed to fail on purpose
Considering the concept, if not the label, has been around long before the CIA, you'd be wrong in that assumption.
If you look for conspiracy theories you will absolutely find them. Sorry to burst your bubble but the human race is a bunch of bumbling idiots. We do stupid stuff ALL THE TIME. If you don't believe me look at history. Automatically assuming anything any government or corporation does is inherently malicious is, well, stupid. Look at the facts and weigh them on their merits.
If it was truly the case that these entities were deliberately making it easy to hack your accounts, then 1) why are so many of them implementing more security features that are much more difficult to hack such as MFA, physical security tokens, etc... and 2) if it was all a giant conspiracy then why hasn't it come to light? Seriously. You can't honestly sit there and tell me that hundreds of thousands of corporations have all plotted together to deliberately let hackers into your accounts and NO ONE has ever come forward with claims or proof of it? We're talking thousands of people who would have to be in the know for decades, there's no way that never gets out.
I'm so sorry you were bullied as a child. Maybe try to let it go now?
Intellectually dishonest much? There's a difference between "called an accident" and "explained by stupidity". Maybe try not re-wording things to fit your narrative?
A first grader deliberately doing those things is different than them happening by accident. And in those cases you bring up it's pretty easy to tell whether it was done maliciously or accidentally. Hanlon's Razor comes in when you can't easily identify whether it was malicious or stupidity. And since you think it's so obvious this is all done maliciously you must have some pretty obvious proof, right? Leaked emails? Corporate documents? Court cases? Eye-witness accounts? Anything? Bueller?
No, and neither would most adults because there is a BIG difference in evidence if something was done deliberately or by accident. Whacking someone on the back of the head, kicking their seat, and smearing frosting in their hair doesn't happen ordinarily, but if the bus hit a bump and the cupcake went flying was that malicious too? See, your result can be labeled the same if you ignore everything that led up to it.
Besides that, your schoolyard examples are really apples to oranges to what we're talking about here.
Whoever said that computer geniuses were in charge of every single corporation out there? Do you have proof of this?
And even if they are computer geniuses, that doesn't make them security geniuses as well.
And finally, because people are idiots and make mistakes, even if they are "self-proclaimed genius" (note the self-proclaimed part).
Come on man, this isn't hard.
Re: Oh my
You just had to link to XKCD didn't you? That's a half hour I'll never get back... saved only by the need to get up from my computer so I could stop looking at random pages.
You evil evil mugwump you!
I wish I could say Russia wasn't involved.
How in the world is an eight digit, basic alphanumeric passcode supposed to be more secure?
Makes you wonder who implemented the change in protocol and whether or not they were bribed by or influenced by Russians in some manner.
Re: Same Policy
Then they should be fired.
New Jersey password stupidity
Re: Re: Re: Same Policy
Writing Down Passwords Is Fine
If you can’t remember your passwords, by all means write them down. But keep those notes safe. You know how to keep your credit cards and your keys and your cash safe from being lost or stolen, right? Just keep your passwords in the same place.
Common sense, really.
Personal password policy
Likewise, truthful answers to secondary questions will always be discoverable and are likely to leak.
Therefore, a 16 character random string which increments my favorite punctuation character is what I use to protect a work account, and the answers to the secondary questions are random strings kept in a little black book.
But... dear courts, do make sure that whatever passwords are required for actually needs protection and isn’t just a public record!
Re: Writing Down Passwords Is Fine
Stealing credit cards is not so useful anymore, because people will notice quickly and cancel them, plus they require PINs. It's more practical to snap a discreet photograph of the card, including security code, and sell it online.
And in fact, people don't know how to keep their keys safe. Some people wear them fully visible on an exposed keychain. I understand it's trendy now to post pictures of one's house keys when buying a house. Do you remember when the TSA key bitting leaked similarly? (Never mind that one would have had millions of cheap cylinders to reverse-engineer even if it hadn't.)
Re: Re: Joisey is DOOMED!
To be fair, were I in charge of setting password rules on a site I wouldn't allow that one anyway, because at this point you can be sure anyone trying to crack an account would try that one early on (if not first) just in case.
The point that many sites still have stupid password rules, on the other hand, stands.
Re: Re: Re: Re: Same Policy
Re: Security Theater
Re: Personal password policy
Why not use shadow password? iirc, it is enabled by default.
The next time...
Re: Re: Personal password policy
I fought for years...
Of course, some jerks didn't get the memo, didn't read contemporary publications from NIST and still think the old security theater is still sanctioned.
Re: Re: Re: Personal password policy
Re: NIST 800-53 Control Set
The new NIST guidance (https://pages.nist.gov/800-63-3/sp800-63b.html), published June 2017, does not require password categories, explicitly discourages (SHOULD NOT) arbitrary password change requirements (e.g., password expiration), with forced password changes only encouraged when there is evidence that the password has been compromised.
They also recommend that the entered password be allowed to be displayed at the request of the user (for example, when they are alone, etc) to reduce typographical errors in password entry.
In fact, most of the recommendations they previously made have been rescinded.
This is a very important principle to remember when designing such systems: "Security at the expense of usability comes at the expense of security."
Re: Re: Re: Same Policy
And the hackers win too, because that password is guessable by the sort of botnets serious hackers use for this sort of thing in less than 4 hours.
Re: Re: Re: Re: Personal password policy
I started with the assumption that whatever I was protecting was valuable enough to steal. No password at all has been good enough for me on Techdirt, for example. If it's just a crap account, like a place I ask for tech support, I don't bother with password security.
Personal password policy
The NJ Courts can't pay enough for competence.
The -average- salary for a Chief Information Security Officer is $157K.
The highest non-judge salary permitted, as of this writing, is $152,622.50.
By keeping costs down, they reduce security. Government at work.