Real problems worth solving

Browse frustrations, pains, and gaps that founders could tackle.

A self-employed graphic designer earning $75,000/year in Colorado goes to the ACA marketplace. The cheapest Bronze plan (high deductible, limited network) is $450/month. A Silver plan with reasonable deductibles is $650/month. For a family of 3, the Silver plan is $1,800/month — $21,600/year, or 29% of gross income — before they use any healthcare. If they earn too much for subsidies (>400% FPL for a family, roughly $120K), they pay full price. A $120K household income with $21,600 in premiums, a $6,000 deductible, and 20% coinsurance means they could spend $35,000 (29% of gross) on healthcare in a bad year.

So what? For employees at large companies, the employer pays 70-80% of premiums. The employee sees $200-400/month deducted from their paycheck. A self-employed person pays the full premium themselves — often $600-2,000/month — with no employer subsidy and no group negotiating power. This creates a massive hidden tax on self-employment and entrepreneurship. Many people stay at jobs they hate specifically for health insurance (called 'job lock'). Studies estimate job lock affects 25-30% of workers who would otherwise start businesses or go freelance.

Why does this persist? The US employer-based health insurance system exists because of a 1943 IRS ruling that excluded employer-paid premiums from taxable income. Employers get a tax deduction; employees get tax-free benefits. Self-employed people get neither advantage. ACA subsidies help lower incomes but the 'subsidy cliff' means a $1 income increase can cost $5,000 in lost subsidies. The structural problem: health insurance is priced for risk pools, and a single self-employed person is the worst possible risk pool (pool of 1).

Category: finance

In Austin, TX, median 1BR rent went from $1,100 in 2019 to $1,650 in 2026. Median individual income for 25-34 year olds went from $40K to $48K. Rent-to-income ratio went from 33% to 41%. The standard financial advice — spend 30% of gross income on housing — is now impossible in 35 of the 50 largest US metros without roommates. A single person earning the median income in San Francisco ($65K), New York ($58K), or Miami ($42K) literally cannot afford a studio apartment alone.

So what? Housing unaffordability is not just uncomfortable — it restructures life decisions. People in their late 20s and 30s delay marriage (cannot afford a place together), delay children (need a 2BR, cannot afford one), delay career risks (cannot miss a paycheck when rent is 45% of income), and delay building wealth (cannot save for a down payment). An entire generation's life milestones are pushed back 5-10 years by housing costs. This is not a lifestyle preference — it is economic constraint. The birth rate is falling, entrepreneurship among young adults is declining, and homeownership rates for under-35s are at historic lows. All trace back to housing costs.

Why does this persist? Housing supply has not kept pace with demand. The US is short an estimated 4-7 million housing units. Zoning restrictions (single-family zoning, parking minimums, height limits, lot size minimums) prevent construction in the places people want to live. NIMBYism blocks new development in existing neighborhoods. It takes 3-7 years to get permits for multi-family housing in many cities. The people who benefit from high housing prices (existing homeowners) vote in local elections at 3x the rate of renters.

Category: finance

A bag of Doritos was 9.75oz in 2020 for $4.29. In 2026, the same bag is 9.25oz for $5.79. The per-ounce price went from $0.44 to $0.63 — a 43% increase. But the shelf price only looks like a 35% increase because the bag shrunk by half an ounce. This is shrinkflation: reducing product size while maintaining or increasing the sticker price. It happens across every grocery aisle — toilet paper with fewer sheets per roll, cereal boxes with less cereal, ice cream containers that went from 64oz to 48oz.

So what? Consumers budget by sticker price, not by unit price. When a box of cereal stays at $4.99 but drops from 18oz to 15.5oz, most shoppers do not notice. Their grocery bill looks stable but they are getting 14% less food. Over a year, a family of 4 loses $500-1,000 in value through shrinkflation alone — on top of the visible price increases. The CPI partially captures this through 'quality adjustment' but most consumers never see unit prices. Grocery stores display unit prices in tiny font at the bottom of shelf labels, and unit formats vary (per oz, per 100g, per count), making comparison impossible.

Why does this persist? CPG companies (PepsiCo, General Mills, P&G) prefer shrinkflation to price increases because consumers punish visible price hikes but do not notice size reductions. It is deliberate deception optimized by consumer research. The FTC has no regulation requiring consistent unit pricing or package size transparency. State-level unit pricing laws exist in only 9 states and enforcement is minimal.

Category: finance

You are an immigrant (any status: green card, H-1B, student visa) and you move apartments. Federal law (INA Section 265) requires you to notify USCIS of your new address within 10 days. Failure to do so is a misdemeanor and can be used as grounds for deportation. You go to the USCIS website to file Form AR-11 (Change of Address). The form is a single web page from 2004 that frequently times out, does not send a confirmation email, and does not update your address in the USCIS systems that matter (your pending case file). You also need to separately update your address with your local USCIS field office, with the immigration court (if you have a pending case), and with the National Visa Center (if you have a pending immigrant visa). None of these systems are connected.

So what? A single address change requires notifying 3-4 separate government entities through 3-4 separate processes. If you miss one, you may not receive your hearing notice, your biometrics appointment, or your approval notice — and failure to appear at a hearing results in an automatic deportation order. Thousands of immigrants receive in absentia deportation orders each year because a hearing notice was sent to an old address that USCIS did not update despite receiving the AR-11 form. You did everything right and were deported because a government system lost your address change.

Why does this persist? USCIS, EOIR (immigration courts), DOS (State Department), and CBP operate completely separate IT systems. AR-11 updates USCIS's person-centric database but does not propagate to the court's case-centric database. Consolidating immigrant records across agencies has been recommended by GAO since 2005 and has never been implemented. Each agency guards its data systems as bureaucratic territory.

Category: immigration

A Nigerian entrepreneur wants to attend a 3-day tech conference in San Francisco. They apply for a B-1 visa. They provide: a letter of invitation from the conference, proof of their business in Nigeria (5 employees, $200K revenue), round-trip flight booking, hotel reservation, and bank statements showing $50,000 in savings. They pay $185 in non-refundable application fees. They wait 3 months for an interview at the US Embassy in Lagos. The interview lasts 90 seconds. The consular officer says '214(b) — you have not demonstrated sufficient ties to your home country.' Denied. No further explanation. No appeal. $185 gone. They cannot attend the conference, cannot meet potential investors, and cannot grow their business relationship with American partners.

So what? The B-1/B-2 visa denial rate for Nigerian nationals is approximately 50%. For some countries (Ethiopia, Ghana, Bangladesh), it exceeds 70%. The stated reason — 'insufficient ties to home country' — is a subjective judgment made in 60-120 seconds with no written reasoning and no appeal. A consular officer glances at your documents, decides whether you look like someone who will overstay, and stamps deny. The $185 fee is collected regardless. Multiply by millions of applications: the US collects hundreds of millions in fees from people it rejects without explanation.

Why does this persist? Section 214(b) of the INA creates a presumption that every visa applicant is an intending immigrant unless they prove otherwise. The burden of proof is on the applicant. Consular officers have unreviewable discretion (doctrine of consular nonreviewability) — no court can overrule a visa denial. This gives individual officers enormous power with zero accountability. Denial rates correlate strongly with nationality and income level, not with individual risk — a Nigerian CEO with $5M in assets is denied at the same rate as someone with no assets.

Category: immigration

Your employer's immigration attorney prepares your H-1B petition. They charge the employer $5,000-8,000. The work: fill out Form I-129 (template), write a support letter explaining why the job requires a specialty degree (80% boilerplate, 20% customized), compile your educational credentials (you provide everything), and file online via myUSCIS. Total attorney time: 8-15 hours. Of those hours, 2-3 involve actual legal judgment (is this role genuinely a specialty occupation? what is the best argument for the prevailing wage level?). The rest is form-filling and document assembly.

So what? The US processes 400,000+ H-1B petitions annually. At an average attorney cost of $7,000, that is $2.8B in legal fees — for what is largely a document assembly task. Small employers who want to sponsor a great candidate are deterred by the $7,000+ legal cost on top of the $2,805 USCIS filing fees. The legal fee is a regressive tax that favors large companies (who have in-house immigration teams) over small companies and startups who must hire outside counsel.

Why does this persist? Immigration law is a guild: only attorneys can prepare immigration petitions (unauthorized practice of law). Paralegals do most of the actual work but cannot sign filings. Templates and form-filling software exist (LawLogix, Fragomen's proprietary systems) but they are sold to law firms, not to employers directly. An AI agent that could handle the 90% template work and flag the 10% requiring attorney judgment could reduce per-petition cost to $500-1,000 — but bar associations resist anything that looks like technology replacing attorneys.

Category: immigration

A 30-year-old software engineer was brought to the US at age 3. They have lived here for 27 years. They went to American schools, speak only English, pay $40,000/year in federal taxes, and have never been to their 'home country' as an adult. They are a DACA (Deferred Action for Childhood Arrivals) recipient. Their status must be renewed every 2 years at a cost of $495. If DACA is struck down by a court (as Texas v. United States is attempting), they become deportable to a country they do not know, in a language they may not speak fluently, within 60-90 days. They cannot plan more than 2 years ahead. They cannot get a mortgage easily. They cannot start a company with venture funding because investors want founders who will definitely be in the country in 5 years.

So what? There are 580,000 active DACA recipients who have lived in the US for an average of 20+ years. They are American in every way except legal status. They contribute $6.3B annually in federal taxes. But they live under permanent legal threat — one court ruling could end their authorization. This uncertainty is not just emotionally devastating; it is economically irrational. The US invested in their education (K-12, often college), they are in their peak productive years, and the immigration system is poised to deport them to countries that did not invest in them and do not want them.

Why does this persist? DACA is an executive action, not a law. It can be rescinded by any president or struck down by any federal court. The DREAM Act (which would give DACA recipients a path to permanent residency) has been introduced in every Congress since 2001 and has never passed. It has majority support in polls (70%+) and in Congress but gets blocked by the same comprehensive-immigration-reform bundling that kills every immigration bill. 580,000 people's lives depend on a policy that has no statutory foundation.

Category: immigration

You get an immigration medical exam from a USCIS-designated civil surgeon. It costs $200-500 (not covered by insurance). Blood tests, TB test, vaccination review, physical exam. You submit Form I-693 with your green card application. USCIS sits on your case for 2.5 years. Your medical exam expires (valid for 2 years from the civil surgeon's signature). You must get a new medical exam: another $200-500, another day off work, another set of blood draws. Some applicants have had to redo their medical exam 2-3 times because USCIS processing exceeded the validity period each time.

So what? The medical exam validity period is 2 years, but USCIS processing regularly exceeds 2 years. The applicant pays the cost of USCIS's slowness — literally, in repeated $200-500 medical fees. This is a direct financial penalty imposed on immigrants for the government's inability to process paperwork on time. For a family of 4, re-doing medical exams costs $800-2,000 per round. Some families have spent $3,000-5,000 on repeated medical exams alone.

Why does this persist? The 2-year validity period is set by USCIS policy (not statute — they could change it administratively). USCIS has no incentive to extend validity because the cost falls on the applicant, not the agency. Civil surgeons have no incentive to lobby for change because repeated exams are revenue. AILA has requested validity extensions during backlogs but USCIS has only granted temporary extensions during COVID, not permanent policy change.

Category: immigration

An Indian software engineer on an H-1B brings their spouse to the US. The spouse has a Master's degree in biochemistry and 8 years of research experience. On an H-4 visa, they are legally prohibited from working. They sit at home. For years. Their career atrophies. Their skills become outdated. Their professional identity erodes. Their mental health deteriorates. The Obama administration created the H-4 EAD (Employment Authorization Document) rule in 2015, but it only applies to spouses of H-1B holders who have an approved I-140 (green card petition) — which requires the primary H-1B holder to be 3-5 years into the green card process. So for the first 3-5 years, the spouse cannot work at all.

So what? There are approximately 600,000 H-4 visa holders in the US. Before the 2015 EAD rule, none could work. After the rule, approximately 200,000 became eligible — but 400,000 still cannot because their spouse's green card process is not advanced enough. These are overwhelmingly college-educated professionals (90%+ have bachelor's degrees, 50%+ have graduate degrees) who are forced into domestic dependency. The economic waste is staggering: 400,000 educated professionals unable to contribute to the economy. The personal cost is worse: depression, loss of professional identity, marital strain from forced dependency.

Why does this persist? The H-4 work authorization has been politically contested since its creation. The Trump administration attempted to revoke it in 2018 (ultimately blocked by litigation). Every election cycle, H-4 work authorization is at risk. The underlying problem is that the H-4 visa was designed in 1952 (INA) when spousal dependency was the norm. The visa structure assumes one working spouse and one homemaker — a model that is 70 years outdated.

Category: immigration

A Venezuelan family crosses the US-Mexico border and applies for asylum. They pass a credible fear screening. Their case is assigned to an immigration court. Their first hearing date: 2030. They must live in the US for 4-7 years in legal limbo — they can eventually get a work permit (after 180 days) but cannot travel, cannot access most benefits, and cannot make long-term plans. If after 5 years a judge denies their asylum claim, they are deported — having built a life, enrolled kids in school, established a community — back to the country they fled.

So what? The US asylum system promises due process (the right to present your case before a judge) but delivers a 5-year wait. During those 5 years, families live in uncertainty that causes severe psychological harm — studies show asylum seekers have 3x the rate of PTSD and depression compared to resettled refugees who have status. Children grow up American (language, culture, friends) and are deported to countries they do not remember. The system neither protects people quickly (genuine refugees wait years) nor deters false claims (anyone can file and stay for years pending a hearing). It fails everyone.

Why does this persist? There are 600 immigration judges for 3.7 million pending cases. Hiring more judges requires Congressional funding. Each judge handles 1,500+ cases per year — 4x the caseload of a federal district judge. The immigration court is part of the DOJ (executive branch), not the judicial branch, meaning judges can be pressured by political priorities. Both parties benefit politically from the dysfunction: one side uses the backlog to argue for stricter enforcement, the other side uses it to argue for more resources. Neither side fixes it.

Category: immigration

A computer science PhD graduate from MIT has spent 6 years in the US. Their OPT (Optional Practical Training) work authorization expires. They enter the H-1B lottery with their employer's sponsorship. The lottery has a 25-30% selection rate — it is literally a random drawing. They are not selected. They have 60-90 days to leave the country they have lived in for 6 years, where their apartment is, where their friends are, where their career is. They can try the lottery again next year — from outside the country.

So what? The US spends $100K+ in subsidized education per international STEM graduate (state university funding, research grants, teaching positions). Then it forces them to leave and build competing products in their home countries. The H-1B lottery is not merit-based — an MIT PhD competes in the same random lottery as a bachelor's degree holder from a less selective program. Approximately 400,000 international students graduate from US universities annually. The H-1B cap is 85,000. Simple math: most cannot stay. China and India actively recruit returning graduates through programs like China's Thousand Talents Plan.

Why does this persist? The H-1B cap of 85,000 was set in 2004 and has not been adjusted for 20+ years despite the tech economy tripling. A 'staple a green card to a STEM diploma' proposal has been discussed since 2012 but never passed Congress. Immigration reform is politically toxic — even universally popular provisions (like keeping STEM PhDs) get held hostage in comprehensive immigration bills that fail.

Category: immigration

You file an I-485 (Adjustment of Status) application to get your green card. USCIS cashes your $1,225 filing fee within 2 weeks. Then silence. You check the USCIS case status page daily: 'Case Was Received.' Every day for 14 months: 'Case Was Received.' You call the USCIS contact center. After 90 minutes on hold, an agent reads your screen: 'Your case is pending. There is no further information available.' You cannot plan your life — can you buy a house? Can you change jobs? Can you travel? You do not know if your green card will arrive in 2 months or 22 months.

So what? USCIS processes 8+ million applications per year with no meaningful status transparency. 'Case Was Received' means anything from 'sitting in an unprocessed pile' to 'actively being reviewed by an officer.' There is no queue position, no estimated completion date, no notification when it moves to the next stage. Applicants spend hundreds of hours refreshing a status page that never updates, calling a helpline that has no information, and living in legal limbo that prevents major life decisions. Immigration attorneys charge $200-400/hour to make the same phone call and get the same non-answer.

Why does this persist? USCIS is funded entirely by filing fees, not taxpayer money. When application volume drops (as during COVID), revenue drops, staff are furloughed, and backlogs grow. When volume increases, staff cannot be hired fast enough. The agency has no SLA (service level agreement), no accountability for processing times, and no obligation to provide transparency. Congress has never mandated processing time standards.

Category: immigration

An Indian software engineer on an H-1B visa at Google wants to start a company. They cannot. Their employer sponsors their green card, and the India EB-2/EB-3 green card backlog is 10-15+ years. If they quit Google, their green card application resets to zero. They must find a new employer willing to sponsor them within 60 days or leave the country. So they stay at a job they have outgrown for a decade, watching less-talented colleagues start companies, switch jobs freely, and negotiate raises with competing offers.

So what? The US immigration system turns the most ambitious immigrants — people who want to start companies and create jobs — into indentured workers. They cannot negotiate salary (leaving means deportation), cannot start companies (no self-sponsorship on H-1B), and cannot take entrepreneurial risks. Studies show that 55% of US unicorns were founded by immigrants, but these founders either waited out their green card or found workarounds (O-1 visa, marriage). The hundreds of thousands of potential founders trapped in the H-1B/green card queue never get the chance.

Why does this persist? The per-country cap (7% of green cards per country regardless of demand) means India and China have 10-15 year waits while most other countries have no wait. Eliminating the per-country cap has bipartisan support but Congress has failed to pass it for 15+ years because it gets bundled with controversial immigration reforms. The employer-tied visa structure benefits large tech companies who get below-market labor from workers who cannot leave.

Category: immigration

A US Army E-7 Sergeant First Class with 15 years of experience leaves the military. Their resume says: 'Platoon Sergeant, 3rd Battalion, 75th Ranger Regiment. Managed 42-person element. Responsible for training, readiness, and welfare. Planned and executed 200+ combat missions.' A civilian recruiter reads this and has no idea what it means. What is an E-7? Is a 'platoon sergeant' middle management? Is '42-person element' a big team or small team? The veteran is a proven operations leader with more management experience than most civilian directors — but their resume reads like a foreign language. They apply to 50 jobs and get 3 interviews, all for entry-level security guard positions.

So what? 200,000 service members transition to civilian employment annually. The unemployment rate for recent veterans (within 12 months of discharge) is 2x the national average despite having leadership, logistics, and technical skills that civilian employers desperately need. The problem is not skill — it is translation. Military occupational specialties (MOS/AFSC/NEC) do not map to civilian job titles. Military jargon on resumes triggers ATS (Applicant Tracking System) rejections because the keywords do not match civilian job descriptions.

Why does this persist? The Department of Labor's O*NET system maps military to civilian jobs but the mapping is crude (Army 11B Infantryman → Security Guard). TAP (Transition Assistance Program) is a mandatory 5-day class that covers resume writing but does not solve the systemic keyword mismatch. LinkedIn's military skills translator exists but maps MOS codes to generic categories, not specific job listings. No tool does the granular translation: 'Managed $2M annual supply budget for 42-person element' → 'Operations Manager overseeing $2M P&L for 42-employee division.'

Category: defense

A defense contractor builds a new logistics tracking application. Before it can run on a military network, it needs an Authority to Operate (ATO) under the Risk Management Framework (RMF, NIST SP 800-37). The ATO process requires: documenting 300-800 security controls, running vulnerability scans, penetration testing, writing a System Security Plan (100+ pages), and review by an Authorizing Official. This takes 12-18 months. The application was built on React 17 and Node 16. By the time the ATO is granted, React 19 and Node 22 are current. The approved versions have known CVEs. The application is 'certified secure' but actually less secure than the current versions it is not allowed to use. Updating to new versions requires a new ATO.

So what? The military's software security process guarantees that every system is running outdated, vulnerable software. The 12-18 month certification cycle was designed for hardware systems that change every 5-10 years. Modern software releases weekly. The ATO process cannot keep up. The result: military networks run Windows Server 2012, Java 8, and Internet Explorer 11 because those are the 'approved' versions. Each unpatched system is a known vulnerability that adversaries can exploit using publicly available CVEs.

Why does this persist? The ATO process is mandated by federal law (FISMA) and DoD policy (DoDI 8510.01). Changing it requires Congressional action or a DoD policy revision, both of which take years. The process was designed when software was delivered on CD-ROMs, not deployed continuously. DevSecOps and Continuous ATO (cATO) programs exist but cover less than 5% of DoD systems. The other 95% are stuck in the 18-month cycle.

Category: defense

An autonomous drone is programmed to identify and engage enemy combatants. It uses computer vision trained on images of soldiers in uniform carrying weapons. It encounters: a farmer carrying a long tool over his shoulder (classified as 'combatant with rifle' — false positive), a child holding a toy gun (classified as 'combatant' — false positive), a combatant wearing civilian clothes (classified as 'civilian' — false negative). In testing, the system has a 95% accuracy rate. In a scenario with 1,000 people, 50 of whom are combatants, a 5% error rate means: 47-48 combatants correctly identified, 2-3 combatants missed, and 47-48 civilians falsely identified as combatants. Each false positive is a potential war crime.

So what? The fundamental challenge of autonomous weapons is not 'can AI aim a gun' — it is 'can AI make the legal and moral judgment of who to shoot.' International Humanitarian Law requires distinguishing combatants from civilians (Additional Protocol I, Article 48). This is difficult for humans (Rules of Engagement require visual identification of a weapon, hostile intent, and hostile action). For AI, it is currently impossible in the real world: combatants do not wear uniforms in asymmetric conflicts, weapons can be concealed, and 'hostile intent' is a subjective judgment. A 95% accuracy rate that sounds good in a lab means dozens of dead civilians in deployment.

Why does this persist? Militaries want autonomous weapons for speed (faster than human decision-making) and scale (operate thousands of drones simultaneously). The ethical/legal barrier is real but the competitive pressure is stronger — if China deploys autonomous weapons, the US feels compelled to match. The result is a race to field systems that are not reliable enough for the legal standard they must meet.

Category: defense

A US Army platoon is operating alongside a French infantry section and a Polish reconnaissance team in a NATO exercise. The Americans use AN/PRC-163 radios with MUOS encryption. The French use Thales PR4G radios with SATURN encryption. The Polish use Radmor radios with their own encryption standard. None can communicate directly. They relay messages through a human translator at a joint coordination center who has access to all three radio nets — adding 5-15 minutes of delay to every tactical communication. In combat, 5 minutes of communication delay means the supporting artillery fires on the wrong position because the friendly force has already moved.

So what? NATO's entire value proposition is collective defense — multiple countries fighting together. But 'fighting together' requires real-time communication, and NATO has no common tactical radio standard that works across all member nations. STANAG 4691 defines interoperability requirements but compliance is voluntary and incomplete. Each nation procures radios from domestic defense contractors (Harris/L3Harris in US, Thales in France, Elbit in Israel) who have no incentive to make their radios compatible with competitors' products.

Why does this persist? Radio interoperability is a solved technical problem — software-defined radios (SDR) can implement any waveform. The barrier is crypto: each nation's encryption standards are classified and cannot be shared. A French soldier cannot use American encryption because the key material is US-classified. The coalition communication gap is not a technology problem — it is a classification/trust problem that technology alone cannot solve.

Category: defense

A US Army brigade in Europe needs 50,000 rounds of 5.56mm ammunition. The request goes from the brigade S4 (logistics officer) via email to the division G4, who enters it into GCSS-Army (Global Combat Support System), which sends it to the theater logistics command. The theater logistics command checks warehouse inventory in a different system (LMP — Logistics Modernization Program) that does not interface with GCSS-Army without manual re-entry. The ammunition is shipped from a depot in Germany. The S4 has no tracking number. They call the division G4 daily asking 'where is my ammo?' The G4 calls the depot. Nobody knows. The shipment arrives 18 days later — 6 days later than needed for a planned operation.

So what? Amazon can track a $12 package from warehouse to doorstep in real-time with sub-hour accuracy. The US military cannot track a pallet of ammunition across a continent. In a major conflict, logistics determines the outcome — battles are won by whoever can resupply faster. The US military's logistics information systems are 15-30 years old, do not interoperate, and require manual data re-entry at every handoff point. A pallet moves through 4-6 systems from request to delivery, each requiring a human to read from one screen and type into another.

Why does this persist? Military logistics software is procured through decade-long acquisition programs. GCSS-Army took 12 years and $3.8B to deploy. LMP took 14 years and $2B. Both were designed in the early 2000s. Replacing them requires another decade-long program. Meanwhile, the systems do not talk to each other because they were built by different contractors (Accenture, SAP) with no interoperability requirement in the original contracts.

Category: defense

A military commander requests satellite imagery of an enemy convoy spotted by ground forces. The request goes through NASIC, which tasks a reconnaissance satellite. The satellite must orbit to the correct position (2-6 hours), capture imagery (minutes), downlink to a ground station (30-60 minutes), process and analyze the imagery (2-4 hours), and deliver the intelligence product to the commander (1-2 hours). Total: 6-24 hours. The convoy has moved 200km. The intelligence is historical, not actionable.

So what? Satellite reconnaissance was designed for Cold War intelligence — tracking fixed installations (missile silos, airfields, factories) that do not move. Modern warfare is mobile: vehicle convoys, infantry positions, and artillery batteries relocate every 2-4 hours specifically to avoid satellite detection. The 6-24 hour satellite intelligence cycle is useless against mobile targets. Ukraine's solution: commercial drones providing real-time ISR (intelligence, surveillance, reconnaissance) at the tactical level, bypassing satellites entirely. But commercial drones have 30-minute flight times and 10km range — not enough for operational-level intelligence.

Why does this persist? Building more satellites is expensive ($500M-2B per reconnaissance satellite). Commercial satellite imagery (Maxar, Planet) offers faster revisit rates (1-4 hours) but still has analysis delays. The bottleneck is not collection — it is processing. Each satellite pass generates terabytes of imagery that must be analyzed by human imagery analysts, of which there are too few. AI-assisted imagery analysis (Palantir, Project Maven) helps but is not trusted for targeting decisions due to false positive rates.

defense

An airbase detects an incoming small drone on radar. Is it a $500 FPV drone carrying explosives or a $200 DJI Mini flown by a hobbyist who wandered into restricted airspace? The radar signature is identical. The drone is too small to visually identify at range. The base commander has 30 seconds to decide: shoot it down (risk killing a civilian, waste a $100K missile on a toy) or let it pass (risk a successful attack). In practice, most bases let it pass because the false positive rate is 90%+ — for every real threat, there are 9 hobby drones. So what? The proliferation of consumer drones has created a needle-in-a-haystack problem for air defense. Any $500 drone is a potential weapon. There are 800,000+ registered drones in the US alone and millions unregistered. Current counter-drone systems (Coyote interceptor: $100K, microwave: $1M+, laser: $500K+) are too expensive to use against every detected drone. Kinetic intercept over populated areas risks collateral damage. RF jamming affects friendly communications. There is no scalable, cheap, accurate way to detect, classify, and neutralize hostile small drones in a mixed airspace with civilian traffic. Why does this persist? Small drones have the same radar cross-section as birds. Acoustic detection works within 500m but not beyond. Visual AI classification requires line-of-sight. RF detection only works if the drone is actively communicating (autonomous drones are RF-silent). The physics of detection fundamentally favor the attacker: small, cheap, numerous objects are hard to find and expensive to neutralize.

defense

A swarm of 50 autonomous drones is deployed to surveil a battlefield. Each drone must share its position, sensor data, and target assignments with the others in real time. They communicate via radio. The adversary turns on an electronic warfare system (GPS jamming + communications jamming) across the operating area. The drones lose GPS positioning and cannot talk to each other. The swarm becomes 50 individual drones flying blind, colliding with each other, duplicating coverage, and missing targets. The entire swarm degrades to worse-than-useless in seconds. So what? Every military drone swarm concept assumes reliable communications between drones. In a contested electromagnetic environment (which is every real battlefield against a peer adversary), radio communications are degraded or denied. A swarm that requires constant communication is not a swarm — it is a fragile network that fails catastrophically when jammed. The alternative — fully autonomous pre-programmed behavior with no real-time coordination — means the swarm cannot adapt to unexpected threats or opportunities. Why does this persist? Swarm algorithms are developed in RF-clean lab environments and test ranges. The jump from 'works in a test range' to 'works under active jamming' is enormous. Solutions exist in theory: mesh networking that adapts to jamming, visual inter-drone communication (LED signaling), pre-agreed behavioral rules that require no communication (like bird flocking). But none have been tested at scale under realistic electronic warfare conditions. The military-industrial complex demos swarms on test ranges and calls them combat-ready.

defense

A Ukrainian FPV drone operator sits in a basement 5km from the front line. They pilot a $500 drone with a camera and explosive payload toward a Russian soldier. Through their VR goggles, they see the soldier's face in the final seconds before impact. They do this 5-15 times per day. After 3 months, the operator cannot sleep, has nightmares about the faces, and is rotated off the position, but there are not enough trained replacements. The intimacy of FPV drone combat (seeing your target up close, in real time, making a conscious decision to kill a specific individual you can see clearly) creates a form of trauma different from artillery or air strikes where targets are distant abstractions. So what? Every military is scaling FPV drone programs (US, China, Iran, Turkey) without addressing the psychological cost to operators. US Air Force studies of Predator and Reaper crews have documented PTSD and burnout at rates comparable to aircrew who face physical danger, because remote crews watch the aftermath in high-resolution video for hours. FPV drones make this worse: the operator is not at 15,000 feet watching a building, they are 10 feet away watching a person. As militaries deploy thousands of FPV operators, they will face a mental health crisis among personnel who are physically safe but psychologically destroyed. Why does this persist? Military culture treats psychological resilience as an individual trait, not a systemic design problem. The obvious technical mitigation is autonomous terminal guidance (the drone flies itself for the final seconds so the operator does not watch the impact), but it raises legal and policy questions: DoD Directive 3000.09 requires appropriate levels of human judgment over the use of force, and most readings of the Law of Armed Conflict expect a human decision behind each lethal engagement.

defense

A US MQ-9 Reaper drone costs $32M. It is shot down by a $50K surface-to-air missile. The defender spent 0.15% of what the attacker spent. This cost asymmetry is catastrophic at scale: in a conflict with a peer adversary, the US could lose its entire drone fleet in weeks while the adversary spends a fraction of the fleet's value on missiles. In Ukraine, Russia loses $5-10M drones to $200 FPV kamikaze drones — the Ukrainians are on the right side of the cost ratio. So what? The cost-per-kill ratio determines who wins wars of attrition. The US military's drone strategy was built for asymmetric conflicts (Iraq, Afghanistan) where the enemy had no air defense. Against a peer adversary with modern SAMs (S-400, Patriot equivalents), expensive drones are flying targets. The military needs either: (a) drones cheap enough that losing them is acceptable ($10K-50K each, not $32M), or (b) drones survivable enough to justify the cost (stealth, electronic warfare, autonomous evasion). Neither exists at scale today. Why does this persist? Defense procurement is optimized for capability, not cost. Each Reaper is loaded with sensors, communications, and weapons because the acquisition process adds requirements. A $10K surveillance drone could do 80% of what a Reaper does for 0.03% of the cost, but the Pentagon acquisition process cannot produce a $10K drone — the minimum viable procurement program costs $500M+ in overhead before a single unit is built.

defense

Google your full name. The first 5 results are data broker sites (Spokeo, BeenVerified, WhitePages, Radaris, FastPeopleSearch) showing your home address, phone number, email, estimated income, family members, and property records. This data is aggregated from public records, purchase history, app data, and breached databases. To remove it, you must visit each site individually, find their opt-out page (often deliberately hidden), verify your identity (by providing MORE personal data), and submit a removal request. Each site takes 24-72 hours to process. There are 200+ data broker sites. Removal from one does not affect the others. And removed data often reappears within 3-6 months because brokers re-scrape public records. So what? Your home address being publicly searchable enables stalking, doxxing, swatting (fake emergency calls to your address), and targeted break-ins (criminals use data brokers to find houses whose owners are on vacation). Domestic violence survivors are particularly endangered: their abuser can find their new address for free on Spokeo. Opt-out is a Sisyphean task: 200+ individual requests that must be repeated quarterly. Services like DeleteMe ($129/year) automate opt-outs but cannot cover all brokers and cannot prevent re-listing. Why does this persist? Data brokers are a roughly $250B industry. In most US states they have no legal obligation to delete data on request. Vermont, California, Texas and Oregon require brokers to register, and California's Delete Act (SB 362, 2023) directs the state privacy agency to run a single deletion-request mechanism that registered brokers must honor, but until that mechanism is operating and enforced, opt-out remains broker by broker. Each broker scrapes public records, which are genuinely public; the problem is aggregation. Your home address in a county assessor database is public record. Your phone number in a data breach is leaked data. Combining them into a searchable dossier should require consent but legally does not.

cybersecurity

You sign up for a project management tool. It asks 'Sign in with Google.' You click it. A permissions screen says: 'This app wants to: View your email address, View your Google Drive files, Send email on your behalf, Manage your calendar.' You need the tool for project management, so why does it need to send email on your behalf? You click 'Allow' because the alternative is not using the tool. You now have 40+ apps with Google OAuth access, each with permissions you granted years ago. You have no idea which apps still exist, which have been acquired, or which have had data breaches. Three of those apps were acqui-hired and their Google API access was transferred to the acquiring company, a company you never agreed to share data with. So what? OAuth was designed to give users control over data sharing. In practice, it is a 'click Allow or go away' wall. Apps request maximum permissions upfront because requesting incrementally is more work to implement. Users cannot practically audit their OAuth grants: Google's 'Third-party apps & services' page lists connected apps and the scopes each was granted, but not what data each app has actually fetched, and a granted refresh token keeps working until the user revokes it. The permission labels ('manage your calendar') are vague: the same label could cover 'read your free/busy status' or 'delete all your events.' There is no activity log showing what an app did with its access. Why does this persist? OAuth scopes are defined by the platform (Google, Microsoft) and the ones apps actually request are coarse. 'Read Gmail' (gmail.readonly) means read ALL messages, not just messages matching a specific label. Narrower scopes often do exist (Google's drive.file covers only files the app created or the user picked; gmail.metadata returns headers and labels without bodies), and both Google and Microsoft support incremental authorization, but requesting everything once is simpler to build and test, and the consent screen gives a broad scope and a narrow one the same one-line treatment. The platforms police over-broad requests mainly through app verification reviews for sensitive and restricted scopes, a process the end user never sees, and they have little incentive to make consent more granular because friction reduces developer adoption.
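
What a user (or a workspace admin) can do today is read the scope list out of the consent request before clicking Allow. The script below is an added example, not code from the page or from any tool it mentions: it parses the `scope` parameter of a Google authorization URL, flags scopes that have a documented narrower substitute, and rewrites the request to the least-privilege equivalent. The scope names are Google's public ones; the risk tiers and the substitutions are this example's own judgement, and the consent URL is constructed to match the scenario above.

```python
"""Audit the scopes an OAuth consent request asks for.

Added example; not code from the page. SCOPE_TABLE is an assumption: the
scope strings are Google's documented names, but the tier and the 'narrower'
substitute are the editor's least-privilege suggestions, not Google's.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class ScopeInfo:
    access: str               # what a token with this scope can do
    tier: str                 # identity / read / write / broad (editor's classification)
    narrower: Optional[str]   # least-privilege substitute, if one exists


G = "https://www.googleapis.com/auth/"

SCOPE_TABLE = {
    "openid": ScopeInfo("sign-in only", "identity", None),
    "email": ScopeInfo("email address", "identity", None),
    "profile": ScopeInfo("name and picture", "identity", None),
    G + "userinfo.email": ScopeInfo("email address", "identity", None),
    G + "drive": ScopeInfo("read/write every Drive file", "broad", G + "drive.file"),
    G + "drive.readonly": ScopeInfo("read every Drive file", "broad", G + "drive.file"),
    G + "drive.file": ScopeInfo("read/write only files the app created or the user picked", "write", None),
    G + "gmail.readonly": ScopeInfo("read every message", "broad", G + "gmail.metadata"),
    G + "gmail.metadata": ScopeInfo("read headers and labels, not bodies", "read", None),
    G + "gmail.send": ScopeInfo("send mail as the user", "write", None),
    G + "calendar": ScopeInfo("read/write all calendars and settings", "broad", G + "calendar.events"),
    G + "calendar.events": ScopeInfo("read/write events", "write", None),
    G + "calendar.readonly": ScopeInfo("read calendars", "read", None),
}


def scopes_from_auth_url(url: str) -> list:
    """Extract the space-separated scope list from an authorization URL."""
    query = parse_qs(urlparse(url).query)          # parse_qs decodes '+' to a space
    return query.get("scope", [""])[0].split()


def audit(requested) -> list:
    """Return (scope, finding) pairs for every scope worth a second look."""
    findings = []
    for scope in requested:
        info = SCOPE_TABLE.get(scope)
        if info is None:
            findings.append((scope, "unknown scope: look it up before granting"))
        elif info.narrower:
            findings.append((scope, f"{info.access}; narrower substitute: {info.narrower}"))
        elif info.tier == "write":
            findings.append((scope, f"write access: {info.access}"))
    return findings


def least_privilege(requested) -> list:
    """The requested scopes with each broad scope swapped for its narrower substitute."""
    out = []
    for scope in requested:
        info = SCOPE_TABLE.get(scope)
        sub = info.narrower if info and info.narrower else scope
        if sub not in out:
            out.append(sub)
    return out


# Constructed consent request matching the scenario above (not a real client_id).
AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example&response_type=code"
    "&scope=email+https://www.googleapis.com/auth/drive"
    "+https://www.googleapis.com/auth/gmail.send+https://www.googleapis.com/auth/calendar"
)

if __name__ == "__main__":
    requested = scopes_from_auth_url(AUTH_URL)
    for scope, why in audit(requested):
        print(f"{scope}\n    {why}")
    print("least-privilege request:", " ".join(least_privilege(requested)))
```

The same table drives the decision an admin makes when reviewing a workspace's connected apps: anything in the "broad" tier with a substitute available is a question for the vendor, not a grant.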

cybersecurity

The 'left-pad' npm package (11 lines of code) was unpublished by its author in 2016, breaking thousands of production builds including those at Facebook, Netflix, and Airbnb. The 'event-stream' npm package was handed off to a stranger who added a dependency ('flatmap-stream') carrying cryptocurrency-stealing malware; the poisoned version was downloaded roughly 8 million times before detection. The 'xz utils' backdoor (disclosed March 2024) was planted by a contributor who spent about 2 years gaining the trust of the sole maintainer through social engineering. In each case, one unpaid volunteer controlled code running on millions of servers. So what? Modern software is built on a foundation of packages maintained by individuals who are unpaid, unsupported, and unsupervised. The xz maintainer was a single person maintaining a compression library that, on Debian- and Fedora-family distributions, ends up inside sshd (those distributions patch OpenSSH to use libsystemd, which links liblzma). He was burned out and grateful when a 'helpful' contributor offered to share the maintenance burden; that contributor is widely assessed to have been a state-backed operation. The backdoored releases (5.6.0 and 5.6.1) had already reached Debian unstable, Fedora Rawhide and openSUSE Tumbleweed and were weeks from stable releases when a Microsoft engineer noticed sshd logins taking half a second longer than they should. There is no vetting, no background check, no security clearance for people who maintain the software that runs the internet. Why does this persist? Open-source maintainers are volunteers. Companies that profit billions from open-source software contribute almost nothing to its maintenance. GitHub Sponsors and Open Collective pay maintainers $500-5,000/year, less than minimum wage for the hours they put in. The Heartbleed bug (2014) revealed that OpenSSL, then used by about two-thirds of web servers, had one full-time developer and was receiving about $2,000 a year in donations. The economics of open source create a permanent security crisis: critical infrastructure maintained by exhausted volunteers who cannot afford to say no to 'help.'
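
None of the three incidents is fixed by tooling alone, but the event-stream case is the one where a consumer had a lever: a lockfile that pins versions and integrity hashes means a new, malicious release cannot enter a build silently. The script below is an added example, not code from the page or from npm itself. It audits a package-lock (v2/v3 layout) for entries that are not pinned to a registry tarball with an integrity hash, and verifies a downloaded tarball against npm's Subresource Integrity string (`<algo>-<base64 digest>`). The lockfile and the tarball bytes are constructed stand-ins; the allowed registry host is an assumption. Caveat a practitioner would add: an integrity hash only proves you got the bytes the lockfile recorded. The malicious event-stream release had a perfectly valid hash, so pinning buys you review time, not safety, and a dependency update with a new maintainer is the moment to spend it.

```python
"""Audit an npm lockfile and verify tarball integrity offline.

Added example, not from the page. LOCKFILE and LEFT_PAD_TGZ are constructed
stand-ins (the tarball is not a real package); REGISTRY_HOSTS is an assumption.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

REGISTRY_HOSTS = {"registry.npmjs.org"}   # assumption: the only tarball source we accept


def compute_sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in the form npm writes: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """True if data matches the SRI string; the encoded digests are compared in constant time."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in hashlib.algorithms_available:
        return False
    return hmac.compare_digest(compute_sri(data, algo), integrity)


def audit_lockfile(lock: dict) -> list:
    """Flag entries that would let a dependency change without the lockfile changing."""
    findings = []
    if lock.get("lockfileVersion", 0) < 2:
        findings.append("lockfileVersion < 2: no per-package 'packages' map to audit")
    for path, entry in lock.get("packages", {}).items():
        if path == "":                       # the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if "integrity" not in entry:
            findings.append(f"{name}: no integrity hash, tarball contents are unpinned")
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in REGISTRY_HOSTS:
            findings.append(f"{name}: resolved from {host or 'nowhere'}, not the registry")
    return findings


def verify_package(lock: dict, name: str, tarball: bytes) -> bool:
    """Check a downloaded tarball against the lockfile's pin for that package."""
    entry = lock["packages"][f"node_modules/{name}"]
    return verify_sri(tarball, entry["integrity"])


# Constructed sample data.
LEFT_PAD_TGZ = b"stand-in for the left-pad-1.3.0.tgz bytes"
LOCKFILE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": compute_sri(LEFT_PAD_TGZ),
        },
        "node_modules/flatmap-stream": {          # pulled from a git host, not the registry
            "version": "0.1.1",
            "resolved": "https://github.com/example/flatmap-stream/tarball/master",
            "integrity": "sha512-AAAA",
        },
        "node_modules/ms": {                      # no integrity field at all
            "version": "2.1.3",
            "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
        },
    },
}

if __name__ == "__main__":
    for finding in audit_lockfile(LOCKFILE):
        print("WARN", finding)
    print("left-pad matches pin:", verify_package(LOCKFILE, "left-pad", LEFT_PAD_TGZ))
    print("tampered matches pin:", verify_package(LOCKFILE, "left-pad", LEFT_PAD_TGZ + b"\x00"))
```

In CI this is the check that runs before `npm ci`: a lockfile diff that adds a non-registry `resolved` URL or drops an `integrity` field is the kind of change a human should look at.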

cybersecurity

Your bank sends a 6-digit code via SMS to verify a login. An attacker calls your carrier (T-Mobile, AT&T, Verizon), pretends to be you, says they lost their phone, and asks to transfer your number to a new SIM. The carrier rep asks for your billing address and the last 4 of your SSN, both available from data brokers for $5. The transfer goes through. The attacker now receives your SMS codes. They log into your bank, your email, your crypto exchange. Total time: 15 minutes. Total cost: $20. So what? SMS-based 2FA is the default for banking, healthcare, and government services, and the most common second factor in use because it requires no app or hardware token. But SMS was never designed as a security protocol: there is no end-to-end encryption, no authentication of the recipient beyond 'whoever currently holds the number', and no protection against SIM swapping or port-out fraud. The FBI's IC3 logged about $48M in reported SIM swap losses in 2023, and that is only reported cases. Crypto holders are particularly targeted; one SIM swap can drain a $500K wallet in minutes. Why does this persist? Banks and services use SMS 2FA because it works on every phone (no app required), users understand it (enter the code you received), and it is cheap for the service provider. TOTP apps (Google Authenticator, Authy) and hardware keys (YubiKey) are more secure but require user setup and create support burden when users lose their phone/key; of the alternatives, only origin-bound authenticators (FIDO2 keys, passkeys) also resist real-time phishing, which SMS and TOTP codes do not. Carriers have no financial incentive to prevent SIM swaps: they face no liability for fraud that results from a swapped number. The FCC adopted SIM swap and port-out protection rules in November 2023 (effective in 2024), but enforcement is complaint-driven and carriers are slow to implement.

cybersecurity

A hospital's EHR system goes dark at 6am on a Monday. Patient records are inaccessible. The ER cannot look up medication allergies. The pharmacy cannot verify prescriptions. Surgeries are canceled. Ambulances are diverted to other hospitals. A ransomware gang has encrypted every server and demands $5 million in Bitcoin. The hospital's backup was connected to the same network and is also encrypted. The FBI says do not pay. The hospital CEO knows that every hour of downtime risks patient deaths: a medication error without chart access, a delayed surgery, a diverted ambulance arriving 20 minutes later. They pay. So what? Healthcare is among the most-attacked ransomware sectors; Sophos' 2023 survey found 60% of healthcare organisations had been hit in the prior year. Average ransom payment in healthcare: $1.5M. Average total cost including downtime: $10M. But the real cost is measured in lives: in Ponemon Institute surveys roughly a quarter of attacked providers report increased mortality, and a 2023 University of Minnesota study of Medicare data estimated that in-hospital mortality for patients already admitted rises by about a third during an attack. Patients die because their doctors cannot access their medical records. Ransomware gangs know this: they deliberately time attacks for high-census periods (Monday mornings, flu season) to maximize pressure to pay. Why does this persist? Hospitals run on razor-thin margins (2-3%) and chronically underinvest in IT security. Average hospital IT security budget is around 6% of IT spend vs 15% in financial services. Medical devices (MRI machines, infusion pumps) run outdated operating systems (Windows XP, embedded Linux); vendors routinely say patches need FDA re-certification, although FDA guidance states that routine cybersecurity patches generally do not, so in practice the devices simply go unpatched. Network segmentation between clinical and administrative systems is poor because clinicians demand seamless access, and backups are too often online and domain-joined, so they are encrypted alongside everything else. The attack surface is enormous and the security budget is tiny.
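
Isolated backups are the recovery answer; the detection answer is catching the encryption phase while it is still a few hundred files into a few hundred thousand. Ransomware leaves two cheap-to-measure fingerprints on a file server: one process renames many files to a new extension in a short burst, and the rewritten contents have near-maximal byte entropy. The block below is an added example, not code from the page or from any EDR product. It runs that two-signal rule over a constructed file-activity feed (a clinician editing notes, and a rogue process rewriting charts on an application server); every threshold is an assumption to tune per environment, and a real deployment would read events from the file-audit or EDR pipeline instead of the inline list.

```python
"""Detect ransomware-style mass encryption from file-activity telemetry.

Added example, not code from the page. EVENTS is constructed; `window`,
`min_files`, `ratio` and `entropy_floor` are assumptions to tune per site.
Event shape: (ts_seconds, host, process, old_path, new_path, content_sample).
"""
import hashlib
import math
import os
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: English text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window=60, min_files=20, ratio=0.8, entropy_floor=7.0):
    """Return the (host, process) actors that, inside one `window` of seconds, touched at
    least `min_files` files of which `ratio` both changed extension and look encrypted."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev[1], ev[2])].append(ev)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_files:
                continue
            ext_changed = sum(os.path.splitext(e[3])[1] != os.path.splitext(e[4])[1] for e in win)
            encrypted = sum(shannon_entropy(e[5]) >= entropy_floor for e in win)
            if ext_changed >= ratio * len(win) and encrypted >= ratio * len(win):
                alerts.append(actor)
                break                                     # one alert per actor is enough
    return alerts


def _pseudo_ciphertext(seed: int, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file (constructed)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


_TEXT = b"Patient: J. Doe. Allergies: penicillin, latex. Meds: metformin 500mg bid. " * 12

# Constructed feed: five Word saves spread over minutes, then 25 chart files renamed to
# .locked and rewritten with ciphertext within 25 seconds by one process on one host.
EVENTS = [
    (1700000000 + i * 40, "WS-ER-07", "winword.exe",
     f"C:/Notes/note{i}.docx", f"C:/Notes/note{i}.docx", _TEXT)
    for i in range(5)
] + [
    (1700000100 + i, "EHR-APP01", "update.exe",
     f"D:/Shares/Charts/pt{i}.pdf", f"D:/Shares/Charts/pt{i}.pdf.locked", _pseudo_ciphertext(i))
    for i in range(25)
]

if __name__ == "__main__":
    print("text entropy:       %.2f" % shannon_entropy(_TEXT))
    print("ciphertext entropy: %.2f" % shannon_entropy(_pseudo_ciphertext(0)))
    print("alerts:", detect_mass_encryption(EVENTS))
```

Requiring both signals is what keeps this usable: a backup job or a compression tool produces high-entropy writes without renames, and a bulk rename of scans produces renames without entropy change, so either alone pages someone every night. The response action that makes the detection worth having is automatic: kill the process and pull the host's SMB sessions, because by the time a human reads the alert the file count has doubled.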

cybersecurity

An employee uses 'Company2024!' as their Active Directory password. They also use 'Company2024!' on their personal LinkedIn, their kid's school portal, and a cooking recipe site. The recipe site gets breached (it was a WordPress site with a 3-year-old plugin). The breached credentials are published on a dark web dump. An attacker finds the email address matches a corporate domain, tries the password on the company's VPN, and they are in. The employee did not violate any policy: most companies require 'unique passwords' but cannot enforce it for personal sites. So what? Stolen credentials are the most common initial access vector in corporate breaches, and the Verizon DBIR attributes roughly 80% of basic web application attacks to them; credential stuffing (replaying breached passwords from one site against another) is how a recipe-site breach becomes a VPN login. The problem is not technical, it is behavioral. Companies can enforce password complexity on corporate systems but cannot control what employees do on personal sites. MFA on corporate systems helps, but push-based MFA is bypassed through MFA fatigue (repeated push notifications until the user approves) unless number matching or a phishing-resistant factor is required. Why does this persist? SSO and MFA protect corporate applications but do not protect the human who reuses passwords. Breach monitoring services (SpyCloud, Have I Been Pwned) can detect when corporate emails appear in dumps, but they detect after the breach, not before the reuse; checking a new password against breach corpora at the moment it is set (as NIST SP 800-63B recommends) catches the reuse earlier. The root cause is that humans cannot remember 50+ unique passwords and will always take shortcuts. Password managers help but corporate adoption is far from universal, and even among users who have them, many still reuse their 'easy' password on low-stakes sites that never get saved to the manager.
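
The check that catches 'Company2024!' at password-set time is a breach-corpus lookup, and the interesting part is how to do it without shipping the password (or its full hash) to whoever runs the corpus. Have I Been Pwned's Pwned Passwords API uses a k-anonymity range query: the client sends only the first 5 hex characters of the password's SHA-1 and gets back every stored suffix in that bucket, so the server learns nothing it can use. The block below is an added example, not code from the page or from HIBP. Both sides are implemented locally: `range_lookup` stands in for the server over a tiny constructed corpus (not real breach data), and `pwned_count` is the client that sends the prefix and matches the suffix at home. Wiring it to the real service means replacing `range_lookup` with an HTTPS GET to the range endpoint; the rest of the client does not change.

```python
"""k-anonymity breach-corpus lookup, as used by Pwned Passwords.

Added example, not code from the page. CORPUS is constructed (not real breach
data) and range_lookup is a local stand-in for the server; the response shape
(uppercase hex suffix, colon, count, CRLF-separated) mirrors the real API.
"""
import hashlib

CORPUS = {
    "Company2024!": 3411,
    "password": 9000000,
    "Summer2024": 120,
    "correct horse battery staple": 7,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-char prefix -> [(35-char suffix, count), ...]
_INDEX = {}
for _pw, _count in CORPUS.items():
    _h = sha1_hex(_pw)
    _INDEX.setdefault(_h[:5], []).append((_h[5:], _count))


def range_lookup(prefix: str) -> str:
    """Server side: given 5 hex chars, return every stored suffix:count in that bucket."""
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(_INDEX.get(prefix, [])))


def pwned_count(password: str, lookup=range_lookup) -> int:
    """Client side: send only the hash prefix, match the suffix locally.
    Returns how often the password appeared in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable_password(password: str, min_len: int = 12, lookup=range_lookup):
    """Policy hook for a password-set endpoint: length floor plus breach-corpus check."""
    if len(password) < min_len:
        return False, "too short"
    seen = pwned_count(password, lookup)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Company2024!", "Summer2024", "a-long-unique-passphrase-nobody-else-uses"]:
        print(f"{candidate!r}: {acceptable_password(candidate)}")
```

The query is k-anonymous because every prefix bucket holds many unrelated hashes (hundreds in the real corpus), so the server cannot tell which one the client cared about; the client never transmits the password, the full hash, or whether it matched. Rejecting a breached password at set time is the one place this check is cheap; doing it at login time against an existing password is where the SpyCloud-style feeds fit.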

cybersecurity

You buy a $30 Wyze or generic IP camera on Amazon for your front door. You connect it to Wi-Fi and download the app. The camera now streams video of your front door, and everything visible from it, to a cloud server. Where? You do not know. The privacy policy says 'servers in the United States' but network analysis shows connections to Chinese IP addresses (Alibaba Cloud, Tencent Cloud). The camera firmware has not been updated in 18 months. It has known vulnerabilities (CVEs published on NVD) that allow remote access. An attacker, or the manufacturer, can watch your front door, see when you leave and return, identify your visitors, and monitor your daily pattern. You paid $30 for a surveillance device pointed at yourself. So what? There are an estimated 70+ million consumer security cameras in US homes. A large share are manufactured by Chinese companies (Hikvision, Dahua, or white-label OEMs using the same firmware). The FCC barred new equipment authorizations for Hikvision and Dahua in November 2022 on national security grounds, but millions of installed cameras remain operational, streaming to servers controlled by companies with legal obligations to assist state intelligence work under China's National Intelligence Law. The cameras that people buy for security are themselves a security vulnerability. Why does this persist? Consumers buy on price. A $30 camera outsells a $120 camera 10:1. Manufacturing in China is cheap and so is the cloud infrastructure behind the app. American/European alternatives (Arlo, Ring) are 3-5x more expensive, and some brands sold as Western (Eufy is Anker's) are Chinese-owned anyway. Consumers cannot evaluate firmware security; there is no widely used 'nutrition label' for IoT device security yet (the FCC's voluntary Cyber Trust Mark is an attempt at one).
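
The 'network analysis' step in the entry is something a home user with a router that exports flow logs can actually do, and it is the basis for the only control that works regardless of firmware: put the camera on its own VLAN, let it reach the endpoints it needs during setup, and alert on anything else. The block below is an added example, not code from the page or from any router vendor. It parses a constructed flow log in a common firewall CSV shape, totals outbound bytes per destination for one device (LAN traffic excluded), and reports destinations outside an operator-built allowlist, largest talker first. The camera MAC, the TEST-NET addresses, the ports and the allowlist are all assumptions; the allowlist is what an operator learns by watching the device for a week, not anything a vendor publishes.

```python
"""Audit what a camera on the home network actually talks to.

Added example, not from the page. FLOW_LOG is constructed (router/firewall
CSV shape, RFC 5737 documentation addresses); CAMERA_MAC, LOCAL_NET and
ALLOWED are assumptions an operator would fill in for their own network.
"""
import ipaddress
from collections import defaultdict

FLOW_LOG = """\
ts,src_mac,dst_ip,dst_port,proto,bytes_out
1700000000,aa:bb:cc:dd:ee:01,192.168.1.1,53,udp,120
1700000001,aa:bb:cc:dd:ee:01,203.0.113.10,443,tcp,850000
1700000002,aa:bb:cc:dd:ee:01,198.51.100.7,8883,tcp,4200
1700000003,aa:bb:cc:dd:ee:01,203.0.113.10,443,tcp,910000
1700000004,aa:bb:cc:dd:ee:01,192.0.2.55,32100,udp,73000
1700000005,aa:bb:cc:dd:ee:02,192.168.1.20,445,tcp,1500
"""

CAMERA_MAC = "aa:bb:cc:dd:ee:01"
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
ALLOWED = {("203.0.113.10", 443)}   # assumed: the vendor endpoint observed during setup


def parse_flows(text: str):
    """Yield one dict per CSV row with ts, dst_port and bytes_out as ints."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["ts"] = int(row["ts"])
        row["dst_port"] = int(row["dst_port"])
        row["bytes_out"] = int(row["bytes_out"])
        yield row


def egress_summary(flows, mac: str) -> dict:
    """Bytes sent per (dst_ip, dst_port) by one device; LAN destinations are ignored."""
    totals = defaultdict(int)
    for flow in flows:
        if flow["src_mac"] != mac:
            continue
        if ipaddress.ip_address(flow["dst_ip"]) in LOCAL_NET:
            continue
        totals[(flow["dst_ip"], flow["dst_port"])] += flow["bytes_out"]
    return dict(totals)


def unexpected_egress(summary: dict, allowed: set) -> list:
    """(dst_ip, dst_port, bytes) for destinations not on the allowlist, biggest talker first."""
    hits = [(ip, port, total) for (ip, port), total in summary.items() if (ip, port) not in allowed]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    summary = egress_summary(parse_flows(FLOW_LOG), CAMERA_MAC)
    for ip, port, total in unexpected_egress(summary, ALLOWED):
        print(f"camera -> {ip}:{port}  {total} bytes  NOT ALLOWLISTED")
```

Two of the constructed flows are the kind that matter: a persistent connection on an MQTT-style port and a large UDP upload to an unrelated address. Whether such destinations are benign is a question for a whois lookup and the vendor's documentation; the point of the audit is that the answer comes from the wire, not from the privacy policy, and that the deny rule for everything not on the list is what protects the household when the 18-month-old firmware finally gets exploited.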

cybersecurity