``Patients at VA health centers were given incorrect doses of drugs, had needed treatments delayed and may have been exposed to other medical errors due to the glitches that showed faulty displays of their electronic health records, according to internal documents obtained by The Associated Press under the Freedom of Information Act. The VA's recent glitches involved medical data — vital signs, lab results, active meds — that sometimes popped up under another patient's name on the computer screen. Records also failed to clearly display a doctor's stop order for a treatment, leading to reported cases of unnecessary doses of intravenous drugs such as blood-thinning heparin. According to interviews and the VA's internal memos, the glitches began after the VA distributed its annual software upgrade last August. By early October, hospitals began reporting the troubling problems: When doctors pulled up electronic records of different patients within 10 minutes of each other to offer treatment advice, the medical information of the first patient sometimes displayed under the second person's name. In some records, a doctor's stop order for intravenous injections also failed to clearly display.'' http://www.msnbc.msn.com/id/28655104/ No explanation of what caused the software problem, which was reportedly fixed in December. [Also noted by Danny Burstein, who added that this was not disclosed to patients by the VA. PGN]
Excerpt: FRUSTRATED Queensland police are turning a blind eye to crime to avoid time-consuming data entry on the force's new $100 million computer system. Queensland Police Union vice-president Ian Leavers said the system turned jobs that usually took an hour into several hours of angst. He said police were growing reluctant to make arrests following the latest phased roll-out of QPRIME, or Queensland Police Records Information Management Exchange. "They are reluctant to make arrests and they're showing a lot more discretion in the arrests they make because QPRIME is so convoluted to navigate," Mr Leavers said. He said minor street offences, some traffic offences and minor property matters were going unchallenged, but not serious offences. http://www.news.com.au/couriermail/story/0,23739,24723327-952,00.html Steven J Klein, Your Mac & PC Expert, Phone: (248) YOUR-MAC or (248) 968-7622 [p prime and q prime are of course the basis for public-key crypto. QPRIME by itself sounds like public-free flip-tow. PGN]
Lisa Rein and Josh White, More Groups Than Thought Monitored in Police Spying, *The Washington Post*, 4 Jan 2009 http://www.washingtonpost.com/wp-dyn/content/article/2009/01/03/AR2009010301993_pf.html The Maryland State Police surveillance of advocacy groups was far more extensive than previously acknowledged, with records showing that troopers monitored - and labeled as terrorists - activists devoted to such wide-ranging causes as promoting human rights and establishing bike lanes. Intelligence officers created a voluminous file on Norfolk-based People for the Ethical Treatment of Animals, calling the group a "security threat" because of concerns that members would disrupt the circus. Angry consumers fighting a 72 percent electricity rate increase in 2006 were targeted. The DC Anti-War Network, which opposes the Iraq war, was designated a white supremacist group, without explanation. [...]
http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2009/01/07/national/w123829S48.DTL&tsp=1 The US Army said today that 7,000 family members of soldiers killed in recent wars were sent letters addressing them as "John Doe". The U.S. Army Human Resources Command's Casualty and Mortuary Affairs Center in Alexandria, Va. issued a formal apology for what they described as a contractor's error. The contractor had used a placeholder greeting of "Dear John Doe" in the letter, which was to have been automatically replaced by the specific names and addresses of the survivors but somehow wasn't. Army Chief of Staff Gen. George W. Casey, Jr. is said to be sending a personal letter to the families who received the improperly addressed letters.
Greetings. Since I occasionally post audio (and more recently video) commentaries and other features on the Web, and have been doing so for a number of years, I've been becoming increasingly concerned about the phenomenon of what I might call "audio and video media haters" in the Internet environment. I'm beginning to see some significant related risks. Without fail, after each of my posting announcements of an audio or video presentation, I get e-mail from people that amount to variations on: "I refuse to watch video [listen to audio] on the Net. Please make a text-only version of all your materials available." Such messages have been particularly notable for this week's "Stimulus or Ripoff" - "Network Neutrality in 30 Seconds - Part 3" video segment ( http://lauren.vortex.com/archive/000494.html ), which I announced a couple of days ago. The reactions to the announcement of this particular video are a perfect example of my concern. Without the accompanying video track, and especially its animations, the entire humor of the piece, and even the key punch line itself, would be completely lost. The short narration script alone might be interesting to Net Neutrality intelligentsia, but the piece is designed to try to reach a much broader audience, and the visuals are key to driving home the concepts (to those who have seen the video, no pun is intended by the term "driving" in this case!). There are of course legitimate accessibility concerns with all media. Unfortunately, I have not found available captioning tools, for example, to be entirely practical at this stage. In some of my very early audio efforts, I did make scripts available, and then ran into a wall trying to note tone of voice (sarcasm, etc.) in a way that would make sense. Without such notations, I found that some readers were misunderstanding the intent of the pieces. And while it's certainly possible to write commentary without tone of voice sarcasm, it can be quite constraining in an audio presentation.
As the powerful capabilities of video to entertain, inform, explain, and convince grow — video is increasingly a sort of default "coin of the realm" in many ways on the Internet — it seems likely that the sorts of issues and concerns described above will be exacerbated. I don't claim to possess any magic wand solutions to this, though I have some relevant ideas. But I do believe we'd be very foolish to declare such matters as insignificant or unworthy of study. The ways in which people react to new forms of media have always been important, sometimes in political contexts that have affected untold millions of lives over the centuries. Video on the Web will not be an exception. Lauren Weinstein firstname.lastname@example.org +1 (818) 225-2800 http://www.pfir.org/lauren Network Neutrality Squad http://www.nnsquad.org Blog: http://lauren.vortex.com PRIVACY Forum - http://www.vortex.com
The decreasing size of electronics has made all kinds of devices from fantasy practical. Look around at audio and video recorders that fit in pens, packs of gum, etc.: http://gadget.brando.com.hk/prod_list.php?dept_id=001&cat_id=024 Now, that stuff is specialized and hardly mass market. One can even imagine attempts to outlaw it. But there's a really neat gadget, the Pulse Smartpen by Livescribe - http://www.livescribe.com/ - that *is* mass market. This is a pen with 2 or 4GB of memory, a microphone, an optical scanner at the pen tip, and a small LCD display. You write on special paper - you can print your own - and it records "digital ink" of what you wrote and time-syncs it with the recording. Later, you can review what you wrote and listen to what was being said at the same time. Sold today as a device for note-taking - but Livescribe was apparently started by a bunch of ex-Apple guys, and they are thinking big. There's an SDK so you can use the thing as a "pen computing environment". For example, they include a calculator: Write down an arithmetic problem and the answer appears on the LCD. Anyway ... besides the intended uses, with this kind of thing in millions of pockets - you should expect that anything you say will be recorded. Not all bad, of course - we'll certainly have some more cops caught lying on the stand about their interrogation techniques, as has happened of late with cell phones. But the overall effects on our ideas of privacy are hard to predict. People treated mail and chat and such as equivalents of speech - transitory and private. Reality - and the courts - have shown us that these are permanent, searchable records. Actual speech is about to cross over into the same territory. Welcome to the Panopticon.
Last year I signed up for Zipcar, a car sharing service that operates in the Boston area (among other cities). It seemed good to support such an enterprise--and it might come in handy. OK, so one day my car is in the shop and I need to get to work. I rent a Zipcar for the day, drive to work, park, work my day, return the car to its parking place, walk home. Cool. A month later I get an e-mail from Zipcar telling me I am being charged for my parking ticket. Charged for the fine, plus an extra $20 for handling. What ticket!? I don't remember getting a ticket. I check the address of the violation. Nope, I never went to that Cambridge neighborhood. I don't know where the error occurred. Did the Cambridge police get the plate number wrong? Did they get the date wrong? Did Zipcar match up plate number to the wrong car? Zipcar uses an RFID/proxcard system to unlock and lock their cars. Somehow they communicate to each car to tell it what proxcard is authorized per their reservation records. They have told me what time I picked up the car--supposedly I picked up the car 4 minutes before the reservation time. That is odd. I don't claim to always be on time (ask my wife) but I am a bit of a time nerd and always know how late I am; my watch is usually within 10 seconds of the correct time. Even before I had my coffee, I am quite sure I didn't pick up my first Zipcar 4 minutes early; I would have been startled that they let me have the car early. So I don't trust their time stamping. Getting this cleared up might be difficult. The risk: By sharing cars, if all the computer and human systems don't work right, we risk also sharing parking tickets (and other liabilities?) that are not shouldered by their rightful violators... kb, the Kent who is $60 guilty until he can prove himself innocent.
... Legislator Ker said the computer crash lasted far too long and had jeopardized national security as well as the nation's image... National Immigration Agency Chief Hsieh said "faulty hard drives" were responsible ... in the meantime, to prevent criminal suspects from seizing the opportunity to flee Taiwan, his agency had provided a list... http://www.taipeitimes.com/News/front/archives/2009/01/07/2003433115 Fortunately former President Chen "Count the towels" Shuibian is safely behind bars and won't be making a break for it. [I presume no Count was ennobled thereby. PGN]
RISKS readers may be interested in the following presentation by Tony Hoare [Sir Anthony C. A. R. Hoare] at the upcoming QCon London 2009: Abstract: I call it my billion-dollar mistake. It was the invention of the null reference in 1965. At that time, I was designing the first comprehensive type system for references in an object oriented language (ALGOL W). My goal was to ensure that all use of references should be absolutely safe, with checking performed automatically by the compiler. But I couldn't resist the temptation to put in a null reference, simply because it was so easy to implement. This has led to innumerable errors, vulnerabilities, and system crashes, which have probably caused a billion dollars of pain and damage in the last forty years. In recent years, a number of program analysers like PREfix and PREfast in Microsoft have been used to check references, and give warnings if there is a risk they may be non-null. More recent programming languages like Spec# have introduced declarations for non-null references. This is the solution, which I rejected in 1965. http://qconlondon.com/london-2009/presentation/Null+References:+The+Billion+Dollar+Mistake
I am writing partly to vent my frustration but mainly in the vain hope someone on the IP list can help me out. My Facebook account was hacked approximately 40hrs ago. I discovered this when I was called by a concerned friend who wanted to confirm that I was being held at gunpoint in London and desperately needed him to wire me cash (via Western Union) so I could escape the country and return to Australia. Of course, I was not in London, and it was not me he was chatting to on Facebook. I immediately attempted to log into Facebook, but the password had been changed. So I tried to reset the password, but the e-mail address linked to my Facebook account had also been changed. I could not access my account. I spent an hour scanning the Facebook site looking for a contact phone number. No such luck. I completed 2 different incident reporting forms, and received auto-confirmations. I then scanned their T+Cs and Privacy notices and discovered the email@example.com e-mail address and sent an e-mail to that address. 40 hours later, I have had no response from Facebook, and I have been alerted by friends that the perpetrators are still active on my account, initiating chats with people begging for help and a money transfer. I just alerted several authorities in Australia (though it is now 1.30am in Sydney, so had to use online forms). Unfortunately, the Australian Federal Police (who do have a 24hr hotline) couldn't help me (they referred me to a Scam Watch service!). So I am asking whether anyone on the IP list has a direct contact with an appropriate stakeholder at Facebook, or some specific advice on who I might contact in the US to get the account suspended and the perpetrators locked out (or, better, traced and apprehended). Mark Neely, Master Strategist, Infolution Pty Ltd 'Beyond Strategy. Leading Change' e: firstname.lastname@example.org m: +61 (0)412 0417 29 skype: mark.neely Read my blogs --> www.infolution.com.au IP Archives: https://www.listbox.com/member/archive/247/=now [A follow-up note in IP from Chris Kelly <email@example.com> indicated that Facebook had disabled the account while they are attempting to pinpoint the perpetrators. PGN]
This is both an accounting of experience and a warning away from a vendor. I recently purchased 2 Samsung Blu-Ray DVD players: a BD-P2500, and a BD-P1500. Both have Internet connections for firmware updates and Blu-Ray Live. The BD-P2500 also supports live streaming of Netflix content. A couple of days after Christmas, the 2500 froze up. I could not get it to respond to anything, including the factory reset code. I contacted Samsung and was given information to send the player in for service. They've had it for nearly 2 weeks with a status of "waiting for parts." It has now been broken longer than it was working. The 1500 came up with a message on Thursday that a firmware update was available. So, I initiated the download. It went without error, according to the display. After completion, it too was dead in the water — no response to anything. So, I called Samsung again. The problem was escalated in customer service. This is what I got told: 1) There was a bad update put on the servers, and many players that got the download have frozen up. 2) They do not have a fix for it at the current time and do not know when one will be available. 3) I should check their WWW site once a week to see when an update is available. "It should almost certainly be within a month." 4) Even though it is their fault for putting up a bad firmware update, if I am required to send in the player, it is out of warranty for service so it is my own expense. I wonder how many other people around the world are stuck with non-functional players and a vague answer about the fix? And the best they can do is have me check the WWW site once a week to see when they are ready for me to pay to install a fix to a problem they caused in the first place. What a crock! Needless to say, I will probably not buy another Samsung product. You might want to consider this as a big red flag in your own purchasing decisions -- the risk of bad updates and really bad customer service.
Last year I started a small investment fund. Earlier today I sent out an e-mail to a mailing list for all the investors reminding everyone to send me their SSN or Tax ID number, which I needed in order to complete the tax filings for the fund. The investors are mostly tech-savvy people who are better educated about computer risks than most, and I am a long-time RISKS reader. So in order to ensure that no one thought this was a phishing expedition, I signed the message with my PEM key. I then went to run some errands. When I returned there was a message in my inbox from one of the investors saying, "Would you please delete the message with my SSN in it from the mailing list archives?" Apparently he saw my digital signature and thought that meant he didn't have to worry about security any more, so he just hit "reply" on his mail client and typed in his SSN — which was of course sent out to the entire mailing list. When I went to delete the message in question I found that it had spawned a rather extensive discussion thread about the risks of blindly hitting the "reply" button and what could be done to mitigate them. Every message in the thread contained a copy of the previous message. I did eventually manage to delete them all from the archives, but there are now dozens of copies of this poor man's SSN sitting in various people's mail boxes, e-mail logs, etc. etc. which are of course out of my (and his) control.
A bit late in the game, but a welcome move — "Electronic voting machines used in 18 New Jersey counties will be refitted with attachments to provide a paper trail that could be used for potential recounts, Secretary of State Nina Mitchell Wells has decided. Wells made her decision Monday, accepting the recommendation of a special voting machine examination committee, and making a change sought by activists who contended that electronic voting machines are vulnerable to hackers." ... rest: http://www.nj.com/news/index.ssf/2009/01/nj_officials_order_paper_trail.html
[Source: Tamar Lewin, *The New York Times*, 20 Nov 2008] Good news for worried parents: All those hours their teenagers spend socializing on the Internet are not a bad thing, according to a new study by the MacArthur Foundation. "It may look as though kids are wasting a lot of time hanging out with new media, whether it's on MySpace or sending instant messages," said Mizuko Ito, lead researcher on the study, "Living and Learning With New Media." "But their participation is giving them the technological skills and literacy they need to succeed in the contemporary world. They're learning how to get along with others, how to manage a public identity, how to create a home page." The study, conducted from 2005 to last summer, describes new-media usage but does not measure its effects. ... http://www.nytimes.com/2008/11/20/us/20internet.html
secappdev.org is excited to announce SecAppDev 2009, an intensive one-week course in secure application development. secappdev.org is a non-profit organization dedicated to improving security awareness and skills in the developer community. The course is a joint project with K.U. Leuven and Solvay Brussels School of Economics and Management. SecAppDev 2009 follows the widely acclaimed courses in 2005, 2006, 2007 and 2008, attended by an international audience from a broad range of industries including financial services, telecom, consumer electronics and media. In order to offer an effective learning environment, we limit the number of participants. This allows for optimal interaction between participants and faculty. The course is taught by leading experts including
- Dr. Gary McGraw, the Cigital CTO, inspired speaker and prolific author.
- Prof. Dr. Daniel Bernstein whose Internet applications have impeccable security credentials.
- Prof. dr. ir. Bart Preneel who heads COSIC, the renowned crypto lab.
- Ken van Wyk, well-known author and lecturer as well as the moderator of the SC-L.
The course takes place from March 2nd to March 6th in the Groot Begijnhof in Leuven, Belgium, a UNESCO World Heritage site. Registration is on a first-come, first-served basis. Early Bird registration offers a 25% discount on the course fee and ends on January 15th. Public servants can attend the course at a 50% discount. [Sorry not to get to this issue of RISKS until the day after the Early-Bird deadline. If you apply after seeing this message here, tell them you saw it in the 16 Jan RISKS, and maybe they can give you a break. Johan, Please give them a break! Dank U wel. PGN] More information on the web site, http://secappdev.org. Wishing you a safe, happy and secure 2009, Johan Peeters, Program Director, http://secappdev.org
BKIPOPSO.RVW 20081128 "Intellectual Property and Open Source", Van Lindberg, 2008, 978-0-596-51796-0, U$34.99/C$34.99 %A Van Lindberg %C 103 Morris Street, Suite A, Sebastopol, CA 95472 %D 2008 %G 978-0-596-51796-0 0-596-51796-3 %I O'Reilly & Associates, Inc. %O U$34.99/C$34.99 800-998-9938 707-829-0515 firstname.lastname@example.org %O http://www.amazon.com/exec/obidos/ASIN/0596517963/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0596517963/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0596517963/robsladesin03-20 %O Audience i Tech 2 Writing 2 (see revfaq.htm for explanation) %P 371 p. %T "Intellectual Property and Open Source" The preface states that this book provides documentation for the legal system, obviously intending that it be addressed to a technical audience, explaining to them what the legal operations are (as related to intellectual property, or IP). Chapter one outlines the legal categories of IP (patent, copyright, trademark, and trade secret), as well as reviewing general economic theory, and the philosophy of knowledge as a type of material "good." Patent documents are explained, in chapter two, in terms of file formats. The important concepts of invention (as claim) versus embodiment, conception versus reduction to practice, and first to file as opposed to first to invent are also defined. What is, and isn't, patentable is covered in chapter three. The details, requirements, and limits of copyright are in chapter four. Chapter five points out that trademark has value not only for the company, but also for the customer. The discussion of trade secret, in chapter six, notes the factors involved in the utility of a trade secret. This chapter also examines some issues of open source software for the first time, since the preceding material is fairly generic. Chapter seven looks at contracts and licences, a number of issues of which are important to open source. 
Using an interesting (and useful) analogy of the difference between banks and credit unions, chapter eight notes the economic and legal basis for open source software, and why (and where) it works. (The licencing discussion is also extended here.) The factors involved in ownership of intellectual property (whether on the part of the individual, company, or work-for-hire) are examined in chapter nine. Chapter ten notes terms, and provides examples, of open source licences. Some very interesting implications of accepting code patches are noted in chapter eleven. Chapter twelve extends chapter ten's content, specific to the General Public License (GPL). Chapter thirteen briefly looks at the process of reverse engineering, but is primarily concerned with the legality of the operation. The establishment of non-profit organizations, and particularly in relation to the benefit for open source projects, is outlined in chapter fourteen. Appendices provide various samples of legal documents. The writing is articulate, and the material reasonably comprehensive. The organization leaves a little bit to be desired. The book is almost two books, one on IP and one on open source, and it's not clear why chapters seven, ten, and twelve are distinct (and separated). However, this is a valuable guide for anyone in the technical world who wishes to know about legal issues of intellectual property, and particularly for anyone in, or contemplating, an open source project. copyright Robert M. Slade, 2008 BKIPOPSO.RVW 20081128 email@example.com http://victoria.tc.ca/techrev/rms.htm http://blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/