[This is an update to Richard's item in RISKS-25.44, 8 Nov 2008. PGN] Caveat emptor! [RIC] BBC News UK Politics, 18 September 2013 Taxpayers face a rising, multi-billion pound bill for a failed government IT project, MPs have said. A report by the influential Public Accounts Committee (PAC) concluded an attempt to upgrade NHS computer systems in England ended up becoming one of the "worst and most expensive contracting fiascos" in public sector history. The final bill for abandoning the plan is still uncertain, the committee said. Ministers initially put the costs of the NHS scheme's failure at 6.4bn pounds. Officials later revised the total to 9.8bn, but the PAC said this latest estimate failed to include a price for terminating a contract with Fujitsu to provide care records systems and other future costs. 'Ill-fated' The project was launched in 2002, with the aim of revolutionising the way technology is used in the health service by paving the way for electronic records, digital scanning and integrated IT systems across hospitals and community care. Hit by technical problems and contractual wrangling, it was effectively disbanded by the government two years ago. MPs on the PAC said some outstanding costs remain and committee member Richard Bacon said: "The taxpayer is continuing to pay the price for the ill-fated national programme for IT in the NHS. "Although officially dismantled (it) continues in the form of separate component programmes which are still racking up big costs." He highlighted a government decision to renegotiate 3.1bn worth of contracts with outsourcing company CSC, charged with setting up a care records system known as Lorenzo in the North, Midlands and east of England. "Despite the contractor's weak performance, the Department of Health is itself in a weak position in its attempts to renegotiate the contracts," Mr Bacon said. "The department's latest estimate of 9.8bn leaves out the future costs of Lorenzo or the potential large future costs arising from the department's termination of Fujitsu's contract for care records systems in the south of England." The report added that delays and problems with changes to benefit payments - another huge government IT project - showed ministers had not "learned and applied lessons" from the fallout. "This saga is one of the worst and most expensive contracting fiascos in the history of the public sector," Mr Bacon added.
M Heffernan, *The Guardian* UK [via Dave Farber] [... profound words of wisdom published today in the GuardianUK. SNK] http://www.theguardian.com/local-government-network/2013/sep/26/whistleblower-public-sector What the recent scandals have shown us is that no management or monitoring system will catch every problem breeding inside an organisation. But its employees could: they are an institution's best early warning system... Whistleblowers are rare and misunderstood. Popularly portrayed as marginal figures, eccentric if not downright mad, they always come across as irritable malcontents. Nothing could be further from the truth... By the time a whistleblower is frustrated enough to go public, managers have lost the battle. Not only do they now have a public relations crisis to manage but they've lost the chance to solve a problem while it was still small and private. The defensiveness that inevitably ensues drives truth-telling further underground and makes it less likely that anyone will speak up early enough next time.... The management of whistleblowers, therefore, requires real courage on the part of managers. They need to be unafraid when someone shines light on a problem and to recognise that the people who do so are their source of safety.... The overwhelming majority of whistleblowers are deeply loyal, committed employees who have high expectations of their organisations. It's when those institutions fail to meet high standards that the nascent whistleblower becomes distraught, frustrated and sounds the alarm. Only when they find -- to their mounting disappointment—that they are ignored or rejected do they go outside the organisation to draw attention to their grievances... The challenge for local authorities, therefore, is to create the culture and the systems that make it easy and attractive for anyone with a concern to articulate it early, when the issue is still easy to fix...
By Tuesday afternoon, L.A. Unified officials were weighing potential solutions. One would limit the tablets, when taken home, to curricular materials from the Pearson corporation, which are already installed. All other applications and Internet access would be turned off, according to a district "action plan." A second approach would be to buy and install a new security application. Apple's just-released new operating system might help, but not the current iteration, according to the district. A fix from Apple is not likely to be available before late December. The devices should work normally at school, although even that has been problematic. Teacher Robert Penuela said his use of the tablets has been limited because he can't get them to work for all students at once. Roosevelt freshman Alan Munoz said that, so far, he was using his iPad only during free time. The excitement of receiving the device quickly wore off for senior Kimberly Ramirez when she realized it was for schoolwork only. "You can't do nothing with them," she said. "You just carry them around." http://j.mp/1fmG8RZ (Howard Blume, *L.A. Times* via NNSquad) When this program (which basically was pushed through in secret) was announced, I was critical of its cost (sweetheart deal with Apple and Pearson for expensive iPads rather than alternatives) in a time when the LAUSD really needs more teachers. And I noted that if the district really thought they were going to restrict what students did with these things (liability issues, huh?) they were fooling themselves. Well ...
George Dvorsky, io9, 11 Jan 2013 [From Dewayne Hendricks via Dave Farber. Thanks! PGN] http://io9.com/5975173/ibms-watson-computer-has-parts-of-its-memory-cleared-after-developing-an-acute-case-of-potty-mouth@AnnaleeNewitz It all started a couple of years ago when IBM's Watson, the computer voted most likely to destroy us when the technological Singularity strikes, was given access to the Urban Dictionary. In an attempt to help Watson learn slang—and thus be more amenable to conversational language—the machine subsequently picked up such phrases as OMG and "hot mess." But at the same time it also picked up some words fit only for a sailor. Watson, you'll no doubt remember, completely trounced its opponents on Jeopardy! back in 2011. The expert learning-system is no longer wasting its time on game shows, and is currently being used in the medical sciences to help researchers scour enormous reams of information and serve as a diagnostic tool. ...
http://j.mp/1dm1wSK (David Kravets, *WiReD* via NNSquad) "The Supreme Court is being asked to decide when an online threat becomes worthy of prosecution, in what could be the first Internet speech case to reach the high court's docket for the 2013-2104 term beginning next month. The justices are weighing whether to review the prosecution of an Iraq war veteran handed 18 months (.pdf) in prison for singing in a 2010 YouTube video that he would kill a local Tennessee judge if the judge did not grant him visitation rights to his young daughter."
Gregg Keizer | Computerworld, 23 Sep 2013 Gang responsible for Bit9 hack in February is responsible for latest attacks exploiting IE 'zero-day,' says FireEye after threat level moves to 'Yellow' http://www.infoworld.com/d/security/internet-threat-level-rises-expanded-ie-attacks-227302
... as they've wanted to do all along? http://j.mp/182muVe (Tech Freedom via NNSquad) "It would be a sad outcome of the surveillance disclosures if they led to an approach to Internet policy making and governance in which countries became a series of walled gardens with governments holding the keys to locked gates. But that is where we will end up if all data has to stay on servers located in the nation in which a citizen lives or where a device is located. The digital world does not need another Great Firewall - in Europe or anywhere else." And given that EU and most other countries are engaging in similar surveillance activities themselves to the extent of their technical abilities, what we really have here is dissembling as the enemies of the open Internet use this situation as an excuse to accomplish what they've been hoping for all along.
David Linthicum, InfoWorld, 24 Sep 2013 Startups and small providers have the most to lose when one of their own goes under http://www.infoworld.com/d/cloud-computing/nirvanix-shutdown-has-cloud-users-wondering-whos-next-227364
Jeremy Kirk, InfoWorld, 13 Sep 2013 The behavior was noticed after a file-tracking service was used to watch several files uploaded to Dropbox http://www.infoworld.com/d/cloud-computing/dropbox-takes-peek-files-226776
A company that markets video cameras designed to allow consumers to monitor their homes remotely has settled Federal Trade Commission charges that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet. This is the agency's first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices—commonly referred to as the "Internet of Things." http://www.ftc.gov/opa/2013/09/trendnet.shtm
Serdar Yegulalp, InfoWorld, 25 Sep 2013 Russian hackers have been stealing personal and financial data straight from information clearinghouses, reselling it in bulk http://www.infoworld.com/t/cyber-crime/identity-theft-service-planted-botnets-in-lexisnexis-other-data-providers-227519
This news is so old, the first time I heard about it, my computer was running Windows 3.1. It was the early 1990's, I was working for an online service company, and we were looking into providing our customers with traffic data from Transcom, a regional transportation alliance in the Northeast. The data they had was average speeds, picked up by EZ-Pass readers installed on the roadsides of highways on Long Island. Back in those days, EZ-Pass users were few and far between, mostly truckers, but there were apparently enough around to provide reliable information using the roadside readers. The Transcom people told us at the time that they did not keep the data very long, and used it only to measure average speed on the highways, and had rejected the idea of using the data for speeding tickets or the like since doing things like that would discourage use of EZ-Pass. Transcom's web site is www.xcm.org, and they will let you see some of their data at http://data.xcm.org/ .
If Verizon gets its way, it will be making choices about what goes across its line to its users. Does that mean that it will no longer be able to rely on the "safe harbor" provision of the DMCA? Will that ability to choose allow it to be sued for any copyright-infringing material that goes across its network? I'm not a lawyer and I don't know, but I'd very much like to read opinions on this from IP lawyers.
Serdar Yegulalp | InfoWorld, 24 Sep 2013 Ban on device usage during takeoff and landing has long been believed to be based more on anecdotes than actual data http://www.infoworld.com/t/mobile-technology/faa-preparing-remove-restrictions-in-flight-electronic-devices-227446
[via Dave Farber] [Note: Yet another article on Apple's Touch ID mess. This one adds a bit of info to the others that I've posted on this topic. DLH] Dan Goodin, *Ars Technica*, Sep 23 2013 The hack using lifted fingerprints is easy; here's how you can make it harder. <http://arstechnica.com/security/2013/09/defeating-apples-touch-id-its-easier-than-you-may-think/> This weekend's decisive defeat of Touch ID is the most poignant reminder yet of the significant limitations of using fingerprints, iris scans, and other physical characteristics to prove our identities to computing devices. As previously reported, a team of German hackers who have long criticized biometrics-based authentication bypassed the new iPhone feature less than 48 hours after its debut. Many security researchers and writers, yours truly included, predicted that the ability of the high-definition scanner included in the iPhone 5S wouldn't be fooled by attacks using scanned fingerprint smudges to impersonate an already enrolled thumb or finger. It's now clear we were wrong. Hacker Starbug overcame the purported ability of Touch ID to read prints at a sub-epidermal level by using a slightly higher resolution camera to generate a cloned fingerprint. The availability of a 3D printer also seemed to help. Some critics have castigated the technique as too difficult for the average hacker. Others have argued that the hack has little significance in the real world. They cite Apple talking points that the protection of Touch ID represents a significant improvement over what many people have now, since a large percentage of iPhone users currently use no PIN at all to lock their phones. There's some merit in this second argument, since any protection, no matter how flawed, is better than none at all. But as Rob Graham, CEO of penetration testing firm Errata Security makes clear, Starbug's technique is easy for many people to carry out. "Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he wrote in an e-mail to Ars. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy—you just need to try." Graham later posted his comments on his blog. As Ars pointed out last week, there's little we can do to keep our fingerprints and other physical characteristics private. They leak every time we touch a door knob, wine glass, or ATM. And that calls into question whether Touch ID is a truly "secure" way to unlock phones, as Apple's own press release announcing the new feature claimed. That's not to say there aren't things people can do to limit the leakage, though. Graham is one of the organizers behind istouchidhackedyet, a bounty program that pledged cash bounties to the first person who could override the new feature, which allows people to unlock their iPhones using one or more fingerprints. He told Ars that he's still waiting to see a detailed video that documents the hack from start to finish, but at this point he's satisfied that Starbug has met the requirements for the cash prize. He estimated the amount at about $10,000, after at least one of the people who pledged a bounty reneged on the promise. [...] [PGN comments: RISKS noted the gummi-bear attack previously. This newer incarnation is getting a lot of coverage. Here are a few examples. Monty Solomon noted: IOS 7 Lockscreen Bug Allows Anyone to Sidestep Passcode, Access Photos/Email Tiffany Kaiser, 20 Sep 2013 http://www.dailytech.com/IOS+7+Lockscreen+Bug+Allows+Anyone+to+Sidestep+Passcode+Access+PhotosEmail/article33416.htm Gene Wirchenko noted three more: Video: Watch this Siri hack bypass iOS 7's lock screen Security vulnerability allows a third party to grab your iPhone and tell Siri to perform various functions even when locked Pete Babb, InfoWorld, 23 Sep 2013 http://www.infoworld.com/t/mobile-security/video-watch-siri-hack-bypass-ios-7s-lock-screen-227256 "Show of hands: Who hasn't hacked Apple's Touch ID?", Robert X. Cringely, InfoWorld, 25 Sep 2013 http://www.infoworld.com/t/cringely/show-of-hands-who-hasnt-hacked-apples-touch-id-227520 "German hackers say old technique can bypass Apple's Touch ID" Jeremy Kirk, IDG News Service, InfoWorld, 23 Sep 2013 http://www.infoworld.com/d/mobile-technology/german-hackers-say-old-technique-can-bypass-apples-touch-id-227292 ]
Fingerprint authentication has been available on computers for quite a while. For example, my 6 year old laptop came with a fingerprint reader. Apple may make them more ubiquitous, but I haven't heard of them doing anything new with them. AFAIK, fingerprint readers are only good for local authentication, and are pretty much useless for encryption. Remote authentication doesn't work well, because you need a reasonable degree of certainty that the finger is in fact present, and hopefully even attached to a live body, so the reader itself needs to be trusted. Encryption is problematic because you don't get the exact same data each time you read a finger, so it can't be used an an encryption key. (For those who don't see how this could still be used for local authentication: The finger is scanned a few times during setup. Some data derived from those scans is stored on the device. Then during authentication, said data is used to do a fuzzy comparison of the new scan to the original scans.) So if I understand things correctly, yes a judge could order you to produce your finger, but in the cases where that is useful he could just as easily order the prosecution to purchase a screwdriver and stop wasting his time. IANAL, etc, etc. Ivan PS: Please let me know if there is some newfangled way of using fingerprint readers for encryption that I have not heard about. PPS: I don't actually use my fingerprint reader because I could not find enough documentation to convince myself that it couldn't be trivially defeated. (STMicroelectronics Fingerprint Reader)
Nuclear weapons were touched on in the Fukushima essay by Charles Perrow noted in RISKS-27.48. There is a more explicit discussion of them in this review in *The New Yorker*. http://www.newyorker.com/arts/critics/books/2013/09/30/130930crbo_books_menand?currentPage=all With numerous examples, the review explains that: But most of the danger that human beings faced from nuclear weapons after the destruction of Hiroshima and Nagasaki had to do with inadvertence -- with bombs dropped by mistake, bombers catching on fire or crashing, missiles exploding, and computers miscalculating and people jumping to the wrong conclusion. On most days, the probability of a nuclear explosion happening by accident was far greater than the probability that someone would deliberately start a war. Charles Perrow is acknowledged explicitly. Schlosser cites Charles Perrow's Normal Accidents (1984) as an inspiration for his book. Perrow argued that in systems characterized by complex interactions and by what he called `tight coupling'—that is, processes that cannot readily be modified or turned off—accidents are normal. They can be expected. And they don't lend themselves to very satisfying postmortems, since it is often difficult to explain just what stage it was in the cascade of bad events that made them irreversible. [Schlosser's long item in *TNY* includes quite a few cases long ago mentioned in RISKS. He is also the source of the next item. PGN]
On Oct. 23, 2010, at about 1:30 in the morning, the underground launch control centers at F.E. Warren Air Force Base in Wyoming lost communication with 50 Minuteman III intercontinental ballistic missiles. Instead of showing the status of the missiles, the computer screens in the control centers displayed the acronym LFDN (Launch Facility Down). Briefly losing contact with a few missiles wasn't unusual. But having an entire squadron go down, simultaneously, was extraordinary. Closed-circuit television images of the missile silos, which sit miles away from their control centers, revealed that none of the Minuteman IIIs had lifted off. Almost an hour after the problem suddenly appeared, communication was re-established between the missiles and their launch crews. Nevertheless, heavily armed Air Force security officers spent the next few hours visiting all 50 silos, in the early morning darkness, to ensure that no security breach had occurred. The Air Force dismissed the possibility that the computer network controlling its Minuteman IIIs had been hacked. The idea that a hacker could somehow disable 50 ballistic missiles—each of them armed with a nuclear warhead about seven times more powerful than the bomb that destroyed Hiroshima—seemed like the improbable plot of a Hollywood thriller. http://www.politico.com/story/2013/09/neglecting-our-nukes-96854.html?hp=r17
Please report problems with the web pages to the maintainer