For the first time in many years, I have been more successful than usual in trying to take my June-July vacation without too many work-related interruptions. However, the past three weeks since RISKS-the previous issue have been heavily larded with potential RISKS-related material that is so extensive that I cannot begin to include it all by way of catch-up. Instead, let me simply remark that the Snowden case continues to amaze in a swelter of information, misinformation, disinformation, fundamental issues of constitutionality, privacy, accusations (French, U.S.), new revelations of ongoing surveillance (NYC), and so on. In addition, telcos have once again resurfaced their desires to get rid of landlines, despite obvious risks of disasters when the mobile facilities fail as well as risks for rural folks with no cellular coverage. But they and ISPs and others have also been involved in surveillance. Furthermore, the Federal Election Commission has once again become more visibly broken—at a time when Supreme Court has considerably muddied the waters regarding fair elections. And so it goes. There is apparently no possibility of vacations from risks, even if you have had a vacation from RISKS. I have well over one hundred submissions in the new queueueueue, and clearly cannot use all of them. I've picked just a few that still seem relevant and timely. If you feel I might have missed a really salient item you submitted, please let me know. [NOTE: Two belated items that were resubmitted are included in this issue.]
About a third of this number are minivans in which a software bug causes side airbags to deploy on the opposite side to that of an impact. (I wonder how they did not catch this on QA?) Full story at: http://www.bbc.co.uk/news/business-23175919
Cecilia Kang has a story in *The Washington Post* about the controversy on Fire Island about Verizon's insistence that residents buy its new wireless service because the company has decided to stop servicing the existing copper-wired network. The story includes chilling quotes from phone company executives suggesting that, given the number of customers who have abandoned landlines altogether in favor of cell phones, it is just a matter of time before companies stop offering hard-wired telephone service even to those who demand robust phone service. http://www.washingtonpost.com/business/technology/verizon-pursues-all-wireless-phone-service-in-seaside-ny-town/2013/07/04/9120fa80-ac4c-11e2-a198-99893f10d6dd_story.html?hpid=z2
NY Attorney General to Verizon: Either Serve Your Customers Or Sell and Get Out http://j.mp/1aDsk2a (Stop the Cap) "Attorney General Eric Schneiderman is more than a little concerned with Verizon's plans to abandon offering landline service on the western half of Fire Island and potentially other areas further upstate to satisfy the company's wireless business strategy. In a hostile 13-page filing directed to the New York Public Service Commission, Schneiderman's office accused Verizon of abdicating its responsibility to provide universal access to high quality landline service in favor of moving customers to inferior Verizon Wireless service." [He's not mincing his words. Great reading. LW] [This item hits home, as it were. I am vacationing in an area where AT&T and Verizon both have miserable cellular service, cable is nonexistent, and the primary rather expensive alternative seems to be satellite for Internet, TV, and phone. PGN]
Bob Sullivan, Columnist, NBC News Lawyers eye NSA data as treasure trove for evidence in murder, divorce cases http://redtape.nbcnews.com/ The National Security Agency has spent years demanding that companies turn over their data. Now, the spy agency finds the shoe is on the other foot. A defendant in a Florida murder trial says telephone records collected by the NSA as part of its surveillance programs hold evidence that would help prove his innocence, and his lawyer has demanded that prosecutors produce those records. On Wednesday, the federal government filed a motion saying it would refuse, citing national security. But experts say the novel legal argument could encourage other lawyers to fight for access to the newly disclosed NSA surveillance database. "What's good for the goose is good for the gander, I guess," said George Washington University privacy law expert Dan Solove. "In a way, it's kind of ironic." Defendant Terrance Brown is accused of participating in the 2010 murder of a Brinks security truck driver. Brown maintains his innocence, and claims cellphone location records would show he wasn't at the scene of the crime. Brown's cellphone provider—MetroPCS—couldn't produce those records during discovery because it had deleted the data already. On seeing the story in the Guardian indicating that Verizon had been ordered to turn over millions of calling records to the NSA last month, Brown's lawyer had a novel idea: Make the NSA produce the records. Brown's lawyer, Marshall Dore Louis, said he couldn't comment while the trial was ongoing. "Relying on a June 5, 2013, Guardian newspaper article ... Defendant Brown now suggests that the Government likely actually does possess the metadata relating to telephone calls made in July 2010 from the two numbers attributed to Defendant Brown," wrote U.S. District Judge Robin Rosenbaum in an order demanding that the federal government respond to the request on June 10. The laws of evidence require that prosecutors turn over to the defense any records they have that might help prove a suspect's innocence. [Long item truncated for RISKS. PGN]
Not really news, but it's interesting to see more detail: “A Skype executive denied last year in a blog post that recent changes in the way Skype operated were made at the behest of Microsoft to make snooping easier for law enforcement. It appears, however, that Skype figured out how to cooperate with the intelligence community before Microsoft took over the company, according to documents leaked by Edward J. Snowden, a former contractor for the N.S.A.'' http://www.nytimes.com/2013/06/20/technology/silicon-valley-and-spy-agency-bound-by-strengthening-web.html?pagewanted=2&_r=0 and http://www.theregister.co.uk/2013/06/21/skype_project_chess_snooping_report/ The risk is that using 3rd parties to bypass the still overly high charges for phoning abroad has pushed communication into the hands of less structurally controlled 3rd parties. >From an intercept perspective, tools like Viber, WhatsApp and other data based platforms have been an astonishingly successful way of replacing communications protected under local laws with equivalents that can be easily tapped from the comfort of a US data centre, instead of having to play nice with local law enforcement and going through pesky approval processes, cross judicial access requests and due process paperwork.. Peter Houppermans, The Privacy Club, Switzerland
http://cironline.org/reports/license-plate-readers-let-police-collect-millions-records-drivers-4883 Ali Winston, The Center for Investigative Reporting, 26 Jun 2013 A license-plate reader mounted on a San Leandro Police Department car can log thousands of plates in an eight-hour patrol shift. “It works 100 times better than driving around looking for license plates with our eyes,'' says police Lt. Randall Brandt. When the city of San Leandro, Calif., purchased a license-plate reader for its police department in 2008, computer security consultant Michael Katz-Lacabe asked the city for a record of every time the scanners had photographed his car. The results shocked him. The paperback-size device, installed on the outside of police cars, can log thousands of license plates in an eight-hour patrol shift. Katz-Lacabe said it had photographed his two cars on 112 occasions, including one image from 2009 that shows him and his daughters stepping out of his Toyota Prius in their driveway. [...] [Long item truncated for RISKS. PGN]
[Justice Dep't press release] Woman Pleads Guilty to Defrauding Lowe's Stores by Fraudulently Obtaining Gift Card Credit Defrauded Lowe's of at Least $250,000 by Calling Lowe's stores and Pretending to be from Lowe's IT Department Baltimore, Maryland - Lucerte "Lisa" Abellard, age 35, of Dobbs Ferry, New York, pleaded guilty today to conspiracy to commit wire fraud in connection with a scheme to defraud Lowe's stores. ... According to her plea agreement, Abellard called employees at Lowe's stores around the United States, pretending to be from the "IT department" at Lowe's headquarters, telling the Lowe's employee that she received a report there were problems with a register at the Lowe's store. She would then ask the employee to run a series of diagnostics on the register, often pretending to be able to see the tests remotely. The purported diagnostics ended with a "test" transaction that put a credit on a Lowe's gift card - usually about $3,000 to $4,000. ... http://goo.gl/6jc63
Ted Samson | InfoWorld, 21 Jun 2013 Ransomware on Android: It was only a matter of time Malware called Android.Fakedefender pretends to be antivirus software while locking up your smartphone until you pay the 'registration fee' http://www.infoworld.com/t/mobile-security/ransomware-android-it-was-only-matter-of-time-221285
*The Daily News*, Kamloops, British Columbia, Canada, 29 Jun 2013; p. B8: [Taos] officials have finally identified the culprit behind a 20-hour Internet and cellphone outage last week in northern New Mexico—an eager beaver. CenturyLink spokesman David Gonzales told The Associated Press that a beaver chewed through the fiber line. He says the evidence was discovered by contractors who worked to repair the outage. Officials say more than 1,800 Internet users were affected by the blackout. The number of cellphone users without service during that time is still unknown." [Dam(n) luddite? PGN with a noodge from Gene]
Henry K. Lee, *San Francisco Chronicle*, 26 Jun 2013 When a San Jose man charged with murdering a Monte Sereno millionaire was suddenly freed last month, prosecutors acknowledged he had an airtight alibi -- he was drunk and unconscious at a hospital when the victim was killed in his mansion miles away. But a mystery remained: How did the DNA of 26-year-old Lukis Anderson—who was so drunk his blood alcohol content was five times the legal limit - end up on the fingernails of slaying victim Raveesh "Ravi" Kumra? Santa Clara County prosecutors answered that question Wednesday, saying the same two paramedics who had treated Anderson for intoxication at a downtown San Jose liquor store in November had responded to Kumra's home just hours later. [Long item truncated for RISKS. PGN] http://www.sfgate.com/crime/article/How-innocent-man-s-DNA-was-found-at-killing-scene-4624971.php
"Opera's advisory leaves out key information that makes it hard to assess just how much damage was done. Missing details include when the attackers first gained access to the servers, precisely when the stolen digital certificate expired, and whether there's reason to believe other certificates may also have been obtained. It would also be useful to know how hackers got access to an official Opera digital certificate, which is supposed to cryptographically prove that the software that bears its seal could only have come from the company. As Ars reported last year, companies such as Symantec go to great lengths to secure such keys, although Opera is hardly alone in losing control of such a valuable certificate." http://j.mp/11JqQ1l (ars technica)
The Assault on Privacy; Snoops, Bugs, Wiretaps, Dossiers, Data Banks—and Specters of 1984 http://j.mp/1287w9h (Daily Beast via NNSquad)
According to the Metro, dozens of trains per day have been rolling around without functioning emergency intercoms for a lengthy period. The problem exists with some trains that have 6000 series rail cars in the lead. The newer electronics on those cars had trouble communicating with other, older cars in the train, specifically 1000 and 4000 series cars, the transit agency said. http://www.nbcwashington.com/traffic/transit/Metro-Identifies-Problem-With-Emergency-Call-Buttons-on-Trains-212165001.html Gabriel Goldberg, Computers and Publishing, Inc. firstname.lastname@example.org 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
[Originally sent 20 March 2013. I missed it. PGN] On March 19, at 7am, a routine weekly generator test was done at the University of Auckland. The generator failed. There was a UPS, with 20 minutes of power. "The controller was locked in the generator position, and we couldn't manually switch [the system] back [to mains power]." The backup generator also failed. The outcome was that Auckland University and AUT University lost both Internet and phone access all day. The phone system is IP based. Source: The National Business Review http://www.nbr.co.nz/article/massive-computer-outage-hits-auckland-university-aut-ck-137459 Generator failures are of course no news to Risks readers, and having a generator fail in a test is why the tests are done. The way the system couldn't be switched back to mains power is rather more worrying.
[Originally sent 11 June 2013] For the past several years a new payroll system for New Zealand's schools has been under development. It went live without a phased rollout, without testing complete, and indeed with some functionality not finished in August last year. There have been enormous problems with overpay, underpay, and non-pay. The Ministry of education have released a lot of documents about this at http://www.minedu.govt.nz/theMinistry/NovopayProject.aspx An (in my view, rather unsatisfactory) Technical Review is at http://www.minedu.govt.nz/theMinistry/NovopayProject/MinisterialInquiryTechnicalReview.aspx That review was the basis of the Government's decision to throw more money and people at the project—Brooks' Law having been repealed—to fix it. That report is anonymous, and the Government's response to my Official Information request makes it clear that the Minister Responsible for Novopay does not know who wrote it or what their qualifications might be or what they actually did in the review process. There was a Ministerial Inquiry, and the 120 page report http://inquiry.novopay.govt.nz/report is now available. (Follow the PDF link in that page.) While the particular system is of local significance, the report should be of interest to many RISKS readers and could make an excellent case study. Two particular points: - the IT contractor never got complete requirements, in large part because previous outsourcing meant the Ministry didn't actually know what the requirements were and didn't think to involve users (school administrators) in requirements gathering - New Zealand's previous spectacular IT failure, INCIS, also had a Ministerial Inquiry. http://www.justice.govt.nz/publications/global-publications/m/ministerial-inquiry-into-incis the lessons (section 6) of which seem to have been ignored in the development of Novopay.
"Why are software development task estimations regularly off by a factor of 2-3?" This question was asked a few months ago on quora.com and the responses are absolutely stunning. This question, and the more than 100 responses it got, is absolutely fascinating reading for the constant reasons for failure. Michael Wolfe, a responder back in January whose answer got picked as the #1 response, gave an example of a couple of guys deciding to hike from San Francisco to Los Angeles. "The line is about 400 miles long; we can walk 4 miles per hour for 10 hours per day, so we'll be there in 10 days. We call our friends and book dinner for next Sunday night, when we will roll in triumphantly at 6 p.m. They can't wait!" And it all goes downhill from there! And I don't mean downhill as in easier, I mean the amount of progress on the schedule goes downhill. Actually, progress doesn't go downhill, it isn't long before it starts dropping like a rock! First, the trip is not a straight line, the coast has lots of twists and turns so it's more like 500 miles. Then they discover the terrain doesn't support moving as fast as they thought. So they need to call and push back the schedule by another 20%. And it gets worse. "Man, this is slow going! Sand, water, stairs, creeks, angry sea lions! We are walking at most 2 miles per hour, half as fast as we wanted. We can either start walking 20 hours per day, or we can push our friends out another week. OK, let's split the difference: we'll walk 12 hours per day and push our friends out until the following weekend. We call them and delay dinner until the following Sunday. They are a little peeved but say OK, we'll see you then." Does this sound familiar? His example goes on, and on, and on, showing how this project's end result follows the lyrics of the Steve Miller Band's "Fly like an eagle": "Time keeps on slipping, slipping slipping... Into the future..." And this fascinating and very enlightening comment is just one of dozens and dozens of extremely interesting comments. Oh, as for our two intrepid explorers making a 400 err I mean 500 err I mean whatever mile hike? Check out where they get stuck, or rather, where he ends the example, showing how bad things can get, faster than you'd expect. If this example of a simple trek between two cities doesn't remind you of more than one software project you've been involved in - if not all of them - you're either working at a world-class ISO 9000 certified development facility or you've never worked on any software project taking more than two days! 1. http://tinyurl.com/software-estimates Paul Robinson <email@example.com> http://paul-robinson.us (My Blog)
FYI—What could possibly go wrong with this database ? http://news.investors.com/062513-661264-obamacare-database-hub-creates-privacy-nightmare.htm John Merline, Investor's Business Daily, Think NSA Spying Is Bad? Here Comes ObamaCare Hub The Health and Human Services Department earlier this year exposed just how vast the government's data collection efforts will be on millions of Americans as a result of ObamaCare. Sen. Max Baucus, D-Mont., asked HHS to provide "a complete list of agencies that will interact with the Federal Data Services Hub." The Hub is a central feature of ObamaCare, since it will be used by the new insurance exchanges to determine eligibility for benefits, exemptions from the federal mandate, and how much to grant in federal insurance subsidies. In response, the HHS said the ObamaCare data hub will "interact" with seven other federal agencies: Social Security Administration, the IRS, the Department of Homeland Security, the Veterans Administration, Office of Personnel Management, the Department of Defense and—believe it or not -- the Peace Corps. Plus the Hub will plug into state Medicaid databases. And what sort of data will be "routed through" the Hub? Social Security numbers, income, family size, citizenship and immigration status, incarceration status, and enrollment status in other health plans, according to the HHS. "The federal government is planning to quietly enact what could be the largest consolidation of personal data in the history of the republic," noted Stephen Parente, a University of Minnesota finance professor. Not to worry, says the Obama administration. "The hub will not store consumer information, but will securely transmit data between state and federal systems to verify consumer application information," it claimed in an online fact sheet . But a regulatory notice filed by the administration in February tells a different story. That filing describes a new "system of records" that will store names, birth dates, Social Security numbers, taxpayer status, gender, ethnicity, email addresses, telephone numbers on the millions of people expected to apply for coverage at the ObamaCare exchanges, as well as "tax return information from the IRS, income information from the Social Security Administration, and financial information from other third-party sources." They will also store data from businesses buying coverage through an exchange, including a "list of qualified employees and their tax ID numbers," and keep it all on file for 10 years. In addition, the filing says the federal government can disclose this information "without the consent of the individual" to a wide range of people, including "agency contractors, consultants, or grantees" who "need to have access to the records" to help run ObamaCare, as well as law enforcement officials to "investigate potential fraud."
The engines on these planes collect their own data about wear and are smart enough to ask for parts replacements in preventative maintenance compared to a complex model of parts wear from benchmarked engines. When I get in my car and leave the door half-closed it tells me. Am I an idiot to ask why there isn't some flashing red incandescent bulb in the cockpit if an engine cowl says it is not closed? [No, you are not an idiot! PGN]
Please report problems with the web pages to the maintainer