Maggie Fox and M. Alex Johnson, NBC News The Dallas Hospital that mistakenly sent home a man who had ebola says flawed software and not human error caused doctors to miss the diagnosis. http://www.nbcnews.com/storyline/ebola-virus-outbreak/texas-hospital-makes-changes-after-ebola-patient-turned-away-n217296 Health officials and local residents have been asking how the hospital could have missed what would have appeared to be an obvious potential case of Ebola: a Liberian citizen who said he recently traveled from Liberia, with fever and abdominal pain. "Protocols were followed by both the physician and the nurses," the hospital said in a statement issued Thursday night. The nurse who took Thomas Eric Duncan's medical history did the job correctly, the hospital said. "However, we have identified a flaw in the way the physician and nursing portions of our electronic health records (EHR) interacted in this specific case," "In our electronic health records, there are separate physician and nursing workflows. The documentation of the travel history was located in the nursing workflow portion of the EHR, and was designed to provide a high reliability nursing process to allow for the administration of influenza vaccine under a physician-delegated standing order. As designed, the travel history would not automatically appear in the physician's standard workflow." In other words, the nurse wrote that Duncan had come from Liberia, but the doctors who examined him would not have automatically seen that. And they were not prompted to ask. [...]
A poor user interface led to the information about the ebola patient being misfiled in the computer system, which in turn meant that proper procedures were not used to protect against infection. Usability is important! [...] http://www.politico.com/story/2014/10/ebola-us-dallas-hospital-flaw-111582.html?hp=l4
Workflow flaws caused by Electronic Health Record (EHR) software have been implicated in accidental release of an ebola patient from Texas Health Dallas. Bloomberg is reporting that the hospital uses EHR software from Epic Systems Corp. http://www.theatlantic.com/technology/archive/2014/10/the-ebola-patient-was-sent-home-because-of-an-electronic-health-record-problem/381087/ http://www.texashealth.org/body.cfm?id29&actionŞtail&ref71 http://www.bloomberg.com/news/2014-10-03/electronic-record-gap-allowed-ebola-man-to-leave-hospital.html http://blog.secure-medicine.org/2014/10/ehr-software-and-ebola-what-could.html
... or at least being able to reconstruct the history of whether there was an outside "attack" using them. "Digital Investigation of Security Attacks on Cardiac Implantable Medical Devices" In this paper, we propose a system for postmortem analysis of lethal attack scenarios targeting cardiac IMDs. Such a system reconciles in the same framework conclusions derived by technical investigators and deductions generated by pathologists. An inference system integrating a library of medical rules is used to automatically infer potential medical scenarios that could have led to the death of a patient. A Model Checking based formal technique allowing the reconstruction of potential technical attack scenarios on the IMD, starting from the collected evidence, is also proposed. A correlation between the results obtained by the two techniques allows to prove whether a potential attack scenario is the source of the patient's death. [...] http://cryptome.org/2014/10/cardiac-imd-attacks.pdf
This morning, the FDA released its final version of a cybersecurity guidance document for pre-market review of medical devices. A second draft guidance document on post-market practices (e.g., vulnerability reporting) is expected later this year. http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm416809.htm
http://arstechnica.com/security/2014/10/fda-medical-device-cybersecurity-necessary-but-optional/
[via David Farber] from www.amtrak.com today Full and complete text of their website at this hour: "Amtrak.com Reservations System Temporarily Unavailable due to a system-wide network outage. If you are traveling today, please purchase your ticket at the station. This system issue is not impacting operations of our trains. If you are booking tickets for a future date we recommend visiting the website at a later time. For immediate issues, please call 1-800-USA-RAIL. We apologize for this inconvenience and thank you for your patience as we work toward a resolution as quickly as possible."
[From Dewayne Hendricks via Dave Farber] Interesting at a number of levels in terms of human factor. Also something to think about with the effort to automate driving. The conclusion is that cockpit automation has made planes safer but has also reduced the ability of pilots to act as a manual backup system in unusual circumstances. Though the article didn't mention it I can't help but think of the extreme example of the 767 that glided into a successful landing in Canada. The Human Factor, William Langewiesche, *Vanity Fair*, Oct 2014 Airline pilots were once the heroes of the skies. Today, in the quest for safety, airplanes are meant to largely fly themselves. Which is why the 2009 crash of Air France Flight 447, which killed 228 people, remains so perplexing and significant. William Langewiesche explores how a series of small errors turned a state-of-the-art cockpit into a death trap. [...] <http://www.vanityfair.com/business/2014/10/air-france-flight-447-crash>
Megan Geuss, Ars Technica, 7 Oct 2014 Test subjects also rear-ended two cars trying to use Siri behind the wheel. http://arstechnica.com/cars/2014/10/driving-with-voice-activated-infotainment-is-really-distracting-studies-say/
Katie Collins, Ars Technica, 27 Sep 2014 Study shows that multitasking on the road is never a good idea. http://arstechnica.com/cars/2014/09/google-glass-no-safer-than-phones-for-texting-while-driving/
Y2K was about not expecting rollover; so too, it seems that a max counter of 40M 911 calls caused the routing system to discard calls coming over VoIP phones. Presumably the FCC report (which I have not read) has more details. Some years ago, I worked for a software company whose software shut down unexpectedly, when the date (which was stored as a decimal number since an epoch) increased to require one extra digit. No one had tried rolling the clock forward (either in our development labs, or in any of our customer sites) to see whether it would continue working in the future. We keep making the same mistakes... http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/20/how-a-dumb-software-glitch-kept-6600-calls-from-getting-to-911/
Colin Lecher, The Verge, 3 Oct 2014 Our most important lifeline isn't always there when you need it On a June morning in Washington, William Leneweaver, the state's E911 IT projects and operations manager, was alerted to a call. A man had been attempting to dial emergency responders, but he couldn't get through. He was left listening to a "fast busy" - a pre-recorded tone. Eventually, he made contact by borrowing someone else's phone. The staff of the state's Vancouver call center, where the call was received, began investigating what might have prevented the call from going through. They made test calls with Sprint phones, the same provider the man had. No 911 service. They had someone in another location make more calls. Same problem. ... http://www.theverge.com/2014/10/3/6414949/911-call-failures-fcc
Machine-Learning Maestro Michael Jordan on the Delusions of Big Data and Other Huge Engineering Efforts Interviewed by Lee Gomes, in IEEE Spectrum, 20 Oct 2014 http://spectrum.ieee.org/robotics/artificial-intelligence/machinelearning-maestro-michael-jordan-on-the-delusions-of-big-data-and-other-huge-engineering-efforts
James Bamford, *The Intercept*, 2 Oct 2014 https://firstlook.org/theintercept/2014/10/02/the-nsa-and-me/
[From Cryptography via Dave Farber] http://www.alexaobrien.com/secondsight/wb/binney.html Best account yet of the Snowden releases by a technically capable person. Eventually, perhaps, the other 96% will receive similar public disclosure to fully inform beyond opportunistic journalism.
Robert Lemos, Ars Technica, 7 Oct 2014 Criminals with physical access to ATMs install malware to control flow of money. Criminals are installing fairly sophisticated malicious programs on banks' ATMs, allowing them to control access to the machines and easily steal cash, security firms Kaspersky and Interpol said in a joint statement released on Tuesday. ... http://arstechnica.com/security/2014/10/dozens-of-european-atms-rooted-allowing-criminals-to-easily-cash-out/
A great article on high-frequency trading in the LRB. 'Be grateful for drizzle' Donald MacKenzie, London Review of Books, 11 Sep 2014 http://www.lrb.co.uk/v36/n17/donald-mackenzie/be-grateful-for-drizzle After recounting the collapse of Knight Capital in Aug 2012 (also tracked in RISKS 26.97), he mentions a previously unreported incident: Such events don't always become public. In a New York coffeehouse, a former high-frequency trader told me matter-of-factly that one of his colleagues had once made the simplest of slip-ups in a program: what mathematicians call a 'sign error', interchanging a plus and a minus. When the program started to run it behaved rather like the Knight program, building bigger and bigger trading positions, in this case at an exponential rate: doubling them, then redoubling them, and so on. "It took him 52 seconds to realise what was happening, something was terribly wrong, and he pressed the red button, stopping the program. By then we had lost $3 million." The trader's manager calculated "that in another twenty seconds at the rate of the geometric progression, the trading firm would have been bankrupt, and in another fifty or so seconds, our clearing broker—a major Wall Street investment bank—would have been bankrupt, because of course if we're bankrupt, our clearing broker is responsible for our debts; it wouldn't have been too many seconds after that the whole market would have gone." What is most telling about that story is that not long previously it couldn't have happened. High-frequency firms are sharply aware of the risks of bugs in programs, and at one time my informant's firm used an automated check that would have stopped the errant program well before its human user spotted that anything was wrong. However, the firm had been losing out in the speed race, so had launched what my informant called 'a war on latency', trying to remove all detectable sources of delay. Unfortunately, the risk check had been one of those sources.
After discussing the various techniques (lasers, microwave links along geodesics, bare-metal programming, FPGAs, etc) in reducing latency used in HFT, he says: If you're a certain kind of person, there's pleasure to be had in a lot of this. [...] I confess that some of the pleasure rubs off on me. It's nice to study a domain of economic life that's so caught up with the physical world: with wind and rain and fog, tunnels and oceans and sharks; and with the geography of such unfashionable places as Aurora, Weehawken and Slough. Highly recommended read.
This is old news but the Wired article has lots of details that I don't recall hearing about before: http://www.wired.com/2014/10/cheating-video-poker/ I also hadn't heard that the charges against the players were eventually dismissed. The article is a fascinating read.
The Cloud is a wonderful concept. Store and share your files around the world, contribute jointly to documents or a project, upload your precious files for safe keeping, etc., and whatever. But what happens if the Cloud site that you are paying good money towards goes down without notice effectively losing all of those files? That is what happened FIVE days ago to Firedrive.com. Despite appeals for information from worried users (or should I say customers?), the site is well and truly down. Not that so-called "IsitUp" websites are reporting this. Apparently the Firedrive servers are up but the Firedrive file storage system isn't and hasn't been for days. The Firedrive Facebook account—with about 66,000+ 'Likes' or 'Friends' -- is full of customers complaining that they cannot log in to get at their files. The scandal is that Firedrive's landing / home page says nothing about any outage, there have been no warnings, no announcements, no apologies, no emails, nothing but silence. Emails that do (supposedly) get through are ignored. The issue has yet to be picked up by the media. Yet this is one of the biggest Cloud storage systems on the web. Yet it has gone - taken with it everyone's files. And the owners remain silent. Personally I have always been wary of the Cloud concept. Folks' files are only as secure as a site itself. In the past few years we have seen a major image hosting site suddenly disappear taking millions of images with it, and then there was the close down of the file-sharing site in New Zealand. Firedrive is apparently hosted by Cloudflare (who remain unhelpful when emailed). And the owners of Firedrive and the whereabouts of the servers are apparently scattered around the world with postal addresses in London UK, Singapore, Spain, and the Bahamas (domain BS). The risk? Hmm - eggs in one basket springs to mind. Something to avoid if using the Cloud.
C.J.Brady (who has lost now hundreds of files from Firedrive to say nothing of the time and money uploading them. Luckily I have a complete backup on my computer—I don't trust the Cloud and never will !!!).
This is now day 6 of Cloud storage Firedrive's massive outage. One customer reports losing 6TB of files. And there has still been no communications from the owners. But Firedrive is hosted at the same IP address as Cloudflare. And Cloudflare has its own problems. See: https://blog.cloudflare.com/route-leak-incident-on-october-2-2014/ But I also understand that Firedrive has been taking payments under their premium plan to host many customers' files. To suddenly remove those services paid for without any communication is poor customer at best. This reflects upon the integrity of both Cloudflare and Firedrive. It also highlights the dangers and risks of using the Cloud (whatever that is) for the remote storage of files.
But the social media company, which outraged users with an emotion study, declined to disclose its guidelines. http://www.nytimes.com/2014/10/03/technology/facebook-promises-a-deeper-review-of-its-user-research.html
Cyrus Farivar, Ars Technica, 3 Oct 2014 Marriott remains defiant: "We believe that the Opryland's actions were lawful." http://arstechnica.com/tech-policy/2014/10/after-blocking-personal-hotspot-at-hotel-marriott-to-pay-fcc-600000/
Jon Brodkin, Ars Technica, Sept 29 2014 Unlimited plans throttled after 5GB, but AT&T gives new lines 100GB unthrottled. AT&T yesterday began offering "double the data for the same price" to new customers and existing customers who sign new contracts, apparently forgetting that its network is so congested that speeds must be throttled when people use too much data. ... http://arstechnica.com/information-technology/2014/09/att-congestion-magically-disappears-when-its-signing-up-new-customers/
Even those most confident in the virtual currency are having trouble explaining the recent decline. http://dealbook.nytimes.com/2014/10/05/price-of-bitcoin-tumbles/
http://arstechnica.com/tech-policy/2014/10/at-650-interest-that-online-payday-loan-is-a-steal/
Jason Mick (Blog) - October 3, 2014 12:08 PM http://www.dailytech.com/Windows+9+Reportedly+Skipped+as+Name+Would+Have+Created+Code+Bugs/article36656.htm Searches for Windows 95 and 98 typically only look for "Windows 9" selected text: Back in the 1990s, lazy coders often put checks for the first part of the OS name string "Windows 9". Now like some bizarre form of Y2K, those lingering bits of code have returned and forced Microsoft to make a bold move, according to some developers' claims. But the idea has been backed up by searches of popular third party open-source Windows plugins and software. For example, it appears in many core Java packages.
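The prefix check described in this item, next to a stricter form and a small source audit for the pattern, as an added example that is not code from the article or from any project it mentions. The function names, the sample OS names and the Java-like sample lines (including `useLegacyPaths`, `disableUnicode` and `limitHandles`) are constructed for illustration.

```python
import re

# Known legacy product names the old checks were written to detect.
LEGACY_NAMES = {"Windows 95", "Windows 98"}

def is_win9x_prefix(os_name):
    """The shortcut described above: test only the leading 'Windows 9'."""
    return os_name.startswith("Windows 9")

def is_win9x_exact(os_name):
    """Stricter form: the full product name must be a known legacy name."""
    return os_name.strip() in LEGACY_NAMES

def disagreements(os_names):
    """Names the two checks classify differently (false legacy matches)."""
    return [n for n in os_names if is_win9x_prefix(n) != is_win9x_exact(n)]

# A string literal that starts with "Windows 9"; it is fragile when it is
# not itself a complete legacy product name.
_LITERAL = re.compile(r'"(Windows 9[^"]*)"')

def find_fragile_checks(source):
    """Return (line number, line) for source lines holding such a literal."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(lit not in LEGACY_NAMES for lit in _LITERAL.findall(line)):
            hits.append((lineno, line.strip()))
    return hits

# Constructed inputs: "Windows 9" stands for the product name the article
# says was skipped; the source lines imitate the kind of check it describes.
SAMPLE_NAMES = ["Windows 95", "Windows 98", "Windows 9", "Windows 8.1", "Windows 10"]
SAMPLE_SOURCE = '''\
String os = System.getProperty("os.name");
if (os.startsWith("Windows 9")) { useLegacyPaths(); }
if (os.equals("Windows 98")) { disableUnicode(); }
if (os.indexOf("Windows 9") != -1) { limitHandles(); }
'''

if __name__ == "__main__":
    print("misclassified by prefix check:", disagreements(SAMPLE_NAMES))
    for lineno, line in find_fragile_checks(SAMPLE_SOURCE):
        print(f"line {lineno}: {line}")
```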
Not sure whether this is a RISK or not, but last Sunday most of Australia switched to Daylight Saving Time. A pity that the Electronic Program Guides didn't, at least, not up until the day before... Even the printed TV guide (published that Monday) was off by an hour for Sunday!
The flip side being if they had to repossess it due to nonpayment then there would be no chance of her being able to use it in a timely manner. With the remote shut down option she could for example have paid the outstanding balance, or possibly phoned them and asked for a compassionate exception (e.g., they re-enable it for an hour or something). Also there is a potential upside of this: traditionally if you sold cars to people who didn't have a lot of money (aka the poor), you ran a higher risk of having to repossess the car for nonpayment, which meant having someone track it down and tow it away (having seen an episode of Repo-men, this looks like a total pain). With the remote disabler it becomes "safer" to sell cars to riskier customers as you have easier recourse (just turn it off and send someone to collect it if they continue to refuse payment). This technology could make it safer to sell cars to people with riskier credit profiles. On the other hand this tech could be used to justify selling cars with financing to people with really risky credit purposefully like the NINJA (No Income No Job) loans that were so popular during the mortgage crisis because there's minimal downside to the lender/car dealer. If I had to bet my money I'd put it on the less happy outcome.
Legally, the liability of the automobile creditor sounds analogous to utilities who shut off power because of nonpayment. Electric or gas cutoffs have resulted in death from time to time. I presume that the risks date all the way back to the 1800s birth of public utilities. There must be analogous tragedies resulting from cutting off water, food deliveries, even Internet connections that are similar from a legal point of view. I can imagine a repo man who specializes in fire trucks and ambulances. More extreme, I imagine a supplier who demands payment before shipping biohazard supplies to West Africa. The point is that there is no defined upper limit to the risk associated with the consequences of nonpayment of bills. I believe that the debtors, not the creditors are usually liable for those consequences. Today, many electric and gas utilities are required to observe all sorts of safeguards to prevent tragic outcomes from service cutoffs. There are also specific laws in some locations preventing software vendors from embedding "self help" logic bombs in their programs. But absent such specific laws, there is no general liability that I am aware of.
I cannot help but compare (1) arguments that requiring voter identification at the polling station is racist/classist, and (2) that generalized Internet voting would increase turnout amongst the under-represented. Has anyone written the obvious heighten-the-contrast diatribe?
Gary Hinson noted that the URL was incorrect. http://www.protocoljournal.org is the main URL (my typo), but he suggested http://www.internetsociety.org/sites/default/files/ipj17.1_0.pdf