If you are a Delta Sky Miles frequent flyer member and purchased an airline ticket in the past three weeks, you may want to see whether you overpaid for your ticket by a significant amount.

According to Minneapolis, Minnesota, television station WCCO, passengers purchasing Delta plane tickets via their online Delta Sky Miles accounts during that period were shown airfares that were sometimes hundreds of dollars more than those listed when the passengers didn’t use their Sky Miles account numbers.

WCCO reported that customers who complained to Delta about the issue were told by reservation agents that, “that’s the way the system works.”

However, when reporters from the station started to investigate the complaints, Delta quickly looked into the matter and belatedly admitted that the issue was the result of a computer error. An AP story states that Delta has been working on “upgrading elements of its website for more than a year. An upgrade less than three weeks ago to its flight search engine caused the fare discrepancies.”

Despite knowing that a software glitch is causing some of its most loyal customers to be fleeced, Delta said that it “wouldn't be notifying customers of the problem but if travelers call, they will look into it on a case-by-case basis.”

How very nice of them. I guess this is what Delta means when it states on its website:

"So many privileges just waiting for you with a free SkyMiles account."

You would think that irritating your best customers is not in your best interests, but that seems never to enter the business equation—at least not in the airline business.

Clocks on VCRs were once considered too difficult for the average person to program properly. Now, apparently, so are new automobile dashboards.

According to a story at the Wall Street Journal last week, auto manufacturers are strongly encouraging their dealers to add a “technology specialist” to their staff, whose purpose is to help customers figure out how to use all the digital technology packed into new cars. The Journal says that the automotive manufacturers are worried that the increasing level of technology found in new vehicles is creating a “skills gap” between what a typical customer understands and their car’s digital capabilities.

Ford is taking a lead role in encouraging its dealers to hire someone for the specialist role. Why? Ford is getting nervous, says the Journal.

“The auto industry is motivated in part by fear. Ford Motor Co. last year was jolted when Consumer Reports panned its MyFord Touch system, echoing customer complaints that it was annoying to operate. Ford is now accelerating efforts to persuade dealers to dedicate more time and personnel to hands-on technology training.”

And customer annoyance quickly can turn into a financial issue:  the industry is worried that “failing to educate customers eventually will hurt profits.” As one executive at Mercedes Benz U.S., which is also working on ways of how to best educate its customers, told the Journal, “How are you going to get people to pay for it [new technology] if sales people can't articulate the benefits?”

Lexus is another car manufacturer that is investing significant funds into training and digital tools to help its own dealers understand how its cars electronics work, the Journal article states.  In fact, Lexus is now mandating that all its dealers must spend more time training customers on the technology present in Lexus vehicles. You may recall that the US congressional investigations into Toyota’s sudden unintended acceleration problems were sparked in part by an accident several years ago involving an off-duty California Highway Patrol officer who was killed along with his family because he could not figure out how to turn off their borrowed Lexus ES 350 electronic ignition after a floor mat becoming stuck in the car's accelerator pedal.

Of course, it might help if car designers spent a little more time with their human factors counterparts to make the operations of the electronics more transparent and easy to use. There has been several occasions where I would have been more than pleased to explain in detail to the designers of several of the electronic systems on my Toyota Sienna how they got it dreadfully wrong. Needing a couple of hundred page manual  to explain how to use my car’s electronics is a symptom of the problem.

The good news, however, is that I expect the issue will finally go away once we are all in our autonomously driven cars, at which point we will have unlimited available time to figure our car’s electronics.

For many people, cellphones aren’t just a mode of communication, they’re lifelines. Sure, we laugh or roll our eyes at stories about people who are seemingly addicted to their "Crackberries," and get annoyed at the loud talker on the bus or the gem of a person who’ll answer calls in a movie theater. Still, it’s clear that cellphones solve more problems than they create. That is, unless you desperately need to make a call and find yourself in a dreaded dead zone.

That was the tragic situation that befell Arthur and Madeleine Morris, an elderly New York City couple whose vehicle fell down an embankment near the end of the driveway of their vacation home in New York’s Catskills region. After it became clear that the car was stuck, they made five unsuccessful attempts to call for help.  Calls to 911, Madeleine’s son, and a neighbor failed to connect because of spotty cellular reception in the sparsely-populated rural area. From what investigators have been able to piece together, Arthur Morris then attempted to climb out of the vehicle, but got wedged between the bottom of the door and the ground. He soon died of asphyxiation. His wife managed to get out, but four additional attempts to use the cellphone proved fruitless.

After giving up on technology, she walked to the home of their closest neighbors. Finding them already gone, and unsure of what else to do, Madeleine covered herself with a tarp to protect herself against the rain, but died of hypothermia after nighttime temperatures dipped into the forties.

Two sentences in a CNET News article encapsulate the level of faith (misplaced or not) we’ve come to place in technology:

“…their grandson had bought them a phone from AT&T, in the belief that a network from such a large carrier would offer the best chance of a signal in that remote area. But locals reportedly say no carrier has much of a signal in those mountains.”

As someone who lives less than an hour from where the Morrises’ were unable to reach out and touch someone (as AT&T prompted people to do years ago in its commercials), I fully understand frustration over spotty coverage. When I’m at home, my handset (with service through a different carrier) can receive calls and text messages on alternate Thursdays—but only when I stand on one foot while facing the sun.  On cloudy days, well, it’s good to have a landline.

For its part, AT&T responded to the CNET article with a brief statement:

“Our thoughts and sympathies go out to the Morris family during this extremely difficult time. Wireless coverage in mountainous and remote areas is an industrywide challenge, and AT&T, along with other carriers, are continually striving to improve service levels in those areas.”

In other words, don't hold your breath waiting for AT&T or any other carrier to erect cell towers simply for the public good. If they cannot justify that cost in terms of the number of customers on their subscriber rolls or potential customers they can add, don't look for them to surmount that "industrywide challenge" anytime soon. 

On this blog, we write a lot about cybercriminals defeating organizations’ online security measures (often because they’re woefully inadequate) or tricking consumers via some phishing or social engineering scheme. But sometimes you have to wonder whether the people responsible for other people’s personal information could make a bigger mess if they were intentionally trying to divulge the data.

Take for example California’s Department of In-Home Supportive Services (IHSS), which reported late last week that more than 700 000 records containing personal records of caregivers and patients were either lost or stolen. The department, which organizes and oversees the provision of home attendants and visiting nurses for elderly and disabled people, says that Hewlett Packard, with which it contracted to manage the data, notified it that a package containing microfiche with payroll data was missing from a package it sent via the U.S. Postal Service. Among the items were 375 000 workers’ names, Social Security numbers, and wages, plus the names and state identification numbers of care recipients. The package, which HP sending to California’s Compensation Insurance Fund arrived with the container damaged and some of the records missing.

A Los Angeles Times article quoted Michael Cox, a spokesman for the Service Employees International Union, the labor union that represents hundreds of thousands of home care workers in the state:

"[The fact that such] primitive security measures are still in place is inexplicable.”

I think Cox’s characterization was a bit generous. It doesn’t seem out of place to look at a cardboard box containing pictures of unencrypted records and ask: What security measures? I have no idea whether California law allows it, but it would be perfectly just for the people whose information was handled so carelessly to sue the state. Perhaps the pain in the state’s purse strings will cause it to set the bar for maintaining or distributing sensitive data a little higher.

In March, computer storage devices containing the names, Social Security numbers, and other private records of about 800 000 adults and children were lost in transit between an IBM facility and the California Department of Child Support Services. See if this sounds familiar: a container holding the memory devices broke during shipping, allowing some of them to spill out.

A reporter for The Wall Street Journal appears to have hacked a popular crowdfunding website last week, exposing a security gap created during a software update. The reporter, Jeremy Singer-Vine, was able to access a massive amount of private information before Kickstarter hurriedly fixed the problem on Friday 12 May.

Kickstarter is a place for artists and gadget-makers to present their projects to the public and ask for monetary backing in exchange for rewards. It could be a $1 pledge to a documentary with satisfaction as the reward, or a $200 pledge to back the next iPad accessory in exchange for the new toy.

Singer-Vine and the Journal downloaded almost 77 000 unpublished projects.

According to Kickstarter, one of its engineers found the so-called bug. Not the case, says the Journal. Singer-Vine, who is a computer programmer as well as a reporter, didn’t say what he was doing snooping around Kickstarter’s innards. But it appears that he discovered the problem, then he told Kickstarter about it—maybe so they could fix it, maybe so he could get a quote (which, by the way, he didn't).

Kickstarter had updated its website with some new features and a new software interface on 24 April, in honor of its third birthday. The updated software included a back-end way to look at projects that weren’t ready for consumption. That private information wasn’t readily accessible from the site, but outsiders, such as the Journal’s reporter, apparently were able to access the site's internal data feed for about three weeks.

Users of the site never provide credit card information to Kickstarter itself—it uses Amazon for payments—so no financial information was divulgled. But the reporter was able to access project photos, videos, locations, descriptions, fundraising goals, planned rewards for project backers, and user names.

An invasion of privacy in a creative space may be less of a concern than a financial incursion or a medical records breach, but the fact that no one at the company was aware of the security hole for three weeks is disconcerting. Still, very few people actually exploited the breach, Kickstarter says. Only 48 projects were looked at, including those accessed by programmers to fix the bug. Except, of course, for the thousands of projects accessed by the reporter.

Updating a website is often necessary for rapidly growing start-ups. Kickstarter is prime example. In 2011, users pledged almost $100 million to over 27 000 projects. In the last month, users pledged over $10 million to just one project: Pebble, the fabled smartphone-enabled watch. But, clearly, mistakes can be made during an upgrade.

Keep an eye out for our June video on Kickstarter crowdfunded Apple accessories.

The decision last year to finally cancel the UK’s National Program for IT (NPfIT) effort to implement a nation-wide integrated electronic health record (EHR) system because of its spiraling cost and complexity  is looking better all the time. According to a recent  story in Computer Weekly, roughly 60 percent of London National Health Service (NHS) hospital trusts are operating without IT disaster recovery systems in place. The startling news was delivered at a health informatics conference by a program manager at the London NHS Commercial Support Unit. The speaker said her group is trying to determine why such a high number of hospitals don’t have these basic systems in place, and whether the trusts that lack them are planning on implementing any of them soon.

In a related story, the Guardian reported earlier in the month that the North Bristol NHS trust’s effort to roll out its Cerner-based electronic health record system has overrun its budget by nearly 100 percent. Apparently, the trust severely underestimated how challenging the data migration effort would be, not to mention the level of staff support needed to operate the system once it was in place. Issues with the EHR roll-out led to a series of clinical incidents; the trust cited the Cerner implementation ”as the causal factor” in 16 of them, the Guardian stated. Fortunately, none of the incidents created a hazard for patients.

The definitive history of the failure of the NPfIT has yet to be written. The closest that exists is the Dossier (pdf) of concerns that professor Brian Randell of Newcastle University has compiled over the years. Now, another useful historical contribution has been written by professor Geoffrey Sampson of the University of South Africa, who provides his own view of the debacle.

Like Randell, Sampson was one of the “Gang of 23” computer professorswho wrote an open letter to the UK government in April 2006 questioning its NPfIT strategy and implementation approach, and calling for an independent technical review of the effort. The letter caused a stir at the time, but ultimately did not cause the government to change its NPfIT approach one iota, other than to double down in its defense of its plans. As in most situations of denial of the obvious like this, all that was needed for the approach to fail was time.

Sampson’s observations of the NPfIT debacle are interesting, especially in regard to the lessons that those involved in government IT need learn from it. He writes, for instance, that:

“Government and computing are bound to mix badly, because the two domains are founded on contrary assumptions. In the government world, it is a given that sufficient authority will elicit any desired action. In the world of informatics, authority is impotent. Bring as much pressure as you like to bear on a flawed software system, and what you will get is a worse-flawed system.”

In addition:

“If governments hope to make IT serve their purposes, as since the turn of the century they have increasingly been aiming to do, then they have got to learn to defer to information-technology realities. Human beings bend to government will. Software development does not take orders.”

Maybe Katie Davis, the interim Managing Director of NHS informatics, should keep that in mind the next time she thinks about reiterating her claims about the future of the NHS and technology. For example, insists that NHS has an 80 percent chance (if not better) of having “world beating” health informatics in place across the country within the next 5 to 10 years, although that statement is based on nothing more than the "enthusiasm" the government has for health information technology.

Members of the hacktivist group Anonymous have been active this week, striking out at Virgin Media, Vladimir Putin, and, allegedly, a Twitter spammer.

The Wednesday attacks on Virgin Media and Vladimir Putin were denial-of-service hacks that temporarily brought down the sites. The motivations in these incidents were clearly stated. 

According to a Reuters report, Anonymous took credit for the Putin hack, a follow-through on a threat that the group would target Russian government websites in support of opposition protests, via the Twitter account @Op_Russia. Details of the kremlin.ru attack were less clear. Reuters said it went down for several minutes on Wednesday. But the RT network reported that the site was down for almost an hour, and that other government sites were also attacked, though not as successfully. Several Russian media sites also experienced denial-of-service hacks, but Anonymous members did not claimed responsibility for those, RT said. 

The Virgin Media denial-of-service hack was retaliation over the takedown of The Pirate Bay, a massive file-sharing site, Daily Tech reports. “#Anonymous have just taken down #VirginMedia website again because of their involvement in the #Censorship of The Pirate Bay,” @AnonUK tweeted Wednesday. Virgin Media had decided to cooperate with the U.K. High Court’s order to block the site.

Earlier in the week, hackers claiming to be from Anonymous took credit for publishing a list of 55 000 Twitter handles and passwords on Pastebin. Many of the accounts listed were spam handles. Many, though, were duplicates, bringing the total closer to 35 000.

It appears that Twitter was not hacked—a spammer was hacked, and that list was released by another hacker. Or perhaps a spammer posted the list in retaliation against Twitter for cancelling some of the accounts on the list, suggests The New York Times. An eWeek columnist went so far as to speculate that the cache of passwords were a honeypot laid out by Twitter itself to catch hackers intent on nabbing Twitter's user files.

In a debate about the list on Y Combinator’s Hacker News, the consensus was that it was a white hat hack: an attempt to force Twitter to close a long list of fake accounts. When the handles and passwords went public, Twitter reset all of the passwords and sent out email notifications. That would kill a fake account, as the emails aren’t real.

But not all of the accounts posted in the Twitter list were fake. One Y Combinator user, felipe_csl, hacked into a real person’s Twitter account, then into that person’s Hotmail, and then emailed the owner to tell them their password had been posted online. Some users denounced felipe_csl's actions as illegal and invasive, while others called him conscientious.

This week’s hacktivist events may not be over. The BBC reports that tweets from Anonymous hackers have threatened a weekly repeat of Saturday's denial-of-service attack on United Kingdom’s Home Office website, in which the site was taken down for several hours.

Crime-fighting agencies around the world are making the war against e-crime a higher priority. On Tuesday, at a conference in Tel Aviv, Interpol announced that it will open a center dedicated to cybercrime and digital security in Singapore in 2014. 

The steady increase of cybercrime has inspired a wave of new regulations, stricter punishments for online law-breakers, dedicated international centers, and cyber-specific law enforcement units.

The Internet provides a unique opportunity for crimes without borders. And online crime has become a lucrative business for organized gangs, says Interpol’s president Khoo Boon Hui. Cross-border gangs commit 80 percent of online crime, he told the Associated Press, citing a London Metropolitan University study. National boundaries pose no challenge to criminals. Hui also mentioned a recent spat of 200 arrests of scammers in Malaysia, China and Taiwan—all connected to the same syndicate boss in Taiwan.

But Interpol’s center will not be the first. In fact, they're a little late in joining the e-crime fighting posse.

In March, the European Union announced its plans to build an anti-cybercrime center. The E.U.’s center will open in early 2013 in the Netherlands at Europol’s center. In addition to online gangs and fraud, it will fight sexual predators, and hackers.

Hacking can cause national security problems, especially from attacks on infrastructure or government systems (although there's vigorous debate about the severity of the threat). But there is also a tremendous amount of money at stake.

Worldwide cybercrime profits reach U.S. $388 billion a year—€21 billion in the United Kingdom alone—a European Union committee told the New York Times. That eclipses the global drug trade of marijuana, cocaine and heroin.

Its global nature makes fighting cybercrime difficult. The E.U. committee proposed mandatory jail sentences that would be standard across the E.U. According to the Times, part of the problem has been a lack of communication.

The United States committed to new measures to fight international cyber crime last year. In a strategy statement from the White House in July 2011, U.S. President Barack Obama stressed a need for national responsibility and international cooperation. The state of California, which leads the United States in per-capita victims of cybercrime, even founded its own e-crime unit in August 2011.

It's unclear how all of these new and individual teams will work together. Perhaps they will need to emulate the criminal element and its borderless cooperation.

In the past few weeks, there has been a spate of news stories that highlight wide-spread concerns that the United States is vulnerable to cyber-attack, cyber-espionage and id theft. For example, over the weekend, there was an article in the Christian Science Monitor about an on-going “spear phishing” campaign aimed against companies operating in the natural gas pipeline sector. The attack apparently began last December with a number of natural gas pipeline organizations reporting “either attempts or intrusions related to this campaign.”

That was preceded by an article in the New York Times that reported on an assessment of the U.S. ability to respond to man-man or natural disasters. The National Preparedness Report, performed under the auspices of the Federal Emergency Management Agency (FEMA), reported that, in general, the U.S. was fairly well-prepared for dealing with the effects of epidemics, natural disasters and even terrorist attacks, but not adequately prepared for dealing with a cyber-attack. The report states that:

“The Nation is highly reliant upon interdependent cyber systems, yet stakeholders have an incomplete understanding of cyber risk and inconsistent public and private participation in cybersecurity partnerships. Trends also point to cyber criminals’ continued focus on stealing customer records, including personally identifiable information, payment card data, email addresses, and other customer data.”

The report states that only 42% of state and local officials feel that they were adequately prepared for a cyber-attack, and that, “Cybersecurity was the single core capability where states had made the least amount of overall progress.”

In addition, there was an editorial in the Wall Street Journal by Martin Feldstein, chairman of the Council of Economic Advisers under President Ronald Reagan, in which he states:

“The United States is vulnerable to cyber-attacks by unfriendly nations and nonstate actors. Attacks through the Internet are now stealing billions of dollars of intellectual property from American businesses. Internet attacks can also bring down such critical infrastructure as the electricity supply, the air traffic system and the stock market. Congress can and should act to protect us from this widespread and increasing danger.”

Feldstein called on Congress to provide funding, say by diverting money from the US Defense Department budget, to help U.S.  infrastructure companies meet a mandatory level of cyber-security. He also states that, “Protecting the nation from cyber-attacks that steal technology and that can disrupt our daily lives should be at the top of the government's agenda.”

But not everyone is convinced that the cyber threats are as severe as being depicted.

About a month ago, I blogged about the medical record breach at Utah's Department of Health (UDOH). Nearly a million patient medical records were stolen by suspected Eastern European hackers. When the story first broke, the state blamed the incident on a technician who “installed a password that wasn't as secure as needed” on a new server that had been placed into service just three months earlier.

Well, news stories like this one in the Salt Lake Tribune are now reporting that UDOH has partly shifted its stance, admitting the breach was made worse because the medical record data, instead of being erased each day as its own security protocols require, was left to accumulate on the server from the time it was first installed. UDOH is keeping quiet, however, about why the security protocol was not followed, as well as why compliance with the protocol and password requirements weren’t checked as a matter of course when the new server was brought online.

UDOH is also refusing to say whether those responsible for the security breach have been disciplined, something that those whose medical records were compromised have been asking about. In response to these inquiries, the department's executive director, David Patton, was quoted as saying that, "We’re in the mode of trying to help people, not find culprits."

So far, only 20 000 people have taken up the state’s offer of one year of free credit monitoring, although part of the slow uptake is being blamed on the state’s approach to victim outreach. According a separate story published by the Tribune, the letters from the state sent to potential victims concerning the breach direct them to “call a hot- line and enter their Social Security number.” Many folks, the Tribune reports, fear the letters they are receiving are part of some scam, since this type of request is exactly what  Utah’s government officials routinely advise state residents never to comply with. And even if you believe the letter is legit and follow the enclosed directions, the Tribune says, the operators manning the victim hotline are apparently only able to read from a script and have been instructed not to answer any questions posed to them by callers!

And speaking of engineering mistakes, according to an article in Computer World, an Apple programmer forgot to turn off a “debugging switch” in the latest version of Apple’s Lion operating system. The consequence of the error is that it can reveal “the passwords for material stored in the first version of FileVault, the company's encryption technology.” The issue doesn’t affect those with the latest version of FileVault, however.