Risk Factor iconRisk Factor

Losing Your Heart May Have a Whole New Meaning

Surgery.gif

In a disturbing article in today's Boston Globe, it appears that there are large security gaps in "implanted devices that help regulate heartbeats and use wireless technology."

Dr. William H. Maisel, director of the Medical Device Safety Institute at Beth Israel Deaconess Medical Center, who led a research project into medical device security risks, says in the story:

"With some technical expertise, we were able to retrieve information from the device in an unauthorized fashion. We were able to send commands to the device in an unauthorized fashion and could reprogram settings and even tell the device to deliver a high-voltage shock."

Maisel goes on to say that patients with pacemakers and cardiac defibrillators that have wireless capability shouldn't be concerned because of the high level of technical skill needed to conduct such an attack.

Maisel suggests that device manufacturers and maybe regulators may need to consider adding an audible tone or a vibration that "could let a patient know whenever someone is communicating with an implanted heart device."

While the risk may be remote, I can see all sorts of new television murder mystery plots developing. A person wanting to bump off their spouse or relative who has a pacemaker hires some mysterious hacker to do the job, or a group of young people, fed up with seeing their Social Security and Medicare taxes going up or worried that there won't be any left for them as they grow older deciding to knock off seniors en mass by driving by nursing homes and fooling with implanted medical devices. Tech savvy lawyer, doctor, private investigator, neighbor sets out to solve the case, blah, blah, blah.

TV plots aside, I do wonder, though, how soon we'll see hackers in the near future offering software to destabilize medical devices for the right price.

Microsoft's Vista $2,100 e-mail machine

The Sunday New York Times has an interesting story on the continuing saga of the lawsuit against Microsoft by two plaintiffs contending, according to the Times, that "Microsoftâ''s 'Windows Vista Capable' stickers were misleading when affixed to machines that turned out to be incapable of running the versions of Vista that offered the features Microsoft was marketing as distinctive Vista benefits." The complaint can be found here.

A judge last month granted class-action lawsuit status to the suit, which is scheduled to go to trial in October.

Microsoft, of course, says that this complaint is hokum, as its response explains here.

Unfortunately, 158 pages of internal Microsoft emails by employees like Michael Nash, a Microsoft vice president who oversees Windows product management, tends to undercut Microsoft's insistence that there was nothing misleading with Vista. Nash wrote that he "personally got burned" by buying a laptop that was labeled as Windows Vista Capable: "I now have a $2,100 e-mail machine."

The emails make for amusing, but not surprising, reading for anyone who has been in the software business for more than a month. They tell a story of tough design trade-offs, "hold your nose" compromises, broken promises, schedule pressure, vaporware marketing, and so on. In other words, business as usual in any large IT development shop, commercial or government.

In fact, the emails are something every high school or university student should read to understand what it is like out there in the IS&T world. Software development is like sausage making - you don't want to look too closely at what is used as filler or goes on during the process.

REAL ID Costs Hitting Starting to Bite

DHS.gif

It looks like Virginia has decided that it will now charge residents $5 to renew their vehicle, motorcycle or trailer registrations in person at Department of Motor Vehicles (DMV) offices. The reason is to "encourage" residents to renew on-line, by mail, or over the phone because the expected wait times at DMV offices in Virginia when REAL ID gets implemented next January are expected to climb at least 200%. The DMV is also asking the state government for an additional $7 million to hire new employees to cope with the expected increased workload.

Also, a story in Government Computing News indicates that states are quietly complying with the 1st of May REAL ID requirements, rather than fight them, at least at this time. The Department of Homeland Security says that only a handful of states have failed to either obtain waivers or comply with the requirements.

Missing White House E-Mails

White-House.gif

IEEE Spectrum Senior Editor Harry Goldstein sent me a link to a ZATZ Publishing article titled, Where Have All the E-Mails Gone?" that discusses in detail what can only be called the appalling and absolutely amateurish IT practices at the White House in regard to its email system and its legal requirement to preserve them.

Currently, tens of thousands or more of White House e-mail messages that span a period of up to two and a half years may (or may not) be missing - no one seems, however, to be able to provide a definite answer.

The White House claims that "there is no evidence" of missing any e-mails: it just can't produce them.

If that explanation makes your head hurt, be forewarned - your logic circuits will be overloaded even more after reading the explanations in the ZATZ article as to whey they can't be produced.

Boeing To Slip 787 Dreamliner Again?

Boeing.gif

Last week, a Goldman Sachs analyst warned in a research report is likely to slip another three to even six months due to continued difficulties with getting parts. Boeing refuses to comment directly to the report, other than saying, â''Boeing is in the process of conducting an assessment of its 787 delivery schedule and will communicate it to customers around the end of first quarter, as previously indicated in January.â''

From previous Boeing comments, a slip looks more and more likely.

In addition, All Nippon Airways (ANA) is demanding clarification of Boeing's 787 delivery schedule. According to the story in today's Sydney Morning Herald, the airline is very unhappy: " 'The longer we wait, the more servicing of the 767s we will need to do,' said Mr Shinobe, an executive vice-president at All Nippon. 'Some of them may become unfit for flying.' "

The story says that in February Japan Air said that it was considering buying Airbus A350 XWB planes to help increase its fleet's fuel efficiency last month after Boeing announced the delay in the 787-3 version of the Dreamliner.

If Boeing isn't careful, the Dreamliner may start getting a new name, like Dreamloser.

Computer Science Enrollment Looking Better?

Students.gif

In an Ars Technica story pointed out to me by IEEE Spectrum Associate Editor Joshua Romero, there is some data that suggests that the drop in university and college student enrollment in computer science has bottomed off, at least for the moment. Information gathered from the Computing Research Association shows that for the past three years, newly declared CS majors has remained in the vicinity of around 7,500 or so. This is still about half as many as those who declared a CS major in 2000.

Computer science professor Jacob Slonim from Dalhousie University in Halifax, Canada blames the media instead of computer science professors for some of the decline in enrollment the past few years, at least in Canada. Slonim is quoted in ITWorldCanada as saying, â''Every time Nortel lays off employees, it makes major headlines. But when CGI says itâ''s looking for 2,500 new people, we never hear about it. The fact that Iâ''m forecasting the need for 80,000 new IT people by 2010 hasnâ''t made headlines either.â''

DoD Admits to Being Severely Hacked

Sign-In.gif

Dennis Clem, the Office of the Secretary of Defenseâ''s (OSD) chief information officer, reportedly said last week at the Information Processing Interagency Conference that the June 2007 network hack into defense computers stole an â''amazing amount" of information, according to Government Executive magazine.

According to the magazine Clem said, â''We don't know when they'll use the information they stole, [which was] an amazing amount, [including] processes and procedures that will be valuable to adversaries.â''

While Clem didnâ''t say who the attackers were, the speculation has been that it was Chinese government sponsored hackers, a charge the government vigorously denies. CNN posted a story yesterday interviewing a number of Chinese hackers that suggests that the Chinese government was indeed behind the attack.

According to Government Executive, after the intrusion was discovered and the network shut down, it took OSD three weeks, $4 million, and the introduction of a boatload of new security processes before recovery was complete. The US Department of Defense gets some 70,000 intrusion attempts per day.

In a case of good timing, according to a story in yesterdayâ''s Washington Post, the Department of Homeland Security (DHS) is next week going to conduct a follow-on to its Cyber Storm I exercise. The Post says that Cyber Storm II is planned to be â''the largest-ever exercise designed to evaluate the mettle of information technology experts and incident response teams from 18 federal agencies, including the CIA, Department of Defense, FBI, and NSA, as well as officials from nine states, including Delaware, Pennsylvania and Virginia. In addition, more than 40 companies will be playing, including Cisco Systems, Dow Chemical, McAfee, and Microsoft.â'' Also involved will be government agencies from Australia, Canada, New Zealand, and the United Kingdom.

The exercise is needed none too soon, according to another Government Executive story this week that quotes National Intelligence Director Michael McConnell that the US is not prepared to deal with threats against military and civil networks and information systems.

US Census 2010: The Current Situation is Unacceptable

Census%20-%201.gif

"We have discovered serious problems with the FDCA (Field Data Collection Automation) program and I am personally involved in bringing key issues to the surface and developing a way forward. In short, the current situation is unacceptable. The American people expect and deserve a timely and accurate Decennial Census..."

So testified Carlos M. Gutierrez, Secretary of the U.S. Department of Commerce at a hearing yesterday in front of the U.S. Senate Committee on Homeland Security and Governmental Affairs on the status of the 2010 Census. Gutierrez finally awoke to the fact that the 2010 Census is in deep and very deep kimshe.

So serious is the trouble that in a highly unusual mid-session announcement, the U.S. Government Accountability Office (GAO) yesterday designated the 2010 Census Project as High Risk, which is in my opinion about 2 years late, since the program is already in trouble, not potentially in trouble.

The cause of the problem which the Census has been trying to paper over for quite some time is that it depends on 500,000 handheld computers to replace its paper-based collection system. As is always the case, it looked very easy to do on paper, but proved to be harder to do in reality.

The Census reasoning seems to have been along the lines of: if Fed Ex can use handhelds to track packages, why can we do the same for collecting Census data - should be dead easy, right? The idea in itself wasn't not outrageous, as long as the risks involved were clearly understood and managed. The GAO report makes clear - as the GAO has several times in the past - that they weren't (and from reading the report still aren't) on both accounts.

In Gutierrez's testimony, he goes on to state that the Census discovered late last year a "gap" as he calls it "between the capacity to get the work done and the amount of time remaining. One of the main reasons for this gap was significant miscommunication concerning technical requirements between the Census Bureau and Harris [the prime contractor]. The lack of clarity in defining technical requirements was a serious problem especially with regard to the testing and functionality of the handheld devices in a full Census environment. For example, discrepancies arose over data upload times, screen change speed and data storage capabilities."

So let me get this straight - with a little more than six months to go before a full scale dress rehearsal of the system, it was discovered that there was still major miscommunication between the Census and the contractor about basic performance parameters for the device to be used by hundreds of thousands of census takers? Weren't these parameters weren't spelled out in detail in the contract? Or did Harris follow the contract, and now the Census has figured out that what it specified won't do? Did Harris tell them there were problems, but the Census didn't listen? What the hell happened here?

Interestingly, back in November 2005, the Government Communications Systems Division (GCSD) of Harris achieved "a Capability Maturity Model Integration (CMMI®) Maturity Level 3 rating. The Level 3 rating denotes superior process maturity within the division's program management, engineering, quality assurance, and other disciplines, and achievement of this rating has become a competitive differentiator on many government programs." I wonder if this rating helped Harris win the Census contract?

At the very least, I think the division's CMMI rating may need to be re-evaluated, or maybe better, the US government better start looking at what, if anything, SEI CMMI Level 3 actually means in practice.

Alas, the Census provided Harris with an updated set of requirements in mid-January 2008; hopefully they are the correct and technically feasible ones.

In the testimony yesterday, it came out that it may cost another $2 billion to "ensure" that the 2010 Census actually can succeed, on top of the $11.5 billion already allocated to the Census (of which $3 billion was for the IT portion of the Census). It also appears the probability of completing the Census on time is dropping rapidly unless there is a marked turnaround. The dress rehearsal in May will give better indication of the true risk status of the situation.

Gutierrez' also said yesterday, "There is no question that both the Census Bureau and Harris could have done things differently and better over the past couple of years."

No kidding?

What I really want to know is who in management is going to be held accountable for this excess level of risk mismanagement, incompetent communication, and rank amateurism in program and contract management. Or is it business as usual, with "mistakes were made," "we have learned from this experience," blah, blah, blah.

The folks at Government Executive have been following this slowly unfolding big time blunder in the making closely, and you can read more about it here, here and here.

IT Mercy Rule Called: Seasprite Contact Cancelled

Sprite.gif

The Australian Defence Minister Joel Fitzgibbon decided it was time to invoke the IT mercy rule and announced that he was terminating the ill-fated Super Seasprite avionics upgrade program after 11 years of futility.

The total amount the canceled program will cost Australian taxpayers is estimated to be about AU$1.3 billion, not counting the costs of procuring a new helicopter or the costs/risks associated with Australia's eight ANZAC class frigates not having helicopters providing anti-surface and surveillance capabilities for probably another 5 years.

Nine of the Seasprites have been delivered to the Australian Navy's 805 Squadron based at Nowra, New South Wales, but have been grounded for safety reasons.

Maybe they can be made into nice flower planters in front of the main gate.

Counterfeit Computer Chips Security Risk?

About two weeks ago, it was reported that US and European customs officers seized more than 360,000 counterfeit computer chips and network components bearing more than 40 trademarks in a joint operation last November and December.

Last week, US and Canadian seized 400 counterfeit Cisco network hardware components and labels with an estimated retail value of more than $76 million, the US Justice Department announced. Now ComputerWeekly is reporting that there is a worry that counterfeit Cisco hardware may be on corporate and government networks, and thus possibly posing a security risk.

Computer Weekly also suggests in its story that Cisco may be hesitant to spell out in detail how to spot a fake, since it will let counterfeiters know what to correct.

Cisco, however, has published an internal guide to help spot fakes, which, interestingly enough, is stamped "confidential." More information on uncovering counterfeit Cisco equipment can be found here.

UPDATE: It turns out that IEEE Spectrum had an article on counterfeit chips and electronics in 2006. You can read it here.

Advertisement

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
Load More