Risk Factor

Boeing finally admitted yesterday that it was delaying the introduction of the 787 Dreamliner from May 2008 to the end of 2008. Just a few days ago, Boeing was insisting that it would make the May delivery, even if it had to work 24 hours a day to do so.

Along with some production problems having to do with parts availability (e.g.,"from fasteners .. to clips and brackets and small assemblies being provided further down in the supply chain") as well as - drum roll please - software.

The issues with software are "coding and integration." More time is required to let the software "mature" through additional testing.

Quoting from Scott Carson,Boeing Co., EVP, CEO Boeing Commercial Airplanes:

"But let me say this about the overall system integration work. We have had two or three software areas that have been on the critical path right along with the production build of the airplane. .... the software and structures work, were running neck and neck."

"As it became clear that in fact the most critical pacing item was the structures, this has actually given us a little bit of headroom on the software side. We're going to have much more time with the software in the lab, both in terms of maturing the individual software itself but also in integrating the software packages to assure service-ready functionality by the time the airplane flies. So the silver mining in this cloud tied to the structures work is we think it has given us some breathing room that is going to allow the software piece to be much more mature by the time the airplane flies."

Ah, the old game of software versus systems chicken to see who has to blink first, and admit they are more behind than the other guy.

Congratulations!! The software guys win.

How hard do you think the software folks were praying that those fasteners wouldn't be available before their tests were? So even though the software is late (and over-budget?), it doesn't look as bad as if software development were alone the hold-up to the Dreamliner's in-service date.

BTW, a note to the FAA - you may want to do some extra "maturity" checks on that software.

ComputerWorld has two interesting stories today. The first was from this morning, which was about lawyers suing Apple for $2.6 billion claiming that, "Apple blocked third-party applications, barred any ring tones but those it sold via iTunes and disabled unlocked phones with last month's 1.1.1 version update."

Then this afternoon, it reported that for between $60 to $99, "The iPhoneSIMFree, a commercial venture that was the first to publish a point-and-click unlock hack last month, has announced Version 1.6 of its software, and claimed that it could bring any bricked iPhone back to life."

But wait; according to the story, "another unlock hacking group, the iPhone Dev Team, urged owners of bricked iPhones to sit tight. 'Free unlock of 1.1.1 is coming soon.' "

I would have loved to have seen the lawyers' faces this afternoon. Maybe by the weekend, their case will have been vaporized by hackers. Shakespeare would be proud.

As many as 40 employees at Palisades Medical Center in North Bergen where actor George Clooney and a companion was taken after his motorcycle accident a few weeks back are being investigated for looking at his medical records, with over two dozen suspended without pay so far. It is probably a safe guess that at least one leaked Clooney's records to the press, since the media reported in detail on his injuries within "minutes" of his admittance.

The employees got to Clooney's medical records by accessing the hospital's computers. Let's hear it for computerized medical records - makes spying so easy.

As I noted a few weeks back, a celebrity's (reported to be ex-English football coach Sir Bobby Robson) medical records were looked at in a UK hospital.

A Palisade's hospital workers union spokesperson said, "It was inappropriate but they [the employees who sneaked a peak] are paying a steep price. But I don't even think George Clooney would want people to pay. Again, the apology to him for his privacy rights [is necessary], but I think in fact the hospital is overreacting."

"There are hospital obligations to have security systems so that a breach can't occur -- obviously that failed," she added. The spokesperson also tried to argue that since the employees (for the most part) only looked at Clooney's medical record and didn't disclose it (what, other than to friends and relatives?), it was a "no harm, no foul situation."

I hate to differ - I think they all need to be terminated. Or how about this as a compromise: a full public disclosure of the medical records (or better tax records - what's the difference?) of all those who sneaked a peak, and for fairness, let's include the union spokesperson since she thinks snooping does not rate a suspension, let alone a firing. That's a fair trade, right?

Furthermore to say that it's the hospital's fault for not having technology to keep prying eyes out is more than a bit self serving. In the UK incident, for example, those authorized to look at Robson's medical records simply gave access to those who did not. Technology doesn't prevent bad behavior or a lack of personal responsibility.

With attitudes expressed by this spokesperson, I would say that ensuring the privacy of electronic health records still have a long way to go.

Today's Washington Post has an interesting article and some neat video on the new class of insect-sized robotic spy cameras, some looking like dragonflies. The CIA tried this 30 years ago, according to the article, but gave up: seems the insectothopter couldn't be controlled in a cross-wind.

The Defense Advanced Research Projects Agency (DARPA) is funding a Hybrid Insect Micro-Electro-Mechanical Systems Project, which "is aimed at developing tightly coupled machine-insect interfaces by placing micro-mechanical systems inside the insects during the early stages of metamorphosis."

Some protesters at the 2004 Republican National Convention in New York claim they saw what looked like a dragonfly-like object suspiciously hovering as if spying on them. Law enforcement claims to know nothing about it, and an entomologist says that it was probably just a dragonfly.

However, the entomologist also says dragonflies don't fly in packs. So, if you see a bunch of dragonflies just kind of hanging around ...

Last week, the Massachusetts Division of Professional Licensure mailed 28 computer disks to 23 marketing agencies who requested the names of the 450,000 licensed professionals in Massachusetts; unfortunately, the disks also contained the professionals' social security numbers.

As of today, all but one of the disks has been recovered.

According to the Boston Globe, the spokesperson for the the state Executive Office of Housing and Economic Development, which oversees the Massachusetts Division of Professional Licensure blamed it on "a software failure during computer upgrades last month. An employee noticed the error a week later."

Now, if I only had a Euro or Canadian dollar for every time I heard that lame excuse and another for the promise of a thorough review of security procedures to keep it from ever happening again after such a problem occurs.

Last Tuesday, the General Services Administration, which manages '.gov" websites, shut down California's state government use of the Internet for three hours because a small California state website had been hacked (again) by a porn provider.

Needless to say, this was a bit of bothersome overkill. If this happened every time a ".gov" website was routinely hacked, well, ...

The GSA later apologized "to the citizens of California" but protecting everyone from the scourge of pornography was a highly important matter at GSA.

Contrast GSA's action to DHS's inaction the following day when the email spam problem occurred. Maybe the GSA and DHS can do a joint lessons learned and figure a good strategy to manage e-gov in times of trouble.

The LA Times reported last week that yet another payday passed with erroneous paychecks for employees of the LA Unified School District (LAUSD). The number of errors have remained basically the same over the past three paydays.

The rush is on to try to fix things before the end of the year, when tax forms will be mailed out. This could prove to be a real issue for the thousands of employees who have been overpaid, who could find themselves in trouble with the US Internal Revenue Service and California tax authorities for underpaying their taxes.

The LAUSD is contemplating ".. a plan to designate overpayments as no-interest loans that would not be counted as income." I am not a certified public account (anyone out there who is?), but I would suspect that this information would still need to be reported to the IRS at least by a person receiving this income. And if so, this means at a minimum a tax preparation day headache if additional more tax forms are required to be filed.

LAUSD management "anticipated that the technological glitch at the root of the problem would be fixed before the next payday in November, but left open the possibility that it could take longer."

Bets, anyone?

James Oberg reports in an IEEE Spectrum webcast a very important story on the background to the NASA computer failure that occurred in June. Oberg stories states that, "The critical computer systems ... had been designed, built, and operated incorrectlyâ''and the failure was inevitable. Only being so relatively close to Earth, in range of resupply and support missions, saved the spacecraft from catastrophe."

The problem was a cable short-circuit caused by moisture build-up, likely itself caused by a malfunctioning dehumidifier. But as Oberg writes, the short-circuit should not have caused the problems it did. "..in a shocking design flaw, there was a â''power offâ'' command leading to all three of the supposedly redundant processing units. The line was designed to protect the main computers, which are downstream of the power monitor, from power glitches too great for normal power filters to protect against. It does so by turning the computers off when it senses trouble. But in a failure unanticipated by its designers, this one command path itself was able to kill all three processing units due to a single corrosion-induced short."

As Oberg noted, if this happened on the way to Mars, it would likely have resulted in loss of the crew. What's worse, was the instinctive reaction of those involved to look for assigning blame instead of looking for the root cause of the problem, or a means to mitigate it.

Everyone interested in risk assessments, communication and management should read it.

According to today's Boston Globe (registration may be required), the Massachusetts Appeals Court upheld the accuracy of information received from automobile event data recorders (EDR) for use in court cases. Event data recorders, sometimes called car "black boxes," are devices installed in a motor vehicle to record technical vehicle and occupant information for a brief period of time (seconds, not minutes) before, during and after a crash, according to the National Highway Transportation Safety Association website.

An EDR may record (1) pre-crash vehicle dynamics and system status (e.g., wheel speed, engine rpm), (2) driver inputs (e.g., braking, acceleration), (3) vehicle crash signature, (4) restraint usage/deployment status, and (5) post-crash data such as the activation of an automatic collision notification (ACN) system. According to an article in Time magazine, some 64% of cars made today have EDRs, and about 33% of all cars on the road today have them installed.

In the Massachusetts case, a woman was sentenced to two years in prison after her GMC Yukon skidded on ice and hit a tree, killing her passenger in 2003. The woman claimed that she was traveling only 20 to 30 miles per hour when she lost control, but the car's recorder showed that she was traveling 58 m.p.h. in a 40 m.p.h. zone. Her lawyer appealed her case arguing that the EDR's information was not reliable or accurate.

Consumer and privacy advocates have been opposite sides of the debate. According to the Time article, Public Citizen's Joan Claybrook "wants tougher rules compelling automakers to install EDRs in every car because objective crash data will lead to the design of safer cars and highways. Privacy activists want the government to prevent police and insurance companies from checking drivers' black boxes without permission. 'We have a surveillance monster growing in our midst," says Barry Steinhardt of the American Civil Liberties Union. 'These black boxes are going to get more sophisticated and take on new capabilities.' "

Like most technologies, once out of the bottle, they can't be put back in. And when its a question of public safety or privacy, privacy usually loses. The same will likely be true in the case of electronic medical records.

The New York Times wrote a nice little article this morning on the e-mail spamming mess. It claims that over 2.2 million emails were generated by the incident.

What will be more interesting to watch is how people who helped keep the spurious email traffic going and disclosing their personal contact information along the way to boot, will like seeing their names and email posted in the New York Times.

I would love to be a fly on the wall when some of these folks are explaining in the future to their bosses why IT security policy is important, why everyone needs to follow it, why they need more resources for improving security, etc., etc., and then being asked by their boss why they couldn't keep their own damn hands off the keyboard.

As the Times article notes:

"The accident raised questions among cybersecurity experts about how well prepared the Homeland Security Department is to defend against a cyberattack because it had trouble dealing with this computer problem."

No kidding.

I wouldn't be surprised that Congress gets interested in this little episode, given the response of both DHS and the many government security professionals (the term is debatable) who kept it going. Maybe Congress will call a few in to testify to find out what was so irresistible about keeping a spam chain letter going, and clogging up government servers. Or maybe disclosing what appeared to me to be email addresses and telephone numbers including cell phones of folks doing highly classified work. And now that this incident has been reported world wide, how valuable do you think this information is going to be, even if only for a short time?

I'll also be curious to see how the employers of those folks looking for new jobs will view it. Maybe they will help their employees find new ones.

Please, all of you who I am sure are happy to get their names and places where they work in the NY Times, let me know.

Update:

Kim Zetter's blog over at Wired has a bit more information on the person from Iran who wanted to know why he was getting so many emails. Turns out he works for the Iranian Ministry of Defense.

Another story at Information Week quoted a spokesperson at the DHS:

"It was just human error. I don't know. It [the way the distribution list was configured] has since been changed... No government secrets were leaked. No personal information was given out."

Just like good old DHS to downplay any mistakes they make, and of course, no apologies. She did admit that 7,500 email addresses of security professionals across the country were disclosed, but that apparently is not a big deal to the Department.

As I said before, sad, very.

One final comment: last year, US News & World Report reported that,"Homeland Security Secretary Michael Chertoff likes to keep his personal tech simple. "I don't use E-mail," he confides. 'You just get deluged with a lot of garbage.' "