Risk Factor

DHS E-Mail Gone Mad

At 0819 this morning, a gentleman emailed the Department of Homeland Security (DHS) a note saying that he was changing jobs and would like to receive the DHS daily reports at his new email address. The DHS daily report provides an open source news summary of articles involving the US infrastructure that might be of interest to the security community.

This gentleman mistakenly sent his request to the distribution list's own address, and the list itself was configured incorrectly: it accepted mail from any subscriber and re-broadcast it. Instead of his request being bounced, his email went out to every recipient on the DHS daily report distribution list. Chaos (and spam) soon began.

People who received this gentleman's email soon emailed him back saying that he had made a mistake - unfortunately, some used the "Reply All" button. This started another round of email broadcasts.

Some people who got the ensuing and rapidly rising number of emails thought it was hilarious, and decided to tell everyone else they thought it was hilarious. Others thought it was ironic that the DHS distribution list was set up incorrectly as a two-way rather than a one-way list, and had to tell everyone about that.

Still others thought the error provided an opportunity to social network ("I don't think everyone realizes that yet, but what a nice way for all of us to get to know one another! :-)"), so some started asking if anyone knew of job openings ("I'm looking for an FSO job...Any offers?"). Others used it as a marketing tool and let everyone know what they were up to, including a person running for Congress from Texas. Others got annoyed and told everyone to shut up, which got others to tell them to lighten up and point out that they were now part of the problem.

On and on it has gone. I pity the poor folks who get their email on a Blackberry, or worse, someone overseas who owns an Apple iPhone. Their phone bills will be through the roof.

The DHS pleaded with everyone to cease and desist, even threatening to remove people who kept sending emails from their distribution list, kind of like Santa Claus's list of who's naughty and nice. The threat was not taken seriously, and to be honest, it isn't much of a threat since you can just go to the DHS website and download the information anyway. Another DHS person promised (with fingers crossed) that the issue with the list would be solved by tomorrow. He also tried the patriotic professional angle, asking that "As practitioners of national security best practices, let's set an example and not clog the communications channel with further white noise."

It is now 1300, and in the past half hour the flood of emails has grown with unsubscribe requests. At 1306 the first real spam using the distribution list arrived. More is sure to follow.

No one looks really good here: not the DHS or its contractor, who never tested their list configuration, nor many of the security professionals, who I doubt would have tolerated this had it happened in their own organizations, or would tell their boss to "lighten up" if it did.
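The test the list operator never ran can be written down. What follows is an added example, not code from DHS or its contractor: a gate for an announcement-only ("one-way") list that decides, for each inbound message, whether it is re-broadcast, bounced back to the sender, or silently dropped, and that stamps outbound copies with the headers that keep "Reply All" and autoresponders from feeding back into the list. The list, owner and sender addresses and the three sample messages are constructed; the policy object is a stand-in for whatever the real list software exposes.

```python
"""Gate for an announcement (one-way) mailing list.

Added example, not code from DHS or its contractor.  The addresses and
the sample messages are constructed.  gate() models the decision the
list server makes on inbound mail; prepare_outbound() stamps a copy that
is about to be broadcast to the subscribers.
"""
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

LIST_ADDR = "daily-report@lists.example.gov"          # assumed list address
OWNER_ADDR = "daily-report-owner@lists.example.gov"   # assumed owner address
LIST_ID = "<daily-report.lists.example.gov>"          # assumed List-Id value


@dataclass(frozen=True)
class ListPolicy:
    one_way: bool                                  # True: announce-only list
    authorized_posters: frozenset = frozenset()    # who may post when one_way


def is_auto_generated(msg: Message) -> bool:
    """Bounces, out-of-office replies and other machine-generated mail."""
    auto = msg.get("Auto-Submitted", "no").strip().lower()
    if auto != "no":                               # RFC 3834 marker
        return True
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender.split("@")[0] in ("mailer-daemon", "postmaster"):
        return True
    return msg.get_content_type() == "multipart/report"   # DSN / MDN body


def gate(raw: str, policy: ListPolicy) -> str:
    """Return 'distribute', 'reject' (bounce to the sender) or 'discard'."""
    msg = message_from_string(raw)
    if msg.get("List-Id") == LIST_ID:
        return "discard"      # our own traffic came back: a loop, never re-send
    if is_auto_generated(msg):
        return "discard"      # never bounce a bounce: that is how loops start
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if policy.one_way and sender not in policy.authorized_posters:
        return "reject"       # a subscriber wrote to the list address by mistake
    return "distribute"       # the two-way misconfiguration lands here for anyone


def prepare_outbound(raw: str) -> Message:
    """Stamp a copy that is about to be broadcast.

    Reply-To steers 'Reply' and 'Reply All' at the owner instead of the
    list, Precedence: list tells autoresponders to stay quiet, and List-Id
    lets gate() recognise the message if it is ever fed back in.
    """
    msg = message_from_string(raw)
    for header in ("Reply-To", "Precedence", "List-Id", "List-Unsubscribe"):
        del msg[header]       # Message.__delitem__ is a no-op if absent
    msg["Reply-To"] = OWNER_ADDR
    msg["Precedence"] = "list"
    msg["List-Id"] = LIST_ID
    msg["List-Unsubscribe"] = f"<mailto:{OWNER_ADDR}?subject=unsubscribe>"
    return msg


# Constructed sample traffic.
CHANGE_OF_ADDRESS = f"""From: subscriber@contractor.example.com
To: {LIST_ADDR}
Subject: New address for the daily report

I am changing jobs; please send the daily report to my new address.
"""

DAILY_REPORT = f"""From: editor@example.gov
To: {LIST_ADDR}
Subject: Daily Open Source Infrastructure Report

Summary of today's articles follows.
"""

BOUNCE = f"""From: MAILER-DAEMON@mail.example.net
To: {LIST_ADDR}
Auto-Submitted: auto-replied
Subject: Undeliverable: New address for the daily report

The address you wrote to does not exist.
"""

ONE_WAY = ListPolicy(one_way=True,
                     authorized_posters=frozenset({"editor@example.gov"}))
TWO_WAY = ListPolicy(one_way=False)

if __name__ == "__main__":
    for name, raw in (("change of address", CHANGE_OF_ADDRESS),
                      ("daily report", DAILY_REPORT), ("bounce", BOUNCE)):
        print(f"{name:18} one-way: {gate(raw, ONE_WAY):10} "
              f"two-way: {gate(raw, TWO_WAY)}")
```

Run under the one-way policy the change-of-address note is rejected and only the editor's report goes out; under the two-way policy the same note is distributed to everyone, which is the failure the post describes. The bounce is discarded under either policy, and a broadcast copy that finds its way back to the list address is recognised by its List-Id and discarded rather than re-sent.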

I'll update this entry later and let you know whether anything else has happened.

Update:

It is now 1600, and the emails have slowed to a trickle.

Update 1:

It is now about 1730, and there has been the occasional burst of commentary email followed by the inevitable automatic bounce messages. There has been one email from Iran with the subject line, "Is this being a joke?" and asking "why are so many messages today?"

Another person responded not long ago about the fact that this email from Iran showed just how open "open source" really is, and that people in less than friendly places have now likely received highly sensitive personal information regarding government and military security personnel: "For those of you that have responded to this email from an official computer with your snazzy little signature at the bottom, especially those that have every piece of contact information listed, including those of you that have disclosed sensitive phone numbers and classified email addresses, you have knowingly provided this information to people all over the world, some of which I am sure are deemed 'undesirables'. ....But those of you that are in the military or provide services through any official office should know better than to advertise who you are and who you work for." Good advice.

Update 2:

It is now 0500 Thursday morning. That last email seems to have done the trick and sobered everyone up. Thank you Marshall, wherever you are.

Alas, now that the server distribution list has been compromised, any further emails under the name of DHS and using this list are likely to contain malware in the future, so I have decided to remove my name from it. Maybe DHS should start over again and require people to re-sign up.

It is interesting to note that today's DHS daily report (the one I received at 2057 last night dated 3 October) did not mention this problem. Not unexpected, but very sad nevertheless.

For those curious about what else was in some of the emails floating around, go here and here and here. The New York Times has a story here along with more email traffic here.

Personal Data Security Now Better?

Starting last Monday, large retailers that accept payment via credit cards began facing fines ranging from $5,000 to $25,000 per month if they aren't in compliance with the Payment Card Industry (PCI) data security standards. Unfortunately, according to news reports, at least half won't meet the standard.

Why? Cost of course.

It is expensive to implement the PCI standards if you haven't been too diligent about implementing IT security in the past, and just as expensive to prove that you are now in compliance. The public companies that have had to comply with Sarbanes-Oxley can regale you for hours about the difficulties (and costs) associated with proving compliance with an enterprise-wide standard.

Also, these non-PCI-compliant retailers may be looking at the massive data breach and its aftermath at TJX and reason that non-compliance is worth the risk and the fine. TJX's stock hasn't tanked, its 2007 revenue is up, and customers seem to have forgotten about the incident. Yes, there was some short-term financial loss and bad PR, but overall, non-compliance might have been an acceptable cost-of-doing-business decision for TJX even in retrospect.

Of course, as a customer, I wouldn't agree, but currently the incentives for PCI compliance or disincentives for non-compliance are not great enough to get corporate behavior to change.

And since they won't change, they won't be able to get their suppliers to change their IT security behavior either. Hence, expect more stories like the one where a supplier to clothing retailer Gap lost a laptop holding 800,000 job applicants' information. Gap said the supplier had not encrypted the information, which was against corporate policy. Surprise, surprise.

Wanted: Missing Synergy

eBay admitted yesterday that it had overpaid for Skype by over $1 billion (purchase price: $2.6 billion) two years ago and that its original projections for future profitable growth were, shall we say, overly optimistic. While Skype has 220 million registered users, fewer than 45 million are estimated to be active users, and the percentage of active users to registered users has been dropping. In addition, those who are active users are shunning Skype's premium (meaning paid) services - and this is a surprise how, given that calling is free?

When eBay bought Skype, there was all this happy talk about synergies to be had:

"Skype will streamline and improve communications between buyers and sellers as it is integrated into the eBay marketplace. Buyers will gain an easy way to talk to sellers quickly and get the information they need to buy, and sellers can more easily build relationships with customers and close sales. As a result, Skype can increase the velocity of trade on eBay, especially in categories that require more involved communications such as used cars, business and industrial equipment, and high-end collectibles.

The acquisition also enables eBay and Skype to pursue entirely new lines of business. For example, in addition to eBay's current transaction-based fees, ecommerce communications could be monetized on a pay-per-call basis through Skype. Pay-per-call communications opens up new categories of ecommerce, especially for those sectors that depend on a lead-generation model such as personal and business services, travel, new cars, and real estate. eBay's other shopping websites (Shopping.com, Rent.com, Marktplaats.nl and Kijiji) can also benefit from the integration of Skype."

Oh well, not all is lost, if you believe Pop!: Why Bubbles Are Great For The Economy author Daniel Gross, who argues that bubbles are the way to get infrastructure paid for which otherwise wouldn't get built.

Hmm, maybe the real reason eBay failed is that it didn't pay enough for Skype. Well, there may be hope yet, if you believe those who are encouraging other companies like Google, Microsoft, or Yahoo to buy Skype from eBay. All of them (except maybe Yahoo) can afford to spend a couple of billion more blowing bubbles.

Convergence of Ideas

This coming Thursday, the 4th of October, will be the 50th anniversary of the launching of Prosteishiy Sputnik (or the Simplest Satellite) and the beginnings of the Space Age and Space Race. Only now is the fascinating back story detailing the events leading up to the launch coming out in the open.

For instance, the public was told that the object they were seeing as it twinkled across the night sky was Sputnik itself. However, the satellite weighing in at 184 pounds was too small to be seen with the naked eye. What people actually were looking at was the second stage of the booster rocket used to lift Sputnik into orbit. Interestingly, the Soviet leadership at the time did not at first realize the magnitude of their achievement until the Western governments and press made a big deal out of it.

Yesterday, Fairchild Semiconductor celebrated its 50th anniversary as well. Founded by Gordon Moore, Robert Noyce, C. Sheldon Roberts, Victor Grinich, Eugene Kleiner, Jean Hoerni, Julius Blank, and Jay Last with $3,500 of their own money, the company helped make Silicon Valley. Fairchild perfected the capability to mass-produce transistors from a single wafer, whereas up to that point only one transistor could be produced per wafer. The company also created the monolithic integrated circuit and the planar transistor, which is still the primary method for producing transistors today.

Moore and Noyce left 11 years later to start another company in the Valley, something called Intel.

Sputnik and Fairchild together helped to create much of the IT Age we live in now. The Space Race provided an unquestioned rationale for spending vast amounts of government money on improving computing, and computing provided satellites with ever-increasing capability. For instance, global satellite communications were commercially available by 1965 - less than eight years after Sputnik. Today, we get satellite imagery on Google for free at resolutions of two meters or less, and spy satellites today supposedly have resolutions of 5 to 10 centimeters or less.

So, even as we celebrate these two anniversaries, it is not without some irony that the US Department of Homeland Security yesterday announced that it was suspending its planned sharing of military satellite imagery with local law enforcement and other local agencies until privacy issues could be worked out.

We've come a long way in the last fifty years, and not all of the fruits borne over that time have been sweet.

Electronic Health Record Problem in Nova Scotia

The Canadian Broadcasting Corporation (CBC) reported this week that a software "glitch in the electronic records system delayed medical test results for nearly 600 patients since January," and no one noticed until two weeks ago.

The report also noted that, "The electronic system was backed up by paper faxes until May, which department officials say may be part of the reason why the problem went unreported for nine months." Not sure what that has to do with anything, but there it is.

The remedy is to do more system audits.

Small Tax Problem

The newspaper Jamaica Gleaner reported that a computer problem with Jamaica's new integrated tax administrative system caused 28,818 tax payment reminders to be mailed out in error. Tax officials want those receiving the notices to call so that their accounts can be reconciled.

Yet another example of the pain of a computer error being borne by the customer.

"It's like Google Earth for the Body"

IBM announced this week what they call an Anatomic and Symbolic Mapper Engine (ASME) that allows doctors to visualize patient medical records in 3-D using an avatar. Using a mouse, a doctor can click on a particular part of the avatar's "body" to trigger a search of medical records to retrieve relevant information.

The idea is to be able to display information contained within electronic health records in a way that a doctor can make sense of quickly, and is specific to the ailment a patient is currently complaining about. You can go to the press announcement link above and see a sample illustration.

I will be curious to see how this approach impacts how electronic health records are designed and what information is captured.

I guess soon our electronic medical records will be made up of our own avatars that replicate us down to our genetic code.

Small Glitch

The Seattle Times reported that a new $171K computer system that a Seattle school district used to develop student school bus schedules had a slight software "kink" that led to students riding on the wrong buses or getting off at incorrect stops.

My elder daughter suffered a similar fate a few years ago when, again thanks to a new bit of scheduling software, we were informed that her bus stop had not only moved significantly further away, but was now located underground by some 150 feet.

As we did, Seattle parents are finding it hard to get through to the proper authorities to correct the problem. My advice to Seattle parents: it will take a few more weeks to correct, and it will probably happen again next year.

LA School System Update

The Los Angeles Unified School District recently decided to hire a monitor and spend another $10 million to try to remedy its payroll system problem.

It appears few think another $10 million is going to do the trick. Furthermore, with the amount of patching the system is undergoing, I guess that the system is now getting to that precariously fragile state where every new patch risks causing cascading errors in areas of the system thought to be okay.

I wonder how long before the school district figures out that it can't make any major changes to its business procedures without risking a total meltdown?

Probably when new contract talks are held with the School District's employee unions, and District management sees the difficulty of the IT system meeting any of the new contract terms and conditions. At that point, I wouldn't be surprised to see the system put out of its misery.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor: Willie D. Jones
