Risk Factor

Second Life Becomes Second Swipe


Linden Lab's virtual world Second Life has had to crack down on virtual banking, giving virtual banks until yesterday to shut down their operations, according to the LA Times.

The reason for Linden's action is that, after the infamous Ginko Financial Ponzi-scheme scam that blew up last August, Linden Lab's cool response to those scammed once the scheme was discovered, and the continued appearance of "too good to be true" investment offers, confidence and trust in Second Life's economic underpinnings have started to erode. Linden Lab must have started to figure out that if people started viewing Second Life as a place to be scammed, major corporations might start rethinking their association with it.

Are Future US Programmers Being Taught to be Unemployable?

In an article titled, "Computer Science Education: Where Are the Software Engineers of Tomorrow?" in this month's CrossTalk (the Journal of Defense Software Engineering) and in a subsequent interview in Datamation under the title of "Who Killed the Software Engineers", two emeritus computer science professors from New York University argue that universities are so desperate to keep computer science student enrollments up that they are dumbing down the curriculum to attract prospective students. This dumbing down, professors Robert B.K. Dewar and Edmond Schonberg say, is producing software engineers with a "set of skills insufficient for today's software industry (in particular for safety and security purposes), and, unfortunately, matches well what the outsourcing industry can offer. We are training easily replaceable professionals."

Dewar says in the interview that, " 'A lot of it is, 'Let's make this [computer science and programming] all more fun.' You know, 'Math is not fun, let's reduce math requirements. Algorithms are not fun, let's get rid of them. Ewww - graphic libraries, they're fun. Let's have people mess with libraries. And [forget] all this business about 'command line' - we'll have people use nice visual interfaces where they can point and click and do fancy graphic stuff and have fun.' "

Dewar goes on, " 'Universities tend to be in the raw numbers mode. Oh my God, the number of computer science majors has dropped by a factor of two, how are we going to reverse that?' "

Dewar and Schonberg point out in their article that companies like UK-based Praxis (see an article on the company published in IEEE Spectrum) who use formal methods to develop safety-critical systems are having a hard time finding people with the proper mathematical training, even though formal methods are taught more in the UK than in the US.

I blogged a few months ago about Cambridge University having trouble recruiting computer science students, with part of the reason for the troubles being that the program, in Cambridge's words, "is a rigorous and demanding course." Yesterday's Globe and Mail also had a story about computer science enrollments dropping at many Canadian Universities by 36% to 64%.

The article has caused a stir in the defense community, with Dewar saying that he has received a lot of support for the position in their CrossTalk article.

But is the situation as dire as professors Dewar and Schonberg claim, or a natural issue of supply and demand, or is it over-blown, being one of those, "When I was your age, I had to walk fifty miles to school" arguments, or is it something else?

UK Loses Same Personal Data Twice

In a highly embarrassing, politically damaging and somewhat bizarre admission, the UK government over the past few days announced that (at least) three Ministry of Defence (MoD) laptops containing the personal details of hundreds of thousands of military personnel and recruits have been lost.

An MoD laptop containing details of over half a million individuals who applied to join the military over the past decade was lost in October 2006. Another laptop was lost in December 2005 that had the details on 500 individuals. And then there was the one lost on the 9th of January of this year that contained the personal details of 153,000 potential recruits, as well as the banking details of 3,700 service members.

What has made members of Parliament furious is that the data was not encrypted; much of the same data apparently has been lost twice; no one can explain to them why personal information was on these laptops in the first place; and the gravest sin of all is that members were never told about the 2005 and 2006 incidents until this week. They only came to light because of the investigation into the 2008 lost laptop incident.

Promises by the MoD to safeguard information in the future have been met with skepticism - to put it mildly.

I wonder if we are witnessing a UK government - or at least a Prime Minister - ready to fall because of failure to protect its citizens' personal information. All it may take is one more loss of good size to do it, I think.

Utilities At Risk of Being Hacked: CIA


A story that appeared over the weekend in the Washington Post and elsewhere tells of a CIA warning to US utilities that hackers have broken "into the computer systems of utility companies outside the United States and made demands, in at least one case causing a power outage that affected multiple cities."

The warning was made by Tom Donahue, the CIA's top IT security analyst, last Wednesday at a trade conference in New Orleans sponsored by the SANS Institute.

According to the Post story, " 'We suspect, but cannot confirm, that some of the attackers had the benefit of inside knowledge,' Donahue said. He did not specify where or when the attacks took place, their duration or the amount of money demanded. Little said the agency would not comment further."

The warning was taken more seriously than most because the CIA is normally pretty mum on what it knows or is doing in the area of cyber-security.

As a footnote, the Post said that, "On Thursday, the Federal Energy Regulatory Commission approved eight cybersecurity standards for electric utilities. They involve identity controls, training, security 'perimeters,' physical security of critical cyber equipment, incident reporting and recovery." You can read more about the standards here and see the 221 pages of detail here.

Boeing Crash: Speculation Continues Unabated


The cause of last week's crash at London Heathrow's airport of a British Airways Boeing 777 is still unclear. Crash investigators promise a preliminary report within a month.

Speculation about the cause currently runs from a problem with the airplane's electrics, avionics system and/or engine control automation (reported in the Sunday Times and yesterday's London Guardian) to something wrong with either the aircraft's fuel system or the fuel itself that led to fuel starvation (Sunday Express). Just about every British paper has a theory, it seems.

What is known is that about 2 miles from the airport and 600 feet up, "the autothrottle demanded more thrust. It was a normal procedure, a small adjustment intended to keep the plane at the correct speed and height. Nothing happened. The computer system again ordered more thrust. Again, no response." The pilots apparently then tried to increase the throttle manually, and again, no response. Skilled airmanship brought the 777 into what one could call a semi-controlled crash, which, fortunately, didn't result in any loss of life.

The plane's wreckage is being moved to British Airways' Hatton Cross engineering facility about 500 meters from the crash site for further investigation. If a rare software anomaly is found to be the problem - as it was in the Malaysian 777-200 incident of 2005 (see the Australian Transport Safety Bureau incident report, and a brief description of it in today's Sunday Times) - then expect there to be some additional fallout towards the Boeing 787 development.

UPDATE: Peter Ladkin points out that a preliminary crash report is required within 30 days (I wrote promised, which implies something else). As Peter noted, the UK is an International Civil Aviation Organization (ICAO) signatory, and ICAO signatories are required to produce accident reports according to a general standard format; they are also required to issue a preliminary report within 30 days of the accident.

UPDATE 1: Today's London Times is claiming that, "British Airways technical staff believe that the Boeing aircraft's computerised control system caused both engines to fail during its final descent towards Heathrow on Thursday." We shall see.

Boeing B787 network certification requirement

Greetings, folks. I am Peter Ladkin and hope to be contributing on safety matters, especially in transportation.

Bob wrote recently about the FAA's new certification requirement on the Boeing B787 "Dreamliner" networks. I checked it out.

The FAA makes regulatory requirements (which are administrative law) by publishing a Notice of Proposed Rulemaking (NPR) in the Federal Register (FR), collecting comments, and implementing the rule in the light of comments. The NPR was published in FR 72(71) on April 13, 2007, eight months ago. The FAA received comments from Airbus and from the Air Line Pilots Association, and issued the rule, unchanged, with answers to the comments, in FR 73(1) on January 2, 2008, whence the brouhaha in Wired.

So far, this all looks routine. Let's look at what the rule does.

There are three "domains" for networks in the B787: the Aircraft Control Domain (ACD), the Airline Information Domain (AID) and the Passenger Information and Entertainment Domain (PIES). The ACD is the safety-critical bit. The PIES is the passenger network. The rule says "the design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software, and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain." It is harder to get any more stringent than that.

Why are the FAA doing this now? Because they have perceived a gap in existing regulation which needs to be filled. And it needs to come now because Boeing are certifying the aircraft now. Airbus wanted more generally applicable conditions along with guidance on how to comply. The FAA replied that they are working on that, but the B787 needs it right now.

A colleague suggested the least expensive way of fulfilling this criterion might be to separate the domains physically. Well, I am not sure that can be done, since some of the AID as well as PIED are wireless. In some current fleets, for example, sensor data and other data in the aircraft control networks is siphoned off to go to, amongst other things, the Quick Access Recorder (QAR), which records data on the flight for airline flight quality control and maintenance. At least one major airline downloads the QAR data at the end of each flight directly through the local cell phone network at the destination. So one already has potential interconnections between public networks and aircraft control networks in which all the bad stuff must be controlled (and is, by obvious means).

Why aren't the FAA requiring similar for ACD/AID interaction? They are; they say this is covered by existing regulation as well as other special conditions (which I haven't yet seen).

So this all looks like routine admin stuff. I don't see anything below the surface. Except, of course, for the monster question of how one does assure absolute security of the sort that looks to be required. I don't know who can answer that question, and I doubt if Boeing's answer will enter the public domain.

Bank Software Problem Shreds Customers' Credit History

The Orlando Sentinel reports that a computer problem at Cincinnati-based Fifth Third Bank related to the recent acquisition of the former R-G Crown Bank of Casselberry, Florida "spilled false information into 'several thousand' customer accounts, in some cases generating credit-history errors and incorrect credit scores."

The problem started in December when Fifth Third converted files of R-G Crown Bank customers to its own system. In at least one case, a customer found that he had an account showing three loans that were not his, with one showing a history of 19 late payments, all of which trashed this person's credit history. Others found that they were denied credit because of the false information put into their bank records.

Fifth Third Bank seems to have been very slow in notifying customers negatively affected by the problem, as well as shown a pretty cavalier attitude towards the whole episode. It won't discuss details of the problem, citing the old canard of "customer privacy."

Fifth Third claims that it has notified the credit reporting bureaus, and that everyone's credit rating is as good as before, but I seriously doubt this. Once poor credit history information gets out there, even if false and later "corrected," it is extremely difficult to put that genie back into the bottle, especially in this time of tightening credit.

Another Big Data Loss

I thought we'd be able to ring the bell, but only the records of 650,000 J. C. Penney (and up to 100 other retailers') customers were lost when a computer tape went missing. In a Chicago Tribune story, GE Money, which handles the credit card operations for Penney's and the others, said both customer credit card and social security records were on the missing tape.

GE Money says that it will be paying for 12 months of credit-monitoring services for those on the missing tape.

The tape went missing last October, so I guess this loss wouldn't have counted towards the first million record data loss in the US of 2008 anyway.

UK Chinooks: $150 million for Hope over Experience Software?

While Boeing may be having troubles with the Dreamliner, according to a story in the UK Computing it is to receive a £90m contract to rectify software and avionics problems for eight brand-new Chinook helicopters that have been sitting in hangars at RAF Odiham for the past nine years.

This has been one strange defense program from the beginning, which goes back some 13 years. Below are excerpts from the 2005 UK Select Committee on Public Accounts report that gives some background to the story:

"In July 1995, the Department [UK Ministry of Defence] decided to upgrade eight of the 14 Chinook Mk2 helicopters it was procuring as part of its requirement for a Medium Support Helicopter. The upgrade to an enhanced Mk3 standard would include improvements in range, night vision, and navigation capabilities. The project was scheduled to cost more than £250 million and the forecast in­service date was November 1998. A subsequent change to the requirement led to an avionics upgrade programme being put to contract in 1997, which entailed a hybrid solution, incorporating elements of the existing analogue cockpit and new digital systems and displays. The need to test the airworthiness of the aircraft together with some programme slippage led to the setting of a new In-Service Date of January 2002. When the aircraft were accepted from the contractor in December 2001, the Department found that it was unable to demonstrate that the flight instruments met United Kingdom Defence Standards, as this requirement had not been specified in the contract. Consequently, the aircraft could not be used other than for limited flight trials."

"The Department said that there were three main reasons why the helicopters remained grounded and were unfit for their operational task. First, without access to the source software codes held by the United States, the safety parameters of the aircraft could not be tested in its current configuration. One of the main contractors has now indicated that it would allow access to some software data. The process of analysis is, however, time consuming and expensive and there is no guarantee of success because the legacy software is not amenable to the techniques required to confirm the robustness of the software design. Secondly, the specialist role envisaged for the aircraft had changed since they were acquired. Finally, the aircraft needed to be fitted with Health and Usage Monitoring Systems, a range of systems that seek to monitor the progressive wear of engines, and better Defensive Aids Suites."

"Despite the fact that all the aircraft accepted from the contractor met, and in some cases exceeded, the contract, the Department accepted that the taxpayer had not been well served by the procurement of the Chinook Mk3."

According to Computing, the Chinooks should be ready by 2009, 11 years late. I guess that is a bit longer than the Australian Super Seasprite avionics upgrade program. At least the Chinook program hasn't been a continuous cock up like the Seasprite, though.

Boeing Delays 787 Dreamliner Again


Just a month after delaying the first flight of the 787 Dreamliner and promising that things were on track, Boeing once again delayed first flight by at least three months. First customer delivery subsequently slipped from the end of this year into early next.

Boeing admitted that it had underestimated the amount of time needed to complete the work done by suppliers of key 787 components. During the analyst conference call yesterday, Boeing management was asked, "Supply chain aside, you have a slip here in first flight of three months, and how much of that and the delay in power on is related to problems in getting systems to play to one another? We still hear rumors of problems with the flight control computer, the common core, etc." Boeing management gave a long-winded, roundabout answer to the question without really answering it, so one suspects that there may be more computer issues than it is letting on to or the FAA is asking about.

One analyst says that "Boeing's credibility is shot." Some customers like Qantas, Nippon Airways and Japan Airlines are thinking of pressing for compensation as well. Boeing's credibility may not be shot, but it is pretty thin.

If Boeing has to slip again, things could start to get very, very interesting.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones