IEEE Spectrum

Risk Factor

Talon Declawed

The US Department of Defense announced that it was shutting down its controversial Talon data gathering program.

Talon was established in 2002 by then-Deputy Defense Secretary Paul D. Wolfowitz as a way to collect and evaluate information about possible threats to U.S. servicemembers and defense civilians at stateside and overseas military installations. It is being closed because reporting to the system had declined significantly, and it was determined to no longer be of analytical value, said Army Col. Gary Keck, a Pentagon spokesman.

A reason for its shutdown was noted in an article in Government Executive:

A June 2007 report by the Defense Department's inspector general found that counterintelligence officials "maintained TALON reports without determining whether information on organizations and individuals should be retained for law enforcement and force-protection purposes."

In addition, the article notes that:

To ensure a mechanism to document and examine potential threats, Assistant Defense Secretary Paul McHale plans to propose a new, streamlined reporting system that can better meet the Pentagon's needs, an agency press release said. In the interim, Defense Department officials will send information pertaining to protection concerns to the FBI's Web-based threat tracking system.

What a "streamlined reporting system" means hasn't been explained, but past history says don't place bets that it isn't going to resemble a data vacuum cleaner.

Holding Up Wells Fargo

A computer failure at Wells Fargo, the fifth-largest bank in the US, that knocked out its Internet access, telephones and ATMs over the weekend, has been fixed. The bank had to revert to its back-up systems until the issue was cleared up.

However, as reported in ComputerWorld, phishers are rapidly gearing up to exploit the event. According to the article, on-line scammers have been waiting for a problem to crop up at a large bank or financial institution that would help add legitimacy to their messages.

So if you get something purporting to be from Wells Fargo, the best course is to ignore it.

Best Data Breaches Ever!

eWeek posted an on-line slide show listing the "Most Disastrous Data Breaches" since February 2005. They list 17 of them: 5 caused by outside hacking, 1 by insider theft, 5 by inadvertent posting of information, 5 by devices (laptop, memory stick) being stolen, and 1 caused by data being lost.

One of the seventeen listed was the discount retailer TJX. The company announced last week that the cost of its data breach last year, which affected 45.8 million of its customers, was likely to exceed $150 million, although given its previous estimates this is probably an underestimate of at least 100%. To quote TJX's press release:

In the second quarter of fiscal 2008, the Company recorded an after-tax cash charge of approximately $118 million, or $.25 per share, with respect to the previously announced computer intrusion(s). This charge includes $11 million (after tax), or $.02 per share, for costs incurred during the quarter, as well as a reserve of $107 million (after tax), or $.23 per share, for the Company's exposure to potential losses. This reserve reflects the Company's estimation of probable losses, in accordance with generally accepted accounting principles, based on the information available to the Company as of August 14, 2007, and includes an estimation of total, potential cash liabilities from pending litigation, proceedings, investigations and other claims, as well as legal and other costs and expenses, arising from the intrusion(s). In addition, TJX expects to incur future non-cash charges of approximately $21 million (after tax), or $.05 per share, that are not included in this reserve and could be recorded in fiscal year 2009. Together, these cash and non-cash charges represent the Company's best estimate of the total losses the Company expects to incur as a result of the computer intrusion(s).

And people still argue that organizational IT security rules are meant to be broken.

Skype Returns

Skype disclosed what happened to its services last week. Turns out the problem was related to its new software update and the reboot process.

On Thursday, 16th August 2007, the Skype peer-to-peer network became unstable and suffered a critical disruption. The disruption was triggered by a massive restart of our users' computers across the globe within a very short timeframe as they re-booted after receiving a routine set of patches through Windows Update.

The high number of restarts affected Skype's network resources. This caused a flood of log-in requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact.

Normally Skype's peer-to-peer network has an inbuilt ability to self-heal, however, this event revealed a previously unseen software bug within the network resource allocation algorithm which prevented the self-healing function from working quickly. Regrettably, as a result of this disruption, Skype was unavailable to the majority of its users for approximately two days.

Skype went on to say that the outage was its own fault and not due to hacking. It also pointed out, in effect, that users should expect more of the same in the future.

This disruption was unprecedented in terms of its impact and scope. We would like to point out that very few technologies or communications networks today are guaranteed to operate without interruptions.

There was a nice little commentary last week in the London Times on our increasing interaction with, and dependence on, the digital world that is worth reading in light of the Skype outage. To quote from part of it:

Yet I think we underestimate the extent to which our lives are now lived in a sort of digital dream world, in the same way we underestimate how much we drink. If you're honest, how much time do you spend in front of a screen, your mind somewhere other than where you are in physical time and space?

I recommend you give the rest of it a peruse.

UPDATE

It didn't take long, but there is a lot of skepticism about Skype's explanation of its outage. A taste can be gleaned here.

Skype Scuppered

Yesterday morning (about 0900 EDT in the US) the internet phone and messaging company Skype acknowledged that its users were experiencing log-on problems due to a software problem. The problem shut down the service to an unknown number of customers around the world, but it was likely in the millions.

According to the Financial Times of London late this afternoon, the problem has been fixed. Now let the debate begin as to whether this will harm Skype in particular or internet calling in general.

It will be interesting to see how similar this "software problem" will be to the one that happened on 15 January 1990, when AT&T suffered a massive failure of its long-distance service due to an elementary programming error.

Security Breaches Lead to Bankruptcy

There is a report in Dark Reading that the IT company Verus, Inc. (the link to their site is dead) has gone out of business. Verus built websites for hospitals across the country, but its work was cited in at least five security breaches in which confidential patient information was exposed.

Not only is this a warning to IS&T suppliers about taking security seriously, but also to those in the medical community about ensuring that their suppliers can handle the security and privacy requirements. It is also a warning to those who want to put electronic health records on the web.

Déjà vu to the nth power

October 19, 1987 has become known as one of the world's stock markets' Black Mondays. Part of the blame for the rapid market fall-off was placed on automated trading.

By 1989, there were calls by Congress and others to stop the use of automated trading; one firm, Dean Witter Reynolds, said it was going to stop using it because it "threatened the integrity of the market in customers' minds."

This attitude didn't last long. Program trading volume now runs about 30 - 35% of the New York Stock Exchange on a weekly basis, and occasionally as high as 50%.

Well, here we are twenty years later, and program trading surfaces as a cause again in the current wild gyrations of the world's stock markets, which, as of today, have wiped out all of this year's market gains. This time, it appears that the algorithms used by the trading programs underestimated (i.e., missed) the risks that the sub-prime mortgage meltdown implied.

In an interesting article in the Wall Street Journal (subscription required), there were many excuses given for why the trading programs failed this time: "A unique combination of factors," "A perfect negative storm," etc., etc.

For more on the problem, just Google the word "quant," which is the modern slang for quantitative automated trading programs.

Using computer models for market prediction is great as long as the current reality matches the model's reality. Once they diverge, the models don't work very well, if at all. This has been known and warned about for over forty years - yet it is a lesson that people just keep insisting they want to painfully relearn, which is why I call it the déjà vu to the nth power problem.

LA Lost Now Found

The US Customs and Border computer malfunction at LAX on Saturday was blamed on a hardware fault. Once the fault occurred, the back-up system didn't immediately take over, and once it did, surprise, surprise, the back-up system lacked the needed capacity.

US Customs said that 17,398 passengers on 73 flights were affected. So, I guess that the "over 20,000 passengers affected" count given out by Customs yesterday was an over-estimate, while the 11,000 passenger number put out by LAX management was an undercount. I think LAX management may want to go back and see how they missed 6,000 incoming passengers.

The mayor of Los Angeles, Antonio Villaraigosa, reportedly called for - what else - an investigation into what happened, and said that he was working with Customs officials to prevent another such failure, which Villaraigosa called "troubling and unacceptable."

I wonder how the mayor plans to prevent computer systems from malfunctioning, or their backups from being inadequately scaled. I think we would all like to know.

It is bad enough that US Customs did a poor job of systems design and contingency management, but may we all be saved from politicians who think they are instant computer system experts.

UPDATE 1

There was another problem at LAX late Sunday night that affected about 1,700 incoming international passengers.

UPDATE 2

Looks like the outages were caused by a faulty network card. This just goes to show the fragility of our information systems.

Lost in LA - What Happened to 9,000 Passengers?

According to news reports, a computer problem with a U.S. Customs and Border Protection immigration system delayed more than 20,000 passengers arriving at LAX for hours. The problem began at 1330 local time yesterday, and a back-up system wasn't operational until 2145. The last person finally cleared customs at 0350 this morning. A couple of flights diverted to other airports to avoid the problem.

What is interesting in reading the various news stories is that U.S. Customs and Border Protection authorities were telling the press that initially 2,500 and then later 6,000 passengers were affected. In the LA Times article I linked to, you'll see that the airport said that 11,000 passengers were affected, but Customs finally ended up with a 20,000 passenger count.

I don't know what is more troubling - the computer glitch or the "lost 9,000."

Review? We Don't Need No Stinking Review

The UK government has decided against suggestions made earlier this year by the Commons Public Accounts Committee to conduct an independent assessment of the NHS's electronic medical records project's business case.

The NPfIT program has been plagued by uncertainty since its inception four years ago. The government insists that everything is fine, but as the testimony taken by Commons Public Accounts Committee suggests, there are plenty of reasons to be concerned.

It is more than likely that in a few years, some government spokesperson will, as in the C-NOMIS situation, call for an urgent review because the NPfIT will also have been seen in retrospect as being a wee bit optimistic.

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor: Willie D. Jones
