Risk Factor

Australian Super Seasprite Software Problems - A Record?

Australian pals of mine clued me in on the latest program problems with the Australian Department of Defence's Super Seasprite upgrade program. Begun in 1997, the program was meant to upgrade the electronics and some other bits of 11 of these 1960s-era helicopters (Defence calls them "mature helicopters") over five years for an original cost of AU$745 million; the cost to complete is now estimated to range around AU$1.5 billion. Up until a few weeks ago, the Australian Defence Department said their Super Seasprites would become operational in 2008, but that date has now been slipped to 2011.

Software problems related to the Seasprite's avionics and flight control software have been at the root of many of the delays and cost overruns. The problems have been so severe that last year the helo was grounded because, according to Defence Minister Brendan Nelson, "You could not have 100 per cent confidence in the software program that supports the pilot flying the helicopter to 100 per cent safety."

According to Department of Defence's Portfolio Budget Statement 2007-2008, "The main sustainment risks to the Super Seasprite include the automatic flight control system issue, mission computer shortcomings, and a lack of customer confidence in the platform brought about by the extended flight suspension and ongoing technical issues." Oh, that's all?

The latest schedule slip was due to software testing and integration problems to the helo's mission system software. IT mercy rule, anyone?

I don't recall any other defense program of any nation being delivered 9 years late due mostly to software problems (other than maybe the Strategic Defense Initiative). Anyone have some other candidates?

Change Definition of Privacy: Government Official

The Principal Deputy Director of National Intelligence, Dr. Donald Kerr, thinks, "Too often, privacy has been equated with anonymity; and it's an idea that is deeply rooted in American culture."

That's apparently no longer a valid or reasonable idea. "In our interconnected and wireless world, anonymity - or the appearance of anonymity - is quickly becoming a thing of the past. ... Protecting anonymity isn't a fight that can be won."

In addition, "We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment...Instead, privacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured."

So privacy means faith in government bureaucracy.

Except, of course, when these privacy laws, rules and customs get in the way of safety. Then privacy must give way.

But not to worry for, "Our commitment to safety and privacy are nothing new to us and they are values that we must continue to protect as we learn to do our intelligence job better."

In other words, the intelligence community is committed to protecting us and our way of life - which just needs to change to make it easier for them to get information on us to protect us from - us?

Sounds logical to me.

More on this can be read here.

Executives Being Targeted for Scams

A story in the Wall Street Journal last week describes a highly sophisticated scam making the rounds of corporate executive offices.

Using information apparently found on LinkedIn, Facebook or other websites where detailed personal information can be found, scammers are sending highly personalized and convincing phishing emails to senior company executives, saying, for instance, that there has been a Better Business Bureau or Equal Employment Opportunity Commission complaint (along with a case number) filed against their company, and asking the executive to respond to it. Once they do by clicking on the convenient link provided, the executive's computer is immediately compromised with software that logs all activity and sends the information to the scammer. More than one executive has been torched.

I guess that we are still a ways away from 2006, you know, the year that Bill Gates said, "Spam will be solved." I wonder if someone has tried to spoof him recently.

Anyway, Part 2 of the San Jose Mercury News series on hacking is now available. The article starts off with the stats that 50% of the IRS employees who received phone calls in an audit test earlier this year, purportedly from the computer help desk, requesting their user names and suggesting they adopt a new password, provided the requested information. This was up from the 35% who did so in a similar test in 2004, and down from the 71% who did so in 2001.

Zombie Master Zapped

The LA Times reported yesterday that John Kenneth Schiefer, a 26-year-old computer security consultant from LA, admitted to hacking into a host of personal computers "to create a rogue network of as many as a quarter-million PCs, which he used to steal money and identities."

Schiefer used botnets to steal "user names and passwords for EBay Inc.'s PayPal online payment service to make unauthorized purchases. He also passed the stolen account information on to others." He faces up to 60 years in prison and a $1.75-million fine.

It is bad enough that one has to guard against outside hackers - having to worry about IT security folks burning you from the inside just adds to the irritation. If we need to hire someone to watch over the IT security personnel, do we need someone to watch over this person as well? And how many watch-watchers are sufficient?

Hmm, sounds like it may be time to revisit the classic cat and rat problem.

LAUSD to Employees: Show Me the Money

Now that the LA Unified School District (LAUSD) has supposedly "solved" its on-going payroll problem, it wants all 36,000 of its employees who have been "over-paid" to a tune of $53 million by mistake to pony up the money - like yesterday.

In a story by the LA Times, this "request" has placed employees in a bit of a conundrum:

"The move to recover the money is placing teachers and other staff in the Los Angeles Unified School District in an unpalatable position. They must either trust the district's claim that they were overpaid and repay the money or dispute the calculations and face further chaos come tax season."

So who do you fight: the LAUSD or the IRS and California state tax folks or all three? Nice choice, eh?

The Times story goes on:

"Affected employees -- the vast majority are teachers -- have until Dec. 10 to choose whether to repay the district the entire amount they received, request a repayment plan, repay only the amount they believe they were overpaid or refuse to pay anything."

There are also 7,000 employees who are owed $7 million, but the LAUSD isn't promising to get them their money by 10 December.

The LAUSD Chief Operating Officer is telling employees to "trust the LAUSD" when it tells them how much money they owe it or it owes them, but it is extremely difficult for individuals who haven't been receiving correct paychecks for the past 11 months to verify the totals given. The LAUSD also admits that at least 3,000 of its latest paychecks in its "fixed system" still aren't correct, either.

When the LAUSD was asked whether the letters being sent out demanding payment were correct, the COO said:

"Are the calculations '100% guaranteed'? No. But it's highly probable. We have a higher degree of confidence than ever before that we are accurate."

Boy, I bet you lots of LAUSD employees are taking comfort in those words.

Cyber Risk Review

Today's San Jose Mercury News has published Part 1 (registration may be required) of a three-part series on organized cybercrime, often based in Russia, and the widespread use of botnets to steal your identity and money. It also has an engaging slide show on internet crime, along with an interview with Dave DeWalt, the new CEO of McAfee.

The series coincides with the news reported today at the Dark Reading website that a "New York grand jury has indicted 17 people and a corporation on charges of identity theft, worldwide trafficking in stolen credit card numbers, and other crimes committed using the Internet." Those indicted, several with apparent ties to Russia, are said to have trafficked in more than 95,000 stolen credit card numbers and caused more than $4 million in credit card fraud.

For those who are interested in this subject, as part of the article I wrote in this month's IEEE Spectrum on Open-Source Warfare, I interviewed Tom Kellermann on how terrorists are using the Internet for money laundering, fundraising, and identity theft. Kellermann was a member of the Treasury Security Team at the World Bank, where he advised central banks on monitoring illicit online activity. He's currently vice president of security awareness at Core Security Technologies, in Boston.

Tom pointed out, as did the Mercury News story, that there is a large and growing underground economy where you essentially can hire software mercenaries to build code to attack a targeted system and to data mine that system for your own use. In this community, a perverse "Robin Hood" mentality prevails: steal and take what you can, or barter what you find, so that you can support your efforts in the real world.

Reading the Mercury News article and Tom's interview can be disconcerting to say the least. If you wish to stay worried or become slightly paranoid, do a daily read of the Dark Reading website. After about a week, it makes you wonder why anyone, including yourself, ever signs onto the net.

Computer Problems at London Stock Exchange

The London Stock Exchange suffered disruptions for the last 40 minutes of the trading day due to a computer problem which resulted in incorrect share prices being displayed. The trading day was extended for another 90 minutes to make up for the problems traders were having.

The last major disruption at the LSE occurred in the first week of April 2000. That week also saw computer problems hit the Nasdaq and the Toronto Stock Exchange. That week reaffirmed the old maxim that bad news comes in threes.

Is it time for a repeat?

Building Construction Mirrors Software Development

MIT filed a negligence lawsuit against architect Frank Gehry and construction company Skanska USA Building Inc., claiming "design and construction failures" exist in its $300 million Stata Center, which opened in 2004, according to stories in the Boston Globe and New York Times. The Center opened to widespread praise by MIT.

Gehry, whose building has been described as looking like "a party of drunken robots got together to celebrate," claims the issues are "fairly minor" and should be expected "in the design of complex buildings."

"These things are complicated and they involved a lot of people, and you never quite know where they went wrong. A building goes together with seven billion pieces of connective tissue. The chances of it getting done ever without something colliding or some misstep are small."

The executive vice president and area general manager of Skanska USA, however, said that, "This is not a construction issue. Never has been." He claims that Gehry had rejected Skanska's formal request to change the design of the outdoor amphitheater, a source of many of the problems: "We were told to proceed with the original design."

Gehry, in turn, blamed cost-cutting by MIT: "There are things that were left out of the design. The client chose not to put certain devices on the roofs, to save money."

Doesn't this just sound like the aftermath of an IT project gone bad?

LA Unified School District Payroll System 82.4% Fixed

Today was payday once again for employees of the LA Unified School District (LAUSD). As you may have been following here, LAUSD implemented a new payroll system that has not exactly worked as planned.

In a story in today's LA Times, the problems supposedly now have been solved or at least most of them. According to LAUSD's spokesperson Binti Harvey, "employees' paychecks may be different, (but they are) more likely to be correct." She didn't specify a probability figure related to that likelihood, however.

Furthermore, Harvey says data shows that, "82.4% of all system defects have been fixed, and another 10.4% will be fixed" by the December payday. I guess using the decimal point means that 824 or 8240 defects have been fixed, and that either another 104 or 1040 still remain.

That of course assumes that current fixes don't create new defects. Also, the way Harvey said it, there seems to be an implication that all system defects are created equal. Either assumption is highly dubious.

Of course, given that many LAUSD employees have received over-payments as well as under-payments for months now, I don't envy them at all when they try figuring out whether today's paycheck is actually correct. I would hate to be in their shoes at the end of this year when they have to determine whether their total pay for 2007 is right or not. They might end up paying a whole lot more in taxes they did not expect.

As the Times story notes:

"With 2007 coming to a close, income tax forms present an additional worry, said A.J. Duffy, president of United Teachers Los Angeles. 'Our members are very concerned about their taxes,' Duffy wrote in a statement. 'LAUSD has told us that they may not be able to meet with all UTLA members before the end of the calendar year. Our members are concerned that their payroll issues will be resolved way too late.' "

What fun. I'll be back in December with another update.

What Business Risk?

ComputerWorld reports that a survey commissioned by the Information Systems Audit and Control Association (ISACA) found that 15% of respondents admitted logging onto peer-to-peer file sharing networks from work computers despite security warnings to the contrary. A further 74% of the survey respondents said they don't believe that downloading unauthorized content or software to work PCs creates a business risk.

I wonder what these 74% do consider a business risk.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 