There were a couple of interesting stories in ComputerWorld last week from the cyber guerrilla war front. According to this story, whoever is controlling the Flame virus has ordered it to self-destruct and erase all traces of itself to impede the forensic analysis of its code. ComputerWorld quotes Symantec's Security Response team blog as saying a self-immolation or "suicide" module "locates every [Flame] file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection. …This component contains a routine to generate random characters to use in the overwriting operation. It tries to leave no traces of the infection behind."
It is obvious that the Flame authors are worried not only that they might be found out (although the betting is that the virus is the work of the US and Israel) or that effective countermeasures to it will be found, but also that it might "escape into the wild" as Stuxnet did and be re-purposed. Of course, copies of Flame are already in the hands of numerous IT security companies, researchers and national security organizations, among others, so it is more than likely only a matter of time before a new "improved" version of Flame appears.
Speaking of the as yet unidentified authors of Flame, another story at ComputerWorld reports that Marc Stevens, a research cryptanalyst at Centrum Wiskunde & Informatica (CWI) in Amsterdam, says that whoever created and distributed the virus needed access to world-class cryptanalysts. The reason behind that belief is that Flame's authors were able "to generate a rogue Microsoft digital code-signing certificate that allowed them to distribute the malware to Windows computers as an update from Microsoft." They accomplished this, ComputerWorld says, by using a previously unknown cryptographic collision attack on the MD5 hash algorithm (Stevens and company demonstrated one method in 2008), which Microsoft security engineers explain in a blog post here.
The ComputerWorld story notes that, "Interestingly, the attack would have failed a long time ago if Microsoft had been more diligent." The reason is that back in 2008, the weakness in MD5 was so well known that Microsoft issued a security advisory recommending "that administrators and certificate authorities cease using MD5 as an algorithm to sign digital certificates because of collision attacks. However, the company failed to disable the use of MD5 in parts of its own operating system, which is what Flame exploited."
Microsoft urgently released a patch and took other actions to close the Flame (or flaming) security hole early last week.
Do we really know whether we have too few or too many STEM (Science, Technology, Engineering, and Mathematics) students to meet the future innovation and competitive needs of the US? That was one of the questions being addressed at a STEM conference on measures for innovation and competitiveness that I attended this week in Washington, D.C. It was sponsored by several industry associations, including the American Association for the Advancement of Science (AAAS) and IEEE USA.
Since the 2007 publication of the influential National Science Foundation report, "Rising Above the Gathering Storm: Energizing and Employing America for a Brighter Economic Future," which examined the “erosion” of the “U.S. advantages in the marketplace and in science and technology” and which stated that a “coordinated federal effort is urgently needed to bolster U.S. competitiveness and pre-eminence in these areas,” there has been a bi-partisan consensus that the way to reverse said erosion is to increase both the number of STEM graduates as well as STEM knowledge in the general student population, which has been on a relative decline over the past decade.
In response to the increasing concern over the dwindling supply of STEM students, back in 2009 the Obama Administration announced a $260 million government/private industry initiative called, “Educate to Innovate,” the aim of which was “to move American students to the top of the pack in science and math achievement over the next decade.”
More recently, the Administration proposed a new $100 million government/private industry initiative to train 100,000 STEM teachers and graduate 1 million additional STEM students over the next decade, a very ambitious goal given that about 167,000 students in total graduated with STEM degrees last year.
Even as these and dozens more STEM initiatives have sprung up, there has been a lingering question about how much STEM professionals contribute to national innovation and competitiveness, as well as whether there truly is a STEM education shortfall and, if so, how large it is. Without good answers to these questions based on concrete data, national policy is formed and scarce national resources are allocated based on anecdotal information, which one can only hope provides the correct insights.
The speakers at the STEM workshop dug into these issues and more. For instance, Professor Richard Freeman from Harvard stated that while everyone generally agrees that “innovation” is critical to U.S. economic and social progress, there aren’t good definitions of what the term means let alone how to measure innovation at a national level. As a result, when R&D funding is reduced (as it has been for quite some time at the federal level in relation to GDP), no one is really sure what the effects are on future innovation and therefore economic or social progress. Freeman proposed an approach to define and measure innovation (i.e., an "innovation index") so that when national policy decisions involving R&D funding are made there is some understanding as to what the end result will likely end up being.
In a similar vein, Professor Nicholas Vonortas from George Washington University spoke about the disconnect that seems to exist between US manufacturing and the role of STEM education. He noted that the US manufacturing sector continues to shrink from the size it once was (although it is still the largest in the world) and that what remains increasingly depends on knowledge-intensive work. Furthermore, there are high-skilled manufacturing jobs going unfilled that will likely continue to go unfilled for some time, as this Washington Post story also noted a few months back. This is important because in previous U.S. recessions, manufacturing has led the way out. The assumption is that if these jobs stay unfilled, what's left of U.S. manufacturing will eventually disappear, and the effects of the last recession and the current job stagnation will linger for a long time; therefore, the argument goes, if only there were more STEM graduates, the U.S. could at least preserve the manufacturing jobs that exist.
However, Vonortas noted that, when one digs into the data, most of the jobs going begging are apparently for production workers, not ones that would necessarily require STEM degrees. In addition, manufacturing jobs may go begging because manufacturing is seen by students and their parents as a poorly paying industry without a healthy long-term future. Therefore, Vonortas says, there isn't really any hard evidence to claim that the lack of STEM students is the problem, or that more of them are the solution to maintaining U.S. manufacturing. U.S. policy makers may need to look at avenues other than STEM education to solve U.S. manufacturing issues.
One area where STEM students are needed is in aerospace and especially the defense industry. Edward Swallow from Northrop Grumman discussed how aerospace and defense (A&D) is the leading employer of STEM professionals, but is having a hard time attracting new STEM grads. One reason, similar to manufacturing, is that STEM graduates look at A&D as a declining industry, which, given projected defense budget cuts, is not an unreasonable perspective. Another is that U.S. citizenship is usually required, and often a security clearance as well, which reduces the pool of those eligible to be employed. A third is that there are not a lot of exciting new aerospace or defense initiatives that spur the imagination of young engineers the way there once were.
Swallow's company and others in the A&D industry are pushing hard to increase the total number of STEM students (especially from minority groups and women) in order to meet their needs. But as another speaker, Professor Ron Hira from Rochester Institute of Technology, pointed out in his talk on the globalization of engineering and its impact, the US economy has created fewer than 50,000 new engineering jobs in the past decade. That lackluster performance can be attributed to both increased global competition and the outsourcing of engineering and other STEM-related jobs, even as 900,000 engineering students were graduating from colleges and universities. The use of H-1B visas has also negatively impacted the availability of STEM jobs in the US, Hira argued.
All these factors may help explain why only about half of those graduating with undergraduate STEM degrees actually work in STEM-related fields after college, and why, after 10 years, only some eight percent still do. I should note that those with STEM degrees do seem to enjoy higher salaries than non-STEM-degree co-workers in whatever field they choose, which may be the best reason to get one.
By the end of the conference it was pretty clear that the assumption that a major increase in STEM educational funding is absolutely required for the US to avert future economic decline is not well tested. Funding may well be needed, but the current data provide mixed support. I'll provide a link to the speaker presentation videos when they appear, but in the meantime, you may want to read the Spectrum article on jobless innovation, which made many of the same points the speakers at the conference did.
After initially pleading ignorance, the professional social network LinkedIn confirmed yesterday that it had been hacked and that the encrypted passwords of at least 6.5 million of its 161 million users had been taken.
According to a story at Cnet, a list of 6.5 million passwords allegedly from LinkedIn was uploaded to a Russian hacker server, after which someone claimed on a Russian forum that he was the one who had hacked into LinkedIn and uploaded the information. LinkedIn was contacted about the claim, and soon said that it was unable to confirm that it had been hacked.
However, as word spread about the alleged hack, experts at the security firms Sophos and Rapid7 announced that they had confirmed the uploaded list contained the LinkedIn passwords of some of their colleagues.
User names are also suspected of being stolen along with the passwords.
Not long afterwards, LinkedIn confirmed that it had indeed been hacked. According to the story at Cnet:
“LinkedIn encrypted the passwords using the SHA-1 algorithm, but did not use proper obscuring techniques that would have made the password cracking more difficult, said Paul Kocher, president and chief scientist of Cryptography Research. The passwords were obscured using a cryptographic hash function, but the hashes were not unique to each password, a procedure called ‘salting,’ he said. So if a hacker finds a match for a guessed password, the hash used there will be the same for other accounts that use that same password.”
According to this story today at ComputerWorld, some 60 percent of the hashed passwords have already been cracked, and it is likely that the remainder will be shortly. The SHA-1 algorithm has been known to be susceptible to cracking since 2005. Of course, in many cases, LinkedIn users made the job a lot easier by using obvious passwords, such as "linkedin," "password," and "linkedinpassword."
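To make Kocher's point concrete, here is an added example (written for this post, not LinkedIn's own code) contrasting the unsalted SHA-1 scheme described above with per-user salting plus a slow key-derivation function. The account names and passwords are constructed; `shared_hash_groups` is the kind of audit check that shows why an unsalted store leaks password reuse before a single guess is made.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample accounts; alice and carol reuse the same weak password.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "alice": "linkedin",
    "bob": "password",
    "carol": "linkedin",
    "dave": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """The scheme the article describes: one bare SHA-1 digest per password.
    Identical passwords always produce identical digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, a deliberately slow KDF.
    Stored form (a format chosen for this example):
    'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt for every account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_store(accounts: Dict[str, str], salted: bool) -> Dict[str, str]:
    """Produce a username -> stored-hash table with either scheme."""
    return {u: (salted_hash(p) if salted else unsalted_sha1(p))
            for u, p in accounts.items()}


def shared_hash_groups(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit check: group usernames whose stored hashes are byte-identical.
    Any group larger than one means the store is unsalted (or salts are
    reused), so cracking one entry cracks every account in the group."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for user, h in store.items():
        groups[h].append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    plain = build_store(SAMPLE_ACCOUNTS, salted=False)
    print("unsalted SHA-1: accounts sharing a hash ->", shared_hash_groups(plain))
    salted = build_store(SAMPLE_ACCOUNTS, salted=True)
    print("salted PBKDF2: accounts sharing a hash  ->", shared_hash_groups(salted))
    print("alice logs in with 'linkedin':", verify_salted("linkedin", salted["alice"]))
```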
Kocher also was quoted by Cnet as saying that LinkedIn, “did not segregate and manage the (user) data in a way that they would not get compromised.”
LinkedIn for its part has disabled the accounts of those affected, as well as rounded up the usual mea culpas, saying, “We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously.”
In related news, the dating site eHarmony also saw its security breached, possibly by the same hacker. In this case, some 1.5 million out of 20 million passwords were taken and posted on a Russian hacker website. The passwords were encrypted in a similar way to those at LinkedIn, but it is unclear if a more secure encryption approach was used.
eHarmony similarly said it "deeply regret[s] any inconvenience this causes any of our users."
Let's hope that "inconvenience"—like getting lots of phishing email asking you to reset your eHarmony or LinkedIn passwords—is the extent of the suffering.
For quite some time—and again over the weekend—U.S. government officials have been warning U.S. businesses to shore up their cyberdefenses. Without a hint of irony, the U.S. Department of Homeland Security (DHS) issued an alert to businesses about "Flame," the Washington Post reported, even though it's likely that Flame (as well as Stuxnet) is the result of U.S. and Israeli cyberwarfare cooperation.
Over the weekend, Israel admitted publicly for the first time to engaging in “cyber activity consistently and relentlessly” for the purposes of "thwarting and disrupting enemy projects,” according to a story in the Sydney Morning Herald.
Last week's revelation that the U.S. government long ago decided that launching cyber-attacks against countries it views as a threat is a legitimate foreign policy tool is now leading to the inevitable question of whether this behavior will serve as an open invitation to others to do the same. In an article at ComputerWorld, for example, this question was raised by several security experts. They argue that the United States, having thrown off its cover of plausible deniability, has "painted a huge target on [its] back." They add that the admission also undermines any complaints the U.S. has against others, especially China, for conducting cyber operations against U.S. businesses or government organizations.
The revelation has also raised questions regarding exactly what U.S. policy is in regard to cyberwarfare. David Sanger, the journalist who broke the story of U.S. involvement in a coordinated program of cyberattacks against Iran that fell under the moniker "Olympic Games," wrote in a Saturday New York Times article that US government officials:
“’… approached the Iran issue very, very pragmatically,’ one official involved in the discussions over Olympic Games told me. No one, he said, ‘wanted to engage, at least not yet, in the much deeper, broader debate about the criteria for when we use these kinds of weapons and what message it sends to the rest of the world.’”
This failure to think through all of the consequences of employing cyberwarfare parallels the lack of analysis preceding the initial deployment of armed drones to (and against) other countries, a move which continues to create major political as well as legal debate today.
While a Washington Post editorial yesterday noted that the U.S. "lives in a mammoth glass house and ought to be mindful of the dangers when we throw stones," the time for counting up the cost of its actions looks long past. The U.S. cannot complain if it begins to reap what it has sown.
And heralding what may be in store, there was an article today in the Washington Post about the search engine Shodan, which is able “to map and capture the specifications of everything from desktop computers to network printers to Web servers.” Users of Shodan, the Post said, were able to find that “uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in[to the Internet], and in some cases they were wide open to exploitation by even moderately talented hackers.”
So far, over 100 million devices have been discovered using Shodan, which has aided in “recording their exact locations and the software systems that run them.”
It doesn’t take too much imagination to think what a government intent on doing harm to U.S. infrastructural and business systems could do with that information.
(By the way, the Washington Post story on Shodan is the second part of a very well-worth-the-read multi-part series of articles on cyber security. Part one was on the anatomy of creating a zero-day attack.)
One final consideration is whether all this will lead to an even greater push by the U.S. government for the sharing of certain cyberthreat intelligence among the intelligence community and cybersecurity entities, as called for in the proposed Cyber Intelligence Sharing and Protection Act. My bet, given past history, is most definitely.
Just a week ago, the Flame virus, suspected to be a weapon in a heretofore undeclared cyberwar, was discovered by computer security experts. Now, unnamed U.S. government officials have told a New York Times reporter that the Stuxnet worm, another sophisticated piece of malware that was discovered in 2010, was the brainchild of secretive U.S. and Israeli intelligence agencies. Stuxnet, designed to deal a significant blow to Iran’s uranium enrichment program, was clearly a cyberwarfare tool. But previous discussions of its authorship were, at best, a series of educated guesses and unverified allegations.
The NYT reporter, David Sanger, says his U.S. government sources told him that the program responsible for Stuxnet, code named “Olympic Games,” was initiated in 2006 at the behest of former president George W. Bush, but has since been championed by Barack Obama. These sources told Sanger that Obama “decided to step up cyber-attacks on Iran’s Natanz enrichment facility, even after the existence of the worm became public in 2010 after it leaked out onto the Internet.”
The highly-detailed Times article, excerpted from Sanger’s soon-to-be-released book, “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power,” benefits from 18 months of interviews with current and former American, European and Israeli officials involved in the program, and several outside experts. In it, Sanger reveals what Stuxnet was intended to do, how it managed to conceal itself, why it remained effective even after a coding error allowed it to escape the Natanz enrichment plant’s computer system and eventually spread to the Internet, and even the decision making process that led Obama to order that the cyberespionage program be continued.
According to the Guardian, the U.S. National Security Agency and Israel’s Unit 8200 ended up as collaborators on the project because of U.S. fears that Israel would take it upon itself to end the threat of Iranian nuclear weapons capability by leveling the plant. The U.S. let Israel in on its plot in order to reassure its ally that Iran’s nuclear efforts would be greatly compromised without a single bomb being dropped. The article quotes Sanger, who notes that to talk them down from the ledge, “The Israelis would have to be convinced that the new line of attack was working…The only way to convince them, several officials said in interviews, was to have them deeply involved in every aspect of the program.” But Sanger’s New York Times article notes that Israel’s technical expertise and unrivaled intelligence about the Natanz facility’s operations helped to make it an attractive partner.
For a while, the plan went off without a hitch, the U.S. officials told Sanger. “The Iranians didn’t suspect foul play because no two attacks were exactly alike," they said; and even in the midst of a full-bore attack, the Stuxnet worm sent signals to the Natanz control room that made readouts being monitored by engineers there appear to be perfectly normal. "This may have been the most brilliant part of the code,” a U.S. official told the New York Times reporter.
How effective was it? Even after the malware’s existence became the subject of worldwide buzz, an updated version of the worm destroyed about a thousand of the 5000 centrifuges then in operation.
Now that the United States has acknowledged responsibility for Stuxnet, it naturally becomes the leading suspect in the case of the Flame virus. According to an article in The Guardian, Kaspersky Labs, a Russian computer security firm that has studied both Stuxnet and Flame, confirms that the timing of the first Stuxnet attack on Iran in June 2009, and the worm being outed almost a year later, jibe with the timeline proposed by the New York Times' sources.
Asked if there were any conclusions about Flame’s origin that could be drawn from the U.S. admission that it targeted Iran with Stuxnet, Kaspersky Labs said, “there are sufficient similarities between the two worms to suggest they have the same source.”
The U.S. government, which denies that the Flame virus was part of the Olympic Games program, maintains that it did not create that bit of malware. But then again, that was its official stance regarding Stuxnet until admitting it became politically expedient.
The Guardian article calls the disclosure of President Obama's role in Stuxnet a tactical political strike meant to bolster Obama’s hawkish bona fides. The Guardian paints a picture of an Obama taking advantage of every opportunity to counter assertions from the right that he is weak on military issues:
“The decision to reveal Obama's role in the cyberwar against Iran follows hard on the heels of the highly political disclosure in an election year that the president had taken a personal role in approving terrorist targets for US drone strikes. And the depiction of his key involvement in two major clandestine military operations follows photographs last year showing him, as commander-in-chief, awaiting news of the death of Osama bin Laden.”
According to Sanger’s sources, who say they participated in many briefings on the progress of Olympic Games, Obama “was acutely aware that with every attack he was pushing the United States into new territory…He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons—even under the most careful and limited circumstances—could enable other countries, terrorists or hackers to justify their own attacks.” These aides revealed Obama’s concern that because the United States’ infrastructure is so dependent on computer systems, no country is more vulnerable to a similar type of attack.
It stands to reason that engaging in cyberwarfare would have a sobering effect: It was almost exactly a year ago that the United States drew a line in the sand, declaring that certain types of cyberattacks can constitute an act of war. As one military official in a Wall Street Journal article stated it: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."
Will Iran retaliate? Experts say they’ve seen no evidence of a return volley on the malware front. But there’s no guarantee that the country and its allies aren’t plotting something that, while less sophisticated, may be just as destructive.
Last April, I blogged about the long-running problems with New York City's attempts to modernize its 911 emergency call system. The latest effort, called the Emergency Communications Transformation Program (ECTP), began in 2005 with an estimated cost of $1.3 billion and a completion date of 2007; it has since ballooned into a $2.3 billion plus effort with a completion date of (hopefully) 2015.
A new audit report released by New York City Comptroller John Liu yesterday raised previous charges of incompetent project management to the level of potential fraud on the part of Hewlett-Packard, the original prime system integrator on the project.
Liu’s press release states that “the contractor selected to streamline the City’s vital 911 call system was unqualified and so poorly monitored that it was able to overbill taxpayers by as much as $163 million. Because of the severity of the findings and potential for fraud in both the vendor selection and billing processes, Comptroller Liu has referred the matter to the Manhattan District Attorney’s Office for further review.”
Echoing the earlier charges of incompetence, Liu also says that the cost of the system could rise another $362 million because the work required was poorly performed.
City officials as well as New York City Mayor Michael Bloomberg have vehemently repudiated the audit findings. According to the City's response, the audit is "premised on a fundamental misunderstanding of the scope of HP's work as system integrator… This misunderstanding is also the basis of the audit's unsupportable conclusion that the system integration work for ECTP 'could be' up to $362 million over budget."
The Comptroller's Office unsurprisingly "strongly disagree(s)" with the City's objections. Equally unsurprisingly, HP has had no comment so far on the accusations contained in the audit report.
Most disagreements like this can be put down to politics—in this case, the mayor is still smarting over the CityTime scandal that Liu helped bring to light, and for his part, Liu will likely be running for mayor next year and wants to be seen as a stalwart steward of the taxpayer's money—but it seems likely that there's yet another financial scandal looming here.
Last week, Iran’s Computer Emergency Response team sounded the alarm about a sophisticated piece of malware that attempted to route sensitive information from a small group of infected computers to at least 10 command and control servers. The software is designed to spy on the users of infected computers, logging their keystrokes, recording their conversations, and stealing documents and other information. Security research firms such as Symantec, Kaspersky, and McAfee, which have been analyzing the code, are calling the malware the most complex ever detected.
The malicious code, dubbed Worm.Win32.Flame or just Flame for short, is so unusual that, despite evidence of its existence having been available for at least two years, experts just didn't recognize it for what it was until now. How is that possible, you ask? (So did ZDNet Australia.)
Whoever developed Flame endowed it with a set of characteristics that allowed it to hide in plain sight. The malicious code evaded detection for as long as it did because it differs from the standard malware profile in so many ways.
According to a ZDNet Australia article, one major difference is its size. The initial Flame module was 6 megabytes; once installed, it used a command and control server to download additional modules that brought its total size to 20 megabytes, say the security firms. Most other viruses attempt to hide among the other programs and bits of software on a computer by staying small. Such malicious code typically tops out at a few hundred kilobytes.
Another thing that sets Flame apart is the fact that it doesn't indiscriminately attempt to infect every possible computer. Vitaly Kamluk, chief malware expert for Kaspersky Labs, a Russian antivirus firm, told the Wall Street Journal that the malware's precision suggests it was designed to be a cyberwarfare weapon. Kaspersky says that only 382 infections have been reported; of those, 189 were in Iran, and the targets were individuals rather than organizations.
Budapest University’s Cryptography and System Security (CrySyS) Lab says that the results of its investigation “support the hypotheses that [Flame, which it refers to as sKyWIper] was developed by a government agency of a nation state with significant budget and effort.” How so? The WSJ article quotes from a report explaining that:
"Usually with a standard attack malware writers will try to limit the amount of data coming off the machine because otherwise it is very hard to find what you are looking for," she said. "This is like old-school espionage. Take everything you can and sift through it. This shows there is an agency at the back end that has the bandwidth to deal with this."
Despite these large volumes of traffic, Flame still evaded detection. According to Pure Hacking CTO Ty Miller, Flame uses SSL encryption, the same type that secures online banking transactions. "The malicious network traffic is transferred over SSL and SSH tunnels, which are generally encrypted from end to end. This means that network-based intrusion prevention systems would not be able to detect rogue activities," Miller told ZDNet Australia. And even if something about the traffic aroused suspicion, "Without knowing what algorithm the traffic is encrypted with and what keys were used to encrypt it, no security solution would be able to classify such traffic as malicious, without increasing the risk of false positive detections that may potentially block legitimate traffic," Sergei Shevchenko, manager for threat research and analysis at Stratsec, a leading Australian IT security firm, told ZDNet Australia.
Another precaution taken by the malware’s creators was cloaking its activity under the cover of several dozen domain names and nearly 20 distinct IP addresses.
Just as likely to have put security and network administrators wrongly at ease is the programming language in which Flame was written. Kaspersky Labs' Kamluk told the Wall Street Journal that parts were written in Lua, the leading scripting language used by videogame developers. "I have never seen it used in any piece of malware before," Kamluk reports. But according to the programming language's website, "A fundamental concept in the design of Lua is to provide meta-mechanisms for implementing features, instead of providing a host of features directly in the language." In other words, in the hands of a malicious code writer, it can become a fertile seedbed for hiding things in plain sight, or for gradually adding capabilities that, if seen together, might arouse suspicion.
The Daily Mail over the weekend published a widely picked up story on the extent of the U.S. Department of Homeland Security's (DHS) monitoring of social media for information that not only signals a threat to the United States or other countries but also "reflect[s] adversely" on the DHS itself and its "response activities." In a bit of its usual over-hype, the Daily Mail story listed words like Mexico, cloud, or pork as ones to possibly avoid when posting to social media sites, since they are among the hundreds of words DHS routinely searches for on various social media sites every day. But whether or not you really are subject to DHS scrutiny may rest with some rather subjective decisions by a trio of men named Brad, Ray, and Mitch.
First, a little bit of the back story.
The Daily Mail story is based upon a Freedom of Information (FOI) lawsuit filed by the Electronic Privacy Information Center (EPIC) in December of 2011 to discover the scope of DHS social media snooping activities which began in early 2010.
At that time, DHS had initiated a pilot social media surveillance capability for specific events, such as the earthquake in Haiti in January, the 2010 Vancouver Winter Olympics held in February, and the April BP oil spill. The idea–which is not entirely unreasonable–was to get a broader picture of what was happening on the ground by looking at what was being tweeted, blogged about, put on message boards, etc., instead of waiting for the regular mass-media news cycle to publish information. The downside was that the raw information being posted on social media sites might reflect nothing more than rumors, speculation, and the usual conspiracy theories. But among all the chaff, the hope was, some kernels of truth that DHS could act upon might appear in near real time.
Apparently, those experimental monitoring efforts provided sufficient intelligence value that in June 2010 DHS decided that it needed to start monitoring social media on a full time basis. So, in February 2011, the DHS signaled it was now ready to pursue this goal by putting out a public notice that it intended to establish a new DHS “Publicly Available Social Media Monitoring and Situational Awareness Initiative System of Records.” The purpose of creating this new “system of records” was to indeed monitor social media such as “publicly available online forums, blogs, public websites, and message boards” to provide DHS (and other government officials at the federal, state, local and foreign level) with increased “situational awareness and establish a common operating picture.” A slightly more detailed description of DHS’s monitoring approach is found here (pdf) in its privacy assessment of the operation. The document also gives an initial list of search terms the DHS proposed to use in monitoring social media—running from telecommunications, to terrorist, to tornado.
However, a close reading of the notice shows that what DHS was proposing to do wasn’t just some benign monitoring of social media but also to actively (and covertly) participate on the social media sites, as well as to obtain personally identifiable information (including full names, affiliations, and positions) of those participating in online discussions, all based on posts using the above-mentioned search terms.
(I wonder how DHS separates posts created by its own social media covert agents from those created by others being monitored?)
Needless to say, this raised concerns among privacy advocates as well as members of Congress. In April of last year, EPIC requested more information from DHS about the social media surveillance program and especially the deal it inked with a government contractor to carry out the monitoring. The DHS decided to effectively ignore EPIC's request. As a result, in December 2011, EPIC filed a FOI lawsuit (pdf) against the DHS to get the information.
In January and February of this year, the DHS decided, because of the lawsuit and probably congressional pressure, to start releasing information about its social media monitoring program, including a redacted version of the operating procedures and search terms used by analysts in monitoring social media sites (pdf). The Analyst’s Desktop Binder, as it is called, describes which news events and information analysts need to be on the lookout for, and when and to whom to disseminate it. Apparently, according to the Item of Interest (IOI) Severity Chart, if subjective social media reports “reflect adversely” on DHS, “especially those that have a negative spin on DHS/Component preparation, planning, and response activities,” they will be passed along to others in DHS after being verified by “Brad, Mitch or Ray, or one of the other team leads.” I wonder who Brad, Ray or Mitch are, and whether they are government employees or contractors?
The DHS insisted at Congressional hearings in February that what it is doing is necessary, legal and certainly doesn’t violate anyone’s privacy rights, but others aren’t so sure. When does critiquing the government, and especially DHS, which has a ragged track record on projects, appear to those inside government to cross the line from legitimate criticism to becoming threatening? Does it really depend on the personal views of the Brads, Rays and Mitches and other team leads that DHS employs?
Furthermore, as a post at Forbes notes, DHS isn’t saying how it is gaining access to all those social media sites it is monitoring. The post speculates that “the DHS has a ‘special arrangement’ with companies like Google, Facebook, Microsoft, Yahoo and Twitter to gain secure direct API access. This type of access would allow it to use distributed cloud technologies to monitor the daily flow of social media and search activity in something close to real time.”
The Forbes post goes on to note that “this post itself is now [likely] coming up on the DHS radar,” as no doubt this one (and comments to it) will as well.
I wonder if anyone at last week’s 24-hour Hackathon created an app to highlight DHS search terms in case you wanted to avoid using them on social media posts, or alternatively, use as many of them as possible to annoy the DHS analysts? If not, I am sure one will be available soon.
Glossophobia–or the fear of speaking in public–has long been said to be the number one phobia, with 75 percent of people suffering from a form of it. However, a new fear–nomophobia–is said to be rising and may soon replace glossophobia as our greatest fear.
What is nomophobia? According to a 2008 survey of 2163 adults in the UK by YouGov plc, underwritten by the UK Post Office Telecoms, which coined the term, it is supposedly “the fear of being out of mobile phone contact,” i.e., a no-mobile-phone phobia.
“Experts say nomophobia could affect up to 53 per cent of mobile phone users, with 48 per cent of women and 58 per cent of men questioned admitting to experiencing feelings of anxiety when they run out of battery or credit, lose their phone or have no network coverage.”
Apparently, the nomophobia survey findings so concerned the UK Post Office that it created a nomophobia memory guide (pdf) with all sorts of helpful ways to improve your memory so as to not lose your phone.
A recent Daily Mail article now reports that nomophobia affects 66 percent of UK adults. The signs of nomophobia, according to the Daily Mail, are:
An inability to ever turn your phone off
Obsessively checking for missed calls, emails and texts
Constantly topping up your battery life
Being unable to pop to the bathroom without taking your phone in with you.
The Daily Mail cites a 2012 survey by the security company SecurEnvoy that states that young people aged 18–24 are the most nomophobic (77 percent), while those in the 25–34 age group are second at 68 percent. In addition, some 41 percent of those surveyed carry two (or more) phones to make sure they are never out of contact.
Furthermore, people check their phones 34 times a day on average, the SecurEnvoy study claims (by comparison, this New York Times article cites a study from 2008 that reports that a “typical information worker” checks his or her email program more than 50 times a day).
SecurEnvoy undertook the study in part to see how much importance people place on securing their phone in case it is stolen or lost, which apparently happens a lot. Unsurprisingly, some 46 percent of those surveyed don’t use any type of security on their phones, while 41 percent use a four-digit PIN access code, 10 percent encrypt their phones and the remaining 3 percent use two-factor authentication technology.
So, do you suffer from "nomophobia," and does it extend to other mobile devices (iPadaphobia or Kindophobia?) as well?
The Victorian state government finally decided last week to throw in the towel on the nearly decade-long implementation of its HealthSMART e-health record system project after recognizing that the "e" actually stood for an "extravagance" it could no longer afford.
In 2003, Australia’s Victorian government embarked on an ambitious modernization of the state’s health IT infrastructure. The idea was to combine its health-related financial systems with its patient record management systems through the creation of a comprehensive, Victoria-wide electronic health record (EHR) system. The original HealthSMART project budget was $A323 million and a completion date was set for June 2007. However, by the end of 2007, while some 57% of the money had been spent, only 24% of the project had been completed. Projected costs to complete had risen to $A427 million, and a roll out date was estimated to be sometime in late 2009. There was talk at the time of cancelling the project, but the government decided to keep the effort alive given what it believed to be its significant potential benefits.
By late 2010, questions were again being raised, especially by the newly elected Baillieu government, about whether HealthSMART should indeed be cancelled. The completion date had now slipped to sometime late in 2012, and the project costs were still rising, with at least another $A100 million being seen as needed to finish the job. The government decided, after lobbying by the Australian Medical Association Victoria and others, that it was in an “in for a penny, in for a pound” type of situation, so it held its collective nose and soldiered on.
However, by early this year it became increasingly apparent that the end of the EHR effort was still not in sight, even though $A566 million had now been spent on it. So last week, the Victorian government decided it was no longer going to “throw good money after bad,” ZDNet Australia reported. It scrapped the project, but announced a new plan to set aside $A100 million to help individual hospitals improve their health IT. Health Minister David Davis was quoted in the ZDNet story as saying that:
“In those hospitals where it has been put in place or partially put in place, health services will make their decisions from that position, but going forward, beyond that, health services will be able to examine what is appropriate for their particular service.”
That said, at the national level, the Australian government is still continuing its support of the controversial personally controlled electronic health records (PCEHR) system, which is supposed to begin its roll-out across Australia this July. Prime Minister Gillard's government has recently even allocated $A233 million in this year’s budget (on top of the original appropriation of $A466 million) to bolster the effort's probability of success.
At the same time, the government has also been trying to dampen expectations about the PCEHR system, saying that it will take years before it will actually be useful. But the government predicts that the changes it will make in the way medical data is handled will eventually save Australia $A15 billion in government-related health costs by 2030. Given the current state of the PCEHR system and the lukewarm support for it among the Australian populace and medical profession, that amount sounds more like political wishful thinking than an estimate grounded in economic reality.
IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.