Risk Factor

IT Hiccups of the Week: Australian Police Warn About Apple Maps, Numerous SaskTel Wireless Customers Billed $100 000

This has been a relatively quiet week with regard to IT-related problems that tend to annoy us. But we'll start off with transportation systems disrupted by computer issues—two at airlines and one on a metro system. The Chicago Tribune reported that United Airlines suffered “intermittent Internet connectivity issues” last Friday, causing some of its computer systems “to run more slowly than normal.” The problem didn’t affect all of United’s operating locations, but it struck the airline's major Chicago O’Hare International Airport hub. Luckily, no flights were delayed or canceled, unlike several other recent episodes.

Passengers on Utah-based SkyWest Airlines weren’t so lucky yesterday. According to the Salt Lake Tribune, the centralized aircraft management system that provides flight crews with information on their planes' weight, balance, fuel, and the like crashed on Sunday morning at 0500 Mountain Time and did not return to normal until 0700. Flights were disrupted for the remainder of the day as a result.

Also yesterday, an unexplained computer system failure shut down Montreal’s entire metro system at 0800 EST. News reports say that restoration of service began about 45 minutes later.

Also in Canada, there were reports earlier in the week that some 9000 Saskatchewan Telecommunications Holding Corp. wireless customers received incorrect bills, which the company says “may range from a few cents to [CN] $100 000.” The story at the Globe and Mail quotes a SaskTel spokesperson as saying that a “network capacity enhancement” to its 4G LTE network resulted in customers' Saskatchewan data being charged at U.S. data rates.

The SaskTel spokesperson went on to say, “We apologize for any inconvenience. Thank you for your patience as we continue making network improvements.”

A spokesperson from Cuscal, the owner of the RediATM network in Australia, also “sincerely” apologized to users of its ATM network over the weekend. The network reportedly crashed for about three hours on Saturday, disabling ATMs across Australia. According to a story in the Sydney Morning Herald, the RediATM network is one of the largest in Australia, with about 3000 ATMs. On top of the inconvenience of not having access to an ATM during a major holiday season shopping day, some customers reportedly found that "money had been deducted from their accounts, despite an error message appearing on the ATM screens declaring the transaction had failed.” Cuscal stated that it has taken action to reimburse cardholders, but if any problems are not resolved, customers can submit a complaint form to it today.

Finally, also in Australia, AFP reports that Victorian police are warning Apple Map users not to depend on the app to navigate to the inland town of Mildura, which is about 310 kilometers northwest of Melbourne, as it could turn deadly. Instead of being directed to the town, Apple Map users are being sent “off the beaten track” to isolated and hazardous terrain in the Murray Sunset National Park, some 70 kilometers away from Mildura.

AFP reports that the police have released a statement saying they are "extremely concerned as there is no water supply within the park and temperatures can reach as high as 46 degrees Celsius (114 F), making this a potentially life threatening issue.”

Police said that they have had to rescue lost drivers and passengers from at least five vehicles that have been stranded in the park without food or water for 24 hours as a result of following Apple Map directions to Mildura. One lost driver got stuck in an area of the park which had no cell phone coverage, and had to walk for 24 hours before he was able to find a signal and call police to be rescued.

Apple would not comment on the story except to refer “to an earlier statement that it was doing everything it could to fix problems with the maps application in the new operating system used by the iPhone 5,” the AFP story states. Victorian police say they have contacted Apple about the issue.

Unfortunately, the AFP story doesn’t say where Apple Maps sends you when you actually want to drive to Murray Sunset National Park. Anyone know?

This Week in Cybercrime: ITU Internet Conference Falls Prey to a Cyberattack

ITU Internet Meeting Website Comes Under Attack

The International Telecommunication Union's World Conference on International Telecommunications (WCIT) in Dubai kicked off this week. The gathering, whose focus is on the Internet, was organized by the ITU, the UN organization that has quietly set technical standards for global telecommunications for decades. But late on the conference’s third day, a cyberattack disabled the ITU website. The ITU told Computerworld that the outage "blocked civil society, media and other interested parties from following the proceedings, and prevented access to the wealth of online information on the ITU's WCIT home page and Newsroom.” And some delegates were unable to access documents posted online that were being considered at the meeting.

The ITU says it employed a "contingency measure [whereby] network traffic was redirected to a backup website hosted in another geographical region." That shift, the group said, resulted in "performance degradation" that lasted for about two hours.

It wasn’t long before the hacktivist group Anonymous, which has been critical of what it views as the ITU’s foray into Internet regulation, claimed responsibility for the online attack. Anonymous, which called the ITU “extremely non-transparent and un-democratic," is one of a number of groups up in arms over the ITU having approved a standard last month that could lead to inspection of encrypted Internet traffic.

Will Banks Take the Fall When Security Lapses Lead to Big Losses?

Wired reported on 30 November that People’s United Bank in Maine has agreed to reimburse Patco Construction Company, of Sanford, Maine, for US $345 000 that was siphoned from Patco’s account in 2009. People’s United agreed to give Patco the money only after a First Circuit Court of Appeals in Boston ruled that the bank’s handling of information that could have prevented or at least limited the losses did not meet the standards called for under the U.S. Uniform Commercial Code.

According to court documents, cyberthieves sent a phishing e-mail to multiple Patco addresses. A single click put the Zeus Trojan, which steals passwords, on an employee computer, allowing the hackers to find out the login credentials associated with the company’s commercial bank account. The bank’s automated system later flagged a series of fraudulent automated clearing house, or ACH, transfers ($100 000 a day) as suspicious. But despite the fact that the transfers featured several glaring differences from the construction company’s banking habits, the bank did not alert Patco. Bank personnel reasoned that the bank had verified that the user ID and password used for the ACH transactions were correct and that was all it needed to do. When the construction company became aware of the missing funds, the bank insisted that Patco would have to take the loss.

Though a U.S. district court in Maine ruled in the bank’s favor, finding that although the bank’s security procedures “were not optimal,” they were about as good as those employed by other banks, the appellate court disagreed. It ruled that the bank’s handling of the matter did not meet the UCC’s “commercially reasonable” standard and told the two parties to reach a settlement.

“This case says to banks and to commercial customers … that there are circumstances in which the bank cannot shift the risk of loss back to the customer, and we’re not going to assume that security procedures are commercially reasonable just because the bank has a system that they say is state of the art,” Dan Mitchell, the attorney who represented Patco, told Wired.

Were Twitter and Facebook Lax About Fixing a Security Flaw?

Internet security research firm Kaspersky Lab reported on 4 December that a vulnerability in the Twitter and Facebook features that allow users to post tweets and status updates via text could let anyone who knows a particular user's mobile phone number tweet or update from that user's account and change the user's profile information. Twitter lets a user post messages and perform account updates by sending SMS commands from a mobile device that he or she has registered with the social media service. The problem: Spoofing a phone number is as easy as spoofing the sender information in an e-mail header. Twitter’s security is set up so that a PIN can be required, but the user has to turn that feature on in his or her account settings.

"In August I was doing research on SMS spoofing and tested against Twitter and Facebook, and found that they were vulnerable,” Jonathan Rudenberg, the researcher who discovered the flaw, told Kaspersky Lab. “I was about to publish what I found last week when a friend asked me whether I had tested Venmo, which I found was also vulnerable," says Rudenberg.

Why are we just finding out about this? According to Rudenberg, he alerted Twitter in August and the company asked him to keep quiet about his discovery until it could fix the problem. But several weeks later when he asked for an update on Twitter’s progress, the company, he says, failed to respond. “Initially Facebook did not respond to my report on their security vulnerability page,” he notes in a post about the vulnerability on his website. “I then emailed a friend who works at Facebook, who facilitated my contact with their security team,” he recalls. But nearly three months went by before he received confirmation that Facebook had resolved the issue. Rudenberg published the information as well as a timeline of his contacts with Twitter, Facebook, and Venmo on 3 December.

Should You Have Unfettered Access to Your Implanted Medical Device Data?

There was a very interesting story in the Wall Street Journal that looked at the inability of patients who have implanted medical devices, such as implanted defibrillators, to gain access to the raw information the devices are sending out. According to the story, the device manufacturers say that rules by the U.S. Food and Drug Administration (FDA) require that the information be sent only to the patients’ hospitals or doctors, who are in fact the device manufacturers’ end-item customers. If a patient wants to get access to the raw device data, they are told that they have to get it from their healthcare provider.

At first blush, this doesn’t sound entirely unreasonable. The device manufacturers argue that the data from a medical device like a defibrillator isn’t in a “useful format” that patients could understand anyway, and that if they were to try to make it so, it would (a) require FDA approval and (b) cost the manufacturers a lot of money, which they don’t want to spend. They also argue that they haven't seen any customer demand for such information.

The FDA, the Journal article states, generally “supports patient access” to medical device information, but only if it is in a format that is presented in a way that provides “proper interpretation and explanation,” like that delivered by a doctor. In other words, don’t count on the FDA to approve broad patient access to medical device information, in a “useful format” or not.

Many doctors support the FDA’s position, arguing that getting access to device information—especially raw information—might “cause anxiety or even harm if a patient misunderstood the signals.”

However, there are other incentives also at work keeping patients from accessing raw or even interpreted medical device information. As I mentioned, the doctors and hospitals are the device manufacturers’ actual customers. If a patient wants their implanted device information, the patient is likely going to have to get an appointment and pay whatever fee the doctor or hospital charges. A bit of mutual back-scratching there.

Furthermore, a doctor or hospital usually doesn’t get the devices' raw data themselves anyway: device manufacturers only send output summaries to them. In addition, even if a doctor or hospital wanted to provide raw data to their patients, it might not be possible anyway.  Device manufacturers typically make doctors and hospitals sign contracts that restrict use of the devices’ raw data. The manufacturers can do that because raw data from an implanted device is not considered to be medical record information under the 1996 Health Insurance Portability and Accountability Act (HIPAA) which gives a patient the right to access their medical information held by their healthcare provider.

It also turns out that the device manufacturers are exploring business opportunities to sell “the data to health systems or insurers that could use it to predict diseases and possibly lower their costs.”  It therefore behooves the manufacturers to keep access to their device data as restricted as possible.

Even more concerning are the other ideas device manufacturers are contemplating. The WSJ says that Medtronic, for example, “is developing a matchstick-size monitor, implantable without surgery, that could track measures such as heart rate and arrhythmia that can predict heart disease.” With such a device, Medtronic “envision(s) a future where employers might require insured workers with a family history of heart disease to have the device implanted or face higher insurance premiums.”

Of course, if that "vision" became the norm, I wouldn’t doubt that the next step would be for employers to start insisting that all of their insured employees have non-surgically implantable devices to check on a whole host of health factors, such as drug and alcohol use (why require random testing when you can monitor a person 24 hours a day?), the amount of sleep they are getting (drowsy workers may be a safety hazard), etc.

The only problem with Medtronic’s vision of the future, of course, is that the auto manufacturers may beat them to the punch.

Nationwide Mutual, Clipped for 1 Million Customer Records, Can’t Promise It Won’t Happen Again

A few weeks ago, there was a story appearing in the Atlanta Journal-Constitution about cyber criminals being able to penetrate the computer system of Nationwide Mutual Insurance Co. and steal the names, Social Security numbers, drivers’ license numbers, dates of birth, and marital statuses of more than 28 000 policy and non-policy holders residing in Georgia. The article went on to say that the data breach affected other states such as California, but that Nationwide refused “to say how many clients elsewhere have been affected and in how many other states.”

No wonder.

Last week, when the California Department of Insurance announced that it was launching an investigation into the Nationwide breach, it also disclosed that the total number of persons affected by the breach was 1 million, and that residents of all 50 states were affected (about 5 000 in California). After some prodding from the press, Nationwide confirmed the total number as being closer to 1.1 million. There have been a scattering of mostly local news reports on the data breach in other states such as Iowa (90 000 affected), Ohio (29 050 affected) and South Carolina (12 500 affected), but that is about it. Nationwide must be breathing a sigh of relief at how sparsely the national press has covered such a massive breach.

According to a Nationwide account on its website, it took nearly a month for the company to be able to confirm what information was stolen. By all appearances, it says, the attack looked to be the work of cyber criminals from outside the United States, and per usual, the FBI is investigating. Also per usual, Nationwide is offering free credit monitoring and identity theft protection for a year.

The insurance company also said, “We are very sorry for this situation and are committed to enhancing our defenses against these kinds of attacks.” But those enhancements don't come with any guarantee that this won’t happen again. “There is no such thing as perfect security," the company continued. "And no computer network can ever be completely safe against a sophisticated attack such as occurred here.”

It is a bit hard to tell how sophisticated the attack was, given that Nationwide won't discuss any details. However, if the company truly believed that a data breach was really just a matter of time, maybe it should have encrypted its policy holders’ and non-policy holders’ personal information so that the consequences of any such inevitable successful attack might have been significantly lessened. Maybe California's Department of Insurance can ask Nationwide why its client data wasn't encrypted.

South Carolina, after learning its lesson the hard way, is now spending US $5 million to encrypt its resident and business tax data after a September breach in which cyber thieves almost effortlessly stole tax return information for 3.8 million taxpayers, 1.9 million dependents, and 700 000 businesses going back to 1998. In addition, the state is spending another $25 000 to install a dual password system to access its tax system that the U.S. Internal Revenue Service requires but South Carolina did not bother to ever implement. Security experts looking into the South Carolina breach reported last week that the dual password system would have likely closed off the attack vector used by the cyber attackers.

The total cost likely to be incurred by South Carolina for the breach is expected to hit nearly $30 million when all is said and done, a thousand times more than that dual password system. Nationwide, do you have any interest in a three-orders-of-magnitude savings that also might prevent your next breach?

IT Hiccups of the Week: Keyboard Errors Lead to Replyallcalypse, Man’s Arrest and Trading Snafu

We start off this week’s review of IT-related “ooftas” with one that most of us have probably done at one time or another: accidentally hitting “reply-all” to an email. However, we probably never did it when the email ended up being sent to nearly 40 000 people.

That's exactly what happened last week when New York University sophomore Max Wiseltier attempted to forward to his mother an informational email from the school’s bursar office describing the use of a new, electronic tuition form, but hit reply-all instead. Typically, nothing would have happened, since the email list the university normally uses for its general distribution emails to students does not allow reply-all to sent messages. However, in this case, the NYU Student Resource Center, which sent out the email, magnified Wiseltier's mistake by accidentally using a distribution list that allowed reply-alls.

So, Wiseltier’s email, in which he asked his mother “do you want me to do this?” was sent out to all 39 979 NYU students. You can imagine what happened next. The university eventually ended the ever growing number of responding emails the next day, but not before Wiseltier and his “Replyallcalypse,” as it was dubbed, reached celebrity status.

A few years ago, a similar error at the U.S. Department of Homeland Security caused a security ruckus.

Unlike Wiseltier’s case, another keyboard error brought nothing but grief for a Catholic deacon in Des Moines, Iowa, who was out delivering food to a homebound person, according to a story in the Des Moines Register. The deacon, Quan Tong, was sitting in his car outside the homebound person’s home when a police officer drove by and thought, for whatever reason, that it looked suspicious. The officer ran Tong’s plates, which showed that Tong’s license was revoked. The officer arrested Tong, who spent the next six hours in jail until his wife could bail him out.

For some unexplained reason, a data entry error at Iowa’s Department of Transportation made it appear that Tong’s license had indeed been revoked. But that information was incorrect. The story in the Register didn’t say how the error was discovered, but the police, the county attorney, and the DoT have all apologized to Tong for the mistake. They are also working on returning Tong’s bail money and car impound fees, as well as trying to ensure that all traces of his arrest are removed from Iowa’s Courts Online database.

Another unexplained problem—most likely another keyboard-related error—caused the Chicago Mercantile Exchange Group (CME, which operates the world's leading derivatives market) to issue an erroneous Deliverable Commodities Under Registration Report last Thursday. According to a CME press release, the report, which commodity traders use to make decisions about their trading positions, indicated that 164 wheat shipping certificates had been registered for delivery with the Chicago Board of Trade on Wednesday. The report omitted the fact that an additional 2 000 contracts had been registered with the trade board on Wednesday. The CME corrected its error about two hours later, but by then, the damage was done.

CME announced that it would “assume responsibility for actual losses associated with this reporting error.” It didn’t apologize for the error or promise that it wouldn't happen again, however. I guess the CME assumes that given all the recent stock exchange related errors, an apology wouldn't be believed anyway.

In another exchange-related error, the Wall Street Journal reported on Friday that a computer error two days earlier caused Nasdaq OMX Group Inc.'s (NDAQ) system “to wildly overstate the size of an order for Swedish stock-index futures.” The error caused Nasdaq to halt its index futures and options trading on the Stockholm market for the day. The WSJ story says a “trader entered an order to buy or sell six OMX30 futures contracts expiring in December [but] because of a 'bug' in Nasdaq’s system that disseminates information to customers’ trading applications, the order showed up as 4.2 billion contracts instead.” The bug was fixed a few hours later.

Another programming error is causing holiday season heartburn for hundreds of non-profits and local governments in South Carolina. According to a story at television station WJBF, a Department of Employment and Workforce computer program incorrectly accounted for the days on which unemployed workers were allowed to file for benefits. As a result, employers were not billed for their portion of the unemployment benefits the Department of Employment and Workforce paid out to the laid off workers (some $542 000 out of the $8.6 million in total benefits paid). The state will be sending out bills for the amount owed by the non-profits and local governments very soon. Happy holidays!

Finally, in a bit of better holiday season news, the Wyoming Tribune-Eagle reported that Cheyenne Light, Fuel and Power has fixed the billing error that caused it to over-charge 4664 of its customers a total of over $1 million. The affected customers were billed from January 2005 to October 2012 for a utility-related “franchise fee” that they were exempt from paying. The error was discovered only after a customer complained about the fee being tacked on to his bill.

The Tribune-Eagle reported that customers are receiving refunds averaging between $15 and $20, which means the fee probably amounted to less than 30 cents on a customer’s monthly bill. That explains why the affected customers never noticed it or just shrugged it off for the past seven years.

The Eagle also said that Cheyenne Light found 232 customers that should have been paying the fee and were not. All those customers have reportedly already paid the company what was owed.

This Week in Cybercrime: Crackdown on Cyber Monday Counterfeits

Authorities Shutter Sites Hawking Fakes

Cyber Monday, when U.S. retailers offer special online discounts, has become a frenzied day of sales activity. Buried within a blizzard of transactions is a growing number of counterfeit goods. But, as CNET reported on 28 November, U.S. authorities including the Immigration and Customs Enforcement (ICE) agency and the Department of Homeland Security have taken down 132 websites meant to deceive consumers by making them think they were getting fantastic bargains when they were actually paying for knockoffs. The domain name seizures are part of an ongoing effort called Project Cyber Monday. Over the past three post-Thanksgiving shopping extravaganzas, these law enforcement agencies have taken over 1630 domains. How much potentially illicit business has been prevented? The authorities can’t say for sure, but ICE reports that warning banners put up in place of the sites’ previous content have received a total of 110 million views.

Russian Computer Security Group Developing Automated Cybercrime Stopper

Group-IB, part of the Skolkovo Foundation based in Moscow, says it is pouring US $966 000 into the development of a counter-cybercrime system. The CyberCop system will comprise three tools: FraudMonitor, which will sniff out fraud in online banking systems; BrandPointProtection, which will scan the Internet for signs of copyright infringement and phishing attacks; and the CyberCrimeMonitor, which will store and process the data the system gathers. Group-IB says the system, which it will market to banks, computer forensics organizations, and law enforcement agencies, will be ready to battle cybercrime in about a year and a half.

Romanian Cybercrooks Pinched in Massive Australian Credit Card Scam

The Herald Sun of Australia reported this week that law enforcement agencies from 13 countries collaborated to locate and arrest the members of an organized crime gang that had swiped the credit card data of more than half a million Australians. Australian banks agreed to pick up the tab for about A $30 million in fraudulent transactions. Among the arrested fraudsters, who all hail from Romania, are hackers who discovered vulnerabilities in the computer systems of 100 small Australian retailers. After the hackers exploited the security holes, other reputed members of the gang, including Greco-Roman wrestling champion Gheorghe “The Carpathian Bear” Ignat, used the data to create fake credit cards. Despite the loss of millions of dollars, the Australian Bankers Association insists that the vulnerability—which has since been closed—was limited to these merchants’ systems. The country’s online banking systems are secure, bankers’ association chief Steven Munchenberg told the Herald Sun.

US Electronic Health Record Incentive Program Vulnerable to Abuse

The U.S. Department of Health and Human Services inspector general (IG) released a report this week that stated that the U.S. electronic health record (EHR) incentive program administered by the Centers for Medicare & Medicaid Services (CMS) is “vulnerable” to fraud. The IG says that CMS “has not implemented strong prepayment safeguards” to keep healthcare providers from claiming that they are meeting the meaningful use standard required, and CMS’s “ability to safeguard incentive payments postpayment [i.e., conduct audits] is also limited.”

As I noted a few weeks ago, CMS has already paid out over US $7 billion since January 2011 to over 100 000 healthcare providers claiming to meet federal EHR meaningful use standards. To get the incentive payment, healthcare providers in essence self-certify (“self-attest”) to the CMS that they meet the standards. However, the IG says, CMS does only minimal cross-checking to see whether the self-certifications it receives pass a reasonableness test, and its audit capability is weak to say the least. For instance, the IG report notes that so far, “CMS had not yet completed any postpayment audits.”

Nor would the audit approach that CMS proposes to use conclusively determine in all cases whether a healthcare provider’s EHR system met the meaningful-use criteria, the IG reports. The IG wants CMS to set up a more robust and fraud-resistant self-certification process that it can apply before incentive payments are made, as well as for CMS to start conducting audits using a rigorous process that could accurately measure the EHR meaningful-use achievement being claimed by a health provider.

Interestingly, when the EHR incentive program was set up, there was no requirement “to verify the accuracy of this [self-certification] information prior to payment," the IG report stated. Apparently, CMS set the program up under a “trust, but verify approach,” but it has yet to do its verification bit.

CMS agreed with the IG that it needs to start auditing healthcare providers to confirm that they are indeed meeting the meaningful use criteria, but disagrees that it should do more than the minimal cross-checking to see whether healthcare providers are being truthful before sending out the claimed incentive payments. CMS told the IG that conducting “prepayment reviews would increase the burden on practitioners and hospitals and could delay incentive payments.” CMS argues that its current cross-checking is adequate, and that the threat of audits is enough to keep healthcare providers truthful.

CMS is looking at EHR systems as an important means to cut down on Medicare/Medicaid fraud, which is estimated to be over $60 billion a year. The faster the EHR rollout, the faster fraud can be reduced, seems to be the thinking. It looks like CMS is willing to accept some potential fraud in its $27 billion or so EHR incentive program in a bid to reduce the much larger pool of Medicare/Medicaid fraud.

The ironic fly in the ointment is that CMS is also greatly concerned that healthcare providers are using their new EHR systems to perpetrate Medicare and Medicaid fraud.

It may take a while to see whether the CMS’s rapid trust-but-verify EHR rollout strategy is a good bet, or one that creates as many problems as it solves.

Your Car as Stress Monitor?

There has been an increasing push to warn drivers—especially young drivers—about the dangers of driving while fatigued. A AAA Foundation survey published earlier this month found that “one in seven licensed drivers ages 16-24 admitted to having nodded off at least once while driving in the past year as compared to one in ten of all licensed drivers who confessed to falling asleep during the same period.”

Safety studies (using admittedly sparse data) estimate that from 15 percent to 33 percent of fatal accidents in the U.S. may be due to drowsy drivers (pdf). That risk was highlighted by a recent story in the Sydney Morning Herald, which reported that University of New South Wales researchers had found that driver fatigue led to nearly twice as many crashes in NSW last year as drunk driving did.

Automotive manufacturers have now taken note of this risk (the military has done so for a while) and are researching ways to use information from embedded biometric sensors to “keep tabs on a driver's vital health signs, including pulse, breathing and 'skin conductance,' aka sweaty palms" and thereby detect, among other things, the alertness of drivers, a story in the Wall Street Journal reports. Some luxury car models already have sensor devices to detect drowsy drivers. For instance, “some Lexus models use in-cabin cameras and some Mercedes-Benz vehicles have steering sensors to detect drowsy-driving behavior. The cars sound a warning beep or flash a coffee-cup icon to suggest that it's time for a break.”

In addition, the WSJ article says that manufacturers are exploring ways of monitoring a range of drivers’ vital signs that would be combined with other car sensor information to determine the level of driver stress. The car might react to a high stress level by ensuring your cell phone doesn't ring or even, in a particularly severe case, by reducing power to the engine.

BMW is going even further and is looking at how to “connect Bluetooth-equipped blood-sugar monitors to future BMW models,” as well as looking at “how to design a car that could automatically stop if the driver suffered a heart attack,” the WSJ also reports. Researchers working with BMW see a time when a vehicle’s biometric sensor system will communicate “not just to onboard safety systems, but also to doctors and patients looking to better manage health care.”

One of the BMW researchers who is also a doctor noted that cars already inform drivers when they need repairing, so why not have cars that can tell when drivers themselves need repair? “My car calls me when it needs something," he was quoted as saying. "I want patients' cars to call them when they need blood-pressure medicine.”

Early last week there was a related story at Phys.org on the work being done by the Swiss Federal Institute of Technology Lausanne (EPFL) in conjunction with PSA Peugeot Citroën to develop techniques of determining a driver’s state through the use of facial recognition software. One of the directors of the effort said that, “Our goal is to build the technological base to detect and situate a driver's face at any moment in time. Using this tool, it will then be possible to build and test various driver assistance applications such as eye tracking, fatigue detection, lip reading, and so on.”

To be honest, I am not sure I want a car which nags me about my blood-pressure, or complains about my colorful language when I get cut off in rush hour traffic. I get enough of that already at home.

Photo: iStockphoto

IT Hiccups of the Week: A Second World War Carrier Pigeon's Secret Code and a Missing Pacific Island

We start off this week’s edition with a story that has its origins dating back to the Second World War.  A few weeks ago, the London Telegraph published an interesting article about the remains of an Allied Forces carrier pigeon found during the recent renovation of a homeowner’s chimney in Bletchingley, Surrey, England. The bird's skeletal remains still had a coded message encased in a red capsule attached to one of its legs.  The message, the Telegraph stated, was “almost certainly dispatched from Nazi-occupied France on 6 June 1944—during the D-Day invasions.”

The Telegraph noted that carrier pigeons were used to inform Allied military commanders in England about how the D-Day operations were proceeding during the radio blackout which Churchill had imposed during the invasion. Over 250 000 such pigeons were used during the course of the war.

The coded message (pdf) was turned over to cryptographers working for the U.K. Government Communications Headquarters (GCHQ) in Cheltenham. However, after a few weeks of trying, the government cryptographers admitted that they have been unable to break the code. A GCHQ press release explaining why the code remains undeciphered states that, "GCHQ’s experts are now satisfied that the pigeon-borne message assumed to have been sent during the Second World War cannot be decoded without access to the original cryptographic material."

GCHQ cryptographers believe the code involved using a "one-time" pad. As explained in the press release, "The basis of a 'one-time pad' encryption system is that a random key is used to encrypt (and subsequently decrypt) only one message. The advantage of this system is that, if used correctly, it is unbreakable as long as the key is kept secret. The disadvantage is that both the sending and receiving parties need to have access to the same key, which usually means producing and sharing a large keypad in advance."
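To make GCHQ's point concrete, here is an added illustration (not part of the original post or the press release) of a one-time pad over bytes: without the pad, a ciphertext is consistent with every plaintext of the same length, so there is nothing to "break"; and the reason the pad must be used only once is shown alongside. The messages are constructed for the example and have nothing to do with the pigeon's actual text.

```python
import secrets


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each plaintext byte with one fresh key byte (the pad must be at least as long)."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# With XOR, decryption is the identical operation applied with the same pad.
otp_decrypt = otp_encrypt


def key_for_candidate(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad that would decrypt `ciphertext` to `candidate`.

    Such a pad exists for every candidate of the same length, so the ciphertext
    alone rules out no plaintext. This is why a correctly used pad cannot be
    recovered by analysis: the adversary needs the original key material.
    """
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must be the same length as the ciphertext")
    return bytes(c ^ m for c, m in zip(ciphertext, candidate))


def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What an observer learns if the same pad is used for two messages.

    XORing the two ciphertexts cancels the pad, leaving plaintext1 XOR plaintext2,
    which depends on the messages alone. That is the 'one-time' in one-time pad.
    """
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def demo() -> tuple[bytes, bytes, bool]:
    """Encrypt a constructed message with a random pad and show decryption works
    and that an unrelated candidate is just as consistent with the ciphertext."""
    message = b"LANDED AT DAWN"            # constructed sample, not the pigeon's text
    pad = secrets.token_bytes(len(message))  # fresh random key, used exactly once
    ciphertext = otp_encrypt(message, pad)
    decoy = b"RETREAT NORTH!"              # same length, equally plausible without the pad
    decoy_fits = otp_decrypt(ciphertext, key_for_candidate(ciphertext, decoy)) == decoy
    return ciphertext, otp_decrypt(ciphertext, pad), decoy_fits


if __name__ == "__main__":
    ct, pt, fits = demo()
    print(ct.hex(), pt, "decoy consistent with ciphertext:", fits)
```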

According to a Telegraph story from last week, GCHQ has publicly appealed to any retired codebreakers who worked at Bletchley Park or in military signals during the war to help break the code. Former members of the French resistance are also being contacted to see whether anyone still alive may know the code's key. The Telegraph has invited the public to try to solve the coded message as well. If you feel so inclined, send your answers to mynews@telegraph.co.uk – you might win a copy of the Telegraph’s All New Toughie Crossword Book. I suspect, though, if you can crack the code, the crossword book probably won't be much of a challenge.

Unlike last year, Black Friday and the following weekend's online sales suffered few disruptions. On Monday of last week, Best Buy’s “website failed to calculate some of the sales taxes on the Black Friday specials that it offers online ahead of time for its Reward Zone customers,” a story in the Pioneer Press reported. Things were straightened out by the next day. Click Frenzy, Australia's take on today’s Black Monday—when U.S. retailers offer online discounts on electronic merchandise—had a rough start. The group's website, which hosted virtual storefronts for dozens of Aussie retailers, was overwhelmed by heavy demand. Though the site crashed soon after it opened for business,  it was able to recover a few hours later—but not before Click Frenzy organizers received a bashing in the Australian press.  

No major Black Monday IT glitches are being reported thus far today.

Early last week, departments of motor vehicles (DMVs) across the United States were affected for several days by a database problem originating at the American Association of Motor Vehicle Administrators. That group maintains up-to-date information used by a state's DMV to verify the information on a driver wanting to exchange an out-of-state driver's license for one it issues. The database, which kept crashing, reportedly caused long lines at DMVs in Georgia and Nevada, among others.

An IT glitch associated with a change in Canada’s Citizenship and Immigration computers granted permanent residency visas to some 50 immigrants and members of their families even though they were no longer eligible, the Vancouver Sun reported Wednesday.  Luckily for them, Immigration Minister Jason Kenney decided that because it was an “administrative error” on the part of his department, he would allow the 50 to stay in Canada. They probably wouldn’t have been so lucky if they had been moving to the U.S. under the same circumstances.

Finally, the Sydney Morning Herald reported that university scientists working aboard the RV Southern Surveyor, Australia's Marine National Facility research ship, had “undiscovered” an island.  Apparently, Sandy Island is shown on marine charts – and Google Earth – as a large island sitting between Australia and New Caledonia in the south Pacific. However, when the scientists sailed to the charted location of Sandy Island, it was nowhere to be found.

The Herald noted that Sandy Island has appeared in scientific publications since at least the year 2000 without anyone reporting its non-existence. Google, in its defense, said that it “consulted a variety of authoritative public and commercial data sources in building its maps.” However, the Herald said, the company “encouraged users to alert Google to incorrect entries using the 'Report a Problem' tool… which they would then confirm with other users or data providers.”

If I interpret that correctly, Google doesn’t quite believe the Australian university scientists’ word that Sandy Island doesn’t exist. It still apparently needs the island’s non-existence confirmed by others before it will delete it.

UBS Trader Who Lost $2.3 Billion Is Sentenced to Seven Years

The guilty verdict of fraud handed down by the jury against former UBS AG trader Kweku Adoboli yesterday at Southwark Crown Court was of little surprise: The only question was how long a sentence he would receive for the largest banking-related fraud in U.K. history.

According to the Financial Times, the jury found Adoboli guilty of “two counts of fraud by abuse of position but acquitted him on four counts of false accounting.” He was sentenced to seven years in prison. Adoboli’s illegal trading cost UBS the equivalent of US $2.3 billion, as well as wiping £2.8 billion off the bank’s share price. The losses go beyond money; they're also being blamed in part for the loss of 10 000 jobs at UBS.

Adoboli’s lawyer had an unenviable task, and tried to show that the trader was being made a scapegoat for merely following what his bosses wanted him to do. In his closing arguments the lawyer said the trader was “encouraged by superiors to exceed risk limits as he made record profits from unauthorized trades,” Bloomberg reported. The lawyer said, “You can’t make $6 million profit in one day by not being massively in excess of risk limits… In the end, did he lose control and miscalculate? Yes, he did. He got it wrong and he apologized.”

However, the Crown prosecutor claimed that Adoboli was arrogant and dishonest, and had “fraudulently gambled” away UBS money by creating “fictitious deals” to hide his increasingly reckless trades, both the FT and New York Times reported.

Adoboli's sentence was two years longer than that of Jérôme Kerviel, the Société Générale rogue trader who was convicted of breach of trust, forgery and unauthorized use of computer systems. When his fictitious trades came crashing down five years ago, Société Générale lost an estimated $6.4 billion. But at least Adoboli wasn't ordered to pay back the money he lost, as Kerviel has been ordered to do.

That UBS was unable to detect Adoboli’s activities has led to ongoing investigations by the Financial Services Authority (FSA) and the Swiss Financial Market Supervisory Authority (FINMA). With the trial over, their reports will likely be published shortly, and I don’t think they will reflect well on the risk management controls at UBS, which have been under scrutiny for years (pdf).
