Risk Factor

FAA: Bad Parts A Growing Problem - Will Software Be Next?


The US Department of Transportation's Inspector General released its audit of the Federal Aviation Administration (FAA) oversight of aircraft manufacturers' quality assurance systems for both domestic and foreign suppliers. The audit found that the FAA's risk-based oversight system "does not ensure that manufacturers regularly audit their suppliers," nor does the FAA "perform enough audits of manufacturers' suppliers (i.e., supplier control audits) to test how well manufacturers' quality assurance systems are working."

As a result, substandard processes are being used by some parts suppliers (e.g., at one supplier, "an employee used a piece of paper, scotch-taped to the work surface, as a measuring device for a length of wire on an oil and fuel pressure transmitter") thereby allowing for "substandard parts to enter the aviation supply chain."

The FAA, however, claims that, "There are absolutely no imminent safety issues raised by the report."

If this is true, then I guess the DOT Inspector General is overly worried, correct?

The report made me curious about software-related supply chain issues, but the audit wasn't very forthcoming in this regard. It said that, "In conducting these audits, FAA inspectors review the suppliers' organizational management structure, procedures for product design control, software quality assurance, manufacturing processes, manufacturing controls (including calibration), and supplier control (how well the suppliers oversee the vendors that supply parts to them)."

There is no other mention of software in the report, such as how good these software quality assurance processes are.

For those of you in the business who know - a question. How much, if any, is legacy commercial aircraft system software outsourced to and maintained by third-party suppliers? And if it is, are the risks the same, less or more than what is being found with aircraft parts maintenance that is outsourced?

Google's Personal Health Record Plans Unveiled


Yesterday, Google formally announced its plans for creating a personal health record (PHR) service at the Healthcare Information & Management Systems Society conference in Orlando. Google's announcement was three days after Microsoft announced at the same conference a $3 million initiative "designed to empower providers with targeted funding to stimulate the research and development of online tools that improve health" in support of its four-month-old HealthVault PHR offering. Both companies say their objective is "to put you in control of your health information."

Google is currently piloting its system at the Cleveland Clinic, and hopes to have a commercial offering later this year.

Both Microsoft and Google have come under pressure about how secure their PHR systems will be as well as how patient information will be used. For instance, this week the World Privacy Forum (WPF) issued a report and a consumer advisory warning of the risks that PHRs pose.

As the advisory notes, "Consumers need to know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting... Few consumers understand that their health care files are not always protected under HIPAA (Health Insurance Portability and Accountability Act of 1996) when their files are in a PHR."

Neither Google nor Microsoft is covered by HIPAA regulations, and so both have been very publicly seeking to reassure potential users that their information will be secure and private. However, as the WPF says, I would be very wary of using any PHR service that is not HIPAA compliant (and has been thoroughly and independently audited to show that it is). HIPAA doesn't provide much protection (only 4 people have been criminally convicted of HIPAA violations in the past five years that I know of), but it is better than nothing.

The other problem is how the PHR information is going to be used. Microsoft places medical company advertisements on its HealthVault site but says it won't use any of your health record information unless you give permission. Google says it doesn't plan to advertise right now or use the information either, which makes one wonder how it plans to make money on its service.

I believe that it is only a matter of time before Microsoft and Google, as well as other PHR service providers, start agitating for access to their users' personal health information, though. Right now pharmaceutical companies very profitably data mine doctors' drug prescription information to up-sell them individually, and medical researchers are clamoring to get access to all patient data that a national electronic health record system would create. There is gold in them there records.

I give it a better than a 70-30 chance that Microsoft, Google and other PHR companies quietly lobby members of Congress to allow them legal "peeks" at patient information for "research" purposes within the next five years - if they aren't doing so already.

Ethics 101 for Robots


Government Computer News had a nice little story on the ethics of robot warriors a short time ago. It talked about the work of Georgia Institute of Technology's Mobile Robot Laboratory professor Ronald Arkin and his attempts to define algorithms to define ethical behavior in machines that can follow norms like the Geneva Convention. This is from the abstract of his paper Governing Lethal Behavior: Embedding Ethics in a Hybrid Deliberative/Reactive Robot:

"This article provides the basis, motivation, theory, and design recommendations for the implementation of an ethical control and reasoning system potentially suitable for constraining lethal actions in an autonomous robotic system so that they fall within the bounds prescribed by the Laws of War and Rules of Engagement."

Dr. Arkin's 117-page paper is a bit much to digest in one sitting, but I have taken a quick read and find it interesting in its approach and very thorough, at least from my perspective. In an AFP news story, Dr. Arkin is quoted last month as saying, "Robotics systems may have the potential to out-perform humans from a perspective of the laws of war and the rules of engagement," since with robots "there are no emotions that can cloud judgment, such as anger."

Arkin's work has direct relevance to another robot story in this week's London Telegraph and the aforementioned AFP story about University of Sheffield's Department of Computer Science professor Noel Sharkey's belief that the major powers are "sleepwalking" into an international robot arms race, and his prediction "that it is only a matter of time before robots become a standard terrorist weapon, replacing suicide bombers."

This latter theme was reiterated by others at the UK robotics conference titled The Ethics of Autonomous Military Systems where Sharkey spoke. For instance, UK Rear Adm. Chris Parry spoke about terrorists using remotely piloted planes as weapons, such as Hezbollah's use of pilotless aircraft against Israel in 2006.

BTW, I wrote some about the US military's planned use of UAVs for warfare in an article in the November 2007 issue of Spectrum. As I wrote, "Back in 2001, Congress mandated, as part of the National Defense Authorization Act, that by 2010, one-third of the operating deep-strike aircraft of the Armed Forces are unmanned, and by 2015, one-third of the operational ground combat vehicles are unmanned." Currently, there are approximately 4,000 robots and 1,000 UAVs of varying types being used in Iraq and Afghanistan by US forces.

Terrorist Watch List Grows and Grows


Senior Associate Editor Sam Moore pointed me to an American Civil Liberties Union (ACLU) claim that the US terrorist watch list now exceeds 900,000 if it has continued to grow at a rate of about 20,000 names per month as it has since its start. The ACLU has launched a new watch list "counter" showing the number of new names supposedly added each day to the list, as well as a number of well-known people who have been put on the list.

The Department of Homeland Security (DHS) has said in the past that records or names don't correlate one to one to actual people, but won't say how many people are on the list. Even cutting the number of records by 75% still leaves a couple hundred thousand folks on this list, and getting off after getting on is not easy.

It would be interesting to see how many foreign student pilots are on this list. The reason I ask is that on this evening's ABC World News, there was a special report that claims that thousands of foreign citizens have been able to illegally enroll and obtain pilot licenses from U.S. flight schools. One former Federal Aviation Administration (FAA) inspector found that in 2005 alone there were over 8,000 foreign students "in the FAA database who got their pilot licenses without ever being approved by the Transportation Security Administration," as required by law.

The DHS in response to the report claims that "it conducts security threat assessments 'on all non-U.S. citizens seeking flight training,' " and that "We have a high degree of confidence that our layered security measures, both seen and unseen, have raised the level of security in our aviation sector."

If you say so.

Never Too Young to Protect Your Identity


The US Internal Revenue Service (IRS) recently warned a seven-year-old boy from the northwestern Chicago suburb of Carpentersville that he owed back taxes on $60,000 of income and unemployment benefits.

This happened when the mother tried to claim the boy as a dependent on her 2007 income tax return, but the IRS told the mother that her son's Social Security number was being used by someone else.

Turns out someone had stolen the boy's identity shortly after his birth to obtain a truck, three separate jobs, gas and electrical service for his home, a credit card, unemployment benefits and more than $60,000 in pay and services. The police have identified a suspect.

There is no word on what the IRS plans to do now, but I bet it takes months for the mother to straighten out the mess with them, the credit card companies, the credit rating agencies and the Social Security Administration.

Taxes and Software Don't Mix


In a story reminiscent of another I wrote about a few months back, a software error caused a $250,000 shortfall in tax revenue collected last year from property owners in Kootenai County, Idaho.

According to the press report, the problem occurred after properties were assessed but before tax bills were issued. This meant that the tax bills reflected a tax value lower than the assessments, which had been updated, should have reflected.

County officials say they hope to make amends to cities and schools; however, there is no legal option for asking taxpayers to make up the difference.

Executives Punish Themselves for Software Problems


It was reported last week that four top executives of Tokyo's Stock Exchange (TSE) including board chairman Taizo Nishimuro would slash their own pay 10 percent after a computer problem disrupted trading from the 8th until the 12th of February.

Although the fault's responsibility lay with Fujitsu Ltd., which developed the system, the TSE said that its "responsibility as a market operator and administrator is also significant in terms of failure to construct an organisational structure that gives top priority to ensuring the functioning of the market."

In November of 2005, the TSE suspended trading in all shares for the first time ever in an embarrassing software glitch that brought stock dealing to a standstill for nearly a day. TSE management promised to fix the problem, but it obviously did not.

Yet, it would be nice to see other executives take responsibility for their organization's software problems and slash their pay 10% for a month. Maybe senior management at the LA Unified School District, for instance, or at the many others I have blogged about over the past few months will decide to emulate TSE executives' acceptance of ultimate responsibility for the operations of their IT systems.

Naw - it will never happen. But wouldn't it be fun to ask them, "Why not?"

DC Tax Scam Longer and Bigger Than Thought

The Washington Post reported last week that the District of Columbia's tax scam now looks like it started 20 years ago, instead of seventeen years, which changed from nine years last, which itself was an update from seven years which was in turn a revision of the three year time frame first thought.

It also looks like upwards of $50 million was stolen, as opposed to the $31 million that most recently was believed to be stolen (which was revised up from the $25 million or so thought lost, which was itself revised up from the $16 million initially said to be scammed).

The perpetrators charged in the scam (DC tax office employees) appeared to have figured out a way to manipulate paper-based tax records starting in at least 1989 to cut themselves bogus tax refund checks, and then hide the records from the tax office's automated tracking systems and auditors.

The Post says that some 40 people (who have not yet been charged) are now being investigated to see if they received or benefited from any of the ill-gotten gains.

LAUSD Tax Mess


Filling out tax forms is a pain, but for many of the poor souls who are employees of the LA Unified School District (LAUSD) it is a nightmare. As I noted a while ago, the LAUSD payroll fiasco is now (predictably) causing income tax filing problems.

The LA Daily News is reporting that at least 3,400 incorrect W-2 tax forms (i.e., tax forms that state the amount of income you earned, taxes paid, etc., for those of you who are not from the US) were mailed out to employees as a direct result of the payroll mess, despite the fact that the LAUSD management had promised last December that since the payroll system was now "fixed," information that its employees needed to file their taxes would be up-to-date and correct.

One of the problems surfacing is that for many employees their December 2007 pay-stub - which should show the total year-to-date income earned and taxes paid and which LAUSD had also assured would be correct - is not matching up with the W-2's they have received (normally they should be identical).

LAUSD management is now saying that the W-2's are correct, and that any mis-matching pay-stubs are wrong.

This is a neat way for management to "solve" the problem, don't you think, especially when (a) in December they said the end of year pay-stubs were correct (even though many teachers then were saying they weren't), and (b) they also admit some 3,400 other W-2s have been shown to be in fact wrong?

Needless to say, LAUSD teachers and other employees are a bit perplexed, miffed and worried over exactly what they owe the state and the federal government. As one teacher noted, " 'I am trying to work backwards now to see if this W2 is correct. If I can't understand my pay stub, how can I figure out if my W2 is right?' "

Good question. Glad I don't have to figure it out.

IT Security Gets a Double Whack

In today's New York Times, there is a story about how a group led by Princeton University security researcher Edward Felten has found a rather simple way to access information on encrypted devices: freeze the device's memory chip.

As the Times reported, Felten wrote on his blog that, "Interestingly, if you cool the DRAM chips, for example by spraying inverted cans of 'canned air' dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50 °C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data. Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power. Just put the chips back into a machine and you can read out their contents."

You can go to the group's website for a technical paper and the blog for discussions about the limitations of the technique.

Also today in ComputerWorld, there is a story about two researchers, David Hulton and Steve Muller, who claim they have found an expensive way to break the encryption on GSM phones, allowing calls to be easily listened to. They claim that by using about $1,000 worth of field-programmable gate array-aided computer equipment and a frequency scanner, they can crack a GSM phone's security in about 30 minutes. Spend $100,000, and you can crack it in 30 seconds is the claim.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City