Beware of Un-updatable Devices

A hundred million IoT devices are open to hacking. It turns out there is a whole slew of flaws in four different basic TCP/IP implementations. Since many IoT devices don’t have auto-update capabililty, and many don’t have updatable firmware at all, all of these devices are simply waiting to be subverted by hackers.

In order news, a startup has produced an autonomous robot that drives around the farmer’s field all by itself, zapping what it considers weeds with lasers. What could possibly go wrong?

If you are deploying any IoT technology, consider carefully how the devices will be updated with new software. Parts of the IoT industry have a sell-and-forget mindset, and that will embed ticking timebombs in your infrastructure.

The Intern Did It!

The intern did it! Solarwinds’ new CEO just added another top contender to the pantheon of bad excuses. This one is right up there with “the dog ate my homework” and is destined to become an instant classic.

Testifying before a U.S. Congressional Committee, Solarwinds came out looking like bungling amateurs. First, they had a system that allowed a password like solarwinds123. Second, they had an externally accessible system where that password worked. Third, they didn’t do anything about it when security researchers pointed it out. Fourth, they try to pin the blame on an intern that created that password.

As a CIO, you can either isolate your public-facing systems completely from the internal ones, and allow username/password access. Or you can use two-factor authentication or other additional security. The time when you could secure a non-trivial, externally-facing system with just a username and password are long gone.

Beware of Data Collectors

The days of untrammelled data collection “for the common good” might be ending. At least the watchdogs are yapping a little louder, as a new court case in London shows. The British National Health Service apparently has a contract with secretive American data analyst company Palantir, and they are being sued by a private privacy watchdog.

I would probably not choose to name my company after the device with which the dark lord Sauron subverted the wizard Saruman. However, the Lord of the Rings reference is obviously lost on investors, who value Palanatir at around $50 billion even though they have yet to make money.

As a CIO, you need to know where your data goes. If you have third parties analyzing them, you need to have someone make an independent assessment of whether you can expect your data to be safe with them. You need to balance the reward against the reputational risk if you are found cooperating with shady operators.

Do You Know Where the Problems Are?

In Arizona, there are prisoners still behind bars who should have been released. The reason: The software that calculates their release date hasn’t implemented a 2019 law change. With this being just one of the 14,000 bugs (!) reported on the system, these people can potentially stay locked up for a long time yet. Officials claim there is no problem and their manual process flawlessly implements a complicated rule estimated to take 2,000 hours to program.

It is a leadership decision to decide what gets implemented first. And this one should be at the top of the list – right after the bug that means gang affiliation is not properly recorded, and members of warring gangs might end up in the same cell…

A desparate whistleblower finally went to a local radio station with this story after having been ignored internally for a year. As the CIO, do you have a method in place that ensures concerned programmers and users have a way to point out critical issues?

Missing AI Results

It turns out AI was not about to cure cancer. There was no shortage of hyperbole when IBM’s Watson AI beat the best humans at Jeopardy, but IBM has been unable to create a viable business from their AI prowess. Now their AI-powered health department is for sale if anybody wants a slightly used AI with one careful owner.

AI has proven its worth in many places, also in healthcare. But they have been narrow, well-defined areas like examining X-rays or flagging possibly fraudulent insurance claims. Just throwing a bunch of data scientists and an AI at a problem does not work.

If you have AI projects like Watson that has not delivered the results they promised, you can re-scope them try to harvest some value from solving a smaller and more well-defined problem. Or you can shut them down. The age of unquestioned spending on AI is over.

Use Real Intelligence Instead of the Artificial Kind

If you can leverage real user intelligence in your systems instead of the artificial kind, you get a better result with less effort. But it takes some intelligent thinking by your developers to get to that point.

The new Microsoft Edge (version 88) that rolls out soon has crowdsourced the difficult decision of which browser notifications to allow. Users are tired of constant “Allow this website to send you notifications?” prompts, but it didn’t work to just make all of them more unobtrusive. Microsoft tried that first with “quiet” notification requests, but that meant many users were missing out on the notifications they did want. Instead, the upcoming version will use the decisions by all Edge users to decide which notification requests to show. If everybody else has refused notifications from a specific website, the Edge infrastructure learns that and defaults to not show notification requests from that site.

Do you have ways to harvest the decisions your users are already making and use that data to improve your systems? Put your data scientists to work on the challenge of using human intelligence instead of continuing to try to train AIs.

Are you Releasing Sub-Standard Systems?

Out of a sample of 5,000 apps, 80% did not live up to a reasonable standard. Are you releasing sub-standard apps or systems?

A company the reviews healthcare apps for the UK National Health Service found many bad examples, including apps that provided complex medical advice without any expert backup, or apps without security updates for several years. They’ve been though 5,000 apps, but there are 370,000 health-themed apps out there.

As a CIO, look in your systems list for information about applicable regulation. For every system, you should see a list of what regulations (GDPR, CCPA, HIPAA etc.) apply to that system, and the name of the person who has certified that this list is complete. For every regulation, you should also see the name of the person who certify that the system complies. If you don’t have that information in your systems list, you are probably releasing sub-standard systems.

Which Snow do you Shovel?

Which snow should you shovel? We’ve just had a couple of inches of snow here in Denmark, which means that I will have to get out the snow shovel and clear the sidewalk. But I live on a small private road where the snowplough doesn’t go. Should I shovel the snow from the road as well? Should I clear the patio? There is always more snow I could shovel.

In any IT organization, there is an infinite amount of possible work. It is constantly snowing new tasks – security patches, new cloud services, new integrations, enhancement requests, bug reports. You can easily run out of space for more post-its on your Kanban board, but you will never run out of tasks. As Elton John sang in The Lion King: “There’s more to do than can ever be done.” As an IT leader, it is your job to decide what gets done. Do you have a policy for what gets done first? If you don’t, write one and distribute it to your team. That makes it easier for them to find and do the most important jobs first.

Hackers Almost Poisoned our Water Supply

What would be a truly scary computer intrusion? It would have to be something potentially lethal and something we weren’t expecting. Like hackers poisoning our water supply. But the water supply is highly secured, you say? Couldn’t happen, you say? Think again. It just did.

In a US city, hackers turned up the amount of sodium hydroxide that is added to the water. Adding a little is part of normal procedures, but the hackers turned it up to dangerous levels. Fortunately, operators immediately noticed, and countermanded the order.

Like in almost all disasters and near-disasters, there is a long chain of events that have to go wrong for the problem to occur. For example, you would have to be running an unsupported old Windows 7 installation. Check. You would need to keep remote access software running all the time. Check. You would need to have a widely shared common password. Check. You would need to have no firewall software in place. Check.

If you are a CIO, share the story of this almost-disaster. Security reviews are good, and would have caught most or all of these problems. But security awareness among users is better. Reminding people of the IT policy doesn’t work. But sharing a story of how it almost went wrong might change behavior.

Another Avoidable Disaster

Today’s totally avoidable IT disaster is found in the Slack app for Android. It turns out the app stored the user password in unencrypted plain text. That means that every other app on your phone had access to it, and it might now lurk in various log files on your device. Slack is red-facedly asking users to update their app and change their password.

This is an example of what happens when developers operate under tight deadlines and without adult supervision. Any competent IT development organization has code review procedures. If you are a large, high-profile organization that release apps to millions of user, any new release should have a separate security review performed by a security professional. But Slack insisted on letting their team operate without any guardrails. That means it was a matter of time before they ran off the track.

If you are a CIO, take a look at your systems list. For every non-trivial or externally facing system, there should be a link to the latest security review with a date and a name of a real person – outside the development team – who performed the security audit.