I read this article from The Register with mild interest:
“Medical Data Experiment goes horribly wrong: 950,000 records lost” – http://www.theregister.co.uk/2016/01/27/centene_loses_95000_medical_records_on_six_hard_disks/
Ok, so yet another ‘company loses personal data, warns as a precaution’ story. In this case, six hard disks apparently containing personal health information of around 950,000 people.
So my initial thought was something along the lines of “are people really misplacing whole hard disks still in 2016”?
Personally, I suspect it is more likely an accounting problem rather than a physical loss – they are probably labelled up wrong, or left in a drawer somewhere, or have been re-used and nobody noticed, that kind of thing. But it is interesting to look at the phraseology of two consecutive press releases from the company involved (no, I’m not quite sure why I looked them up either – but I did!).
On the data loss:
“Centene has determined the hard drives contained the personal health information of certain individuals who received laboratory services from 2009-2015 including name, address, date of birth, social security number, member ID number and health information. The hard drives do not include any financial or payment information. The total number of affected individuals is approximately 950,000.”
Fair play – they are admitting their mistake and attempting to do the right thing:
“Notification to affected individuals will include an offer of free credit and healthcare monitoring. Centene is in the process of reinforcing and reviewing its procedures related to managing its IT assets.”
Otherwise, without openness and honesty around such issues, how can lessons be learned?
But the following day, the next press release announces their financial results for the year:
“On January 25, 2016, the Company announced an ongoing comprehensive internal search for six hard drives that are unaccounted for in its inventory of approximately 26,000 information technology (IT) devices. This incident resulted from an employee not following established procedures on storing IT hardware. While we cannot estimate the impact with certainty at this time, the Company does not expect the impact of the incident to have a material effect on its future growth opportunities, financial position, cash flow or results of operations.”
Yes – they don’t expect 950,000 people’s personal health details going missing to affect their financial position now or in the future.
I guess that answers the question of why it is 2016 and companies still lose whole hard disks of personal information. If there is minimal financial impact, it is good business sense for them to keep their procedures at the minimum deemed necessary – that is just sensible business risk-management. In fact the whole ‘free credit and healthcare’ monitoring could be seen as a cost effective insurance policy against possible loss should it occur, compared to the costs of labour intensive, fault-free asset management to prevent any chance of loss up front.
These things will only change when the issue impacts the companies involved much more significantly, rather than just ending up a problem for the people whose data is lost.
In the UK, I guess we have the Information Commissioner’s Office guidelines for handling data and ability to set fines, but even this misses the point for me. A fine is after the fact and with so many charities and volunteer organisations (cough, Scout National database) storing personal details, a significant fine would end up burying an organisation and an insignificant fine is largely pointless. But either way the data will still be lost. So the answer to this one is really education – so to that end, the ICO Guide to Data Protection is great – but unless someone is actually auditing and proactively educating organisations, or perhaps more appropriately companies now selling online services to organisations, on these principles, I suspect we’ll keep seeing problems occurring.
As we see massive growth in companies providing online payment services (ParentPay, SchoolMoney, PaySchool and so on), information and content management (dbPrimary, Google for Education, etc), communications and mailing services (ParentMail, etc), biometric authentication (40% of secondary schools apparently), online learning, and so on to education and charities, more of our data ends up online regardless of the fact it might not be us putting it there! For a cash-strapped organisation, managing an offline and online database isn’t going to happen. You might not use their online system, but your data will be there as they’ll be using it themselves.
The school use of biometrics is particularly worrisome – many kids may have their biometrics compromised before they are even old enough to decide for themselves if they want to hand over their biometric signatures to any company.
Fundamentally, at present, all the risk from a company storing your data is on you, not them. Until that risk balance is addressed, I guess we will stay at the mercy of “bottom line (non-)impact” reporting. And whilst it is convenient and cost-saving for organisations to use more of these online services, our data will keep being stored who knows where and there is very little we can do to stop the tide of information uploading.
Short answer – don’t, use a bootable Linux distribution instead – really, I’m sure it will be less trouble!
Still, my laptop is Windows 7 and I have a cross-over Ethernet cable and from time to time I’d like to connect to something via a point to point Ethernet connection through my laptop using my laptop’s Wifi connection to the Internet – can that be done? Yes – sort of, as long as you don’t try to be too intelligent about it!
Windows 7 provides Internet Connection Sharing – in theory – when you have a lan and WiFi connection, simply right-click on the WiFi network, select properties and then the “share” tab. Once this is done, the TCP/IP properties for IPv4 on the Lan interface get changed to a static IP address – 192.168.137.1 in my case (I didn’t choose this, Windows did) – and anything connected over the Lan can request an IP address from the laptop using DHCP.
However, what is weird is that if you do ipconfig /all on the laptop, IP routing is shown as disabled and there is no evidence of a DHCP or routing service running on the laptop. Also, my Lan network always seems to come up as an Unidentified Network according to Windows no matter what I do.
So, my advice if you really want to use Windows 7 like this:
- Don’t attempt to configure IP routing by hand (as you’d think you’d have to) – following Internet tech articles to enable IP routing on Windows doesn’t seem to help.
- Don’t try to enable the “Routing and Remote Access” service – that doesn’t seem to help at all either.
- Don’t attempt to set up IP routes by hand – route print will show a basic routing table for both interfaces, but don’t attempt to do anything like tell the Lan interface that the default route should be via the WiFi interface or anything like that.
- Don’t attempt to set up a DHCP server by hand – using ICS, magic does seem to happen (I’ve seen the wireshark traces to prove it) even though there doesn’t seem to be any evidence of the laptop running a DHCP server.
- Don’t attempt to set the network type of the Lan interface to anything like Home or Work – once ICS is running, it doesn’t seem to matter that Windows thinks it is Unidentified.
- Don’t set a static IP address on the Lan interface yourself, just let Windows use what it wants to, and accept that the Lan interface will use 192.168.137.1 (or whatever else ICS chooses for you).
- Don’t attempt to turn the firewall off, configure special routes through it or otherwise fiddle with it at all! Like everything else in Windows, it keeps all that nasty, messy stuff about actually knowing what your firewall lets in and out nicely hidden away!
In short – if you need to share your Windows Internet connection then just let ICS do its stuff and hope the magic just works – don’t bother trying to do anything clever yourself, like trying to actually understand why it is working or not.
And if ICS doesn’t work for you, then you can try resetting TCP/IP, rebooting, disabling and re-enabling sharing, disabling and re-enabling adaptors. But if none of that gets it going again – then my advice is to get that bootable Linux distribution, because from what I’ve seen so far no one seems to expect you to be able to debug ICS! Certainly it doesn’t appear to be consistent or integrated with any of the TCP/IP tools Windows provides that actually let you see what is going on (although I’ve not ruled out some deep netsh magic – but my interest has waned now).
So I do have ICS working to share my WiFi across to my lan interface, but have:
- No evidence of running a DHCP server, although DHCP is working.
- No evidence of any firewall configuration updates, but packets are being let in and out.
- No evidence of IP routing being enabled but packets are being forwarded between networks.
- No questions asked about IP configuration for my “subnet” but a configuration has been set.
So it does all appear to work. For now. But how and why is opaque to me and I’ve given up trying to understand it with the tools I seem to have at my disposal.
Isn’t it great the progress we have made as a society when it comes to being able to purchase things like tickets for events, whenever we want to, online. Here is my most recent example, this evening, buying tickets for a very prominent London venue.
Sitting down in front of the TV – ah yes, really must book those tickets whilst I think about it and whilst there is still a chance of getting the seats I want. Grab tablet and logon.
Google search – venue website location. Search for event – yes, there it is, right – “buy tickets” yes please.
Ok – do I go for best available? I’ve met these websites before, finding good seats can be a pain – yes, “best available” please. 5 selected (adults, kids, one hanger on) – now what – ah yes, “add to basket”. Ah, 20 minutes to complete – fair enough.
Wait – those are the worst seats! Back – hmm. Number of tickets for the seats I wanted only goes up to 4. Select anyway to see if can change. Added to basket (19 minutes). Now have 9 seats …
Wait what is that – 2% booking fee? Sigh. Wait – and £2 per ticket? That’s taking the micky a bit … (18 minutes).
Remove from basket – back. Select four seats I want. Added to basket (17 minutes). Good. Back, add one more. Sigh – now have four in a row and 1 odd one elsewhere in the building (16 minutes). Where’s the seating plan? No – doesn’t actually give me seat numbers, or sector letters … Remove from basket and try again (15 minutes).
Select number of seats first this time – 5, good. Now select type of seat I want, yes, seems to work. Add to basket – yes, 5 seats – now we’re making progress. (14 minutes). Still not sure where they are though – Google for seating plan – ah yes, no numbers but that area will do. Right checkout. (13 minutes).
Please register or login? Sigh. Sure I’ve used them before – guess probable email address/password – no go. Ok (12 minutes). Register again then. Name, postcode, email (typing on the tablet – wish I’d used the computer). (11 minutes). Submit.
Ah, email address already used – so I guessed that right at least then. Try to login with different password (10 minutes). No. Do I go for another try? No. Sigh. “Request password”. Now really do have to go to computer to read email. (9 minutes).
Ah a password reset link to click – at least they do the security right. Click on link. Select new password. (8 minutes).
Didn’t associate my shopping basket from the tablet though, so back to tablet. (7 minutes). Login properly this time – good. No, I don’t want your email newsletter. (6 minutes). Stage 1 of 4 …
Click through confirm selection … yes, address details right … wait – what are those collection options? (5 minutes). Why do I care if it’s franked or not? Do they cost differently? Don’t think so. (4 minutes). Ok, just post them please. On to step 3. Right – ah of course, need to actually go and get my credit card. (3 minutes).
(2 minutes) Type in credit card. Verification. Name. (1 minute). Off to verified by visa … right. Done.
Ah, finally is that it? Yes, step 4 – receipt. Good job I typed the credit card details in correctly!
Was that really only 20 minutes? Was I buying tickets or taking part in some bizarre version of the Krypton Factor?
Still that’s progress – I was able to just do it at my convenience from home, even if I couldn’t choose my exact seats … but maybe they really should have allowed half an hour!
Do you get fed up with today’s “the bonnet is welded shut” mentality to consumer electronics? I do.
Part of the issue is that the drive for compactness is making the designs optimised for size rather than maintenance – so you get circuit boards shaped and interleaved around larger components, small ribbon connectors and carefully routed cables and so on. You also find that you need to know the exact order in which to unscrew things and pop them apart, and then work out if something is fixed by a clip, glue, screw or something else.
But it doesn’t need to be as hard as it is. There is also an annoying trend for hidden screws (often behind rubber feet or blanking panels that pop or stick on/off), speciality screws and one-way plastic fixings which makes the whole thing a lot more complicated than it needs to be.
But there is some hope. The excellent site ifixit.com has a massive range of guides for many popular consumer electronic devices. It is practically the Haynes manual for electronics. Haynes themselves do have some computer related manuals, and a wide range of novelty manuals (sold ‘for kids’ – but they don’t say how big or small the kids have to be) – including Bob the Builder, Thomas the Tank Engine, the Millennium Falcon, Thunderbirds and a few others.
But the nice thing about the ifixit.com website is the community around it – you can see comments from fellow fixers and see how many people have rated and attempted the fix. It also lists the tools you need, and if you don’t have any you can help support the site by buying tools through them. You can also buy spare parts.
So, with a slight twist of irony, whilst my car is wide open to home mechanics, I’ve long since got fed up with getting my hands dirty, and seeing what look like simple steps in a Haynes manual, which are performed on pristine, clean, non-rusted-up parts, turn into hours of frustration and finding out I’ve not got the right replacement washer or something. So today, I rely on a local, small garage round the corner and pay for their expertise and collection of tools and parts.
However with consumer electronics, I have most of the tools, already have the ‘well if it’s broken anyway I have nothing to lose’ mentality and enough of a background in basic electronics and computers to challenge the consumer electronics industry attempts at stopping me having a go. And the parts are rarely rusted shut or covered in oil (the odd exception being something whose last moments might have been spent left in a rainy sandpit! That tends to be fairly terminal). With a little dust to clear here and there and some basic static precautions I’m quite ready to have a go. In fact the most risky part is keeping the kids away from the carefully laid out screws and fittings as the thing comes apart – especially if something has to be taken apart and then left until a new part is sourced and delivered from some speciality online store or ebay.
And so, courtesy of a new drive from ebay, a tri-wing screwdriver, a range of small phillips screwdrivers, the ifixit.com guide for replacing the drive on a Wii, and some peace and quiet from the kids, we have a functioning Wii again and can now try out some of the new games the kids got for Christmas.
It’s not as hard as you might think but naturally you will void warranties and everything is done at your own risk – but as I said, if it’s broken, you can either pay for repair (cash for someone else’s time), just buy a new one (what a waste) or at least see how complicated it will be to have a go yourself.
Sometimes it seems like everything has to be ‘just in time’ or ‘on demand’.
Businesses don’t want to keep stock longer than they have to, so want to go for ‘just in time’ delivery to still deliver products ‘on demand’. Food is getting faster, but we want more choice ‘on demand’. Television is going ‘on demand’. We use our Internet bandwidth to send us a personalised schedule of programmes to watch when with a little planning and upfront preparation we could just catch it as it streams through the air. It is (currently at least) broadcast through the airwaves regardless of if we watch it or not – doesn’t it seem a little wasteful to then get it downloaded digitally using power, bandwidth, energy on a person-by-person basis?
But then that is kind of the point – people don’t do ‘up front’ anything anymore really. We like our cars, partly because we don’t have to attempt to plan a journey up front. In fact have you tried to negotiate your way around the complex mess that is the British rail system? Fine if you want to go somewhere on the same line as your town – but just try to even work out what lines you might need to get somewhere else – it’s very hard work. And forget attempting to browse to see if a short car or bus journey will take you cross country to a line that gets you somewhere more direct. No, for the most part the ‘system’ will suggest a 60 mile trip into a major city to change trains to bring you back those 60 miles, but passing within 10 of your original starting point.
There is the promise of a future integrated transport system. Or intelligent transport. Or smart cities and towns and smart cars (and I don’t mean those quirky cars branded ‘smart’ – I mean cars that talk to each other and the road network). There is the promise of an intelligent alarm clock that will know that your train is delayed by 10 minutes and so let you have an extra 10 minutes in bed, telling the coffee machine and water heater for the shower to adjust their timings accordingly.
There is the idea of fully intelligent and integrated transport systems, where buses, trains and road congestion are managed such that people pass through the system as efficiently as packets traversing computer networks. Of course, when timetables are planned by computers down to the minute, what happens when a key dependent node is delayed by a minute and a half?
We talk of intelligent software agents that will know what you like to read and collect and order the day’s news for you, so your time is spent only on the things it has worked out you think are important.
So in order to have a ‘just in time’ and ‘on demand’ society, something is scheduling, planning and organising everything to a high precision at an ever increasing macro level. It just won’t be people. People are forgetting how to plan.
Or at least how to plan for themselves. We hire ‘services’ to plan parties, weddings, meals, events. We use ‘on demand’ media to stop worrying about reading TV schedules in advance. We use ‘on demand’ films to not consider if we will watch a DVD enough to warrant purchasing a disk outright. We use online shopping when we decide we need to (or want to) to not bother planning a trip to the shops.
And much of our social communication is becoming ‘on demand’ too. In an era of mobile phones, there is much more ‘last minute’ decision making. Don’t know where to meet up? Txt when you arrive. Not sure where to eat? Use location based services to find a restaurant near your current location. Want an impromptu coffee? Just pop it up on Facebook and see if anyone turns up.
And messaging is going this way too. In times of (practically for many) limitless text messages, why bother thinking too hard about what you might need to say. One-word, non-thinking, ‘it’ll do’ answers are the norm. Take communicating with your teenager these days.
The ‘thinking ahead’ conversation:
- “Are you out tonight?”
- “Yes. Can I have a lift back? I’ll be at xyz and finished around 10pm”.
The actual conversation (each taking up a txt message):
- “Are you out tonight?”
- “How are you getting home?”
- “Can I have a lift?”
- “Where are you?”
- “What time will you be finished?”
Ok – actually, I lie – this is just teenagers and has been since time eternal. I remember responding in exactly the same way myself to my parents. The difference is each prompt and sentence costs another text.
Thinking ahead? Who needs it. Messaging and communications bandwidth are plentiful.
I’ve always been slightly annoyed with ‘secret questions’ that aren’t secret, and consequently have for ages always made up an answer and, if it’s been for a website I’m going to want to use again (rather than one of those annoying websites that force you to register just to become a one-off customer of theirs), will keep a record of my answer somewhere.
Well I had classic confirmation of what a waste of time such things can be today. I had an online account with a large retailer that wanted to know my favourite colour. So I found something suitably obscure – at the end of the day there are plenty to choose from!
Now I can understand why the use of a second shared ‘secret’ (as long as it really is a secret) might be useful in an online system where you need some kind of assurance that the remote person is who they say they are. But in this case, my wife was in the store doing something and they needed the answer to the secret question. Of course, she didn’t even know the question let alone my obscure answer.
Now normally, she would probably have rung me to see if I knew or could find out, but in this case the store assistant said ‘never mind, let’s try some’ … and typed in ‘red’, ‘blue’, and so on. Then he said, oh, I’m not sure what other colours to try … so he rang their main office and explained that a customer was in store wanting to change something, but couldn’t remember her secret question answer … and then they asked to talk to her and asked for some personal details (date of birth, address, that kind of thing) and then promptly told her the answer to the question!
So, first of all, for the in-store situation, it just shows that it was totally unnecessary to need the secret question at all – she was there, with account numbers, physical artifacts, personal knowledge, a store loyalty card – they really didn’t need anything else to know who she was – as evidenced by the fact that they were quite happy with all this information in order to disclose the secret answer!
And secondly, if the secret question is to be of any use, then they really can’t just put customer service over security and give it out to anyone who happens to be in the store, confident, annoyed with their systems and who happens to be armed with enough of someone’s personal information to sound convincing!
So – in summary, security is fine, but not at the expense of customer usability. However, if customer usability just blows holes in any security defenses, and no one seems to mind, then someone should really be asking some serious questions about the need for such security in the first place! Also, while I’m at it, this also shows that something that can be secure enough in one context (e.g. online transactions) can be totally pointless in a different context (i.e. when the same system is used ‘in person’).
I suppose I also should point out that a security question that a huge majority will answer with, I assume, something like one of only twenty odd values is also a bit meaningless. So in future, when asked for your favourite colour for a security question – I recommend getting a little more inventive. Just don’t forget to make a note of it somewhere!
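The arithmetic behind that last point, as an added example that is not part of the original post: it measures how far a limited number of tries gets against a favourite-colour answer, and compares that with a made-up random answer. The answer counts are constructed for illustration (not survey data) and the function names are this example's own.

```python
from fractions import Fraction
from math import log2

# Constructed sample: answers from 1,000 hypothetical customers, 20 distinct values.
COLOUR_COUNTS = {
    "blue": 290, "red": 160, "green": 130, "purple": 110, "pink": 70,
    "black": 60, "yellow": 40, "orange": 35, "white": 25, "grey": 20,
    "brown": 15, "turquoise": 10, "gold": 8, "silver": 7, "maroon": 5,
    "navy": 5, "teal": 4, "lilac": 3, "cyan": 2, "magenta": 1,
}


def ranked(counts):
    """Answer frequencies as exact fractions, most popular first."""
    total = sum(counts.values())
    return [Fraction(n, total) for n in sorted(counts.values(), reverse=True)]


def success_within(counts, attempts):
    """Share of accounts whose answer is among the `attempts` most common values.

    This is the figure an attempt limit has to be judged against: it is the
    best anyone can do with that many tries per account.
    """
    return sum(ranked(counts)[:attempts], Fraction(0))


def guesses_needed(counts, target):
    """Smallest number of tries that covers at least `target` of all accounts."""
    covered = Fraction(0)
    for tries, share in enumerate(ranked(counts), start=1):
        covered += share
        if covered >= target:
            return tries
    return None  # only reached if target > 1


def min_entropy_bits(counts):
    """Min-entropy: determined by the single most popular answer."""
    return -log2(float(ranked(counts)[0]))


def random_answer_success(bits, attempts):
    """Same measure for an invented answer drawn uniformly from 2**bits values."""
    return min(Fraction(attempts, 2 ** bits), Fraction(1))


def compare(attempts=3):
    """Skewed real-world-style answers vs. 20 equally likely vs. a random answer."""
    uniform = dict.fromkeys(COLOUR_COUNTS, 1)
    return {
        "skewed_success": success_within(COLOUR_COUNTS, attempts),
        "skewed_bits": round(min_entropy_bits(COLOUR_COUNTS), 2),
        "uniform20_success": success_within(uniform, attempts),
        "uniform20_bits": round(min_entropy_bits(uniform), 2),
        "random64_success": random_answer_success(64, attempts),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        shown = float(value) if isinstance(value, Fraction) else value
        print(f"{name:18} {shown}")
    print("tries to cover half of all accounts:",
          guesses_needed(COLOUR_COUNTS, Fraction(1, 2)))
```

With these constructed counts, three tries cover more than half of all accounts, which is why an attempt limit alone does not rescue a question with a small, skewed answer space.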
I’ve just been prompted to update iTunes and have been asked to accept the new terms and conditions. Ok I thought, probably need to scan them to see what Apple want me to sign away …
Then I scrolled to the bottom where it joyfully tells me this is page 1 of 34. Yes, 34 …
So, like every other page of terms and conditions I’ve ever read, I click “I agree” … Several times, knowing full well I have no idea what they say and have no intention of agreeing to them at all. Does our shrink wrapped licensed world really encourage such a blasé attitude to supposedly contractual arrangements? Yes, I’m afraid it does. And it will continue to do so whilst companies expect to produce terms and conditions designed to hide their intentions.
In fact I would suggest that Apple deliberately present more pages than anyone will read precisely knowing that they can say what they like.
It would be nice if a company was honest and presented sensible terms in a readable way so someone could honestly agree to them. In fact wouldn’t it be nice to have negotiable terms – so it’s not all or nothing, but actually a mutually beneficial arrangement, where you willingly, rather than grudgingly, give up data to benefit them in return for a benefit yourself.
Maybe one day we will see trusted brokering of personal data, but I suspect most will continue to ignore the control they could have over their data, and companies will continue to rely on deception, because that is what 34 pages of terms really is, to claim everything from your content to your whereabouts to your social graph to your interest graph.
A free service Internet only seems possible whilst this one-way, parasitic relationship with our information exists. Sigh.
Yes, you read that right. That is what came home on the top of a school letter this week. What do you think that might be? What’s wrong with “Parent Evening”? Why start inventing new pretentious terminology? That’s one for the Plain English Campaign if ever I saw one!
Well, I might be a bit busy that evening, as I have to:
- Create a culinary, early evening nutritional experience (make the tea)
- Ensure that extra-curricular learning enhancements are being achieved (make the kids do their homework)
- Partake in mind expanding information gathering (browsing the Internet)
- Have some immersive, competitive, electronic stimulation (play some computer games)
- Perform some social voyeurism and expand my social horizons (read Facebook)
- Encourage wind-down, induce a relaxed-mind state and create an environment for visual stimuli and body recharging (read bedtime stories and get the kids to bed)
- And then finally perform some passive media-rich information absorption (watch some telly)
If you are a local authority and the government has just told you that you have to provide free swimming for under 16s, then what do you do?
Well, if my local authority is anything to go by, you introduce so called ‘Family Friendly Swimming’ Sessions at all the times when children are likely to take advantage of the free swimming sessions, stating that children are not allowed in without an adult! Excuse me, did you say ‘family friendly’? So I now have to accompany any child under 16?
Result? Probably less children swimming than before, as now, all those families that permitted their children to go swimming on their own (let’s face it, there are more times in the day when the kids can go without parents than with), can no longer do that. Result? Probably less children swimming.
So a big thank you to the local authority for taking the spirit of the government’s scheme and turning it on its head. Sigh.
(Been a while since I’ve had a moan)