Not-so-smart Homes

Facepalm X 2Or why you should buy products that support an open architecture. Smart homes will turn dumb overnight as Charter kills security service. The end of service date is February 5th, so you have a little more than 2 weeks, if you’re a customer, to find an alternative.

Charter is also known as Spectrum cable.

The impending shutdown and customers’ anger at Charter—a cable company also known by the brand name “Spectrum”—has been widely reported over the past month. Over the years, some customers have spent large sums on products that will no longer work.

Refunds? Don’t expect any.

So open standards… Charter uses Zigbee communication. Why doesn’t that count as open? Why not connect Charter devices to another Zigbee hub? Turns out, Zigbee isn’t as open as one might think.

Why can’t Charter customers connect their security devices to a Zigbee-enabled smart-home hub or use them with another alarm-monitoring service that supports Zigbee? One user on DSLReports pointed out that years ago, Spectrum devices “were firmware coded to prevent them from being seen and usable within the normal universe of Zigbee devices.” But could Charter issue a software update that lets these products work with other Zigbee systems?

We haven’t gotten a definitive answer, but it seems that a Zigbee hub alone isn’t enough to ensure that Charter’s security products work with alarm-monitoring systems offered by other vendors.

This isn’t just a Charter/Spectrum issue; it is part and parcel of a lot of Zigbee infrastructure. The Zigbee Alliance (the standard-setting body) has a “new initiative” called the All Hubs Initiative to solve what is an outstanding problem.

[Ars IT Editor Sean] Gallagher also noted that “Zigbee is famously nonstandard as a standard.”

So these companies get to advertise that they are using an open standard, and get all the monopolistic benefits of having proprietary design. I keep hearing the phrase Caveat Emptor in the back of my head while typing this. Oh, and don’t believe the marketing hype. Ever.

Anita Dam, Montana: An Infrastructure Failure Near Miss

So what happens when engineers get it wrong? Bad things can happen.

Usually we think of failing infrastructure as being old, and poorly maintained. But that isn’t the only kind of failure. Case Study: Anita Dam (Montana, 1997). The photos tab on that page is particularly interesting.

The Anita Dam in Montana was built in 1996. It failed in the spring of 1997 mostly because it hadn’t included lessons learned from other dams that had been published in the 1980s. It is 36-ft high and impounds 979,384 cubic meters of water.

Anita Dam is (was?) an earthen embankment dam. It was built to provide water storage and control flooding. (It is currently listed in at least one place as a concrete gravity dam, but photos and video seem to show it is still mostly an earthen dam.)

For a more detailed view of the incident, refer to A Review of the Anita Dam Incident: Internal Erosion Caused by a Buried Conduit and Lessons Learned.

Conduits are one of the very common parts of embankment dams and almost any kind of hydraulic structures. Primarily, conduits convey the water from the reservoir in a controlled manner for various purposes, such as releasing water to meet the downstream requirements

The conduit was supplied with anti-seepage collars, but included no filters. The conduit also didn’t have a continuous support cradle. This resulted in the spring of 1997 of something called piping. Water flowed through the conduit, but also began to flow around the outside of the conduit causing rapid erosion. And increasing the amount of water released downstream. The entire reservoir was emptied in 4 days.

The statistics show that 28% to 46% of dam failures were caused by piping.

Though in this case the dam itself didn’t collapse, it had to be extensively rebuilt to correct the problems that caused this incident. No life was lost, but there was some downstream damage due to the rate of water flow.

What follows is a 2-minute video about the current management of the dam. In the spring of 1997, they didn’t even have an emergency management plan for the dam. (What could go wrong? It is brand new!) And yes, like most things produced by the .gov, that video is fairly self-serving. “See what great things we are doing for the American family!” At lest they are doing something, which seems to be more than they were doing in 1997.

Electronics Form Part of Your Infrastructure

And anyone who purchased a smartphone in the past 5 years knows that technology isn’t cheap. Public safety committee considering new Hawkins Co. emergency communication equipment after major malfunctions.

As Miller explained, Hawkins Co.’s radio communication equipment, which is used by law enforcement, EMS and fire departments within the county, has been malfunctioning off and on since the beginning of November and has been completely offline since Dec. 18.

Nothing lasts forever, and that includes electronic communications gear. In this case, however, while they talk about recent outages, it isn’t clear that the radio system deployed ever really lived up to what the county needed.

Areas around Clinch and Slate Hill had poor to no service even when the communication was properly functioning.

Replacing the radio system will cost hundreds of thousands of dollars.

When you call 911 for a crime situation, you are counting on police to come and save your ass, but if officers can’t communicate with each other, or the 911 dispatch center, there are so many more opportunities for things to go wrong. They will move slow, and they may not have all the messages you’ve given the dispatcher. You don’t have to imagine all the ways that can go bad, all you have to do is read the news.

Doctor’s Ignore Security, Expose Patient Data

I’m shocked that doctors refuse to listen to anyone. A billion medical images are exposed online, as doctors ignore warnings. Okay, I’m not that shocked.

It isn’t just the 35 million patients and the images of X-rays, ultrasounds and CT scans. Patient info is also exposed.

These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient’s name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient’s Social Security number to identify patients in these systems.

Privacy is such a 20th Century concept. And the issue has been seriously ignored by the medical profession, because doing something would involve money, and listening to someone who is not an MD.

About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.

Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors’ offices to the problem, many have ignored their warnings and continue to expose their patients’ private health information.

You mean we can’t just keep doing things the way we’ve always done them?

The I-35W Bridge Collapse in 2007

If I’m going to have a series on infrastructure fails, it has to include one that was in the news for weeks or months. Lessons learned from the 35W bridge collapse. In case you were sleeping in the summer of 2007, this happened in Minneapolis.

Why did the bridge collapse? The short answer comes in 2 parts.

  • Parts of the bridge were under-designed. (But it had stood for 50 years as built.)
  • Construction crews getting ready to do work on the bridge placed some of their equipment and supplies on the bridge, exceeding the design-load by a factor of 4

And the only reason they could overload the bridge like that, was because there was no communication with anyone about known problems. So let’s review…

On August 1, 2007, at 6:01 PM, right during rush hour, a span of I-35 through Minneapolis collapsed. 13 people died, and 145 were injured.

I remember reading at the time that bridge inspectors in Minneapolis were constantly harassed by the driving public. Because “Why are you blocking lanes of traffic to inspect the bridge? There is obviously nothing wrong with it.” I wonder if any of the people who died, harassed any of the inspectors. Probably not. (There isn’t that much Justice in the universe.)

“We knew early on that this was a design error,” said Dorgan. “One of our people put it best — in the days after I-35 with the terrible event that happened, that something good has to come out of this. And I think people proceeded on that basis with, let’s take a look at everything we do and see where we can improve.”

The National Transportation Safety Board ruled that the 35W bridge collapsed because of under-designed gusset plates. But it also pointed to contributing factors, like too much weight from construction materials on the bridge.

Tyler Ley is a professor at Oklahoma State University, and he has a video on the collapse, which is short, at just over 8 minutes, and to the point.

The gusset plates were undersized by about a factor of 2. The gusset plate that failed was showing signs of deformation, or bending, which is an early indication of failure. And a construction crew parked a bunch of weight on the bridge. How much construction materials and vehicles? Estimates are that 580,000 pounds were placed in a 12ft by 115ft section of the bridge. That is 4 times the design load of the bridge. Of course it failed.

Everything needs repair. Everything needs maintenance.

This bridge failed at a place that was KNOWN to be a problem. When a structure starts to bend it is LITERALLY starting to fail. The construction crew overloaded the bridge in that exact spot, because no one reviewed what they were going to do, or at least no one with knowledge of the identified problems. (The bridge had been listed as “structurally deficient” for a long time.)

Breakdowns in communication have a long history, though you usually study them with respect to military defeats. But they are a breakdown of management, and we are refusing to manage our infrastructure. It needs to be repaired. Eventually, it will all need to be replaced.

Blogroll Changes

I was sorry to see Kenn Blanchard announce his retirement and closing (or whatever the word is) of the Black Man With a Gun podcast. But I understand his feelings.

Also, Claire Wolfe at Living Freedom said she had been “demonetized” by Amazon or whoever. So there’s that.

I will keep checking on both, from time to time, in case minds change…

Baldilocks (Juliette Ochieng) while mostly posting at Da Tech Guy’s blog, is still using her blog for some stuff. Even if only cross-posting. And A Geek With a Gun has reemerged with infrastructure hosted out of his house. Mostly, he also has a virtual private server to handle the static IP problem.

The blogroll has grown fairly large lately, but as more and more people were banned from Twitter, F*c*book, YouTube, whatever, I thought we should encourage the old-school methods of connecting with one another. I hope it helps.

Infrastructure and Military Readiness

I don’t think most people know that the Interstate Highway System was started as a project by the federal .gov to help the military. Highway Bridge Deterioration from Climate Change Will Affect U.S. Military Mobility and Deployments.

This article was published before Christmas, but I thought I would wait before drawing attention to it. I thought it deserves attention, and I didn’t want to try to compete, with Santa, Family and general holiday insanity.

In an order different from that in the article, first we have the highway system and its strategic importance.

The National Highway System (NHS) “consists of roadways important to the nation’s economy, defense, and mobility.” The NHS has several subsystems including (1) the Dwight D. Eisenhower Interstate System; (2) other principal arterials that connect an arterial with a port, an airport, or other intermodal transportation facility; (3) the Strategic Highway Network are highways “important to the United States strategic defense policy and which provide defense access, continuity and emergency capabilities for defense purposes”; (4) major strategic highway network connectors “provide access between major military installations and highways which are part of the Strategic Highway Network,” and (5) intermodal connectors.

And the state of the infrastructure, which probably won’t surprise too many people in this audience.

The U.S. has over 615,000 bridges with an average age of 43 years. As of 2018, almost 8 percent of bridges were rated as structurally deficient, i.e., in poor condition, with an average age of 60 years. Regardless of their present condition, bridges are an integral part of the U.S.’ national highway system and its’ component sub-systems. Without functioning bridges alternative routes must be identified leading to lengthened trips and opportunity costs.

As they say, go read the whole thing. Though fair warning, they talk too much about Global Warming. (Not sure how that is supposed to be an issue for bridges in most of the country, but there you go.

“This is why planes are falling out of the sky”

Because saying that “anyone can code” is BS. And everyone who’s ever tried to debug a C program knows it. Joe Biden: Anyone Who Can Mine Coal Can Learn to Code.

So Joe Biden is back on the “Learn to Code” meme. I thought all the laid-off journalists determined that it was mean to tell people to Learn to Code. I guess that when Democrats do that it is OK.

There was an old Dilbert cartoon, where the pointy-headed manager says, “I drew up the schedule for your project. I started with the assumption that anything I don’t understand is easy to do.” Cue Joe Biden.

And then there is the reason planes are falling out of the sky. Boeing’s 737 Max Software Outsourced to $9-an-Hour Engineers.

Increasingly, the iconic American planemaker and its subcontractors have relied on temporary workers making as little as $9 an hour to develop and test software, often from countries lacking a deep background in aerospace — notably India.

Then there is this: 95% engineers in India unfit for software development jobs, claims report.

Over 36,000 engineering students form IT related branches of over 500 colleges took Automata — a Machine Learning based assessment of software development skills – and over 2/3 could not even write code that compiles.

It is one thing if you are writing code for “Candy Crush,” and another if you are writing flight-control software for Boeing, or self-driving car software for Toyota. And even the Candy Crush software needs to work. (At least it won’t kill anyone.)

As for Biden and his BS about teaching anyone to code. I would really love to see him learn. Or try to.

Oh, and it is SO easy to write code, that Zerodium is currently paying $2,500,000 for a new zero-click Android exploit chain. (They only pay $500,000 for iOS exploit chains). The payouts go down as a click is required, and whether the takeover is persistent or transient. Why are the gray markets paying so much? Because pretty much EVERY piece of software in your life is broken. Because management never wants to pay for full design, and full testing. And because you can’t hire programmers that can actually design/write decent code. And so planes are falling out of the sky. HakerOne pays less, but if you sell to Zerodium, you are feeding the beast.

267 Million Users’ Data Stolen From F*c*book

Are we surprised? Data Leak Exposes 267 Million Facebook Users.

A database of 267 million Facebook user IDs, phone numbers, and names was left exposed online for a fortnight thanks to another cloud misconfiguration, according to researchers.

At this point we don’t know if the data came from a breach at FB, or was a left-over from when their developer API allowed people access to the phone number, or if it was scraped from public profiles.

The researchers warned that such a large database of sensitive information could be used in major spam, phishing and smishing campaigns.
[SNIP]
This is just the latest in a long line of data leaks stemming from unsecured cloud databases. In November personal data on over one billion individuals harvested by data enrichment companies was found exposed.

Privacy is such a 20th Century concept.

Health Care Attacks During the Christmas Season

‘Tis the Season. Or something. Criminals Pull Hard Before Xmas, Attack U.S. Health Industry.

Seems there was a big effort to hit health care before the holidays.

Colorado Department of Human Services, Sinai Health System, Cheyenne Regional Medical Center, Children’s Hope Alliance, and RiverKids Pediatric Home Health are a handful of the total number of healthcare providers impacted by data breaches just during December.

Tens of thousands of people had their data stolen.

For the year there were more than 750 attacks on health care providers.

Alconétar Viaduct

Alconétar ViaductSo when I started looking into infrastructure, I was finding a lot on the failures of the same. But that is mostly in the US – where I’ve been looking. It turns out a lot of the world (including the US) is continuing to build and maintain infrastructure. Today we have The Alconétar Viaduct, which is an arch bridge in Spain that carries a motorway.

[The image is from WikiMedia Commons, by Chemasanco. Click on the image for a larger view and more info.]

This photo gallery is fascinating. The images are great, but they allow no use. (And while this might be “fair use” …) The first few photos are of the completed structure, but if you scroll down, you can see some images taken during construction. All the fins welded to the span of the bridge (visible above and in the first few photos at the link) are there to disrupt the wind, and eliminate wind resonance. A problem that should have been fixed in the 1940s, and not been an issue in the 21st Century. (So this probably counts as a “near miss” in terms of infrastructure failure.)

Next up is a video of “wind resonance” and this bridge (while under construction). This is the same effect that destroyed the Tacoma Narrows Bridge in Washington State. That disaster was supposed to inform the design of all follow on bridges. Apparently something was missed. Alconétar Arc Bridge Wind Resonance Effect. It is a short video of less than 4 minutes. At least they found the problem during construction, and were able to take measures to mitigate it.

And finally, to understand what those construction photos in the Gallery linked the top are telling you, the video below is 15 minutes of incredibly dry information on how this bridge was built. Alconétar Viaduct Construction. It is all animation, but still has some decent info. And you can see why this style of bridge can be used to cross very deep caverns. (Where building temporary supports in the center of the structure are not practical.) At a guess, I would say that this animation was produced when the bridge was initially proposed, to explain to the powers-that-be how it would be built. And the photos from the gallery back it up.

Tis The Season for Data Stealing

One Day, Three Credit Card Data Breach Notifications.

  • Wawa store, food market, coffee shop, gas pump
  • Islands restaurants (Most are in California, with rest mostly in Hawaii, Arizona and Nevada)
  • Champagne French Bakery Cafe

In all three cases, malware designed to collect magnetic stripe data was discovered on payment processing servers for card transactions.

If you’ve been to any of these businesses, you might need a new credit card.

First World Problems

Cash? Kroger credit card machines working after being down; upset shoppers share experiences.

OK, so maybe I would have been a little pissed off as well, but I do usually carry some cash, because occasionally stuff like this happens.

According to online users, all registers were down and could not accept card payments. Customers had to pay in cash until the issue was resolved. Shoppers also could not purchase gift cards even with cash.

Because nothing says “I really thought about your gift” like buying a gift card on the day before Christmas.

Some of the twitter reactions were hysterical.

The Future of Texting Is Broken

Whiskey. Tango. Foxtrot. The Future of Texting Is Far Too Easy to Hack: Rich Communication Services promises to be the new standard for texting. Thanks to sloppy implementation, it’s also a security mess..

Can we PLEASE get some secure communications. Aside from Signal that is. (Look, I love Signal. I wish I could get everyone to use it, but for some reason I can’t.) And in what is essentially 2020 there is no fucking excuse to have insecure communications. We know how to do this.

But when security researchers looked under the hood, they found the way carriers and Google have implemented the protocol creates a basket of worrisome vulnerabilities.

At the Black Hat security conference in London on Tuesday, German security consultancy SRLabs demonstrated a collection of problems in how RCS is implemented by both phone carriers and Google in modern Android phones.

For the love of all things Holy. USE Signal.

Another (tunnel) Boring Video

Though some of you will probably just consider it to be just plain boring.

Tunnel boring machines are an amazing bit of engineering, and I find the way that they build the tunnel in place as they go, just fascinating. In this case they can’t only rely on the prefabbed, prestressed concrete tube, but have to build a reinforced concrete tube inside the prefabbed tube to make sure that the tunnel is waterproof.

The tunnel in question is part of Switzerland’s A2 highway from Basel on the Rhine, to Chiasso. Belchentunnel (Switzerland). And yes, I realize that this is basically a 12 minute advertisement for the company building the tunnel, but I still find it fascinating.

These things are truly super-machines. And despite the fact that they only mention the main contractor, Marti, they do mention in the fine print on the video site at YouTube, that Herrenknecht also had a hand in building the system, too. Specifically, the tunnel boring machine at the very front of the assembly line.

1,000 Ransomware Attacks on Schools for 2019

Because they love to put stuff online, but can’t be bothered about security. Ransomware Hit Over 1,000 U.S. Schools in 2019.

The FBI advises all U.S. entities currently targeted by a heavy barrage of ransomware attacks to follow these best practices:

  • Regularly back up data and verify its integrity
  • Focus on awareness and training
  • Patch the operating system, software, and firmware on devices
  • Enable anti-malware auto-update and perform regular scans
  • Implement the least privilege for file, directory, and network share permissions
  • Disable macro scripts from Office files transmitted via email
  • Implement software restriction policies and controls
  • Employ best practices for use of RDP
  • Implement application whitelisting
  • Implement physical and logical separation of networks and data for different org units
  • Require user interaction for end-user apps communicating with uncategorized online assets

Of course a lot of the problems for the past few years were caused by (or at least it was a contributing factor) unpatched, unsupported Windows machines. So I seriously doubt that the rest of this will happen. And the backups must be offline. (Ransomware will encrypt your raid server.)

If you can’t update or upgrade, then you have no business putting stuff on the public internet. Unless dealing with ransomware is something you like to do. But schools and cities will continue to put insecure servers on the public internet, and then shriek about how it was “totally unexpected” when bad things happen.

Just What I Would Expect from a Group that Works (mostly) for the .gov

In the Juan Browne video I referenced the other day, there was a brief mention of the American Society of Civil Engineers and their 2017 Infrastructure Report Card. As a country we got a D+ in 2017.

I really wanted to like this report. It seems to be data driven, though I haven’t been through a quarter of it yet. I just can’t warm up to it.

Right off the bat I viewed their “Overview video.” It is queued up to a point where they talk about the freight railroad infrastructure in America. “It is second-to-none.” Yet they manage to gloss over the fact that virtually all of the freight rail infrastructure is owned by, and maintained by, private companies, not governmental organizations. Most of the rest of the infrastructure they bemoan as being inadequate, (there are notable exceptions) are government owned. Roads and Bridges. Ports and airports. Inland waterway maintenance in the form of locks and markers. Public transit. Waste water. And what isn’t owned by the .gov, is regulated to death.

Go ahead, click through and watch the 15 seconds that they devote to the amazing results of private enterprise.

They actually do admit that the rail infrastructure is mostly in the hands of private enterprise. They just don’t admit that in the one video most people will view. Odd that…

The private freight rail industry owns the vast majority of the nation’s rail infrastructure, and continues to make significant capital investment — $27.1 billion in 2015 — to ensure the network’s good condition.

It’s the public transit rail system that’s in deep trouble. Along with the roads, bridges, etc.

Aside from that 15 seconds, the video is basically an advertisement for spending more tax dollars on infrastructure. Of course I believe that we need to spend more money on infrastructure. I don’t believe we need to raise taxes to do so. We built all this infrastructure with less tax revenue than we have now. We just didn’t waste that tax money on so much insanity.

Every thing that has ever been built has a design life. Dams. Roads. Bridges. The day they cut the ribbon they should know about when that structure will need to be replaced. And yet the .gov isn’t able to plan ahead more than a year. You shouldn’t need to raise billions of dollars to replace every bridge in America. Every state and local .gov should have been saving money for the day they KNEW would come. But even when a .gov knows that it has numerous structures to replace they seem incapable of saving money for a rainy day. Now maybe they can’t legally save that money, but then maybe that should change.

Failed PG&E Infrastructure Maintenance

As always Juan Browne of Blancliro has some interesting info. The video includes photographs of both a failed component, and some components near failure from the area the are where the Camp Fire started. A failure of a power-line where a “c-hook” failed and allowed the power-line to contact the tower, causing enough of a spark to get the Camp Fire started in the Feather River Canyon near Pulga, California.

The tower in question was last inspected in 2001. In the interim, PG&E has been relying on helicopter flyby inspections. The photographic evidence starts a little bit past the 3 minute, 30 second mark. The video is worth a look.

And let the rest of the nation heed this warning of what’s happening here in California, with your infrastructure nationwide.

The governor of California has rejected the settlement as presented by PG&E. So it isn’t clear if the company will be able to exit bankruptcy anytime soon.

Hat tip to Wirecutter.

One of the things that is clear is that PG&E is going to need a whole bunch of linemen to get the infrastructure upgraded.

New Orleans Hit With Ransomware

Are we surprised? New Orleans declares state of emergency following ransomware attack.

Suspicious activity was spotted around 5 a.m. Friday morning. By 8 a.m., there was an uptick in that activity, which included evidence of phishing attempts and ransomware, Kim LaGrue, the city’s head of IT said in a press conference. Once the city confirmed it was under attack, servers and computers were shut down.

Ransomware was detected, but they didn’t say how many computers were hit or what variety it was. They were mostly reassuring everyone that all is fine.

“If there is a positive about being a city that has been touched by disasters and essentially been brought down to zero in the past, is that our plans and activity from a public safety perspective reflect the fact that we can operate with internet, without city networking,” said Collin Arnold, director of Homeland Security, adding that they’ve gone back to pen and paper for now.

I’m sure there will be more info later in the week.

The Collapse of the Silver Bridge – December 15th, 1967

A series on the failure of various bits of infrastructure, must include the failure that changed the way we inspect bridges. Silver Bridge Collapse.

On December 15, 1967, the Silver Bridge collapsed while it was full of rush-hour traffic, resulting in the deaths of 46 people. Two of the victims were never found. Investigation of the wreckage pointed to the cause of the collapse being the failure of a single eyebar in a suspension chain, due to a small defect 0.1 inch (2.5 mm) deep. Analysis showed that the bridge was carrying much heavier loads than it had originally been designed for and was poorly maintained.

National Bridge Inspection Standards were a result of that collapse. Real inspections are supposed to be carried out at least every 2 years, and things should be (and usually are) addressed. Following the 1967 collapse many bridges were retrofitted or dismantled.

OK so this is also the bridge that gave rise (in part) to the Mothman stories. That is all I have to say about that. If you’re interested in that kind of thing, the links, sites, even a movie, are easy enough to find.

This first documentary is 8 minutes. Actually it is less than that because it starts to repeat. (You are not imagining it.) It covers the highlights of construction and how the failure was analyzed. It isn’t the greatest, but it is short (for those 21st Century attention spans). And yes, this documentary gets the date wrong. It was December 15th, not the 16th.

This second documentary, from the Open University, is complete, and well done, but the problem is that it’s 25 minutes long. It covers design, and how the design was not sufficient over time, as loads increased. It covers maintenance, and the lack thereof. It covers the complete lack of (reasonable) inspections. And it is complete if you have the time.