[SecurityRatty] tag: tony

A Brief Introduction to Blackboard Architectures

Sun, 20 Jul 2008 09:57:12 +0000

A blackboard architecture is a distributed computing architecture where distributed applications, modelled as intelligent agents, share a common data structure called the “blackboard” and a scheduling/control process. The blackboard can be either centeralized or distrbuted, depending on the requirements and constraints of the application(s).

To solve a complex problem in the blackboard-style, the intelligent agents cooperate as functional specialists, observing updates to the blackboard and self-actualizing in an event driven process) when there is new information to process. Agents continually update the blackboard with partial solutions when the agents capabilities for processing match the state of the blackboard.

The blackboard architecture is a distributed computing model for a metaphor describing how people work together to collaboratively solve a problem around a blackboard (whiteboard in todays lingo). For example, one person is standing at the whiteboard working on a solution while three other people are sitting (or standing) around watching. One of the observers sees new information on the whiteboard, thinks of how he (or she) can contribute, and then jumps up, takes the whiteboard marker from the person working, and adds to the solution. This process is repeated in various scenarios.

The blackboard architecture can be very effective in solving complex distributed computing problems, including event processing problems; however, scheduling the self-actuating agents can be a key challenge. Another core challenge is how to model and manage the blackboard itself, especially in distributed blackboard architectures.

John McManus, former CTO of NASA, wrote an excellent PhD dissertation in 1992, Design and Analysis Techniques for Concurrent Blackboard Systems, at the College of William and Mary, addressing challenges in BB systems.

The table below lists two books that focus on blackboard architecture:

Date	Editor(s)	Publisher	ISBN	Title
1989	V. Jagannathan et al	Academic Press	0123799406	Blackboard Architectures and Applications
1988	Robert Engelmore and Tony Morgan	Addison-Wesley	0201174316	Blackboard Systems

One of the thought leaders in blackboard architecture is Daniel D. Corkill a professor at the University of Massachusetts Amherst.

Blackboard architecture is relevant to the field of event processing, and in particular complex event processing. I will go into more details in future blog posts on this topic, including how blackboard architectures relate to grid computing, distributed object caching (of the blackboard), and CEP.

CBAC & Medical Identity Theft

Thu, 10 Jul 2008 06:09:41 +0000

Good story to keep in mind for those of you working on CBAC. Claims neeed protection and verification. Why steal an identity when you can capture a claim? (hattip: askelizabeth)

The Sopranokovs

The Russian mob comes to town with a new scam—medical identity theft.

When FBI special agent Ted Price peered through the window of a dingy brick storefront on Southwest Morrison Street in March, it was what he didn’t see that caught his attention.

The business, called UnimedCorner, claimed to provide ailing seniors with orthotics—braces and other devices to correct foot, joint and back problems.

Price and other federal investigators were skeptical.

On Unimed’s showroom floor, Price saw wheelchairs, motorized scooters, a variety of canes and, on the walls, a selection of amateurish paintings and framed photographs. There was no evidence, however, of the kinds of equipment for which Unimed had billed Medicare nearly $2 million in the previous couple of months.

“I observed wheelchairs and canes through the window but did not see any orthotics in the store,” Price later wrote in a search-warrant affidavit. “It is a sign of fraud that the store is not stocking the items [for which] it is billing.”

By the time Price arrived on the scene, the company’s owner, a shadowy Russian immigrant named Alexandr Shcherbakov, was long gone.

Today, Shcherbakov’s store sits undisturbed. The message light on the phone blinks, dead potted plants droop and a stuffed toy monkey slumps in a glass display case.

And behind the cash register hangs a framed poster of television’s best-known mobsters, the Sopranos.

From interviews and information presented in federal affidavits, it is clear Shcherbakov moved to Oregon to commit a crime elegant and lucrative enough to make Tony Soprano envious: medical identity theft.

...

“Medical identity theft is the new frontier for organized crime,” says Alex Johnson, a former FBI agent who investigates fraud for Regence BlueShield. “Pretty much anybody can set up a mom-and-pop operation and start cranking out claims.” Someday, most Americans will need a cane, wheelchair, home hospital bed or another of the items healthcare professionals call “durable medical equipment,” or DME.

For those over 64 and without private insurance, there’s a good chance federally funded Medicare will pick up the tab for that equipment. Last year, according to federal statistics, Medicare spent $8.6 billion on DME.

Here’s the way the system is supposed to work: A doctor prescribes a device such as a wheelchair for a patient, who presents his prescription to a DME supplier. The supplier provides the equipment and bills Medicare, which typically pays 80 percent of the cost. Unlike pharmacists, who fill prescriptions under strict scrutiny of state and federal watchdogs, DME suppliers are lightly regulated. “DME is very vulnerable to fraud,” says Consuelo Woodhead, the chief healthcare fraud prosecutor for the U.S. Attorney’s Office in Los Angeles. “It doesn’t require any background in medicine, any kind of professional licensure or appreciable capital.

There are barriers of entry in other medical fields, but not in DME.” To operate, DME suppliers simply need a place of business, a business license and liability insurance. Unlike pharmacists, DME suppliers operate under an honor system: The feds count on them to supply the equipment they claim to provide to the beneficiaries who need it.

That honor system is not working.

The epicenter of DME fraud, according to the federal Department of Health and Human Services, is South Florida, where Medicare billing for DME quadrupled from 2002 to 2006 to $1.7 billion. Investigators found much of that increase was due to fraud. In 2006, federal inspectors revoked the licenses of 634 DME suppliers in South Florida, nearly half the DME dealers in the region.

Later the same year, raids in Southern California yielded similar results: The feds shut down 95 DME suppliers. Many of the DME suppliers shut down around Los Angeles were run by immigrants from the former Soviet Union. It’s probably no coincidence that when the feds raided Los Angeles DME suppliers, some Angelenos fled to cities where there was less scrutiny—such as Portland.

The new golden age of comics

Sat, 21 Jun 2008 13:31:58 +0000

The golden age of comics in the 30's and 40's saw the creation of the superhero. The good versus evil storylines mimicked the real life events of the day. It elevated the comic book to an art form. Comic style illustration and story telling in short dialog balloons had never before or since reached those heights. Than after WW II, with the advent of TV and one evil empire ending, comic books seemed to recede back into the background of young boys play things. Their numbers never again reached the levels seen during the war and many of the characters faded away.

Over the years the comic industry tried to regain their former glory, but the age of the superhero was over. Yeah there was the TV cartoons, who didn't watch Superman or Batman when you were little. Some of you like me, may have even watched the Marvel Superhero Show that had short segments of many of the Marvel characters (check them out in the You Tube video), but they were campy and never appealed to an audience beyond young boys. The Superman movies with Christopher Reeves market a turning point on the return of the superhero and the Batman movies were very successful. But beyond those two, there were many flops.

With better technology and better story lines, Spiderman, Iron Man and now the latest, The Incredible Hulk have brought comic book superheroes from the page to the screen in a big way. I know that I was not a big fan of the Iron Man movie, but seeing Tony Stark come in at the end of the Hulk movie did get even me excited by the possibilities. Also seeing the Hulk and Iron Man, I began to see that these movies are not aimed at adolescent boys with stories that I am used to from comic books and TV shows. These are movies aimed at adults with adult storylines. The technology is great, the heroes are played by big stars (I hear Brad Pitt is playing Thor) rather than unknowns and the productions are first class.

Besides the movies already out, Thor, Captain America, and Namor, the submariner are all headed for the big screen. Once each of these and more have their movie debuts, the subsequent combinations and sequels are almost infinite. This could be the biggest movie franchise of all time and make the original comic book owners more money then they ever dreamed of! In the meantime, I am excited to see many of my boyhood heroes get this new big screen treatment!

Eco-Efficient Datacenters: Wheres the Money?

Tue, 10 Jun 2008 11:00:25 +0000

Global warming does not seem to have reached the UK yet this summer judging by my week here, but it has definitely been climbing the IT service provider’s agenda, to the point where The Web Hosting Industry Review dedicated their May edition to the subject (everybody needs their “green edition”).

Actually one of the most entertaining panel discussions at the Hosting Transformation Summit in London this week was titled Eco-Efficient Datacenters: Where’s the Money? Panel members included Jeff Lowenberg (The Planet), Michael Winterson (Equinix), Lex Coors (InterXion BV) and Tony Day (APC). The panel was moderated by Andy Lawrence at the 451 Group.

Judging by the debate, the European hosting companies have a fight on their hands keeping the politicians out of the datacenter. With green issues being even higher on the political agenda than in North America, and the vast energy requirements of modern data centers becoming more widely known, there are some legislators and “Eurocrats” sniffing an opportunity to add to the hoster’s power headaches. Never mind the fact that escalating power hosts are incentive enough for these companies to be as efficient as possible.

The panel discussion ranged widely between big picture green issues, and the technical challenges of retrofitting older data centers to be less power hungry. There are many incremental improvements to be had, but Tony Day pointed out that the biggest and most immediate savings are to be had simply by running our data centers hotter.

The American Society of Heating, Refrigeration and Air-Conditioning Engineers say data centers can operate at 77F. Most modern rack-mounted computers can run happily a long way higher than that, and yet most data centers are cooled to the high sixties (many of our customers now use EM7 to trend the environmental fluctuations across their data centers using environmental probes as well as readings from the servers themselves).

For the hosting companies this is a matter of educating their customers, so that raising the data center temperatures is seen as a welcome green move rather than a lowering of quality of service.

ShareThis

Iron Man Cameo - Samuel L. Jackson is Nick Fury

Mon, 05 May 2008 19:30:40 +0000

Late Friday night, I was one of the millions of weekend viewers that help make Iron Man the second-best premiere ever. I am surprised by those results, but only because Iron Man isn't so well-known as other Comic Book heroes like Superman or Batman.

Yes, I liked it and was pretty sure I would even before I wnt. However, Robert Downey Jr. really did an excellent job as Tony Stark and the movie was faithful to the Origin Story, though it was updated to modern times. I love to see the casting of good actors to make these characters into movies.

I had heard that there was an extra clip after the credits (which were super long, btw), so I stayed around until they were over and then snapped the picture to the left of the final scene and thought I'd share it with you.

And the cameo dialog seems to mean there will be a follow-up movie of some sort from Marvel, though maybe not Iron Man 2:"... I'm here to talk to you about the Avengers Initiative."

Iron Man was just not very magnetic to me

Sat, 03 May 2008 18:48:58 +0000

Took the kids to see Iron Man tonight with our cousins Jeri and Danny. I generally like Robert Downey, Jr and he acted very hard in this movie. However, I just didn't get the story. I remember watching Iron Man cartoons when I was little and reading the comic books, there was some special thing about Iron Man's blood the way I remember it that gave him super hero powers.

In the movie incarnation, Tony Starks is the son of a weapons designer and a brilliant weapons designer himself. However, he has some serious character flaws. He is kidnapped by some sort of mid-eastern terrorists and take some shrapnel in his chest. A doctor attaches an electromagnet to a car battery on his chest to keep the shrapnel from going into his heart. Downey then designs some sort of mini-power source to power the electromagnet, He uses the power source to power a metal suit he builds (long story) and escapes from the terrorists. From there the movie is fairly predictable and frankly in my opinion not very good. I didn't understand how he got the superpower, it was just a powered suit and how it worked was pretty silly.

The ultimate thumbs up or down for me was that both of my sons fell asleep in the movie theater. The good news is that this is the start of the summer movie season. I am really looking forward to Indiana Jones and the kids want to see Speed Racer!

Stolen account firm laptop contained personal information

Mon, 28 Apr 2008 05:50:55 +0000

Technorati Tag: Security Breach

Date Reported:
4/24/08

Organization:
Hough, MacAdam & Wartnik LLC

Contractor/Consultant/Branch:
Coos County, Oregon
South Coast Hospice & Palliative Care
Two other undisclosed organizations

Victims:
Client employees

Number Affected:
482

Types of Data:
"name, Social Security number, and other personal information"

Breach Description:
"NORTH BEND - The theft of a laptop computer owned by a local accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft."

Reference URL:
The World

Report Credit:
Jessica Musicar and Jolene Guzman, Staff Writers at The World

Response:
From the online source cited above:

The theft of a laptop computer owned by a local accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft.

County officials worry the data may have contained employees’ names, Social Security numbers and other personal information, which had been used in recent audits performed by Hough, MacAdam & Wartnik LLC of North Bend.
[Evan] We see too many breaches occurring through contractor/vendor relationships.

Although, there have been no known reports of identity theft from any of the 482 employees notified, the computer has not been found and, according to a letter from the firm, thieves sometimes hold victims’ information for later use.
[Evan] The fact that thieves DO sometimes hold victims' information for later use is important to remember. This is one reason why one year or two year free credit monitoring (a semi-standard offering by breached companies) is a very limited short term response.

According to a Coos Bay Police press log, at approximately 7:28 a.m. on March 5, officers received a report of a woman flagging down Officer Tony Wetmore, identified as 122 in the log, near Coos Bay City Hall. Crystal Albiar, 30, told Wetmore a laptop computer had been stolen from a vehicle, which, Wetmore said, belonged to Albiar. The victim is listed on the press log as Hough, MacAdam & Wartnik. Albiar is a senior accountant at the firm.

Later that day, a letter from the company was sent to clients stating that a "serious data security incident" may have involved clients’ personal information.
[Evan] Quick response.

"During the night of Tuesday, March 4, 2008, a notebook computer was stolen from a locked vehicle. The notebook’s hard drive may have contained your name, Social Security number, and other personal information,"

"We have notified law enforcement about this incident. This notification included a general report alerting them to the fact that the incident occurred. However, we have not notified them about the presence of your specific information in the data breach."
[Evan] I wonder why the firm decided not to notify law enforcement about specific information on the computer.

A public accounting firm, Hough, MacAdam & Wartnik is locally owned by Jim Hough, Shirley MacAdam and Jayson Wartnik. It opened in July 2004, following the acquisition of the office from Moss Adams LLP. The business dates back to the 1940s.

Shirley MacAdam said the March 5 letters were sent to the 482 employees of four clients - only one of which was a public agency. She demurred from identifying the clients involved, but further investigation revealed the County and South Coast Hospice & Palliative Care in Coos Bay are among the four.

it is possible the four data files from the four clients contained Social Security numbers and addresses of some of the employees on the laptop’s hard drive.

Some of the information could have been on the laptop since October 2007.
[Evan] This is a long time for personal information to be stored on a mobile device. The longer the time, the higher the risk that the mobile device will be lost or stolen. Right? CPAs now this thing called risk, don't they?

The CPA said the computer was password protected, as were certain files.
[Evan] Oh boy, here it is. The password protection mention. Password protection should not be considered adequate protection is most circumstances (some would argue ALL circumstances). Operating system passwords are simple to circumvent as are many common application passwords.

Some of the information contained in the programs require "special knowledge in order to find the personal information inside of the program"
[Evan] And now, the security through obscurity mention. Security through obscurity is a myth. It is not effective.

When MacAdam and other members of the firm learned the computer had been stolen, their first priority was to identify affected clients and to notify them of potential risks. This was done within 24 hours of the theft

"Our concern was to ensure that we are taking all actions that we should as prudent business people, in addition to complying with all regulations regarding proper and timely notification," MacAdam wrote to The World.
[Evan] Prudent business people should do many things, and one thing among them is to regularly evaluate the risks involved with the way the handle information. A prudent business person should be able to identify that storing confidential information from multiple clients on a poorly secured laptop is an unnecessary and unacceptable risk.

"We informed them of the actions they and their employees needed to take. Due to the nature of our work and our internal policies, no client information other than audit data is ever stored on a laptop, so there is no concern that any other client information might be on the stolen laptop."

The firm has since revisited its internal information technology security policy and implemented changes such as increased frequency of password changes, more complex passwords and encryption software when applicable.
[Evan] Careful. Increased frequency of password changes and increased password complexity can very easily lead to an increase in the probability that people will write passwords down. A person writing a password down on a Post-It note will defeat all of these controls (password changes, password complexity, and encryption software).

Additional training also was provided to Hough, MacAdam & Wartnik staff regarding the security policy
[Evan] I am a big proponent of training. People argue about its effectiveness, but my experience has typically shown that it is well worth the time and effort. Training should be fun and interactive, periodic (maybe annual), and followed-up with regular awareness reminders (such as posters, email newsletters, banners, freebies, etc.).

While no reports of identity theft or fraud have been made to the firm, MacAdam said the impacts of the theft have been felt by clients as well as by the firm.

"The impact on HMW has been both time and financial as we took all steps necessary to inform the individuals affected and address all concerns brought to our attention."
[Evan] The costs of a breach are significant in soft and hard dollars. What did my grandma say "an ounce of prevention is worth a pound of cure"? Wise advise, maybe she could have been a good information security professional .

MacAdam noted her firm has never experienced a data breach in the past and is still not aware if one has occurred.
[Evan] The firm is "still not aware is one has occurred" (meaning a breach)? Oh yes, it has occurred! In my definition, if you cannot be reasonably assured that confidential information has remained confidential, then a breach has occurred (not to mention integrity and availability).

More than 300 employees who received paper paychecks from the county may have had their personal information on the laptop, said Coos County Commissioner Kevin Stufflebean.

Information on the missing computer was left over from the county’s 2005-06 audit, Stufflebean said. There is a chance nothing was on the computer, he added.

"They didn’t have confirmation that it was wiped off the computer," he said. 'That’s why they notified (employees)."

Coos County Counsel Jacki Haggerty said she had not received any reports from county employees of any unauthorized use of their information. Still, the incident will raise the level of awareness of possible breaches in the future, according to Haggerty.

"I think it’s sobering,' she said. "You don’t think about it until something like this happens. This is kind of a wake-up call."
[Evan] This should be a wake-up call. It's really too bad that it takes an personally affecting incident before waking up. Wouldn't it be easier and more cost-effective to do a little research and learn from other people's mistakes?

Both the county and Hough, MacAdam & Wartnik are in the process of changing how data is used to make sure no unnecessary personal information is released in future audits. Haggerty said she feels assured by the lengths the firm has gone in order to increase data security.

"They are taking certain steps ... including not requesting or accepting certain information," she said. On the list of banned data includes clients’ Social Security numbers.
[Evan] This is the best control so far. You can't lose information that you never had.

Employees of South Coast Hospice & Palliative Care also received copies of the March 5 letter from the accounting firm.

Carol Gardner, the administrative and personnel manager for South Coast Hospice, said Hough, MacAdam & Wartnik has audited the organization for approximately 10 incident-free years. In fact, Gardner said, the hospice’s board of directors complimented the company for acting so promptly.

"It was one of those unfortunate faux pas," Gardner said of the theft. "This was an unusual situation and proper steps (were) taken to coach and correct that employee.
[Evan] A faux pas (false step) yes, but I would argue against "unfortunate". Unfortunate for the victims, certainly, but not for the firm. Information mismanagement should not be confused with bad luck.

"It did scare me a little bit to think that somebody had access," Gardner said, adding her own son dealt with a four-year struggle after someone stole his identity. However, 'Up to this point we have not heard of any repercussions from it.

"I feel that we were very fortunate because, as I understand (it), it’s big business " things getting stolen out of vehicles ... " I think everyone needs to be aware not to leave anything of value in their vehicles."

Commentary:
Another sad incident of personal information on a poorly secured laptop computer. When I read news articles like this, my blood boils. Do people not know any better? If they don't, then they shouldn't be allowed to create, collect, process, transfer, or store confidential information.

It is Monday morning, so maybe I'm in a bit of a mood.

Past Breaches:
None

Is the White House being "green" or covering up for the CIA?

Thu, 17 Jan 2008 22:18:00 +0000

There has been a lot of discussion lately about the erased CIA tapes. Were they erased to cover up torture techniques such as "waterboarding' or was it done in an attempt to conceal the identities of the interrogators? The debate is not just confined to the States, but goes on around the world. At least nobody is trying to say that they were erased by accident. Afterall, who would fall for that line?

Actually, it seems that the White House would like us to believe that line. A Washington Post article by staff writers Elizabeth Williamson and Dan Eggen, tells us that the White House routinely "recycled" e-mail messages during the first three years of the Bush administration. This, despite two Federal statutes requiring presidential communications (to include e-mails) involving senior White House aides, to be preserved for the nation's historical record.

Perhaps it is just a coincidence that the "recycling" was being done at a time when the CIA tapes, that are now erased, were being recorded. It does however beg the question, was penny-pinching so important to the White House in those early years that they would use the same back-up tape over and over?

Of course the White House spokesman, Tony Fratto, says that he has no reason to believe any e-mails were deliberately destroyed. Well he wouldn't, would he? Afterall, he is the White House spokesman.

Call me crazy, but it sounds a little bit too much like the "dog ate my homework" excuse. At least they didn't try to say that Spot ate the tapes.

Turn off Autorun - yet another reminder

Fri, 30 Nov 2007 07:41:00 +0000

Tony Bradley makes a great point on the Hack Report site about Autorun. Sure it seems convenient that when you load in a CD, DVD, or USB stick to take some automatic actions. Isn't is great to have the new Springsteen disc start to play once you put it in?

Actually, not so much. If any of that media is malicious, you've got no defense. If you remember back to the original Sony Rootkit issue from a few years back, most folks ended up installing the rootkit because they had Autorun engaged and the software automatically launched when the disc was loaded.

It was my Velvet Revolver disc that infected me. But I'm reasonably technical, so I was able to remove it pretty quickly.

I've already posted about this back in September in Autorun can be hazardous to your health. But I think it's important enough to mention it again.

So do yourself a favor and turn off Autorun. Detailed instructions are in Step 2 of Security Mike's Guide.