Cyberattacks and the culture of cost-cutting

The recent major cyberattack on hospitals, even one here in Ontario, is continuing evidence that short-sighted practices of the past are coming home. And I would suggest that the root problems are more extensive than just software, but extend into every corner of the built environment.

Back in the 1970’s, there was an idea floating around the software developers I worked with called ‘Truman’s Triangle’. The concept was that there are tradeoffs between how quickly or cheaply something can get done and how good it was. Pick any two, they said — if you want it good then it will likely not be cheap or quick. Problem is that management always went for cheap and quick — issues could always be fixed in the next release (which frequently never happened).

As a developer, one common mistake in writing code is neglecting to check boundaries when writing into memory. So if one reads 512 bytes from disk, there had better be a 512-byte buffer to accept it. Otherwise it overwrites whatever was above it in memory. A typical neophyte error and the root cause of buffer overflow, one of the common pathways for malware to gain a toehold. And if in a rush because the vendor had a committed release cycle, as with the 2001 version of Windows (XP), there were probably a few such errors. Testing usually checks the expected behavior of a program — not what breaks otherwise. The software house where I worked had one guy who torture tested programs — if your stuff could get past Charlie Brown (his name, really) it was pretty bulletproof. Never saw this anywhere else.
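The boundary check described above, as an added example that is not part of the original post: a C sketch, with hypothetical function names, of an unchecked block copy beside a checked one, plus a torture-style check that feeds a 512-byte block to a 256-byte buffer and confirms nothing past the buffer is touched.

```c
#include <stddef.h>
#include <string.h>

#define SECTOR_SIZE 512  /* block size used in the text */

/* Hypothetical status codes for this example. */
enum copy_status { COPY_OK = 0, COPY_BAD_ARG = -1, COPY_TOO_BIG = -2 };

/* Unchecked form (the mistake): assumes dst can hold n bytes. If it
 * cannot, memcpy writes past the end of dst. Shown for comparison
 * only; nothing in this example calls it. */
void read_block_unchecked(unsigned char *dst, const unsigned char *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Checked form: the caller passes the real capacity of dst, and a block
 * that does not fit is refused outright rather than silently truncated. */
enum copy_status read_block_checked(unsigned char *dst, size_t dst_cap,
                                    const unsigned char *src, size_t n)
{
    if (dst == NULL || src == NULL)
        return COPY_BAD_ARG;
    if (n > dst_cap)
        return COPY_TOO_BIG;
    memcpy(dst, src, n);
    return COPY_OK;
}

/* Torture-style check: exercise what should break, not the expected case.
 * A guard pattern sits right after a 256-byte buffer; an oversized block
 * must be rejected with buffer and guard untouched. Returns 1 on success. */
int guard_survives_oversized_block(void)
{
    struct { unsigned char buf[256]; unsigned char guard[8]; } m;
    unsigned char sector[SECTOR_SIZE];
    size_t i;

    memset(sector, 0xAA, sizeof sector);  /* constructed sample data */
    memset(m.buf, 0, sizeof m.buf);
    memset(m.guard, 0x5C, sizeof m.guard);
    if (read_block_checked(m.buf, sizeof m.buf, sector, sizeof sector) != COPY_TOO_BIG)
        return 0;
    for (i = 0; i < sizeof m.guard; i++)
        if (m.guard[i] != 0x5C)
            return 0;
    return m.buf[0] == 0;
}

int main(void) { return guard_survives_oversized_block() ? 0 : 1; }
```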

In the real world this issue is compounded because the vendor (Microsoft) wants to sustain sales by forcing users to buy the latest version when it is released. Not only are there improvements that may be desirable (and hopefully a few bug fixes) but changes to make the operating environment incompatible with the prior release. Hardware vendors facilitate this by only writing their drivers for the latest versions. And application vendors will put out a new version for the latest OS so that they get an upgrade sale as well. This is not always bad — sometimes the new version is better. And support has to be paid for somehow.

As bugs, like the buffer overflow, get discovered and complained about, the vendor pushes out patches to fix things. These have to be installed and tested — sometimes the patch breaks things elsewhere, so some care and thought is required. A ‘fools rush in’ area to be sure. Why systems folk appreciate the value of patching but are sometimes reluctant to do it. And the thinner they are spread the greater the chance that this is one item that languishes.

So Microsoft adds pressure by dropping support, including providing patches, for those versions of the OS that they want off the landscape. For isolated machines like single desktops or computers embedded in machinery this is probably not an issue, IMHO. But for anything that is network connected, especially to the Internet, it is a serious threat, almost extortion. It is worth noting that after formally dropping support for XP, Microsoft has just released a patch for XP for the current, very conspicuous, bug.

But in the real world of enterprise the decisions around how to implement and maintain a computer application, a hospital medical records system for example, are made by people more interested in their balance sheet than the esoterica that they may be hacked. After all, that only happens to others — we are so much better, smarter, whatever… will never happen to us. So remote access is simplified with more a view to convenience than security, firewall rules not maintained, logs not checked, backups not monitored and tested to ensure they are really recoverable. And remote staff are used for support because it's cheaper to get someone out of bed than have local staff — and they may need to get at everything remotely.

And finally we have a whole landscape of malefactors who want to steal, destroy or harass for a wide variety of reasons. And unlike conventional insurgency or warfare, this can be done from the comfort of a remote office or home with some chance that the source will remain hidden. And if greed is the driver, ransomware [locking a user's system until ransom is paid] is seen as a whole lot better than just stealing the data and trying to sell it elsewhere.

So when one asks why are we not doing more to prevent these kinds of attacks, it is worth following the trail of breadcrumbs to realize that the issue exists because of deliberate decisions on many levels, most but not all, I believe, in ignorance, possibly willful, of the long term consequences of their choices. And until robustness and security are taken seriously at every point in the chain, the situation may change but only appear to get better.

But there is a larger issue seen in this problem. While there may be funding for the original creation, adequate funding for maintenance is a different problem. So corners get cut or ignored completely in keeping things running smoothly. And when funds get tight, maintenance and support is the first thing to go. And besides, every politician or business person likes the attention garnered for doing something new. But keeping things running smoothly and economically… not so much.

But it is not just software and computer systems where this is a problem. Look around… bridges are rusting, roads are crumbling, pipes leaking, food safety questionable. The list goes on and on — neglect, greed, short-sighted decision-making. Problems with building on flood plains that no one really knew about because the information was not collected or maintained. But because of that very human tendency to think that the potential consequences of taking the cheap/quick approach will not happen to them because they are…

The true miracle is that anything works at all.


Perversity of Renewable Power

For centuries, western civilization has worked to lessen the dependency on the weather for conducting our daily manufactured lives. That given, it does seem interesting that the current populist push for ‘renewables’ is a move to reverse that long avoided position. Although I might add that all forms of energy are actually renewable — just that the timescales for coal or uranium might be a tad long for the typical investor mindset.

Solar panels both photovoltaic and thermal require sunshine to harvest energy. A long spate of cloudy weather (this past winter comes to mind) significantly compromises their output. Not to worry though — here in Ontario there are immense solar panel arrays scattered about the rural landscape — after all, what do we need farmland for? Everything we need can be flown in from China, Chile or Mexico. Been noticing that last winter no one could be bothered to clear the snow from these things — suspect the Province was paying them for the power they might have generated, so why waste money on maintenance?

Wind farms are even more interesting — the huge monsters now in fashion need just enough — not too much and not too little. So areas that have any wind at all, away from the urban areas, are being carpeted with wind farms — mostly over the objections of the folks who live there. Freezing rain shuts them down. No way to defrost things — need to wait for the sun. Too much wind — you hope the automagic controls stop them. Watching video of overspeed turbines tearing themselves apart is pretty entertaining. But a broken blade can get lobbed a kilometer or more — and the Ontario setback is 550 meters. Don’t want one through my living room window… And we won’t mention that when the original research was done it was observed that little of the local winds blew during the same timeframes as the power was needed. Terawatt batteries? Dream on.

What we have seen over the last few years is that here in Eastern Ontario we are getting more days of cloud [I am an amateur astronomer] and wind levels overall are dropping in the Great Lakes area. And when it does blow it can be more extreme. And we will ignore for the moment the side effects of the technology itself — solar farms absorb heat differently than fields. And would not evaporate moisture in the same way as plants. Similarly, wind turbines work by taking energy from the low level air movement — and affect atmospheric mixing and increase low level turbulence. And as they turn the vibration shakes the ground… big critters seem to ignore it but one wonders about worms?

So here we have it… re-introducing technology driven by weather as a means to ‘fight’ changes in the weather. One might think it was a big bet that conditions won’t change. And the apparent direction of the change we see moves away from the current conditions that support these things. Glad everybody is eager to make a quick buck from this stuff. But are we not being a bit over eager? Makes my head hurt…

Climate Change — the New Religion

I have been watching with some dismay the comments on Facebook and other places about the New York Times hiring Bret Stephens as a columnist. Ascribed to being an extreme climate change denier, parallels have been drawn with Holocaust deniers and suggestions made that the Times should be boycotted until they release him.

Interesting… he is accused of heresy for doubting the predictions of hard green religion and the demands for making specific changes in power generation and other things to save the planet. The science is fine but maybe we should not be so confident about our models and think about this a bit more. Guess this is what passes for non-belief in these hyper-partisan days. Infant damnation or atheism with no middle ground.

I will confess to similar leanings that have grown with the shrillness of the critics. I justify my thoughts with a comparison to political and economic forecasting — and the economic behavior of human society with its billions of interacting parts is quite simple compared with the climate.

Politicians of all stripes routinely tout specific programs to restore prosperity and end various flavors of unfairness. And their allies in business argue for policies to favor their industries with a heavy hand for similar reasons. Mostly these fail, often spectacularly. Trickle down, a favorite of the current White House occupant, has been proffered a number of times — cut taxes on the rich, the job creators and prosperity will flow down over everyone. So far not so much it seems — the latest was Kansas, where they had to dip into emergency funds to keep the state afloat. But the results are ignored… the real benefits achieved, if any, go to a more restricted group. So why do we believe them when the evidence is right in our faces?

So here in Ontario we have a Green Energy Act that removes planning control from local governments and substitutes the will of a highly politicized government power system. Rural areas are being covered with enormous wind farms against the will of most of the residents and in violation of various treaties and so forth. And harm… well, if the research was not done in Ontario it just doesn’t apply. And when locals fight it is against the government and the ‘renewables’ industry. And with the project across the street, the developer admitted that even though the costs are more than double any other project it is so profitable they have to do it. Curious… Ontario has a huge surplus of wind power being sold at a loss to surrounding areas, and soaring power costs — where is the money going?

Similarly, on a planetary scale, there is urgency in saving the planet by deploying more and more solar panels, wind farms and so forth. And making other changes to decarbonize the economy by industrial taxes and mandating expensive technology. But transportation, which accounts for almost 40% of greenhouse gasses in Ontario, continues to be the realm of cars, trucks and airplanes. Trains, which produce a tiny amount of GHG per passenger mile in comparison, continue to be under attack. And regional bus service has been shut down in a number of places. So if you don’t drive and cannot afford to fly you are going no place. And logging continues everywhere — although in North America there is replanting, unlike places where the forests are cut for agriculture, beef or palm oil.

The science is clear — hard to argue with years of rising temperatures, rising sea levels and melting ice. But some do… Where it gets trickier is in the efficacy of the models — and this is where things diverge. Problem as I see it is that compared with something simple like the planetary economy, the climate is a non-trivial system. We have human activity to be sure — coal, oil, gas and forests all cheerfully burned to power our civilization. And in some quarters nowhere near fast enough. But there are other factors — and more are discovered every week. We have the heat flow from the sun, the impact of large scale magnetic fields on all sorts of interactions, thermal properties of the earth and seas. And this is to say nothing of the solid gas hydrates on the ocean shelves, the gasses coming from permafrost organics that have been frozen for millennia. And the venting from millions of beef cattle who are very gassy on the diets we feed them to speed the trip to the table.

The problem with models is that at best we have simplifying assumptions about the factors we know about, the actual interactions may be a bit more complicated — and likely non-linear in ways we cannot even imagine. Then there are the factors we suspect, the known unknowns. And then there are the unknown unknowns… So while the models may be descriptive, I suspect they have a long way to go before becoming prescriptive. So air-conditioning the arctic to refreeze the ice cap (and where does the rejected heat go one might ask?) or putting a giant parasol in space — if we could do it, might have other effects than the one predicted by the proponents. But it is increasingly obvious that it is heretical to suggest otherwise.

Back to the columnist… the stuff I have read of his seems to be nothing more extreme than saying trust the science but the predictions not so much. A sense of modesty is called for about what we know and, probably more important, what we don’t. And what we can do to effect long term change. Not sure this is climate change denial in my book — but some seem to think so. And are suggesting that perhaps burning at the stake for heresy should be revisited.

There is one other factor that suggests caution. There are places right now that are being harmed by climate change — island chains vanishing under the sea, coastal erosion and flooding here in North America. And arctic communities under threat because the ice is melting and the permafrost is thawing — so their homes are vanishing. Curiously, we have no money to help any of these folks. But I guess if we don’t like them probably plenty of money to bomb them…

And changing the entire basis of our collective societies from burning stuff to something less destructive is not an overnight task, nor a free one. (Assuming there was the political will to do that, either.) Might be easier if we were not so eager to make more people and worsen the problem — but that is another rant. And if the climate modelers are right, even if we stopped everything right now it will take centuries before things change.

So I suspect that in reality the targets are where there is an easy buck to be made, like here in Ontario, and the sincere believers are being encouraged to think that these projects are the solutions to a planetary catastrophe and no one must stand in the way. Anyone who disagrees is a heretic and must be burned. Of course that adds to greenhouse gasses but who cares, anyhow… not when there is money to be made. And in the end, the climate will do what it wants and we will adapt to it or perish.