How Much Liability Insurance?

This question has been rattling around in the back of my mind given the on- and off-list qt-interest conversations I’ve been having about QML and “lone wolf” development of idiot phone apps.

How much liability insurance are you carrying?

The courts are letting plaintiffs gather in bulk now and companies have started pointing the finger at software providers. You might remember Equifax tried to finger Struts only to later admit they had the patch for Struts in their possession and put off applying it for months.

Interesting read about the per-violation damages Equifax is looking at now that things are moving to court.

https://www.marketwatch.com/story/equifax-could-pay-for-data-breach-in-court-2017-09-13

How many of you releasing stuff into the wild, be it idiot phone apps or IoT software, have considered the amount of liability insurance you really need? Not just for the potential direct damages a bug in your stuff might cause a user, but for the case where your software, like that insecure “smart” device, or Struts in the case of Equifax, becomes the point where a network is breached and is now known worldwide as the software which allowed a T.J. Maxx or Equifax sized identity theft? Do you really think the company holding the data isn’t going to turn around and sue you for the damages, assuming they can’t just directly finger you and sidestep court altogether?

We as Qt developers and IT professionals in general are standing at the edge of an abyss. Automated testing won’t protect you from a failure in your program allowing a breach to happen.

You may wish to believe

“So what? My hokey little Biorhythms phone app crashed. It’s for entertainment purposes only.”

But, did it crash in such a way as to leave some form of console/terminal/inbound network access open? Why? Because your app was on the phone of a Transunion employee who was “saving their data plan” by connecting to the company network and their phone was still connected.

You may have made the person check a “hold harmless” box before they could run your app, but, Transunion didn’t check that box and they have more lawyers than you.

I’m not the only one thinking about this.

https://www.nowsecure.com/blog/2016/11/03/mobile-app-security-risks-could-cost-you/

https://www.bbc.com/news/business-37541594

Since January is a time for resolutions and plans, this is one to contemplate. Does the lure of a fast buck with a phone app you can write on your own outweigh the risks and theoretical liability?

The 142 Biggest Product Failures of All Time

I don’t care if I’m promoting a site which pushes ads at you . . . this time. I haven’t even made it to the end of the list, but I had to create this post. You have to take a few minutes out of your day and read this post.

Did you know Microsoft once tried to market a “smart watch?” I didn’t. Number 35 on the list really shocked me.

Not only did they try to clone a Blackberry, they pulled Kin One and Kin Two from market after only 6 weeks!

Come on. How many of you bought one or more of the products on that list? Fess up! If you are of a “certain age” you tried “New Coke.” Many of you probably were forced to use a computer with Windows Vista preinstalled. Nothing like having failure built in, eh?

Since this blog is mostly read by IT geeks, a better question would be:

How many of you will fess up to having had a hand in creating one or more of these products?

Be sure to check out #74 on the list!

HUAWEI and the Phallus of Clouds

I have blogged for many years that cloud computing was a train wreck waiting for a plane crash to hit it so it could roll down the hill into a daycare center at lunch time. Too many worthless MBA diploma mills cranking out even more worthless management who can only chant buzz phrases like “quick win” and “cut costs.” Not one of them actually knows how to run and build a business. They are all too busy trying to fill out their Outlook calendar leaving only a random 15 minute slice open each day for the next two months.

There is no way anything developed using AGILE methodology can ever truly be secure. When you develop software looking 6 inches in front of your shoes without a real plan you end up with trash. Nobody can tell you it is trash because you never did the 4 Holy Documents up front, so there is no architectural documentation proving your project was a failure.

Combine low skilled MBAs chanting “cut costs” with AGILE software to create cloud services and you create the biggest juicy target in the world for hackers. Are you willing to believe Cloudhopper was the first? I’m not. They just managed to do enough stupid stuff and get caught. I also gotta believe that the Trump trade war with China had something to do with this becoming public knowledge.

Were the MBAs really gullible enough to believe they could “cut costs” by selling off all their infrastructure, canning everyone who knew anything about it and turning everything over to a cloud service? Do they really believe if Cloud-Service-A is breached causing massive identity theft that their corporation who signed a contract with Cloud-Service-A won’t ultimately be held liable? Not one of those worthless MBA diploma mills had their students read about Slick Willie Sutton?

I rob banks because that’s where the money is.

Hackers target clouds because that’s where the data is.

Do the math. It is roughly the same amount of effort to breach one well designed corporate data system as it is to breach a cloud. They are all running the same near free operating systems on pretty much the same x86 based servers and their teams all read the same security manuals on-line. What does a hacker get when they breach one corporate data center? Quite possibly just email. While it is true the email server might have some research or technical specification documents attached to the messages, odds of it having a complete documentation set for an unreleased medical device or some hush hush weapons tech still on the drawing board are small. When you fully breach a cloud service, you get everything for all of their customers. What are you going to target? The crime and potential prison time are basically the same so, aren’t you going to look for a haul which will still leave you Jamie Dimon rich after you get out of prison?

Let’s pick on GE for a moment. Their stock is near worthless now and they are a good example of a mega corporation. GE isn’t just one company. It’s lots of companies bought over many years and never fully integrated. I have no insider knowledge, but, given the worthless management GE has had over the past decade or more, and the fact they are able to sell units off rather easily, I would be stunned to learn they have a centralized IT service. Each company did their own thing before they were bought and, most likely, continued to do their own thing after being bought. If you are a hacker and want unreleased-product-X which is still in the design phase, you have to figure out which company within GE is actually designing the product. Then you have to find out where their data center is on the Internet and begin the drudge work of hacking your way in.

Centralized data systems are a lot of work. Done correctly they are quite secure. Those IBM mainframes and DEC midrange systems kids like to make fun of today were, in many cases, built before the Internet. There are rings and layers of both security and systems connecting these things to the Internet. Many, some might say most, have no direct connection to the Internet. You have to breach N services before you can issue a request to get some small piece of data from them. Selling off a division which is integrated into such a system requires staff years of effort migrating applications and data sets onto a mirror system. It’s not like selling off a division with its own IT infrastructure. For them you sign a few contracts, they turn off data feeds (if any) to your systems and presto, all done.

Cookie-cutter MBAs always wanting a “quick win” leapt onto the cloud. They sold off all of the infrastructure, fired everyone who used to run it and whenever they wanted to sell off a division, they signed a few contracts, some passwords and IP addresses were changed and presto, deal done. They never really thought about security. They never really thought about the liability. Today’s hackers aren’t there to trash your computer for the fun of it. They are there to steal your most precious information and sell it on the black market. Many corporations around the world will pay top dollar for the source code behind your driverless car, surgical robot or any other tech product you have in the pipeline.

While this case may be getting the press right now, it is a long way from the only such instance. The list of companies willing to buy their ill-gotten goods is long. One might even be a company you currently work for. Once you sign a nondisclosure agreement and they let you see some source code, if it doesn’t have a comment in there saying something like john.smith@ge.com you don’t know where it came from. They tell you they had a third party develop the initial cut of the software but are now bringing the development in-house and you continue coding.

Today, it is nothing to walk into a “small” shop of less than a dozen developers, find out they’ve had a high turn over rate and learn the code base is now millions of lines long. You will never read all of that code. You may never see the file which has a comment stating john.smith@ge.com. If you do, are you going to buy the story that they bought some code from GE? Are you even going to ask where it came from?

Seriously? Be honest. How many of you cut and paste code from the Internet leaving out the copyright notice? The majority of you will probably just delete the comment from john.smith@ge.com along with any copyright notice and continue coding.

Theranos – How All AGILE Projects End in a Regulated World

It’s rather fitting that this story breaks shortly after I finished the first draft of “The Phallus of AGILE and Other Ruminations.” The tale of Theranos is the tale of every AGILE project in an environment where things actually matter.

At the heart of the problem is the institutionalized belief that it is okay to sell failure. Hell, why wouldn’t they? Look how rich Bill Gates got committing mail and wire fraud hand over fist, putting “Operating System” on the outside of Windows boxes and in every ad when it was not. Every version prior to Windows NT 3.x was nothing more than a task switching GUI layered on top of DOS. IBM had Presentation Manager on top of OS/2, but they didn’t offer Presentation Manager as an independent operating system. They had ethics, Microsoft did not. Probably still doesn’t to this day.

In order to use AGILE, you have to firmly believe criminal fraud is not only okay, but the preferred method of doing business around the world. At the heart of this belief is a two word phrase:

For Now

Just take this tiny bucket of user stories, work on them for a sprint, code up some Jenkins test scripts which test absolutely nothing and turn it into product for use by paying customers. This is something which is not allowed in the FDA regulated world and shouldn’t be allowed at any business operating in or selling to America.

I’m willing to bet “For Now” is exactly how Theranos got into this fine pickle. Investors screaming for them to go live and start generating revenue meant going live “for now” using the traditional tests. Those developing this be-all and end-all product were working from a single user story, without The Four Holy Documents to guide them, fully believing that if they kept hacking at it the thing would eventually work.

As a clinician I would like to run a full battery of blood tests in half the time at far less than half the cost using as little as one drop of blood.

While that’s an idea, it isn’t sufficient for a project. Those of you looking to learn more about The Four Holy Documents can wait until “The Phallus of AGILE and Other Ruminations” is printed. It’s not a religion unless you consider doing projects correctly, then, yes, it is a religion and AGILE is this heretical offshoot which has surfaced time and time again trying to justify hacking on the fly. Look up RAD (Rapid Application Development) during the era of DOS. It was later followed by Extreme Programming and now AGILE. I may even have missed a few labels this heretic cult used to market it over the decades.

As an added marketing incentive Extreme Programming adopted the moniker XP which helped sell it to clueless MBAs who knew their company was running the XP operating system so shouldn’t we use XP development practices? Yes, that is the flaw with abbreviations and monikers, like saying the sea is called the sea because you can’t see across it.

So, here we have a company operating by the guiding principle of AGILE, “for now,” burning through cash without having developed an actual product, just like AGILE. The shell game goes on as those in the know pray to various deities that somehow the boys and girls in the lab will get the thing to work. Just one more sprint and this time things will all be fine.

The goal wasn’t bad. Adopting the AGILE mantra of “for now” and going public was. Hopefully their research wasn’t complete shit. If so, I really hope government funded universities around the world will create The Four Holy Documents, determine which steps have and have not been achieved, and continue the missing pieces based on the strengths of each university. The goal was laudable. Everything which happened afterwards wasn’t. Maybe it can’t be done, but that doesn’t mean it isn’t worth a real try.

Those who don’t believe that last statement should read up on the history of glucose meters. They used to be incredibly expensive, take a rather large quantity of blood (for people testing multiple times per day) and, by some accounts, you had to wait somewhere between 1 and 15 minutes for a result. Today anyone can walk into a drug store and buy a glucose meter for under $50 which uses test strips that need one small drop of blood and gives you the results in 5 seconds or less.

There was a time when getting polyps removed was major surgery you might not live through. Today they make you drink nasty stuff, shit your brains out, and line you up like cars outside of Jiffy Lube on Saturday morning. Anyone who doesn’t get this reference simply isn’t old enough. Wait until you turn 50 for that wonderful experience which is required every 3 years thereafter.