The Daily Parker

Politics, Weather, Photography, and the Dog

Predictable and sad

Credit reporting agency Equifax reported last week that thieves had made off with 143 million customer records:

According to a person familiar with the breach investigation, Equifax appears to have been targeted initially because the company keeps on file millions of active cards, belonging to people who pay $19.95 or more per month to have Equifax monitor their credit reports and alert them to potential fraud. The hack, which the company says took place in late July, put as many as 143 million consumers -- or half the U.S. population -- at risk.

The person, who requested anonymity to discuss the ongoing investigation, said the web application the attackers used to breach Equifax’s corporate network granted access to both the credit card files and back-end systems storing the exhaustive data profiles on consumers. Those profiles include Social Security numbers, driver’s license numbers and other sensitive information, Equifax said Thursday in a statement.

Criminals took advantage of a “U.S. website application vulnerability to gain access to certain files” from mid-May through July of this year, Atlanta-based Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit card numbers for about 209,000 consumers were also accessed, the company said.

“You would expect these guys to have compartmentalized this data far enough away from a web server -- that there would not be any way to directly access it,” said Tim Crosby, senior consultant with security-assessment firm Spohn.

Knowing how large companies work, and knowing about the diffusion of responsibility principle, and having a healthy belief in the power of governments to correct for bad incentives, I can't say I'm surprised. Neither is the Atlantic's Ian Bogost:

There are reasons for the increased prevalence and severity of these breaches. More data is being collected and stored, for one, as more people use more connected services. Corporate cybersecurity policy is lax, for another, and sensitive data isn’t sufficiently protected. Websites and apps, which are demanded by consumers as much as they serve the interests of corporations, expose paths to data that should be better firewalled. Software development has become easy and popular, making security an afterthought, and software engineering has failed to adopt the attitude of civil service that might treat security as a first-order design problem. And hacking and data theft have risen in popularity and benefit, both as an illicit business affair and as a new kind of cold warfare.

Of course Equifax, as would be expected of a normally-functioning American corporation, bungled the response:

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.

The solution many people recommend is to freeze your credit reports—for a fee, multiplied by 4 to make sure you get all of the credit-reporting agencies. (Everyone has heard of Equifax, TransUnion, Experian...and Innovis. You've heard of Innovis, right? The one that doesn't offer a free annual report?)

Almost immediately, a team of lawyers including a former Georgia governor filed a class-action lawsuit. So have a group of plaintiffs in Oregon. We can also expect an action from the SEC relating to at least three Equifax managers selling their stock right before the announcement.

This situation is why we have government. The incentives for credit-reporting agencies run directly counter to the incentives of the hundreds of millions of people whose data they store. (You're not Equifax's customer; commercial enterprises are.) Without government regulation and higher liabilities for data breaches, this will just keep happening. But that's not "business-friendly," so the right-leaning American and British governments will dither for another few years until someone publishes the leaders' own data. Because their incentives are bad, too.

Replicating climate change denial papers

A new paper in the journal Theoretical and Applied Climatology tries to replicate the most-referenced papers in the 3% minority that find alternate explanations for human-caused global warming. Turns out, the deniers are still looking for their Galileo:

This new study was authored by Rasmus Benestad, myself (Dana Nuccitelli), Stephan Lewandowsky, Katharine Hayhoe, Hans Olav Hygen, Rob van Dorland, and John Cook. Benestad (who did the lion’s share of the work for this paper) created a tool using the R programming language to replicate the results and methods used in a number of frequently-referenced research papers that reject the expert consensus on human-caused global warming. In using this tool, we discovered some common themes among the contrarian research papers.

Cherry picking was the most common characteristic they shared. We found that many contrarian research papers omitted important contextual information or ignored key data that did not fit the research conclusions.

We found that the ‘curve fitting’ approach also used in the Humlum paper is another common theme in contrarian climate research. ‘Curve fitting’ describes taking several different variables, usually with regular cycles, and stretching them out until the combination fits a given curve (in this case, temperature data). It’s a practice I discuss in my book, about which mathematician John von Neumann once said, "With four parameters I can fit an elephant, and with five I can make him wiggle his trunk."

This represents just a small sampling of the contrarian studies and flawed methodologies that we identified in our paper; we examined 38 papers in all. As we note, the same replication approach could be applied to papers that are consistent with the expert consensus on human-caused global warming, and undoubtedly some methodological errors would be uncovered. However, these types of flaws were the norm, not the exception, among the contrarian papers that we examined.

You can count the insurance industry among the groups that believe the science is settled. Insurers appear to have started looking at climate change as an inevitability, not a risk, which changes their models radically:

[F]lood insurance was not a lucrative business to begin with. Congress set up the National Flood Insurance Program in 1968 as it became clear that private companies couldn’t profitably provide coverage. Now, nearly half a century later, the program is—ahem—under water by $24.6 billion. As a result, there’s a push to move flood insurance toward the private market. That could mean less building in flood-prone areas, as they become effectively uninsurable thanks to sky-high rates. Says Morningstar’s Brett Horn: “Frankly, that’s not a bad outcome.”

Meanwhile, the second major hurricane of the season is heading for Florida...

Challenge to the Arpaio pardon

It took less than a week for two separate entities to challenge President Trump's pardon of racist thug former Maricopa County, Ariz., sheriff Joe Arpaio. Via Jennifer Rubin, the Federal judge who convicted Arpaio of criminal content has stopped short of vacating the conviction:

Instead she ordered Arpaio and the U.S. Department of Justice, which is prosecuting the case, to file briefs on why she should or shouldn't grant Arpaio's request.

Bolton has scheduled oral arguments on the matter for Oct. 4, the day before Arpaio was supposed to be sentenced.

There is case law that says a pardon implies an admission of guilt, and that will have to be argued in open court.

Rubin adds:

Meanwhile, Protect Democracy, an activist group seeking to thwart Trump’s violations of legal norms, and a group of lawyers have sent a letter to Raymond N. Hulser and John Dixon Keller of the Public Integrity Section, Criminal Division of the Justice Department, arguing that the pardon goes beyond constitutional limits.

Put simply, the argument is that the president cannot obviate the court’s powers to enforce its orders when the constitutional rights of others are at stake.

Lurking in the background is the potential for Trump to pardon associates involved in the probe of possible collusion between the Trump campaign and Russian officials and the possible obstruction of justice that followed. The Arpaio pardon may well have been an attempt to signal to those officials and ex-officials that they can resist inquiries with the assurance that Trump will pardon them. (Recall Trump’s unprecedented remarks that Michael Flynn should hold out for a grant of immunity.) Using the pardon power to obstruct an investigation into his own possible wrongdoing would signal a constitutional crisis.

A crisis that the Republicans in Congress could resolve simply by, I don't know, doing their fucking jobs. But the Party of Lincoln is happy to allow the President to destroy his office for personal gain, as long as they get their tax cuts.

Makes you long for the more-ethical days of Caligula and Nero, doesn't it?

How wet is Houston?

Via WGN-TV, the fourth-largest city in the U.S. has received more rain in the last week than Chicago receives in an average year. 

Chicago's average annual precipitation is 910 mm. Since last Friday, Houston has gotten 1,070 mm. The wettest year in Houston history (1900) dumped 1,851 mm on it. So far this year, with 4 months left to go, Houston has gotten 1,798 mm. Of course, the odds are pretty good that the city will get another 53 mm of rain before December 31st.

We have no idea how bad the damage is yet. The entire Houston Chronicle website is about the flood. At least the rain has stopped for now—but officials worry about additional reservoir overflows and levee breaks.

We're just beginning to understand the magnitude of this disaster. And with key Federal posts, including FEMA Director, yet to be filled, President Trump is so out of his depth one can only hope that state and local governments can help.

Not looking good in Houston

Hurricane Harvey has dropped so much rain on Houston that two 1930s-era dams have been overwhelmed for the first time in history:

The U.S. Army Corps of Engineers confirmed Tuesday morning that water was spilling from around the dam gates of the Addicks Reservoir, which has been overwhelmed by extreme rainfall from Hurricane Harvey. Officials said they expect the Barker Reservoir, to the south of Addicks, to begin overflowing similarly at some point Tuesday.

A Harris County Flood Control District meteorologist said the overflow from the reservoirs would eventually flow into downtown Houston.

The reservoirs, which flank Interstate 10 on the west side of Houston, flow into the Buffalo Bayou and are surrounded by parks and residential areas. Water levels in the two reservoirs had already reached record levels Monday evening, measuring 32 m at Addicks and 30 m at Barker.

Engineers were unable to measure water levels at the Barker Reservoir on Tuesday because its gauge was flooded overnight, said Jeff Lindner, the Harris County flood control meteorologist.

In response, City Lab asks, why can't the U.S. manage flooding?

For New Orleans, whose below-sea-level position makes it particularly imperiled, the August floods were a reminder of something we should take much more seriously than we have. We ought to apply more aggressively the lessons we claimed to be learning from the Dutch after Katrina. It’s a course of action that would amount to a sea change in how we approach the wet threat that surrounds us on every side.

We need to get as smart and wily about water as Rotterdam. New Orleans’s continued viability as a population center and commercial hub depends on it. We must learn to live with water, to absorb rainfall and storm surge in massive retention facilities, to designate greenspaces that double as parks. We need to stop paving our yardsto make nifty little pads for the family car. We need to build absorbent rooftop gardens on as many buildings as can be put to that purpose.

Speaking of, I'm planning to visit New Orleans this weekend. Harvey is expected to pass northwest of the city tomorrow and land in the Tennessee Valley by Friday afternoon. I'm still bringing water shoes and an umbrella.

Monday afternoon I'll-read-this-later summary

Articles I haven't got time to read until later:

That's all for now. Busy weekend behind me, another one ahead.

Existence proofs and military robots

Via Bruce Schneier, an essay on how the fact that something appears in nature means it can exist, and what this means for military robots:

In each of the [Planet Earth II] documentary’s profiles of monkeys, birds, and lizards, I saw what technologists refer to as an “existence proof.” Existence proofs are the simplest way to resolve an argument about what is technologically possible. Before 1900, people argued whether building a human-carrying powered airplane was possible. In 1903, the Wright Brothers ended the debate with an existence proof. As I watched Planet Earth II, I saw existence proof after existence proof of technological capabilities that, applied to warfare and espionage, would make global militaries and intelligence agencies significantly more powerful – but also significantly more vulnerable.

I realized Hollywood has it all wrong. The future of military robotics doesn’t look like The Terminator. It looks like Planet Earth II.

Imagine a low-cost drone with the range of a Canada goose, a bird that can cover 1,500 miles in a single day at an average speed of 60 miles per hour. Planet Earth profiled a single flock of snow geese, birds that make similar marathon journeys, albeit slower. The flock of six-pound snow geese was so large it formed a sky-darkening cloud 12 miles long. How would an aircraft carrier battlegroup respond to an attack from millions of aerial kamikaze explosive drones that, like geese, can fly hundreds of miles? A single aircraft carrier costs billions of dollars, and the United States relies heavily on its ten aircraft carrier strike groups to project power around the globe. But as military robots match more capabilities found in nature, some of the major systems and strategies upon which U.S. national security currently relies – perhaps even the fearsome aircraft carrier strike group – might experience the same sort of technological disruption that the smartphone revolution brought about in the consumer world.

The next war won't look anything like the last one. (Then again, it never does.)

Possibly the worst self-inflicted data disclosure in history

It's hard to overstate how bad this is. Via Bruce Schneier, it turns out that the Swedish Transport Ministry outsourced its database hosting to IBM, which subcontracted the work to a Serbian company with ties to the Russian military. And what databases did Sweden wind up hosting in its "Cloud" facility in Serbia? All of them:

Part of what IBM contracted to was run, and which was run from Serbia, was the Swedish government’s secure intranet – the SGSI, the Secure Government Swedish Intranet. This network is in turn connected to the European Union’s STESTA, which is a European Union secure network. This is what the Swedish Transport Agency gave staff in Serbia administrative network accessto, and it is no conspiracy theory that Serbia is a close military ally with Russia. While it can’t be proven in this specific case that high-value military information in Serbia’s hands also comes into Russia’s hands, it’s one of those things that should just be assumed in the general case.

The net effect here is that the EU secure Intranet has been leaked to Russia by means of deliberate lawbreaking from high ranking Swedish government officials. Even if there are additional levels of encryption on STESTA, which there may or may not be, this has “should never happen” written all over it.

Sweden's own data, leaked through this outsourced administration, include:

  • The weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields);
  • Names, photos, and home addresses of fighter pilots in the Air Force;
  • Names, photos, and home addresses of everybody and anybody in a police register, all of which are classified;
  • Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams;
  • Names, photos, and home addresses of everybody in a witness relocation program or who has been given protected identity for other reasons;
  • Type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a ton about the structure of military support units....

There isn't a desk in the world sturdy enough for the massive head impacts that the rest of the worlds' security forces are perpetrating on them right now.

Stunning.

ACLU changes its policy after Charlottesville

The organization will no longer defend armed hate groups:

The change in policy followed the ACLU of Virginia’s decision to file suit to ensure that an assortment of white supremacist groups could hold the now-notorious “Unite the Right” rally earlier this month in Charlottesville’s Emancipation Park. While the ACLU wasn’t responsible for the fatal violence that ensued, the entire organization was convulsed in the fallout. One ACLU of Virginia board member resigned in protest. In a historic gesture, three California affiliates broke with the Virginia branch and the national organization to condemn the lawsuit. “If white supremacists march into our towns armed to the teeth and with the intent to harm people, they are not engaging in activity protected by the United States Constitution,” they said.

In a statement to the New Republic, an ACLU spokesperson said the new policy will be applied on a “case by case” basis, meaning greater scrutiny will be applied to possible clients. “If we determine that any potential client intends to subvert their rights under the First Amendment to cause violence, we wouldn’t represent them. The First Amendment doesn’t protect violence, that hasn’t changed,” Noa Yachot said.

Interesting. And sad. But necessary.