Tuesday, April 29, 2014

My son is not a statistic.


There is a notice on my fridge.  It is pinned there with a magnet right under the words "PARTS ARE NOT CURRENTLY AVAILABLE".  It has been there for over a month and every day there is growing fear that my son's 2007 Pontiac G5 could become a death sentence.

The letter (posted in full below) starts by essentially saying 'The government says we have to tell you about this' and then follows by minimizing the potential risks down to "... a partial loss of electrical power and turning off the engine".   There is also the very real risk of this fault disabling the power brakes, power steering and airbags, and this has been public knowledge for over a year.  Even worse, the fault was known to General Motors as early as 2005.  This particular defect is found in 2.6 Million vehicles in North America and has been linked to 13 known traffic fatalities.

The really tragic part of this whole thing is that those lives may have been saved if GM line management had listened to their own engineers, who identified a simple fix for under a dollar apiece. As far back as 2005, company engineers proposed solutions for the switch problem, but GM had concluded that none of those fixes represented "an acceptable business case."  The parts to fix the problem could have amounted to as little as $0.57, not including labour.

GM has obviously known about this problem for some time and they do have replacement parts that are available for only $30US, yet based on the recall notice tied to my son's car, "PARTS ARE CURRENTLY NOT AVAILABLE".  Yeah...

I would prefer that my son not become a statistic in a class action lawsuit.  It should never have come to this.  There are too many stories like this one, and the common buyers of these vehicles are young adults.  General Motors knew about the problem and they ignored it, even after traffic deaths had been linked to the defect.  Parts are available, yet for some reason they have not taken the time to ramp up production to fill these orders adequately, even though they have known about this problem for almost a decade.

Large companies like this have an even more important responsibility for their customers' safety, and when they make a mistake, they should fix it.  When they knowingly ignore a potentially deadly defect, they should be punished appropriately.  The $1.3 Billion charge for recalls is a pin prick in their $37.4 Billion Q1 revenue.  As large as that number sounds, it is hardly punitive for a massive company like General Motors.  This is a $500 Billion company, so it is hard to imagine how any actual dollar amount could have any real impact.  More to the point, no dollar amount will ever make me trust them again or bring back the 13 lives that were lost to this incident.  This is one of those times when a corporation should not be able to shield its senior executives from the harm their decisions can result in.

Please help raise awareness and make GM get serious about actually resolving the problem they caused.

Friday, April 11, 2014

Heartbleed (yes, again)

I usually refrain from jumping on the common news bandwagon and just reposting already circulating ideas, but I think the "heartbleed" security flaw is an important enough exception.  It is really (really, really) important that people know what this is and how to protect themselves, so I may be repeating information you already knew here.

Heartbleed [http://heartbleed.com/] is a compromise of the Secure Sockets Layer (SSL) that drives secure communications on the internet.  Essentially, any web site where you may see HTTPS:// as opposed to HTTP:// could potentially be at risk.  Any secure communications using SSL based on OpenSSL will be affected.  It is a pretty big deal.  This xkcd comic does a great job explaining how the exploit works [http://xkcd.com/1354/].

Many companies use SSL to protect and secure their email, IM, and other private data when sending between servers and every one of those secure certificates will need to be discarded and rebuilt.  That causes down time and unique maintenance headaches for every server administrator.

Even if companies don't transport information using SSL, their web hosts (all of them) will need new security keys, and that involves not only the generation of the cert but stopping and restarting web services and everything that goes along with that.  It is a LOT of work.  Elastica Inc has a pretty decent video here if you want a longer explanation.

BTW... you should change all your passwords.... NOW.  Even though you probably do not have any SSL protected data of your own, the servers you connect to *do*.  Let's say you use the same password and username for several services - admit it, you do.  If some "bad" person used this exploit to get your username and password from a server, they can then use that information on any number of other sites where you also use it.

This is not just a password hack though.  This bug allows adjacent data from the server's memory (in blocks of up to 64 KB) to be returned unencrypted and untraceably. That means that any other data in the server's memory may be returned to someone exploiting the bug.  Scary stuff.
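To show where those "adjacent" bytes come from, here is an added toy model (not OpenSSL's code, and not from the original post) of the TLS heartbeat handler: the vulnerable version trusts the length the sender claims and copies that many bytes, while the fixed version first checks the claim against what actually arrived. The ADJACENT_MEMORY buffer and the message layout are simplified stand-ins for real process memory and the real record format.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = b"\x00" * 16  # heartbeat messages carry at least 16 bytes of padding

# Constructed stand-in for whatever happens to sit next to the received
# record in the server's heap (cookies, credentials, keys, ...).
ADJACENT_MEMORY = b"session_cookie=abc123; password=hunter2; "


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat: type(1) | payload_length(2) | payload | padding."""
    n = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, n) + payload + PADDING


def vulnerable_handler(record: bytes) -> bytes:
    """Echoes `claimed` bytes without checking the record is that long."""
    _, claimed = struct.unpack("!BH", record[:3])
    memory = record + ADJACENT_MEMORY          # model of the surrounding heap
    echoed = memory[3:3 + claimed]             # reads past the record's end
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + PADDING


def fixed_handler(record: bytes) -> Optional[bytes]:
    """Drops any heartbeat whose claimed length exceeds what was received."""
    _, claimed = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed + 16 > len(record):     # the missing bounds check
        return None                            # silently discard, as the patch does
    echoed = record[3:3 + claimed]             # stays inside the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything echoed back beyond the payload the client actually sent."""
    _, n = struct.unpack("!BH", response[:3])
    return response[3:3 + n][len(sent_payload):]
```

Running an honest 5-byte heartbeat through both handlers leaks nothing; one that claims 40 bytes makes the vulnerable handler echo the padding plus the start of ADJACENT_MEMORY, while the fixed handler returns None.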

This is being taken very seriously by everyone in the IT world and in some cases, it was easier just to shut down access to all servers while the software was being patched.

If you have any doubt about any service you use, there is a tool here you can use to check if a site has been patched. [http://filippo.io/Heartbleed/]

UPDATE:
I know there are many sites and blogs out there that are saying you don't need to change all your passwords, but I will disagree.  If you use a unique password everywhere then sure, you are fine, but if you are one of the millions of people who reuse passwords because it is too hard to remember them all (admit it, that is you) then you need to change them all.  If you happened to reuse a password from your secure and unaffected bank login on a site that is affected, then there is potential for your credentials to have been compromised.