Patches and Data Theft

Greg Price

If you use a Windows-based computer, you are aware of Patch Tuesday and also the dark side of Windows patching. To say Microsoft’s patching process is riddled with issues would be a kind gesture.

The last several Windows 10 updates were buggy and, in some instances, catastrophic if installed. I often envision the Microsoft patching process as a game of whack-a-mole: one issue is addressed, another bursts onto the scene and the cycle seems to loop continuously.

In October 2019, Microsoft released a new update that was designed to remedy a printer driver issue from the previous update. However, many users encountered the nightmare for all Windows users: The Blue Screen of Death. If you’re not familiar with the Blue Screen, I’ll summarize. Your PC stops functioning completely.

In October, those who encountered the dreaded Blue Screen had to roll back their machines to a previous version of Windows, if they did so within ten days of installing the update. As usual, miscellaneous applications and settings had to be restored, but at least you could resurrect your PC.

Fast forward a few months and Microsoft did it again; an update is causing major problems for some.

The February Windows 10 update, KB4532693, contains almost 100 different bug fixes and some enhancements to improve user interaction, but there’s another problem lurking in the update.

Your data is deleted.

Yeah, you read that correctly: not a Blue Screen of Death but, arguably, something worse. Reports from many Windows forums reveal that Windows 10 will sometimes fail to load user profiles correctly following the installation of the February update. As a result, personal files and settings disappear. Some researchers suggest the issue is related to the mechanism Windows uses to install the update. A temporary user profile is created by the update process and the profile isn’t discarded; rather, Windows gets “stuck” in the temporary profile, resulting in loss of data to your other profiles.

In the forums that I reviewed, users who experienced the issue didn’t lose all data; however, in all instances when the error occurred, all files saved to the Desktop, custom wallpapers and icons vanished.

Microsoft hasn’t issued a response to the complaints, yet. However, Windows 10’s rollback feature appears to address the problem.

If you observe the issue, I suggest rolling back to the previous working version of Windows 10. The steps follow.

Click the Start button and select Settings. Go to “Update & Security”, then select Recovery. Under “Go back to the previous version of Windows 10”, choose “Get started”. Follow the instructions. Eventually the PC will prompt for a restart, and your device should revert.

But, please note, Windows 10 can only roll back within a ten-day window following an update – if you miss the timeframe, the rollback option is no longer available.

For me, I advocate for keeping devices updated. It’s a solid method for securing a device against known vulnerabilities and ensures that you have the latest features and functionality. Microsoft’s poor history with updates is disconcerting. Many people are afraid to enable auto-updates due to the continued failures. More strikingly, large organizations fear Microsoft patches – the looming concern of “breaking” the business is a palpable anxiety.

I don’t know how Microsoft tests and manages quality for the patches. I recognize that their software is wildly popular and testing every permutation and application isn’t a reasonable expectation; however, exposing users to a seemingly incompetent process only erodes confidence and instills a reticence to staying current. In fact, Windows users often litter discussion forums with questions of “who’s done it”, hoping to find the poor soul who jumped before looking.

Let’s hope Microsoft recognizes that new features don’t outweigh reliable, safe operations.

Shifting gears a bit, MGM Resorts recently announced a data breach. The breach occurred in July 2019, resulting in data compromise of nearly 11 million guests.

MGM didn’t specifically express the number of affected guests; however, a cybercrime monitoring firm offered that 10.6 million people had their information breached.

According to a statement from MGM Resorts, they discovered the breach last summer. The stolen data was stored in a cloud server. Among the data was basic “phone book information”. Apparently, names, email addresses, phone numbers and physical addresses were the main items stored in the cloud server. A much smaller number of guests’ driver’s license, military ID and passport information was exposed.

ZDNet revealed the personal information theft, indicating that it was accessible on a hacking forum. After the ZDNet report, MGM Resorts published a statement in which they acknowledged the event. The statement indicated that they hired two cybersecurity companies to assist in the investigation and pledged to upgrade the security systems.

MGM Resorts further stated, “We are confident that no financial, payment card or password data was involved in this matter.” MGM indicated they notified guests according to state data breach laws. Law enforcement is also working the incident; no indication of the cybercriminal was offered, and no one has overtly claimed the breach.

Given that most state data breach notification laws do not require victims to be notified when the stolen information is limited to basic data, such as directory information, it’s likely that many of those affected have no idea their information exists among the breached data.

If you’ve stayed at an MGM Resort property recently, I suggest you follow basic fraud monitoring techniques; even though no financial data seems to exist among the data, we only know what has been released and stated. Taking a few precautions isn’t a bad idea.

Check your financial accounts for fraudulent activity. If you observe something odd, contact your financial services provider and seek a review. If you employ credit monitoring, check your credit reports. If you don’t, request a free report. Again, if you notice something peculiar, report it.

And lastly, consider changing your passwords. Despite the relatively low quality of the data, password guessing success increases as the volume of pertinent data increases.

Watch those patches and check your financial records. Be safe.

Election Run Amuck

Greg Price

A simple definition of technology follows: the application of resources to achieve a goal. Often, the goal is a scientific endeavor, other times, it’s an efficiency objective, and let’s not forget a more obvious desire: solve a problem.

We live in a world littered with fascinating technology, ripe with seemingly constant change. If you take a few moments and ponder the major changes that have occurred in your life over the past few years, it’s likely that technology can be found among those events.

As a technologist, I will testify that technology is often imperfect. In fact, I worked in design for many years and the process of developing a new “computer” technology isn’t immaculate. I’m certain you’re familiar with the old saying, “you don’t want to see how the sausage is made”.

Technology development can follow the scientific method. Careful review, testing and analysis are the hallmarks of pragmatic development. However, nowadays, the desire to reach a goal, such as a new app, frequently requires abandoning rigorous testing. As a result, poorly designed software has become the norm for many of us.

We have become the testers, the evaluators, the frustrated audience for the rapid development of new software technologies. If enough of us complain and allow error logs to be whisked away, patches will arrive. Well, maybe patches will arrive.

Are there bad consequences of these approaches?

No doubt. Crashed apps are common, frustrated users are normal, and technologists fear moving away from stable software platforms.

Just this week, we were reminded of the real-world consequences of poor software development. The Iowa Democratic caucus was Monday night. It’s election year, 2020.

What does that mean? An app of course.

As the nation held its breath and waited with anticipation of the results from a crowded Democratic field, the new technology didn’t fare well.

Last month, the Iowa Democratic Party announced that it planned to use a mobile app to report precinct results. Despite requests by many, the Party refused to reveal much about the app. Independent security companies asked to review the app’s source code (the underlying instructions that constitute the app); those requests were denied. Some sought the testing process and those results; denied. Who developed the app? No comment.

According to the Wall Street Journal, elected officials asked for details about the app; those were met with the same refusal from the Democratic Party.

In the aftermath, we know what happened; at least, we have made observations and have notions of what happened.

The Iowa precinct chairs could not get the app to work properly. It crashed repeatedly. The app was built hastily, and testing was woefully inadequate.

What are some lessons learned from the Iowa Democratic app debacle?

As a starting point, let’s appreciate the importance of an election. There are few things more personal and important than one’s right to cast a vote. In doing so, we place our confidences in the systems and people who manage the technologies that facilitate our desire to voice our choice. The process of voting should be transparent and devoid of obstacles.

Based on the responses to inquiry before the Iowa caucus and the aftermath of the event, one thing is certain: the notion of rapid software design failed.

It’s important to state that the app did not cast votes. Rather, it was designed to deliver quickly the results of precinct votes to the state party. So, based on our basic definition of technology, it appears that the problem that was being addressed was expediency: deliver the results quickly. After all, all eyes were on Iowa – who had the time for slow results reporting? We want what we want right now.

If you’re in the business of running an election, transparency of your technology is essential.

Whether you’re using pencils and paper ballots or computer-based voting machines, allowing inspection, review of the technology and explaining to the voters what’s being used builds voter confidence. If I ask for information on the pencils and paper ballots and the response is “you’ll see, don’t worry about it,” I’m instantly worried.

So what are you to do?

First, explain what’s going on. Mount an open campaign about the technology and explain the purposes and reasons for the approach.

Next, allow, even require, independent inspections. Consider the value of positive validation of your technology from someone not directly involved in the process.

Test, test, test. Inadequate testing of software is irresponsible, especially given the purpose behind an app assigned to a voting process. Proper, rigorous testing will reveal deficiencies and allow for mitigation efforts – hoping for success and accepting likely failures as part of the process is disingenuous.

Lastly, provide adequate resources for success. Technical support resources should be highly available. Planned contingency efforts are a must. And, without a doubt, realistic time for all of the above is mandatory. Reports suggest that the Iowa Democratic app process was executed within two months. That is a tight timeline.

Conspiracy theories are running wild in the aftermath of the caucus. Russians are a favorite, and the app developer, Shadow, Inc., has been beaten up – but, in reality, the explanation is far simpler.

Rushed software and unrealistic expectations gave way to an unfortunate experience.

The bottom line? Technology development should take into account the intended use for the enhancement and develop accordingly. For voting technology, the technology must be accurate and open.

Trust in our election processes is essential. Failed technology is always disappointing, but, in this case, the failure eroded confidence in existing voter technologies and brings their design into question.

Be safe.