To Fly, To Shoot, Perchance to Dream

We have a “No Fly” list in this country. It is supposed to keep people who are terrorist threats from boarding airplanes where their shoe or underwear bombs could do great damage. This is generally a good thing, but the no fly list has a couple of problems. The problems have been reported regularly for a long time, most recently in the 12/8/15 New York Times (Push for Gun Curbs Tied to No-Fly List Puts Republicans on the Spot, Alan Rappeport, NYT 12/7/15). The problems are both pretty egregious and should have been fixed years (possibly decades) ago:

  1. According to some estimates, of the 700,000 or so people on the list, more than half don’t belong there.
  2. Once on the list, whether you belong there or not, there seems to be no way to get off.

This is apparently an easy list to get on. Elizabeth Pipkin, a California trial lawyer, says “there is really no criteria for these lists. The government can put anyone on it for any reason.” (Op cit.) She spent nine years in litigation getting one client off the list. In the government’s defense, the client has one of those funny-sounding, non-American names, which was probably enough to get her on the list in the first place.

That the problem is of long standing is evidenced by the fact that Ted Kennedy was once on the list. He got off the list, but it wasn’t easy for him either.

That this problem exists and has gone unaddressed for more than 20 years speaks volumes about the effectiveness (and value) of the Congress, a body in our government that has within its power the ability to fix such problems. The situation is ridiculous and should have been fixed in the previous millennium. But wait, there is more.

In the past few days, several, including the President, have proposed that one response to the shootings in San Bernardino should be to prevent people on the no-fly list from purchasing weapons. This seems like a no-brainer, especially given GAO’s report that between 2004 and 2014, 2000 people on the list did buy weapons. Who could argue that people on the terrorist watch list should be able to buy weapons? Quite a few, apparently, several of them running for president.

There seem to be three main arguments, all of them specious.

  1. Marco—oops, sorry; respect—Senator Marco argues that more than half of the people on the no-fly list do not belong there. They are just ordinary citizens (many of them Muslim) going about their business, and we shouldn’t impinge on their rights by not allowing them to buy guns. News flash Senator: not being able to fly impinges on their rights, too. This is, indeed, a big problem. Get off your ass and fix it.
  2. The no-fly list is just a part of the terrorist watch list (more than a million people on that list), so making this change would not come close to solving the whole problem. That is true, but not relevant. If you have a gas leak in your house, you don’t refuse to fix it because the repair won’t also fix the leak in your roof. No change to gun ownership rules will fix all problems associated with guns. But, almost any change would demonstrate some willingness to address gun issues, and that would be a step forward. Congress, show a little bit of courage. Get off your ass and fix something.
  3. “Guns aren’t the problem. People are the problem.” Or, “mental illness is the problem.” Guns by themselves aren’t a problem. They can be useful. They can be fun. They can increase your sense of security (although for most gun owners, it is doubtful that they get more than a false sense of security—look at all they did for Reeva Steenkamp). But, 12-step attendees are taught that anything that causes problems is a problem. Congress, show a little bit of courage. Mentally ill people using guns is certainly a problem. I’ll bet there are things we could do to address that problem. The Congress would be the body that could address that. Get off your ass and do something.

We have averaged more than one mass shooting per day this year according to some reports reports 353 so far this year. Mother Jones puts the number at 4, so there is some controversy over how to count these things. What other country in the world even has something like None. They wouldn’t have anything to do. Even if the number is 4, that’s a problem (and it doesn’t include the number of individual shootings per year, which is also a problem).

I haven’t heard anyone yet argue that a mass shooting every day is perfectly normal, and no problem at all, but I’m expecting it soon.



If someone breaks into your house or, worse, invades it while you are there, you will feel a variety of strong emotions including outrage, anger, and fear. It may be hard to feel safe there again. A few months ago, our neighborhood suffered a rash of mid-day burglaries–kick in the front door in the middle of the day while everyone is away and steal whatever you can that you can sell quickly, and generally trash the place as you are going through it. (The police told us that the front doors were heroin addicts. The rash of auto burglaries that we had at the same time were meth addicts.) One family across the street was broken into twice–once while the kids were at home. They moved to a gated community.

I haven’t personally had this experience. After years in security, I guess I know how to make my house look like a harder target than my neighbor’s house. But, I have a pretty good understanding of how they feel. In our current (over-) connected society, we can have the same feelings when our computers are invaded. I once had the experience of having my computer broken into while I was sitting in front of it. I didn’t really feel violated so much as insulted. “How could you. I’m using this now. How stupid do you think I am?” (“pretty stupid.”) In the end I felt pretty good about that incident. Using my superpowers, I removed the intruder, cleaned up his mess, and discovered and closed the hole he had used to get in, all within an hour.

Today things are different from those days long gone. Today I build and operate networks of computers “in the cloud,” somewhat freed from the computer under my desk (but not from a bunch of laptops). I get the computing horsepower I need from a large vendor of “Infrastructure as a Service” (IaaS in the industry jargon). If I need a new machine for an experiment, I ask for one and 5 minutes later, I have one. If after a couple of hours, I’m through with the new machine, I throw it away. There is some cost involved, but the machine I used for a couple of hours costs far less than my time, and way less than the cost of having a spare piece of hardware lying around. (If you want to learn a little bit more about how cloud computing works, you can look here.)

Last week, I had a strange experience. I received a notice that one of my cloud machines had been used in an attack on somebody else’s computers. Naturally they wanted to know what I was going to do about that. That part of the story is not unusual. The unusual part is how I felt about the incident. This was not a break-in at my house. It was not a break-in of my computer. But, there was a break-in, and I still felt angry and violated. I wanted to understand what had happened and make sure it could not happen again. I wanted to catch that hacker and step on their fingers (the tools of their trade). I wanted to make sure they would never again disrupt the flow of my well-ordered life.

A few days later, I see how strange this was. It’s not like some real possession was broken into or attacked. There is no physical machine anywhere in sight. There was nothing that was “mine” there except for some work 5 years ago. And yet, I have this feeling of violation. Why? I don’t really understand this. But, I do better understand the feelings of people who have actually been violated. It’s not a small issue, and could have lasting repercussions.

I also felt curiosity. My first instinct was to get on the machine and look around to see how they had gotten in. But, there was a problem with that. I built this machine almost 5 years ago and really hadn’t been back to it since then, and I couldn’t remember how to get on (which only convinced me even more that someone had taken it over). There really is a right way to deal with these incidents, and I had the luxury of being able to use it; I notified the right people, shut the machine down, and went to dinner.

I did get on the machine the next day and looked around. I found that the machine was under attack almost continuously, but from people who really need to get a life. I’m happy with attacks from the terminally stupid (the attackers who try the same thing over and over again, sometimes for hours or even days, in the hope that something will be different the next time). But, I didn’t find the attacker who succeeded, and I’m not happy about that. That means I would never know if I had successfully cleaned up the machine.

In the end, I chose the path of no resistance–preserve the data I’m trying to serve from the machine and throw everything else away. Rebuild the machine from the ground up on a new, more secure platform and move on. This is a cloud computing path I could not have chosen with a non-cloud machine. The attacks are inevitable and continuous, and some are bound to succeed. The cloud infrastructure has given me a new, less stressful way to respond, and I am happy about that.

Medical Records

@”Victo Dolore” recently posted an entry (here) in which she “confessed” that she wanted to move from doctoring (except for the part about seeing patients) to health policy or electronic health records (EHR). These are both areas that need vast amounts of attention. One comment that I have on EHR is that to be safe and effective, ultimately, a universal patient identifier (UPI) will be needed.

I spent many years in computer security, and one of the things that happened near the beginning of that time (in the ’70s) was the war over the use of the Social Security Number (SSN) as a universal identifier for all sorts of things government related (or even commercial). That war took years and, in the end, was a loss for everybody—activities that really needed the SSN didn’t get it; activities that didn’t need it got it; and the SSN was diminished as a result.

I predicted then, and still believe, that a universal identifier is needed for patient records, and that the battle over such a concept will be bigger and longer lasting than the SSN battle.

The UPI battle hasn’t really begun yet, but a pair of columns in the New York Times, even though they didn’t discuss this issue, suggested to me where it may occur. In this morning’s Times (2014/11/09) Elisabeth Rosenthal had a column entitled Medical Records: Top Secret. This was the second column dealing with a man named Peter Drier, who received a surprise bill of $117,000 from an out-of-network surgeon who assisted in his back operation—a surgeon he had never heard of. That situation begs comment on several levels, from ethical to legal, but that is not my objective here.

Rosenthal’s second column was about the difficulty Mr. Drier had getting his own medical records from the hospital. It took him 6 weeks during which the hospital hid behind HIPAA (the privacy protection law intended to protect Mr. Drier, not the hospital), charged him $100 for copying (he would have needed a truck to carry $100 worth of copying), and made him appear in person to obtain the records. Ok, questionable legal ground—the hospital had 30 days to comply, according to the law, but when the clock starts is unclear, outrageous fee, and murky ethical ground (well, not really very murky), but in the end he got the records.

Suppose that, instead of the hospital, he had been dealing with his insurance company.

You can suppose that the insurance company had access to pretty much all of the medical record—they had to assess it to decide what they would pay. But, you don’t know what they did with the records. Did they look at them, make a decision and then destroy what they had? I don’t think so. Would you do that if you might be required to answer questions later? How do you know that the records they attached to your name were actually records pertaining to you (this is where the UPI comes in)? How would you find out? If you suspected an error (even organizations as well meaning as your insurance company make mistakes), how would you get it corrected? You have access to your credit records and a mechanism to correct mistakes (it ain’t easy, but it is possible). Do you have access to the records held by your insurance company and a mechanism to correct them? If those things exist, I’ve never heard of them. And, the insurance company isn’t going to volunteer to give them up. Legislation will be required. Strong public opinion will be required to prevail in the face of lobbyists at least as well funded as oil company or banking lobbyists.

So, here’s my unsolicited career advice to Victo Dolore (my unsolicited advice to the rest of you is to go and read her blog; it’s pretty interesting): forget health policy (98% politics) and go do something about electronic records (probably no more than 75% politics, woo hoo). We badly need help in that area. We need it so badly that we don’t yet even realize that we need help. And, you won’t have to work with Ted Cruz.


The blogging 101 assignment to write a post about the Truth Serum prompt didn’t interest me at all. “You’ve come into possession of one vial of truth serum. Who would you give it to (with the person’s consent, of course) — and what questions would you ask?” I didn’t like it. I didn’t want to spend time on it. And, I didn’t want it on my blog.
