Sunday, July 4, 2021

Government is now mandating safer software

 


In the late 1990s I was invited to attend an event sponsored by the National Institute for Occupational Safety and Health (NIOSH). It was about how software sucked and was unsafe.


I saw the handwriting on the wall that someday the Government would start regulating software, because industry wasn't (management sees it as a waste of time and, more importantly, of Their money). I started my Software Safety site way back then and became a Certified Software Quality Engineer (CSQE from ASQ). I expected that someday there would be a need for people, such as myself, who could review software for correctness, especially in the Embedded System area. It has taken far longer than I expected for the Government to start mandating safer software. That day has arrived.


This is aimed at TikTok. However, the order makes no distinction between 'connected software' on phones and the same software on embedded devices, such as Their '(d) end-point device'.


https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/09/executive-order-on-protecting-americans-sensitive-data-from-foreign-adversaries/


"... In evaluating the risks of a connected software application, several factors should be considered.  Consistent with the criteria established in Executive Order 13873, and in addition to the criteria set forth in implementing regulations, potential indicators of risk relating to connected software applications include: ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities; use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data; ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary; ownership, control, or management of connected software applications by persons involved in malicious cyber activities; a lack of thorough and reliable third-party auditing of connected software applications; the scope and sensitivity of the data collected; the number and sensitivity of the users of the connected software application; and the extent to which identified risks have been or can be addressed by independently verifiable measures. ...


(d) The Secretary of Commerce shall evaluate on a continuing basis transactions involving connected software applications that may pose an undue risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; pose an undue risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; or otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.  ...


Sec. 3.  Definitions.  For purposes of this order: (a) the term “connected software application” means software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the Internet; ..."



http://www.softwaresafety.net


Monday, June 25, 2018

When Pain is Relentless

My interview for Migraine Awareness Month: When Pain is Relentless.

I was once very active in many LinkedIn groups; then my wife Karen took her own life to stop the relentless pain from Intracranial Hypotension due to Cerebrospinal Fluid (CSF) Leaks, a condition that is more common than many think (for example, actor George Clooney had/has a CSF Leak and considered suicide), yet is so unknown that some doctors argue the condition does not even exist.

Part of the problem is that Fluoroquinolone antibiotics maimed her for life. I'm now up to 34 people who have told me their own CSF Leak started after taking such antibiotics as Cipro, Levaquin, Avelox etc. There is ZERO research on this connection because no one else connected the dots. Please help me change that. http://www.kpaddock.com/fq.

Wednesday, June 20, 2018

The death of Gimpel Lint. Do you read your license agreements?

I have long been a fan of Gimpel Software LLC's Lint product for doing static analysis of my projects.

I was excited about buying the new "PC-lint PLUS" version, even with the price increase. That is until I actually read their license agreement.

First we need to take a step back and discuss license agreements. Do you actually read the license agreements before or after purchasing/licensing your software/firmware? You really should, as you may find something you don't agree with; for example, from my own license agreement:

"...General:
This License is the complete statement of the agreement between the parties on the subject matter, and merges and supersedes all other or prior understandings (no matter how conveyed), purchase orders, agreements and arrangements. This License shall be governed by the laws of the Commonwealth of Pennsylvania. Exclusive jurisdiction and venue for all matters relating to this License shall be in courts and fora located in the Commonwealth of Pennsylvania, and you consent to such jurisdiction and venue. You agree to grant The Designer-III Company, LLC a non-transferable option to claim, for now and forever more, your immortal Soul. Should The Designer-III Company, LLC. wish to exercise this option, you agree to surrender your immortal Soul, and any claim you may have on it, within five (5) working days of receiving written notification from The Designer-III Company, LLC, or one of its duly authorized minions. There are no third party beneficiaries of any promises, obligations or representations made by The Designer-III Company, LLC, herein. Any waiver by The Designer-III Company, LLC, of any violation of this License by you shall not constitute or contribute to a waiver of any other or future violation by you of the same provision, or any other provision, of this License.
...

As no one has ever commented on the binding agreement on their Soul, I surmise that no one has ever actually read the text when they clicked 'Agree' in the installer.

Returning to Gimpel: as I read their license agreement, MANY times, it seemed to state that I must buy a copy of Lint for every project that I analyze with PC-lint PLUS.

To make this more tangible, let's use the analogy of a contractor building a house. You generally expect the contractor to have their own fundamental tools, such as a hammer.

Now, according to the Gimpel license agreement, for every house (project) the contractor builds, the contractor (you or I) must buy a new hammer. At the completion of the house, the hammer is left with the customer who contracted for the house to be built. That the customer has no use for a hammer, or does not know its correct and safe usage, is irrelevant.

So if you build three houses, or projects, you must purchase three hammers (copies of PC-lint PLUS).

When I raised this absurdity with Gimpel, in a lengthy email exchange, they gave me the option of buying a reusable hammer (I can use PC-lint PLUS all I want for anything, as a consultant working on software for a client for a limited time) at the cost of $9980! I must give credit to the lady in sales that I was working with, who was sympathetic to my view. Alas, management above her was not.

I feel like I have been selected for personal punishment for being honest and following the rules by actually reading the license agreement. I'm sure most people don't, and simply buy one hammer (PC-lint PLUS) and go on their way.

Gimpel's position is that it was a lot of work to update their Lint product to match modern C++ proclivities, and they need to be paid for that time-consuming hard work. I expect to be paid for my work as well, so I can empathize with their position, yet not at all with their current solution.

What do you feel is a better solution?

Using PC-lint PLUS with Open Source code also appears to be a problem. Saying that a change was made to remove Lint error #123456, or using a Lint suppression directive around a section of code, is apparently not allowed.

Now, to be compliant with "5. OWNERSHIP" of the PC-lint PLUS license agreement, I must state the following (if we actually pony up the nearly ten grand for this new version):

"...Whenever You make any formal (written, printed or oral) reference to PLUS, such representation shall be accompanied by a reference to Gimpel as the developer of PLUS. However, such reference shall not be represented as an endorsement by Gimpel.

You agree that You will not represent Gimpel as endorsing or making specific claims regarding your organization, your products or your services thereof without the express written permission of Gimpel. ..."

I'm sure that, as the intelligent person you are, you know Gimpel is not endorsing this particular blog entry or The Designer-III Company, LLC. We must be true to the license agreements, must we not?

I really wish we could get the world to move on to functional languages like Elixir and leave C and C++ in the dustbin of history, where they belong today.

Elixir is a dynamic, functional language designed for building scalable and maintainable applications. Elixir leverages the Erlang VM, known for running low-latency, distributed and fault-tolerant systems, while also being successfully used in web development and the embedded software domain.

Sunday, May 29, 2016

When is it time to say 'No' designing a pain giving device?

I just came across the Pavlok, a device that is designed to cause pain (reference: Pavlov's Dogs).

THE FIRST DEVICE THAT BREAKS HABITS BY DELETING TEMPTATION.
PAVLOK ASSOCIATES A MILD ZAP WITH YOUR BAD HABIT, TRAINING YOUR BRAIN TO STOP LIKING THE HABIT.
THE ZAP IS AN ELECTRIC SENSATION THAT RANGES FROM PLEASANT TO SLIGHTLY UNCOMFORTABLE.

I realize the debate about designing weapons that kill people has been going on forever, and we are not likely to settle that debate here.

What happens when the software in the device or its control app has bugs? What is the security of the device if it is 'hacked' or used by the mysterious evil 'Them' (fill in your choice of conspiracy group)?

The one that really puts it over the top for me is linking this pain-giving device to Smart Meters. Set your thermostat too high and you get zapped. Is this really the world we want to be creating with the Internet of Things (IoT)?

'Road to hell'

...Prof Alan Woodward, a cybersecurity expert from Surrey University, said the more connections which are made between devices, the greater the risk of a security weakness.

"Having a convoluted interaction between systems is almost inevitably going to lead to unintended security flaws," he said.

"I know this type of technology is developed with the best of intentions but the road to hell is paved with them."

"Just because you can connect devices en masse doesn't necessarily mean you should." -- http://www.bbc.com/news/technology-36301778


Having watched my late wife suffer from Chronic Pain for years, I will refuse to be involved with any device that causes someone to experience any level of pain. Karen's Journal is required reading at Duke School of Medicine.

"Karen's first-hand account of her illness gave an honest, heart-wrenching depiction of what it is like to live with debilitating pain day-to-day." -- The Derrick Newspaper, Sept 8th 2014.


The late Karen Shettler Paddock on the cover of the local newspaper.


NTP Study shows Cell Phones cause brain cancer. 50 Hz causes heart tumors.

The National Toxicology Program (NTP) animal study, started in 1999, released a summary of its findings this week. Cell Phones cause brain cancer. 50 Hz, the power-line frequency used in Europe, causes heart tumors.

The cell phone "radiofrequency radiation (RFR)" study is led by the NTP, headquartered at the National Institute of Environmental Health Sciences. The NTP has posted its report of the study's findings: Report of Partial Findings from the National Toxicology Program Carcinogenesis Studies of Cell Phone Radiofrequency Radiation in Hsd: Sprague Dawley® SD Rats (Whole Body Exposure). Note the comments on the study. Some are insightful for future studies; most are just the usual fear mongering.

A lengthy report at http://microwavenews.com/news-center/ntp-cancer-results can be summed up this way:

"Importantly, the exposed rats were found to have higher rates of two types of cancers: glioma, a tumor of the glial cells in the brain, and malignant schwannoma of the heart, a very rare tumor. None of the unexposed control rats developed either type of tumor."

See also:

http://microwavenews.com

Cellphone Towers Amplify Pain in Amputees: http://www.painnewsnetwork.org/stories/2016/2/4/cellphone-towers-amplify-pain-in-amputees

Anthropogenic Radio-Frequency Electromagnetic Fields Elicit Neuropathic Pain in an Amputation Model: http://journals.plos.org/plosone/article?id=10.1371/journal.pone.0144268

Cell Phone Convenience or 21st Century Plague? Compiled by Dr. Nick Begich and the late James Roderick, July 26, 2000: http://www.mind-fields.org/doku.php/cellphone/21stplague

If you are at all interested in this stuff, a book you MUST read is The Body Electric by the late Dr. Robert Becker (not Bob Beck).

There are also lots of scam devices out there that sell you something to reduce cell phone radiation, then show before-and-after thermal graphs. I want to see a thermal graph of an empty cell phone case held to the head. I expect it will give the same thermal graph.

If such a device worked, there would be a noticeable decrease in battery life. If the 'radiation' is reduced, the cell tower would get a weaker signal and the range would be less. The transmit power level of a cell phone is controlled dynamically, which is why in places with poor cell phone reception the battery drains faster: the phone is using a higher transmit power. If such a device worked, it would drain the battery faster even with no connection to the battery.

A simple way to reduce exposure is to use wired ear buds. They still don't bring the risk to zero. Bluetooth hands-free headsets are no improvement. Bluetooth operates at 2.6 GHz, the same frequency as your microwave oven and WiFi. I'm not putting a tiny microwave oven next to my head...

Sunday, January 31, 2016

Visit to Large Scale Systems Museum in New Kensington Pennsylvania

Yesterday [January 30th 2016] I paid a visit to the Large Scale Systems Museum (LSSM), Dave McGuire President/Curator, in New Kensington, Pennsylvania.




The audio makes it sound like a very noisy place; really it is not, it is just the microphone picking up the background cooling fans.

Currently the Museum is open only by appointment. It is expanding to two floors soon and will then be open to the public.

Still pictures of the machines, both inside and out, are found on my site.

The machine labelled "ML AI" is the actual machine that the Scheme programming language was created on.

Directions: https://maps.here.com/directions/drive/mylocation/LSSM-large-scale-systems-museum:40.565697,-79.766243?map=40.57196,-79.76624,12,normal&fb_locale=en_US

Saturday, January 16, 2016

Maxim make the best parts that no one can ever get. Are you a "stale_member" too?

I was telling someone about the Maxim Integrated MAXREFDES73# reference design, a wearable, mobile galvanic skin response (GSR) system.

We were hoping to get a few of them for some parapsychology experiments. When my client asked how much it cost, I tried to log into my Maxim account, established years ago.

All in all, the experience matched Maxim's reputation for delivery, that is, it won't. :-(

It says it does not know my email address. When I try to register it (I've had an account there for years), it says my email address is already registered and I'm a "stale_member".

The password reset generated a SQL error. So does it know my email address or not?

This is just as bad as the Maxim factory dude walking into our meeting and saying "I don't make it out here to the Rust Belt very often...", not realizing how insulting that is to those in the area.

They seem to make the best parts that no one can ever get... :-(  What has been your Maxim experience?

I wonder if that is why TI and Analog Devices both just passed on buying them?

Maybe they are up For Sale because ignoring the market's delivery concerns has finally caught up with them?

Even the distributors in the Pittsburgh/Cleveland market area try to get you not to buy Maxim parts from them; they don't want to hear the delivery complaints...



Sunday, October 11, 2015

Dr Richard Stallman to present at Kent State Saturday Oct. 17th


Kent, Ohio – Northeast ACM and the ACM Distinguished Speaker Program, in partnership with the Kent State Computer Science Department, will present Richard Stallman Talks, taking place at Kent State University's Kiva Auditorium on Saturday, October 17th 2015, featuring Dr. Richard Stallman.

NEOACM and the Kent State Computer Science Department are proud to bring Dr. Richard Stallman to Kent State University for the first time. Dr. Stallman will present his non-technical speech, A Free Digital Society, which addresses the many threats to freedom in our digital society, focusing on issues of proprietary software that controls users, digital handcuffs, massive surveillance, and censorship that undermine the foundations of democracy. Dr. Stallman is a software freedom activist and the main author of the GNU General Public License, the most widely used free software license.

Stallman developed the GNU operating system along with a number of widely used software components including the GNU compiler collection, symbolic debugger, and Emacs installed on millions of computers today. He is also the founder and president of the Free Software Foundation. Following the speech, there will be a Q & A session with Dr. Stallman and attendees will be able to purchase his books and essays.

This event is free and open to the public. Seating is limited. This event will be held in the Kiva Auditorium on Kent State Campus, 800 E Summit St, Kent, Ohio.

"If in my lifetime the problem of non-free software is solved, I could perhaps relax and write software again. But I might instead try to help deal with the world's larger problems. Standing up to an evil system is exhilarating, and now I have a taste for it." - RMS

For more information, please visit http://www.neoacmchapter.org/stallman_at_kent or http://www.meetup.com/Northeast-Ohio-ACM-Chapter-Meetup
 
Copyright © 2015 Northeast Ohio ACM (A non-profit organization)