Wednesday, September 1, 2010

Cybersecurity: Maine breaches

Published in the Portland Phoenix

When many Mainers think of "cybersecurity," they probably remember the 2008 HANNAFORD SECURITY BREACH, when 4.2 million credit- and debit-card numbers were stolen from shoppers at the grocery chain's stores.

What received little coverage amid the hype about the vastly overstated threat of identity theft (only 1800 accounts were actually used to make fraudulent charges — 0.04 percent of the stolen numbers) was that the breach was the first documented case of a new way of stealing this kind of information.

Previously, most security breaches resulting in theft of credit-card, bank-account, or even Social Security numbers had come from a single incident — either a physical theft of a computer or drive containing that information, or someone connecting to a computer via the Internet and breaking through whatever security it might have in place. (This happened, for example, to THE UNIVERSITY OF MAINE HEALTHCARE CENTER'S COMPUTERS in June, when an unauthorized person accessed data on about 4600 students who had sought mental-health help at the university.)

But Hannaford's data was stolen over the course of several months, during transmission of the data from store cash registers to the system that the company used to verify card transactions. This process takes only seconds, as shoppers know, and became a target for thieves because protection had been beefed up on physical computers and their electronic defenses.

The fact that some credit-card information is not encrypted when traveling over private corporate networks remains an issue for retailers, banks, and credit-card companies to resolve. (When traveling over public networks, the data must be encrypted.) Also, the Hannaford hack was claimed by some to be an inside job — and there's little defense against data theft by a person who is allowed into a data center.

Most Mainers likely do not know that THE MAINE LEGISLATURE'S WEB SITE WAS HACKED just three months ago, resulting in some mild confusion about the lawmaking process. Specifically, the site's ability to designate the status of bills moving through the Legislature — including keeping users up-to-date on amendments and voting — was modified so that a user who clicked on various links would be taken to a Web site that would attempt to download viruses or other harmful software onto a user's computer.

State computer-support staff took the site offline entirely for several days while they fixed the security hole and reloaded correct information into the database. This went largely unnoticed because the Legislature was not in session at the time.

Dueling ideas: Maine's senators on cybersecurity

Published in the Portland Phoenix


Both of Maine's senators, Susan Collins and Olympia Snowe, have backed cybersecurity legislation in hopes of avoiding or averting the catastrophes described in David Scharfenberg's main piece. But their approaches have been different, leading to conflicting bills in the US Senate.

Collins's effort, also backed by senators Joe Lieberman (I-Connecticut) and Tom Carper (D-Delaware), is most controversial because it would give the federal government significant authority to monitor, or even shut down, the Internet or portions of it, if the president declared a cybersecurity emergency. (The fact that the Department of Homeland Security would be in charge of actually doing this doesn't exactly make us feel warm and fuzzy inside, either.)

But beyond that — and despite creating two more federal agencies (the Office of Cyberspace Policy and the National Center for Cybersecurity and Communications) — the bill does make some sense, because it also addresses education and training of future cybersecurity professionals, even introducing some concepts as early as elementary school.

Snowe's plan, proposed jointly with Senator Jay Rockefeller (D-West Virginia), would not go quite so far. It would create a new office in the White House (the Office of the National Cybersecurity Advisor) and set new federal standards for cybersecurity, with which private companies and government agencies would have to comply. It would also provide for licensing and certification of cybersecurity professionals.

Senate Majority Leader Harry Reid (D-Nevada) is reportedly working to combine the two bills and bring the merged proposal to a vote in the Senate sometime in September.

Corporate Albatross Dept.: FairPoint's struggles continue

Published in the Portland Phoenix


It has been a very long time since our last FairPoint update, but you can rest assured that the North Carolina-based landline provider's downward slide has continued, as the company attempts to restructure its way out of crushing debt through bankruptcy-court protection. Here are a few gems from the past few months.


First up, and most recently, on August 5, MAINE TAXPAYERS GAVE FAIRPOINT A $1.1 MILLION GIFT, when Maine Revenue Services agreed to accept just shy of $400,000 as payment "in full" of a $1.5 million tax bill the company owed the state.

But new math appears to be the way, as the COMPANY'S ACTUAL VALUE IS IN SERIOUS DOUBT. In its October 2009 bankruptcy filing, the company claimed its assets, as of June 2009, were $3.236 billion, with debts of $3.234 billion. An independent valuation of the company, however, set its total worth at between $1.8 billion and $2.1 billion. In another filing, FairPoint says its northern New England assets are worth $1.2 billion — far less than the $2.3 billion the company paid (including $1.7 billion in actual cash) to Verizon to take over landline service in Maine, New Hampshire, and Vermont, a takeover that was delayed several times before finally becoming effective at the end of 2008.

Also, ITS BUSINESS MODEL IS FAILING. The bankruptcy filing is clear: "FairPoint has been unable to attain the performance levels it projected at the time of the acquisition" of Verizon's northern New England business. In 2008, 8.5 percent of customers who had been with FairPoint before the merger cut their landlines. That's pretty bad, but customers who joined FairPoint in the Verizon switch left even more quickly: 12.3 percent of them bailed in 2008 alone, according to court documents. That's a big increase from the 7.3 percent subscriber loss Verizon experienced in 2007, which FairPoint's plan had projected it would beat (meaning lower losses, not higher).

The COMPANY HAS TROUBLE FORESEEING THE FUTURE in other ways, too. Beyond FairPoint's bizarre pre-merger projections, Vermont's Public Service Board (its equivalent of Maine's Public Utilities Commission) ruled in late June that "FairPoint has provided virtually no explanation" for its service-quality promises, saying that "based upon the record before us, we cannot find that FairPoint has demonstrated the financial capability to meet its obligations under Vermont law and its (state license) as a telecommunications carrier."

For that matter, FAIRPOINT HAS PROBLEMS VIEWING THE PAST ACCURATELY. In February, the company announced that it had overstated 2009 revenue by 3 percent, or $26 million.

The COMPANY HAS LEVERAGED ITS BANKRUPTCY TO TAKE ADVANTAGE OF STATE REGULATORS in Maine and New Hampshire, getting permission to delay paying millions in poor-service-quality penalties, and even the potential for them to be waived altogether, if service improves. FairPoint also was given extra time in those two states to roll out its outdated version of broadband Internet access to rural customers. Vermont regulators have so far held firm, but FairPoint is asking them to reconsider, and if that fails the company is expected to ask a federal judge to overrule the state officials.

This is particularly ironic in Maine, because FAIRPOINT HAS SPENT MONEY TO LOBBY AGAINST A HIGH-CAPACITY BROADBAND NETWORK to be built with state, federal, and private funds. The company has argued that such an effort would unfairly compete with the slower-speed and later-arriving service FairPoint promises it will one day get around to providing. But federal funds aren't the real issue: having failed to receive any of the $38 million in economic stimulus money it applied for a year ago, the company has nevertheless applied again, this time seeking $20 million in federal funds to build out its network.

In the past five months, two TOP EXECUTIVES HAVE LEFT, AND ARE BEING REPLACED WITH EXECUTIVES WITH PRIOR CORPORATE BANKRUPTCIES ON THEIR RESUMES. Alfred Giammarino, who became FairPoint's chief financial officer in September 2008, resigned March 31 for what were called "personal reasons." He was replaced July 18 with Ajay Sabherwal, who was CFO for Choice One Communications leading up to, during, and after that company's 2004 bankruptcy restructuring. And David Hauser, appointed CEO in June 2009, was asked to resign by the company's major creditors and did so in mid-August. He has been replaced with Paul Sunu, who was CFO of Hawaiian Telecom when that company, another former Verizon landline property, entered bankruptcy protection in 2008.

And then, if all that wasn't enough, FAIRPOINT HAS ARGUED THAT IT SHOULD FACE LESS SCRUTINY FROM STATE AND FEDERAL REGULATORS after it emerges from bankruptcy. Specifically, the company told Vermont regulators that their oversight puts the company at a competitive disadvantage when offering Internet and television services that are not regulated by the state, in combined packages with landline service, which is regulated.

In making this argument, FAIRPOINT HAS FORGOTTEN THAT IT PROMISED THE PUBLIC MORE AND FASTER INTERNET ACCESS as a key element in its argument that its takeover of Verizon would benefit the public. Now that it has sought — and received — permission from state regulators to delay and renege on those promises, the public benefit is reduced. No wonder FairPoint wants less regulation.

Thursday, August 26, 2010

Press Releases: Maine's broken e-mail system

Published in the Portland Phoenix


When Naomi Schalit of the Maine Center for Public Interest Reporting asked for electronic copies of e-mails between the chairman of the Maine Public Utilities Commission and representatives of companies the PUC dealt with, she did not expect to receive a cost estimate of $10,000 from the state — nor to be required to pay $80 for the privilege of receiving that estimate.

And when she wrote back asking for that exorbitant fee to be waived, as allowed in state law, because she is a reporter for a non-profit organization publishing its material in more than 20 newspapers around the state, she did not expect to get a revised estimate of $36,239.52. (Happily, she was not charged to receive that new figure, though in a passing encounter with the PUC's chief lawyer, she did have to hear complaints about "all the work you're making us do.")

The cost is clearly outrageous, and a barrier to public access to information that belongs to the public. But here's the really surprising thing the Portland Phoenix has learned from just a little research into the matter: the estimate reflects the state's actual cost to extract the information from its e-mail archive, which is so cumbersome that it's next to impossible to actually use.

Greg McNeal, Maine's chief information officer, says he and his staff have calculated that responding to a similar request (from an attorney involved in a lawsuit relating to state government) would take one of his two e-mail technicians an entire year of full-time work.

Hence the sky-high dollar amount: Even with a statutory limit of $10 per hour of state-employee time responding to freedom-of-information requests, the process of e-mail recovery is so lengthy that expenses easily rise into tens of thousands of dollars.

This clearly is not just delaying — and inflating the cost of — Schalit's request, but also court proceedings, and even internal state investigations performed at taxpayer expense. (McNeal confirms that his agency bills other state agencies similar amounts for similar services.)

McNeal calls the backup mechanism "archaic," and says he has been lobbying to improve it for some time now, but the state lacks both funding and a working example to adapt to Maine's needs.

State archivist David Cheever uses the word "nightmare" to describe this situation, and goes on to say the e-mail backup system is "entirely unworkable."

But Cheever and McNeal both say this is not a problem unique to Maine, which has roughly 12,000 state e-mail accounts, with thousands upon thousands of actual messages, which must all be backed up in a way that must somehow or other be accessible to the public and yet secure from destruction (and, in e-mail messages with criminal-justice information, secured from prying eyes according to strict federal rules).

Neither of them is aware of a state government that has a timely, inexpensive storage-and-retrieval method for state officials' e-mail messages. (For that matter, Cheever says he just got back from a trip to the National Archives, which has also not yet devised a functioning system for billions of federal e-mails.)

The state can't afford to experiment to find something that might work: "We don't have the money to be wrong," Cheever says. But every state is in that boat, and so all of them are sitting around waiting for someone else to experiment long enough to make something work.

Schalit's reaction to this information was partially relief (that she apparently isn't being singled out for obstructionism by state officials wary of her reporting), but also outrage. Calling the existence of a system like this "mind-boggling for anybody who has an interest in history," she says, "If this is the kind of system they have installed for government business, there's something wrong with the system."

But it's Cheever who has the best summary of the way things are right now for anyone interested in how state government is actually functioning: "There's your haystack. Good luck with the needle."

Wednesday, August 11, 2010

Music Seen: Street musicians at First Friday Art Walk, Portland, August 6


Published in the Portland Phoenix

With the Tower/Building of Song on hiatus while its creators move apartments (again), the street-music scene on First Friday was quieter than in recent months. But that left more aural room for buskers along Congress Street.

In a two-hour gallery-browsing stroll from Monument Square to Longfellow Square and back, we heard nine musical performances (two other people looked like they might be about to start playing, but didn't in the time we lingered in anticipation).

A traditional Americana fiddler outside the Maine College of Art got us going with a toe-tapping rhythm and a little shuffle of his feet. But something echoing down the street caught our ear, and it turned out to be a man smoothly playing soulful jazz on his saxophone very nearby — just outside SPACE Gallery.

Two guitar players were next, a female singer-songwriter with some original tunes outside Two Point Gallery and a man strumming Spanish-tinged airs on a classical guitar outside the Empire.

Outside the Green Hand Bookshop were three women merrily fingering their accordions, giving our turn to head back toward the Monument a little extra jaunt. At least until we encountered a young man with a synthesizer outside Strange Maine. He was working the electronica-plus-drum-machine end of his small keyboard, extracting haunting, ethereal sounds that in some cases seemed to surprise even their creator. (His abstraction meshed startlingly well with the classical guitar across the street. Perhaps there's a collaboration option there?)

Down by LL Bean, a man was playing two different-sized recorders simultaneously, fairly capably handling a pair of two-handed instruments without help. And then he switched to saxophone, with a big-band sound.

Next on our way was a woman strumming on a banjo and doing vocals that are best described as shouting. She was outside MECA (the fiddler had moved on), and her friends were whooping it up around her, possibly having more fun than could be reliably ascribed to their muse of the moment.

Finally, as we left the Art Walk to go in search of sustenance, a lonely Cranky the Clown School Dropout was mournfully tending to his saxophone, sitting beneath the gaze of Portland, To Her Sons Who Died For The Union.