More than 100 million individuals had their private health information stolen during the ransomware attack on Change Healthcare in February, a cyberattack that caused months of unprecedented outages and widespread disruption across the U.S. healthcare sector.
This is the first time that UnitedHealth Group (UHG), the U.S. health insurance provider that owns the health tech company, has put a number of affected individuals to the data breach, after previously saying it anticipated the breach to include data on a "substantial proportion of people in America."
Really, really hard to feel any sympathy for this organization when you read this a few paragraphs down in the article:
According to its 2023 full-year earnings report, UHG made $22 billion in profit on revenues of $371 billion. [Andrew Witty, CEO of UHC] made $23.5 million in executive compensation the same year.
Let's say you invest in state-of-the-art workforce development programs, advanced threat detection solutions, zero trust and identity management solutions, resilience infrastructure, and throw in some R&D.
Let's even give UHC the benefit of the doubt and assume they have done all of this.
How are you able to walk away with $22 billion after you've allowed the PII of nearly a third of Americans (myself included) to walk out the door and into the hands of cybercriminals?
Nobody else is angry that this news isn't blasted all over this election cycle?
Nobody else thinks we should be holding this conglomerate's feet to the fire for this breach?
I'm not here to minimize the importance of other issues like border security and women's reproductive rights, but I haven't heard any politician make noise about our horribly inefficient healthcare system at all during this election cycle.
Why can't we stop picking fights with each other and focus on addressing the systemic issues which lead to companies selling us all out in the name of shareholder value?
Continue to the full article
→
I personally tried withdrawing cash at three financial institutions in different weight classes, and was told it was absolutely impossible (in size) at all of them, owing to the Falcon issue.
At one, I was told that I couldn't use the tellers but could use the ATM. Unfortunately, like many customers, I was attempting to take out more cash from the ATM than I ever had before. Fortunately, their system that flags potentially fraudulent behavior will let a customer unflag themselves by responding to an instant communication from the bank. Unfortunately, the subdomain that communication directs them to runs on a server apparently protected by CrowdStrike Falcon.
I have some knowledge of the history of comprehensive failures of financial infrastructure, and so I considered doing the traditional thing when convertibility of deposits is suspended by industry-wide issues: head to the bar.
I've ignored the CrowdStrike news primarily because it didn't directly impact me, and secondarily because I made an assumption that this was yet another example of the joys of late stage capitalism.
I'm glad I read this article, though, because it helped put the crisis in perspective.
While it didn't impact me, it certainly caused issues for those in my real life. Software truly has reached a point where it can cause massive headaches for large swaths of society.
When a big part of society gets bumped by an outage like this, the ripples of its consequences will surely be felt by everyone at some point down the road.
Second, I gotta stop being so cynical about capitalism. I should stop pretending I'm above it or better than it. Like it or not, it's the system I have to play in.
It would probably be less stressful for me to accept the game and use it to accomplish my own set of goals.
One of my main goals in life is to build technology that helps make people's lives better. Say what you will about CrowdStrike, but this article reminded me that it's because of tools like Falcon that we are provided a society in which we all can live better lives.
So instead of sitting here and (a) ignoring the news and (b) complaining about the existence of bad actors in our system, maybe I should instead do my best to help make our system as stable as I can.
Continue to the full article
→
In my opinion, security is one of the most forgotten aspects of software engineering. It rarely gets focused on until it's too late. Even though at least one incident lands on HackerNews every week where some data gets leaked or someone gets hacked - people still think, "Nobody cares about my little startup." You might think you're too small to be noticed by the big, evil hackers. Wrong. Size doesn't matter. You're always a target; there's always data to leak and ways to exploit your business.
This is a great primer for the security-related items you need to consider when you're building software.
Some takeaways:
First, any human-built product is going to be insecure. Nothing is 100% secure, ever. The best you can do is make the bad guys earn it by making it difficult to break into.
Second, your biggest vulnerabilities are almost always human. You can build Fort Knox, but if I'm able to trick your guard into opening the door for me, then what's the point?
Third, I'm grateful for frameworks like Ruby on Rails which handle a good chunk of the author's "step 0" items out of the box. Picking the right tool (and keeping that tool sharpened) is the best first step.
Fourth, there's never a moment with software when you can dust your hands and say, "ope, we're done!"
Security is especially an area in which you can't sit still. If you build an app and let it sit for a decade without any updates, I can almost guarantee you that there'll be a vulnerability in one of your dependencies which I could exploit to take over your system.
Finally, if you reach a certain size of organization, you need someone thinking about this stuff full time and orchestrating all the pieces needed to keep a secure system.
Continue to the full article
→
Whenever I talk about a knowledge win via robots on the socials or with humans, someone snarks, "Well, how do you know it's true? How do you know the robot isn't hallucinating?" Before I explain my process, I want to point out that I don't believe humans are snarking because they want to know the actual answer; I think they are scared. They are worried about AI taking over the world or folks losing their job, and while these are valid worries, it's not the robot's responsibility to tell the truth; it's your job to understand what is and isn't true.
You're being changed by the things you see and read for your entire life, and hopefully, you've developed a filter through which this information passes. Sometimes, it passes through without incident, but other times, it's stopped, and you wonder, "Is this true?"
Knowing when to question truth is fundamental to being a human. Unfortunately, we've spent the last forty years building networks of information that have made it pretty easy to generate and broadcast lies at scale. When you combine the internet with the fact that many humans just want their hopes and fears amplified, you can understand why the real problem isn't robots doing it better; it's the humans getting worse.
I'm working on an extended side quest and in the past few hours of pairing with ChatGPT, I've found myself constantly second guessing a large portion of the decisions and code that the AI produced.
This article pairs well with this one I read today about a possible social exploit that relies on frequently hallucinated package names.
Simon Willison writes:
Bar Lanyado noticed that LLMs frequently hallucinate the names of packages that don't exist in their answers to coding questions, which can be exploited as a supply chain attack.
He gathered 2,500 questions across Python, Node.js, Go, .NET and Ruby and ran them through a number of different LLMs, taking notes of any hallucinated packages and if any of those hallucinations were repeated.
One repeat example was "pip install huggingface-cli" (the correct package is "huggingface[cli]"). Bar then published a harmless package under that name in January, and observed 30,000 downloads of that package in the three months that followed.
I'll be honest: during my side quest here, I've 100% blindly run npm install on packages without double checking official documentation.
These large language models truly are mirrors to our minds, showing all sides of our personalities from our most fit to our most lazy.
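One way to avoid blindly running an install command copied from a chatbot is to check every package name in the answer against a list you have already reviewed. The sketch below is an added example, not code from any of the linked articles; the sample answer, the allowlist contents and the helper names `normalize` and `audit` are all assumptions made for illustration.

```python
import re
import shlex
from difflib import get_close_matches

# Constructed sample: an LLM answer that mixes vetted and unvetted package names.
LLM_ANSWER = '''First install the client:
    pip install huggingface-cli
Then upgrade the helpers:
    pip install -U "huggingface_hub[cli]" requests==2.32.3
For the front end run: npm install some-unvetted-helper
'''

# Constructed allowlist: names already reviewed for this project (e.g. from its lockfiles).
VETTED = {"pip": {"huggingface-hub", "requests"}, "npm": {"express"}}

INSTALL_RE = re.compile(r"\b(pip3?|npm)\s+(?:install|i)\s+(.+)")


def normalize(tool, spec):
    """Reduce an install argument to a bare, comparable package name."""
    if tool == "npm":
        # Keep a leading @scope, drop a trailing @version.
        return (spec[0] + spec[1:].partition("@")[0]).lower()
    # pip: drop extras, pins and markers, then apply PEP 503 normalization.
    name = re.split(r"[\[=<>!~;@ ]", spec, maxsplit=1)[0]
    return re.sub(r"[-_.]+", "-", name).lower()


def audit(text, vetted=VETTED):
    """Return (tool, name, closest_vetted_name_or_None) for each unvetted package."""
    findings = []
    for line in text.splitlines():
        match = INSTALL_RE.search(line)
        if not match:
            continue
        tool = "pip" if match.group(1).startswith("pip") else "npm"
        for token in shlex.split(match.group(2)):
            if token.startswith("-"):  # flags such as -U or --save-dev
                continue
            name = normalize(tool, token)
            if name not in vetted[tool]:
                near = get_close_matches(name, sorted(vetted[tool]), n=1, cutoff=0.6)
                findings.append((tool, name, near[0] if near else None))
    return findings


if __name__ == "__main__":
    for tool, name, near in audit(LLM_ANSWER):
        hint = f" (did you mean the vetted '{near}'?)" if near else ""
        print(f"STOP: {tool} package '{name}' is not on the allowlist{hint}")
```

A name that is close to a vetted one but not identical is the case worth the most attention, since that is exactly the shape a squatted package takes.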
Continue to the full article
→
In September last year, a breach at LastPass' parent company GoTo (formerly LogMeIn) culminated in attackers siphoning out all data from their servers. The criticism from the security community has been massive. This was not so much because of the breach itself, such things happen, but because of the many obvious ways in which LastPass made matters worse: taking months to notify users, failing to provide useful mitigation instructions, downplaying the severity of the attack, ignoring technical issues which have been publicized years ago and made the attackers' job much easier. The list goes on.
Now this has been almost a year ago. LastPass promised to improve, both as far as their communication goes and on the technical side of things. So let's take a look at whether they managed to deliver.
TL;DR: They didn't. So far I failed to find evidence of any improvements whatsoever.
If you aren't using a password manager, the likelihood of every single one of your online accounts getting hacked is extremely high.
If you're using a bad password manager, I guess it's just as high?
Continue to the full article
→
At around 7 am on a quiet Wednesday in August 2017, Marcus Hutchins walked out the front door of the Airbnb mansion in Las Vegas where he had been partying for the past week and a half. A gangly, 6'4", 23-year-old hacker with an explosion of blond-brown curls, Hutchins had emerged to retrieve his order of a Big Mac and fries from an Uber Eats deliveryman. But as he stood barefoot on the mansion's driveway wearing only a T-shirt and jeans, Hutchins noticed a black SUV parked on the street - one that looked very much like an FBI stakeout.
Journalism students should study this as a quintessential way to write a profile piece. I find computer security a fascinating topic, but it's hard to present it to non-nerds as a compelling story. Andy Greenberg did this story justice.
Continue to the full article
→
For those of you not following the story, some hackers have found code to this software on mobile devices (both the iPhone and Android) called Carrier IQ. It allegedly sends a ton of data back to the carriers, including logging keystrokes and recording data sent through Wi-fi, even if it's encrypted.
The important thing to take away, however, is that even though we all like to fight the "Apple vs. Android" battle, the real war is The People vs. the Carriers.
Continue to the full article
→