Later On

A blog written for those whose interests more or less match mine.

Archive for November 4th, 2019

An Indian nuclear power plant suffered a cyberattack


Debak Das reports in the Washington Post about a cyberattack that portends the future:

The Nuclear Power Corporation of India Limited (NPCIL) has now confirmed that there was a cyberattack on the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India, in September. The nuclear power plant’s administrative network was breached in the attack but did not cause any critical damage. KKNPP plant officials had initially denied suffering an attack and officially stated that KKNPP “and other Indian Nuclear Power Plants Control Systems are stand alone and not connected to outside cyber network and Internet. Any Cyber attack on the Nuclear Power Plant Control System is not possible.”

So what really happened at Kudankulam? Here’s what you need to know.

1. The nuclear power plant and the cyberattack

The KKNPP is the biggest nuclear power plant in India, equipped with two Russian-designed and supplied VVER pressurized water reactors with a capacity of 1,000 megawatts each. Both reactor units feed India’s southern power grid. The plant is adding four more reactor units of the same capacity, making the Kudankulam Nuclear Power Plant one of the largest collaborations between India and Russia.

According to the NPCIL statement, the malware attack on KKNPP was noticed Sept. 4 by the CERT-In (Indian Computer Emergency Response Team), which is the national agency for responding to cybersecurity incidents. An investigation by India’s Department of Atomic Energy revealed that a user had connected a malware-infected personal computer to the plant’s administrative network. While the plant’s operational network and systems are separate from and not connected to the administrative network, one newspaper reported that there may have been a second “more serious” target.

VirusTotal, a virus scanning website owned by Google’s parent company, Alphabet, has indicated that a large amount of data from the KKNPP’s administrative network has been stolen. If this is true, subsequent attacks on the nuclear power plant could target its critical systems more effectively. Cyberattacks on nuclear power plants could have physical effects, especially if the network that runs the machines and software controlling the nuclear reactor is compromised. This can be used to facilitate sabotage, theft of nuclear materials, or — in the worst-case scenario — a reactor meltdown. In a densely populated country like India, any radiation release from a nuclear facility would be a major disaster.


2. Isolating the computer network from the Internet won’t protect against a targeted attack

In its initial denial, the NPCIL stated, “Any cyberattack on the Nuclear Power Plant Control System is not possible.” The KKNPP site director went on record stating that “the totally isolated network of KKNPP could not be accessed by any outside network from any part of the globe. Hence there was no question of it being hacked.” Even the second NPCIL statement emphasizes that “the critical internal network” was isolated from the administrative one, and by implication, the Internet.

This physical isolation of a computer or a local network from the Internet to prevent any outside breach is called an “air gap.” However, this security strategy can leave a nuclear plant quite vulnerable. The NPCIL’s statement, thus, reflects either a complacency about the cybersecurity of Indian nuclear power plants or ignorance of its network’s vulnerabilities.

Air-gapped nuclear facilities can be attacked. Air gaps can be effective against unsophisticated and untargeted cyberthreats — but not against targeted attacks. As the Nuclear Threat Initiative states in its 2016 report on cyberthreats to nuclear facilities, targeted attacks go beyond network connections and generally leverage “witting or unwitting humans, or a long and difficult-to-defend supply chain, to deliver the attack.” Another report by the Fissile Materials Working Group (a coalition of global civil society organizations) highlights that in practice, “organizations must transfer data into and out of their operational networks for a variety of reasons.” For instance, new data has to enter an air-gapped operational network to update the software and hardware in the network. That exposes the critical internal network in a nuclear power plant to a host of vulnerabilities. Most famously, the Stuxnet attack penetrated Iran’s air-gapped Natanz uranium enrichment facility.


3. Did North Korea launch the attack?

Some researchers suggest that the KKNPP attack was caused by a variant of the DTRACK virus, developed by the North Korea-linked Lazarus group. The NPCIL has not challenged these claims. India maintains good diplomatic and economic relations with North Korea, so if Pyongyang did sponsor the attack, expect a diplomatic fallout.

However, tracing a cyberattack to North Korea won’t be easy. Studies indicate that most state-sponsored North Korean cyberoperations are perpetrated from abroad. Nearly one-fifth are launched from India, where North Korea nationals have a considerable presence. North Korean students are present in India’s universities and other centers of higher education. The Indian Technical and Economic Cooperation program trains many North Korean students in India across several technical fields. This means that a cyberattack from North Korea could even originate from Indian territory.

In the past, North Korean cyberactivity has targeted the Indian Space Research Organization’s Institute’s National Remote Sensing Center and the Indian National Metallurgical Laboratory, and conducted network reconnaissance on laboratories and research centers. The use of humans, rather than network connections, to bypass an air gap in Indian critical infrastructure by North Koreans or their associates, hence cannot be ruled out. The malware that attacked the KKNPP system was reportedly custom-built for the nuclear power plant’s IT systems. That suggests that such a breach by an insider to the nuclear power plant may have happened already.

4. Could such attacks lead to military escalation? . . .

Continue reading.

Written by LeisureGuy

4 November 2019 at 8:10 pm

What, after all, is art?


I’ve been having a number of art-related discussions lately, and I’ve encountered again how often people have the idea that art is external to themselves. Let’s stick with paintings for now.

The art of the painting depends heavily on the viewer’s knowledge and understanding. The painting presents ideas visually. A lecture presents ideas in speech. Both demand that the viewer/listener have the appropriate cultural knowledge and tools to grasp what is being communicated or the communication fails.

People who view (say) a Jackson Pollock painting without understanding anything of the context and intent and cultural issues will get no more out of it than will the typical American listening to a talk given in Mandarin. The talk may be full of excellent ideas, intricate wordplay, clever allusions to classical Chinese literature, and so on, but to the American who knows nothing of the Mandarin language and Chinese history and culture, it will just be a stream of odd vocal noises. The fault there is not in the speaker, but in the lack of knowledge in the listener.

The same is true of the painting. “Beauty is in the eye of the beholder” speaks directly to the beholder’s role: what the beholder actually perceives are light rays reflected from oil paint applied to canvas. The meaning, the beauty, the ideas: those the beholder constructs by combining the visual stimulus with his or her cultural knowledge and experience.

Magritte’s famous painting speaks explicitly to this issue. That is not a pipe. It is oil paint on a canvas. The “pipe” exists in the viewer’s interpretation of the light reflected from that paint. And this particular work of art can be appreciated without the depth of cultural knowledge that (say) Jackson Pollock’s work requires because this is representational — but it is also art because it places a demand on the viewer’s understanding, something that decoration does not attempt. Decoration aims to please the eye; art demands some work and thought (and knowledge of context and cultural history).

That being said, let me highly recommend the Martin Scorsese documentary Picasso and Braque Go to the Movies. The movie provides the context for a series of paintings and is extremely interesting.

Written by LeisureGuy

4 November 2019 at 10:51 am

Posted in Art, Movies & TV

Greatest Healthcare System in the World™: One Employer Stuck a New Mom With a $898,984 Bill for Her Premature Baby


Marshall Allen reports in ProPublica:

Lauren Bard opened the hospital bill this month and her body went numb. In bold block letters it said, “AMOUNT DUE: $898,984.57.”

Last fall, Bard’s daughter, Sadie, had arrived about three months prematurely; and as a nurse herself, Bard knew the costs for Sadie’s care would be high. But she’d assumed the bulk would be covered by the organization that owned the hospital where she worked: Dignity Health, whose marketing motto is “Hello humankindness.”

She would be wrong.

Bard, 30, had been caught up in an unforgiving trend. As health care costs continue to rise, employers are shifting the expense to their workers — cutting back on what they’ll cover or pumping up premiums and out-of-pocket costs. But a premature baby, delivered with gaspingly high medical claims, creates a sort of benefits bomb, the kind an employer — especially one funding its own benefits — might look for a way to dodge altogether.

Bard, distracted by her daughter’s precarious health and her own hospitalization for serious pregnancy-related conditions, found this out the hard way. Her battle against her own employer is a cautionary tale for every expectant parent.

Bard’s saga began, traumatically, when she gave birth to Sadie at just 26 weeks on Sept. 21, 2018, at the University of California, Irvine Medical Center in Southern California. Weighing less than a pound and a half, tiny enough to fit into Bard’s cupped hands, Sadie was rushed to the neonatal intensive care unit. Three days after her birth, Bard called Anthem Blue Cross, which administers her health plan, to start coverage. Anthem and UC Irvine’s billing department assured her that Sadie was covered, Bard said.

But Dignity’s plan, like many, requires employees to enroll newborns within 31 days through its website, or they won’t be covered — something Bard said she didn’t know at the time.

Meanwhile, believing that everything with her health benefits was on track, Bard spent nine of those first 31 days recovering in her own hospital bed and then had to return to the emergency room because of a subsequent infection. She spent as much time as she could in the neonatal intensive care unit, where Sadie, in an incubator, attached to tubes and wires, battled a host of critical ailments related to extremely premature birth. At times, doctors gave her a 50-50 chance of survival.

“Right from birth she was a fighter,” Bard said.

Then, eight days past the 31-day deadline, UC Irvine’s billing department alerted Bard to a problem with Sadie’s coverage. Anthem was saying it could not process the claims for the baby, who was still in the NICU.

Bard, an emergency room nurse at St. Bernardine Medical Center in San Bernardino, called Dignity’s benefits department and made a sickening discovery. Sadie wasn’t enrolled in its health plan. It was too late, she was told, she could no longer add her baby.

Dignity bills itself as the fifth-largest health system in the country, with services in 21 states. The massive nonprofit self-funds its benefits, meaning it bears the cost of bills like Sadie’s. And it doesn’t appear to be short on cash. In 2018, the organization reported $6.6 billion in net assets and paid its CEO $11.9 million in reportable compensation, according to tax filings. That same year, more than two dozen Dignity executives earned more than $1 million in compensation, records show.

Dignity is also a religious organization that says its mission is to further “the healing ministry of Jesus.” Surely, Bard remembered thinking, they would show her compassion.

With the specter of the bills hanging over her, Bard said she literally begged Dignity to change its mind in multiple phone calls, working her way up to supervisors. She thought she’d enrolled Sadie by calling Anthem, she told them. It was an innocent mistake.

The benefits representatives told her information about the 31-day rule was in the documents she received when she was hired. It didn’t matter that it was six years earlier, long before she dreamed of having Sadie, she said. The representative also told her it wasn’t just Dignity’s decision, the Internal Revenue Service wouldn’t allow them to add the baby to the plan.

Under Dignity’s plan, Bard could have two written appeals. She got nowhere with either of them. “IRS regulations and plan provisions preclude us from making an enrollment exception,” Dignity wrote in its Nov. 30, 2018, response to her first appeal.

IRS officials said they can’t talk about specific cases because of privacy issues and could not comment in general in time to meet ProPublica’s deadline.

Dignity rejected Bard’s second written appeal in a July 8 letter, saying the deadline was included in a packet sent nine days before Sadie’s birth. But at that time, Bard had already been admitted to the hospital because of complications. Dignity’s letter said it “cannot make an exception to plan provisions.”

But the federal regulator of Dignity’s plan said such plans can, in fact, make exceptions. An official with the federal Labor Department, which regulates self-funded health benefits, told ProPublica that plans can make concessions as long as they apply them equally to participants. Plus, federal law allows plans to treat people with “adverse health factors” more favorably, the official said.

Bard scrambled, futilely, to see if any publicly funded insurance plan would be able to cover the costs. Meanwhile, the bills began arriving: $206 in November, $1,033 in January, $523 in February and $69,362 in April, with the biggest yet to come. Sadie had spent 105 days in the hospital and had several surgeries — and the bills would be Bard’s alone.

Sadie’s total hospital tab was nearing $1 million and climbing when ProPublica first spoke to Bard. “I’ll either work the rest of my life or file for bankruptcy,” she said.

Bard said she and her fiancé — Sadie’s father, Nathan Benton — considered delaying their wedding so he wouldn’t be legally saddled with the bills as well.

The looming debt, and her employer’s rejection, sent Bard reeling when she was already suffering from postpartum depression. She went back to her job while worrying that she might lose her home in Norco. She wept and beat herself up again and again about missing the deadline: How could she not think of something like that? She should’ve known. She should’ve been on top of it more.

Anthem declined to comment for this story. UC Irvine, where Bard said the care was excellent, said that cases like Bard’s are unusual but may happen in 1% to 2% of births. The hospital tries to work with patients when they get stuck with the bills, a UC Irvine spokesman said.

With the appeals exhausted, the $898,000 bill landed. Bard could see right away that handling it the typical way, with a payment plan, was not going to work. If she chipped away at it at $100 a month, settling the obligation would take more than 748 years. “It would take so long I’d be dead,” Bard said.

Bard could see no way out. On Oct. 7, she posted a photograph of the $898,000 bill on Facebook. “When Dignity Health (the company I work for) screws you out of your daughter’s insurance…” she wrote.

A week later,  . . .

Continue reading.

World’s greatest healthcare system? No, it’s not. Not by a long shot.

Written by LeisureGuy

4 November 2019 at 10:22 am

Omega 20102 and Colonia, with the German 37 and Diplomat


The Omega 20102 is my standard recommendation for a boar shaving brush. I like the beechwood handle and the knot has enough loft to feel good while still being resilient (more resilient than Saturday’s Omega, for example). Omega brushes have the benefit of breaking in over just a week or at most two, though in the first couple of uses the lather dies almost immediately. But that quickly passes, and they really are good brushes—this one particularly, IMO.

The Colonia shave soap shown makes a fine lather, and I do like a triple-milled soap. Three passes with the German 37 left my face perfectly smooth, and then a splash of Diplomat finished the job. Diplomat has a very interesting fragrance with a spice note I’ve not been able to identify, but it does catch one’s attention. Pick up a bottle if you get a chance.

Written by LeisureGuy

4 November 2019 at 9:28 am

Posted in Shaving
