
...rate of about $1,137 per hour
I am most definitely in the wrong job.
Prison inmates in Arizona who should be eligible for release remain incarcerated because the state's inmate management software can't handle sentence adjustments, it is claimed. According to public radio station KJZZ, unidentified whistleblowers within the Arizona Department of Corrections revealed the software problem, which …
If that report is anywhere near accurate, as well as the ridiculously high cost per hour of bug fixing, 2,000 hours to tweak a calculation?
They evidently view Arizona's State Government as a bottomless pit of money who'll willingly throw millions of dollars at them - possibly even billions if they're charging over a thousand dollars per hour and over a thousand hours of development time to fix each of tens of thousands of "unresolved issues" and "feature requests"...
> If that report is anywhere near accurate, as well as the ridiculously high cost per hour of bug fixing, 2,000 hours to tweak a calculation?
Yeah, just a tweak to the code. And some testing to make sure you don't release a murderer by mistake - could you knock that off in half an hour or so as well?
> with proper unit testing, yes...
Repeat after me: unit testing is not system testing.
Please explain how a unit test will catch the scenario where a prisoner has transferred prison 5 times; been previously released but re-incarcerated after committing a further offence; has undertaken 3000 hours of study; but 10 days of which was on a non-contributing course? And then catch all the other nCr permutations - because a judge *will* ask you to explain if a prisoner is released early by mistake. And your explanation better be better than "well, we ran a unit test".
Because this sounds like a new requirement brought in by recent legislation, it's probably more like implementing a new metric that does not currently exist in the system along with all the associated changes to screens, queries and updates, and then incorporating that metric into the release date calculation.
How much does adding an extra field to a database cost? It depends on the database system, but I thought from my relational database training forty years ago that this was one of the features of an RDB that I'm sure cannot have gotten lost in the time since then.
But testing would need to be done, and the queries and update methods would have to be written, along with the required auditing, so it could well be quite expensive.
Which came first, the software going live or the law SB1310 being passed, as they both happened in 2019?
Even if it went live earlier (not earlier than six months) than SB1310, they must have known it was on the books to be debated. Should they not have delayed the software going live until it could handle changes to the release credit formula?
You'd think so.
The bill had its first reading in Arizona's Senate in January 2019 and it sailed through the process: a 60-0 final vote in the House, 28-2 in the Senate, signed into law by the Governor in June 2019.
ACIS (Arizona Correctional Information System) went live in November 2019.
I see this all the time.
The software would have been written to meet a spec and rolled out many months after approval. Once the scope, design documents, implementation and user acceptance testing have all had final sign-off, it’s way too late to change things.
To adjust the system to handle the new rules would be chargeable out-of-scope works which the company could put any price on, knowing that hiring a third party to do the changes might cost less initially, but more in the long run to take over support.
Additionally, it’s in the best interests of Arizona State (not the programmers) to keep quiet about bugs to avoid being sued into the ground for mistakes made as a result of keeping people locked up for longer than they’re meant to. The development house will have a couple of executives laughing their arse off at this situation, enjoying all the easy money...
I agree it would be too late to change things and get the new formula supported but going live could have been delayed until it had been fixed.
The blame is on Arizona State letting it go live when they knew that it could not handle the new formula. Yes it would have cost them and been late but it could cost a lot more if it ends up in lawsuits.
It seems the requirements were poorly specced, not allowing things like the sentence reduction formula to be adjustable. But hey, hindsight is a wonderful thing. :)
I disagree it should be doing that job.
"The software, ACIS (Arizona Correctional Information System), implemented in 2019 at a cost of $24m by IT biz Business & Decision, North America, is said to contain a module for calculating the release dates of inmates.
The module's code, however, hasn't been able to adapt to Arizona Senate Bill 1310, a state law signed in June 2019 to allow non-violent inmates in Arizona to earn credits toward early release as a reward for participating in state-run education and rehabilitation programs."
So yes I read the story and stand by my statement "It seems the requirements were poorly specced, not allowing things like the sentence reduction formula to be adjustable. But hey, hindsight is a wonderful thing. :)"
Because how can you calculate release dates of inmates if you do not allow for the early release program which existed before Bill 1310 and also allow the formula for earning credits to be adjustable.
"The development house will have a couple of executives laughing their arse off"
... and burnishing the bottom line they report to the head office execs who report to their owners who report to theirs and so on until the execs at the top know nothing about any of it. (Business & Decision, North America is the US subsidiary of a French company owned since 2018 by a subsidiary of an arm of Orange.)
Mm! So should I hardcode the tax rates in this payroll software, and ensure an income for life, or give the user an admin option, so they can define and redefine to their heart's content?
Damn! I'm just too professional about my work to let grubby thievery get the better of me!
As a note, I always code with the knowledge that things change, and always create admin screens that give the user the option to make those changes themselves, and I always supply full documentation, often displayable on the screen to assist the admins in implementing those changes.
Yes it is hard work trying to anticipate how "constants" might change, and yes it's a pain in the butt trying to create as simple an environment for the user to navigate, but anything less doesn't ship with my name on it.
I was once offered a half-time job producing a series of similar bespoke programs. I expressed my surprise, explained the principle of code/data separation, talked through the real requirements, and spent three months producing a single configurable program which put my client's previous vendors out of six months' billing per annum for (if they were half-way competent and had done essentially the same thing behind the client's back) about three days' work.
Well, yes... but how long does it take to (a) get a hearing and (b) prove to the judge's satisfaction that the discount to the sentence is earned? You _know_ the Arizona Dept of Corrections will produce evidence that their "computer says no", so now the convict needs to prove that the DoC is wrong...
They do state in the update that there is a manual system that ensures no one is imprisoned when they should be released, and that it has been litigated in Arizona many times and always supported by the courts. So maybe someone over there had enough common sense to ensure a manual workaround in case of IT failure?
Very dodgy ground using an IT system to dictate release dates anyway as it's not a straightforward process.
In England and Wales, whilst the national database (Nomis) does do calcs, these have to be manually checked at various points in the offender's sentence. Prior to that the previous system didn't do date calculation at all.
Don't know about that but every project I've worked on in the last few years has had a contract with a clause in it requiring the supplier to incorporate any legislative changes, either as part of the routine software update releases or as an out-of-cycle release. No change request required.
Normally when doing the work for free when legislation changes, both the supplier and the customer have no control over the legislative changes.
In this specific case, the customer gets to decide the legislative changes. That would be unfair on the supplier - though it looks like the rates they charge could provide a bit of a cushion for this.
There are two proven ways to reduce recidivism:
1) Never release prisoners.
2) Use the incarceration to rehabilitate prisoners, support them on release.
Too many people think that 'criminal' is a sub-species of humanity and that they are beyond hope. These are the 'lock 'em up and throw away the key' brigade. Despite centuries of evidence they persist in thinking that locking someone up will somehow stop them doing it again on release.
Anyone who understands human behaviour knows that locking someone up makes them more bitter and resentful. What's needed is a serious attempt to treat 'criminality' as an illness. Most criminals can be changed if enough effort is put in.
Never releasing prisoners only dictates on whom they can practise their criminality. In fact there is a crime in the UK of 'Prison Riot' which you can ONLY commit if you are in prison.
Supporting them on release is a good idea, but that depends a great deal on the society into which they are released. Would you go for the divided, racist, class-ridden prejudice of parts of the USA, or the enlightened supportive, and far less prejudiced Norway? (Norway has an admirable record of rehabilitation, but spends loads of time effort and money on treating prisoners as human beings, see Rutger Bregman's "Humankind", ISBN 978-1-4088-9893-2).
> Most criminals can be changed if enough effort is put in.
Aye, and there's the rub. Most governments would rather spend more money on locking them up ('being seen to be doing something') rather than spending a lesser sum trying to prevent them from re-offending. Not good for the votes, you see.
I have just listened to the BBC Radio 4's 'The Life Scientific' today. It was about psychosis. Apparently someone who experiences a traumatic event before the age of 16 is 3 times more likely to have a psychotic episode than someone who has a happy childhood. Also the worse the trauma the more likely the episode. Spending money on treating people with a troubled childhood pays dividends.
https://www.bbc.co.uk/programmes/m000sj7c
A previous episode about mentalising was also fascinating:
https://www.bbc.co.uk/programmes/m000dpj2
Note: user account required to listen. Also some bad events are described.
Check out Eclectic Man's recommendation - Humankind.
The analysis that has been done, and IIRC is being done by some red states in the US after looking at the Scandinavian model, is that in the long-term it is cheaper to put the money into good prisons and into proper rehabilitation. With recidivism rates of only 20% in Norway against 50-70% (depending on source) in the US, it just makes sense in the long run for all except the private prison owners...
A common theme in Norwegian prisons is that they are looking after people who will be released and will then be someone's neighbour, employee, etc. Better for all to integrate them back into the community properly!
Politically, it is easy to sell taking revenge on wrong-doers. This is something that people can see is happening, so we are seen to be doing something about crime. Criminals being rehabilitated, so they do not commit crimes any more, rarely makes the news. Yes, I know there are news stories about ex gang members working to prevent kids joining gangs, or whatever, but I suspect those people are far outnumbered by former criminals who sort their lives out, keep their heads down, and nobody knows about them.
This is the same state that wants to pass a law that gives the Governor/State legislature the power to overrule the will of the people in all future elections.
As the US Constitution preamble starts with
"We the People..."
They want it to be replaced with "We the GOP..."
because the state is solidly red but voted blue in 2020. The good ole boys can't let that happen again now can they?
"ADCRR updates the calculation multiple times daily to ensure appropriate release times are calculated and acted upon"
Given that sentences are only counted in days, how exactly does recalculating them multiple times per day help? If a person is not eligible for release at 0900, they're still not going to be eligible a couple of hours later.
I also note that they state the numbers of prisoners in various stages of participating in this program or being encouraged to do so, but don't appear to say anything regarding people who have been released earlier as a result. Overall, the whole response seems to use a lot of words to say absolutely nothing relevant to the actual question at hand.
"Given that sentences are only counted in days, how exactly does recalculating them multiple times per day help?"
It doesn't. All it means is that either (a) they run batch processes a couple of times a day (that counts as multiple) to process any changes that might have come in since the last batch or (b) they process changes as they come in and there are normally two or more per day. Either way they're recalculating several times a day even if they're not recalculating them all. Presentation is everything.
Either that or they get a different answer every time they run the program.
They could also save a lot of manual (or software) processing by only recalculating days left every 2 weeks until someone is down to a week left or less (with new calculations - could change if the formula changes again) given that it is 3 days credited per 7 days served (so max 6 day change in 2 weeks).
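The code/data separation argued for a few comments up (admin-editable "constants" rather than hardcoded rates) and the 3-days-credited-per-7-served arithmetic in the comment above, worked through as an added Python example that is not from the article or any commenter. The credit rules are rows of data with effective dates, the calculator returns an audit trail that explains every day of credit, and `max_credit_change` gives the 6-days-per-fortnight bound; the rates, dates, sentence length and time-served record are all constructed placeholders, not Arizona's actual rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class CreditRule:
    name: str
    days_credited: int             # credit earned ...
    per_days_served: int           # ... for every this many eligible days served
    effective_from: date           # served days before this date do not count
    effective_to: "date | None"    # exclusive; None means still in force
    program_only: bool             # True: only days in an approved program count

# Rules are rows of data, so a change in the law is a new row with an effective
# date rather than a code change. Both rows are constructed placeholders: the
# 3-for-7 rate is the one quoted in the thread, the rest is illustrative only.
RULES_CONFIG = [
    {"name": "pre-2019", "days_credited": 1, "per_days_served": 6,
     "effective_from": "2000-01-01", "effective_to": "2019-06-01", "program_only": True},
    {"name": "sb1310", "days_credited": 3, "per_days_served": 7,
     "effective_from": "2019-06-01", "effective_to": None, "program_only": True},
]

# Constructed time-served record: (start, end exclusive, in approved program).
# The 10-day middle segment is the "non-contributing course" from the thread.
EXAMPLE_SEGMENTS = [
    ("2019-01-01", "2019-06-01", True),
    ("2019-06-01", "2019-06-11", False),
    ("2019-06-11", "2019-12-01", True),
]

def load_rules(config):
    """Build CreditRule objects from the (externally editable) config rows."""
    return [CreditRule(r["name"], r["days_credited"], r["per_days_served"],
                       date.fromisoformat(r["effective_from"]),
                       date.fromisoformat(r["effective_to"]) if r["effective_to"] else None,
                       r["program_only"]) for r in config]

def eligible_days(rule, segments):
    """Days served that count under this rule, honouring its effective window."""
    total = 0
    for start_iso, end_iso, in_program in segments:
        if rule.program_only and not in_program:
            continue
        start = max(date.fromisoformat(start_iso), rule.effective_from)
        end = min(date.fromisoformat(end_iso), rule.effective_to or date.max)
        if start < end:
            total += (end - start).days
    return total

def compute_release(sentence_start_iso, sentence_days, segments, rules):
    """Return (release ISO date, audit); the audit explains every day of credit."""
    audit, credit = [], 0
    for rule in rules:
        days = eligible_days(rule, segments)
        earned = (days // rule.per_days_served) * rule.days_credited
        credit += earned
        audit.append({"rule": rule.name, "eligible_days": days, "credit": earned})
    credit = min(credit, sentence_days)  # credit can never exceed the sentence
    release = date.fromisoformat(sentence_start_iso) + timedelta(days=sentence_days - credit)
    return release.isoformat(), audit

def max_credit_change(rule, window_days):
    """Upper bound on credit one rule can add in a window (14 days -> 6 at 3-per-7)."""
    return (window_days // rule.per_days_served) * rule.days_credited
```

Because each rule carries its own effective window, a later change to the formula is one more row with a new date, and the audit list is what you hand to the judge who asks why the computer said what it said.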
I briefly did prisoner support once.
I gave a lift to a girl who was visiting her ma, as she did every week even though he was 60 miles away and travel was expensive. He was inside for four years for assaulting her. He'd only been sentenced to two years but he had to do an anger management course before his release. There was no anger management course at that prison so we paid an extra £88,000 to keep him inside. Maybe more than that, I never followed up on his case. She hadn't even wanted him prosecuted and was impoverished supporting him.
The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).
OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).
But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.
Blockchain venture Harmony offers bridge services for transferring crypto coins across different blockchains, but something has gone badly wrong.
The Horizon Ethereum Bridge, one of the firm's ostensibly secure bridges, was compromised on Thursday, resulting in the loss of 85,867 ETH tokens optimistically worth more than $100 million, the organization said via Twitter.
"Our secure bridges offer cross-chain transfers with Ethereum, Binance and three other chains," the cryptocurrency entity explained on its website. Not so, it seems.
Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances.
The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.
This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.
1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.
Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.
"We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.
A decentralized autonomous organization (DAO) called Inverse Finance has been robbed of cryptocurrency somehow exchangeable for $1.2 million, just two months after being taken for $15.6 million.
"Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said on Thursday in a post attributed to its Head of Growth "Patb."
And Inverse Finance would like its funds back. Enumerating the steps the DAO intends to take in response to the incident, Patb said, "First, we encourage the person(s) behind this incident to return the funds to the Inverse Finance DAO in return for a generous bounty."
Slowly but surely, software package registries are adopting multi-factor authentication (MFA) to reduce the risk of hijacked accounts, a source of potential software supply chain attacks.
This week, RubyGems, the package registry serving the Ruby development community, said it has begun showing warnings through its command line tool to those maintainers of the hundred most popular RubyGems packages who have failed to adopt MFA.
"Account takeovers are the second most common attack on software supply chains," explained Betty Li, a member of the Ruby community and senior front end developer at Shopify, in a blog post. "The countermeasure against this type of attack is simple: enabling MFA. Doing so can prevent 99.9 percent of account takeover attacks."
Travis CI stands for "Continuous Integration" but might just as well represent "Consciously Insecure" if, as security researchers claim, the company's automation software exposes secrets by design.
Aqua Security Software on Monday said its researchers had reported a data disclosure vulnerability with the Travis CI API. The response they said they received is that everything is working as intended.
In a blog post security researchers Yakir Kadkoda, Ilay Goldman, Assaf Morag, and Ofek Itach said they had found tens of thousands of user tokens were accessible through the Travis CI API, which provides a way to fetch clear-text log files.
Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.
The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.
The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.
Google has reportedly asked the US Federal Election Commission for its blessing to exempt political campaign solicitations from spam filtering.
The elections watchdog declined to confirm receiving the supposed Google filing, obtained by Axios, though a spokesperson said the FEC can be expected to publish an advisory opinion upon review if Google made such a submission.
Google did not immediately respond to a request for comment. If the web giant's alleged plan gets approved, political campaign emails that aren't deemed malicious or illegal will arrive in Gmail users' inboxes with a notice asking recipients to approve continued delivery.
Patch Tuesday: Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.
Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.
Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such as spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.
Biting the hand that feeds IT © 1998–2022