Tuesday, December 14, 2010

Gawker was hacked yesterday. Today LinkedIn?

Yesterday we learned Gawker was hacked. I got this message today ...

We have recently disabled your account for security reasons. To reset your password, follow these quick steps:
....
The LinkedIn Team

My LinkedIn password was not the same as the disposable Gawker password. It wasn't an ultra secure 64 character random string, but it was a 5th percentile good quality password, one of my class III credentials. It wouldn't fall to a standard attack.

So was LinkedIn hacked? Is this a false alarm? Are they being extra cautious after the Gawker hack?

There's another possibility. Since my Gmail account was hacked I don't enter my Google credentials on untrusted machines. Practically speaking, that means only OS X machines I control. Since that day I divide my credentials into five classes.

  • I: You want it? Take it.
  • II: I'd rather you didn't.
  • III: Help!! Help!!
  • IV: I'll fight you for it.
  • V: Kreegah bundolo! Kill!!

Category IV and V credentials are only used on trusted machines. Category I is used everywhere. Category II and III I'll use on my work machine -- an XP box with corporate-class antivirus software. In other words, a vulnerable machine.

The fourth possibility is that one of my Category III credentials has fallen to a keystroke logger on my corporate laptop.

Yech.

I've reset my LinkedIn password (and reviewed the list of reset emails), and, on reflection, I've moved those credentials into "Class IV". So I won't use those credentials on an untrusted machine.

What's next?

See also (my stuff):

Update 12/14/10: LinkedIn wasn't hacked, unless you consider that they've hacked themselves. They'd matched every email address posted by the Gawker hackers, and reset the passwords associated with them. They explain that today (emphases mine) ...

We recently sent you a message stating that your LinkedIn password had been disabled for security reasons. (Note: If you have more than one email registered with us, you will receive more than one password reset message. You only need to act on one of them.)

This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members.

There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password ...

They would have done better to explain that yesterday. What a screw up.

Monday, December 13, 2010

The Gawker hack - and two factor authentication

I got my email from Gawker today

... the user name and password associated with your comment account were released on the internet...

Gawker was hacked - big time. Forbes has the gory details ...

The Real Lessons Of Gawker’s Security Mess - The Firewall - the world of security - Forbes

... Despite this, they do not really seem to be acknowledging the scale of what happened. They still try to put some blame back on users, suggesting that if they had a weak password they might be compromised. Well, that really does not make much of a difference when you expose the entire database table and have way too much faith in the 34 year old encryption algorithm reported to be used to safeguard the data...

Briefly, I take security far more seriously than Team Gawker. They were a big fat soft target.

I don't remember creating a Gawker account - I probably created it on io9 originally. I'm sure I used my throwaway password (still far more robust than most). I have retired that password, but it will now be a part of a future dictionary attack. I need to check that Emily doesn't use it any more either.

In the wake of these events there are typically calls to "use strong passwords". Except, of course, if the server side password store encryption is hacked then even the world's best password is useless. And, of course, there are keystroke loggers out there.
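The two security points made here and in the LinkedIn update above (a cracked server-side password store defeats any password strength, and a site can cross-match another site's leaked credentials against its own users and force resets) can be shown in a small worked example. The code below is an added illustration by the editor, not code from the original post or from Gawker or LinkedIn; every user record, hash, and "leaked dump" in it is constructed, and the function names are the editor's own.

```python
"""Added example (not part of the original post).

Shows two things the post discusses:
  1. Why the design of the server-side password store matters: an unsalted, fast
     hash lets one precomputed table crack every user at once after a leak, while a
     per-user salt and a slow key-derivation function (PBKDF2 here) make a leaked
     table expensive to attack.
  2. How a site can respond to a breach on a different site: match the leaked
     email addresses against its own users and force a reset, either only where
     the leaked password actually verifies (credential reuse) or for every match
     (the conservative choice LinkedIn made).

All data below is constructed for the example.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # slow by design; tune upward on real hardware


def hash_password(password, salt=None):
    """Return (salt, digest) using a random per-user salt and PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def weak_hash(password):
    """The kind of store the post warns about: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def exposure_of_weak_store(store, wordlist):
    """Estimate how much of a leaked unsalted store falls to a single lookup table.

    Because there is no salt, one table of hashed guesses is reused for every user;
    the cost does not grow with the number of accounts. Returns {email: password}.
    """
    table = {weak_hash(w): w for w in wordlist}
    return {email: table[h] for email, h in store.items() if h in table}


def breach_response(users, leaked_dump, require_reuse=True):
    """Decide which of our users to force-reset after another site's breach.

    users: {email: (salt, digest)} from our own (properly hashed) store.
    leaked_dump: [(email, plaintext_password)] as published from the other site.
    require_reuse=True resets only accounts whose leaked password verifies here;
    require_reuse=False resets every matching email address.
    Returns a sorted list of emails to reset.
    """
    to_reset = set()
    for email, leaked_pw in leaked_dump:
        record = users.get(email)
        if record is None:
            continue  # not one of our users
        if not require_reuse or verify_password(leaked_pw, *record):
            to_reset.add(email)
    return sorted(to_reset)


# --- constructed sample data -------------------------------------------------
SAMPLE_USERS = {
    "alice@example.com": hash_password("password1"),             # reused elsewhere
    "bob@example.com": hash_password("correct horse battery"),   # unique here
    "carol@example.com": hash_password("zebra-7"),
}

# A leaked dump from a hypothetical other site; alice reused her password there.
LEAKED_DUMP = [
    ("alice@example.com", "password1"),
    ("bob@example.com", "throwaway99"),
    ("dave@other.net", "hunter2"),
]

# The same three users as they would sit in an unsalted, fast-hash store.
WEAK_STORE = {email: weak_hash(pw) for email, pw in
              [("alice@example.com", "password1"),
               ("bob@example.com", "correct horse battery"),
               ("carol@example.com", "zebra-7")]}
WORDLIST = ["123456", "password1", "letmein", "zebra-7"]

if __name__ == "__main__":
    print("weak store exposure:", exposure_of_weak_store(WEAK_STORE, WORDLIST))
    print("reset (reuse only):", breach_response(SAMPLE_USERS, LEAKED_DUMP))
    print("reset (all matches):", breach_response(SAMPLE_USERS, LEAKED_DUMP, False))
```

The contrast is the whole point: the weak store gives up two of three accounts to a four-word list with no per-account work, while the PBKDF2 store has to be attacked one salt at a time. The breach-response helper is the defender's side of the LinkedIn episode; the `require_reuse` switch is the difference between resetting only confirmed reused passwords and resetting every matched address.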

This is what I do now, but, really, we need two factor authentication urgently.

I did go through Gawker's password reset procedure, which seems to have given me a new username and password. There's no way currently to get to their accounts page so I'll just leave it as it is.

Update 12/14/10: This Lifehacker (Gawker) article on lessons learned from a hacked google account is quite ironic now. They didn't learn any lessons.

There've been two good commentaries today ...

The snowy 70s and nordic skiing

I came of age in Montreal in the 70s. It was a snowy time, and, not coincidentally, Cross Country (Nordic) skiing was relatively popular. There were cross country resorts as far south as mid-Pennsylvania.

Then came the 80s. The snows went away, the resorts closed, and cross country skiing declined. When global warming became obvious in the late 90s I figured that was the end of my favorite sport.

Now some are wondering if the 70s are back ...

Snow storm snarls Midwest: Is US facing another extreme winter? - CSMonitor.com

.... Scientists at the University of Wisconsin in Madison are among those trying to understand the mysterious interplay between Pacific and North Atlantic weather phenomena that threaten to dunk the Eastern US into a second year in a row of 1970s-style blizzards and cold snaps...

... Scientists speculate that heat released from storms racing up the US East Coast toward the Labrador Sea may be feeding the so-called North Atlantic Oscillation – nicknamed "The Greenland Block" – in ways that are not yet understood. The region of high pressure over Greenland has pushed huge troughs of Canadian air into the US, causing the fifth biggest snow storm on record in Minneapolis over the weekend and now threatening Orlando, Fla., with 20 degree F temperatures.

The atmospheric upset has had the opposite effect on parts of the West, where cities like Long Beach, Calif., and Phoenix saw record high temperatures Monday...

So now I know why my childhood was snowy. It's news to me. I found a bit more about it in this Feb 2011 article inspired by DC snow ...

The North Atlantic Oscillation, a mid-oceanic pressure system, has some distinct internal variability, but generally it alternates between roughly 25-year-periods of warm, then cold, temperatures. During the previous cold phase, which lasted from about 1960 to 1985, there were major winter storms in the Washington, D.C., area every couple of years — big snow storms hampered John F. Kennedy's inauguration in 1961 and a week of sub-zero temperatures chilled many people attending Ronald Reagan's second inauguration. Like the current storm, these storms dumped lots of snow: A 1979 storm dropped 18.7 inches and a 1983 storm dropped 16.6 inches. The storm that struck the capital region in December 2009 also dumped 16.6 inches of snow in D.C.

Those biggies of the past were usually also associated with El Niño, like this year. The North Atlantic Oscillation brings colder weather; the El Niño, which arises out of an unusually warm equatorial Pacific Ocean and occurs roughly every two to seven years, brings moisture to the Mid-Atlantic...

From my selfish point of view, snowy winters are excellent. Even with global warming Minnesota is cold enough for winter snow -- we're just too dry. These past two years we've gotten the moisture we need.

Maybe cross country skiing will make a bit of a comeback, even if the long term outlook is a bit bleak.


Sunday, December 12, 2010

Obama's rant explained

Last week Obama blew up at Krugman.

Oh, sure, he was supposed to be attacking annoying liberal idealists (i.e. his supporters), but we all know it's Krugman who gets under his skin. Barack was beating on Paul.

What we didn't know was why.

Now we know ...

Smoking in D.C.: Obama, Boehner and the Surgeon General’s Report - Health Blog - WSJ

... 'I have not seen or witnessed evidence of any smoking in probably nine months,' Gibbs said, continuing:

This is not something that he’s proud of. He knows that it’s not good for him. He doesn’t like children to know about it, obviously, including his. But I think he has worked extremely hard, and I think he would tell you even when in the midst of a tax agreement and a START deal and all the other things that accumulate, even where he might have once found some comfort in that, he’s pushed it away...

...Meantime, Speaker-of-the-House-to-be John Boehner is apparently not trying to kick his own habit. Politico also reports that he was seen smoking in a public area of the Capitol, which would be in violation of a House rule. (Boehner’s office declined comment to Politico.)

Nicotine withdrawal is famously vicious for true addicts, and Barack has been wearing a big monkey. Going off the hard stuff is gonna lead to a crazed rant or two.

So give the guy a break. He's trying. I wouldn't be surprised if this is something he wants to give his kids for Christmas.

Meanwhile Boehner is every bit the ass we know he is. Of course in his own way he's probably reinforcing Barack's resolve...

Thursday, December 09, 2010

Terry Pratchett on fading from dementia

Via Pharyngula, I find Terry Pratchett has written an article for the Journal of Mental Health. His goal is to make dementia something we can actually talk about, as a start to doing something about it.

Informa Healthcare - Journal of Mental Health - 19(4):363 - Full Text

.... have posterior cortical atrophy or PCA. They say, rather ingenuously, that if you have Alzheimer's it's the best form of Alzheimer's to have. This is a moot point, but what it does do, while gradually robbing you of memory, visual acuity and other things you didn't know you had until you miss them, is leave you more or less as fluent and coherent as you always have been.

I spoke to a fellow sufferer recently (or as I prefer to say, ‘a person who is thoroughly annoyed with the fact they have dementia’) who talked in the tones of a university lecturer and in every respect was quite capable of taking part in an animated conversation. Nevertheless, he could not see the teacup in front of him. His eyes knew that the cup was there; his brain was not passing along the information. This disease slips you away a little bit at a time and lets you watch it happen...

I suspect Pratchett knows it's likely too late for him, but this is something he can do (he also donated $1 million, he's an honorably rich man).

I've read over 45 of Pratchett's books; he's written 47. I think I've missed one or two of his very earliest, before he was famous. If this were a just world, he'd be considered for the literature Nobel. It's not too late.

Pratchett writes "fantasy" for the same reason Banks writes science fiction. It's a way to write about subjects too big for conventional literature. Yes, he also likes to entertain.

Wikipedia has a full list of his Discworld novels. You can start just about anywhere, though the later novels do expect that you've at least read the Discworld Wikipedia page. My favorites are between 1990 and 1998. Small Gods (1992) and Carpe Jugulum are a good pair, and this time of year Hogfather is a family favorite. All of the books are available through the St. Paul public library, and we own about a dozen or so. They are well worth rereading.

Information leakage in the digital age

Forget WikiLeaks [1].

I use my iPhone to record voice snippets. Ideas, plans, thoughts and so on.

When I sync my iPhone they go to the iTunes Library.

When my son uses his iPhone remote he broadcasts my voice recordings over the home stereo.

Fortunately they've been quite benign.

[1] Ok. Schneier has the best commentary. Cringely points out that Assange would never leak Israeli secrets because he'd then die.

Tuesday, December 07, 2010

Why did medical progress slow after 1984?

From 1910 to 1984 medical progress was extremely swift. After 1984, not so much. As I wrote in 1998 ...

Gordon's Notes: Challenges to medicine and science – medication invention hits a brick wall

... I can vouch for the lack of progress. I’m wrapping up a review of roughly the last 7 years of changes in medical practice.

To put it delicately, progress has sucked. If you put a good physician to sleep 7 years ago, and woke her up today, she’d be reasonably competent on day one. A week later she’d be fully up to speed.

My med review conclusions are:

  • Lots of new combinations of old drugs, maybe due to co-pay schemes. Many new drugs have suicidal ideation as a side-effect.
  • Lots of failed immune related drugs re-purposed with limited focal impact on a few disorders. Probably some improvements in seizure meds.
  • Lots of new Parkinson’s and diabetes meds, but they’ve had limited value. (metformin was a home run, but that was more than 7 years ago).
  • Really lousy progress in antibiotics; there are fewer useful therapies now than 7 years ago. Actually, fewer every year...

Twenty-five years ago it was reasonable to criticize physicians for failing to keep up with a rapidly expanding medical literature. I used to lecture on that topic in residency and beyond, teaching "Grateful Med" [1] use with MEDLINE [2] before the internet went public.

By 1992, though, I was getting suspicious. Many exciting journal findings were being reversed within 2-3 years. I planned out a small research study, looking at ten year success measures for novel therapeutic recommendations published in leading journals.

I never did that study; instead I moved from academia to industry. Later John Ioannidis did something similar [3]. Writing in 2010, he demonstrates that modern medical progress is slow with many reversals and lateral moves. The era of rapid progress in medicine is over.

Some of the consequences of slow progress are obvious. Nobody in 1984 would have predicted that by 2010 we still wouldn't be able to cure or prevent multiple sclerosis, rheumatoid arthritis, Alzheimer's disease, or diabetes mellitus. Even as recently as 2000, nobody would imagine the near total failure of clinical genomics. Such negativity would have been considered irrational pessimism.

Other consequences are less obvious. True innovation produces bigger results for less effort. In the absence of innovation there's only raw effort. That translates to more money spent on health care to achieve smaller results. Without genuine innovation, health care cost control is exquisitely painful.

So why has medical progress slowed so much?

One can imagine a lot of cultural explanations, but it's not just US health care innovation that slowed. It slowed everywhere.

I suspect it's more like what happened to aeronautical and automotive engineering or, with the death of Moore's Law, CPUs. The period of medical progress from 1910 to 1984 was an anomaly, an explosive renaissance arising from a "perfect storm" of emerging technologies and cultural receptivity. It was wonderful, but it's been over for a while. The gasoline engine gets a little better every year, and so does medicine.

One day there will be another renaissance in medicine. We just can't predict when.

There's a silver lining of course. Physicians needn't feel guilty about not keeping up with the literature.

See also:

-- footnotes

[1] A terrific DOS and Mac Classic app, named by a terrific National Library of Medicine project leader who was also a Grateful Dead fan. It was the successor to today's PubMed, but I think it was, in several ways, better than PubMed. Grateful Med was a graphical shell over a terminal interface; in 1996 Internet Grateful Med took over. The 1993 version was the best though.

[2] I am just entropic enough to remember the vast shelves of paper-bound "Index Medicus"; dozens of yards of books listing research publications.

[3] Thinking is easy. Doing is hard.

Sunday, December 05, 2010

If Google acquires Groupon they're absolutely insane

There's a rumor that Google is going to acquire Groupon for a zillion dollars.

I signed up to see what it was about. Naturally I used my mail.yahoo.com junk email address - a disposable digital identity. (If it ever annoys me too much, I will destroy it and create a new Yahoo persona.)

Groupon is a service that sends you spam. You can't opt out of the spam. Oh, and you can never leave. There's no obvious way to delete a Groupon account.

If Google buys Groupon then I will begin disentangling my data from Google. It will be an incontrovertible sign that they've gone off the rails.

Why you will live in an iOS world

Five years ago, just before Microsoft Vista was released, our household CIO made a strategic decision. We would move to OS X.

It wasn't a hard decision. The cost of supporting both XP and OS X was too high, XP's security, debugging and maintenance issues were intractable, and OS X had a much more interesting software marketplace. Moving to OS X would dramatically reduce our cost of ownership, which was primarily the CIO's opportunity cost. Time spent managing XP meant less time spent on my health and on family joys and obligations. [6]

It worked beautifully. One of my best strategic decisions. Yes, I curse Apple with the best of them, but I know the alternatives. I'm not going anywhere.

Except I am going somewhere. I will fade. So will you, though there's a bit more hope for the under-30 crowd. We might be able to slow the natural deterioration of the human brain (aka "Alzheimer's" and its relatives [4]) by 2030. It's too late for the boomers though, and probably too late for Gen X.

Sure, I'm still the silverback of the geek tribe. I may have lost a step, but between experience and Google I still crush the tough ones with a single blow.

Not for long though. I give myself ten years at most. I won't be able to manage something like OS X version 20, and I don't want to be reliant on my geek inheritor - son #2.

We will need to simplify. In particular, we'll need to simplify our tech infrastructure (and our finances [1] and online identities [7] too).

So our next migration will be to iOS - a closed, curated, hard target, simpler world.

You'll be going there too -- even if you're not fading (yet). The weight of the Boomers [2] will shift the market to Apple's iOS and its emerging equivalents. Equivalents like ChromeOS, now turning into iOS for desktop devices with its own App Store [5].

I still have a few years of OS X left, including, if all goes well, the 11" MacBook Air I've been studying. The household CIO's job, however, is to think strategically. Our future household acquisitions will shift more and more to iOS devices, possibly starting with iPad 2.0 (2011) [3].

I expect by 2018 we'll be living in a largely iOS-equivalent world, and so will you.

-- footnotes

[1] I miss Quicken 1996 -- before Intuit went to the DarkSeid.
[2] The 2016 remake of Logan's Run will be a smash hit. 
[3] I bought iPad 1.0 for my 80yo mother -- same reasons.
[4] 1989 was when the National Institutes of Health needed to launch a "Manhattan Project" style dementia-management program. I wasn't the only person to say this at the time. 
[5] If their first netbook device doesn't come in under $150 with batteries Google is in deep trouble. Android is not an iOS-equivalent, it's a lot more like XP. 
[6] Pogue's 10 year tech retrospective is a beautiful summary of the costs of making the wrong household tech decisions. He misses the key point though. The real costs are not the purchase costs, or the immense amount of failed invention, or the landfill costs -- it's the opportunity costs of all the time lost to tech churn. I've a hunch this opportunity cost is important to understanding what happened to the world economy between 1994 and 2010. That's another post though!
[7] Digital identities proliferate like weeds. Do you know where all your identities are?

Saturday, December 04, 2010

Cheating in education

A mercenary academic writes essays for students. It's an interesting story, though since the author is essentially a con man I don't have a lot of confidence in the details.

I was impressed by how much the students pay for their essays. For many of these people that's a lot of money.

I was also impressed by the blackmail potential. These students are putting a lot of trust in a shady character. "Ed Dante" knows their names, and has proof of services delivered. If I were paying him, I'd use a pseudonym.

Otherwise, it doesn't seem like a terribly worrisome problem; there are many other ways to evaluate students that are less amenable to fraud. If teachers don't use them, it may be that the fraud works for them too.

Healthcare quality 101

There are superb French (and other) pastries all around the island of Montreal, but Minneapolis St. Paul pastries peak at mediocre. The Twin Cities are richer than Montreal, but money can't buy everything. In health care terms we'd call this a kind of variability.

The pastry variation is cultural. Minnesotans don't love the chocolate, flour and liqueur pastries I grew up with, so there's no competitive market in my favorite food.

There's cultural variation in health care quality too. The best description of the causes of this variation, better than any prior academic publication, appeared in a 2009 New Yorker essay by Atul Gawande.

There's a different kind of variation that Gawande doesn't talk about. It's the difference between "Cicely" Alaska and Rochester Minnesota.

Rochester is the home of the Mayo Clinic. It's the champion of conventional health care delivery. The combination of a small city and an international service business generates enough revenue to support a full range of health care technologies and care givers. There's a culture of process monitoring and improvement that kicks it up a level above most referral centers.

Cicely is a mythical rural community. It's the archetype for communities with small populations that can only support a limited range of local health care delivery. At its best this will involve a reasonable number of family physicians, PAs and nurses and a smaller number of specialists. There may be only 1-2 pediatricians, maybe some hospitalists, 1 orthopedic surgeon, 2-3 general surgeons, and so on. There's unlikely to be a colorectal surgeon. There's probably 1-2 obstetricians, but obstetrical epidural anesthesia may be hard to get.

Care in this mythical Cicely, the care experienced by 17% of Americans, is different from care in Rochester.

In some ways Cicely is better. Primary care physicians are experienced. Care communication is much better than in large centers. Reputations are known, and they matter. Patients don't get missed or lost as easily. Most of us don't want to die, but we particularly don't want to die miserably. If I'm ready to die, I'd rather be in Cicely than at the Mayo.

In other ways Rochester is better. Cicely is probably not the best place for a child with Cystic Fibrosis. When there's only 1-2 specialists in a community that needs at least one, choice may be limited. Many procedures aren't available, or shouldn't be available, outside of specialty centers. Health care will often involve travel to a place like Mayo (back in the day I liked Marshfield Clinic -- almost as good as Mayo, and a lot closer).

It's good to understand that there are different kinds of health care variability. The pastry-kind of variation is fixable. The Mayo model, or a cheaper variant that's 80% as good, could be applied elsewhere (it's not the water). Other kinds of variability are much more persistent; they're driven by local market size more than culture. Cicely will never be a good place to have a glioma removed; though it's the place I'd want for care of an untreatable glioma.

Tuesday, November 30, 2010

XMind: Software made in China for OS X and Windows

I am a niche market; I need software that few people care about.

For example, I need software to dynamically manage concepts (ex: “ideas”), concept properties (“attributes”) and relationships. These products are usually marketed as “mind map” or “outliner” or (less often) concept mapping tools.

Even though this is a niche market where good software goes to die, geek developers cannot resist it. So they create beautiful products with relatively short lifespans. Past examples include Symantec’s MORE 3.1 (my all-time favorite), Ecco Professional, Lotus Agenda, Symantec’s GrandView, and Inspiration [1] (Mac, Windows, Palm!). There are many other examples.

Current examples include MindManager ($$$), FreeMind, Freeplane and OmniOutliner (OS X, outliner only). There are many others, the Freemind wiki has two pages describing Freemind’s alternatives.

One of those alternatives is XMind. There’s something special about XMind. XMind has been made in Shenzhen China since 2006. It’s currently available for Windows and OS X. It is the only multinational consumer-oriented Windows productivity software I’ve come across that is made in China; I don’t know of any OS X productivity software made in China.

This is an intriguing, even historic, development. [2]

[1] Didn’t exactly die, went to a school-only market.
[2] I don’t recommend the software though. The churn in this market and the costs of data lock mean I wouldn’t consider any product that used a proprietary file format. The XMind file format is proprietary. Even with open source products you need to evaluate the data store strategy.

Celebrating the war for the preservation of slavery

It’s been 150 years since the war for the preservation of slavery began …

Secession Defended on Civil War Anniversary - NYTimes.com

… James W. Loewen … put it: “The North did not go to war to end slavery, it went to war to hold the country together and only gradually did it become anti-slavery — but slavery is why the South seceded.”…

Of course millions in the South were anti-slavery too. Unfortunately, they were slaves.

Some wish to celebrate the event …

… events include a “secession ball” in the former slave port of Charleston (“a joyous night of music, dancing, food and drink,” says the invitation), which will be replicated on a smaller scale in other cities. A parade is being planned in Montgomery, Ala., along with a mock swearing-in of Jefferson Davis as president of the Confederacy.

In addition, the Sons of Confederate Veterans and some of its local chapters are preparing various television commercials that they hope to show next year. “All we wanted was to be left alone to govern ourselves,” says one ad from the group’s Georgia Division…

“Govern ourselves”. Uh huh.

Monday, November 29, 2010

Who’s betting on China’s bubble blowout?

China will be the third great bubble blowout in a bit over ten years, following the .com and leverage bubbles. The world, of course, will go back into yet another great recession (YAGR).

What a way to start a millennium!

When will China’s bubble blow? I’m guessing within the next 12 months, but since I usually guess early a more likely answer is 18 months from now.

That much is obvious. What I want to know is how the Lords of Finance are placing their bets. I assume the big money will be in currency shifts.

When China’s bubble collapses the renminbi will drop compared to the US dollar. So I’m assuming those with money will bet using a convoluted and indirect equivalent of buying the right to exchange renminbi for dollars in 2012 at today’s exchange rates. Since it’s widely assumed that the renminbi will rise over the next few years, those contracts may be discounted.

So here’s the assignment for an ambitious journalist. Figure out how the bet will be made, then look for evidence that billions of dollars are already on the sidelines.

I suspect Soros has something on the line …

Sunday, November 28, 2010

wikileaks: An unstable China

Reuters' hit list of this week's top WikiLeaks was remarkably uninteresting except for this one ...

Factbox: WikiLeaks cables offer inside peek at global crises | Reuters

... China's Politburo directed the intrusion into Google's computer systems in that country, a Chinese contact told the U.S. Embassy in January, as part of a computer sabotage campaign carried out by government operatives, private experts and Internet outlaws recruited by the Chinese government. They have broken into U.S. government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said...

This confirmation is relatively newsworthy; it's consistent with China's rare earth embargo and China's support for North Korea's shelling of a South Korean island. China is less stable than most imagine.

Update 12/1/10: Subsequent leaks portray China's leadership much more favorably. In particular, they are portrayed as more sane about North Korea and Iran than I expected.