HeartBleed: what it really is (or was)

You will read that HeartBleed is a bug in OpenSSL, which is correct. You will then be told that it’s a security flaw – which is technically incorrect.

Unlike the deliberate weakness inserted by the NSA into encryption’s choice of random numbers, making them less random, the HeartBleed bug was a simple dumb coding error.

Some peer-to-peer connections need to be assured that the other party (computer, actually) is still ‘there’ in the internet-available sense. To do this, there is a ‘Heartbeat’ protocol which works approximately like this:

A sends to B a message which says: here’s some data, and its size. Here’s some padding, and its size. Send me back the same data, at this size.

B is then supposed to respond with essentially a copy of A’s data. A then knows that B is there and is listening.

The Bug: in some versions of OpenSSL, this protocol was implemented such that, if A requested more data from B than A actually sent, B would respond with A’s data, plus adjacent memory contents, up to the size requested.

This is a simple coding flub, mildly analogous to stack overflow. Whenever asked, B would show A up to some 64KB of data that happened to be next to A’s input storage memory.

Once this was known, sites with sensitive data were forced to close. (At least, sensible sites with sensitive data. Others kept open, knowing that a hacker could be looking at their computer’s memory contents.)

In Canada, the CRA (tax department, eh?) shut down until the bug could be fixed.

You will read that information can be stolen without trace, which is almost incorrect. First, websites can and do keep a log of all traffic, coming and going. Thus it is possible to find all the heartbeat requests and responses, and detect those that were for extra data, and inspect those packets for sensitive information. CRA did this and found that some 900 SINs had been accessed.
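To make the heartbeat exchange, the bug, and the log check described above concrete, here is an added Python model (not code from this post or from OpenSSL): a responder that trusts the request’s length field the way the affected versions did, the bounds check that the fix added, and that same check applied to captured records, which is how a log review like the one the CRA ran can flag requests that asked for more than they sent. The record layout follows the heartbeat message format (type, 16-bit length, payload, at least 16 bytes of padding); the "adjacent memory" contents are constructed for the demonstration.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
HEADER_LEN = 1 + 2      # one type byte plus a 16-bit payload_length
MIN_PADDING = 16        # the heartbeat extension requires at least 16 bytes of padding

# Constructed stand-in for whatever happened to sit in memory right after the
# buffer the request was read into (the "adjacent memory contents" of the post).
ADJACENT_MEMORY = b"Set-Cookie: session=SECRET123; SIN=000-000-000 ..."


def build_request(payload: bytes, claimed_length: int) -> bytes:
    """A's heartbeat request. An honest A sets claimed_length == len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + bytes(MIN_PADDING)


def request_is_consistent(record: bytes) -> bool:
    """The check the fix introduced: header + declared payload + minimum padding
    must fit inside the record that actually arrived. The same test, run over
    captured heartbeat requests, picks out the ones that asked for extra data."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return False
    hb_type, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    return hb_type == HEARTBEAT_REQUEST and HEADER_LEN + claimed + MIN_PADDING <= len(record)


def vulnerable_respond(record: bytes, adjacent: bytes = ADJACENT_MEMORY) -> bytes:
    """B before the fix: trusts claimed_length and copies that many bytes from
    where the payload starts, running past the record into adjacent memory."""
    _, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    memory = record + adjacent              # the record's buffer plus what follows it
    echoed = memory[HEADER_LEN:HEADER_LEN + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + bytes(MIN_PADDING)


def fixed_respond(record: bytes, adjacent: bytes = ADJACENT_MEMORY) -> Optional[bytes]:
    """B after the fix: identical copy, but only when the declared length is
    consistent with the record; an inconsistent record is silently discarded."""
    if not request_is_consistent(record):
        return None
    return vulnerable_respond(record, adjacent)   # now provably stays inside the record


def bytes_beyond_payload(response: bytes, sent_payload: bytes) -> bytes:
    """For a captured response, return whatever it carried beyond the data A sent:
    the material a log review would inspect for sensitive information."""
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length][len(sent_payload):]


if __name__ == "__main__":
    honest = build_request(b"hello", 5)
    greedy = build_request(b"hello", 64)          # says 64 bytes, sends 5
    print("honest consistent:", request_is_consistent(honest))
    print("greedy consistent:", request_is_consistent(greedy))
    print("fixed B answers greedy:", fixed_respond(greedy) is not None)
    print("unfixed B leaks:", bytes_beyond_payload(vulnerable_respond(greedy), b"hello"))
```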

In addition, since the attacker needs to get the data back, his/her IP address must be in the heartbeat request. Thus CRA (possibly with some help) was able to track the attacker’s IP address. In the case of a provider like Rogers Cable, that IP address maps to a single cable going into a single location. The hacker has been arrested.

(There is a way around this difficulty, using a service such as Tor. But I’ll bet they notice obvious multiple repeated hacking attempts, as their stated intent is merely to prevent correlation of requests as a tracking service for governments and agencies such as the NSA.)

Now for some observations.

It has been claimed that the NSA was aware of this and used it for the two years that the bug was in effect (for specific versions of OpenSSL). I believe this is a credible statement.

It has been noted that two sets of people detected the bug at about the same time. I find this fascinating.

If you google Heartbleed shutdown, you’ll not find much. CRA shutdown, of course, and a claim that

Communications Security Establishment Canada says it learned of the Heartbleed bug a full day before a federal government public warning went out and parts of the Canada Revenue Agency website were temporarily shut down.

You can find this here.

A quick search on BBC News for Heartbleed shutdown found little. Very few sites, it appears, were as thoughtful as the CRA. Many warned of slowdowns while servers had code updated. (Apparently, it’s one line of code and some sites can’t easily update that and compile and test it. I remember being iteration manager at a major bank’s development project, when we sometimes did over three thousand Cobol compiles overnight. Maybe the CRA should hire me to audit their code management practices, eh?)

So. The bug should be fixed everywhere now. Not all sites had the bug version to start with. Not all sites were attacked. Not all sites are checking their logs to find out if they were attacked. CRA shut down when informed. CSEC didn’t bother informing them for a full day.

Net net: if you were unlucky, and your information was in memory on a site with the HeartBleed weakness, your information could be in the hands of anyone hacking that site while your information was in memory. It is not clear why it would be, unless you were active on the site at the time, or your information was ‘in the same cluster’ as someone else’s information, and that someone was active on the site at the moment of the heartbleed request.

Comments? Did this help, at least a bit?

Deb Matthews

Deputy premier of Ontario, and Minister of Health and Long-Term Care. Sounds pretty responsible, eh? Perhaps not.

Here you can find the usual Wikipedia entry on Deb Matthews. It doesn’t say much about current drug problems nor the slow motion train wreck that was ORNGE ambulance service.

Let’s have a quick overview of Deb Matthews’ oversight of ORNGE. Here you will find that she didn’t read an audit on ORNGE (which she requested) for a year.

Here you will find these words:

“As minister, I take my full share of responsibility. I have acted quickly to fix the problems identified,” Ms. Matthews said.

Unfortunately you will also find these words:

Progressive Conservative MPP Frank Klees tabled a document dated June 2011, months before Ms. Matthews stepped in to dismantle Ornge, which sounded a host of alarm bells about the organization’s finances, including a loan receivable of $4.3-million in 2010-11. “This is a concern as Ornge is not in the business of advancing monies and, these are taxpayer dollars that have been lent,” states the memo, labelled “Confidential Advice to Minister.”

ORNGE’s problems are manifold. There is a suggestion of payments under the table in both directions with regard to the famous AgustaWestland helicopters. Here you will find these words:

Rainer Beltzner left a legislative committee stunned when he said he saw documents in January that appeared to show that Ornge was under no obligation to pay for weight upgrades for its new helicopters, but did so anyway.

and these words:

Even though the board made it clear that they were to approve any major amendments to the deal with Italian helicopter firm AgustaWestland, they were completely unaware of the $6.7-million payment, he said.

Remember that amount: $6.7 million CAD. That number comes up again here, where it appears the OPP are investigating why AgustaWestland paid an ORNGE company $6.7 million for very little work – apparently a marketing services contract whose deliverables were found via Google Search. To give a small quote:

The daughter of ORNGE’s chairman and the girlfriend of founder Chris Mazza did the small amount of research that brought the air ambulance’s for-profit arm a $6.7-million payment from an Italian helicopter firm.

In addition, the helicopters, reportedly specified by Mazza, aren’t well suited as air ambulances.

Dr. Bruce Sawadsky, medical director for ORNGE, checks out the new multi-million-dollar AW 139 helicopters and finds their cramped medical interiors are a “high risk environment.” Tough to do CPR. Hard to prop up a patient with difficulty breathing. Too long to load and unload a patient. Equipment malfunctions.

All of this went on during Deb Matthews’ oversight.

More recently, there have been questions about drug mis-prescriptions for seniors, particularly that nursing homes prescribe antipsychotics for dementia patients. This despite clear labels that such ‘off label’ prescribing can be fatal.

The minister’s comments came after a Star investigation found provincially regulated nursing homes are drugging helpless seniors despite warnings that the powerful antipsychotics can kill elderly patients suffering from dementia.

What do you suppose our Provincial Minister of Health and Long-Term Care had to say? She said this:

“Let’s remember, it’s doctors who prescribe these drugs, not the government,” Matthews told reporters in a heated scrum at Queen’s Park.

Now it’s time for some dumb questions, eh?

If doctors prescribe drugs, and surgeons perform operations, and Mazza runs ORNGE, and helicopters get bought with strange extra payments, is it obvious to all of us that that lets our Minister of Health and Long-Term Care off the hook? For everything?

Is it not the minister’s responsibility to know what’s going on? To propose legal restrictions and to enforce both legal and moral fairness to both the ill and the taxpayer?

Have you ever seen a weaker cop-out? From a politician with a weaker reputation of being hands-on in her/his responsibilities?

Ukraine, Russia, IMF, EU, USA, UK, and Canada: Some facts about debt

We should confidently expect Russia to continue to be active in the Ukraine, and to continually ‘foment’ referendums, etc., allowing Russia to absorb more territory.

Underneath all this is Ukraine’s debt.

Here you will see that Ukraine owes Gazprom some $2.2 billion. But that’s not all.

Here Al Jazeera quotes Vladimir Putin: Ukraine owes some $17 billion in discounts and a potential additional $18.4 billion in some sort of fine. On top of that, Russia purchased some $3 billion worth of Ukraine government bonds, which also need to be repaid, eventually.

After the acquisition of the Crimean Peninsula, sanctions against Russia started. The American Interest has a page here that claims Russia has, privately and publicly, loaned some trillion dollars to the EU. It won’t be easy to escape this level of financial involvement.

Sanctions re Russian exports were discussed. However, Germany gets some 50% (I’ve also seen an estimate of 40%) of its energy from Russia, some of it via the Ukraine. This Forbes page says the US could fill this gap in a few years, assuming their supply of natural gas can be increased, liquefied, and shipped – all of which require additional facilities.

Here you will read that the UK could indeed punish Moscow, but only if it were willing to take a hit in its own financial profits.

Meanwhile, the IMF has promised some $14 to $18 billion, but is waffling and not actually delivering anything. Amazingly enough, criticism of this procrastination came from Canada’s former foreign affairs minister Lloyd Axworthy. (I’ll get to the irony of Canada having anything to say later.)

Meanwhile, the USA has generously offered to guarantee a loan of $1 billion. Not much against the larger size of the actual need. Here you will read Vladimir Putin’s response to this: ‘ludicrous.’

Back to Canada’s magnificent involvement. Here you will find CBC News explaining that we are offering $220 million. That’s $0.22 billion. It does seem to be a gift rather than a loan guarantee, but we Canadians can never be sure what our federal government is really doing, eh?

Getting solid numbers on Ukraine’s problem is, well, problematic. Wikipedia (as usual an excellent reference) says three things: Ukraine needs $17 billion in 2014 alone; Ukraine is in recession; economic indicators are betting Ukraine’s probability of default in the next five years is 50%.

Now for the most amazing part of all this muddle. The IMF says that cash it provides to Ukraine will not be used to pay off Russian debt. At least not the early cash.

And part of the price of IMF assistance will be austerity in Ukraine. Already being in recession isn’t enough, eh?

Now for the dumb questions.

  • Does anyone seriously believe that sanctions will stop Putin in his tracks?
  • Does anyone seriously believe that the IMF etc will provide enough to bail Ukraine out?
  • Does anyone seriously believe that austerity is a cure-all of country recessions?

and finally,

  • If you were in ‘power’ in this situation (Christine Lagarde’s position, for example), what would you think was the right thing to do?
  • Is this the same as the most human, humane thing to do?

Are these dumb questions?

Triage

First, let me honour James Orbinski for bringing the reality, the horror, of the word ‘triage’ into public consciousness.

Triage is doing medicine with limited resources. I submit that pharmaceutical resource choices are also a form of triage.

Here you will find an article complaining that Canada lags behind on rare disease research. I hold that this is a form of triage, and could be a correct decision. The article references an unfortunate individual whose life-extending treatment costs $200,000.00 a year. The condition is extremely rare, one in 100,000 or so.

I ask you to think: how much vaccine (polio, flu, measles, whatever) or research (artemisinin generated in yeast instead of bacteria, for example) could be funded with $200K per year?

One country, New Zealand, performs triage overall in its drug decisions. There is a government agency to achieve this. I believe this agency will come under attack as New Zealand goes into further trade agreements, such as this one.

The pharmaceutical industry is driven by profit, not humanitarianism. The entire book Information Feudalism, ISBN 1-56584-804-7, is about this. India was forced to disallow generic drug manufacturers by elongating and broadening patent restrictions. Claims of poorer quality were false. On pages 67-68 of this book we read this:

Having just returned from medical work in Nepal, I am intrigued by the Association of the British Pharmaceutical Industry’s statement that “the pharmaceutical industry in the UK is highly competitive especially in terms of prices.” Most of the drugs available in Nepal are manufactured in India and their efficacy in clinical practice I have found to be the same as their UK equivalents but the price is about one-tenth to one-twentieth of the UK price. Any argument about research and development costs can hardly apply to such humble drugs as paracetamol.

Here you will find that a specific HIV drug costs about $25K per year. At one point some other drugs were of the order of $1300 per month. India offered to produce that for about five bucks, and was told it would be trade-sanctioned into the ground if it did so. So India joined GATT, TRIPS, et cetera. African countries agreed to prosecute generic manufacturers of drugs under patent.

Wholesalers regularly squeeze pharmacies as well. This page is not meant to be visible to non-medical practitioners. I found it by Google searching.

So, what’s my point? Triage is my point. We should, as human citizens, demand that our governments and health practitioners do the following:

  • bargain for the best treatments, based on cost-effectiveness and patient counts.
  • question the profits of Big Pharma. Is this fair?
  • question focusing on rare drug research. Is this good triage? Or just good money?

In The Economist page, there is hope, where these words appear:

Second, the price of AIDS drugs plunged. In May 2000 a year’s “triple cocktail” therapy cost $10,000 or so. By 2011 the same pills sold for $62 in poor countries. PEPFAR cash buys generic versions of patented drugs, which may be supplied only to poor countries. Last year two drugmakers won most of PEPFAR’s contracts: Aurobindo, an Indian firm, and Matrix, an Indian firm acquired in 2007 by Mylan, an American one. PEPFAR’s bidding system keeps margins slim even by the standards of the generics industry, says Rajiv Malik, the president of Mylan. But volumes are huge.

I note that $62 a year is roughly $5 a month – what the Indian firms said they could produce it for, in the first place.

Again, think about triage: we have a population with ailments. Let’s be efficient with limited resources. And not try to do everything, even if a newspaper article thinks we should.

Kathleen Wynne, Tim Hudak, Dalton McGuinty, and Peter Faist

We’ve been told a number of fibs about the erasure of hard drives. This relates to the cancellation of power plants and the related emails that conveniently disappeared.

This matters, as Kathleen Wynne is charged by Tim Hudak of being aware of the erasure and culpable therein. This is apparently false.

Hudak uses the fact that the erasure was done using an ID that had erasure power for longer than needed. In fact the RCMP have determined that all the erasures occurred on two specific dates, before Kathleen Wynne was installed as Premier. Hudak should know this. His website continues to say Wynne was involved. This appears to be patently false.

Martin Regg Cohn, writing in the Toronto Star, agrees with this assessment.

Here you will find that the wiping occurred a few days before Wynne was sworn in.

So, the first set of fibs, told by Mr. Hudak, is that Wynne was involved. She was, according to the RCMP, definitely not involved.

Now for the fibs told by pundits and pseudo-techies. I won’t dig up the quotes here, but I’ve read in the papers that ‘hard disk erasure invariably leaves footprints’. This is incorrect.

Here you will find these words: The sanitization process involves each bit of data on a hard-disk being overwritten by an arbitrary value between 3 – 30 times. Clearly if I do this for an entire disk, there’s nothing left to trace back to anything.

That’s fib number one: erasure leaves footprints. Now for fib number two: the erasure was done cleverly. It was not.

Apparently, all the hard drives in question were found in storage afterward, because they had all been replaced; the computers they were in became inoperable. The staffers said they couldn’t log into their computers after Faist left and called IT staff, who said it was clear that system files had been deleted, police allege. In February, Ontario Provincial Police seized hard drives from government computers at ReCall, a data storage facility in Mississauga, Ont.

If I were willing to have 24 computers become inoperable, that would not be a subtle erasure. There are better, less obvious, ways to accomplish this. In fact, deleting the emails (entire folders would work) and then doing an ‘erase the erased space’ run would have left no trace of the deleted files. (I note that, had Rob Ford’s acquaintances known how to do this, the infamous ‘crack’ video could not have been recovered.)

I am aware of this sort of program (Heidi Eraser) because, on one occasion, I had to make very sure a hard drive could not be ‘recovered’ for its erased files. It is not a fast process; every unallocated cluster, including cluster tips, is re-written several times with various bit patterns. Apparently, after that, even an electron microscope cannot guess what any bit was before the erasure.

So, now for the persons of interest. Will Peter Faist go to jail? Will Tim Hudak face a libel suit? Will Dalton McGuinty continue to look worse and worse? And finally, will Kathleen Wynne be effectively tarred by Hudak’s brush, even if it’s not fair or correct?

You probably thought those were the dumb questions. Nope; here they are:

Is Martin Regg Cohn correct in his assessment, that Hudak will gain seats now with slander that holds up for a couple of months, whereas a lawsuit would take two years to get to court?

Is this fair?

Does it matter? Torontonians elected Rob Ford and may well re-elect him. Dalton McGuinty left leadership after cancelling two gas plants to save five seats. Kathleen Wynne gave Scarborough a totally inappropriate subway, apparently to save one seat. Dalton’s five seats cost roughly a billion dollars; we’ll all burn much more than that over the Scarborough subway’s lifetime.

Again, does it matter? Will we allow our politicians to get away with this nonsense? Will we reward Tim Hudak for his apparent slander?

Dumb questions, eh?


Stephen Harper, Marc Nadon, and Rocco Galati

First, let me remind all of us of an earlier column by the now-deceased James Travers. In that article Mr. Travers detailed how our prime minister is shifting our country a bit at a time.

Today, we have a further example of this. In this article you will find these words:

The court also rejected as unconstitutional the government’s attempt to bypass those rules by retroactively amending the law. The Conservatives tried to redefine the law to support Nadon’s appointment, but only after it became clear his ascendance to the Supreme Court bench faced legal and political challenges.

In short, the Government snuck a piece of legislation into another bill, and thereby attempted to rewrite the law retroactively.

This after what looks to me like an attempt to pad the Supreme Court with an ineligible person, at least from the point of view of the province of Quebec.

You will also find these words in the above National Post hotlinked page:

The 6-1 decision was a stunning political defeat for the Harper government, the latest in a string of constitutional decisions from the top court that have not gone the government’s way. They include rulings over supervised injection sites, the country’s prostitution laws and a decision Thursday that struck down a Harper government law on day parole for criminals.

To recap: Stephen Harper’s government made an incorrect Supreme Court appointment, Marc Nadon, and then tried to rewrite the law to justify that retroactively. This failed because Rocco Galati challenged the legality of the move.

James Travers would have approved Mr. Galati’s challenge. Meanwhile, we still live in the country he asked us to imagine: Stephen Harper’s Canada, where laws are passed that only the Supreme Court has the power to strike down.

Now for the dumb question: why do we put up with this? Are we just dumb?