Discussing software, the web, politics, sexuality and the unending supply of human stupidity.

Ignore the talking heads: TalkTalk's security issues run much deeper

I have to say I’m rather intrigued by the TalkTalk hack. First of all, they’ve found the 15-year-old who allegedly did it, arrested him and bailed him pending investigations. Hopefully, if said person did it, he’ll be quite interested in helping the police with their inquiries and with a bit of luck, the customers aren’t going to have their personal or financial details released. TalkTalk have waived cancellation fees for customers who want to leave, but only if a customer has sustained a financial loss.

Meanwhile, Brian Krebs reports that the TalkTalk hackers demanded £80k worth of Bitcoin from the ISP. We’ve now had the media tell us it is “cyberjihadis”, a fifteen-year-old boy, and people holding it ransom for Bitcoin.

What’s curious though is how the mainstream media have not really talked very much to security experts. Yesterday, I listened to the BBC Today programme—this clip in particular. It featured an interview with Labour MP Hazel Blears (who was formerly a minister in the Home Office) and Oliver Parry, a senior corporate governance adviser at the Institute of Directors.

Here’s Mr Parry’s response to the issue:

The threat is changing hour by hour, second by second—and that’s one of the real problems, but as I said, I don’t think there’s one way to deal with this. We just need to reassure consumers, shareholders and other wider stakeholder groups that they have something in place.

Just a few things. This attack was a simple SQL injection attack. That threat isn’t “changing hour by hour, second by second”. It’s basic, common-sense security that every software developer should know to mitigate, that every supervisor should be sure to ask about during code reviews, and that every penetration tester worth their salt will check for (and sadly, usually find).

As Paul Moore has pointed out in this excellent blog post, there are countless security issues with TalkTalk’s website. Craptastic SSL, no PCI compliance. The talking heads are going on about whether or not the data was “encrypted”. The SSL transport was encrypted, but you could request that they encrypt traffic with an obsolete 40- or 56-bit key rather than the 128-bit that is considered secure.

There are new and changing threats, but SQL injection isn’t one of them. That’s a golden oldie. And it also doesn’t matter if the data is encrypted if the web application and/or the database is not secured against someone injecting a rogue query.
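To make the point concrete, here is an added example (not code from the post, and nothing to do with TalkTalk’s actual systems) showing the difference between building a query by pasting input into the SQL text and passing it as a bound parameter. It uses an in-memory SQLite table with constructed rows; the `flag_string_built_queries` helper at the end is a crude review-time heuristic of my own for spotting the pattern in Python source, the sort of check a supervisor could run during code review.

```python
import re
import sqlite3

# Constructed sample data standing in for a customer table.
CUSTOMERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Untrusted input is spliced into the SQL text, so it becomes part of the
    query grammar: a quote character in it changes what the statement means."""
    sql = f"SELECT name FROM customer WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, email):
    """Placeholder plus parameter tuple: the driver hands the value to the engine
    as data, so whatever characters it contains it is only ever compared
    against the column, never parsed as SQL."""
    sql = "SELECT name FROM customer WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demonstrate():
    """Run both lookups with an honest input and the textbook tautology input."""
    conn = make_db()
    crafted = "nobody@example.com' OR '1'='1"
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice@example.com"),
        "honest_safe": lookup_parameterised(conn, "alice@example.com"),
        # The spliced version now reads ... WHERE email = '...' OR '1'='1'
        # and returns every row; the parameterised version finds no such email.
        "crafted_vulnerable": lookup_vulnerable(conn, crafted),
        "crafted_safe": lookup_parameterised(conn, crafted),
    }


# Heuristic (hypothetical helper, not a real tool): flag execute() calls whose
# SQL is assembled with an f-string, .format() or %-formatting on the same line.
_SUSPICIOUS = re.compile(r"""execute\(\s*(f["']|.*\.format\(|.*%\s)""")


def flag_string_built_queries(source_lines):
    """Return 1-based line numbers that look like string-built queries.
    Queries assembled on an earlier line are missed: this is a review aid,
    not a substitute for reading the code."""
    return [i for i, line in enumerate(source_lines, start=1) if _SUSPICIOUS.search(line)]


if __name__ == "__main__":
    for label, rows in demonstrate().items():
        print(f"{label}: {rows}")
```

The review heuristic is deliberately simple; a query concatenated in a variable and executed later will slip past it, which is exactly why the parameterised form should be the only one a team accepts rather than something hunted for after the fact.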

Mr Parry is right that there is not “one way to deal with this”. There are plenty. First of all, you need to hire people with some security expertise to build your systems. You need to hire independent experts to come and test your systems. That’s the in-house stuff. Unfortunately, TalkTalk seem to have lost a whole lot of their senior technical staff in the last year, including their CIO. Perhaps they weren’t confident in the company’s direction on security and technology matters.

Then there’s the external-facing stuff. Have a responsible disclosure process that works and that gives people incentives to disclose. Have a reward system. If you can’t afford that, guarantee that you won’t seek prosecution or bring legal action against anyone who engages in responsible disclosure. Keep an open and clear log where you disclose your security issues after fixing them. Actually fix the issues people report to you. Again, Paul Moore’s post linked above notes that he tried to contact TalkTalk and was ignored, disrespected and threatened. That’s not how you should treat security consultants helping you fix your issues.

All of this stuff should be simple enough for an ISP that has over four million paying customers. It isn’t rocket science. The fact that they aren’t doing it means they are either incompetent or don’t give a shit.

Brian Krebs nailed this corporate failure to care about security recently in a discussion on Reddit:

I often hear from security people at organizations that had breaches where I actually broke the story. And quite often I’ll hear from them after they lost their job or quit out of frustration, anger, disillusion, whatever. And invariably those folks will say, hey, we told these guys over and over…here are the gaps in our protection, here’s where we’re vulnerable….we need to address these or the bad guys will. And, lo and behold, those gaps turned out to be the weakest link in the armor for the breached organization. Too many companies pay good money for smart people to advise them on how to protect the organization, and then go on to ignore most of that advice.

Mr Parry said that the important thing was reassuring customers that their information was safe, not actually ensuring that customers’ data is safe. This is exactly the problem. I don’t want to be “reassured”, I want it to be safe. I don’t want to be reassured that my flight isn’t going to crash into the Alps—I actually want my flight to not crash into the Alps. Reassuring me requires salespeople and professional bullshitting; not crashing requires well-trained pilots and staff, engineers doing proper checks, the designers of the plane making sure that they follow good engineering practices, and constant testing. Engineering matters, not “reassurance”.

So long as business thinks “reassuring” customers matters more than actually fixing security problems, these kinds of things will keep happening. It would be really nice if the media actually spoke to security experts who could point out how trivially stupid and well-known the attack on TalkTalk was, so this kind of industry avoidance tactic could be properly squelched.

The story that’s been doing the rounds about the woman who presented her father a “certificate of purity” on her wedding day is itself a hilariously awful example of how American religious culture screws up sexuality but this blog post from Homeschoolers Anonymous made me see exactly why it is so horrible: in saying that virginity (especially female virginity) is ‘purity’, it automatically implies that anyone who has been raped or sexually assaulted or abused is ‘impure’.

That’s the message that is sent in such cultures: that a person—especially a woman—who has had sex, whether voluntarily or not, is ‘impure’, is ‘damaged goods’. And if they’ve been abused, no matter how much they’ve worked to free themselves of the shame or negative feelings about that abuse, they are haunted by the cultural stain of ‘impurity’.

We need to burn purity culture to the ground: it is truly nasty psychotic shit created by truly awful people.

Pi is a constant unless you are a software developer

You may think that pi is a constant like 3.14159 (etc.), but that is because you learned mathematics in school. You learn a lot more once you enter the world of work.

As a software developer, you have to get used to the fact that pi is whatever management have decided it to be this week. For one project, pi might be 3.14159, but in other projects management may decide that pi is actually the integer 4, an API call to an old system that you need to use Java Remote Method Invocation to access, an XML document that is inside a Word file in an email account you don’t have access too, or it might be green, except on Thursday when it is furry and invisible. That’s what they sold the client, so that’s what it is.

You might think that if pi is being redefined, someone might file an issue about it or raise it with you in a meeting. No, they’ll mention it to you off-hand and indirectly, or they’ll put it on page 53 of a PowerPoint slide deck with a filename like CLIENT PRESENTATION DRAFT FINAL MAYBE? CHECK WITH CAROL (1).pptx that they CC to you, except the subject line says “Drinks on Friday” and the body is about the birthday party for Steve in accounting. Or, worse, they’ll upload it to Confluence, because it has to be useful for something. When you persist with your school-derived belief that pi is 3.14159 (or the value of java.lang.Math.PI and equivalent), you will be upbraided for not keeping up with the rapidly changing needs of a growing enterprise.

When you have learned to live with the fact that pi could be anything from one day to another, and once you have learned to listen patiently to the idiot telling you that pi is actually a Labrador puppy, suppressing your strong desire to grab him by the lapels and throw him down a ricin-laced lift shaft, you have progressed to the point where you can become a senior developer, a project manager or a consultant.

None of this means that pi is anything but 3.14159. It is a mathematical constant—your maths teacher is right. If you need to deal with the cognitive dissonance, step away from your computer, have a nice holiday—or a good gin and tonic, or dance your tits off in a nightclub or whatever hedonism gets you through life. Once you’ve coped with the dissonance, pretending pi and many other similar things aren’t constants makes dealing with companies much easier. Deadlines, requirements and functional specs are mostly make believe, so why can’t mathematical constants be fictional too?

Some Netgear routers vulnerable to hack that allows modification of DNS server. Consumer-grade routing and DSL gear seems like a pretty vulnerable area: consumers have no idea about security, there are no automatic software updates, and a changed DNS server is something the user is unlikely to notice.

Django: automatically testing admin pages are working

Today, I was working on a simple Django app. I was cranking away on something, then went to the admin panel and… something wasn’t working. I had made a typo and written foriegn rather than foreign in formfield_for_foreignkey.

And I hadn’t noticed. Computers are supposed to notice these things. Test suites and CI servers are supposed to catch my errors.

I realised then that having something that just checks to make sure that the admin panel is working is useful.

Something like this.

You could automate this some more: have it so it probes through your admin panel and clicks links for you. This will do for now though.

One could also go further and have the tests put data in the forms and so on. But this is good enough. It’s likely to blow up if you’ve made a mistake when you are writing the Python code that defines the admin panels.
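The author’s snippet did not survive on this page, so here is an added example of my own (not the original code) of the check described above. It assumes a standard Django project with the admin installed and is written as a Django `TestCase` that a CI server would run with `manage.py test`. It goes a little beyond the post by walking every registered `ModelAdmin` rather than a hand-written list, and it requests the add page as well as the changelist, because a typo in something like `formfield_for_foreignkey` only blows up when a form is rendered, not when the list page loads. The `admin_url_names` helper is pure Python so the URL-name convention can be checked without a Django project around; the `skipUnless` guard is there so the module still imports where Django is absent.

```python
import unittest


def admin_url_names(app_label, model_name):
    """URL names Django's admin registers for a model: its changelist and its add form."""
    prefix = f"admin:{app_label}_{model_name}"
    return [f"{prefix}_changelist", f"{prefix}_add"]


try:
    from django.contrib import admin
    from django.contrib.auth import get_user_model
    from django.test import RequestFactory, TestCase
    from django.urls import reverse
    DJANGO_AVAILABLE = True
except Exception:  # ImportError without Django; ImproperlyConfigured without settings
    from unittest import TestCase
    DJANGO_AVAILABLE = False


@unittest.skipUnless(DJANGO_AVAILABLE, "needs a configured Django project")
class AdminPagesLoadTest(TestCase):
    """Smoke test: every registered admin's changelist and add page render for a superuser."""

    def setUp(self):
        # Constructed credentials for a throwaway superuser in the test database.
        self.user = get_user_model().objects.create_superuser(
            username="smoke-admin",
            email="smoke@example.com",
            password="not-a-real-password",
        )
        self.client.login(username="smoke-admin", password="not-a-real-password")

    def test_every_admin_page_renders(self):
        # admin.site._registry maps each registered model to its ModelAdmin.
        # It is a private attribute, but it is the usual way to enumerate registrations.
        request = RequestFactory().get("/")
        request.user = self.user
        for model, model_admin in admin.site._registry.items():
            opts = model._meta
            changelist_name, add_name = admin_url_names(opts.app_label, opts.model_name)
            with self.subTest(model=opts.label):
                response = self.client.get(reverse(changelist_name))
                self.assertEqual(response.status_code, 200)
                # Skip the add page where the ModelAdmin forbids adding; it would 403 by design.
                if model_admin.has_add_permission(request):
                    response = self.client.get(reverse(add_name))
                    self.assertEqual(response.status_code, 200)
```

Drop this into any app’s `tests.py` and CI will fail the moment a `ModelAdmin` definition raises on render, which is the class of mistake the post describes; it does not exercise form submission, so it will not catch errors in `save_model` or custom validation.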

On BBC Radio, Piers Morgan said that if tens of thousands of Americans were dying of a disease the government would act in a way they aren’t over similar levels of gun deaths.

Interesting comparison: the last time tens of thousands of Americans died from a mystery new disease, the government did sweet fuck all for years and years. AIDS for the memory challenged.

The fact it primarily affected gay people, black people and drug users caused certain sectors of American Christendom to welcome AIDS with glee and schadenfreude, in fact.

I know I shouldn’t expect journalists to have a memory that stretches as far back as the 1980s.

Of flibanserin, pharma and patient groups

BBC Radio 4’s excellent series The Report has a very interesting show this week investigating the controversy around the approval and use of flibanserin (now sold in the United States under the trade name Addyi, and often referred to as the “female viagra”). Flibanserin is used to treat hypoactive sexual desire disorder.

Unlike viagra, which simply stimulates blood flow to help one maintain an erection, flibanserin is supposed to increase a woman’s desire for sex. It originally was developed as an antidepressant and then was put forward as a treatment for hypoactive sexual desire disorder.

As is the way of such things, and as the documentary pointed out, the Diagnostic and Statistical Manual (DSM) has since changed and through the waving of the American Psychiatric Association’s magical wand, hypoactive sexual desire disorder vanished and has been replaced in the fifth edition of the DSM with two new disorders: male hypoactive sexual desire disorder and female sexual interest/arousal disorder.

Before I get into the meat of the post, a quick aside: the asexual community have pointed out rather an interesting thing about hypoactive sexual desire disorder (and its spinoff conditions) is that not feeling sexual desire shouldn’t automatically be pathologised—doing so kind of puts asexuals in the same place gay people were when homosexuality was considered by psychiatrists to be a disorder. Given the long and rather sad history of attempts by the medical profession to pathologise sexual minorities—the legions of gay men zapped, drugged and generally tortured for the crime of loving other men is testament to the extreme folly of that approach—we should hope that the current generation of medics faced with the messy complexity of human sexuality deal with it in a more caring, open and tolerant way than they did in the past.

Anyway, back to The Report. In the programme, Melanie Abbott examines the gender politics around the approval of flibanserin. The producer of the drug, Sprout Pharmaceuticals, were supported in their bid for FDA approval by a campaign called Even the Score, an umbrella campaign supported by a whole host of different organisations including the feminist campaigning group, the National Organization for Women (NOW). The Report points out that both Even the Score and critics of the approval of flibanserin ended up using the rhetoric of equality: Even the Score talks about “women’s sexual health equity”. Before the approval of flibanserin, Even the Score’s website noted that the “FDA has approved 26 drugs marketed for the treatment of male sexual dysfunctions, compared to zero [now one] to address the most common form of female sexual dysfunction”.

A critic of the approval of flibanserin quoted on the programme called Even the Score an “astroturf” campaign funded by Sprout Pharmaceuticals. An astroturf campaign from a pharmaceutical company? Whatever next? Next you might suggest that a pharmaceutical company might manipulate the patent system for profit or that they might drastically ramp up the prices of drugs in order to profiteer off patients who have no choice but to buy their products or die a grisly death? Or, slightly less drastically, that they might engage in manipulation of data, hiding of trial results, selective statistical fiddling and an overly friendly (one might even say incestuous) relationship with regulators. You’d have to be some sort of loon to believe that, obviously.

Anyway, The Report spoke to the CEO of Sprout Pharmaceuticals, Cindy Whitehead, and asked her a pretty simple question which, if answered clearly, would show how not-astroturf-ish Even the Score was:

How much money did Sprout put into Even the Score?

Her answer?

We don’t disclose any of our financial investments to coalition efforts, medical societies, or any of the other groups we work with on education.

Abbott follows up:

Wouldn’t it be fairer for people watching this story for them to know how much?

Good question.

It’s a very interesting perspective that people seem so particularly interested in this—in this patient advocacy movement when I don’t see that same level of interest in advocacy movements for conditions like diabetes or breast cancer.

Well, that’s a fair point. And I mean nobody bangs on endlessly about the transparency and behaviour of, say, breast cancer awareness groups for slightly dodgy relationships with big companies, or for excessive and expensive trademark enforcement against other charities.1

Here Whitehead reveals exactly why transparency is needed throughout the pharmaceutical industry. Perhaps Even the Score is a perfectly legitimate grassroots organisation. There are surely women who suffer from sexual desire problems and there may even be a case that women’s sexual healthcare is treated as an afterthought compared to men’s sexual healthcare. Female sexual and reproductive health is certainly demonised, mythologised and judged a whole lot more often than male sexual health is.

But while the relationship between pharmaceutical companies and patient advocacy groups (and medical societies, and charities) remains both cosy and extremely shady, cynics have every right to look askance at any campaign group whose interests align with that of a pharmaceutical company sponsor. Patient advocacy groups will speak very loudly about NICE not approving drugs but keep eerily silent about the high prices charged by the manufacturers. One must not bite the hand that feeds.

Back in 2013, a leaked email that was originally sent between drug companies showed that they planned to use patient groups as a key part in fighting against campaigns to require them to open up trial data, even though such transparency will allow doctors to better inspect data, spot anomalies, do unplanned group analysis, and better find side effects. This demonstrates the kind of relationship that exists between drug companies and patient advocacy groups. Without clear disclosure of the money given to patient advocacy groups, one must be somewhat skeptical of them.

The Report also mentioned that Cindy Whitehead used to run marketing at Slate Pharmaceuticals while her husband Robert was Slate’s CEO (before Cindy took over as CEO of Sprout, can you guess who was running Sprout?). They were marketing Testopel, a testosterone pellet for men with hypogonadism. They received a massive dressing down from the FDA for their marketing materials, which included suggestions that it could be used as part of treatment for a whole variety of things that the FDA hadn’t been given evidence for, including erectile dysfunction, type II diabetes, HIV, depression and even just as a way to improve sexual and athletic performance. The FDA also stated that Slate’s website for Testopel contained misleading and unsubstantiated claims regarding the cost of the medication, pain and side effects.

If you are looking for more of the tell-tale signs of pharma industry fun and games, have a read of this piece in The Atlantic. It notes how flibanserin’s clinical trial processes have changed over the years, going from asking patients about the desire they felt every day, to asking them about the desire they’ve felt over the last four weeks. A cynical person might suggest that changing your way of measuring outcomes over time when you find out it gives you more promising results isn’t exactly kosher. But, as Cindy Whitehead said, why just pick on flibanserin? Fiddling outcome metrics and jumping between primary outcome measures when they give you pesky inconvenient data is just routine, just as rather uncomfortable funding arrangements with supposed patient advocacy groups are. We shouldn’t necessarily pick on Sprout or flibanserin—the problems of the pharmaceutical industry are systemic and widespread, and the pharmaceutical industry is keen on ensuring reform efforts (like AllTrials) are kept slow and watered down if they can’t be killed off entirely.

Anyway, if you are interested in the interplay between politics, healthcare, sexuality and the pharmaceutical industry, it is well worth listening to this week’s episode of The Report.

  1. In honour of the Komen Foundation, I’ll soon be organising Cynics For The Cure, a charity fun run to cure grumpy bastards like me of our perpetual miserableness.

Pope says government workers should be able to refuse gay marriage licenses. At some point, The Advocate—and other liberal and gay activists—are going to have to eat some humble pie for their completely misplaced Tinkerbell-esque faith in Francis as some kind of radical reformist Pope who is going to suddenly magically make the Catholic Church not hate gay people.

Stop believing the lie that Francis is a radical change on gay rights. He’s not. Please stop being conned.

I’d like to thank the idiot who shouted “look at those faggots” at us for his keen observation skills and his #everydayhomophobia.

Selling Out and the Death of Hacker Culture is an excellent piece on the commercialisation of hack days.

A few years ago, I was at a big commercial hack day and ended up going “fuck it, this isn’t for me anymore”. I haven’t gone to the big corporate ones since and just tried to restrict myself to the non-commercial, public interest and fun hack days instead.

OptiKey is an open source eye tracking assistive keyboard for Windows, meant for people with diseases like motor neurone disease and amyotrophic lateral sclerosis, designed to provide an alternative to commercial software that can be prohibitively expensive.

Open source health software is a really interesting field. Open source medical records software could provide huge savings for hospitals and medical practices, but software that directly benefits patients—and for which support is provided by a peer group of patients—is really going to be pretty revolutionary.