Entries Tagged "medicine"

Page 8 of 9

Chlorine and Cholera in Iraq

Excellent blog post:

So cholera has now reached Baghdad. That’s not much of a surprise given the utter breakdown of infrastructure. But there’s a reason the cholera is picking up speed now. From the NYT:

“We are suffering from a shortage of chlorine, which is sometimes zero,” Dr. Ameer said in an interview on Al Hurra, an American-financed television network in the Middle East. “Chlorine is essential to disinfect the water.”

So why is there is a shortage? Because insurgents have laced a few bombs with chlorine and the U.S. and Iraq have responded by making it darn hard to import the stuff. From the AP:

[A World Health Organization representative in Iraq] also said some 100,000 tons of chlorine were being held up at Iraq’s border with Jordan, apparently because of fears the chemical could be used in explosives. She urged authorities to release it for use in decontaminating water supplies.

I understand why Iraq would put restrictions on dangerous chemicals. And I’m sure nobody intended for the restrictions to be so burdensome that they’d effectively cut off Iraq’s clean water supply. But that’s what looks to have happened. What makes it all the more tragic is that chlorine—for all the hype and worry—is actually a very ineffective booster for bombs. Of the roughly dozen chlorine-laced bombings in Iraq, it appears the chlorine has killed exactly nobody.

In other words, the biggest damage from chlorine bombs—as with so many terrorist attacks—has come from overreaction to it. Fear operates as a “force multiplier” for terrorists, and in this case has helped them cut off Iraq’s clean water. Pretty impressive feat for some bombs that turned out to be close to duds.

I couldn’t have said it better. In this case, the security countermeasure is worse than the threat. Same thing could be said about a lot of the terrorism countermeasures in the U.S.

Another article on the topic.

Posted on September 25, 2007 at 12:23 PMView Comments

Home Users: A Public Health Problem?

To the average home user, security is an intractable problem. Microsoft has made great strides improving the security of their operating system “out of the box,” but there are still a dizzying array of rules, options, and choices that users have to make. How should they configure their anti-virus program? What sort of backup regime should they employ? What are the best settings for their wireless network? And so on and so on and so on.

How is it possible that we in the computer industry have created such a shoddy product? How have we foisted on people a product that is so difficult to use securely, that requires so many add-on products?

It’s even worse than that. We have sold the average computer user a bill of goods. In our race for an ever-increasing market, we have convinced every person that he needs a computer. We have provided application after application—IM, peer-to-peer file sharing, eBay, Facebook—to make computers both useful and enjoyable to the home user. At the same time, we’ve made them so hard to maintain that only a trained sysadmin can do it.

And then we wonder why home users have such problems with their buggy systems, why they can’t seem to do even the simplest administrative tasks, and why their computers aren’t secure. They’re not secure because home users don’t know how to secure them.

At work, I have an entire IT department I can call on if I have a problem. They filter my net connection so that I don’t see spam, and most attacks are blocked before they even get to my computer. They tell me which updates to install on my system and when. And they’re available to help me recover if something untoward does happen to my system. Home users have none of this support. They’re on their own.

This problem isn’t simply going to go away as computers get smarter and users get savvier. The next generation of computers will be vulnerable to all sorts of different attacks, and the next generation of attack tools will fool users in all sorts of different ways. The security arms race isn’t going away any time soon, but it will be fought with ever more complex weapons.

This isn’t simply an academic problem; it’s a public health problem. In the hyper-connected world of the Internet, everyone’s security depends in part on everyone else’s. As long as there are insecure computers out there, hackers will use them to eavesdrop on network traffic, send spam, and attack other computers. We are all more secure if all those home computers attached to the Internet via DSL or cable modems are protected against attack. The only question is: what’s the best way to get there?

I wonder about those who say “educate the users.” Have they tried? Have they ever met an actual user? It’s unrealistic to expect home users to be responsible for their own security. They don’t have the expertise, and they’re not going to learn. And it’s not just user actions we need to worry about; these computers are insecure right out of the box.

The only possible way to solve this problem is to force the ISPs to become IT departments. There’s no reason why they can’t provide home users with the same level of support my IT department provides me with. There’s no reason why they can’t provide “clean pipe” service to the home. Yes, it will cost home users more. Yes, it will require changes in the law to make this mandatory. But what’s the alternative?

In 1991, Walter S. Mossberg debuted his “Personal Technology” column in The Wall Street Journal with the words: “Personal computers are just too hard to use, and it isn’t your fault.” Sixteen years later, the statement is still true­—and doubly true when it comes to computer security.

If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There simply isn’t any other way.

This essay is the first half of a point/counterpoint with Marcus Ranum in the September issue of Information Security. You can read his reply here.

Posted on September 14, 2007 at 2:01 PMView Comments

Perceptions of Risk

Another article about risk perception, and why we worry about the wrong things:

Newsrooms are full of English majors who acknowledge that they are not good at math, but still rush to make confident pronouncements about a global-warming “crisis” and the coming of bird flu.

Bird flu was called the No. 1 threat to the world. But bird flu has killed no one in America, while regular flu—the boring kind—kills tens of thousands. New York City internist Marc Siegel says that after the media hype, his patients didn’t want to hear that.

“I say, ‘You need a flu shot.’ You know the regular flu is killing 36,000 per year. They say, ‘Don’t talk to me about regular flu. What about bird flu?'”

Here’s another example. What do you think is more dangerous, a house with a pool or a house with a gun? When, for “20/20,” I asked some kids, all said the house with the gun is more dangerous. I’m sure their parents would agree. Yet a child is 100 times more likely to die in a swimming pool than in a gun accident.

Parents don’t know that partly because the media hate guns and gun accidents make bigger headlines. Ask yourself which incident would be more likely to be covered on TV.

Media exposure clouds our judgment about real-life odds. Of course, it doesn’t help that viewers are as ignorant about probability as reporters are.

Much of what’s written here I’ve said previously, and it echoes this article from Time Magazine (and also this great op-ed from the Los Angeles Times).

EDITED TO ADD (7/13): A great graphic.

Posted on August 22, 2007 at 1:43 PMView Comments

Avian Flu and Disaster Planning

If an avian flu pandemic broke out tomorrow, would your company be ready for it?

Computerworld published a series of articles on that question last year, prompted by a presentation analyst firm Gartner gave at a conference last November. Among Gartner’s recommendations: “Store 42 gallons of water per data center employee—enough for a six-week quarantine—and don’t forget about food, medical care, cooking facilities, sanitation and electricity.”

And Gartner’s conclusion, over half a year later: Pretty much no organizations are ready.

This doesn’t surprise me at all. It’s not that organizations don’t spend enough effort on disaster planning, although that’s true; it’s that this really isn’t the sort of disaster worth planning for.

Disaster planning is critically important for individuals, families, organizations large and small, and governments. For the individual, it can be as simple as spending a few minutes thinking about how he or she would respond to a disaster. For example, I’ve spent a lot of time thinking about what I would do if I lost the use of my computer, whether by equipment failure, theft or government seizure. As a result, I have a pretty complex backup and encryption system, ensuring that 1) I’d still have access to my data, and 2) no one else would. On the other hand, I haven’t given any serious thought to family disaster planning, although others have.

For an organization, disaster planning can be much more complex. What would it do in the case of fire, flood, earthquake, and so on? How would its business survive? The resultant disaster plan might include backup data centers, temporary staffing contracts, planned degradation of services, and a host of other products and service—and consultants to tell you how to use it all.

And anyone who does this kind of thing knows that planning isn’t enough: Testing your disaster plan is critical. Far too often the backup software fails when it has to do an actual restore, or the diesel-powered emergency generator fails to kick in. That’s also the flaw with the emergency kit suggestions I linked to above; if you don’t know how to use a compass or first-aid kit, having one in your car won’t do you much good.

But testing isn’t just valuable because it reveals practical problems with a plan. It also has enormous ancillary benefits for your organization in terms of communication and team building. There’s nothing like a good crisis to get people to rely on each other. Sometimes I think companies should forget about those team-building exercises that involve climbing trees and building fires, and instead pretend that a flood has taken out the primary data center.

It really doesn’t matter what disaster scenario you’re testing. The real disaster won’t be like the test, regardless of what you do, so just pick one and go. Whether you’re an individual trying to recover from a simulated virus attack, or an organization testing its response to a hypothetical shooter in the building, you’ll learn a lot about yourselves and your organization, as well as your plan.

There is a sweet spot, though, in disaster preparedness. Some disasters are too small or too common to worry about. (“We’re out of paper clips!? Call the Crisis Response Team together. I’ll get the Paper Clip Shortage Readiness Program Directive Manual Plan.”) And others are too large or too rare.

It makes no sense to plan for total annihilation of the continent, whether by nuclear or meteor strike: that’s obvious. But depending on the size of the planner, many other disasters are also too large to plan for. People can stockpile food and water to prepare for a hurricane that knocks out services for a few days, but not for a Katrina-like flood that knocks out services for months. Organizations can prepare for losing a data center due to a flood, fire, or hurricane, but not for a Black-Death-scale epidemic that would wipe out a third of the population. No one can fault bond trading firm Cantor Fitzgerald, which lost two thirds of its employees in the 9/11 attack on the World Trade Center, for not having a plan in place to deal with that possibility.

Another consideration is scope. If your corporate headquarters burns down, it’s actually a bigger problem for you than a citywide disaster that does much more damage. If the whole San Francisco Bay Area were taken out by an earthquake, customers of affected companies would be far more likely to forgive lapses in service, or would go the extra mile to help out. Think of the nationwide response to 9/11; the human “just deal with it” social structures kicked in, and we all muddled through.

In general, you can only reasonably prepare for disasters that leave your world largely intact. If a third of the country’s population dies, it’s a different world. The economy is different, the laws are different—the world is different. You simply can’t plan for it; there’s no way you can know enough about what the new world will look like. Disaster planning only makes sense within the context of existing society.

What all of this means is that any bird flu pandemic will very likely fall outside the corporate disaster-planning sweet spot. We’re just guessing on its infectiousness, of course, but (despite the alarmism from two and three years ago), likely scenarios are either moderate to severe absenteeism because people are staying home for a few weeks—any organization ought to be able to deal with that—or a major disaster of proportions that dwarf the concerns of any organization. There’s not much in between.

Honestly, if you think you’re heading toward a world where you need to stash six weeks’ worth of food and water in your company’s closets, do you really believe that it will be enough to see you through to the other side?

A blogger commented on what I said in one article:

Schneier is using what I would call the nuclear war argument for doing nothing. If there’s a nuclear war nothing will be left anyway, so why waste your time stockpiling food or building fallout shelters? It’s entirely out of your control. It’s someone else’s responsibility. Don’t worry about it.

Almost. Bird flu, pandemics, and disasters in general—whether man-made like 9/11, natural like bird flu, or a combination like Katrina—are definitely things we should worry about. The proper place for bird flu planning is at the government level. (These are also the people who should worry about nuclear and meteor strikes.) But real disasters don’t exactly match our plans, and we are best served by a bunch of generic disaster plans and a smart, flexible organization that can deal with anything.

The key is preparedness. Much more important than planning, preparedness is about setting up social structures so that people fall into doing something sensible when things go wrong. Think of all the wasted effort—and even more wasted desire—to do something after Katrina because there was no way for most people to help. Preparedness is about getting people to react when there’s a crisis. It’s something the military trains its soldiers for.

This advice holds true for organizations, families, and individuals as well. And remember, despite what you read about nuclear accidents, suicide terrorism, genetically engineered viruses and mutant man-eating badgers, you live in the safest society in the history of mankind.

This essay originally appeared in Wired.com.

EDITED TO ADD (8/1): A good rebuttal.

Posted on July 26, 2007 at 7:14 AMView Comments

Bioterrorism Detection Systems and False Alarms

Interesting.

It took several days for New Jersey officials to establish that the alert wasn’t the beginning of a deadly bioterror attack, but had been triggered by someone’s allergic reaction to a smallpox vaccine at a local military facility. This false alert came from the government-funded computer program, Biosense. The complex program, which culls electronic health data from 350 of the nation’s urban hospitals as well as veterans’ hospitals and defense department facilities, comes after a string of costly, and never fully realized computer ventures before it. But three years into its development, with a price tag of around $230 million (on top of millions more spent on unsuccessful systems before it), it is unclear as to exactly what the program can accomplish.

EDITED TO ADD (7/2): The article is in Google’s cache.

Posted on July 2, 2007 at 7:54 AMView Comments

Direct Marketing Meets Wholesale Surveillance

A $100K National Science Foundation grant to Geosemble Technologies, Inc.

SBIR Phase I: Exploiting High-Resolution Imagery, Geospatial Data, and Online Sources to Automatically Identify Direct Marketing Leads

Abstract: This Small Business Innovation Research Phase I project will conduct a feasibility study to demonstrate that by combining currently available high-resolution imagery, geospatial data (e.g., parcel data or structure data), and other related online data sources (e.g., property tax data or census data), it is possible to automatically generate highly targeted direct marketing leads for a variety of markets. The plan is to approach this problem by (1) aligning existing geospatial sources with the high-resolution imagery in order to determine the exact location and determine the address of the parcels seen in the imagery, (2) extracting the relevant features from the imagery to provide appropriate leads, such as determining the presence or absence of a swimming pool, the type of roofing materials used, or what types of cars are parked in the driveway, and (3) bringing in other sources of data, such as property tax assessment data to provide additional context.

The primary focus of the phase I project will be to demonstrate the use of machine learning technology for identifying features in high-resolution imagery that can be used for direct marketing. High-resolution aerial imagery is now being widely collected and is available for low cost or in some cases is even free. The challenges are to first to align parcel data with the high resolution imagery to identify the exact address and boundaries of a property, and second to develop feature extraction techniques that can exploit the contextual information to accurately identify novel features, such as roofs, cars, pools, landscaping, etc., that can be used for direct marketing. The ability to accurately identify features in imagery and then relate them to specific properties as well as related sources of information will allow a targeted direct marketing product to be built. The end users of this product will be companies seeking to market products directly to residential consumers. This includes product and services relating to home improvement, both exterior and interior, as well as those products relating to residents of the home, that can be gleaned from imagery available for the parcel in question. This is a large market and includes everyone from home improvement stores to roofing companies, construction companies, automobile dealers, tree trimmers, landscapers, and pool construction companies. Beyond direct marketing, the technology can also be used for other applications that combine imagery, geospatial data, and structured information. For example, it could used for mosquito abatement, which is important to stop the spread of West Nile Virus, by identifying large pools of stagnant water, associating those hazards with the appropriate address, and then mailing abatement notifications to the residents.

Posted on June 19, 2007 at 3:52 PMView Comments

Childhood Safety vs. Childhood Health

Another example of how we get the risks wrong:

Although statistics show that rates of child abduction and sexual abuse have marched steadily downward since the early 1990s, fear of these crimes is at an all-time high. Even the panic-inducing Megan’s Law Web site says stranger abduction is rare and that 90 percent of child sexual-abuse cases are committed by someone known to the child. Yet we still suffer a crucial disconnect between perception of crime and its statistical reality. A child is almost as likely to be struck by lightning as kidnapped by a stranger, but it’s not fear of lightning strikes that parents cite as the reason for keeping children indoors watching television instead of out on the sidewalk skipping rope.

And when a child is parked on the living room floor, he or she may be safe, but is safety the sole objective of parenting? The ultimate goal is independence, and independence is best fostered by handing it out a little at a time, not by withholding it in a trembling fist that remains clenched until it’s time to move into the dorms.

Meanwhile, as rates of child abduction and abuse move down, rates of Type II diabetes, hypertension and other obesity-related ailments in children move up. That means not all the candy is coming from strangers. Which scenario should provoke more panic: the possibility that your child might become one of the approximately 100 children who are kidnapped by strangers each year, or one of the country’s 58 million overweight adults?

Posted on April 12, 2007 at 6:05 AMView Comments

Consequences of a Nuclear Explosion in an American City

This paper, from February’s International Journal of Health Geographics, (abstract here), analyzes the consequences of a nuclear attack on several American cities and points out that burn unit capacity nationwide is far too small to accommodate the victims. It says just training people to flee crosswind could greatly reduce deaths from fallout.

Results

The effects of 20 kiloton and 550 kiloton nuclear detonations on high priority target cities are presented for New York City, Chicago, Washington D.C. and Atlanta. Thermal, blast and radiation effects are described, and affected populations are calculated using 2000 block level census data. Weapons of 100 Kts and up are primarily incendiary or radiation weapons, able to cause burns and start fires at distances greater than they can significantly damage buildings, and to poison populations through radiation injuries well downwind in the case of surface detonations. With weapons below 100 Kts, blast effects tend to be stronger than primary thermal effects from surface bursts. From the point of view of medical casualty treatment and administrative response, there is an ominous pattern where these fatalities and casualties geographically fall in relation to the location of hospital and administrative facilities. It is demonstrated that a staggering number of the main hospitals, trauma centers, and other medical assets are likely to be in the fatality plume, rendering them essentially inoperable in a crisis.

Conclusion

Among the consequences of this outcome would be the probable loss of command-and-control, mass casualties that will have to be treated in an unorganized response by hospitals on the periphery, as well as other expected chaotic outcomes from inadequate administration in a crisis. Vigorous, creative, and accelerated training and coordination among the federal agencies tasked for WMD response, military resources, academic institutions, and local responders will be critical for large-scale WMD events involving mass casualties.

I’ve long said that emergency response is something we should be spending money on. This kind of analysis is both interesting and helpful.

A commentary.

Posted on April 6, 2007 at 10:24 AMView Comments

Interesting Bioterrorism Drill

Earlier this month there was a bioterrorism drill in Seattle. Postal carriers delivered dummy packages to “nearly thousands” of people (yes, that’s what the article said; my guess is “nearly a thousand”), testing how the postal system could be used to quickly deliver medications. (Here’s a reaction from a recipient.)

Sure, there are lots of scenarios where this kind of delivery system isn’t good enough, but that’s not the point. In general, I think emergency response is one of the few areas where we need to spend more money. And, in general, I think tests and drills like this are good—how else will we know if the systems will work the way we think they will?

Posted on November 27, 2006 at 1:44 PMView Comments

Friday Squid Blogging: Squid Soap

It’s SquidSoap:

SquidSoap works by applying a small ink mark on a person’s hand when they press the pump to dispense the soap. The ink is designed to wash off after the hands are washed for about 15-20 seconds, which is the time recommended by most doctors.

Note the security angle:

Dirty hands are a leading cause of the spread of infection and food-borne illness. Whether it’s due to laziness or lack of education – our failure to wash our hands is costing the U.S. economy billions every year and causing thousands of unnecessary illnesses and deaths.

Never mind about terrorism. It’s dirty hands!

Posted on September 8, 2006 at 3:07 PMView Comments

1 6 7 8 9

Sidebar photo of Bruce Schneier by Joe MacInnis.