Who am I? I am one of many people in the computer security world who have great sympathy for the Palestinian people. We agree with you that the Palestinian people deserve to live in peace. We let our politicians know what we think. We use social media to spread news and awareness of the injustices suffered by the Palestinian people at the hands of Western governments and their allies in the region.
As computer security professionals, we also work hard to protect the privacy and cybersecurity of hundreds of millions of individuals around the world. Some of those people are Palestinians. For example, I work at ESET, a company which protects the computers and smartphones of many millions of people in more than 180 different countries. I'm guessing some of them are Palestinian sympathizers.
Recently, some of you have been busy redirecting website traffic AWAY from sites that many people, including some Palestinian sympathizers, rely on for help in protecting their privacy and their data, and TO a page that calls for Palestinian rights. I have to say, I don't think this strategy is helping you, or the Palestinian cause; it hurts law-abiding human beings who use computers and smartphones to make an honest living, to connect with their families, and in some cases, to campaign for peace and justice.
[Note: When I say sympathy with the plight of the Palestinian people, or sympathy with the Palestinian cause, I mean that I think the people of Palestine have been, and are being, treated inhumanely, and that they deserve a secure homeland in which they are free to enjoy the rights and liberties that Americans take for granted. I do not mean that violence against civilians in pursuit of political aspirations is justified: it is not, ever, no matter what side you are on. Yet complacency and apathy in the face of inhumanity and injustice are equally objectionable.]
So, what is my professional advice? Use your computer skills to advance the cause in ways that don't impact innocent digital bystanders. Let me give you an example. This website you are reading right now is hosted on a web server that was hacked a few months ago in the name of freedom for Palestinians. The same web server hosts information about a potentially fatal genetic condition that doctors often fail to diagnose. That website helps a lot of people but it went down because someone thought hacking it would help the Palestinian cause. Did it help? I don't see any evidence that it did. Several kind and generous people had to give up their time to fix the website. Some innocent people in need of helpful information could not get to that information for days.
Did the hack provide any benefit to anyone? Not really. Security experts already know that websites can be hacked, and it is well known that the DNS servers which direct traffic to websites can be messed with. But the more protection that is applied to protect sites and infrastructure, the more expensive and cumbersome the Internet becomes. And I'm guessing you use the Internet for more things than hacking. How about use of the Internet to organize humanitarian aid for Palestine? How about use of the Internet to raise awareness of, and sympathy for, the Palestinian cause? Why not apply your skills and energy to those efforts? Help the people who are trying, or may be persuaded to try, to help you.
No quest for peace and freedom can prosper without a critical mass of support that comes from many quarters. Annoying people who might otherwise be persuaded to support you just seems counter-productive.
Respectfully...Stephen Cobb, CISSP
A photo snapped in August: Layla Cobb, 2004-2013
This is just a short note to all who knew and loved our Layla.
Earlier this week she ended her journey here in San Diego,
peacefully and with loving hands upon her.
Layla was not only a joy to us and those who met her, she was an enormous comfort to us through some very tough times. She steadfastly refused to leave Chey's side whenever Chey was feeling ill, and faithfully presented me with a retrieved object whenever I came through the front door.
Only recently did we discover that Layla had stoically endured many years of arthritis so severe that the vets, when they got the X-rays, said they were amazed that she was able to walk at all. But Layla has always soldiered on stoically, despite everything, from Florida to New York, and then the long journey out to San Diego. Living out here, Dog Beach became her favorite place. When she stopped wanting to go onto the beach we both knew that we would not have her much longer.
So here's to you Princess Layla, Super Trooper, Snow Dog,
indefatigable source of comfort and joy.
Layla's first snow, New York, 2007
Do I really have to go back inside dad?
Hello world, my first portrait, 2004
That's right, recent studies suggest that as many as 10% of people with high blood pressure could be cured by adrenal surgery. In the U.S. alone, where the number of people with high blood pressure is estimated to be 71 million, there could be over 7 million candidates for this procedure. And that's the funny thing about primary aldosteronism: you may be happy to find you've got it. Why? Because treating primary aldosteronism can lower the risk of heart attack and stroke. It can also mean lower blood pressure, or even an end to blood pressure medication.
A Gland Called Adrenal
When either or both of your adrenal glands pump out too much aldosterone your body:
- a. retains sodium (we all know too much sodium is not good for blood pressure), and
- b. leaches out too much potassium (while excess potassium can be deadly, too little can also have fatal consequences, like a stroke or heart failure due to atrial fibrillation).
If you have primary aldosteronism you are likely to experience one or more of the health problems that I list down below.
If your doctor successfully treats your primary aldosteronism, then you may enjoy lower blood pressure with fewer or no medications, plus return to a regular heartbeat, and freedom from muscle cramps. You could well feel more energetic, given the reversal of your hypokalemia (low potassium).
Farewell My Left Adrenal
Thanks to some good old-fashioned medical work by my primary care physician (Dr. Adam Pacal) and gifted nephrologist (Dr. Jadwiga Alexiewicz) it was determined that I was a classic case of primary aldosteronism in which a growth on one adrenal gland is responsible for the over-production of aldosterone.
The culprit was my left adrenal and this was confirmed by some fancy testing, reinforced by my body's positive reaction to a drug called spironolactone, an "aldosterone receptor antagonist that causes the kidneys to eliminate unneeded water and sodium from the body into the urine, but reduces the loss of potassium from the body." (NIH)
Because the spironolactone was effective at lowering my blood pressure by several points, it seemed likely that removing the cause of the excess aldosterone would be beneficial. Surgery was scheduled.
Nine days after the surgery I can sense numerous positive changes in my body. For a start, I have not experienced any muscle cramps since the operation, despite not taking any potassium supplements.
Second, I feel either more relaxed or less stressed. (I'm not sure which term best describes my state of mind, and that state of mind might just be a temporary state, but so far I am enjoying it.)
My blood pressure seems to be better controlled, with fewer medications, although it is early days yet. Whether I can be weaned off HBP meds altogether remains to be seen. I am pretty sure that the trauma and lingering pain of the surgery elevates BP readings for days afterwards. I will report back at 15 and 30 days.
What Was Going On?
In the years prior to my operation I was dealing with all of these symptoms of chronic lack of potassium, despite a potassium-rich diet and supplements:
- Palpitations, which are sensations of a racing, uncomfortable, irregular heartbeat or a flopping in your chest (that's language from the Mayo Clinic)
- Atrial fibrillation
- Weakness and fatigue
- Leg and foot cramps
In addition, I suffered from excess sodium despite watching my salt intake. That meant high blood pressure which would sometimes spike and make me feel quite ill if I ate a particularly salty meal (something that is frankly hard to avoid when you travel a lot on business -- some restaurants simply lie about their use of salt, a phenomenon that includes some very fancy eateries). Throughout these years, my heartbeat was funky and my medication regimen included five pills a day.
And guess what? For years I had been attributing most of my physical ills to an inverse trifecta of advancing age, plus the stress of the financial crash -- in which we lost our home and our life savings, plus my wife's illness and disability. Only when I was back on my feet and settled into a job that I really enjoyed did it occur to me to dig deeper into why I was continuing to have these symptoms. Now, despite the lingering pain of abdominal surgery, I am very glad that I did dig.
Now I need to write up my surgical experience to help folks who discover that they need one of their adrenals removed. A recent study suggests that five percent of high blood pressure cases could be like mine, curable through surgery. The operation is no walk in the park, but in my case it is proving to have been a positive step forward.
The geek thinks: "Robot! Cool. What OS does it use? Is it on the network? Has anyone hacked this type of robot yet?"
I am that geek and I will get to those questions in a moment, but here's a question you need to be thinking about: Is it okay for a machine to slice into people and perform surgery, such as removing organs they no longer need? I'm thinking about this for several reasons, including my upcoming adrenalectomy and my job as a security researcher at ESET. But why do you need to think about this? Because robotic surgery is no longer science fiction: nearly half a million surgical procedures were performed robotically in North America in 2012.
So, there's a good chance that, if you need any one of a number of types of surgery in America today, your healthcare provider will want to use a robot. Are you okay with that? Clearly, most people will want to ask themselves: Does the surgeon's use of a robot increase or decrease the risks to me, the patient? In this post and others that I am planning to write, I hope to shed light on this question.
Note that I am not a doctor, nor am I a medical researcher, but I have some experience with risks related to digital technology. I work for a company that works to improve the safety of digital technology. A surgical robot is digital technology. Here's a simplified diagram of a robotic surgery setup:
The surgeon guides the robot tools from a 3D imaging console using hand and foot controls communicating over wires to the device. Note that the surgeon's console can be some distance from the patient (in telesurgery it could be miles away).
Slicing and dicing with da Vinci
If your healthcare provider does want to deploy a robot as part of your surgery there are a couple of data points we know already. First, the procedure is likely to take a bit longer. Second, the procedure will cost more. Third, the robot they will use is most likely to be the da Vinci Robotic Surgical System. The da Vinci is made by Intuitive Surgical, a company that went public 13 years ago at $9 a share [ISRG]. This was the same year the FDA approved the system for general laparoscopic surgery. Intuitive has since traded as high as $585.67, which might lead you to think that things are going well in robo-surgery land.
Unfortunately, and I mean this sincerely as a fan of technology and a believer in the potential of robotics to improve our world, some things have not gone well. For example, according to one law firm:
there are now more than 4,500 complaints about the da Vinci surgical robot in the FDA’s MAUDE (“Manufacturer and User Facility Device Experience”) Database—50 or so of them involving the death of the patient—and 30 lawsuits against the manufacturer, Intuitive Surgical, Inc.
You don't have to take a lawyer's word for this because MAUDE is on the Internet, and you can look up reports yourself (I count 500 reports involving Intuitive Surgical so far this year). Bear in mind that reporting medical device problems to MAUDE is not mandatory, so there is no way to tell the actual number of problems with the da Vinci system.
Then came a bunch of studies examining the cost and efficacy of these million dollar marvels (yes, a da Vinci robot can cost over $1.5 million). Together with the lawsuits and media scrutiny, these have depressed share prices for ISRG, which is now trading around $430 with some analysts predicting values of $300 within the year.
Somewhat ironically, given my initial security geek reaction to the idea of a robot slicing into my flesh--fear of hacking--none of the problems with this particular technology cited so far have anything to do with malware, coding errors, comms failures, or hacking. The greatest risk factor right now, in my opinion? The impact of market forces on safety.
Sales pressure and medical devices
Intuitive is under tremendous pressure from shareholders to sell more robots and get more robotic surgeries performed. This leads to marketing tactics that oversell benefits and downplay risks. For example, Johns Hopkins research shows hospital websites making excessive use of industry-provided content to sell robotic surgery and overstate claims of robotic success. A CNBC investigation quoted Suraj Kalia, a Northland Capital analyst, in a recent report on the company:
Our extensive field checks highlighted a story where aggressive marketing drives the message and true clinical utility seems secondary in nature.
There is a lot of pressure on Intuitive to market the heck out of their product because a lot of doctors are now expressing doubts about the value of robotic surgery. Consider the blistering Statement on Robotic Surgery by James T. Breeden, MD, president of ACOG, the American College of Obstetricians and Gynecologists (with 56,000 members, ACOG is the nation’s leading group of physicians providing health care for women). Here's the short version: "there is no good data proving that robotic hysterectomy is even as good as—let alone better—than existing, and far less costly, minimally invasive alternatives."
Here are some of the figures that ACOG quotes:
At a price of more than $1.7 million per robot, $125,000 in annual maintenance costs, and up to $2,000 per surgery for the cost of single-use instruments, robotic surgery is the most expensive approach. A recent Journal of the American Medical Association study found that the percentage of hysterectomies performed robotically has jumped from less than 0.5% to nearly 10% over the past three years. A study of over 264,000 hysterectomy patients in 441 hospitals also found that robotics added an average of $2,000 per procedure without any demonstrable benefit...an estimated $960 million to $1.9 billion will be added to the health care system if robotic surgery is used for all hysterectomies each year.
Between the medical questions and the growing number of lawsuits, Intuitive is under pressure, the kind of pressure that should, I believe, influence the way you interpret what people say about robotic surgery. Is the hospital pushing it on you? Is the hospital pushing it on the surgeon? Is the hospital skimping on robotic training, given the manufacturer's claim that surgeons are ready after two or three operations? Is the motive to achieve the best healthcare for you or is the motive a need to pay back the huge investment in hardware and supplies and maintenance contracts? Are doctors and hospital administrators being plied with luxury vacations and other perks to encourage them to use the robot more often in a wider range of procedures, including yours?
Those questions are currently more pressing than the need to analyze the da Vinci system's coding and connectivity. So far, I have found no indications that the system has been hacked and it does not appear to be connected to any networks. But that may change as the pressure to perform remote robotic surgery grows, powered by the perception that this can expand healthcare delivery at lower costs than training more surgeons. Already we see FDA approval for passive telemedicine robots. The term telesurgery has been coined and tests of procedures performed over the Internet are under way.
What's next for robotic risks?
In my next post I will break down the technical risk factors in more detail. These include analog issues, like build quality (here is a self-reported problem with da Vinci hardware that can cause burns), and also logical issues, like the security of device programming.
I leave you now with a link to the AJOG report "The commercialization of robotic surgery: unsubstantiated marketing of gynecologic surgery by hospitals," and a link to a report that really rips into Intuitive. The author quotes a lot of sources that appear to check out. After reading it you are likely to question whether or not robotic surgery is right for you. As of now, I am going to ask my surgeon to take a more hands on approach.
This post is about my potential diagnosis of Conn syndrome and how that could lead to a healthier, more energetic life. If you have high blood pressure, dodgy heartbeat, nasty leg cramps, muscle weakness and chronic fatigue, pay attention: Conn's might be what's ailing you, and it can be cured. (This is of particular interest to anyone who has been told they have "essential hypertension", which means the doctors have essentially no idea why your BP is high.)
The fact that Stephen Cobb may have Conn syndrome is not a typo: Conn's is a medical condition first described by University of Michigan endocrinologist Jerome W. Conn in 1955. I did not have Conn's back then, but I'm pretty sure I have it now, and have had it since at least 2004. A recent CT scan revealed a growth on my left adrenal gland (we start life with two, one on each kidney). This type of growth, usually benign, is called an adenoma. Tests indicate that mine is producing the hormone aldosterone, too much of which is not a good thing, as I will explain in a moment.
Basically, Conn syndrome is an aldosterone-producing adenoma, and my hat is off to Dr. Conn for discovering this condition without the aid of things like CT scans. I got my doctor to order a CT scan looking for one of these adenomas because I had this quartet of symptoms:
- High blood pressure, poorly controlled despite multiple BP meds
- Low potassium, despite years of taking big potassium horse pills every day
- Atrial fibrillation (as a result of the low potassium or hypokalemia)
- Fatigue (more than just feeling tired)
Dig into these search results and you learn that aldosteronism, also called hyperaldosteronism, exists when too much aldosterone is produced by the adrenal glands, which can lead to lowered levels of potassium in the blood, also known as hypokalemia. An adrenal adenoma is one of a number of things that can cause primary aldosteronism. I have one on my left adrenal.
So what's the good news? If you confirm that just one of your two adrenal glands is responsible for the aldosteronism it can be surgically removed, giving your body a chance to return to normal, which appears to happen in over 50 percent of cases.
Cure of hypertension occurs in 50%–80% of patients after adrenalectomy for an aldosterone-producing adenoma, and most of the remaining cases show improvement (1–3,21,22). (Radiographics)
That can mean no more blood pressure pills, no more potassium pills, an end to excruciating leg cramps, a return to a regular heartbeat, more energy, even loss of excess weight, partly through being more active but also, possibly, through reduction of cortisol production (but that topic is too complex for this humble blog post).
The role of AVS
After confirming that my body was producing too much aldosterone through blood and urine tests, my primary care doctor referred me to a nephrologist who ordered Adrenal Vein Sampling (AVS) to confirm that the adenoma was the cause of this and not a general adrenal malfunction involving both glands. (You don't want an adrenal gland removed if that is not going to stop the excess aldosterone production.)
The AVS procedure is tricky, requiring interventional radiology (not invasive radiology, a term I used in error when talking to several people about this). A tube is inserted into a major vein (femoral vein in my case) and threaded to the adrenals where a series of blood samples are taken. The doctor doing this is guided by a live X-ray view of your veins using a contrast. Not only are the veins thin, but the support staff have to get things just right with the labeling of samples and so on. In other words, you want an experienced team doing this if at all possible, otherwise you don't get a result and have to go through it again.
Speaking of "going through it", you will need to set aside a day off work for AVS, followed by a day of taking it easy. That's because a. you will be given a strong anesthetic and b. you don't want the vein to pop open due to sudden movements. I went in early for mine (5:30AM) and expected to be back at work in the afternoon. Nope. Could not drive and was clearly still feeling the effects of the wonderful "twilight zone" drugs they use to sedate you (you don't go all the way under, just into a very nice place, and not at all like Twilight Zone the TV series).
I read one blogger's account of AVS before I went for mine and it was very helpful, although not exactly reassuring. Partly this was due to my (now cured) ignorance of the word "catheter" which I used to think meant only those tubes they stick into the most sensitive organs, but no, it just means any tube, in this case the one that went into my femoral vein in this procedure. To be honest, I never felt a thing.
I also read about getting shaved, but that was only a small patch of groin north of the family jewels. The prep work was mainly the shave, some blood draws, an IV for the contrast, and paperwork. The actual procedure only took about an hour and then I was required to rest horizontally for two hours to let the vein heal up. The good news is that you can eat right away (blessings on the nurse who brought me a turkey sandwich). You will likely feel hungry because you have to fast, starting at midnight the night before (no food or liquids, although you may be able to take your BP meds--ask your doctor--I didn't take mine and so BP read very high on admission, but not too high to prevent it going ahead).
How common is primary aldosteronism? I think anyone with essential hypertension should get the basic urine and blood tests for this condition to rule it out. Although my cardiologist confessed to knowing very little about it, and both my primary care physician and the nephrologist said they have not seen it very often, there is this:
There is an increasing requirement for adrenal vein sampling, which is driven by the appreciation that primary aldosteronism is far more common than previously recognized (1–3). Many centers throughout the world are reporting a prevalence of between 5% and 10% in unselected hypertensive patients (4–8).
So, check it out...and stay tuned. If I am a candidate for adrenalectomy I will describe the operation and my results for the benefit of anyone else who is going down this road.
I also wanted to extend a broad apology to those friends and family with whom my communications in recent years have been less than stellar. I have been beating myself up for some time over this, but recent medical adventures have led me to see things differently:
- I have been feeling seriously fatigued for several years now, leaving me with little energy at the end of the workday/week to reach out and communicate.
- I assumed that this lack of energy was due to the demands of a stressful life (dealing with Chey's disabilities, the aftermath of the 2008 financial disaster, the demands of a new job--on which I've been working many evenings and weekends, the stresses of moving 3,000 miles to a new city, and so on).
- I also thought to myself: "this must be what getting old is like"
- In fact, it appears that I have been suffering the effects of something called primary aldosteronism due to an adrenal adenoma, of which there will be more blogging later.
The good news is that primary aldosteronism--talk about a disease that needs a catchier name--can be treated and, in some cases, cured. That could mean I get back to 100%! Staying in touch will no longer be such a challenge.
I got the diagnosis in April, however it has taken me a fair amount of time to put the implications into perspective. At first I was hung up on the fact that this should have been diagnosed years ago. Right now I am focusing on the positive, the fact that it was finally diagnosed, and I have good access to some good doctors who can treat it.
Yesterday I took a big step toward treatment by undergoing AVS, which will determine if one of my two adrenal glands is responsible for pumping out excessive amounts of the hormone called aldosterone. Thanks to a CT scan I already know that there is a lump, called an adenoma, on one of those glands. That lump could be the culprit. Oddly enough, that condition, an aldosterone producing lump on an adrenal gland, is called Conn syndrome.
I plan to write up more of what I have learned about primary aldosteronism. Readers and Googlers may benefit from this because, from what I can tell, this is an under-diagnosed condition. For now, please accept my apologies for sub-par performance in the friend and correspondent department. I hope to be able to do better.
I leave you with a list of primary aldosteronism symptoms that I have been experiencing, some for many years:
- High blood pressure not well controlled despite multiple medications
- Chronic low potassium or hypokalemia
- Abnormal heart rhythm and atrial fibrillation (my heart sounds like my dog's)
- Sodium retention, increasing blood pressure, causing swollen ankles, legs
- Muscle cramps and muscle weakness
- Decreased cardiac output associated with elevated renin levels
If I am lucky, my AVS results will indicate that an adrenalectomy can eliminate these symptoms. Stay tuned!
In the very earliest days of the Internet I made a conscious decision to live at least part of my online life like an "ordinary" person, that is, someone who is not well-versed in the risks of being online or the strategies for mitigating those risks. And sure enough, living like that can lead to problems.
You don't need to attend a cybercrime conference in Argentina to know that there are a lot of bad guys out there, armed with an extensive array of easy-to-use attack tools with which to perpetrate whatever online mayhem makes them the most money. But I did attend such a conference, a very fine conference put on last week by the APWG (Anti-Phishing Working Group) and sponsored, I am proud to say, by my current employer, ESET (the Latin American office of ESET, but ESET all the same).
One of the many valuable things I learned at the conference (full title: Computer eCrime operations Summit VII) was that my own impression of a rising tide of nastiness preying on Linux webservers was in line with the data that is being collected by groups like APWG. Indeed, from my hotel room in Argentina I published a timely blog post by my Canadian colleague, Pierre-Marc Bureau, on new Apache backdoor malware (the image of a back door at the top of the post was actually taken from a photo I snapped from the window in my hotel room).
From malware like that, to the mass compromise of webservers that is behind the ongoing Brobot attacks on American banks, the focus of malicious attention on Linux boxes, many of them running WordPress, many of them rented from hosting providers, is now clear. In fact, reporting of the latest APWG survey, released at the CeCOS event, leads with this finding:
A new phishing survey by the Anti-Phishing Working Group (APWG) reveals that phishers are breaking into hosting providers with unprecedented success, using these facilities to launch mass phishing attacks.
Now, as for this blog right here, it does not get a lot of traffic. Let's face it, I don't keep the content very fresh. But that didn't stop some criminal scumbag somewhere from breaking into the computer that serves up this content. No files were erased and no personal data was stolen (because there is no private data on that box). But a collection of malicious .php scripts were installed in the directory of an unused WordPress theme on an even more neglected domain. These scripts enabled the criminal hacker who put them there to use the box to launch DDoS attacks on other systems.
Ironically, up to that point the attack was not noticed by the system administrator (me) nor the hosting provider who owns the server and rents it to me. But when the DDoS capability was activated, the hosting provider was alerted, possibly by the victim of the DDoS attack, and I was informed that the server had been taken offline. That's where the fun--no sorry, the opposite of fun--began for me, but I will write that up another time. For now, here are some lessons learned:
- If you have a rented webserver somewhere--like a virtual private server, hosting slice, or web hosting account--that you have not touched or upgraded in a while, you might want to check on it now.
- If you are a hosting provider, ask yourself if you could be doing more to help your customers avoid getting hacked like this. I know my provider could have done a lot more than they did.
- Do you know the current backup status of your rented webserver? Are daily backups being made? Do they include the entire server? Does that mean the databases powering your WordPress blog[s] are backed up?
- If you use WordPress on your own/rented server, have you set the WordPress Database Backup plugin to email a database backup to you on a regular basis? (This saved my bacon when my machine had to be wiped out to remove malware and any potential backdoors.)
- Avoid storing any personal information--such as customer data--on your rented server. More than 45 states now have data breach notification laws which might apply to you if your server is hacked and it did have confidential personal data on it.
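One way to "check on it now" for the kind of compromise described above, as an added example that is not part of the original post: the following Python script walks a WordPress `wp-content/themes` directory and reports PHP files in unused themes that appeared after the theme was installed or that contain obfuscation-style calls. The theme names, sample files, the use of `style.css` as the install-time baseline, and the operator-supplied list of active themes are all assumptions of this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Calls often seen in obfuscated PHP. A hit is a reason to read the file, not proof.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13|fsockopen)\s*\(")


def audit_inactive_themes(wp_root, active_themes, grace_seconds=86400):
    """Report PHP files in themes that are installed but not in active_themes.

    Assumption of this example: style.css carries the theme's install/update
    time, so a .php file modified more than grace_seconds later arrived
    separately from the theme itself.
    """
    findings = []
    themes_dir = Path(wp_root) / "wp-content" / "themes"
    for theme in sorted(p for p in themes_dir.iterdir() if p.is_dir()):
        if theme.name in active_themes:
            continue  # active themes change legitimately; review them separately
        style = theme / "style.css"
        baseline = style.stat().st_mtime if style.is_file() else None
        for php in sorted(f for f in theme.rglob("*.php") if f.is_file()):
            reasons = []
            if baseline is None:
                reasons.append("no style.css baseline")
            elif php.stat().st_mtime - baseline > grace_seconds:
                reasons.append("modified after theme install")
            if SUSPICIOUS.search(php.read_bytes()):
                reasons.append("obfuscation-style call")
            if reasons:
                findings.append({
                    "file": php.relative_to(themes_dir).as_posix(),
                    "reasons": reasons,
                })
    return findings


def build_sample_tree(root):
    """Create a constructed WordPress layout: one active theme, one neglected."""
    installed = 1_350_000_000            # constructed install time (Oct 2012)
    planted = installed + 30 * 86400     # a file that shows up a month later
    files = {
        "twentytwelve/style.css": (b"/* Theme Name: Twenty Twelve */", installed),
        "twentytwelve/index.php": (b"<?php get_header(); ?>", planted),
        "oldtheme/style.css": (b"/* Theme Name: Old Theme */", installed),
        "oldtheme/index.php": (b"<?php get_header(); ?>", installed),
        "oldtheme/functions.php": (b"<?php add_theme_support('menus'); ?>", installed),
        # Harmless stand-in for a planted script; it only decodes the word "hello".
        "oldtheme/cache.php": (b"<?php $x = base64_decode('aGVsbG8='); ?>", planted),
    }
    for rel, (content, mtime) in files.items():
        path = Path(root) / "wp-content" / "themes" / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.utime(path, (mtime, mtime))


def run_demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_inactive_themes(root, active_themes={"twentytwelve"})


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["file"], "->", ", ".join(finding["reasons"]))
```

File modification times can be reset by whoever planted the file, so an empty report does not prove the server is clean. Comparing each theme against a known-good copy, or deleting themes that are not in use, closes that gap.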
Speaking of private data and privacy, I have just revived my "Privacy Think" blog, partly to coincide with Privacy Awareness Week. In my latest post I highlighted the availability of my privacy book, the first few chapters of which are still a decent primer on privacy for business, despite being about ten years old (and are still free to download).