Blockchain Snake Oil

Before the FDA came along, shills could go about selling all sorts of crap promising to cure anything from dyspepsia to gangrene. Customers bought in because they had no understanding of human physiology, let alone what went into these products.


Coca-Cola was great at this. Since Coke tastes like shit no matter what, the inventor mixed in a bunch of random ingredients that purported to have medicinal properties: Cassia, sarsaparilla, ginger, phosphate, cocaine… the cutting edge of 19th century medicine.

Then he invested in marketing:

[Image: Coca-Cola "ideal brain tonic" advertisement, 1890s]

The total number of ailments solved by sugary sodas is zero. Well, maybe Coca-Cola solved the problem of childhood consumption, but it might have overshot the solution on that one.

Now blockchains are supposed to revolutionize everything from healthcare to finance to self-driving cars. It’s like a miracle drug for the world’s computing systems. We have banks dumping hundreds of millions of dollars into these things because… what the hell is a blockchain??

Does a blockchain need blocks, meaning Hyperledger is not a blockchain? Does it need Proof-of-Work, meaning Ethereum will soon be not-a-blockchain? When a word doesn’t mean anything, all claims are unfalsifiable!

And that’s how you end up with nonsense like this:

[Image: CMW blockchain session]

See Also:
Maybe Blockchain Really Does Have Magical Powers –Bloomberg

Ransomware, it’s all about Marketing

Sometimes, threats of “Pay money or all your files are gone forever” are not convincing enough. Maybe the victim has everything backed up in the cloud, or maybe there was nothing on the computer but cat photos. To really drive the threat home, ransomware developers have gotten very good at, ah, marketing.

The purpose of any marketing is to represent a product in such a way that the consumer will be compelled to part with their money. One way is to show a fake message from the FBI accusing the victim of viewing child porn.

The lock screen actually downloads and displays the porn, so the accusation is sort of self-fulfilling, in a horrible way.

This one threatens to send a copy of all your Skype conversations to your contact list. (No one has reported that this actually happened. Hackers are unlikely to act upon this threat, because large file uploads increase the risk of getting caught.)

[Image: Jigsaw lock screen]

Continue here (yes sorry I’m making you click through)

EpiPens and Adrenaclicks

If Bernie Sanders had tried to shop around a little, which is a thing that people do in free-market economies, he would see that there is a cheaper generic called Adrenaclick.

Granted, a duopoly between Amedra Pharmaceuticals and Mylan is not the ideal market. But at $142, Adrenaclick is less than a quarter of the price of EpiPen. Why are so many people bitching about Mylan when they can vote with their dollars instead?

One mealy-mouthed excuse is that Adrenaclick is harder to use, and that most people are trained on EpiPens.

Who are these people? I would imagine that the allergy patients who carry auto-injectors on their person at all times (as recommended by Mylan paid spokesperson Sarah Jessica Parker) are trained in whatever they choose to carry.

Even if these patients are depending on a second responder, the instructions are printed ON THE CASE. For both products. Not that it matters, because the steps are practically the same. Just watch the training videos: EpiPen vs Adrenaclick

The videos are very boring and no one’s gonna watch them, so here’s a spoiler: The ONLY discernible difference is that Adrenaclick requires that the user remove two end caps before administration, whereas EpiPen only has one cap. I suppose this could be confusing for a person who can neither read, nor comprehend number labels, nor follow the cartoon drawings on the package. But I don’t know what subset of the population that might be.


A better explanation for why we’re vilifying Mylan is that doctors don’t know a competitor exists. A professor of pediatrics who writes for The NYTimes says of Adrenaclick: “few physicians think of it.”

This sounds like a terrible failing on the part of the medical physicians. Doctors are supposed to be aware of the drugs available to treat their patients. It’s part of their job description. It’s also why state medical boards require medical doctors to fulfill some minimum number of hours of continuing medical education (CME) every year. In California, the minimum requirement is 50 hours of education every two years.

The purpose of CME is to make sure physicians have up-to-date knowledge of medical developments. CME requirements can be met through activities like coursework, manuscript review, or by attending conferences SUCH AS THIS ONE SPONSORED BY MYLAN, in which participants listen to educational things like this presentation about patients forgetting how to use their EpiPens.

The conferences might be educational in nature, but they also involve lavish dinners and parties. If I were a doctor (which I most definitely am not, therefore nothing here is medical advice), I, too, might conveniently forget about EpiPen’s cheaper competitor after a sponsored trip to Orlando.

The health care industry is full of unofficial kickbacks and sort-of conflicts-of-interest. Sometimes there’s nothing a patient can do about it, but this is not one of those times. GoodRx is a site for comparing prescription drug costs, and Adrenaclick is the first result that appears in a search for generic epinephrine. GoodRx is a great resource that everyone should use. And I don’t get a kickback for saying that.

See Also:
This Post Brought To You By Your Insurance Provider

Stop calling Bitcoin hacks, “Bitcoin hacks”

Occupy Mt. Gox

They’re exchange hacks, they’re wallet hacks, they’re service-provider hacks. It just so happens that bitcoin was stolen. To call these breaches “Bitcoin hacks” is like calling the SWIFT hack a “US dollar hack.” Obviously the USD did not get hacked; only the central bank does that.

Bitfinex was an unregistered Bitcoin exchange with over $150M in custody. Rumor has it they’re based in Hong Kong, owned by a parent company in the British Virgin Islands, with a management team spread all around the world. The only listed contact information is an email address and a Twitter handle.

What did you think would happen?? Go ahead, drop your life savings into a southeast-Asian bank you found on the internet and see how well that works out for you.

Securing tiny electronic files from leaking – keys – pushes the bounds of known computer science. –Jeff Garzik, Co-Founder of Bloq

The fact that Jeff Garzik has trouble keeping his keys in his pants is not a fundamental flaw of Bitcoin, or even of known computer science. The frequency and magnitude of Bitcoin losses reflect the fact that users are giving full custody of their funds to irresponsible third parties.

Bitcoin’s underlying technology is fine; the problem is that people do dumb things on top of that underlying technology. Of the fifty largest Bitcoin-related thefts, only one can be definitively attributed to the protocol*. Everything else was caused by a higher-level breach, most commonly an unauthorized server access. You know, the same thing that happened at JP Morgan Chase in 2014.

Preventing data leakage isn’t a matter of pushing the bounds of computer science, it’s a matter of responsible access control. This is a problem faced by every industry in every part of the world. A Bitcoin service provider is a financial institution, and should be held to the same level of scrutiny one might employ when selecting a financial institution.

Bitcoin rarely gets hacked. Bitcoin only fails when we expect digital bucket shops to provide the bulletproof security of a private Fort Knox.

*In 2013, an inadvertent Bitcoin hard fork temporarily enabled users to double-spend their money. Only one such attack was conducted, and the attacker later returned the money. This is the only “Bitcoin hack” on a Bitcoin service provider (that I know of).

See Also:
The Wretched, Endless Cycle of Bitcoin Hacks –Bloomberg

LinkedIn vs the Bots


LinkedIn’s business model is to charge money for information that users give them for free.

To advertise the availability of such information, they rely on Google for search indexing. Google’s web crawlers only index what they see, so LinkedIn’s servers disable login checks when a page request appears to come from Google.

Digital publications do this too. NY Times, Wall St Journal, Economist. Paywalls come down when Google crawlers arrive. The sites even disable ads to give Googlebot faster page downloads.

If you optimize your site experience for search engine bots, don’t be surprised when your website attracts a lot of bots.

Last week, LinkedIn filed a lawsuit against a hundred anonymous bots. Apparently people were renting cloud computing services from Google, and then running bots to collect LinkedIn user profiles. Because the bots made requests from Google’s servers, LinkedIn mistook them for Google’s web crawler [1]:

Don’t you hate it when you leave the backdoor open for a trusted third party, only to have unwelcome guests invite themselves inside?
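Google's documented way to tell its real crawler apart from something that merely runs on Google's infrastructure is a reverse DNS lookup on the client address, a check that the resulting name ends in googlebot.com or google.com, and a forward lookup to confirm that name resolves back to the same address. The Python below is an added example, not code from this post or from LinkedIn, that puts the shortcut described above (trust the User-Agent, or trust any address Google owns) next to that proper check. The DNS table, the address ranges, and the function names are constructed for the demo; the resolver is injected so it runs offline.

```python
import ipaddress
import socket

# Constructed DNS table for an offline demo (not real records).
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",       # genuine crawler host
    "35.190.1.2": "2.1.190.35.bc.googleusercontent.com",    # a rented cloud VM
    "203.0.113.9": "crawl.googlebot.com.attacker.example",  # look-alike PTR name
    "198.51.100.7": "crawl-66-249-66-1.googlebot.com",      # forged PTR on own IP
}
FAKE_A = {
    "crawl-66-249-66-1.googlebot.com": "66.249.66.1",
    "2.1.190.35.bc.googleusercontent.com": "35.190.1.2",
    "crawl.googlebot.com.attacker.example": "203.0.113.9",
}

# Constructed ranges standing in for "addresses Google owns" (demo only;
# a real deployment would load Google's published lists).
GOOGLE_RANGES = [
    ipaddress.ip_network("66.249.64.0/19"),
    ipaddress.ip_network("35.190.0.0/17"),
]


def fake_ptr(ip):
    # KeyError plays the role of a failed reverse lookup.
    return FAKE_PTR[ip]


def fake_addrs(host):
    return {FAKE_A[host]}


def real_ptr(ip):
    return socket.gethostbyaddr(ip)[0]


def real_addrs(host):
    # All A/AAAA records for the name, since a host may have several.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def weak_is_googlebot(ip, user_agent):
    """The shortcut the post describes: believe the User-Agent header,
    or wave through any address that belongs to Google. Both are
    satisfied by a scraper on a rented Google Cloud VM."""
    if "Googlebot" in user_agent:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GOOGLE_RANGES)


def verify_googlebot(ip, resolve_ptr=real_ptr, resolve_addrs=real_addrs):
    """Reverse-then-forward DNS check, the method Google documents."""
    try:
        host = resolve_ptr(ip)
    except (OSError, KeyError):
        return False                      # no PTR record: not the crawler
    name = host.rstrip(".").lower()
    # Suffix check with the leading dot, so "googlebot.com.attacker.example"
    # does not pass.
    if not (name.endswith(".googlebot.com") or name.endswith(".google.com")):
        return False
    try:
        # Forward lookup must map the name back to the connecting address;
        # anyone controls the PTR for their own IP, but not Google's zone.
        return ip in resolve_addrs(name)
    except (OSError, KeyError):
        return False


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for ip in FAKE_PTR:
        print(ip, "weak:", weak_is_googlebot(ip, ua),
              "verified:", verify_googlebot(ip, fake_ptr, fake_addrs))
```

Run as-is it uses the constructed table; pass no resolver arguments to `verify_googlebot` and it performs the real lookups. The point of the forward step is the `198.51.100.7` row: a PTR record claiming to be a googlebot.com host is cheap to publish for an address you control, but the forward record for that name lives in Google's zone and will not point at your machine.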


This isn’t the first time LinkedIn tried to stop profile-pulling bots. They filed a similar lawsuit two years ago, against bots running on Amazon’s cloud. The result was that LinkedIn identified a single defendant and settled the case for $40,000, an amount that doesn’t even begin to cover the “hundreds of hours of employee time” that LinkedIn spent investigating the bot activity [2].

The lawsuits are a losing battle. Anyone can run a bot to pull LinkedIn data. A GitHub search for “LinkedIn scraper” returns sixty open-source tools advertising this exact functionality. Each repository has dozens of contributors and followers, and I bet the closed-source tools do even better.

This is what happens when you make exceptions for a “whitelisted partner”. On the internet, any loophole inevitably turns into open access. Remember that time LinkedIn suffered a data leak, and 117 million users had their passwords and personal information stolen and sold on the black market?

So, LinkedIn, how does unauthorized access feel now?

See Also:
1. LinkedIn Corporation vs. Does, 1 through 100 inclusive, No. 5:16-cv-4463 (US District Court, Aug. 8, 2016)
2. LinkedIn Corporation v. Robocog Inc, No. C14-00068, (US District Court, Mar. 27, 2014)
