Adrenalectomy, from pain to promising signs of progress

This is a short note to record the successful execution of a laproscopic adrenalectomy by Dr. Allan Gamagami at Sharp Memorial Hospital on August 16, namely my left adrenalectomy. I talked about the need for this procedure in Cobb's Got Conn's, but not because I enjoy talking about myself. Okay, I do enjoy talking about myself, but the point of my writing about Conn's and primary aldosteronism is to help the many millions of people who might have this condition.

That's right, recent studies suggest that as many as 10% of people with high blood pressure could be cured by adrenal surgery. In the U.S. alone, where the number of people with high blood pressure is estimated to be 71 million, there could be over 7 million candidates for this procedure. And that's the funny thing about primary aldosteronism: you may be happy to find you've got it. Why? Because treating primary aldosteronism can lower the risk of heart attack and stroke. It can also mean lower blood pressure, or even an end to blood pressure medication.

A Gland Called Adrenal

When either or both of your adrenal glands pump out too much aldosterone your body:

• retains sodium (we all know too much sodium is not good for blood pressure), and
• leaches out too much potassium (while excess potassium can be deadly, too little can also have fatal consequences, like a stroke or heart failure due to atrial fibrillation). 

If you have primary aldosteronism you are likely to experience one of more of the health problems that I list down below.

If your doctor successfully treats your primary aldosteronism, then you may enjoy lower blood pressure with fewer or no medications, plus return to a regular heartbeat, and freedom from muscle cramps. You could well feel more energetic, given the reversal of your hypokalemia (low potassium).

Farewell My Left Adrenal

Thanks to some good old-fashioned medical work by my primary care physician (Dr. Adam Pacal) and gifted nephrologist (Dr. Jadwiga Alexiewicz) it was determined that I was a classic case of primary aldosteronism in which a growth on one adrenal gland is responsible for the over-production of aldosterone.

The culprit was my left adrenal and this was confirmed by some fancy testing, reinforced by my body's positive reaction to a drug called spironolactone, an "aldosterone receptor antagonist that causes the kidneys to eliminate unneeded water and sodium from the body into the urine, but reduces the loss of potassium from the body." (NIH)

Because the spironolactone was effective at lowering my blood pressure by several points, it seemed likely that removing the cause of the excess aldosterone would be beneficial. Surgery was scheduled.

Nine days after the surgery I can sense numerous positive changes in my body. For a start, I have not experienced any muscle cramps since the operation, despite not taking any potassium supplements.

Second, I feel either more relaxed or less stressed. (I'm not sure which term best describes my state of mind, and that state of mind might just be a temporary state, but so far I am enjoying it.)

My blood pressure seems to be better controlled, with fewer medications, although it is early days yet. Whether I can be weaned off HBP meds altogether remains to be seen. I am pretty sure that the trauma and lingering pain of the surgery elevates BP readings for days afterwards. I will report back at 15 and 30 days.

What Was Going On?

In the years prior to my operation I was dealing with all of these symptoms of chronic lack of potassium, despite a potassium-rich diet and supplements:

• Palpitations, which are sensations of a racing, uncomfortable, irregular heartbeat or a flopping in your chest (that's language from the Mayo Clinic)
• Atrial fibrillation
• Weakness and fatigue
• Leg and foot cramps

In addition, I suffered from excess sodium despite watching my salt intake. That meant high blood pressure which would sometimes spike and make me feel quite ill if I ate a particularly salty meal (something that is frankly hard to avoid when you travel a lot on business -- some restaurants simply lie about their use of salt, a phenomenon that includes some very fancy eateries). Throughout these years, my heartbeat was funky and my medication regimen included five pills a day.

And guess what? For years I had been attributing most of physical ills to an inverse trifecta of advancing age, plus the stress of the financial crash -- in which we lost our home and our life savings, plus my wife's illness and disability. Only when I was back on my feet and settled into a job that I really enjoyed did it occur to me to dig deeper into why I was continuing to have these symptoms. Now, despite the lingering pain of abdominal surgery, I am very glad that I did dig.

Now I need to write up my surgical experience to help folks who discover that they need one of their adrenals removed. A recent study suggests that five percent of high blood pressure cases could be like mine, curable through surgery. The operation is no walk in the park, but in my case it is proving to have been a positive step forward.

Robot or not? Robotic surgery and risk, part one

A security geek goes to see a surgeon about having an operation. The surgeon says, "We may use the robot."

The geek thinks: "Robot! Cool. What OS does it use? Is it on the network? Has anyone hacked this type of robot yet?"

I am that geek and I will get to those questions in a moment, but here's a question you need to be thinking about: Is it okay for a machine to slice into people and perform surgery, such as removing organs they no longer need? I'm thinking about this for several reasons, including my upcoming adrenalectomy and my job as a security researcher at ESET. But why do you need to think about this? Because robotic surgery is no longer science fiction: nearly half a million surgical procedures were performed robotically in North America in 2012.

So, there's a good chance that, if you need any one of a number of types of surgery in America today, your healthcare provider will want to use a robot. Are you okay with that? Clearly, most people will want to ask themselves:  Does the surgeon's use of a robot increase or decrease the risks to me, the patient? In this post and others that I am planning to write, I hope to shed light on this question.

Note that I am not a doctor, nor am I a medical researcher, but I have some experience with risks related to digital technology. I work for a company that works to improve the safety of digital technology. A surgical robot is digital technology. Here's a simplified diagram of a robotic surgery setup:

The surgeon guides the robot tools from a 3D imaging console using hand and foot controls communicating over wires to the device. Note that the surgeon's console can be some distance from the patient (in telesurgery it could be miles away).

Slicing and dicing with da Vinci

If your healthcare provider does want to deploy a robot as part of your surgery there are a couple of data points we know already. First, the procedure is likely to take a bit longer. Second, the procedure will cost more. Third, the robot they will use is most likely to be the da Vinci Robotic Surgical System. The da Vinci is made by Intuitive Surgical, a company that went public 13 years ago at $9 a share [ISRG]. This was the same year the FDA approved the system for general laparoscopic surgery. Intuitive has since traded as high as $585.67, which might lead you to think that things are going well in robo-surgery land.

Unfortunately, and I mean this sincerely as a fan of technology and a believer in the potential of robotics to improve our world, some things have not gone well. For example, according to one law firm:

there are now more than 4,500 complaints about the da Vinci surgical robot in the FDA’s MAUDE (“Manufacturer and User Facility Device Experience”) Database—50 or so of them involving the death of the patient—and 30 lawsuits against the manufacturer, Intuitive Surgical, Inc.

You don't have to take a lawyer's word for this because MAUDE is on the Internet. and you can look up reports yourself (I count 500 reports involving Intuitive surgical so far this year). Bear in mind that reporting medical device problems to MAUDE is not mandatory, so there is no way to tell the actual number of problems with the da Vinci system.

Then came a bunch of studies examining the cost and efficacy of these million dollar marvels (yes, a da Vinci robot can cost over $1.5 million). Together with the lawsuits and media scrutiny, these have depressed share prices for ISRG, which is now trading around $430 with some analysts predicting values of $300 within the year.

Somewhat ironically, given my initial security geek reaction to the idea of a robot slicing into my flesh--fear of hacking--none of the problems with this particular technology cited so far have anything to do with malware, coding errors, comms failures, or hacking. The greatest risk factor right now, in my opinion? The impact of market forces on safety.

Sales pressure and medical devices

Intuitive is under tremendous pressure from shareholders to sell more robots and get more robotic surgeries performed. This leads to marketing tactics that oversell benefits and downplay risks. For example, Johns Hopkins research shows hospital websites making excessive use of industry-provided content to sell robotic surgery and overstate claims of robotic success. A CNBC investigation quoted Suraj Kalia, a Northland Capital analyst, in a recent report on the company:

Our extensive field checks highlighted a story where aggressive marketing drives the message and true clinical utility seems secondary in nature.

There is a lot of pressure on Intuitive to market the heck out of their product because a lot of doctors are now expressing doubts about the value of robotic surgery. Consider the blistering Statement on Robotic Surgery by James T. Breeden, MD, president of ACOG, the American College of Obstetricians and Gynecologists (with 56,000 members, ACOG is the nation’s leading group of physicians providing health care for women). Here's the short version: "there is no good data proving that robotic hysterectomy is even as good as—let alone better—than existing, and far less costly, minimally invasive alternatives."

Here are some of the figures that ACOG quotes:

At a price of more than $1.7 million per robot, $125,000 in annual maintenance costs, and up to $2,000 per surgery for the cost of single-use instruments, robotic surgery is the most expensive approach. A recent Journal of the American Medical Association study found that the percentage of hysterectomies performed robotically has jumped from less than 0.5% to nearly 10% over the past three years. A study of over 264,000 hysterectomy patients in 441 hospitals also found that robotics added an average of $2,000 per procedure without any demonstrable benefit...an estimated $960 million to $1.9 billion will be added to the health care system if robotic surgery is used for all hysterectomies each year.

Between the medical questions and the growing number of lawsuits, Intuitive is under pressure, the kind of pressure that should, I believe, influence the way you interpret what people say about robotic surgery. Is the hospital pushing it on you? Is the hospital pushing it on the surgeon? Is the hospital skimping on robotic training, given the manufacturer's claim that surgeons are ready after two or three operations? Is the motive to achieve the best healthcare for you or is the motive a need to pay back the huge investment in hardware and supplies and maintenance contracts? Are doctors and hospital administrators being plied with luxury vacations and other perks to encourage them to use the robot more often in a wider range of procedures, including yours?

Those questions are currently more pressing than the need to analyze the da Vinci system's coding and connectivity. So far, I have found no indications that the system has been hacked and it does not appear to be connected to any networks. But that may change as the pressure to perform remote robotic surgery grows, powered by the perception that this can expand healthcare delivery at lower costs than training more surgeons. Already we see FDA approval for passive telemedicine robots. The term telesurgery has been coined and tests of procedures performed over the Internet are under way.

What's next for robotic risks?

In my next post I will break down the technical risk factors in more detail. These include analog issues, like build quality (here is a self-reported problem with da Vinci hardware that can cause burns), and also logical issues, like the security of device programming.

I leave you now with a link to the AJOG report "The commercialization of robotic surgery: unsubstantiated marketing of gynecologic surgery by hospitals," and a link to a report that really rips into Intuitive. The author quotes a lot of sources that appear to check out. After reading it you are likely to question whether or not robotic surgery is right for you. As of now, I am going to ask my surgeon to take a more hands on approach.

Wheels on fire: the curiously British need for speed

For a small island that is increasingly crowded with people, Britain displays a strangely persistent fascination with traveling fast, as reflected in several recent news stories about speed records and vehicular races.

Last month, a British built vehicle set a new world land speed record for electric cars. And while nobody dislikes the idea of aristocracy more than me, I must admit to being impressed by the BBC report that: "Lord Drayson, who was behind the wheel, said the achievement was designed to highlight electronic vehicle technology's potential." I'm assuming this is Lord Drayson, sitting on the amazing vehicle (and I'm hoping he doesn't mind me displaying this picture--which is particularly interesting to me since it shows one of the sponsors was Qualcomm, based in my adopted home town of San Diego).

Lord Drayson is CEO of Drayson Racing Technologies, developer of the amazing Lola B12 69/EV which hit a top speed of 204.2mph (328.6km/h). Drayson is based in Oxfordshire, England. The vehicle was built using a lot of parts from Lola, a leading supplier of chassis for prototype racing, such as you see driven in the Le Mans 24 Hours race. Lola is based in Cambridgeshire, England. Drayson's car handily beat the previous record of 175mph set by Battery Box General Electric in 1974.

Building fast cars has long been a passion in England, from the early records set by Rolls Royce powered cars in the 1920s to the Formula One cars of today. Regardless of their official country affiliation, most of the F1 teams are based in England, where the lion's share of the engine and chassis development occurs. This graphic from NBC coverage of Formula One makes this quite clear.

All of which seems a bit odd for such a small and crowded place. In Britain, the phrase "Land's End to John O'Groats" is synonymous with "one end of the country to the other," and this is about 600 miles as the crow files. The journey by road is 837 miles according to Google, which estimates you can cover it at an average of 60 mph. Compare that with my drive in 2011, from Upstate New York to Southern California, when my Jeep clocked 3,000 miles. Google reckons you can average that one at 67.35 mph.

Brits also like speed in the air and on rails and on water. Back when trains were pulled by steam locomotives, the highest speed attained was 126mph, attained in July of 1938, by an engine called Mallard, seen here:

This month there will be a big celebration of the 75th anniversary of that achievement and six examples of this type of locomotive, designated A4, will be reunited at a museum in York. This inspired the Daily Mail to produce a great graphic explaining how to drive a steam locomotive. Nowadays you might not associate Britain with high speed train travel, given that the French hold the world record for rail, hitting 357mph using electric power delivered by overhead lines. But it is worth noting that British Rail Class 43 holds the Guinness record for the fastest self-contained locomotive (diesel powered).


As I have written elsewhere, Britain currently holds the world land speed record at 763mph and is looking to push that past 1,000mph. (But props to America for setting and holding the wheel-driven and combustion-engined records.)

Why do the Brits have this need to make machines go faster, I don't know. But it makes for exciting times, whether it is a Formula One race or a record attempt.

Stephen Cobb's got Conn's Syndrome? Probably, but I go through Adrenal Vein Sampling(AVS) to be sure

[Updated 6/11/13: It's official, I do have Conn syndrome. The nephrologist just called to say my AVS test results were, direct quote: "Stunning!"]

This post is about my potential diagnosis of Conn syndrome and how that could lead to a healthier, more energetic life. If you have high blood pressure, dodgy heartbeat, nasty leg cramps, muscle weakness and chronic fatigue, pay attention: Conn's might be what's ailing you, and it can be cured. (This is of particular interest to anyone who has been told they have "essential hypertension", which means the doctors have essentially no idea why your BP is high.)

That fact that Stephen Cobb may have Conn syndrome is not a typo, Conn's is a medical condition first described by University of Michigan endocrinologist Jerome W. Conn in 1955. I did not have Conn's back then, but I'm pretty sure I have it now, and have had it since at least 2004. A recent CT scan revealed a growth on my left adrenal gland (we start life with two, one on each kidney). This type of growth, usually benign, is called an adenoma. Tests indicate that mine is producing the hormone aldosterone, too much of which not a good thing, as I will explain in moment.

Basically, Conn syndrome is an aldosterone-producing adenoma, and my hat is off to Dr. Conn for discovering this condition without the aid of things like CT scans. I got my doctor to order a CT scan looking for one of these adenomas because I had this quartet of symptoms:

• High blood pressure, poorly controlled despite multiple BP meds
• Low potassium, despite years of taking big potassium horse pills every day
• Atrial fibrillation (as a result of the low potassium or hypokalemia)
• Fatigue (more than just feeling tired)

If you plug these into Google you will likely see "aldosteronism" in the top results (I did this with "high blood pressure low potassium hormone" and "high blood pressure low potassium fatigue" but without the quotation marks).

Dig into these search results and you learn that aldosteronism, also called hyperaldosteronism, exists when too much aldosterone is produced by the adrenal glands, which can lead to lowered levels of potassium in the blood, also known as hypokalemia. An adrenal adenoma is one of a number of things that can cause primary aldosteronism. I have one on my left adrenal.

So what's the good news? If you confirm that just one of your two adrenal glands is responsible for the aldosteronism it can be surgically removed, giving your body a chance to return to normal, which appears to happen in over 50 percent of cases.

Cure of hypertension occurs in 50%–80% of patients after adrenalectomy for an aldosterone-producing adenoma, and most of the remaining cases show improvement (1–3,21,22). (Radiographics)

That can mean no more blood pressure pills, no more potassium pills, an end to excruciating leg cramps, a return to a regular heartbeat, more energy, even loss of excess weight, partly through being more active but also, possibly, through reduction of cortisol production (but that topic is too complex for this humble blog post).

The role of AVS

After confirming that my body was producing too much aldosterone through blood and urine tests, my primary care doctor referred me to a nephrologist who ordered Adrenal Vein Sampling (AVS) to confirm that the adenoma was the cause of this and not a general adrenal malfunction involving both glands. (You don't want an adrenal glad removed if that is not going to stop the excess aldosterone production.)

The AVS procedure is tricky, requiring interventional radiology (not invasive radiology, a term I used in error when talking to several people about this). A tube is inserted into a major vein (femoral vein in my case) and threaded to the adrenals where a series of blood samples are taken. The doctor doing this is guided by a live X-ray view of your veins using a contrast. Not only are the veins thin, but the support staff have to get things just right with the labeling of samples and so on. In other words, you want an experienced team doing this if at all possible, otherwise you don't get a result and have to go through it again.

Speaking of "going through it", you will need to set aside a day off work for AVS, followed by a day of taking it easy. That's because a. you will be given a strong anesthetic and b. you don't want the vein to pop open due to sudden movements. I went in early for mine (5:30AM) and expected to be back at work in the afternoon. Nope. Could not drive and was clearly still feeling the effects of the wonderful "twilight zone" drugs they use to sedate you (you don't go all the way under, just into a very nice place, and not at all like Twilight Zone the TV series).

I read one blogger's account of AVS before I went for mine and it was very helpful, although not exactly reassuring. Partly this was due to my (now cured) ignorance of the word "catheter" which I used to think meant only those tubes they stick into the most sensitive organs, but no, it just means any tube, in this case the one that went into my femoral vein in this procedure. To be honest, I never felt a thing.

I also read about getting shaved, but that was only a small patch of groin north of the family jewels. The prep work was mainly the shave, some blood draws, an IV for the contrast, and paperwork. The actual procedure only took about an hour and then I was required to rest horizontally for two hours to let the vein heal up. The good news is that you can eat right away (blessings on the nurse who brought me a turkey sandwich). You will likely feel hungry because you have to fast, starting at midnight the night before (no food or liquids, although you may be able to take your BP meds--ask your doctor--I didn't take mine and so BP read very high on admission, but not too high to prevent it going ahead).

How common is primary aldosteronism? A lot more common than most doctors realize. I think anyone with essential hypertension should get the basic urine and blood tests for this condition to rule it out. Although my cardiologist confessed to knowing very little about it, and both my primary care physician and the nephrologist said they have not seen it very often, consider this statement in 2009, from the The Journal of Clinical Endocrinology & Metabolism:

There is an increasing requirement for adrenal vein sampling, which is driven by the appreciation that primary aldosteronism is far more common than previously recognized (1–3). Many centers throughout the world are reporting a prevalence of between 5% and 10% in unselected hypertensive patients (4–8). 

So, check it out...and stay tuned. If I am a candidate for adrenalectomy I will describe the operation and my results for the benefit of anyone else who is going down this road.

 

Sorry I've been out of touch (my adrenal adenoma is to blame)

Just a quick post to let folks know that I came through my recent medical procedure unscathed (apart from a small hole below the belt line that is healing nicely). For the sake of other folks out there who may need to undergo adrenal venous sampling I am writing up the procedure, the reason for it, and the possible long term prognosis, which is very good.

I also wanted to extend a broad apology to those friends and family with whom my communications in recent years have been less than stellar. I have been beating myself up for some time over this, but recent medical adventures have led me to see things differently:

• I have been feeling seriously fatigued for several years now, leaving me with little energy at the end of the workday/week to reach out and communicate.
• I assumed that this lack of energy was due to the demands of a stressful life (dealing with Chey's disabilities, the aftermath of the 2008 financial disaster, the demands of a new job--on which I've been working many evenings and weekends, the stresses of moving 3,000 miles to a new city, and so on).
• I also thought to myself: "this must be what getting old is like"
• In fact, it appears that I have been suffering the effects of something called primary aldosteronism due to an adrenal adenoma, of which there will be more blogging later.

The good news is that primary aldosteronism--talk about a disease that needs a catchier name--can be treated and, in some cases, cured. That could mean I get back to 100%! Staying in touch will no longer be such a challenge.

I got the diagnosis in April, however it has taken me a fair amount of time to put the implications into perspective. At first I was hung up on the fact that this should have been diagnosed years ago. Right now I am focusing on the positive, the fact that it was finally diagnosed, and I have good access to some good doctors who can treat it.

Yesterday I took a big step toward treatment by undergoing AVS, which will determine if one of my two adrenal glands is responsible for pumping out excessive amounts of the hormone called aldosterone. Thanks to a CT scan I already know that there is a lump, called an adenoma, on one of those glands. That lump could be the culprit. Oddly enough, that condition, an aldosterone  producing lump on an adrenal gland, is called Conn syndrome.

I plan to write up more of what I have learned about primary aldosteronism. Readers and Googlers may benefit from this because, from what I can tell, this is an under-diagnosed condition. For now, please accept my apologies for sub-par performance in the friend and correspondent department. I hope to be able to do better.

I leave you with a list of primary aldosteronism symptoms that I have been experiencing, some for many years:

• High blood pressure not well controlled despite multiple medications
• Chronic low potassium or hypokalemia
• Abnormal heart rhythm and atrial fibrillation (my heart sounds like my dog's)
• Sodium retention, increasing blood pressure, causing swollen ankles, legs
• Muscle cramps and muscle weakness
• Decreased cardiac output associated with elevated renin levels

If I am lucky, my AVS results will indicate than an adrenalectomy can eliminate these symptoms. Stay tuned!

Cobb's blog is back, after dealing with WordPress and Linux server hacks

If you have missed this blog lately, that's because it was offline for several weeks while I rebuilt it after a nasty case of criminal hacking forced it off the 'net. What's that you say? You're shocked that a server belonging to security expert Stephen Cobb got hacked. Well, I'm not. Not surprised that is...because I don't spend all of my time being a security expert.

In the very earliest days of the Internet I made a conscious decision to live at least part of my online life like an "ordinary" person, that is, someone who is not well-versed in the risks of being online or the strategies for mitigating those risks. And sure enough, living like that can lead to problems.

You don't need to attend a cybercrime conference in Argentina to know that there are a lot of bad guys out there, armed with an extensive array of easy-to-use attack tools with which to perpetrate whatever online mayhem makes them the most money. But I did attend such a conference, a very fine conference put on last week by the APWG (Anti-Phishing Working Group) and sponsored, I am proud to say, by my current employer, ESET (the Latin American office of ESET, but ESET all the some).

One of the many valuable things I learned at the conference (full title: Computer eCrime operations Summit VII) was that my own impression of a rising tide of nastiness preying on Linux webservers was in line with the data that is being collected by groups like APWG. Indeed, from my hotel room in Argentina I published a timely blog post by my Canadian colleague, Pierre-Marc Bureau, on new Apache backdoor malware (the image of a back door at the top of the post was actually taken from a photo I snapped from the window in my hotel room).

From malware like that, to the mass compromise of webservers that is behind the ongoing Brobot attacks on American banks, the focus of malicious attention on Linux boxes, many of them running WordPress, many of them rented from hosting providers, is now clear. In fact, reporting of the latest APWG survey, released at the CeCOS event, leads with this finding:

A new phishing survey by the Anti-Phishing Working Group (APWG) reveals that phishers are breaking into hosting providers with unprecedented success, using these facilities to launch mass phishing attacks.

Now, as for this blog right here, it does not get a lot of traffic. Let's face it, I don't keep the content very fresh. But that didn't stop some criminal scumbag somewhere from breaking into the computer that serves up this content. No files were erased and no personal data was stolen (because there is no private data on that box). But a collection of malicious .php scripts were installed in the directory of an unused WordPress theme on an even more neglected domain. These scripts enabled the criminal hacker who put them there to use the box to launch DDoS attacks on other systems.

Ironically, up to that point the attack was not noticed by the system administrator (me) nor the hosting provider who owns the server and rents it to me. But when the DDoS capability was activated, the hosting provided was alerted, possibly by the victim of the DDoS attack, and I was informed that the server had been taken offline. That's where the fun--no sorry, the opposite of fun--began for me, but I will write that up another time. For now, here are some lessons learned:

• If you have a rented webserver somewhere--like a virtual private server, hosting slice, or web hosting account--that you have not touched or upgraded in a while, you might want check on it now.


• If you are a hosting provider, ask yourself if you could be doing more to help your customers avoid getting hacked like this. I know my provider could have done a lost more than they did.


• Do you know the current backup status of your rented webserver? Are daily backups being made? Do they include the entire servers? Does that mean the databases powering your WordPress blog[s] are backed up?


• If you use WordPress on your own/rented server, have you set the WordPress Database Backup plugin to email a database bakcup to you on a regular basis? (This saved my bacon when my machine had to be wiped out to remove malware and any potential backdoors.)


• Avoid storing any personal information--such as customer data--on your rented server.  More than 45 states now have data breach notification laws which might apply to you if your server is hacked and it did have confidential personal data on it.

Speaking of private data and privacy, I have just revived my "Privacy Think" blog, partly to coincide with Privacy Awareness Week. In my latest post I highlighted the availability of my privacy book, the first few chapters of which are still a decent primer on privacy for business, despite being about ten years old (and are still free to download).

So Long 2012: Year of multiple infosec anniversaries

30 years ago this month, December 1982, I sat down at my first personal computer, a KayPro II, and started learning word processing, spreadsheets, databases, and something called an operating system (in this case CP/M). I got my first book contract 5 years later, in other words, 25 years ago this year. Within 5 years I had written a dozen books on word processing, spreadsheets, and database management. In 1992, my first book on computer security came out, so 2012 is the 20th anniversary of that event.

Mine was not the first book on computer security, but I think it was the first book to address personal computer security in a comprehensive manner, from physical security to power supply, anti-theft to antivirus, risk assessment to contingency planning. Previous computer security books had been written for previous generations of computers, mainframes and minis. I looked at things from a desktop and portable computer perspective and provided a blueprint of what the "layered defense" of a personal computer system might look like.

[caption id="" align="alignright" width="380" caption="Company photo of KayPro II (from the delightful "Obsolete Technology Website" at www.oldcomputers.net)"][/caption]

BTW, my first computer, that KayPro II, was a "portable" computer. (Yes, it weighed 26 pounds, but the keyboard could be fastened across the 9 inch screen and the unit could be carried using a built in handle.) The KayPro II enjoyed an anniversary this year as well: it was introduced in 1982. Fun fact: There was no KayPro 1. The name KayPro II was used to one-up its main rival, the Osborne 1.

Another fun fact is that the KayPro was built in San Diego, which is where I live these days. The original manufacturer was a company called Non-Linear Systems, founded by Alan Kay, who also founded the Rotary club of Del Mar in San Diego County. And to return to the theme of anniversaries, the company that brought me to San Diego, ESET, had two anniversaries of its own this year. The founders of ESET created their first antivirus technology 25 years ago and the company was founded 20 years ago.

To round out this roundup of 2012 anniversaries, the twentieth DEF CON was held this past summer. The now legendary hacker conference/convention first happened in 1993 and was called, logically enough: DEF CON I. My first DEF CON was DEF CON III in 1995. I was invited to speak and had a great time doing so. It was a pleasure to return in 2012 and see so many friends, despite the huge crowds.

Finally, 2012 marks 10 years since I published my book on privacy: Privacy for Business, a modest attempt to provide businesses with a primer on digital privacy issues. While some of the information in the later chapters is a bit dated, the principles covered in the early chapters still apply and you are free to download a PDF of the book. Again, I was not the first person to write a book on privacy in the digital age, but I think it is fair to say that I was one of the first people in computer security to signal the huge impact that privacy concerns would have on the evolution of security. I certainly enjoyed the time I spent in the early days of HIPAA and GLB and such, educating privacy people about security and security people about privacy.

I have also enjoyed the symmetry and happy coincidence of so many anniversaries this year but it is now time to say goodbye to 2012, a year of milestones remembered, and look forward to what the next 10, 20, 25 and 30 year markers may bring.

Boxing Day: The play time holiday (that comes with a touch of giving)

I was born and raised in England, where the day after Christmas Day is Boxing Day. It is a national holiday and also my favorite day of the year. 

When I went to live in America in the 1970s I was disappointed to find that Boxing Day was not a holiday and, shockingly, employers expected you to work that day.

Back then, many Americans were unfamiliar with Boxing Day, just as a lot of people in England were unfamiliar with Thanksgiving Day. In recent decades there has been a growing transatlantic awareness of the basic facts of these two days, as provided in Wikipedia (see Boxing Day and Thanksgiving Day). However, the facts cannot be expected to evoke the feelings that come from living those days, year after year.

Over the years, when Americans asked me about Boxing Day, they got my version, which I tended to universalize as "this is how Boxing Day is in England." I now realize I was giving them "what I liked about the Boxing Days that I enjoyed in England in the 1950s through the early 1970s."

So, this Boxing Day, I wanted to give a sense of how it was for me as a boy, without pretending to know if this is what it was like for other children, or what it is like in England today. I will start with the meaning of the term, as I understood it: Boxing Day comes from the tradition of rich people boxing up the Christmas leftovers and taking them to the poor people on the day after Christmas. 

I should note that not everyone agrees that this is origin of the term "boxing" as applied to this day. However, the archetype of this "boxing" behavior is represented in the series of British stamps on the right. 

The story they illustrate is that of "Good King Wenceslas," immortalized in the Christmas carol of the same name. The first line of that carol is "Good King Wenceslas looked out on the feast of Stephen." (For the tune and the rest of the verse, see below.)

The feast day of Saint Stephen is December 26, a.k.a. Boxing Day, the day on which the Saint Wenceslas miracle occurred. This involved the high-born Wenceslas and his page taking alms to the poor, in the snow. (It is a story that I have previously referenced for the strange reason noted here.)

To understand my love of Boxing Bay you need to know what my Christmas Day was like back in the 1950s and 60s. It began with going downstairs on Christmas morning to find gifts under the Christmas tree (after the age of nine it began with me trying to stop my younger brother getting up before dawn to go downstairs). 

After unwrapping our gifts and waking our parents--not always in that order--there would be an abbreviated period of playing with new toys, cut short by the need to tidy up the house for Christmas dinner and get ourselves ready for church.

After the Christmas morning service at church, where we would see an assortment of friends and family—and talk about the presents we had received that morning—we would embark on a series of house visits taking Christmas presents to relatives. This always included at least one great aunt and my dad's parents. (My mum's mum lived with us and usually stayed at home on Christmas morning to ease the Christmas dinner through the final stages of preparation.) 

After these visits, which involved a lot of good manners and sitting properly, we eventually got home to the Christmas dinner. After that, it was time to watch the Christmas programming on television. (These were often shows created for that particular Christmas, going out live; in other words: watch it now or never see it, ever, no repeats.) 

And that's about where Christmas Day ended. In our house children went to bed many hours before grownups. But we didn't mind because we had been blessed with new toys. We had done our duty to family. We had been entertained. 

On the other hand, Christmas day seldom provided a whole lot of time to play. So then came Boxing Day! No shops open, no need for dad to go to work. Plenty of time to play, inside with our toys, but also outside if weather permitted. If there was snow then it was time for tobogganing. If there was no snow, there might be a friendly game of rugby or football (soccer). 

Of course, there were Christmas leftovers to fuel the day, and, for most families, an opportunity to relax and enjoy the spirit of the season. At least, that's how I remember it. And that's how I have tried to keep Boxing Day, despite the fact that it was not a 'standard' holiday in America, where I have lived for big chunks of my adult life.

I don't go to the stores on Boxing Day. I don't work, if I can possibly avoid it. I just spend the day relaxing, maybe communicating with friends. There is no set agenda for Boxing day. You make it up as you go along, it's a Do-It-Yourself holiday (and not a bad day to try one of the DIY projects you've been looking forward to). This year I had a lingering cold and sore throat on Boxing Day and so I spent most of the day reading fiction and writing non-fiction, including this blog post.

As you may have noticed, my celebration of Boxing Day does not follow in the footsteps of Wenceslas. I didn't take any alms to the poor. However, this year I did make time on this day to re-invest some of my micro-loan funds at Kiva. I also took some time to acknowledge my great good fortune in being able to spend this day the way I wanted to. 

So there it is, I'm not looking to start a Boxing Day movement or fight the rampant commercialism of Boxing Day, depressing as that can be. I'm just saying Boxing Day is my favorite day of the year, and now you have some idea why.

Good King Wenceslas: the Carol 

1,000 MPH on Land? The SSC Bloodhound takes aim

At the end of the English street where I was born sat the Alvis factory, turning out automotive works of art in a part of the world--The Midlands--that still harbors some of best engineering talent in the world. I've been a car nut and land speed record junkie since I was a boy, no doubt encouraged by learning that one of the legendary record holders was John Cobb (exact connection to family tree not known).

John Cobb was the first person to take a ground vehicle over 400 mph, back in 1947, and arguably held the land speed record longer than anyone (1939 to 1964). Cobb's Railton Special, with its twin W12 Napier aircraft engines, was the height of internal combustion-powered, wheel-driven technology. After Craig Breedlove put a turbojet in Spirit of America around 1963, the focus of land speed records shifted to jet propulsion. That is what took Andy Green and ThrustSSC through the sound barrier in 1997. Where do you go after breaking the sound barrier? How about 1,000 mph, the target speed of the BloodhoundSSC shown in this amazing computer visualization.

The power system for BloodhoundSSC is complex to say the least, incorporating a Cosworth V8 gasoline engine, a jet engine, and a rocket. Yes, a rocket. In fact, Gary Gabelichused a rocket to take his Blue Flame to 630 mph in 1970, setting a record that stood until 1983 when Richard Noble hit 634mph in Thrust2. BloodhoundSSC was originally designed as a rocket car but a jet engine was added for greater control.

The Cosworth V8, made in the Midlands and currently used in a number of Formula One racing cars, will not drive any wheels; its job is to pump rocket fuel and support the electrical and hydraulic systems on this huge vehicle.

The first attempt on the world land speed record with BloodhoundSSC should take place in 2013. To learn more about this extreme automotive adventure, check out the official BloodhoundSSC site.

Facial recognition technology and the Right of Publicity: Could this hot tech trend violate state laws?

If someone uses a photograph of your face for commercial purposes they could be breaking the law. In an odd way, this statement connects two areas of my life, information security and movie making. Photographs of faces are used in some security systems and lots of movies. When you make a movie it is standard procedure to ask permission to use a person's picture. You record that permission with an "Image Release" that is signed by the person, or their guardian if they are under 18. Here is part of a standard release like the one we used for our movie:

"I grant permission to The Movie and its producers, to take and use visual/audio images of me for their production. The images may be used in any manner or media such as publication, promotions, broadcasts, advertisements, posters and theater or home video distribution. I wave any right to inspect or approve the finished images...I release The Movie and its producers and agents...from any claims, damages, or liability which I may ever have in connection with the taking of and use of the images or printed material used with the images."

The reason for such broad language is the breadth of a legal right with which many Americans are not familiar: The Right of Publicity or RoP. Now might be a good time for venture capitalists and Silicon Valley engineers to familiarize themselves with RoP. Why? Consider what my good friend and colleague Cameron Camp recently wrote about over on the ESET Threat Blog: the use of facial recognition for commercial purposes. Cameron provided some interesting commentary on a startup venture that had the following idea, something that might sound like a cool marketing ploy but which might also be, as I will argue, illegal:

Networked cameras in shops scan the faces of customers and try to match them with faces of Facebook users who have signed up for special deals.

At first blush this sounds like an automated version of my brother's butcher. The analogy goes like this: My brother works from home so he tends to be the one cooking dinner and, because he and his wife like to live in small villages in Europe, he buys the meat for those meals fresh, almost every day of the week, not in a weekly trek to a big supermarket. So my brother gets to know his local butcher and the local butcher rewards local customers with special deals, made on the spur of the moment, based on a form of facial recognition that I like to call: "Hi Mike, how's it going?"

The problem with the computerized version is that having your picture taken by a digital camera is a lot different from your local butcher memorizing your face in his brain. Transferring that digital image over the public Internet to a vast server farm that might be thousands of miles away, possibly in a different country, introduces concerns way beyond any misgivings you might have about the butcher remembering your face. Consider what has to happen to reward people who have opted in to this facial-deal scheme:

1. Take a picture of every customer.


2. Isolate the face within each image and send to a server which can scan it against a database of known faces belonging to people who have opted in.


3. Return a result when there is a match.

In other words, you are photographing people in such a way that their identity is clear, then using those photographs for commercial purposes (specifically deciding who gets a particular deal but in general promoting your business so it is more appealing than your competition). Now consider this piece of law, on the books since 1903, namely Article 5, Section 50 of New York State Consolidated Laws:

Sec. 50. Right of privacy. A person, firm or corporation that uses for advertising purposes, or for the purposes of trade, the name, portrait or picture of any living person without having first obtained the written consent of such person, or if a minor of his or her parent or guardian, is guilty of a misdemeanor.

I know this statute is labeled "Right of privacy" but lawyers assure us it is the basis of the Right of Publicity. The key words are: Uses the picture of any living person for the purposes of trade.

So, if you design a facial recognition deal scheme based on photographing everyone, regardless of permission, in order to pick out specific individuals who have given permission, you would seem to be violating this law and the Right of Publicity, which is enshrined in many state statutes, as described on the Right of Publicity website, rightofpublicity.com:

As of this writing, nineteen states recognize the Right of Publicity via statute (California, Florida, Indiana, Illinois, Kentucky, Massachusetts, New York, Nebraska, Nevada, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Virginia, Washington and Wisconsin). The majority view is that the right exists by common law in every state that has not defined its position through legislation. The American Law Institute’s Third Restatement of Unfair Competition (1995) §46 also recognizes the Right of Publicity as a distinct and viable legal theory.

I don't want this blog post to come across as an attack on a particular startup or technology, but I do note that one of the states in the above list is Tennessee, which is where the startup described by Cameron is located. One might argue that the Right of Publicity is more widely known in Tennessee than some other states because Tennessee law extends the right to deceased persons, Elvis Presley being the most frequently cited example. Unfortunately, this emphasis on celebrity cases leads some people to assume that only celebrities have a Right of Publicity but this is not the case. Numerous states have made this quite clear: You don't have to be famous for use of your face, without permission, for commercial purposes, to be against the law.

Facial recognition technology is currently hotter than hot in VC and startup circles, partly driven by Facebook's massive accumulation of facial data (it reportedly scans 300 million photos a day for faces). The hottness of facial recognition seems to have increased of late despite the fears expressed by privacy advocates. Yet I don't hear many people loudly proclaiming that commercial facial recognition, through its requirement that non-opt-in faces be checked for opted-in faces, violates the Right of Publicity. (There are some instances of people raising aspects of this point: Tim Bukher, Derek Bambauer, and hopefully it was considered at the FTC forum on the topic.)

Of course, I need to put the standard disclaimer out there: I am not a lawyer. On the other hand I have spent 25 years thinking hard about the spaces where privacy, security, and technology intersect. I have also started several successful companies and produced an award-winning movie. While it is entirely possible that I am missing something that invalidates my argument, I have a strong hunch that some forms of facial recognition violate the Right of Publicity.

(Unless someone points out a big hole in my argument I will try to write more about this topic when I get time, perhaps looking at how facial recognition in a commercial security system is affected by RoP, but my immediate task is to review the terms and conditions over on Facebook to make sure they include, as I suspect they do, permission to use my face for commercial purposes--I'm sure the lawyers at Facebook took heed of RoP, right?)