Category Archives: History

Chromium-6 Found in US Cities

The Environmental Working Group released a study last month that showed nearly 90% of American cities have unhealthy levels of cancer-causing chemicals in their tap water. Norman, Oklahoma topped the list, just above Honolulu.

Laboratory tests commissioned by Environmental Working Group (EWG) have detected hexavalent chromium, the carcinogenic “Erin Brockovich chemical,” in tap water from 31 of 35 American cities. The highest levels were in Norman, Okla.; Honolulu, Hawaii; and Riverside, Calif. In all, water samples from 25 cities contained the toxic metal at concentrations above the safe maximum recently proposed by California regulators.

The National Toxicology Program has concluded that hexavalent chromium (also called chromium-6) in drinking water shows “clear evidence of carcinogenic activity” in laboratory animals, increasing the risk of gastrointestinal tumors. In September 2010, a draft toxicological review by the U.S. Environmental Protection Agency (EPA) similarly found that hexavalent chromium in tap water is “likely to be carcinogenic to humans.”

Norman, Oklahoma has now run its own tests and given a public response to the EWG findings.

Water samples recently collected by the city of Norman found levels of chromium-6 ranging from 10 to 90 parts per billion, Utilities Director Ken Komiske said Thursday.

Komiske said the findings were no surprise given Norman’s location and well-documented history of having heavy metals in its drinking water.

[…]

Currently, the limit set by the EPA for total chromium in drinking water is 100 parts per billion.

[…]

“It is naturally occurring here … it’s going to be in the soil, it’s going to be in your plants and it’s going to be in your water,” Komiske said. “But is it safe to drink? Absolutely.”

An interesting clue in this story is that Komiske is reported to have tested for chromium-6, yet he quotes an EPA limit for total chromium. The two are not the same, and the story does not make that clear.

A similar report comes from Syracuse, New York:

[Onondaga County Health Commissioner Dr. Cynthia] Morrow says comprehensive testing programs are in place, and those tests show the amount of chromium is well below state standards. “We have a huge margin of safety before we have any level of concern and that’s for total chromium,” she said.

Total chromium again.

The question raised by the EWG is not for total chromium. It is specific to chromium-6. The EPA has no maximum contaminant level set for chromium-6.

The story from Hawaii shows a far more detailed and informed report than the above two cities.

The Board of Water Supply found the highest level of chromium-6 in Waipahu and the lowest in Wahiawa.

“You don’t want any chromium-6 in the water because there’s always a risk of cancer, but it’s understanding that at very low levels the risk of getting any kind of illness is very low,” said interim Health Director Neal Palafox. “The water by present science is very safe.”

California has a goal of 0.06 ppb for chromium-6 in drinking water.

The chromium-6 is most likely derived from naturally occurring volcanic soils, according to Gary Gill, DOH deputy director for environmental health. “Levels are far below any EPA action levels at this point,” Gill said. “The goal for any contaminant should almost always be zero — that’s a goal, that’s not a health standard.”

Total chromium levels among the Oahu sites tested ranged from 0 to 4.8 ppb.

“To have citizens and people concerned about anything that’s unsafe in the water is always good and should raise red flags,” Palafox said. “The other part of the responsibility is to help people interpret what it means.”

Again we see an official point to EPA levels, yet fail to mention there is no EPA level for chromium-6. That is the issue. At least the reporter makes it clear. The EPA defends itself by saying it simply has not been able to update its rules with current science since 1992:

The current standard is set at 100 parts per billion. EPA’s regulation assumes that the sample is 100% chromium-6. This means the current chromium standard has been as protective and precautionary as the science of that time allowed. The current standard is based on potential adverse dermatological effects over many years, such as allergic dermatitis.

[…]

…EPA is proposing to classify hexavalent chromium (or chromium-6) as likely to cause cancer in humans when ingested over a lifetime. EPA will make a final determination by the end of 2011.

They are not saying chromium-6 should be allowed at 100 parts per billion; they are saying they do not separately disallow chromium-6 within the 100 parts per billion, because other forms of chromium are not toxic.

In stark contrast to news in Hawaii is a FOX report from Maryland, where an official says there is no need for any safety concern at all until after disaster:

“There is nothing to fear. I’m a Bethesda resident. I drink it all of the time. You’re talking about one test taken at one tap out of 435,000 customers and the level at the tap. There is no science to say what kind of harm this would do to human beings,” said Jim Neustadt with WSSC.

[…]

Why not just test for it? “Because there is nothing that indicates .19 is anything to be concerned about at this time,” said Neustadt.

Nothing indicates risk?

If I lived in Bethesda I would either move away about now or call for Neustadt to test immediately or resign. Even Norman, Oklahoma ran tests before making a public statement on their levels.

Likewise, Maryland fails the Hawaii safety test and education standard because the only data point from Bethesda’s spokesman is that he drinks the water himself; in just two sentences he completely contradicts himself: “I drink it all of the time. You’re talking about one test taken at one tap out of 435,000 customers and the level at the tap.” Either you accept a study methodology or you do not. Which is it?

He also clearly has not read the EPA report that says chromium-6 is considered carcinogenic, and he has not read independent research, let alone the book from 1933 called 100,000,000 Guinea Pigs: Dangers in Everyday Foods, Drugs, and Cosmetics:

…the manufacturer is not required to prove that the substances he adds are safe for human consumption; his customers by dying or by becoming ill in large numbers—and in such a way that the illness can be directly traced to the foodstuff involved and to no other cause—must first prove that it is harmful before any action will be considered under the Food and Drugs Act. If prohibition of the poison will not interfere with the business of any large and influential interest, the Government may then take action.

If the poison is such that it acts slowly and insidiously, perhaps over a long period of years (and several such will be considered in later chapters), then we poor consumers must be test animals all our lives; and when, in the end, the experiment kills us a year or ten years sooner than otherwise we would have died, no conclusions can be drawn and a hundred million others are available for further tests.

American regulation of toxicity changed after 1933 because of the awareness this book generated. When a large number of children were killed by a poisonous additive in a cough syrup, a huge backlash (arguably instigated by the book) led to changes in the law: proof of safety was increasingly required, rather than proof of harm.

Neustadt must have missed more than 70 years of memos on American health, ethics and risk management. Perhaps he could explain why scientific studies that describe chromium-6 as “toxic” should mean something different in Maryland.

The hexavalent form is toxic. Adverse effects of the hexavalent form on the skin may include ulcerations, dermatitis, and allergic skin reactions. Inhalation of hexavalent chromium compounds can result in ulceration and perforation of the mucous membranes of the nasal septum, irritation of the pharynx and larynx, asthmatic bronchitis, bronchospasms and edema. Respiratory symptoms may include coughing and wheezing, shortness of breath, and nasal itch.

[…]

…health problems that are caused by chromium(VI) are:

– Skin rashes
– Upset stomachs and ulcers
– Respiratory problems
– Weakened immune systems
– Kidney and liver damage
– Alteration of genetic material
– Lung cancer
– Death

Maryland residents may be pleased to hear that a new bill that claims to be based on science instead of one man’s health has been introduced at the federal level to address the risk of chromium-6, timed with the EPA’s re-classification.

S. 79, The Protecting Pregnant Women and Children From Hexavalent Chromium Act of 2011

S. 79 would amend the Safe Drinking Water Act to protect the health of vulnerable individuals, including pregnant women, infants, and children, by requiring a health advisory and drinking water standard for hexavalent chromium.

Digital Image Forensics

NIST Colloquium Series discusses how doctored images are used and revealed in media, politics, science and law…or as Plato asked, how do you believe what you see?

Perhaps my favorite line in the presentation is when Dr. Hany Farid says what worried people about doctored Iranian missile photos was not the number fired, but that the Iranians figured out how to use Photoshop.

In related news the Chinese were just accused (again) of showing Top Gun movie images as real and current military news.

Is the Kochtopus Risk Real?

Where is Godzilla when you need him? A giant menacing shadowy figure of petrochemical poisons looms over America. It waves its tentacles and weaves it ways into every market, every sector, trying to subdue the environment and overpower resistance. Is it smog? Could it be…is it…The Kochtopus?!

…the University of Massachusetts at Amherst’s Political Economy Research Institute named Koch Industries one of the top ten air polluters in the United States.

[…]

Koch Industries owns Brawny paper towels, Dixie cups, Georgia-Pacific lumber, Stainmaster carpet, and Lycra, among other products. Forbes ranks it as the second-largest private company in the country, after Cargill, and its consistent profitability has made David and Charles Koch—who, years ago, bought out two other brothers—among the richest men in America. Their combined fortune of thirty-five billion dollars is exceeded only by those of Bill Gates and Warren Buffett.

One of my big beefs, pardon the pun, with the Kansas-based duo is that they fail the libertarian test.

They claim to be advocates of a completely free market — only the strongest should survive through “creative destruction” (their term) — yet their history of wealth tells a very different story.

When their father failed in the market, he quit and found a more generous source of income. Regulations might have helped Fred innovate in America, but an easier path to get rich lured him away — Russia.

Fred attended M.I.T., where he earned a degree in chemical engineering. In 1927, he invented a more efficient process for converting oil into gasoline, but, according to family lore, America’s major oil companies regarded him as a threat and shut him out of the industry. Unable to succeed at home, Koch found work in the Soviet Union.

It might be said he was unfairly shut out of the market, but that raises the question of which market is completely fair, and why he did not try to reform the one he was in. He failed in the existing market and, instead of using creative destruction to improve, he quit the competition and gave himself to Stalin. That arrangement apparently did not work out so well for Fred, who soon realized his financial benefactor was now calling all the shots (pun not intended).

In the nineteen-thirties, his company trained Bolshevik engineers and helped Stalin’s regime set up fifteen modern oil refineries. Over time, however, Stalin brutally purged several of Koch’s Soviet colleagues. Koch was deeply affected by the experience, and regretted his collaboration. He returned to the U.S. In the headquarters of his company, Rock Island Oil & Refining, in Wichita, he kept photographs aimed at proving that some of those Soviet refineries had been destroyed in the Second World War. Gus diZerega, a former friend of Charles Koch, recalled, “As the Soviets became a stronger military power, Fred felt a certain amount of guilt at having helped build them up. I think it bothered him a lot.”

Fortunately for Fred, he managed to get rich thanks to Stalin. But his decisions bothered him so much it became a grudge that he passed on to his children.

Here I think it appropriate to mention the younger Bush Presidency connection to problems raised by the elder Bush. The elder Bush invaded Iraq, but failed to depose Saddam Hussein, for example. The younger Bush then re-lit and carried his father’s torch to the point where it blinded him; who today believes that the current war with Iraq was really about the search for WMD? Could the Koch sons make a similar mistake in judgment?

I fear the same totally irrational view of current events now infects the Koch corporate offices in Wichita. They probably seek to avenge their father; they want to win the battles in a war that ended over 60 years ago. Although there are many possible paths they could choose, it seems they may just want to find a target to pin with a 1950s hatred of the “Reds”.

The Koch father, no matter how well-intentioned he was with his grudge, unfortunately tended to work himself up over nothing. He joined extreme political movements and vowed to fight the evil Communist agents taking over America, such as a decorated war general elected President and the “colored man”:

Members considered President Dwight D. Eisenhower to be a Communist agent. In a self-published broadside, Koch claimed that “the Communists have infiltrated both the Democrat and Republican Parties.” He wrote admiringly of Benito Mussolini’s suppression of Communists in Italy, and disparagingly of the American civil-rights movement. “The colored man looms large in the Communist plan to take over America,” he warned. Welfare was a secret plot to attract rural blacks to cities, where they would foment “a vicious race war.” In a 1963 speech that prefigures the Tea Party’s talk of a secret socialist plot, Koch predicted that Communists would “infiltrate the highest offices of government in the U.S. until the President is a Communist, unknown to the rest of us.”

He admired suppression by Mussolini? That’s like saying he admires the use of WMD. The Italian leader made indiscriminate use of chemical weapons and viruses on civilians, which decimated the Horn of Africa. He even bombed hospitals. Koch was either ignorant of the facts or blinded by his rage. Either way, his admiration was misplaced.

Perhaps Fred Koch did not concern himself with the welfare of Africans, dismissing them as more of the “colored man” who “looms large”.

The Koch sons now running his empire do not seem to reflect upon their father with any disdain for his philosophy at all. It does not appear that they have distanced themselves from his admiration of fascism or from his rhetoric against civil rights and welfare; thus we today find a mutation from Fred Koch into a formidable Kochtopus.

The Kochtopus has entered new battles. It has rallied against clean energy innovation in America, for example. Imagine a Fred Koch today, just graduating from MIT and hoping to bring his new ideas for energy to market to reduce emissions. Who would oppose the need for his ideas and try to shut him out? The Kochtopus would, because energy innovation to reduce emissions is some kind of evil government plot, apparently.

…97 percent of the $8.2 million raised by the [Yes on Proposition 23] forces has been given by oil-related interests and 89 percent of that money has come from out of state. Three companies, Koch Industries, Tesoro, and Valero — another Texas-based oil company — have provided 80 percent of those funds.

“There are three companies from out of state that have a very specific economic interest in rolling back our clean energy economy and jobs,” Thomas Steyer, a San Francisco hedge-fund manger who is co-chair of the No on 23 campaign, said during a conference call Friday.

“I am a businessman,” he added. “I believe in the free enterprise system. I believe in profit. But companies have to accept the rules that are placed on them.”

Steyer, founder of Farallon Capital Management, has pledged $5 million of his own money to the No campaign.

If Proposition 23 had passed, the Fred Kochs of today would likely have to go to China or other countries to innovate with clean energy, just as Fred had to go to Stalin.

“If the Yes on 23 folks win, we’re going to change the framework for investment here,” said Steyer. “We’re going to change our ability to create new industries. Those industries are going to go elsewhere, probably not in the United States. Probably specifically our biggest competition in this is China.”

Oh, the irony of so-called libertarianism. First the Koch family gets rich from government aid, then they try to shut down regulations that would help others with new ideas who could be in competition. They also spin studies that try to cast doubt on the need for cleaner energy or more regulation to protect health; it’s a play right out of the oil company book of the 1930s that their father was so angry about.

The sons should be backing innovation and new ideas and fighting for regulation that protects the market. They should be promoting welfare programs and proving Communism evil and wrong by example — show how success in a fair market can spur growth and help reduce harm. Instead they are playing right into the hands of their harshest critics.

The Kochtopus is demonstrating an obsession with consolidation of wealth, deregulation and monopolization, fueled by misplaced pride in anti-Stalinism, which is quickly earning it the reputation of one of the more ironic and tragic stories in America.

Look around. Do you see signs of the Kochtopus, ready to take control and stop you from suggesting new ideas or helping others?


Excuse me, which way to the boardroom?

PCI Council Does Not Ban MD5

The PCI Council seems to suggest in today’s Assessor Update that extensive use of MD5 is a reason not to prohibit its use:

…the PCI DSS and PA-DSS do not explicitly prohibit the use of MD5, acknowledging the prevalence of MD5 as a cryptographic technology in the marketplace. Additionally, it may be possible to mitigate some of the risks associated with MD5 through the implementation of additional cryptographic controls or security measures. For example, the susceptibility of MD5 hashes to rainbow table lookups can potentially be mitigated through the proper use of strong, unique salts.

They then, of course, say it is up to the QSA or PA-QSA to assess the risk with their client.

They could have said the same thing about SSLv2.

Section 4.1 of the PCI DSS, until the end of 2008, was open to interpretation for SSL. However, the Assessor Update Nov08 clarified that use of SSLv2 for protection of sensitive information is prohibited.

…it is imperative that an ASV identify the use of SSL 2.0 to transmit cardholder data as a failure

The difference between the two probably comes down to two factors:

  1. available options
  2. ease of upgrade

SSLv2 was required only by browsers before 1997. Alternatives to SSLv2 have therefore not only been around for a decade, but SSLv3 or later has been the default for applications since at least 2005. Despite possible workarounds, the advocated path was an upgrade.

Disabling SSLv2 is a trivial server setting. One reason organizations often give for avoiding change is development cost, but there is none here: version negotiation was built into SSL from the start, so clients move to the newer protocol automatically once the server stops offering the old one. There may still be support calls caused by error messages or warnings, but servers configured to present instructions or self-help have offset those.

Compared with SSL, MD5 has many available alternatives (even if they are less obvious than with SSL), so it passes the first criterion. It is probably said to be too difficult or costly to change because it was built into applications without any upgrade path for the hash function. Thus the Council must really be basing its decision on the second issue.

This makes for an interesting dilemma for an Assessor. The PCI Council is stepping away from the risk assessment itself: it says it is “acknowledging the prevalence” of MD5, not any security property of the hash function.

I doubt most Assessors would use prevalence alone as a measure, whether or not it is “possible to mitigate some of the risks”. Some of the risks? An Assessor would probably say a more appropriate measure of risk, when asked to approve an increasingly vulnerable control like MD5, is the rise and prevalence of threats.

In 2007 it was demonstrated that the MD5 hash of a common password could be reversed simply by pasting it into Google: the web itself had become a lookup table, which made the point that an unsalted hash of a guessable input is not a secret. Attacks up to that time were mostly theoretical.

Cheap, large storage kept expanding, and with it the size of rainbow tables for unsalted MD5. At two terabytes for $100, for example, it is hard to believe rainbow tables could be outrun by widening the character set of the input, since table sizes grow at almost no cost.

In 2008 the theoretical attacks on MD5 became more real. A researcher claimed free MD5 attack software could run at 1.4 billion cycles per second. A race for the fastest MD5 crack engine heated up, using raw compute speed and simple code to crack hashes even where a long salt was used. Last year saw a number of free attack tools that target salted MD5 and take advantage of multiple ATI and nVidia GPUs. Reported rates for one such tool across two releases, on a single card and for batches of 2 and 500,000 hashes:

NVidia 8800gt, MD5
  2 hashes:       v0.23 = 302.9M/s, v0.24 = 311.3M/s
  500,000 hashes: v0.23 = 295.6M/s, v0.24 = 302.5M/s

NVidia gtx465, SHA-1
  2 hashes:       v0.23 = 376.9M/s, v0.24 = 430.3M/s
  500,000 hashes: v0.23 = 366.8M/s, v0.24 = 418.3M/s

Thomas Ptacek, in a widely cited 2007 piece on password hashing, adds some color to the evolution of threats against MD5:

It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database.

Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed.
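To make the last few paragraphs concrete, here is an added example (not code from this page, from the tool whose rates are quoted above, or from any PCI Council guidance) that runs the lookup-table, salt and throughput arguments in one script. The wordlist and the salt are constructed for the example; the 302.9M/s figure is the 8800gt MD5 rate quoted above; PBKDF2-HMAC-SHA256 from the Python standard library stands in for a deliberately slow function such as bcrypt. The PAN calculation is my generalisation beyond what the page says: a 16-digit card number with a known 6-digit BIN has only 10^9 possibilities, because the final digit is a Luhn check digit, and that is the entire keyspace a hash of cardholder data has to resist.

```python
import hashlib
import hmac
import time

# Constructed wordlist standing in for the dictionary behind a lookup or
# rainbow table. Sample inputs made up for this example, not data from the page.
WORDLIST = ["password", "letmein", "qwerty", "monkey", "123456", "dragon"]

# Rate quoted above for MD5 on a single NVidia 8800gt (v0.23, batch of 2).
GPU_MD5_RATE = 302.9e6


def md5_hex(data: str) -> str:
    """Unsalted MD5 of a string, the construction the Council declined to prohibit."""
    return hashlib.md5(data.encode()).hexdigest()


def salted_md5_hex(salt: str, data: str) -> str:
    """Salted MD5. The salt is stored next to the hash, so whoever has the
    hash has the salt as well."""
    return hashlib.md5((salt + data).encode()).hexdigest()


def build_lookup_table(words):
    """Precomputed hash -> plaintext table (a rainbow table is a compressed one)."""
    return {md5_hex(w): w for w in words}


def lookup(table, digest):
    """Instant recovery when the digest is an unsalted hash of an in-table input."""
    return table.get(digest)


def brute_force_salted(salt, digest, words):
    """With the salt known, try each candidate at one hash per guess. The salt
    defeats the precomputed table but does nothing to slow the guessing."""
    for w in words:
        if hmac.compare_digest(salted_md5_hex(salt, w), digest):
            return w
    return None


def seconds_to_exhaust(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given cracking rate."""
    return keyspace / hashes_per_second


def pan_candidates_per_bin() -> int:
    """Assumption stated in the lead-in: 16-digit PAN, 6-digit BIN known, last
    digit fixed by the Luhn check, leaving 9 free digits."""
    return 10 ** 9


def work_factor_ratio(iterations: int = 100_000, samples: int = 200) -> float:
    """How many times costlier one PBKDF2-HMAC-SHA256 guess is than one MD5
    guess on this machine (wall clock, so the exact figure varies by host)."""
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.md5(b"f3a9c1password").digest()
    md5_each = max((time.perf_counter() - t0) / samples, 1e-9)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"password", b"f3a9c1", iterations)
    kdf_each = time.perf_counter() - t0
    return kdf_each / md5_each


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    stolen = md5_hex("monkey")
    print("unsalted, table lookup:", lookup(table, stolen))
    salt = "f3a9c1"
    stolen_salted = salted_md5_hex(salt, "monkey")
    print("salted, table lookup:", lookup(table, stolen_salted))
    print("salted, brute force:", brute_force_salted(salt, stolen_salted, WORDLIST))
    print("every PAN behind one BIN at %.0f MD5/s: %.1f s"
          % (GPU_MD5_RATE, seconds_to_exhaust(pan_candidates_per_bin(), GPU_MD5_RATE)))
    print("every 8-char lowercase password: %.0f s"
          % seconds_to_exhaust(26 ** 8, GPU_MD5_RATE))
    print("PBKDF2 vs MD5 per-guess cost: %.0fx" % work_factor_ratio())
```

The asymmetry the output shows is the point: the salt turns an instant table hit into a miss, but the same wordlist still falls at one hash per guess, and at the quoted GPU rate every card number behind a single BIN is covered in a few seconds whether or not a salt was used. Only the per-guess cost (the PBKDF2 ratio) changes the attacker's economics, and for an input as small as a PAN even that is not enough without a key or encryption.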

Thus, while the PCI Council advises Assessors to take a risk-based approach with clients, there in fact seem to be no countermeasures or compensating controls to make MD5 suitable for cardholder data protection. The best path in terms of “implementation of additional cryptographic controls” to meet the intent of PCI compliance is a move to a stronger hash function or to an encryption algorithm (e.g. do not list MD5 as a control that can protect cardholder data).

That is probably why Bruce Schneier put it so succinctly two years ago (December 31, 2008):

I’m not losing a whole lot of sleep because of these attacks. But — come on, people — no one should be using MD5 anymore.

US federal agencies were already steering away from MD5 in 2004; NIST’s National Software Reference Library (NSRL) put it this way:

There are known MD5 collisions and weaknesses, and MD5 is not recognized by FIPS 140-2, Security Requirements for Cryptographic Modules. The NSRL data provides an MD5 to SHA-1 mapping to facilitate the migration away from MD5.

NIST then set a deadline of last year to phase out SHA-1 as well, citing advances in technology:

[D]ue to advances in technology, NIST plans to phase out of SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010.

Organizations that have not made their hash function easy to modify or upgrade will be in an even more difficult position when the Council finally finds the courage to ban MD5, or when a specific breach is linked to the hash function. The latest guidance from the PCI Council, however, moves more risk into the hands of the Assessor while making it much harder for Assessors to insist on a prepared fallback position (e.g. SHA-256) from those who claim they cannot move off MD5.
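The upgrade path the previous paragraph asks for, as an added example rather than anything from this page or from the PCI Council: a self-describing record format in which each stored hash declares its scheme, so legacy MD5 entries can be verified as they are and then rewritten in the current scheme the next time the secret is presented. The "$scheme$params$salt$digest" layout, the scheme tags and the iteration count are hypothetical conventions chosen for this example; PBKDF2-HMAC-SHA256 is my choice of replacement, taking the SHA-256 suggestion above and putting it inside a salted, iterated construction. It also covers the earlier point that applications built without any upgrade path for the hash function are the ones now stuck on MD5.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical record layout for this example: "$scheme$params$salt$digest".
# The scheme tag lets the verifier tell a legacy MD5 record from an upgraded
# one without guessing; the tags and layout are assumptions, not a PCI format.
LEGACY_SCHEME = "md5"
CURRENT_SCHEME = "pbkdf2-sha256"
PBKDF2_ITERATIONS = 200_000


def _legacy_md5(salt_hex: str, secret: str) -> str:
    """The kind of salted MD5 an older application may have hard-wired."""
    return hashlib.md5(bytes.fromhex(salt_hex) + secret.encode()).hexdigest()


def _pbkdf2(salt_hex: str, iterations: int, secret: str) -> str:
    """Replacement: SHA-256 inside a salted, iterated construction (PBKDF2-HMAC)."""
    return hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), bytes.fromhex(salt_hex), iterations
    ).hex()


def make_legacy_record(secret: str, salt_hex: Optional[str] = None) -> str:
    """Produce a record as the legacy application would have stored it."""
    salt_hex = salt_hex or os.urandom(8).hex()
    return "$".join(["", LEGACY_SCHEME, "", salt_hex, _legacy_md5(salt_hex, secret)])


def make_current_record(secret: str, salt_hex: Optional[str] = None) -> str:
    """Produce a record in the current scheme with a fresh random salt."""
    salt_hex = salt_hex or os.urandom(16).hex()
    digest = _pbkdf2(salt_hex, PBKDF2_ITERATIONS, secret)
    return "$".join(["", CURRENT_SCHEME, str(PBKDF2_ITERATIONS), salt_hex, digest])


def parse_record(record: str) -> Tuple[str, str, str, str]:
    """Split a record into (scheme, params, salt_hex, digest)."""
    _, scheme, params, salt_hex, digest = record.split("$")
    return scheme, params, salt_hex, digest


def verify(record: str, secret: str) -> bool:
    """Check a secret against whichever scheme the record declares."""
    scheme, params, salt_hex, digest = parse_record(record)
    if scheme == LEGACY_SCHEME:
        candidate = _legacy_md5(salt_hex, secret)
    elif scheme == CURRENT_SCHEME:
        candidate = _pbkdf2(salt_hex, int(params), secret)
    else:
        raise ValueError("unknown hash scheme: " + scheme)
    return hmac.compare_digest(candidate, digest)


def needs_upgrade(record: str) -> bool:
    """True for the legacy scheme, or for the current scheme below today's cost."""
    scheme, params, _, _ = parse_record(record)
    return scheme != CURRENT_SCHEME or int(params) < PBKDF2_ITERATIONS


def verify_and_upgrade(record: str, secret: str) -> Tuple[bool, str]:
    """Verify, and on success hand back the record the caller should now store.
    The plaintext secret is only available at verification time, so this is
    the point at which a legacy hash can be replaced without a forced reset."""
    if not verify(record, secret):
        return False, record
    if needs_upgrade(record):
        return True, make_current_record(secret)
    return True, record


if __name__ == "__main__":
    old = make_legacy_record("hunter2")
    ok, new = verify_and_upgrade(old, "hunter2")
    print(old)
    print(ok, new)
    print("upgraded record still verifies:", verify(new, "hunter2"))
```

The verification-time rewrite means no forced password reset and no batch job that would need plaintexts it does not have; needs_upgrade also catches records whose iteration count has fallen behind, so the same hook serves the next migration. For PANs this is still not sufficient on its own, since the input space is tiny regardless of the work factor; there the other option named above, encryption (or a keyed hash with a managed key), is the one that applies.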

Prevalence in the marketplace could as easily have given the Council reason to push for change, just like with SSLv2. Instead they seem to call it a reason for pause.

Updated to add: Confusion may come from whether MD5 is allowable within other security processes. A TLS tunnel, for example, can protect MD5 hashes in transit. But that is like saying a TLS tunnel can protect ASCII-encoded data: sensitive data (hashed, encoded or otherwise) that needs a strong tunnel for its protection is weak on its own. It would therefore be imperative to identify the use of MD5 to protect cardholder data as a failure.