Category Archives: Food

Ultra-processed foods harmful “much like an invading bacteria”

New studies are confirming that ultra-processed foods are harmful, which was expected, but in ways that may have no better solution than better transparency leading to bans.

…researchers have theorized that ultra-processed foods increase inflammation because they are recognized by the body as foreign – much like an invading bacteria. So the body mounts an inflammatory response, which has been dubbed ‘fast food fever’. This increases inflammation throughout the body as a result.

How do they classify a food as ultra-processed?

These foods are also not labelled as such on food packaging. The best way to identify them is by looking at their ingredients. Typically, things such as emulsifiers, thickeners, protein isolates and other industrial-sounding products are a sign it’s an ultra-processed food. But making meals from scratch using natural foods is the best way to avoid the harms of ultra-processed foods.

Processed means not raw or made from raw ingredients — many stages of complicated processing such as the industrial polysaccharide polymer “guar gum” often found in inexpensive dairy products to transform their viscosity (prevent proper crystallization and melt).

While it’s true labels on food packaging don’t say processed, when you see ingredients on food more than six things long… you’re typically getting into processing.

Ice-cream for example should be a short list such as this Strauss label:

That company is yelling at you for a reason. Their label is in fact revealing a huge difference from a list of ultra-processed ingredients like this:

Basically if you see guar gum in ice cream it’s a symptom for you to run, don’t walk, away from its ultra-processed “viscosity” not to mention all its other questionable additives.

That might sound like a new idea but it reminds me of a 1516 “purity law” from the Bavarian city of Ingolstadt, which said beer can only contain barley, hops and water (yeast was later added).

Initially this allow list was only within the Duchy of Bavaria and it gradually expanded across German states becoming a modern German law in 1906. Talk about precedent…

Albania Breaks Ties With Iran After 2022 Microsoft Investigation of CVE-2019-0604

The U.S. is very confidently accusing Iran of attacking Albania, based on yesterday’s report by Microsoft about Microsoft’s usual software vulnerabilities and mis-configurations.

Microsoft assessed with high confidence that on July 15, 2022, actors sponsored by the Iranian government conducted a destructive cyberattack against the Albanian government, disrupting government websites and public services. At the same time, and in addition to the destructive cyberattack, MSTIC assesses that a separate Iranian state-sponsored actor leaked sensitive information that had been exfiltrated months earlier. Various websites and social media outlets were used to leak this information. […] A group that we assess is affiliated with the Iranian government, DEV-0861, likely gained access to the network of an Albanian government victim in May 2021 by exploiting the CVE-2019-0604 vulnerability on an unpatched SharePoint Server, administrata.al (Collab-Web2.*.*), and fortified access by July 2021 using a misconfigured service account that was a member of the local administrative group. Analysis of Exchange logs suggests that DEV-0861 later exfiltrated mail from the victim’s network between October 2021 and January 2022.

The report unfortunately is not titled “What are you even doing running Sharepoint in 2021” and instead uses this far more provocative line:

Microsoft investigates Iranian attacks against the Albanian government

Just a decade ago many experts in the security industry warned against investigations being so overtly bold or confident with their attribution statements. The fear was rooted in dubious logic that someone could make a mistake and therefore shouldn’t even try.

I mean if that was sound logic Sharepoint would have never been released to the public. Ok, maybe there’s some truth to that logic.

But seriously, anyone in any history 101 class knows you can’t let perfect be the enemy of good when writing reports about what happened in the past. Of course you can get attribution wrong, which is in fact why you should try hard and make sure you do it well.

It feels like a very long ago time ago (but really only 2014) that I gave a counter-argument to fears about uncertainty, in a presentation to incident response teams in Vienna, Austria basically saying it’s time for attribution.

Looking back at my slides, honestly I think I tried too hard to make data integrity funny. Attribution is less complicated by some unique thing about computers than it is by things about people like this: Americans are more likely to want to intervene in places they can’t find on a map (click to enlarge and have a sad laugh).

Here’s another one, where I poked fun at FireEye for making very crude and rube attribution mistakes and surviving (they’re still in business, right?).

Now look how far the world has come!

Microsoft shakes heavy doses of political science into its computer forensics reports like it’s powdered sugar on a Turkish delight.

  • The attackers were observed operating out of Iran
  • The attackers responsible for the intrusion and exfiltration of data used tools previously used by other known Iranian attackers
  • The attackers responsible for the intrusion and exfiltration of data targeted other sectors and countries that are consistent with Iranian interests
  • The wiper code was previously used by a known Iranian actor
  • The ransomware was signed by the same digital certificate used to sign other tools used by Iranian actors

[…] A group that we assess is affiliated with the Iranian government, DEV-0861…
[…] The geographic profile of these victims—Israel, Jordan, Kuwait, Saudi Arabia, Turkey, and the UAE—aligns with Iranian interests and have historically been targeted by Iranian state actors, particularly MOIS-linked actors.
[…] The cyberattack on the Albanian government used a common tactic of Iranian state sponsored actors…
[…] The wiper and ransomware both had forensic links to Iranian state and Iran-affiliated groups. The wiper that DEV-0842 deployed in this attack used the same license key and EldoS RawDisk driver as ZeroCleare, a wiper that Iranian state actors used in an attack on a Middle East energy company in mid-2019.
[…] Multiple other binaries with this same digital certificate were previously seen on files with links to Iran, including a known DEV-0861 victim in Saudi Arabia in June 2021
[…] The messaging, timing, and target selection of the cyberattacks bolstered our confidence that the attackers were acting on behalf of the Iranian government. The messaging and target selection indicate Tehran likely used the attacks as retaliation for cyberattacks Iran perceives were carried out by Israel and the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania that seeks to overthrow the Islamic Republic of Iran.
[…] The messaging linked to the attack closely mirrored the messaging used in cyberattacks against Iran, a common tactic of Iranian foreign policy suggesting an intent to signal the attack as a form of retaliation. The level of detail mirrored in the messaging also reduces the likelihood that the attack was a false flag operation by a country other than Iran.

Done and dusted. Need I continue?

It is nice to see such definitive and detailed work about attribution as if it’s a normal investigation with regular analysis methods… but it’s even nicer to read Albania has announced they’re cutting ties with Iran. And then… to see the U.S. follow-up with announcements about sanctions, it’s like why didn’t Microsoft start doing this way back in 1986 instead of for decades completely ignoring security as a get-rich scheme?

Red Means Dead: U.S. Political Affiliation Correlated to Disease

The U.S. Center for Disease Control (CDC) has published data showing a large political party is killing its members like a primitive cult drinking Jel Sert’s Flavor Aid. Can you guess which one? Here is a clue from ABC.

“…the 10 states with the highest vaccination rates all voted for Biden in 2020, while nine of the 10 states with the lowest vaccination rates [did not].”

It really begs the question for who in the security industry did not vote for the party that stood for national safety and preserving life, given the other one actively opposed basic security.

The ABC goes on to say there was a vast discrepancy between red and blue beliefs as death correlated to political regions. Notably, the differences were measured in “access to adequate healthcare, and the disproportionate impact of the virus on communities of color.”

People taking drinking the red stuff experienced less healthcare, more racism.

And again, given our industry is supposed to care about information integrity, we have to wonder who voted for America having a national security breach of this magnitude.

…vaccination rates and receptivity to mitigation measures have also been influenced by factors including misinformation.

Can someone ethically be a security professional who goes on Fox news to whinge about stopping breaches (that have marginal likelihood and severity) while voting for a party that attacks the country en masse (killing literally millions)?

Once a vaccine was widely available the death rates shot up nearly 40% in “red” states. This is basically a United States security dashboard where user groups who refuse baseline precautions on political grounds alone are going permanently offline at an alarming rate.

Speaking of misinformation, Jel Sert’s official grape Flavor Aid page says its primary ingredient on the left side is sugar made from cornstarch (Dextrose), yet the nutrition label doesn’t list sugar at all on the right side.

Source: Jel Sert

Very strange, given that dextrose powder has about 4 calories per gram just like table sugar (sucrose) and quickly raises blood glucose levels. This 4 gram package mixed with water gives 16 calories of sugar and basically nothing else (including attempts to hide the sugar as vitamin C).

Dextrose is said to lead directly to weight gain, diabetes and heart disease if you believe the science in a large-scale study from April 2014 in JAMA Internal Medicine. Such warnings about the dangers of dextrose were echoed again in 2017 by BMJ OpenHeart. So how can a sugar product have a prominent list that doesn’t include sugar?

[FDA requirement to put on a nutrition facts list] added sugars include sugars that are added during the processing of foods (such as sucrose or dextrose)… For most Americans, the main sources of added sugars are sugar-sweetened beverages…

Again speaking of misinformation, Elon Musk originally said in early 2020 that COVID19 would be gone by April, and then in late 2020 that he did not believe in safety measures and would not get a vaccine. Two years later he has both gotten the vaccine and twice been tested positive for COVID-19.

If this sounds like misinformation from a prominent political voice in America, it gets even worse. News reports say he used his bully pulpit to convince people their lives didn’t matter.

…he spent months criticizing public health measures aimed at curbing the spread of the coronavirus, promoting misinformation about COVID-19 such as insisting it wasn’t very deadly, and baselessly casting doubt on the effectiveness of vaccines.

In fact, Elon Musk said in the most political way he would move his entire operations to a “red” state after California said it was applying pandemic precautions (as well as investigating racism) to protect his workers from abuse and death.

This is unfortunately consistent with him also telling the public lies about transportation safety, allegedly profiting from cutting corners in the low-quality deceptive Teslas that caused hundreds of preventable deaths… perhaps making it the Flavor Aid of cars.

All food for thought.

FCC Declares Kaspersky “threat to U.S. national security”

Remember when Kaspersky in 2018 lost an obviously stupid lawsuit that claimed the U.S. government shouldn’t be able to prohibit products harmful to society?

U.S. District Court Judge Colleen Kollar-Kotelly wrote in her May 30 opinion that U.S. networks and computer systems are “extremely important strategic national assets” whose security depends on the government’s ability to act swiftly against potential threats, even if such actions cause adverse affects for third-party providers like Kaspersky Labs. “These defensive actions may very well have adverse consequences for some third-parties. But that does not make them unconstitutional,” Kollar-Kotelly wrote.

On a related note, Americans I know personally who foolishly agreed to attend Kaspersky CEO’s invite-only security “bash” on a tropical island… ended up with food poisoning and severe illness. Projectile vomit.

True story.

Well, the big news today is that under a 2019 law the FCC has just formally added AO Kaspersky Lab along with China Telecom and China Mobile to a national security threat list.

Kaspersky earlier this year was also in the news when the German government issued a warning, and again when their CEO gave a rather tone-deaf message about Russia invading Ukraine.

“Better to have stayed silent than to have called an invasion a ‘situation’ that requires a ‘compromise’,” Rik Ferguson, of rival cyber-security company TrendMicro, tweeted.

That makes me like TrendMicro.

Think of Kaspersky in terms of a security software vendor telling customers that a serious breach is a situation needing compromise when attackers are Russian. Who would really want to use that vendor versus one that actually defended against being breached?

Some also may remember Kaspersky’s handling of the infamously traitorous General Michael Flynn by giving him large cash payments.

Flynn also received $US11,250 ($14,667) from Kaspersky Government Security Solutions, Inc., described as the US subsidiary of Kaspersky Lab, a Russian cybersecurity firm, according to the documents.

Yes, he was traitorous. Any U.S. General full well knows how businesses and criminal enterprises in Russia are direct extensions of Russian intelligence whenever the Kremin chooses. It’s really no understatement to call Flynn a traitor.

As I told journalists in 2017 (clumsily, I admit): while Mandiant is close to NSA, Crowdstrike is close to FBI, we can’t compare the collaborations with Russia because Putin’s dictatorial control model is completely different from congressional contracts and hand-outs.

Israeli intelligence had since 2014 sounded the alarm to anyone in the U.S. willing to listen to intelligence.

Source: “How Israel Caught Russian Hackers Scouring the World for U.S. Secrets”, New York Times

Perhaps also worth mentioning here, since we’re talking about remembering things, Facebook around 2014 started to carefully audit anyone who came to their site… and then actively pushed Kaspersky code as “free” help.

The problem with Facebook is thousands of active phishing scams but the social media giant has partnered with popular security software developer firm Kaspersky so that users could identify and remove malware from their computers.

Popular security software developer firm Kaspersky? According to what population?

Let’s be honest here.

The real question is whether users could identify and remove the threat from the relatively unheard of Kaspersky software being pushed upon them by Facebook’s security team? I guarantee the vast majority of users had never heard that name before Facebook made it a required “checkpoint” to login.

Moreover, does having a problem with phishing on Facebook sound anything close to being a relevant reason to push an unfamiliar Russian content scanning tool onto people?

No. No, it does not. Now read this:

In a Facebook post, Facebook’s Software Engineer Threat Infrastructure Team head Trevor Pottinger explained: “To make this programme even more effective, Kaspersky Lab is bringing their expertise… we will offer Kaspersky Malware Scan for Facebook… in the past three months, we have helped [run Kaspersky code on] more than 2 million people’s computers.”

Facebook safety “checkpoint” hit millions of users. Was it Russian surveillance or just Russian code meant “to help”?

Facebook knew exactly who had run the Kaspersky code. They boasted about knowing how many people ran it.

You’ll never guess what happened next.

When called to account for their very precise user tracking and audit practices, Facebook tried to plead total ignorance as if there had been no factual basis to loudly boast “more than 2 million” users had Kaspersky pushed onto them.

Source: CNN

The dubious and forked-tongue of Facebook “help” came not long after they hired an unqualified CSO, and Moscow Times in 2015 ran the headline “Kaspersky Plans Push for Sales to U.S. Government” (link now unreachable)… which was countered by the even more salacious headline “Russian antivirus firm faked malware to harm rivals – Ex-employees“.

Faked malware to harm its own employees and rival companies while pushing into U.S. Government sales. No wonder that now-disgraced Facebook CSO, known for failing to disclose the largest breaches in history, was so welcoming.

For context on why this all might sound so evil the two founders of Kaspersky served as Russian intelligence (KGB). Twice there have been major disagreements at the executive level and its CEO has had major exodus of talent as he consolidated control and refused to be transparent, allow other views, or resolve disputes.

So while it’s really good to see Kaspersky finally being handed the kind of label it has always deserved, I’m disappointed that a heavily Russian-backed Russian-asset like Facebook wasn’t included (as I’ve warned about publicly since at least February 2011 and why I deleted my Facebook account in 2009).

After this FCC explicit ban on Kaspersky should we get to call it the most anti-democratic software ever? Or does that crown remain on Facebook (not least of all for peddling Kaspersky)?

Also, US sales of Kaspersky (under $50m) is tiny compared to the UK (over $500m), so maybe the real question is how much exposure does American national security have to British system compromise.

Feudalistic Threats to Web 3.0

When I’m asked to explain Web 3.0 I always try to start by explaining that the world is far more diverse than just coins and financial assets.

This is similar to my old saw about history being more detailed than just who won what war and why. Culture is not just coinage.

The entirety of the human experience, which arguably will be predominantly expressed via the web if anywhere in technology, is vast and rich beyond monetary action. Only about half of transactions even involve money at all.

Yet, for many people their only topic of interest or focus on technology is how to capitalize as quickly as possible on anything “new”. Beware their depictions of the Web solely as finance instead of encompassing our most rich and interesting possibilities.

Geolocation data, as just one facet, has long been recognized as a source of power and authority. Think of it in holistic terms of the English and Dutch cracking the secretive Portuguese spice trade routes and upending global power, instead of just focusing on the spices being traded.

Knowledge is a form of power, which have been expressed as political systems far more vast than markets alone could ever encompass.

Here is an example to illustrate how oversimplification of humanity down to financial terms becomes an ethical quagmire, highlighting some very important mistakes of the past.

Ukraine cancelled a Crypto airdrop.

…“a lot of people” were abusing the possibility of an airdrop by sending minuscule donations “just to benefit” themselves. This is a common tactic among crypto investors, known as airdrop farming.

Farming is in fact the opposite of what is described here. Growing food at low margin so that others may gain has somehow been framed backwards: extraction of value from someone else’s plan to help others.

In other words “airdrop farming” is far more like “airdrop banking” as it has nothing in common with farms but a lot in common with banks. It begs a question why there there was any direct return and benefit of “donations”, given what has been said in past about that loop.

Appropriation of the term “farming” in this context thus reads to me as propaganda; we may as well be in a discussion of Molotov’s WWII bombs as a delivery of bread baskets.

Likewise in the same story Kraken’s CEO displayed complete ignorance by saying his company would be on the side of Russia in this war and could not help Ukraine because in his mind political Bitcoin only has “libertarian values”.

Exchanges including Coinbase, Binance, KuCoin, and Kraken all refused Fedorov’s February public request that they freeze all Russian accounts, not just those that were legally required by recently-imposed sanctions. The companies said such an action would hurt peaceful Russian citizens and go against Bitcoin’s “libertarian values,” as Kraken CEO Jesse Powell put it.

Calling Bitcoin libertarian is like calling diamonds bloody.

In fact, Bitcoin is notoriously slow-moving (terrible for payments) and notoriously volatile (terrible for currency) just like blood diamonds being extracted from dirt at artificially low cost to artificially inflate their value to a very small group desperate for power.

Mining doesn’t have to be an exercise in oppressive asset hoarding with a total disdain for the value of human life, but Kraken clearly displays here they operate intentionally to repeat the worst thinking in history.

So what values are we talking about really? Proportionality (tailoring response to the level of the attack, avoiding collateral impact) is not a libertarian concept, obviously, because its a form of regulation (let alone morality).

Note instead there is complete lack of care for victims of aggression on the principle of protecting “peaceful” among aggressors, with absolutely no effort to prove such a principle.

It’s sloppy and exactly backwards for a Bitcoin CEO to claim he cares about impacting others. The inherent negative-externality of Bitcoin means it carries a high cost someone else has to pay, proving that if Kraken cared about “peaceful” Russian civilians it would shutdown all Bitcoin since it harms them all while benefiting few if any.

Systemically redistributing transaction costs from selfish individuals to society instead, while claiming to be worried about societal impact of an individual action is… dangerously reminiscent of “nobles” and “clergy” of pre-revolutionary France who ignorantly stumbled into their own demise.

The Web already is so much more than a narrow line of thought from the ugly past of feudal thinking, and 3.0 should be more broadly representative of the human condition instead of boxed in like this by selfish speculators trying to get rich quick through exploitation and manipulation of artificially constrained assets.