It’s hard to verify claims of food origin these days. Yet another audit confirms the problem — in England about a third of food labels are said to be a unverifiable or false.

Local Government Regulation inspectors tested 558 items in 300 shops, restaurants, markets and factories.

They found misleading labels including “Welsh lamb” which actually came from New Zealand, “Somerset butter” from Scotland and “Devon ham” from Denmark.

And then you might find someone selling Cheddar not made in Cheddar, England and Budweiser not from the Czech Republic….

This seems like better news than finding out your food is laced with poison, or that it was repacked after being declared rotten, or even that it was obtained unethically; but it still creates a curious breach of trust.

I can imagine several ways to address this, aside from RFID labels and real-time tracking databases. The most successful approaches likely will emphasize change in demand with encouragement to consumers to build trust with growers and re-learn traditional supply limitations (e.g. no lamb except in the spring).

Jim Bird yesterday raised the same critique of web application firewalls (WAF) that we have seen since they were first introduced — they are non-trivial and not-perfect:

For some teams, especially teams that are not building out-of-the-box simple web apps, and Agile teams that are following Continuous Delivery with frequent deployments to production, or Continuous Deployment updating production several times a day, that’s a lot of work.

And WAFs add to operational cost and complexity, and there is a performance cost as well. And like a lot of the other appsec “solutions” available today, WAFs only protect you from some problems and leave others open.

I do not disagree in principle, but this is just another way of saying we want something more effective for less cost.

As long as we’re posting our wishes why not push the onus back onto developers? Can’t they just develop more useful and secure code for less cost?

It has to be simpler. It’s too hard to write secure software, too easy for even smart programmers to make bad mistakes – it’s like having a picnic in a minefield. The tools that we have today cost too much and find too little. Building secure software is expensive, inefficient, and there is no way to know when you have done enough.

There aren’t any easy answers, simple solutions. But I’m still going to look for them.

Can’t hurt to look, right? There has to be an easy assembly-line way to make coding more like making a picnic basket from McDonalds instead of all the complicated and messy work of cooking in a kitchen…even for a day in the minefields. Good analogy, Jim. That security problem was easy to solve in the real world, right?

Clearing minefields is a long, slow, time-consuming process, and there is no room for error.

Oh well, move along. Nothing to see here. Don’t look at Jim’s poor analogy blown to bits.

Interesting also that the latest and least costly mine detection systems could also be the most dangerous to a picnic…but I digress.

Mines might be too extreme an example — risk of failure too catastrophic. What about just wearing special shoes on picnics to be healthier? Looks like they might also have run (pun not intended) into some technical problems.

The Environmental Protection Agency says they have settled with the manufacturer of Crocs over a case of unproven health claims.

Perhaps Henry Ford put it best, when he famously said the cost of practicing security was never justified:

Security is bunk. If you are safe, you don’t need it: if you are breached it is too late.

Ok, I confess I adapted that. He actually was speaking about the cost of exercise to stay healthy…

Exercise is bunk. If you are healthy, you don’t need it: if you are sick you should not take it.

On the contrary, the low cost of exercise (while you don’t “need” it) may in fact be part of the benefit. You invest while you are healthy as a preventative measure because if you try to use shortcuts or put it in later you will not achieve the same return on investment.

Back to the WAF, Jim might find that “a lot of work” spent on security for the firewall might actually be worth it in terms of understanding security of his apps better, improving them overall, as well as preventing breaches and known attacks. I wager he will find the cheap and easy cure for application security around the same time that he finds the cheap and easy cure for health.

Even if you find it, it might not go where you want today (Photo by me)

I suppose everyone now and again takes a shot at lawyers. Here’s one of my favorites:

Client: “I hear your hourly rate is really expensive. If I give you $600 could you answer two questions for me?”
Lawyer: “Yes. Now what’s the second question?”

But the NRA might find their latest magazine cover messaging on lawyers could backfire:

I am pretty sure their imagery actually suggests that if you kiss a frog with a briefcase you will get a handsome environmentalist — a hunter who intends to shoot only cleanly and accurately.

Lead is for followers, I use copper

The controversy is actually related to poisoning from lead bullets. Copper is argued to be a more sensible choice for hunters because lead shot or bullets cause serious damage or death to non-target animals, the hunters and their families.

Studies show that huge numbers of water-fowl are unnecessarily poisoned by lead shot.

Based on the survey’s findings, the ban on lead shot reduced lead poisoning deaths of Mississippi Flyway mallards by 64 percent, while overall ingestion of toxic pellets declined by 78 percent over previous levels.

The report concludes that by significantly reducing lead shot ingestion in waterfowl, the ban prevented the lead poisoning deaths of approximately 1.4 million ducks in the 1997 fall flight of 90 million ducks. In addition, the researchers state that approximately 462,000 to 615,000 acres of breeding habitat would have been required to produce the same number of birds that potentially were saved by nontoxic shot regulations that year.

There is also the secondary poison effect. Hunts for prairie dogs will poison raptors (e.g. eagles) that feed on the shot animals filled with lead fragments. This, of course, begs the question of why anyone who reads the latest ecology evidence would hunt prairie dogs since they prevent soil erosion and support larger game, but I digress. Even the US military is migrating away from lead on their firing ranges because of poison concerns.

The quickest route to innovation often comes from regulation — the latest bullet technology now surpasses lead performance.

During testing, the M855A1 performed better than current 7.62mm ball ammunition against certain types of targets, blurring the performance differences that previously separated the two rounds.

The projectile incorporates these improvements without adding weight or requiring additional training.

According to Lt. Col. Jeffrey K. Woods, the program’s product manager, the projectile is “the best general purpose 5.56mm round ever produced.”

The only scientist I could find who supports lead ammunition sits on the board of the NRA. That reminds me of how the inventor of leaded gasoline tried to prove in 1925 that the string of deaths obviously from lead were not his fault — he washed himself with leaded gasoline, and promptly fell seriously ill from lead poisoning. Unfortunately it took another 50 years, and the huge costs in clean-up and health-care (US$43.4 billion a year), before America finally fixed combustion design properly…by regulating lead. The same goes for paint.

Each dollar invested in lead paint hazard control results in a return of $17–$221 or a net savings of $181–269 billion.

Although the properties of copper means bullets behave differently on impact the point is that non-toxic metals are equally effective at killing targets without potentially damaging more than what is intended.

If you like the outdoors and you have a choice, why handle and throw a poison around? There is no good reason, not even cost.

The use of lead bullets is so hard to support it actually makes that frog (or even a toad) look a lot more attractive than it should.