Scott Hanselman

A suggested improved customer interaction with the Apple Store (and Cloud Services in general)

August 13, '11 Comments [39] Posted in Apple | Musings
Sponsored By

Alternative Title: "What good fraud detection looks like"

Save me, Clippy, from Internet Fraud! My recent 'screed' called "Welcome to the Cloud - "Your Apple ID has been disabled" got a number of people talking. Yes, Gruber's DF called it a 'screed' which is a common enough term on his site I suppose. Sure, it was a rant, I'll accept that.

MG Siegler from TechCrunch had these comments, some very valid. Emphasis mine.

But what Hanselman, who happens to work for Microsoft, seems most upset about is that Apple sent him a email warning him of strange activity on his account, but worded it in a way he didn’t like. And then they locked down his account with wording he didn’t like. And they made him go through iTunes to double-check his activity.

And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time. What’s the proposed solution here? The perpetrators clearly had the correct Apple ID and password. I’m not sure what you can do to protect against that. Kill the cloud?

I honestly don't how my Apple ID account was compromised. I had a high-entropy generated site-specific password. I've scanned all my systems for trojans, keyloggers and rootkits. However, that's not the point, nor was it the point of the post (although it was a bit of a rant on my part, admittedly.) The point isn't even Apple-specific, although they are an excellent example.

This security related user interaction could just as easily been on Xbox Live, Amazon Kindle, DropBox, or any of a hundred other Cloud services. Regardless of how the fraud occurred, what happens next is a user interaction point that is an opportunity to make things right for the customer.

Before I worked for Microsoft, I was the Chief Architect at an Online Banking vendor. At our high point, 25% of the retail online banking in the US ran through the system I worked on. We worked half the top ten banks in the country, as well as banks overseas. We worked with anti-fraud systems and the FBI. We designed a number of interesting systems around keeping users safe and informed.

For example, in one system, if your account password is compromised the bad guys could be able log into and see your account balances. However, there was a scale of 'risky operations' from seeing your account numbers (hidden by default) to transferring money internally (risky) to transferring money overseas (very risky) that would throw up gauntlets. Using Bayesian algorithms we would assign a user's session and their activities a risk value. When those values passed a threshold, we get challenge them for more information. The user isn't bothered when they do the stuff they always do from the computers they always use. But if you're suddenly on a new browser from a new system in a new country doing something you've never done before, we'll challenge you. This kind of adaptive real-time fraud detection with security gates is will have to become the norm in user interactions with Cloud Services.

MG Siegler calls me out here:

Apple sent him a email warning him of strange activity on his account, but worded it in a way he didn’t like.

Here is the email and what it made me feel. Then I'll propose a solution.

Your Apple ID was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
If you did not make this purchase, we recommend that you go to
iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.

I read this as:

  • We know what devices you have, and a new device we've never seen before has bought something.
  • If it was you, don't worry, this email was FYI.
  • If it wasn't you, you should go to iforgot.apple.com and change your password and protect your account.
  • Whatever happened was probably your fault and you should be more careful with these tips.

It may very well be my fault, but this user interaction isn't designed to comfort me or to make me feel safer. It succeeding in upsetting me and making me feel not only out of control but also helpless.

Here's a email I would have loved to have received

Congrats on your new iPhone/iPad! We noticed you've made your first purchase, as your Apple ID was just used to buy 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
Ordinarily we wouldn't bother you but we noticed a few things about your recent purchase.

  • You've never purchased an app in Chinese. Your last 492 app purchases have been English.
  • This purchase was from the China Unicom carrier, while your other 3 devices are on AT&T.
  • This purchase originated from a location in Shanghai, while your previous app purchases have originated from Oregon.
  • This application included In-App purchases over $20 and you've set your in-App purchase threshold at $10.

We realize this may be inconvenient, but in instances like these, it's best to be extra careful. We need to associate your new device with your Apple ID. This is a one-time operation. If you made this purchase, please click here to confirm. This email was sent as a safeguard designed to protect you against unauthorized purchases on new devices.
If you did not make this purchase, click here and let us know. The security of your account is important to us and we always recommend you

protect the security of your account.

MG Siegler says:

And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time.

I have, according to iTunes, 492 applications. They have all been purchased on either my iPad or my iPhone. I purchase new apps all the time. In fact, the ratio of my app purchases to my device purchases is 492:2. I realize MG says "people buy new devices all the time" but I would argue that a single confirmation email on the first application purchased on a new device would greatly reduce cases of fraud like this (assuming you don't have a @me email account that the bad guys own.)

This is a single example of an Apple interaction, but I would expect nothing less from my Xbox, from my Kindle, or from my Bank. In fact, I get notifications from Gmail that make me feel better about my interaction with them, not worse. Recently I logged into my Google Apps account and a small red banner was at the top that said "You are forwarding email to foo@foo.com. Why is this notice here?"

gmail redirect notice 

I saw this Gmail notice and said to myself, "rock on." I didn't realize I was forwarding emails with certain keywords to another account. This could be an attack vector for bad guys to siphon information out of a compromised email account. And the "why is this notice here?" link is subtle brilliance. Inform the customer and answer common questions.

Gmail also has a "notify me of suspicious activity" setting. I receive this when I am overseas or after coming back. Also brilliant. You don't usually go to Poland, so here's how to protect yourself.

gmail_warning  gmail-redirect-notice[1]

I expect my cloud services to let me know in a way that escalates appropriately with the threat when something that doesn't' match my patterns happens.

The meta-points are

  • The Cloud(s) and all its services are protected only by our passwords and the most basic of fraud systems.
  • Cloud services are totally centralized, which makes them a big target, but they have activity information about what we're doing online that isn't being utilized to keep us safe.
  • We, the Users, need to demand better, more secure interactions from the cloud vendors that we put our trust in.
  • It sucks to lose access to your cloud data.

What are your thoughts, Dear Reader?

Thanks to Matt Sherman for the Alternative Title! ;)

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Welcome to the Cloud - "Your Apple ID has been disabled."

August 12, '11 Comments [104] Posted in Apple | Musings
Sponsored By

Welcome Hacker News, Slashdot, DF and TechMeme. Be sure to read the follow up post on "What Good Fraud Detection Looks Like."

Your Apple ID has been disabled. Evil.

So Apple is America's most valuable company. They are, like everyone else, betting the company on the cloud. You may be familiar with the cloud, as it's where all your valuable stuff is. The stuff that you may lose access to at any moment.

The most valuable companies have your valuable data in the cloud. We may think the cloud is decentralized, but it's not. It's totally centralized. All the valuable data is now in one place with one password that's connected to your one bank account. We've centralized and simplified fraud and the public pays for it.

I've got email in Gmail, Music in Spotify, files in DropBox, documents in SkyDrive, photos in Flickr, and media and Apps in the Apple Cloud.

I got this email out of nowhere yesterday.

Dear Scott Hanselman,
Your Apple ID,
scott@hanselman.com, was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
If you did not make this purchase, we recommend that you go to
iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.
Regards,
Apple

After confirming the email path via headers and checking all the links as well as the HTML source of the email (seriously, you expect my Mom to do this?) I decided it was legit.

The phrasing of this email is irritating and wrong-headed. Here's why.

  1. They know it's a device they've never seen before.
  2. They let it happen anyway.
  3. They tell me it's for my good in a self-congratulatory way.
      This email was sent as a safeguard designed to protect you against unauthorized purchases.
  4. But, if I didn't make this purchase, rather than a Dispute button or Fraud link, they recommend I change my password.

Evil AppStunning.

I changed my password and went into the Apple Cloud of past purchases via the App Store. Note that it's "Not On This iPhone." It's actually not on any of my devices, because I never bought it.

If you look at the App, you'll note that it's got a sudden rash of negative reviews from folks who have apparently also been hit by this issue. Someone buys this app (no idea how) and then uses in-app purchase to steal money.

The part I can't get my head around is this. My password is/was rock solid. I use a password manager, my passwords are insane and have high entropy. Not to mention that Apples knows what devices I have and still allowed the purchase.

Next, I got a Paypal Email thanking me for my $40 purchase from Apple. As an interesting data point, I haven't received an iTunes receipt for these illicit purchases.

Instead, I look in iTunes. Odd that we have to go into iTunes to see purchase history instead of a website.

And there they are. A whole series of in-app purchases for an App I don't have on a phone that doesn't exist.

Evil Receipt

Evil Music.I looked into Recent Purchases on my phone and found a bunch of music and videos I never purchased either. 

Another data point is that the error I get is "This Apple ID has been disabled," NOT "This Apple ID has been disabled for security reasons." Just search around. Everyone has had this problem. Some folks have told me they reset their password every time they buy an app! Others have just given up. We'll never see this fixed until Gruber gets the error.

According to iTunes I've got 479 apps. I've got movies, TV shows, and music. All this is in the Cloud. You know, that amazing thing where all our stuff is stored so we can get to it from anywhere? The Cloud where everything is moving towards, that utopian future where there's no DRM and unlimited storage. Freedom, commerce, and media for all. Except I can't access the cloud. And I have no idea how to fix it.

Protect your neck, Dear Readers. For now, today, I am here and my things are in the cloud and never the twain shall meet.

If you have stores about fraud or hacking, tell me your stories at http://myappleidhasbeendisabled.tumblr.com

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

NuGet Support for Visual Studio 2008

August 10, '11 Comments [12] Posted in NuGet | NuGetPOW
Sponsored By

macgyvertoolWell, not really. A better title would be "How to Cobble Together NuGet Support for Visual Studio 2008 with External Tools and a Prayer." The point is, there are lots of folks using Visual Studio 2008 who would like NuGet support. I'm exploring this area and there's a half-dozen ways to make it happen, some difficult and some less so. The idea would be to enable some things with minimal effort. It'll be interesting to see if there are folks in the community who think this is important enough to actually make it happen. Of course, the easiest thing is to just use 2010 as it sill supports .NET 2.0, 3.0, 3.5, and 4, but not everyone can upgrade.

Someone could:

  • Backport the existing NuGet Package References dialog to 2008 using that version's native extensions (not VSiX)
  • Create MEF (Managed Extensibility Framework) plugins for the nuget.exe command-line to update the references in a vbproj or csproj
  • Use PowerShell scripts and batch files to get the most basic stuff working (get a package and update references.)
    • Maybe write a shim to get DTE automation working...

But that's coulds and maybes. Let's talk about the MacGyver solution.

Launch Visual Studio 2008 and go to Tools | External Tools.

External Tools in Visual Studio

Make a new Tool with these values:

  • Title: NuGet Install
  • Command (I'm assuming this is in the PATH): nuget.exe
  • Arguments: install your.package.name -excludeversion -outputDirectory .\Packages
  • Initial directory: $(SolutionDir)
  • Use Output window: Checked
  • Prompt for arguments: Checked

Next, right click in the Tookbar area and create a new Toolbar called NuGet. From Commands, drag in the correct Tools | External Tool button. Right click it and design to taste:

Creating a new Toolbar with "NuGet Install" on it

Now, when you click Install Package, you should change your.package.name to whatever the you want is, and click OK. Note the output in the console window below.

NuGet in Visual Studio 2008

At this point, because we are only integrating the command line too, you don't get the references added automatically. And where's the packages? Well, they are here, one directory up under Packages. It's still up to you to add the reference yourself and make sure it's the appropriate one (I refer you again to the wish list above.)

The NuGet packages

If you are feeling extra fancy, you can even add a few macros and links in your Toolbar to send you to the NuGet site for searching.  Here's a Visual Studio 2008 macro that launches your default web browser and takes you to http://www.nuget.org/List/Packages.

Public Module NuGet
Sub LaunchNuGetSite()
Dim p As New System.Diagnostics.Process()
p.Start("http://www.nuget.org/List/Packages")
End Sub
End Module

Then make toolbar buttons for those extra buttons, like this one for going to the NuGet site and searching:

More buttons for NuGet

Thoughts, Dear Reader?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Ajax Control Toolkit July 2011 Release - Now on NuGet

August 9, '11 Comments [13] Posted in ASP.NET | ASP.NET Ajax
Sponsored By

Say what you will about the Ajax Control Toolkit. Some like it, some don't, but it got 1.15 MILLION downloads last year. Is the ACT dead? Not yet, and there's ongoing work around WebForms, jQuery and an ACT style of programming. More on this soon.

installpackage

There's like 40 different controls in the Ajax Control Toolkit. They continue to be updated and have cross-browser support. The first release this year added IE9 support. This new July 2011 release adds a a new HTML Editor and more complete browser support including (from Stephen Walther's blog):

The HTML Editor Extender works on all modern browsers including the most recent versions of Mozilla Firefox (Firefox 5), Google Chrome (Chrome 12), and Apple Safari (Safari 5). Furthermore, the HTML Editor Extender is compatible with Microsoft Internet Explorer 6 and newer.

How do you use it? Now that the AjaxControlToolkit is in NuGet, it's easy either from the Package Manager Console, or from the GUI.

Installing AjaxControlToolkit from NuGet

You COULD register the AjaxControlToolkit at the top of your page:

<%@ Register TagPrefix="act" Namespace="AjaxControlToolkit" Assembly="AjaxControlToolkit"%>

But the NuGet package already added that to your web.config!

<pages>
<controls>
<add tagPrefix="ajaxToolkit" assembly="AjaxControlToolkit" namespace="AjaxControlToolkit" />
</controls>
</pages>

Although I think the prefix should be "act," so I'll change it. Then, just use the controls on your page in ASP.NET WebForms. For example, here's how you turn a standard TextBox into a Color Picker:

<act:ToolkitScriptManager ID="manager" runat="Server" />
<asp:TextBox ID="txtColorPicker" runat="server" />

<act:ColorPickerExtender TargetControlID="txtColorPicker" runat="server" />

The ToolkitScriptManager only needs to be on the page once.

Textbox turned into a ColorPicker

This is just one example. Check out the dozens of controls at the Ajax Control Toolkit Sample site.

Enjoy!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Hackers can kill Diabetics with Insulin Pumps from a half mile away - Um, no. Facts vs. Journalistic Fear mongering

August 5, '11 Comments [54] Posted in Diabetes
Sponsored By

UPDATE: Jay Radcliffe, the researcher discussed in this post, has emailed me, a little upset. In the interest of transparency I've included our email thread at the end of this post so that Jay's perspective on any inaccuracies may be seen. I encourage you to draw your own conclusions.

There's a story making the rounds on Twitter right now. Engadget "reports" researcher sees security issue with wireless insulin pumps, hackers could cause lethal doses.

Wait till you see what researcher and diabetic Jay Radcliffe cooked up for the Black Hat Technical Security Conference. Radcliffe figures an attacker could hack an insulin pump connected to a wireless glucose monitor and deliver lethal doses of the sugar-regulating hormone.

First, a little on my background. I've been Type 1 diabetic for 17 years. I've worn an insulin pump 24 hours a day, 7 days a week for over 11 years and a continuous glucose meter non-stop for over 5 years. I also wrote one of the first portable glucoses management systems for the original PalmPilot over 10 years ago and successfully sold it to a health management company. (Archive.org link) I also interfaced it (albeit with wires) to a number of portable glucose meters, also a first.

Engadget's is a mostly reasonable headline and accurate explanation as they say he "figures an attacker could..." However, Computerworld really goes all out with the scare tactics with Black Hat: Lethal Hack and wireless attack on insulin pumps to kill people.

Like something straight out of science fiction, an attacker with a powerful antenna could be up to a half mile away from a victim yet launch a wireless hack to remotely control an insulin pump and potentially kill the victim.

The only thing that saves this initial paragraph is "potentially." The link that is getting the most Tweets is VentureBeat's "Excuse me while I turn off your insulin pump," a blog post that is rife with inaccuracies (not to mention a lot of misspellings). Here's just a few.

  • "Insulin pumps use wireless sensors that detect blood sugar levels and then communicate the data to a screen on the insulin pump."
    • Way too broad. Pumps don't. Some CGMs (continuous glucose meters) communicate with special integrated pumps. The most popular integrated system is a Medtronic Paradigm. Most other CGM system have a separate "screen" device that's separate from the pump.
  • "The sensor has to run on a 1.5-volt watch battery for two years."
    • Nope. The Medtronic receiving sensor needs to be charged ever 3 to 6 days. The pump battery is usually a AAA that lasts a few weeks.
      UPDATE: The Dexcom receiver is recharged every 3 days but the body transmitter is warrented for a year with a small watch battery.

One useful paragraph in the VentureBeat post points out again that Jerome wasn't able to decode the message. Here, emphasis mine.

Then Radcliffe went through the process of deciphering what the wireless transmissions meant. These transmissions are not encrypted, since the devices have to be really cheap. The tranmissions [sic] are only 76 bits and they travel at more than 8,000 bits per second. To review the signal, Radcliffe captured the signal with a $10 radio frequency circuit board and then used an oscilloscope to analzye [sic] the bits.

He captured two 9-millisecond transmissions that were five minutes apart. But they came out looking like gibberish. He caputred [sic] more transmissions. About 80 percent of the transmissions had some of the same bits. He reached out to Texas Instruments for help but didn’t have much luck. He told the TI people what he was doing and they decided not to help him.

That was as far as he got on deciphering the wireless signal from the sensor, since there was no documentation that really helped him there. He couldn’t understand what the signal said, but he didn’t need to do that. So he tried to jam the signals to see if he could stop the transmitter. With a quarter of a mile, he figured out he could indeed mess up the transmitter via a denial of service attack, or flooding it with false data.

Now, to the security issue. One has to read these articles and blog posts very carefully. It's easy Link Bait to say "A hacker can kill diabetics wirelessly without them knowing it!" (I assume we'd figure it out at some point, though.) While Jerome Radcliffe, the gentleman who did the proof of concept, is no doubt very clever, the folks who are blogging this fear mongering should do their homework and read the details. Jerome is presenting some of his findings at the BlackHat conference. Here's his abstract with emphasis mine. Note also that SCADA means "supervisory control and data acquisition." He's saying that we "cyborgdiabetics" (my term) are human control and data acquisition systems as data-in/control-out controls our health, well-being and ultimately our lives.

As a diabetic, I have two devices attached to me at all times; an insulin pump and a continuous glucose monitor. This combination of devices turns me into a Human SCADA system; in fact, much of the hardware used in these devices are also used in Industrial SCADA equipment. I was inspired to attempt to hack these medical devices after a presentation on hardware hacking at DEF CON in 2009. Both of the systems have proprietary wireless communication methods.

Could their communication methods be reverse engineered? Could a device be created to perform injection attacks? Manipulation of a diabetic's insulin, directly or indirectly, could result in significant health risks and even death. My weapons in the battle: Arduino, Ham Radios, Bus Pirate, Oscilloscope, Soldering Iron, and a hacker's intuition.

After investing months of spare time and an immense amount of caffeine, I have not accomplished my mission. The journey, however, has been an immeasurable learning experience - from propriety protocols to hardware interfacing-and I will focus on the ups and downs of this project, including the technical issues, the lessons learned, and information discovered, in this presentation "Breaking the Human SCADA System."

Just to be clear, Jerome has not yet successfully wirelessly hacked an insulin pump.

UPDATE: See below email thread. Jerome says he can change settings and pause the pump. This may be via the USB wireless interface one uses to backup settings and send their blood sugar to their doctor. That's an educated guess on my part.

He's made initial steps to sniff wireless traffic from the pump. I realize, as I hope you do, that his abstract isn't complete. Hopefully a more complete presentation is forthcoming. I suspect he's exploiting the remote control feature of a pump. This is a key fob that looks like a car alarm beeper that some pump users use to discretely give themselves insulin doses. However, I feel the need to point out as a pump wearer myself that:

  • Not every Insulin Pump has a remote control feature.
  • Not every remote-controllable insulin pump has that feature turned on. Mine does not, for example.

In this AP article reposted at NPR called Insulin Pumps, Monitors Vulnerable To Hacking they give us more of the puzzle which confirms that Jerome was - in at least one hack attempt - using the optional remote control feature of the pump. A feature that few turn on. Their tech is a little off as well with talk of a 'USB device,' probably an Arduino with an RF shield.

Radcliffe wears an insulin pump that can be used with a special remote control to administer insulin. He found that the pump can be reprogrammed to respond to a stranger's remote. All he needed was a USB device that can be easily obtained from eBay or medical supply companies. Radcliffe also applied his skill for eavesdropping on computer traffic. By looking at the data being transmitted from the computer with the USB device to the insulin pump, he could instruct the USB device to tell the pump what to do.

Finally, another piece of the puzzle is found at SCMagazine's scary "Black Hat: Insulin pumps can be hacked" article where they open with:

"A Type 1 diabetic said Thursday that hackers can remotely change his insulin pump to levels that could kill him."

ZOMG! Someone can remotely control my insulin pump? They continue...

"Radcliffe, now 33, explained that all he requires to perpetrate the hack is the target pump's serial number."

Oh, you mean the serial number that I use to pair with the transmitter to use the highly touted remote control function? This is like saying "I can open your garage door with a 3rd party garage door opener. Just give me the numbers off the side of your unit..."

What Jerome has done, however, is posed a valid question and opened a door that all techie diabetics knew was open. It is however, an obvious question for any connected device. Anyone who has ever seen OnStar start a car remotely knows that there's a possibility that a bad guy could do the same thing.

For example, literally last month I personally exchanged emails with a friendly hacker who successfully hacked the web services for the Filtrete Touchscreen WiFi-enabled Thermostat. Harmless? Perhaps, but his hack could successfully remotely control a furnace or AC in the house of anyone with this device. Any control device that's connected to the "web" or even "the air," in the case of insulin pumps, is potentially open for attack.

I appreciate the message that Jerome is trying to get out there. Wireless medical devices need to be designed with security in mind. I don't appreciate blogs and "news" organizations inaccurately scaring folks into thinking this is a credible threat.

We don't know what brand pump was experimented on, and fortunately the gentleman isn't giving away the technical details. If you are a diabetic on a pump who is concerned about this kind of thing, my suggestion is to turn off your pump's remote control feature (which is likely off anyway) and turn off your sensor radio when you are not wearing your CGM. Most of all, don't panic. Call the manufacturer and express your concern. In my experience, pump manufacturers do not mess around with this stuff. I'm not overly concerned.

All this said, I'd love to have him on my podcast. If you're reading this and you're Jerome Radcliffe, give me a holler and let's talk tech.

Of course, all this talk would be moot if we cured diabetes. In encourage you to give a Tax Deductable Donation to the American Diabetes association: http://hanselman.com/fightdiabetes/donate

Also, feel free to show people my "I am Diabetic. Here's how it works" educational video on YouTube with details on how I setup a pump and continuous glucose monitoring system every 3 days. http://hnsl.mn/iamdiabetic takes you right to the YouTube video.

UPDATE: In the interest in full disclosure, here is my email thread with Jay. As I've said, I'm happy to update the article, as am I doing here, with all perspectives. This was as much a blog post about the media and that meta-point as it was about the tech. Given that I had to piece this post together from several other posts and articles just to get an idea of what the big picture is, kind of makes my point about the problems of hyperbole in the media. Again, my concern is more about sensationalism than it is about the tech. I have no doubt a pump CAN be hacked. Any connected device can be hacked.

Here's our thread from earliest to latest:


From: Jerome Radcliffe

I *can* hack an insulin pump. I can suspend it, change all the settings remotely. I did that on stage. I'm quite disappointed that you did not verify any of the information in your article. People do die from hypoglycemia. Is it an extreme example? Yes. It needs to be. These devices need to be researched for security flaws. To talk about why someone might hack a pump misses the point.


From: Scott Hanselman

I'm sorry, I only found the articles I linked to, plus the abstract that said you hadn't. I tried to verify everything to the best of my ability to Google. Would you send me some newer links and I'llr update my post? My post was meant as an analysis of the news coverage more than the attack. Send me new info?

Thanks!


From: Jerome Radcliffe

I understand your position. but as a blogger/journalist there is a certain level of responsibility to publishing facts. You come off as hypocritical blaming the media for being inaccurate on diabetics being killed by pumps, and write a piece riddled with inaccuracies on my research.
1. There is a CGM that runs on a 1.5v battery for two years. You state that my research is wrong. It is not.
2. Check CBS in las Vegas's web site. They have a video of the demo. Several media outlets reported that demo.
My name is fairly unique and my email address is easy to acquire. I would have rather you contact me for clarification rather then publish a critique of my research that is far from accurate.


From: Scott Hanselman

A random blogger and a trained journalist are certainly different things, I'm sure we can agree on. I do certainly want to improve the post and add the facts and am more than happy to do so.
I'm not sure where I said "your research is wrong" in my post, but I will re-check it. Again, most of my post is quotes from actual journalists who presumably interviewed you and I quoted them. I also quoted your black hat abstract.
I searched twitter for Jay and Jerome Radcliffe but didn't find you and wasn't able to find your blog, I suppose because of the flood of new links and stories.
This CGM runs for 2 years without recharging? Perhaps I'm confused about semantics. I've had a number of CGMs, some 1.5V and all the ones with embedded batteries needed recharging. I'll check around. Again, however, my assertion wasn't against you at all, rather the journalists whose stories were inaccurate.
I feel like we are getting off on the wrong foot here. I thought I wrote a post about how other journalists and bloggers were sensationalistic and inaccurate in their coverage. My post isn't meant as, nor should it read as, a personal attack on your hard work. As I said earlier, I'm more than happy to make updates and edits and fall on my sword with any inaccuracies. I'm even happy to post our email exchange.
Be well!


From: Jerome Radcliffe

Anytime you publish, blog or newspaper, you should be responsible for the content. There is no difference between a trained journalist and a blogger. You can't duck your own criticism of responsible reporting because you feel like your [sic] just a random blogger. The fact you are so critical of my work, you have been getting a lot of press. Your article was in the Slashdot headline, which is one of the most popular sites on the Internet. The fact is your article was highly critical of my work, and highly inaccurate. Even after I specifically told you about the inaccuracies in your writing you have not corrected them.
It's really hard for me not to be offended in this case. For the last three days I have had to answer people's questions, many have cited your article based from the Slashdot coverage.


Related Links

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.