Slashdot Mirror


Cybersecurity and the Tylenol Murders

HughPickens.com writes: Cindy Cohn writes at EFF that when a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety. It increased its internal production controls, recalled the capsules, offered an exchange for tablets, and within two months started using triple-seal tamper-resistant packaging. Congress ultimately passed an anti-tampering law but the focus of the response from both the private and the public sector was on ensuring that consumers remained safe and secure, rather than on catching the perpetrator. Indeed, the person who did the tampering was never caught.

According to Cohn the story of the Tylenol murders comes to mind as Congress considers the latest cybersecurity and data breach bills. To folks who understand computer security and networks, it's plain that the key problems are our vulnerable infrastructure and weak computer security, much like the vulnerabilities in Johnson & Johnson's supply chain in the 1980s. As then, the failure to secure our networks, the services we rely upon, and our individual computers makes it easy for bad actors to step in and "poison" our information. The way forward is clear: We need better incentives for companies who store our data to keep it secure. "Yet none of the proposals now in Congress are aimed at actually increasing the safety of our data. Instead, the focus is on 'information sharing,' a euphemism for more surveillance of users and networks," writes Cohn. "These bills are not only wrongheaded, they seem to be a cynical ploy to use the very real problems of cybersecurity to advance a surveillance agenda, rather than to actually take steps to make people safer." Congress could step in and encourage real security for users—by creating incentives for greater security, a greater downside for companies that fail to do so and by rewarding those companies who make the effort to develop stronger security. "It's as if the answer for Americans after the Tylenol incident was not to put on tamper-evident seals, or increase the security of the supply chain, but only to require Tylenol to 'share' its customer lists with the government and with the folks over at Bayer aspirin," concludes Cohn. "We wouldn't have stood for such a wrongheaded response in 1982, and we shouldn't do so now."

74 comments

  1. Downside for companies by Anonymous Coward · · Score: 0

    greater downside for companies that fail to do so

    In the US? lol

    1. Re:Downside for companies by Tablizer · · Score: 1

      Plutocrats will "encourage" law-makers to try every other technique first before they have to spend profits to change themselves.

    2. Re:Downside for companies by Anonymous Coward · · Score: 0

      Security? That's easy. All you have to do is give your users a year of free credit protection when you get hacked, right? LOL....

  2. Citizen, I notice your resistance by Anonymous Coward · · Score: 0

    That must mean you have something to hide.

    Perhaps you are the one who contaminated those pills?

    1. Re:Citizen, I notice your resistance by mark-t · · Score: 1

      It is worth noting, I think, that absolutely *everyone* has something to hide... Even if only from people who might abuse such knowledge.

      And that even *if* the government were completely trustworthy (and I do not allege that they are, but hypothetically, even if they were), if they can see your confidential information, then it is theoretically also possible for someone with less noble intentions to do so as well, and if they exploit it before they are caught, the damage can sometimes be utterly irreparable.

    2. Re: Citizen, I notice your resistance by valdezjuan · · Score: 1

      I agree that everyone has something to hide, just as everyone is a target of 'cyber' attacks. However, while I have not yet read the full bill and the linked article is a bit sparse on actual fact, sharing attack data would be tremendously helpful. If private companies are able to share STIX/IOCs (with information deemed private stripped out) that information would be very useful. While I worked for an Amazon sub, we couldn't even get attack data amongst companies that were, essentially, the same. Currently if you were to ask your biggest competitor to share data, you will get a 'No, thanks' at best. Most of this seems to be from lawyers/compliance people that seem to think sharing the data will make the sky fall. There are some private companies attempting to do this but the solutions are immature and not really ready for any sort of meaningful exchange. Facebook is doing their Intel sharing but it hasn't gotten off the ground yet.

      I would agree that the government is probably not the best clearing house for true threat data. Look at infraguard & cert, sure they send out useful data but it's usually late and if you want the really interesting bits, you need a clearance (which working at a private company is practically a non-starter). The security industry needs to figure this out for itself before the fed steps in and makes it the same black hole sharing data with them currently is.
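
The "shared with information deemed private stripped out" step valdezjuan describes above is a concrete engineering task, so here is an added example, written for this page and not code from the thread, from Slashdot or from any STIX tooling: a sanitiser for STIX 2.1-style indicator objects that withholds anything pointing at the sharing organisation's own infrastructure and removes case-handling fields before the rest goes out. The object and field names and the TLP:GREEN marking-definition id are from the STIX 2.1 specification; the internal-domain suffix, the custom `x_` fields, the sample indicators and their ids are constructed for the demonstration, and only single-comparison patterns are handled (anything else is withheld rather than guessed at).

```python
"""Strip non-shareable details from STIX 2.1-style indicators before sharing.

Added example for this page, not code from the thread or from any STIX
tooling. Object/field names (type, id, pattern, pattern_type, valid_from,
object_marking_refs) follow STIX 2.1; the sharing policy, the x_ custom
fields and the sample indicators are constructed for the demonstration.
"""
import copy
import ipaddress
import json
import re
from typing import Dict, List, Optional

# STIX 2.1 specification id for the TLP:GREEN marking definition.
TLP_GREEN = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"

# Assumed policy: anything under corp.example is our own infrastructure.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example",)

# Assumed policy: custom fields carrying case notes and victim hosts stay home.
NON_SHAREABLE_FIELDS = {"x_internal_ticket", "x_affected_hosts"}

# One STIX comparison expression, e.g. [ipv4-addr:value = '10.20.30.40']
# or [file:hashes.'SHA-256' = '<hex>'].
_PATTERN_RE = re.compile(
    r"\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']*)'\]"
)


def is_internal_value(obj_type: str, value: str) -> bool:
    """True when an observable value points at our own, non-shareable, infrastructure."""
    if obj_type in ("ipv4-addr", "ipv6-addr"):
        try:
            # Python's is_private also covers the RFC 5737 documentation ranges,
            # which is why the shareable samples below are a domain and a hash.
            return ipaddress.ip_address(value).is_private
        except ValueError:
            return True  # unparseable address: fail closed, do not share
    if obj_type == "domain-name":
        return value.lower().endswith(INTERNAL_DOMAIN_SUFFIXES)
    return False


def sanitize_indicator(indicator: Dict) -> Optional[Dict]:
    """Return a copy safe to share with peers, or None if it must be withheld."""
    if indicator.get("type") != "indicator" or indicator.get("pattern_type") != "stix":
        return None
    match = _PATTERN_RE.fullmatch(indicator.get("pattern", ""))
    if match is None:
        return None  # compound patterns are out of scope here: withhold, don't guess
    if is_internal_value(match["obj"], match["val"]):
        return None
    shared = {k: copy.deepcopy(v) for k, v in indicator.items()
              if k not in NON_SHAREABLE_FIELDS}
    shared["object_marking_refs"] = [TLP_GREEN]  # label what leaves the org
    return shared


def sanitize_bundle(indicators: List[Dict]) -> List[Dict]:
    """Sanitise every indicator, dropping the ones that must stay internal."""
    cleaned = (sanitize_indicator(i) for i in indicators)
    return [c for c in cleaned if c is not None]


# Constructed sample: what an analyst might export from an internal case.
SAMPLE_INDICATORS = [
    {   # attacker domain: shareable once the case fields are removed
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000001",
        "pattern_type": "stix",
        "pattern": "[domain-name:value = 'update-check.evil.example']",
        "valid_from": "2015-04-01T00:00:00Z",
        "x_internal_ticket": "SOC-1234",
        "x_affected_hosts": ["ws-0451.corp.example"],
    },
    {   # malware hash: shareable
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000002",
        "pattern_type": "stix",
        "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
        "valid_from": "2015-04-01T00:00:00Z",
        "x_internal_ticket": "SOC-1234",
    },
    {   # our own file server (RFC 1918 address): withheld
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000003",
        "pattern_type": "stix",
        "pattern": "[ipv4-addr:value = '10.20.30.40']",
        "valid_from": "2015-04-01T00:00:00Z",
    },
    {   # internal hostname as a domain-name observable: withheld
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000004",
        "pattern_type": "stix",
        "pattern": "[domain-name:value = 'fileserver.corp.example']",
        "valid_from": "2015-04-01T00:00:00Z",
    },
]

if __name__ == "__main__":
    print(json.dumps(sanitize_bundle(SAMPLE_INDICATORS), indent=2))
```

The design choice worth noting is that every "don't know" case (unparseable address, compound pattern, wrong object type) is resolved by withholding the indicator rather than by passing it through, and that the sanitiser never mutates the analyst's original objects, so the internal record keeps its ticket and host list.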

  3. what did you expect? by samantha · · Score: 5, Insightful

    The same people that say it is OK that the NSA weakens security paradigms, that take seriously government demands for backdoors in all crypto systems, and that OK spying on everyone are not about to do a complete 180 and actually do anything to build up security. The corporations can do little for better security while the government is busy weakening and limiting all security tools. So simply making more demands on companies is useless.

    1. Re:what did you expect? by ajzimm3rman · · Score: 0

      Big Government will always desire to be the Top Dog when it comes to controlling Anything. It's ironic we find cyber-warfare now becoming a political topic, not too long after the government started taking an interest in controlling it.

  4. Wrong Analogy by Anonymous Coward · · Score: 0, Insightful

    I have 2 big problems with this story:

    1. Wrong Analogy - psychos putting poison into over the counter meds has little if anything to do with protecting personal data from public and private distribution. It does OTOH conjure scary images that incite rash actions. Bravo to the EFF for profiting on the ensuing hysteria.

    2. It uses the words "ours" and "We" with the largest brushstroke possible. Could the author at least have tried to discuss the topic of data security without simple collective generalizations? Is it not possible that some institutions are effectively protecting this data (eg. banks) and perhaps others are not (eg. classmates.com)? Maybe these institutions know more than the EFF about what people care about disclosing.

    1. Re:Wrong Analogy by Anonymous Coward · · Score: 0

      Sorry but banking institutions are not 'effectively protecting' anything, especially your data.

    2. Re:Wrong Analogy by war4peace · · Score: 2

      Maybe not in the States, where you still have swipe credit cards. Which don't require a PIN code to work!
      And I agree with the GP, the analogy is horribly built.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    3. Re:Wrong Analogy by Harlequin80 · · Score: 2

      Agreed this is a terrible terrible analogy.

      One is the securing of a relatively simple process where every step of the chain can be viewed in full in real time. You are also able to seal whole sections of the process away from external factors in such a way that breaching it secretly is almost impossible and comes with huge risks to the attacker.

      When it comes to data protection or just IT in general the systems are far far more complex. Every piece of code is run through a compiler which turns it into a black box which may or may not introduce a vulnerability. You are having to use hardware and drivers you cannot control or pull apart AND the risk to an attacker is almost zero. An attacker can hit your system endlessly with no real risk of reprisal because, until they compromise you, they are lost in the noise of the script kiddies.

    4. Re:Wrong Analogy by Pubstar · · Score: 1

      Even outside of that, I doubt that most other banks (like large corporations) really understand what is going on sometimes at the bottom of the organizations. When I was working for a large bank in the US doing Win XP to Win 7 migrations, I had access to the list of all user IDs and the names associated with them, departments they worked at, systems they had access to, and the password reset tool that worked on any account. Oh yeah, and I was a contractor. They even let me take unencrypted financial data home - I was stationed to work somewhere, then deploy in another building 20 miles away, but between where I worked and where I lived. My boss let me take home the unencrypted machines and just drop them off in the morning. Security was such a joke.

    5. Re:Wrong Analogy by sound+vision · · Score: 1

      This article is about proposals doing the rounds in the US Congress... so yes, in the United States.

  5. Bad analogy is bad by Anonymous Coward · · Score: 0

    Bad analogy is bad.

    Nice adopting the tactics of your enemies though. Using an alarming example to foster support for your agenda, ensuring an emotional response and not a rational one.

  6. 1982 is an interesting comparison in other ways by Anonymous Coward · · Score: 0

    In 1982, a much smaller % of the population was on the internet (which wasn't much more than a decade old at that point, long before the WWW), but the ones who were had VASTLY more technical understanding than the average netizen today. The worst aspects of today's internet: Orwellian commercial and governmental surveillance, censorship by various nations, ad-infestment of everything, etc, would simply not have been tolerated on the 1982 internet.

    1. Re:1982 is an interesting comparison in other ways by Anonymous Coward · · Score: 0

      The analogy presented has NOTHING to do with the internet in 1982 so your argument is moot

    2. Re:1982 is an interesting comparison in other ways by Anonymous Coward · · Score: 0

      It has to do with the average net citizen today, so a comparison to the past is not moot. Lower technical literacy is the biggest variable that's changed to make everything suck, now.

    3. Re:1982 is an interesting comparison in other ways by Anonymous Coward · · Score: 4, Interesting

      Orwellian commercial and governmental surveillance, censorship by various nations, ad-infestment of everything, etc, would simply not have been tolerated on the 1982 internet.

      Yeah, right.

      Meet Executive Order 12333: The Reagan rule that lets the NSA spy on Americans

      ...the executive order [EO 12333] authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.

      Now you say that that only pertains to data that is scooped up in foreign communications, but you have to realize that in modern telecommunication networks, data often traverses borders as packets are routed to phone switches that may be physically located in, say, Canada. So a call from you in Nevada to your mom in Michigan may be recorded if your call is routed through a phone switch in Toronto, Canada.

    4. Re:1982 is an interesting comparison in other ways by Anonymous Coward · · Score: 0

      The OP said that tech literacy amongst those with Internet access was higher, not amongst the population at large.

    5. Re:1982 is an interesting comparison in other ways by niftymitch · · Score: 1

      Orwellian commercial and governmental surveillance, censorship by various nations,......

      ...the executive order [EO 12333] authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.

      Now you say that that only pertains to data that is scooped up in foreign communications, but you have to realize that in modern telecommunication networks, data often traverses borders as packets are routed to phone switches that may be physically located in, say, Canada. So a call from you in Nevada to your mom in Michigan may be recorded if your call is routed through a phone switch in Toronto, Canada.

      It is interesting that the set of agencies commonly made reference to as the TLAs at this point have near total control over most of the routing infrastructure and could change routes such that the data passes through an international resource.

      I find it amusing that my "location services" often get my location wrong by three time zones. One time my location was N. Virginia, another time some place in MD, and I believe I have been triangulated west and south of the Golden Trumpet just west of one of the largest holes in the earth known to exist in N. America.

      These routing anomalies mostly appeared to be the phone and ISP folk shaping traffic in ways to give "data" truth to their position that internet transparency and net neutrality now I wonder... wonder should I click PA or not...

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
    6. Re:1982 is an interesting comparison in other ways by Anonymous Coward · · Score: 0

      Technical literacy in the 80s was way worse than now.

      It was almost infinitely higher among those with internet access, trust me. 82 was well before the Eternal September.

    7. Re:1982 is an interesting comparison in other ways by ShanghaiBill · · Score: 2, Informative

      The worst aspects of today's internet: Orwellian commercial and governmental surveillance, censorship by various nations, ad-infestment of everything, etc, would simply not have been tolerated on the 1982 internet.

      This is nonsense. In 1982, the Internet was almost entirely government funded and run, and there were rather severe restrictions on what it could be used for, and what type of speech was allowed. For instance, any sort of commercial speech was restricted, it was difficult to be anonymous or even pseudonymous, and people could lose their connections, with little recourse, for being offensive. As usual, the "good 'ole days" were not as good as you falsely remember.

    8. Re:1982 is an interesting comparison in other ways by war4peace · · Score: 1

      Which makes no sense as a comparison.
      Tech literacy amongst those with Internet access was higher because Internet Access availability was lower. The OP is confusing the cause with the effect.

      Cause: internet Access required technical literacy.
      Effect: Only those with technical literacy were accessing the Internet.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    9. Re:1982 is an interesting comparison in other ways by war4peace · · Score: 1

      Of course it was, but you're confusing the cause and the effect.
      The logical buildup is crap.
      I could say that cars are for the poor nowadays because in the early 1900s all cars belonged to the rich, and it'd be wrong.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    10. Re:1982 is an interesting comparison in other ways by Anonymous Coward · · Score: 0

      This a thousand times. What people need to understand is that a large amount of the data gathering by the NSA is done under this executive order. The Patriot Act gets all the headlines and attention, but 12333 is where the real problem lies.

  7. Inexact Comparisons by Fire_Wraith · · Score: 5, Insightful

    There are definitely some important points to be made in the comparison here, but some of them are a bit off. For one, it makes the comparison to sharing customer lists for Tylenol/Bayer Aspirin/etc, but that's a bit off.

    There is a value in 'information sharing', it just depends on the information being shared. Sharing the sorts of data associated with an intrusion, so that others can check their networks for similar activity or vulnerabilities? That's a good thing. The comparison here would be having Tylenol's makers share the information on how their supply chain was possibly compromised in the first place, so that we don't wind up having them fix the problem, only for other companies to get hit with the same thing because the details were kept secret.

    That's what's important - the information about the vulnerabilities and exploits, not the customer data. This is why we have to be especially wary about nebulous proposals that hand over truckloads of unnecessary data, since there are certainly agencies in the government that would love to have free access to it in order to do entirely unrelated things like go on witch-hunts.

    At the same time, we have to keep in mind that most companies won't share information about attacks unless they're required to do so. Imagine if Tylenol had just ignored clear signs of a break-in at their plant, and ignored the possibility that thousands or millions of capsules could have been poisoned, and decided to just pretend nothing ever happened, only for it to come to light years later, because that was roughly what has happened in many past instances of major retailers getting hacked.

    1. Re:Inexact Comparisons by ajzimm3rman · · Score: 0

      "Imagine if Tylenol had just ignored clear signs of a break-in at their plant, and ignored the possibility that thousands or millions of capsules could have been poisoned, and decided to just pretend nothing ever happened, only for it to come to light years later, because that was roughly what has happened in many past instances of major retailers getting hacked." I find it interesting the article compares people DYING to getting hacked. It's just another ruse to push a Big Government solution onto the market, which will slow everything down, and solve nothing.

    2. Re:Inexact Comparisons by cellocgw · · Score: 1

      There is a value in 'information sharing', it just depends on the information being shared. Sharing the sorts of data associated with an intrusion, so that others can check their networks for similar activity or vulnerabilities? That's a good thing. The comparison here would be having Tylenol's makers share the information on how their supply chain was possibly compromised in the first place, so that we don't wind up having them fix the problem, only for other companies to get hit with the same thing because the details were kept secret.

      Except it wasn't. The poisoning turned out to happen inside a home, and the public was never in any danger. So, we ended up with a huge cost increase on every single product, dangerous or not, along with multiple layers of "safety" straps, coatings, etc. which are incredibly annoying to remove and do very little to improve the alleged tamper-proofness of the product itself. Really: do you think some creep could manage to drop poison pills into hundreds of NSAID bottles in CVS stores (assuming no tamper-proofness) without anyone ever noticing?

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
  8. Oversimplified by whitelabrat · · Score: 1

    It's an oversimplification to say the creators of software and hardware that make up networks and services must be held accountable for security. There is an inherent state that many of the bugs that get exploited are unknowable until someone stumbles upon them. Either the software's creator or the bad-actor finds it first and that's where the trouble lies.

    I think the larger issue is the design of the internet is way too open and without any accountability.

    1. Re:Oversimplified by JustNiz · · Score: 2

      >> It's a oversimplification to say the creators of software and hardware that make up networks and services must be held accountable for security.

      No it isn't. I blame Microsoft. The widows architecture and development culture around Windows both encourage/require allowing apps to extend/modify parts of the operating system itself (example: the registry and the windows/system32 directories). Microsoft have been notorious for encapsulating executable stuff in things that should be data-only, such as documents, and designing programs in such a way that they both can and should execute parts of loaded data files.

    2. Re:Oversimplified by Anonymous Coward · · Score: 0

      I think you're right. Plus, when people are dying, that changes the stakes. Folks were dying because of cyanide laced medication. Please show me how innocent bystanders are dying because of software security bugs in consumer software.

    3. Re:Oversimplified by rrr00bb5454 · · Score: 1

      We have been trying to handle security by wrapping various "condoms" around software that doesn't defend itself from bad input. That allows it to be used without fixing it. But this whole strategy is about to break with the widespread use of encryption. We currently protect traffic by inspecting it to observe abuse of the recipient of a message; and yes, it's functionally identical to surveillance in how it works. Ultimately, we need to do something like what LANGSEC suggests, and require very strong input handling that is limited to "in the language" inputs. It's an admission that Postel's Law needs an update. We need to be extremely conservative in what we accept, and presume that all out of spec inputs are designed to put us into an illegal state.
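
The "accept only in-the-language inputs" rule rrr00bb5454 attributes to LANGSEC above is easiest to see next to the lenient parsing it replaces, so here is an added example, written for this page and not code from the thread, from Slashdot or from the LANGSEC project. The message language is made up for the demonstration: a strict recognizer accepts exactly that grammar and rejects everything else before any state is built, while a typical Postel-style parser silently tolerates whitespace, case and duplicate keys, so the same bytes mean different things to the two.

```python
"""Strict recognizer vs lenient parser for a tiny key=value message language.

Added example for this page, not code from the thread or the LANGSEC
project. The language is made up for the demonstration:

    message := pair ("&" pair)*
    pair    := key "=" value
    key     := [a-z]{1,16}       (each key at most once per message)
    value   := [A-Za-z0-9]{1,64}
"""
import re
from typing import Dict, Optional

_KEY = re.compile(r"[a-z]{1,16}")
_VALUE = re.compile(r"[A-Za-z0-9]{1,64}")


class RejectedInput(ValueError):
    """Raised for any input outside the language; no partial result escapes."""


def recognize(message: str) -> Dict[str, str]:
    """Accept exactly the language above and nothing else.

    Every byte must be consumed by the grammar; whitespace, upper-case keys,
    empty pairs, trailing separators and duplicate keys are all rejected with
    the offset of the first out-of-language byte.
    """
    fields: Dict[str, str] = {}
    pos, end = 0, len(message)
    while True:
        m = _KEY.match(message, pos)
        if m is None:
            raise RejectedInput(f"expected key at offset {pos}")
        key, pos = m.group(), m.end()
        if pos >= end or message[pos] != "=":
            raise RejectedInput(f"expected '=' at offset {pos}")
        pos += 1
        m = _VALUE.match(message, pos)
        if m is None:
            raise RejectedInput(f"expected value at offset {pos}")
        if key in fields:
            raise RejectedInput(f"duplicate key {key!r}")
        fields[key], pos = m.group(), m.end()
        if pos == end:
            return fields
        if message[pos] != "&":
            raise RejectedInput(f"unexpected {message[pos]!r} at offset {pos}")
        pos += 1  # another pair must follow the separator


def strict_or_none(message: str) -> Optional[Dict[str, str]]:
    """Convenience wrapper: the parsed fields, or None when the input is rejected."""
    try:
        return recognize(message)
    except RejectedInput:
        return None


def lenient_parse(message: str) -> Dict[str, str]:
    """The 'be liberal in what you accept' parser the comment argues against.

    It strips whitespace, folds case, skips empty pairs and lets the last
    duplicate win, so it always returns something, and two lenient
    implementations that differ in any of those choices disagree about what a
    message says.
    """
    fields: Dict[str, str] = {}
    for chunk in message.split("&"):
        if not chunk.strip():
            continue
        key, _, value = chunk.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


# Constructed inputs: the first is in the language, the rest are not.
PROBES = [
    "user=bob&role=guest",
    "user=bob&user=admin",          # duplicate key: which user is it?
    "user = admin&role=guest ",     # whitespace: in or out of the value?
    "USER=admin",                   # case folding invents a key
    "user=bob&",                    # trailing separator
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:32} strict={strict_or_none(probe)} lenient={lenient_parse(probe)}")
```

The point of the side-by-side is not that the lenient parser crashes (it never does) but that it assigns a meaning to inputs the grammar never defined, and a second component with a slightly different notion of "lenient" can assign a different one; the recognizer has exactly one interpretation per accepted message and none for anything else.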

    4. Re:Oversimplified by Anonymous Coward · · Score: 0

      When Windows was first created, programmers were allowed to do everything, since being able to do so allowed you to do clever things. Perhaps that was good 20 years ago, not so much anymore. The problem is, you patch or fix Windows, that clever thing that is useful breaks and it's Windows' fault. They can't win.

    5. Re:Oversimplified by war4peace · · Score: 1

      Blame the widows, not the orphans!

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    6. Re:Oversimplified by ajzimm3rman · · Score: 0

      Virtualized registry has been around since Vista. 2003 office and above has blocked auto-macros from running.

    7. Re:Oversimplified by JustNiz · · Score: 1

      >> They can't win.

      Sure they can but it might mean they have to end backwards compatibility to do it, which would be fine if they were serious about security afterwards.

      End doing shit like having a registry and allowing apps to create files everywhere in the OS, and having things such as USB keys ever being able to auto-execute. Get rid of useless crap like UAC that just gives the illusion of security by being annoying to users, and instead use a better (I'd suggest linux-like) security model and package management system that prevents user apps ever being able to install themselves as a part of the OS or mess with the OS's configuration at all. Get rid of any apps such as office that by accident or design execute data files on loading. Get rid of hidden directories like ApplicationData. Stop using UUIDs everywhere, and stop running things using proxy parent tasks such as svchost as both obscure what is really going on.
      For end-users the best and quickest answer is to do as anyone with a clue has been doing for years: Drop Windows and upgrade to Linux.

    8. Re:Oversimplified by AK+Marc · · Score: 1

      There is an inherent state that many of the bugs that get exploited are unknowable

      I'd agree if 99% of exploits weren't one of a basic set of vulnerabilities. "I never thought someone would get a privilege escalation through a buffer overflow from an improperly sanitized input." The threats aren't "bugs". A "bug" is bad code that allows a threat a vector of attack.

      Computer security is saying that you secure doors and windows on a house only after each of them has been broken in, and only in the minimum way to prevent the previous attack from working. "Oh, they got in with a credit-card jimmy of the lock? We'll fix that on this window, but the other windows are safe because nobody has tried them yet."

      There are lots of places the trouble lies, and whether an author or bad-actor finds bad code first isn't top of the list.

    9. Re: Oversimplified by Anonymous Coward · · Score: 0

      I think it's a bit foolish to think that Linux or any other OS or software is more secure. They can all be broken, and are.

      It's especially problematic when folks get a false sense of security where there is none. One must begin by assuming you are not and never are.

      That's a common mistake in the industry where they think they are secure because they decide they are.

    10. Re:Oversimplified by Anonymous Coward · · Score: 0

      Even encryption is just another "condom", if the software doesn't defend itself.

    11. Re:Oversimplified by Anonymous Coward · · Score: 1

      Computer security is saying that you secure doors and windows on a house only after each of them has been broken in, and only in the minimum way to prevent the previous attack from working.

      But, that is exactly what we actually do.

      If you were to use state-of-the-art methods to break into one of Johnson and Johnson's manufacturing facilities, I doubt the locks on the doors would keep you out. By state of the art, I mean any technology of any kind available to anybody anywhere, including tanks, aircraft, and so on.

      The reason that Johnson and Johnson doesn't have to defend against tank platoons is that governments already provide protection against these kinds of attacks. The same is not true of IT security. Somebody in a remote country can launch an attack on Johnson and Johnson's VPN gateway using any technology available, and the US (or other hosting country) will not proactively block the attack from reaching them, or take action against the state the attack was launched from the way they would if tanks dashed across a border to hit one of their factories.

      I fully get that there are reasons that this is the case. I just don't think it makes sense to say "IT depts must be lazy since we secure physical sites all the time."

    12. Re:Oversimplified by rrr00bb5454 · · Score: 1

      Exactly. Encryption hides the conversation from external observation, which won't prevent one party from sending malicious data to the other. In fact, it weakens security in the sense that visibility into these kinds of problems is lost. This is why in a corporate setting, you may be asked to surrender to surveillance of your network connections for legitimate security reasons.

  9. Let's examine your interesting comparison by rmdingler · · Score: 1

    Regarding the Tylenol tampering murders: (maybe) started by a lone wolf who was never caught (although some folks were who already wanted to kill their spouses either jumped on the imitation bandwagon or planted the random poisoned bottles themselves).

    Regarding the inevitable use of the internet for data collection: yeah, someone was first, but a metric fuck ton more suspects. Governments, corporations, recruiters, employers, prospective suitors, suspicious spouses, etc.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  10. Market forces at work by trout007 · · Score: 3, Insightful

    It's pretty simple. There were alternatives to Tylenol and they knew if they didn't act it would cost them billions. There is no alternative to the internet so people are pretty much stuck with the standards in use. The losses are socialized enough that there isn't much reason for most people to change. If people personally stood to lose tens of thousands of dollars they might take things seriously.

    --
    I love Jesus, except for his foreign policy.
    1. Re:Market forces at work by trout007 · · Score: 1

      There were plenty of drugs with acetaminophen back then. Excedrin did with a combination of aspirin and caffeine. There were others but obviously Tylenol was the most popular.

      --
      I love Jesus, except for his foreign policy.
  11. Exactly the same thing is going on with the by Cafe+Alpha · · Score: 2

    "Patriot [sic] act" and the "USA Freedom [sic] act". I am so disgusted that Congress acting to circumvent the Supreme Court through technicalities, while changing nothing at all, is being called "surveillance reform [sic]". If you ever hoped that Obama's background as a professor of constitutional law meant that he would protect the bill of rights like I did, you just got shat on.

    Yes, I understand that having the entire world under surveillance all the time is very convenient for law enforcement and keeps us "safer [sic]" than having any right to privacy would. It's just a shame that no one in the government cares.

    Also, do you know how many terrorists they caught with the metadata program? They caught ONE taxi driver who wanted to send a couple thousand to Hamas. That's it. Well, now you know what your freedom used to be worth! Less than one taxi driver's donation.

  12. Apples and Oranges by Anonymous Coward · · Score: 3, Insightful

    From TFA:

    For example, Johnson & Johnson developed new product protection methods and ironclad pledges to do better in protecting their consumers in the future. Working with FDA officials, they introduced a new tamper-proof packaging, which included foil seals and other features that made it obvious to a consumer if foul play had transpired. These packaging protections soon became the industry standard for all over-the-counter medications. The company also introduced price reductions and a new version of their pills — called the “caplet” — a tablet coated with slick, easy-to-swallow gelatin but far harder to tamper with than the older capsules which could be easily opened, laced with a contaminant, and then placed back in the older non-tamper-proof bottle.

    Packaging for over the counter drugs became safer because Johnson & Johnson invested 100 million dollars to protect their customers with tamper-resistant seals on their packaging and harder to contaminate pills, which showed the rest of the industry how to do it as well. Congress passed the law mandating that the rest of the industry follow suit only after Tylenol successfully did it first. In addition, and this is important, the FDA worked with Johnson & Johnson for the common goal of protecting consumers.

    With computer security, though, you have the US government that is openly hostile to allowing users to completely secure their systems. For one thing, you have the law enforcement and intelligence branches of the government that lobby Congress for more surveillance laws, and also actively subvert standards for encryption, OS security, and security applications as well as weaponizing exploits of software vulnerabilities. And even when there are companies leading the way on how to provide secure applications and services, you have the government stepping in forcing them to compromise their security. Lavabit is just one public example of the government's zeal to snoop overriding consumers' need for secure communication.

    Another thing is you have the software industry lobbying Congress against passing laws which would apply product liability rules to software applications. Software companies have been thwarting efforts to hold them accountable for ages. All software has bugs, but a lot of bugs are just howlers that might not have gotten through to release if companies were held a little responsible for the harm they can cause.

    Nope, the Tylenol case and the case for secure computers and networks are not the same. In the Tylenol case, the gov and drug industry had a common goal to protect the consumer. In the case of computer security, the gov and software industry have their own goals, but they're not to protect the common user.

    1. Re:Apples and Oranges by phantomfive · · Score: 1

      And that's ignoring the fact that computer security is nearly intractable to begin with. Even if you have an air-gap, it can still be breached.

      So if the companies aren't even trying (which they aren't......increased liability can help with that, though), there's no way they'll succeed.

      --
      "First they came for the slanderers and i said nothing."
  13. It is not the govt's job to keep our data safe.. by zr · · Score: 2

    ..never was, never will be.

    If we the people want our data safe, we have no choice but to keep ever vigilant about defending against laws that allow the government access to data we don't wish to be open.

    Thank you Dr Paul.

  14. Tylenol Story by ajzimm3rman · · Score: 0

    It's obvious the private market responded quicker than the government regarding the Tylenol story. The laws passed afterwards achieved nothing. The response had already been implemented. What this goes to show is that our private industry is keeping up as much as the individual companies deem necessary. If tomorrow all ATMs started being hacked easily, there would be responses nation/worldwide. But that simply isn't happening. I guess what I mean to say is, if the need is there, companies will work with each other to help achieve what is necessary. Does it pay for a company to risk its assets more than necessary? At this time some are being targeted more than others. Not everyone is. Government will achieve nothing but slow whatever it regulates or taxes down. The underachievers work in government...not the other way around.

  15. why do people get this wrong? by gillbates · · Score: 1, Informative

    The Tylenol killer was caught. I remember hearing about it on the CBS evening news - HE did it in an attempt to get the stock price to fall, in order to make money on his short options.

    --
    The society for a thought-free internet welcomes you.
    1. Re:why do people get this wrong? by Snotnose · · Score: 3, Interesting

      Nope. The guy they caught wrote a ransom note demanding $$$ to stop poisoning the bottles. He got caught and sent away for extortion. AFAIK they never did charge anyone with the actual murder.

    2. Re:why do people get this wrong? by rmdingler · · Score: 2

      Nope. The guy they caught wrote a ransom note demanding $$$ to stop poisoning the bottles. He got caught and sent away for extortion. AFAIK they never did charge anyone with the actual murder.

      Indeed. And, he lived in New York whilst the poisoned capsules were found in and around the Chicago area.

      Johnson and Johnson's handling of the total recall[tm] was wildly applauded at the time, perhaps in contrast to the number of stars we are currently awarding to the nationwide surveillance alliance.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    3. Re:why do people get this wrong? by Snotnose · · Score: 1

      So the original (incorrect) post is modded at +3, while both mine and the guy saying I'm right are at +2. Thanks, moderators, for fact checking.

      Wikipedia says I'm right and OP is wrong.

    4. Re:why do people get this wrong? by Technician · · Score: 1

      I guess I get the 3rd competing story for how it most likely happened..

      A man poisoned his chronically ill wife and placed more poisoned pills on store shelves to produce the doubt that he didn't murder his wife.

      Who actually did the poisoning was not proven due to the number of cases.

      "As the tampered-with bottles came from different factories, and the seven deaths had all occurred in the Chicago area, the possibility of sabotage during production was ruled out. Instead, the culprit was believed to have acquired bottles of Tylenol from various supermarkets and drug stores over a period of several weeks, added the cyanide to the capsules, then returned to the stores to place the bottles back on the shelves. In addition to the five bottles that led to the victims' deaths, three other tampered-with bottles were discovered."

      Source Wikipedia. http://en.wikipedia.org/wiki/C...

      --
      The truth shall set you free!
    5. Re:why do people get this wrong? by BlueStrat · · Score: 1

      So the original (incorrect) post is modded at +3, while both mine and the guy saying I'm right are at +2. Thanks, moderators, for fact checking.

      Wikipedia says I'm right and OP is wrong.

      If it were not for your relatively low UID number, I'd say "you must be new here".

      Facts and logic are fungible and elastic among Slashdotters when they negatively impact stubbornly-held (but incorrect nonetheless) worldviews, politics, (anti-)religious beliefs, and ideologies.

      To a large extent Slashdot negative moderation serves the same purpose as sticking one's fingers in one's ears and going "lalalala I can't hear you!".

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    6. Re:why do people get this wrong? by dunkelfalke · · Score: 1

      when they negatively impact stubbornly-held (but incorrect nonetheless) worldviews, politics, (anti-)religious beliefs, and ideologies.

      You don't say.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  16. Back in the day (off topic) by Snotnose · · Score: 2

    I was 22-23, there was a guy at work 10-15 years older that hated me. Why? I don't know. But I was the kind of guy that anything you threw at me I threw 2x back. When this Tylenol poisoning hit I bought a bottle of Tylenol and put it on his desk. No note, nothing, just the bottle.

    I ran into him some 20 years later. He told me he didn't know why he didn't like me and apologized for being an ass. I told him I put the Tylenol bottle on his desk, he said "shit Jim, I knew that as soon as I saw it".

    1. Re:Back in the day (off topic) by sexconker · · Score: 1

      Your parents named you "shit Jim"?

    2. Re:Back in the day (off topic) by Anonymous Coward · · Score: 0

      Your parents named you "shit Jim"?

      Maybe that is why he didn't like him.

    3. Re:Back in the day (off topic) by Anonymous Coward · · Score: 1

      Is that so off-topic, after all? Imagine if you did the same thing today. The coworker, or someone else in the office, reports the Tylenol bottle as being suspicious. Everyone gets locked down in the office, the police are called, a hazmat crew comes out and looks around. Security camera footage from your office is confiscated. The Tylenol bottle is fingerprinted and swabbed for DNA. And if they find anything that ties you to that bottle, you're off to prison for a few years for making terroristic threats, or some other nonsense charges.

    4. Re:Back in the day (off topic) by Snotnose · · Score: 1

      Dad thought he was hitting the backdoor when I was conceived.

      / Dad doesn't read /.
      // Mom's dead
      /// no way they'll hear I said that :)

  17. incentives? by Anonymous Coward · · Score: 0

    "by creating incentives for greater security...".?
    huh? and we pull the incentives out of whose a$$?
    I know, let's create one 'organization' that will manage and implement all technology communication related devices.
    "...one ring to rule them all...."

    1. Re:incentives? by Anonymous Coward · · Score: 0

      "by creating incentives for greater security...".? huh? and we pull the incentives out of whose a$$? I know, let's create one 'organization' that will manage and implement all technology communication related devices. "...one ring to rule them all...."

      you're damned if you do and damned if you don't.

  18. ...as a kid when it happened... by Anonymous Coward · · Score: 1

    This is all second hand info, of course, but as a kid I knew a worker at the 'pill' factory. That chemical is used to clean the pill dies. The theory produced was that it was an industrial accident (yes, the makers confirmed that that chemical is used to clean the dies, but downplayed its significance - do the research!). It was my first experience of a major corporation ducking responsibility and I was taught a good lesson from it.

    Because of the egregious way in which people died from the accident, the company would have been successfully sued into nothingness. It was far more cost-effective to take the path they took than to admit wrong-doing; that a criminal had contaminated the medicine. Yes, "good" things came from it, but too many needlessly lost their lives as a result.

    1. Re:...as a kid when it happened... by AK+Marc · · Score: 2

      That theory only works if there were deliberate poisonings by copycats. The distribution was too narrow, and the incidents too spread out, to account for all of the poisonings with a single industrial accident. Unless Tylenol committed murder as part of a cover-up.

  19. Different World by Anonymous Coward · · Score: 0

    Cindy Cohn writes at EFF that when a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety.

    It was a completely different mentality back then, Johnson & Johnson took measures to ensure consumer safety. Today's corporations won't even consider that an option. Look at BP during the whole Deepwater Horizon fiasco, they deliberately delayed solving the problem for as long as they could while the execs at the top tried to figure out ways they could profit from the disaster.

    I'm sure that others have already mentioned that the biggest enemies are oppressive governments like the US who deliberately and continually sabotage world security for their own petty goals.

  20. Professionalize computer science degrees by Anonymous Coward · · Score: 0

    Engineers in many fields have the opportunity and obligation to take an exam to become formally licensed. No such degree track is available today in the computer sciences.

  21. Re:It is not the govt's job to keep our data safe. by Anonymous Coward · · Score: 0

    If we the people want our data safe, we have no choice but to keep ever vigilant about defending against laws ...

    So how much did you donate to the 'Ban the bomb' fund? What about writing to your elected representative outlining your disapproval of his policies? Alas, the price of vigilance is perpetually under-estimated. After making the boss happy, then the police and government, then the family, most people aren't interested in bad laws that will affect them on an unknown day in the dimly known future. It's much easier to watch 'American idiot' (reality shows have only 3 premises, where most of them can be titled 'idiot') and forget tomorrow is another struggle to 'keep up with the Joneses'.

  22. Cohn should stick to what he knows by Jawnn · · Score: 1

    Because the list of things she knows clearly does not include the concept of "community based threat intelligence". The sharing of threat intel, especially among industry peers (financial services, healthcare, etc.) can be a very powerful tool. If the security people at Acme Widgets and Cogswell Cogs alert me that they're seeing a specific attack coming from a particular IP address, we here at Spacely Sprockets can proactively take steps to defend against that attack.

    FTFA:
    "Opening debate of the bill on Wednesday, Rep. Devin Nunes, R-Calif., chairman of the House Permanent Select Committee on Intelligence, noted that the legislation “does not provide the government with any new surveillance authorities.” “It only authorizes the sharing of cyber threat indicators and defensive measures – technical information like malware signatures and malicious code,” he said. “In fact, before companies share with the federal government, they must remove all personal information that might be attached to cyber threats. If companies don’t follow those requirements, they will not receive liability protection.”

    By what stretch does Ms. Cohn call such activity "surveillance"?
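    The two halves of the comment above (peers sharing an attacking IP address, and the requirement that personal information be removed before an indicator is shared) are, as an added illustration that is not part of this thread or of the bill text, about the size of the following Python. It assumes a simple dict-based indicator record, takes "personal information" to mean e-mail addresses and account names in the record's fields and free-text note, and uses a constructed firewall log format; the company names, addresses and log lines are all made up, and the sanity checks on incoming indicators are this example's own, not anything the bill specifies.

```python
import ipaddress
import re
from dataclasses import dataclass, field, replace

# Assumed for this example: attribute names that carry personal information
# and must never leave the organisation with a shared indicator.
PII_FIELDS = frozenset({"victim_email", "username", "employee_id", "hostname"})
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Address space a shared feed must never be allowed to push into our blocklist
# (a poisoned feed saying "block 10.0.0.0/8" would be a denial of service).
NEVER_BLOCK = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Indicator:
    kind: str                      # "ipv4" | "sha256" | "domain"
    value: str
    source: str                    # organisation that observed it
    context: str = ""              # analyst free text; may contain PII
    attrs: dict = field(default_factory=dict)


def validate(ind: Indicator) -> bool:
    """Reject malformed or dangerous indicators before acting on a peer's feed."""
    if ind.kind == "ipv4":
        try:
            addr = ipaddress.IPv4Address(ind.value)
        except ValueError:
            return False
        return not any(addr in net for net in NEVER_BLOCK)
    if ind.kind == "sha256":
        return bool(SHA256_RE.match(ind.value))
    if ind.kind == "domain":
        return bool(re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", ind.value))
    return False


def scrub_for_sharing(ind: Indicator) -> Indicator:
    """Copy of the indicator with PII attributes dropped and e-mails redacted."""
    clean_attrs = {k: v for k, v in ind.attrs.items() if k not in PII_FIELDS}
    clean_context = EMAIL_RE.sub("[redacted]", ind.context)
    return replace(ind, attrs=clean_attrs, context=clean_context)


LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def match_log(indicators, log_lines):
    """(indicator, line) pairs where a valid IPv4 indicator is the source address."""
    wanted = {i.value: i for i in indicators if i.kind == "ipv4" and validate(i)}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("src") in wanted:
            hits.append((wanted[m.group("src")], line))
    return hits


def block_rules(indicators):
    """One 'defensive measure' per valid IPv4 indicator, as an iptables rule."""
    return [f"iptables -A INPUT -s {i.value} -j DROP"
            for i in indicators if i.kind == "ipv4" and validate(i)]


# Constructed: what Acme Widgets holds internally, before sharing.
RAW = Indicator(
    kind="ipv4", value="203.0.113.7", source="Acme Widgets",
    context="Brute-forcing OWA; first victim alice.w@acme.example reported lockout",
    attrs={"first_seen": "2015-04-22",
           "victim_email": "alice.w@acme.example", "username": "alice.w"},
)

# Constructed: firewall log lines at Spacely Sprockets.
LOG = [
    "2015-04-23T10:01:02Z src=203.0.113.7 dst=10.0.0.5 dport=443 action=accept",
    "2015-04-23T10:01:05Z src=198.51.100.20 dst=10.0.0.5 dport=443 action=accept",
    "2015-04-23T10:02:17Z src=203.0.113.7 dst=10.0.0.9 dport=22 action=accept",
]

if __name__ == "__main__":
    shared = scrub_for_sharing(RAW)        # what actually leaves Acme
    print("shared:", shared)
    for ind, line in match_log([shared], LOG):
        print("HIT", ind.source, ind.value, line)
    print("\n".join(block_rules([shared])))
```

    The point the scrub function makes is that the technical indicator (the address, hash or domain) and the personal data travel in separate fields, so stripping the latter is mechanical; the point of `validate` is that a feed from a peer is still untrusted input, and a block rule derived from it needs the same sanity checks as any other.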

  23. Be careful about what you wish for by GuB-42 · · Score: 1

    "trusted computing", locked bootloaders, ... controversial stuff like this are all improvements in security that are easy to mandate, are pushed by big companies and closely match the Tylenol example (where tamper resistance was the solution).

  24. The same, but not the same as the author thinks by al0ha · · Score: 1

    The Tylenol safety problem of the 80s and the privacy protection concerns we have today are not synonymous in the way the author depicts them to be; in both cases the response is about the bottom line. Tylenol knew that if it didn't respond appropriately, huge profits could have been lost. In the case of securing private information, if the powers that be were actually to do that, huge profits could be lost. Got it yet?

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ