Cybersecurity and the Tylenol Murders
HughPickens.com writes: Cindy Cohn writes at EFF that when a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety. It increased its internal production controls, recalled the capsules, offered an exchange for tablets, and within two months started using triple-seal tamper-resistant packaging. Congress ultimately passed an anti-tampering law but the focus of the response from both the private and the public sector was on ensuring that consumers remained safe and secure, rather than on catching the perpetrator. Indeed, the person who did the tampering was never caught.
According to Cohn the story of the Tylenol murders comes to mind as Congress considers the latest cybersecurity and data breach bills. To folks who understand computer security and networks, it's plain that the key problem is our vulnerable infrastructure and weak computer security, much like the vulnerabilities in Johnson & Johnson's supply chain in the 1980s. As then, the failure to secure our networks, the services we rely upon, and our individual computers makes it easy for bad actors to step in and "poison" our information. The way forward is clear: We need better incentives for companies who store our data to keep it secure. "Yet none of the proposals now in Congress are aimed at actually increasing the safety of our data. Instead, the focus is on 'information sharing,' a euphemism for more surveillance of users and networks," writes Cohn. "These bills are not only wrongheaded, they seem to be a cynical ploy to use the very real problems of cybersecurity to advance a surveillance agenda, rather than to actually take steps to make people safer." Congress could step in and encourage real security for users: by creating incentives for greater security, a greater downside for companies that fail to do so, and by rewarding those companies who make the effort to develop stronger security. "It's as if the answer for Americans after the Tylenol incident was not to put on tamper-evident seals, or increase the security of the supply chain, but only to require Tylenol to 'share' its customer lists with the government and with the folks over at Bayer aspirin," concludes Cohn. "We wouldn't have stood for such a wrongheaded response in 1982, and we shouldn't do so now."
The same people who say it is OK that the NSA weakens security paradigms, who take seriously government demands for backdoors in all crypto systems, and who OK spying on everyone are not about to do a complete 180 and actually do anything to build up security. The corporations can do little for better security while the government is busy weakening and limiting all security tools. So simply making more demands on companies is useless.
There are definitely some important points to be made in the comparison here, but some of them are a bit off. For one, it makes the comparison to sharing customer lists for Tylenol/Bayer Aspirin/etc., and that's not quite right.
There is a value in 'information sharing', it just depends on the information being shared. Sharing the sorts of data associated with an intrusion, so that others can check their networks for similar activity or vulnerabilities? That's a good thing. The comparison here would be having Tylenol's makers share the information on how their supply chain was possibly compromised in the first place, so that we don't wind up having them fix the problem, only for other companies to get hit with the same thing because the details were kept secret.
That's what's important: the information about the vulnerabilities and exploits, not the customer data. This is why we have to be especially wary about nebulous proposals that hand over truckloads of unnecessary data, since there are certainly agencies in the government that would love to have free access to it in order to do entirely unrelated things like go on witch-hunts.
At the same time, we have to keep in mind that most companies won't share information about attacks unless they're required to do so. Imagine if Tylenol had just ignored clear signs of a break-in at their plant, ignored the possibility that thousands or millions of capsules could have been poisoned, and decided to just pretend nothing ever happened, only for it to come to light years later, because that is roughly what has happened in many past instances of major retailers getting hacked.
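The distinction the comment above draws, share the indicators of the intrusion but not the customer data, is easy to state and easy to get wrong when an incident record holds both. As an added example (not from this thread, constructed data and hypothetical field names), the block below builds a shareable indicator bundle from an incident record using an explicit allowlist so that customer and internal-host fields can never leak, refuses to emit anything that looks like an e-mail address, and then shows what a peer does with the bundle: hunt through their own logs for the same IPs, hashes and paths.

```python
"""Share intrusion indicators, not customer data: added example with constructed data."""
import re
from typing import Dict, List, Tuple

# Constructed incident record with hypothetical field names. Documentation
# ranges (TEST-NET) are used for the addresses; the hash is arbitrary.
INCIDENT = {
    "id": "IR-2015-0042",
    "summary": "Web shell dropped via unpatched upload handler",
    "indicators": {
        "ip": ["203.0.113.45", "198.51.100.7"],
        "sha256": ["9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"],
        "path": ["/var/www/html/uploads/cache.php"],
    },
    # The parts that must never leave the organisation.
    "affected_customers": [
        {"name": "Alice Example", "email": "alice@example.com", "card_last4": "4242"},
    ],
    "internal_hosts": ["db-prod-01.corp.example"],
}

# Allowlist: only these indicator types are ever copied into a bundle.
# Anything not named here, including fields added to INCIDENT later, is dropped.
SHAREABLE_TYPES = ("ip", "sha256", "path")

EMAIL_RE = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")


def build_share_bundle(incident: Dict) -> Dict[str, Dict[str, List[str]]]:
    """Return only de-duplicated indicator values, keyed by allowlisted type."""
    indicators = incident.get("indicators", {})
    bundle: Dict[str, Dict[str, List[str]]] = {"indicators": {}}
    for itype in SHAREABLE_TYPES:
        values = sorted(set(indicators.get(itype, [])))
        if values:
            bundle["indicators"][itype] = values
    # Last-line guard: an indicator value that looks like an e-mail address is
    # almost certainly customer data that was filed in the wrong place.
    for values in bundle["indicators"].values():
        for value in values:
            if EMAIL_RE.fullmatch(value):
                raise ValueError(f"refusing to share PII-looking indicator: {value}")
    return bundle


def match_logs(bundle: Dict, log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, value) for every shared indicator found.

    Indicators are matched as whole tokens, so 198.51.100.7 does not fire on
    198.51.100.70. Hashes are compared case-insensitively; IPs and paths exactly.
    """
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        for itype, values in bundle["indicators"].items():
            flags = re.IGNORECASE if itype == "sha256" else 0
            for value in values:
                pattern = r"(?<![\w.])" + re.escape(value) + r"(?![\w.])"
                if re.search(pattern, line, flags):
                    hits.append((lineno, itype, value))
    return hits


# Constructed log lines as a peer organisation might hold them (web access log
# plus host audit/AV lines). Line 2 is a deliberate near-miss on the second IP.
SAMPLE_LOGS = [
    '203.0.113.45 - - [12/May/2015:10:22:01 +0000] "POST /upload.php HTTP/1.1" 200 512',
    '198.51.100.70 - - [12/May/2015:10:22:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
    "May 12 10:23:11 web01 auditd: file created path=/var/www/html/uploads/cache.php uid=33",
    "May 12 10:23:12 web01 av: scanned /var/www/html/uploads/cache.php "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 verdict=clean",
    '192.0.2.10 - - [12/May/2015:10:30:00 +0000] "GET /about HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    shared = build_share_bundle(INCIDENT)
    print("bundle sent to peers:", shared)
    for lineno, itype, value in match_logs(shared, SAMPLE_LOGS):
        print(f"line {lineno}: {itype} indicator {value} seen")
```

The allowlist is the important design choice: a denylist of "PII fields" would silently pass any new field someone adds to the incident record, whereas the allowlist passes only what a peer actually needs to check their own network.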
>> It's an oversimplification to say the creators of software and hardware that make up networks and services must be held accountable for security.
No it isn't. I blame Microsoft. The Windows architecture and the development culture around Windows both encourage/require allowing apps to extend/modify parts of the operating system itself (example: the registry and the windows/system32 directories). Microsoft have been notorious for encapsulating executable stuff in things that should be data-only, such as documents, and designing programs in such a way that they both can and should execute parts of loaded data files.
It's pretty simple. There were alternatives to Tylenol and they knew if they didn't act it would cost them billions. There is no alternative to the internet, so people are pretty much stuck with the standards in use. The losses are socialized enough that there isn't much reason for most people to change. If people personally stood to lose tens of thousands of dollars they might take things seriously.
I love Jesus, except for his foreign policy.
"Patriot [sic] act" and the "USA Freedom [sic] act". I am so disgusted that Congress acting to circumvent the Supreme Court through technicalities, while changing nothing at all, is being called "surveillance reform [sic]". If you ever hoped, like I did, that Obama's background as a professor of constitutional law meant that he would protect the Bill of Rights, you just got shat on.
Yes, I understand that having the entire world under surveillance all the time is very convenient for law enforcement and keeps us "safer [sic]" than having any right to privacy would. It's just a shame that no one in the government cares.
Also, do you know how many terrorists they caught with the metadata program? They caught ONE taxi driver who wanted to send a couple thousand to Hamas. That's it. Well, now you know what your freedom used to be worth! Less than one taxi driver's donation.
From TFA:
For example, Johnson & Johnson developed new product protection methods and ironclad pledges to do better in protecting their consumers in the future. Working with FDA officials, they introduced a new tamper-proof packaging, which included foil seals and other features that made it obvious to a consumer if foul play had transpired. These packaging protections soon became the industry standard for all over-the-counter medications. The company also introduced price reductions and a new version of their pills — called the “caplet” — a tablet coated with slick, easy-to-swallow gelatin but far harder to tamper with than the older capsules which could be easily opened, laced with a contaminant, and then placed back in the older non-tamper-proof bottle.
Packaging for over-the-counter drugs became safer because Johnson & Johnson invested 100 million dollars to protect their customers with tamper-resistant seals on their packaging and harder-to-contaminate pills, which showed the rest of the industry how to do it as well. Congress passed the law mandating that the rest of the industry follow suit only after Tylenol successfully did it first. In addition, and this is important, the FDA worked with Johnson & Johnson for the common goal of protecting consumers.
With computer security, though, you have the US government that is openly hostile to allowing users to completely secure their systems. For one thing, you have the law enforcement and intelligence branches of the government that lobby Congress for more surveillance laws, and also actively subvert standards for encryption, OS security, and security applications, as well as weaponizing exploits of software vulnerabilities. And even when there are companies leading the way on how to provide secure applications and services, you have the government stepping in, forcing them to compromise their security. Lavabit is just one public example of the government's zeal to snoop overriding consumers' need for secure communication.
Another thing is you have the software industry lobbying Congress against passing laws which would apply product liability rules to software applications. Software companies have been thwarting efforts to hold them accountable for ages. All software has bugs, but a lot of bugs are just howlers that might not have got through to release if companies were held a little responsible for the harm they can cause.
Nope, the Tylenol case and the case for secure computers and networks are not the same. In the Tylenol case, the gov and drug industry had a common goal to protect the consumer. In the case of computer security, the gov and software industry have their own goals, but they're not to protect the common user.
Maybe not in the States, where you still have swipe credit cards. Which don't require a PIN code to work!
And I agree with the GP, the analogy is horribly built.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
..never was, never will be.
If we the people want our data safe, we have no choice but to keep ever vigilant about defending against laws that allow the government access to data we don't wish be open.
Thank you Dr Paul.
Orwellian commercial and governmental surveillance, censorship by various nations, ad-infestment of everything, etc, would simply not have been tolerated on the 1982 internet.
Yeah, right.
Meet Executive Order 12333: The Reagan rule that lets the NSA spy on Americans
...the executive order [EO 12333] authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.
Now you say that that only pertains to data that is scooped up in foreign communications, but you have to realize that in modern telecommunication networks, data often traverses borders as packets are routed to phone switches that may be physically located in, say, Canada. So a call from you in Nevada to your mom in Michigan may be recorded if your call is routed through a phone switch in Toronto, Canada.
I was 22-23, there was a guy at work 10-15 years older that hated me. Why? I don't know. But I was the kind of guy that anything you threw at me I threw 2x back. When this Tylenol poisoning hit I bought a bottle of Tylenol and put it on his desk. No note, nothing, just the bottle.
I ran into him some 20 years later. He told me he didn't know why he didn't like me and apologized for being an ass. I told him I put the Tylenol bottle on his desk, he said "shit Jim, I knew that as soon as I saw it".
Nope. The guy they caught wrote a ransom note demanding $$$ to stop poisoning the bottles. He got caught and sent away for extortion. AFAIK they never did charge anyone with the actual murder.
Indeed. And, he lived in New York whilst the poisoned capsules were found in and around the Chicago area.
Johnson and Johnson's handling of the total recall[tm] was widely applauded at the time, perhaps in contrast to the number of stars we are currently awarding to the nationwide surveillance alliance.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
The worst aspects of today's internet: Orwellian commercial and governmental surveillance, censorship by various nations, ad-infestment of everything, etc, would simply not have been tolerated on the 1982 internet.
This is nonsense. In 1982, the Internet was almost entirely government funded and run, and there were rather severe restrictions on what it could be used for, and what type of speech was allowed. For instance, any sort of commercial speech was restricted, it was difficult to be anonymous or even pseudonymous, and people could lose their connections, with little recourse, for being offensive. As usual, the "good 'ole days" were not as good as you falsely remember.
Agreed this is a terrible terrible analogy.
One is the securing of a relatively simple process where every step of the chain can be viewed in full in real time. You are also able to seal whole sections of the process away from external factors in such a way that breaching it secretly is almost impossible and comes with huge risks to the attacker.
When it comes to data protection, or just IT in general, the systems are far, far more complex. Every piece of code is run through a compiler which turns it into a black box which may or may not introduce a vulnerability. You are having to use hardware and drivers you cannot control or pull apart AND the risk to an attacker is almost zero. An attacker can hit your system endlessly with no real risk of reprisal because, until they compromise you, they are lost in the noise of the script kiddies.
That theory only works if there were deliberate poisonings by copycats. The distribution was too narrow, and the incidents too spread out, to account for all of the poisonings with a single industrial accident. Unless Tylenol committed murder as part of a cover-up.
Learn to love Alaska