
Be More Careful on Facebook


Here’s the short version of what I’m about to say: Immigrants and visitors to the US—along with anyone participating in protests or visible resistance to the current administration—are the targets of intrusive governmental surveillance, including surveillance of their social networks. Both immigrants and political dissidents are being vilified by the administration and targeted for draconian and unconstitutional attacks. If your “friends”—or friends of friends—network includes people vulnerable to these attacks, you should assume that your constitutionally protected political speech may be used in bad faith to characterize your contacts as terrorists or criminals, and act accordingly.

Note: If this seems obvious to you, perhaps because you’ve already experienced some flavor of it, know that I wrote this post for your friends and family members and colleagues who haven’t thought about it yet.

So here’s the long version.

Loose lips sink ships

Using social networks to normalize behaviors like calling representatives and generally participating more fully in civic life is a great way to stay motivated—“look at me and my admirable behavior!” totally works—and anything that heartens us in this deeply weird historical moment is a gift.

That said, it’s impossible to tell what information you post on any social network—under any privacy setting—will be viewable by enforcement agencies and other members of the government at any given point. Therefore, you should assume that anything you post can potentially be used not only against you, but against your more vulnerable contacts. If you care about that possibility, you may wish to think carefully about posting things like:

  • exaggerated political speech, including humor, that could be characterized as threatening or dangerous by government workers acting in bad faith
  • protest photos of other people—especially from unpermitted actions—which can be processed using facial recognition systems whether or not you name/tag the people in the image
  • your membership in groups that hold unpermitted protests or other actions that deviate from the blandest possible interpretation of political speech

Methods of civic participation favored by white middle-class Americans are less likely to be criminalized or regarded as especially radical, so postcard-writing parties and entreaties to call political representatives likely fall within safe bounds.

The major exception is if you’re planning to participate in high-risk protests or actions that make it likely that you’ll be arrested for civil disobedience. If that’s the case, you should probably straight-up delete your social network presence or at the very least unfriend/break connections with anyone who shares your views or may encounter immigration agencies, because law enforcement will absolutely go after your social networking data if you’re arrested, and that information could easily be used not only against you, but others. If you’re arrested for political dissent, and especially if you’re charged, vulnerable people could be penalized for a connection to you, so don’t let yourself be used as a means of repression.

But self-censorship is cowardly and aids fascism

Eh. I’m all for people taking informed risks when they’re risking their own safety. But until we know for sure that the administration’s trajectory doesn’t lead to mass internments and deportations, my protected speech on social networks may do harm to others who aren’t as shielded as I am, so being careful with it seems increasingly worthwhile to me. Maybe you feel the same way.

So I should just never say anything political again?

Nah. If Facebook (or Twitter) is your main source of political news, conversation, and encouragement, this will be hard and feel weird. But a lot of things are hard and feel weird right now. Some of this discomfort is good: it can keep us alert, and remind us that most of us are noobs when it comes to activism that brushes up against danger—and that if we’ve never had to censor our political speech out of concern for the risks to others, we’ve been unusually lucky and naive.

Some easy-to-use options that are less easily tracked and abused by intrusive agencies than the major social networks:

  • Signal, an encrypted messaging app from Open Whisper Systems that runs on smartphones and laptops and is very very easy to install and use instead of Messenger, SMS, Messages, or DMs. You can send photos and do group messages, too.
  • In-person meetings, workshops, services, vigils, and so on.
  • Email—even regular unencrypted email—avoids the trap of offering intelligence and enforcement agencies a ready-made graph of personal relationships tied to political allegiances, though keep in mind that your mail provider can read it, and that To/CC headers still show who writes to whom.
  • Writing online outside of social networks. Remember blogs? Still pretty easy to set up, if lacking the rush of posting something where you can be sure your one annoying ex-colleague will see it and feel irritated.

This is not a call to go into hiding, but to question a technical and social system that channels our need for connection into corporate surveillance platforms that become weapons for an authoritarian state. That begins by getting smarter about what we say, and where. Be a danger to your opponents, not your friends.

This is all just alarmist speculation!

It’s totally speculation, though it’s based on a bunch of research and my longstanding suspicion of agencies of control. But I have no interest in trying to make you scared, or to sell you on some kind of super-smart insidery narrative.

So let’s go through the four major points behind my concerns. I’m going to focus on the potential harm to two groups of people: immigrants and visitors to the US, and political dissidents within the US. (A lot of people fall into both groups, which makes them doubly vulnerable.) If you don’t feel like a guided tour, skip to the end.

1. Border control is intrusive and often lawless

The agencies overseeing US border control and immigration are frighteningly powerful and very interested in the political views—and social networking data—of those within their remit. They’re also part of the executive branch of government.

The Department of Homeland Security last year received permission to request social media accounts from all non-citizens at the US border. And when Trump’s executive order barring entry to citizens of many Muslim countries went into effect, US border control immediately began scrutinizing travelers’ Facebook pages and demanding that travelers from the affected countries unlock their phones and allow unlimited access by border control agents.

Since I started drafting this post a couple of weeks ago, border control agents have begun demanding that people entering the US unlock their phones so that agents can look through their emails and review private social media feeds and messages. As with so many other border control procedures, it’s not clear that this procedure is legal, but at least one journalist (from Canada, even) has previously been denied entry to the US after refusing to turn over his phone and potentially endanger his confidential sources. (In his case, border patrol agents demanded to see his phone to look for pictures of him “posing with dead bodies.” Imagine the same people finding photos from protests critical of the current administration and how they might elect to respond.)

In an excellent roundup on the whole situation, The Atlantic notes that Israel already profiles visitors and demands access to their email and social media messages to determine whether they’ll be allowed into the country. This is what that looks like when it’s applied to a US citizen at the Israeli border:

“Okay, we are going to do something very interesting now!” Her face transformed from a harsh stare to a slight smirk. She proceeded to type “www.gmail.com” on her computer and then turned the keyboard toward me. “Log in,” she demanded.

“What? Really?” I was shocked.

“Log in.”

I typed in my username and password in complete disbelief. She began her invasive search: “Israel,” “Palestine,” “West Bank,” “International Solidarity Movement.”

Looking back, I realize I shouldn’t have logged in. I should have known that nothing I did at this point would change my circumstances, and that this was an invasion of my privacy. Yet all the questions, the feeling that I had to defend myself for simply wanting to enter the country, and the unwavering eye contact of the security officers left me feeling like I had no choice.

And now it’s happening to US citizens at the US border as well:

“I travel all the time, and I was never asked to unlock my phone,” said Mr. Elsharkawi, an electronics salesman from Anaheim, Calif. “I have personal photos there, which I think is normal for anyone. It’s my right. It’s my phone.”

Eventually, he relented, and a Homeland Security agent looked through his phone for about 15 minutes, he said.

A NASA scientist, Sidd Bikkannavar, said he had a similar experience to Mr. Elsharkawi’s in January, when he was detained at the Houston airport until he handed over a NASA-issued phone for inspection, he told The Verge.

More broadly, it’s important to remember that US border control is extraordinarily powerful, extraordinarily corrupt, and regularly commits human rights abuses like six hours of illegal, abusive, physician-assisted searches.

In an interview I found quite affecting, WNYC radio producer Sarah Abdurrahman explains what it’s like to be detained by border control with your family, all US citizens. An excerpt from the interview details a record of casual cruelties, even to toddlers:

SARAH ABDURRAHMAN: James Lyle is an attorney at the ACLU of Arizona. He says […] people have reported physical and verbal abuse, as well as denial of food, water or medical care by Customs and Border Protection, or CBP, which is under the Department of Homeland Security.

JAMES LYLE: The accounts are so widespread and so consistent, that it’s very hard to see this as anything other than a systemic problem and not just a couple of bad apples here or there.

SARAH ABDURRAHMAN: Lyle told me the story of four-year-old Emily Ruiz who was detained for 20 hours at Dulles Airport.

JAMES LYLE: She was crying hysterically, and agents refused to let her speak with her parents for over 14 hours. They kept her in a cold room, with no bed, blanket or pillow and didn’t give her anything to eat, other than a cookie and some soda.

SARAH ABDURRAHMAN: Even though she was a US citizen, CBP ultimately deported the little girl. She returned to the US three weeks later and was diagnosed with posttraumatic stress disorder.

JAMES LYLE: The fact is it’s not necessary to abuse citizens and permanent residents or anyone to do the work of a Customs and Border Protection official. And yet, there aren’t any meaningful mechanisms holding Customs and Border Protection officials in check, and so there’s a real sense of impunity.

These stories are shocking, but they’re not scattered incidents—they represent a well-documented pattern of abuses of power.

If this stuff is news to you, as it is to many US citizens, it may be hard to come to terms with. A quick Google search will produce hundreds of personal narratives and media stories about abuses by our border control, or you could check the ACLU’s extensive documentation linked from any of their stories on the subject. You might want to take a moment and get a sense of the scope of the problem, and let it sink in.

If, after that, you accept these statements about border control’s tendency to overreach and current use of social media searches, you should be concerned that social networking data can be used to punish and exclude immigrants and visitors to the US whose contacts post political speech.

A reminder: all of this took place during previous administrations, so this is where we were before the current president was sworn in.

2. The US suppresses political protest, often violently

US law enforcement and governmental agencies have a history of violence toward political dissidents—and of pervasive domestic surveillance.

Consider the state of political protest in the US before this administration. Under the Obama and G.W. Bush administrations, peaceful protestors in the US were gassed, beaten, maimed, and jailed without cause. Legal observers and journalists covering protests have been brutalized and charged with rioting.

And our broader history is particularly brutal. Popular culture remembers that police beat and firehosed peaceful civil rights protestors, and set attack dogs on them. We vaguely recall that the National Guard murdered student protestors at Kent State. Few of us know much about the COINTELPRO program, in which the FBI secretly, directly, and illegally attacked political dissenters and organizations within the US for fifteen years; the program was only exposed when a dissenting group burgled an FBI field office and gave the documents they stole to the media.

This is a good point to note that ten US states are attempting to criminalize, or increase existing penalties for, peaceful civil disobedience tactics practiced largely by Black and progressive groups, in some cases by classing them as economic terrorism. (Among the tactics officials are attempting to criminalize: persistently shouting at current or former politicians.)

It’s wonderful that the Women’s Marches last month were blessed with a protective, relaxed police response. But the day before, DC police used intense violence against Inauguration Day protestors, including the elderly and those clearly marked out as legal observers, then charged protesters and journalists with felony rioting. US News and World Report notes that the felony riot charges were justified with a reference to an event that took place after the arrests themselves:

Curiously, the charging papers for the mass-arrested group state a property damage estimate in excess of $100,000 and describe a big-ticket limo fire that occurred Friday afternoon in a different location and after the mass arrests took place.

Many protesters on January 20th were not peaceful; many were. As is often the case in the US, the presence of the former was used to justify the use of physical violence and unconstitutional legal force on the latter.

If you accept that—contrary to our national view of ourselves as a tolerant nation dedicated to free speech—we have selectively and violently targeted political protestors for abuse, you should probably be concerned for the future of political dissenters if our government happens to take a turn toward greater authoritarianism.

As for the question of surveillance, that’s easy. Thanks to whistleblowers, we know a little bit about some of the US government’s domestic surveillance tactics. We know they pursue social network data, both with warrants and without them. Again, this was all true during previous administrations.

This is the best documented and widely discussed piece of the argument, so I’m going to assume you accept this point. If you do, you should probably accept the idea that it’s very likely that all of your social network data will be available to any sufficiently motivated governmental agency.

3. The current administration is uniquely dangerous

Our current president and his administration have demonstrated their desire to make the US more dangerous for both immigrants and dissidents.

After the recent executive order banning entry for citizens of several majority-Muslim countries, the mass revocation of visas, and the chaos that has ensued, I don’t think I need to make much of a case that our president is willing to crash longstanding political and governmental norms to target immigrants. His campaign was built in part on caricaturing Latino and Muslim residents of the US as dangerous criminals, whether they’re recent immigrants or not, and he shows every sign of continuing to hold these positions as president.

The White House, under the guidance of Breitbart’s Steve Bannon, has even announced that it will publish a list of crimes committed by immigrants, a tactic previously used by…Breitbart. (The SPLC has the actual numbers to counter the “extrapolated,” a.k.a. largely made-up, figures used by white nationalist and other far-right groups to paint immigrants as a force of special evil.)

The president has also repeatedly claimed that popular opposition to his campaign, and now his presidency, is a hoax—that protestors are paid actors or criminals, which casts them as illegitimate threats to democracy. And he’s been pretty clear about which approaches to protest he considers admirable:

When the students poured into Tiananmen Square, the Chinese government almost blew it, then they were vicious, they were horrible, but they put it down with strength. That shows you the power of strength.”

When pressed during his campaign to explain his apparent endorsement of the massacre in Tiananmen, he said he was merely noting the strength of the government’s repressive actions—and called the protests a “riot” in the process. For those who remember only the photo of a man standing in front of a tank, a reminder that the Chinese government killed somewhere between 200 and several thousand unarmed citizens in the Tiananmen protests.

And, famously, our president admires Vladimir Putin’s leadership style.

“He’s running his country and at least he’s a leader, unlike what we have in this country.”

Reminded by his interviewer that Putin’s government kills journalists, the president—then candidate—responded “I think our country does plenty of killing also.” Just as a reminder, when Russian citizens criticize their government online, they get jailed, sometimes for years.

Our president is a man who wanted a military parade with pavement-crushing tanks through DC for his inauguration/Day of Patriotic Devotion. He’s jovially discussed beating protestors at his rallies. He has targeted organizations and individuals for public shaming and attacks for crossing or displeasing him, including members of the press.

What does this have to do with your online habits? As protests across the US continue to build, and begin to be normalized as a non-extreme activity, the risk that the president and his administration will enact a retaliatory crackdown on protestors and activists continues to grow. And if they’re going to do it, they’re going to do it before the protests achieve critical mass.

I don’t think that this administration will succeed. If they put a lot of middle-class white protestors in jail, I think they will suffer real political damage. But I think the harm they could do in the meantime is considerable.

If you accept that our president has expressed admiration of violent repression of political dissent, and continues to cast both protesters and immigrants (documented or not) as threats to national stability and security, you should probably be concerned that his leadership will endanger both non-citizens and political dissidents.

4. Facebook will sell you for scrap

It’s very easy to forget what we know about Facebook, and to believe that it’s neutral or even generally in favor of liberty. Tech companies are all about openness, after all, and we’re all on Facebook so it must be okay…

Facebook is a machine for turning your emotional responses into money. It has no values. What it does have is a long record of anti-privacy actions, inviting your friends to snitch on you, collusion with governmental surveillance, facial-recognition databanking, and at least one deliberate attempt to secretly influence users’ emotional states. The European Commission has warned EU citizens not to use Facebook if they prefer that their private data not fall into the hands of US intelligence and law enforcement agencies.

Facebook changes harmful policies when they’re discovered and when grassroots action threatens its profits, full stop. (Twitter, by contrast, has such strong commitments to transparency and free speech that it refuses to kick Nazis off its platform even when their abuses threaten its profits. Whee.)

If you believe Facebook will keep your data safe and never let it be used against you or your most vulnerable contacts, by governmental or private entities, you’re putting your faith in an entity that has demonstrated bad faith for years.

And remember:

You can also delete your account, but Facebook reserves the right to keep information that others have shared about you. Because to Facebook, that information isn’t yours.

So if you know someone who leaves Facebook to protect themselves against any of the risks I’ve outlined, everything you’ve added to the company’s profile of that person remains available to both Facebook and its partners.

Ferocity trumps despair

[Image: still of Beyoncé from the video for “Hold Up,” in which she destroys a surveillance camera and various other things while wearing the most beautiful yellow dress in the world]

This woman is holding a baseball bat.

If controlling your speech feels frustrating, let it remind you that we are living through a moment of unusual danger. Do the things (make the calls, fund the lawsuits, do the work of mutual aid). Know your opponents (they’re probably not your fellow voters). Keep connected to your communities. But don’t despair and don’t withdraw.

We are in dicey times, but we’re not dead yet, and even if things don’t get science-fiction bad, we’re going to require resilience and raw cussedness to destroy the cultural, political, and economic machinery that got us here. Much of our courage and support comes from the people we read and talk to and love online, often on the very networks that expose us—and our friends—to genuine enemies of freedom and peace. We have to keep connected, but we don’t have to play on their terms.


The anatomy of a cow poem, or ‘bredlik’


krabbydon:

The poem is generally first person and begins with “My name is…”, unless part of a series; series are structured as dialogues.

Cow poems are in strict iambic dimeter.

A cow poem has the scheme *A*A*B*B.

The cow stanza is a 6-line stanza followed by a 2-line ‘punchline’, varying on “I [do the thing]//I lick the [thing]”; much like Benadryl Cabbagepatch, the closer the conformity, the better the effect.

Spelling is more-or-less phonetic, especially for vowels, with some exceptions (classical cow poems make exceptions for “I”, notably) and certainly no numbers; the effect is often described as ‘pseudo Chaucerian’. The grammar too is fairly standard.

Or to put it another way

My naym is pome
And wen you noe
The rouls that mayk
My strukchur floe
And poeits bend
Tou hone ther art

I mayk you smyl
I tuch the hart 


Attacking the Phishing Epidemic


As long as people can be tricked, there will always be phishing (or social engineering) on some level or another, but there’s a lot more that we can do with technology to reduce the effectiveness of phishing, and the number of people falling victim to common theft. Making phishing less effective ultimately increases the cost to the criminal, and reduces the total payoff. Few will dispute that our existing authentication technologies are stuck in a time warp, with some websites still using standards that date back to the 1990s. Browser design hasn’t changed very much since the Netscape days either, so it’s no wonder many people are so easily fooled by website counterfeits.

You may have heard of a term called the line of death. This is used to describe the separation between the trusted components of a web browser (such as the address bar and toolbars) and the untrusted components of a browser, namely the browser window. Phishing is easy because this is a farce. We allow untrusted elements in the trusted windows (such as a favicon, which can display a fake lock icon), tolerate financial institutions that teach users to accept any variation of their domain, and use a tiny monochrome font that makes URLs easy to mistake, even if users were paying attention to them. Worse still, we tell users to conduct the trusted operations of authentication and credit card transactions in the untrusted space: the website portion of the web browser.

Our browsers are so awful today that the very best advice we can offer everyday people is to try and memorize all the domains their bank uses, and get a pair of glasses to look at the address bar. We’re teaching users to perform trusted transactions in a piece of software that has no clear demarcation of trust.

The authentication systems we use these days were designed to be able to conduct secure transactions with anyone online, not knowing who they are, but most users today know exactly who they’re doing business with; they do business with the same organizations over and over; yet to the average user, a URL or an SSL certificate with a slightly different name or fingerprint means nothing. The average user relies on the one thing we have no control over: What the content looks like.

I propose we flip this on its head.

When Apple released Apple Pay on the Web, they did something really unique, but it wasn’t the payment mechanism that was revolutionary to me – it was the authentication mechanism. It’s not perfect, but it does have some really great concepts that I think we can, and should, adopt into browser technology.  Let’s break down the different concepts of Apple’s authentication design.

Trusted Content

When you pay with Apple Pay, a trusted overlay pops up over the content you’re viewing and presents a standardized, trusted interface to authenticate your transaction. Having a trusted overlay is completely foreign to how most browsers operate. Sure, http authentication can pop up a window asking for a username and password, but this is different. Safari uses an entirely separate component with authentication mechanisms that execute locally, not as part of the web content, and that the web page can’t alter. Some of these components run in an execution space separate from the browser, such as the Secure Element on an iPhone. The overlay itself is code running in Safari and the operating system, instead of being under the control of the web page.

A separate trusted user interface component is meant to be unmistakable to the user, but many such components can be spoofed by a cleverly designed phishing site. The goal here is to create a trusted compartment for the authentication mechanism to live in that extends beyond the capabilities of what can typically be done in a web browser. Granted, overlays and even separate windows can be spoofed, and so creating a trusted user interface is no easy task.

Trusted Organization

From the user’s perspective, it doesn’t matter what the browser is connecting to, only what the web page looks like. One benefit Apple Pay has over typical authentication is that, because the execution code for it lives outside of the web page, in native code, it has control over what systems it connects to, what certificates it’s pinned to, and how that information gets encrypted. We don’t really have this with web-based authentication mechanisms. The phishing site might have no SSL at all, or might use a look-alike certificate. The responsibility of authenticating the organization is left up to the user, which was simply an awful idea.

Authenticating the User Interface

Usually when you think about an authentication system, you think about the user authenticating with the website, but before that happens with Apple Pay, the Apple Pay system first authenticates with the user to demonstrate that it’s not a fake.

In the case of Apple Pay, the overlay displays your various billing and shipping addresses and credit cards on file; sensitive information that Apple knows, but a phishing site won’t. Some of this is stored locally on your computer so that it’s never transmitted.

We’ve seen less effective versions of this with “SiteKey”, sign-on pictures and so on, but those can easily be proxied by the man-in-the-middle because the user is relying on the malicious website to perform the authentication. In Apple’s model, Apple code performs the authentication completely irrespective of what content is loaded into the browser.

No Passwords Transmitted

The third important component to note of Apple Pay is that passwords aren’t being sent, and in fact aren’t being entered at all. There’s nothing to scam the user out of except for some one-time use cryptograms that aren’t valid for any other use. While TouchID is cool, there are also a number of other forms of password-less authentication mechanisms you can deploy once you’re executing in trusted execution space.

One of the most common forms of authentication that never transmits the password is challenge/response. C/R authentication has been around for a long time, and allows legacy systems to continue using passwords while greatly reducing the risk of interception by not sending the password. As much of a fan of biometrics fused with hardware as I am, this isn’t very portable. That is, I can’t just jump on my friend’s computer and pay for something with Apple Pay without reprovisioning it.

Let’s assume that the computer has control over the authentication mechanism, instead of the website. The server knows your password (or, better, a salted derivation of it), and so do you. The server can issue a random challenge, and your computer can compute the proper response from that challenge and the password you enter, so the password itself never crosses the wire. Challenge/response can be done many different ways; even the ancient Kerberos protocol supported cryptographic challenge/response. Two caveats apply to any such scheme: a captured challenge/response pair still lets an eavesdropper test password guesses offline, so the derivation has to be slow and salted, and the response should be bound to the origin the page actually came from, or a phishing site can simply relay a genuine challenge in real time. That secure user interface can flat out refuse to send your password anywhere, and so a phishing site would have to convince the user to type it not just into a different site, but into a completely different authentication mechanism that they’ll be able to identify as different. Sure, some people are gullible to this, but a lot fewer than are gullible to a perfect copy of a website. That small percentage of gullible people is a smaller problem to manage.

Why don’t we use challenge/response on web pages today? For one, because we’re still authenticating in untrusted space (the browser window). The user has no idea (and doesn’t care) what happens to their password when they type it into some web browser window, and it’s just as easy to phish someone no matter what authentication mechanism you’re using in the background. What makes this feasible now is that in our ideal model, we’re doing authentication in trusted execution space – space that’s independent of the web page. This changes the game. Take the Touch Bar for example. TouchID is authenticated on the Touch Bar, but password entry could also be authenticated on it from the web browser.
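The exchange described above, worked through as an added example that is not code from the original post or from Apple: a browser-owned component holds the password, the server holds only a salted derivation, and the response to each random challenge is an HMAC over the challenge plus the origin the page was served from. The origin binding goes one step beyond plain challenge/response, and the demo shows why it matters: a phishing site that relays a genuine bank challenge in real time gets a response bound to its own origin, which the bank rejects. The last function demonstrates the caveat that survives even then, namely that one captured exchange lets an eavesdropper test password guesses offline. The Server and TrustedAuthUI classes, the origins, the username and the low PBKDF2 iteration count are all assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Assumption for the demo: a deliberately low iteration count keeps the
# offline-guessing function fast. A real deployment uses far more.
PBKDF2_ITERATIONS = 1000


def derive_key(password: str, salt: bytes) -> bytes:
    """Turn a password into a key. The server stores only this salted
    derivation (an assumption; the post just says the server knows the
    password), so a server breach does not hand out plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def compute_response(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Response = HMAC(key, challenge || origin). Binding the origin is the
    addition beyond plain challenge/response: a response produced for a
    phishing origin is useless against the real server."""
    return hmac.new(key, challenge + b"\x00" + origin.encode(), "sha256").digest()


class Server:
    """Hypothetical bank backend. It never sees a password on the wire."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}      # username -> (salt, derived key)
        self.pending = {}    # username -> outstanding challenge

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str):
        """Hand out the salt (public, as in Kerberos/SRP) and a fresh nonce."""
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        _, key = self.users[username]
        nonce = self.pending.pop(username)
        expected = compute_response(key, nonce, self.origin)
        return hmac.compare_digest(expected, response)


class TrustedAuthUI:
    """Stands in for the browser-owned overlay: the password is typed here
    and never leaves; only the HMAC response is handed back to the page.
    It binds the response to the origin the page actually came from."""

    def __init__(self, password: str):
        self._password = password
        self.transmitted = []   # everything ever released to web content

    def respond(self, salt: bytes, nonce: bytes, page_origin: str) -> bytes:
        key = derive_key(self._password, salt)
        response = compute_response(key, nonce, page_origin)
        self.transmitted.append(response)
        return response


def honest_login(server: Server, ui: TrustedAuthUI, username: str) -> bool:
    salt, nonce = server.challenge(username)
    return server.verify(username, ui.respond(salt, nonce, server.origin))


def relay_phish(server: Server, ui: TrustedAuthUI, username: str, phishing_origin: str) -> bool:
    """Real-time relay attack: the phishing site fetches a genuine challenge
    from the bank and forwards it to the victim's trusted UI. Because the UI
    binds the response to the phishing origin, the bank rejects it."""
    salt, nonce = server.challenge(username)
    stolen = ui.respond(salt, nonce, phishing_origin)
    return server.verify(username, stolen)


def password_leaked(ui: TrustedAuthUI, password: str) -> bool:
    """Did the password ever appear in anything the trusted UI released?"""
    return any(password.encode() in blob for blob in ui.transmitted)


def offline_guess(salt: bytes, nonce: bytes, origin: str, response: bytes, candidates):
    """Caveat: an eavesdropper holding one captured exchange can test
    password guesses offline. Slow, salted derivation is the only brake."""
    for guess in candidates:
        candidate = compute_response(derive_key(guess, salt), nonce, origin)
        if hmac.compare_digest(candidate, response):
            return guess
    return None


def demo() -> dict:
    """Run the honest login, the relay attack, and the offline guess."""
    bank = Server("https://bank.example")            # assumed origin
    bank.enroll("alice", "correct horse")            # constructed account
    ui = TrustedAuthUI("correct horse")
    honest = honest_login(bank, ui, "alice")
    phished = relay_phish(bank, ui, "alice", "https://bank-login.example")
    # An eavesdropper records one genuine exchange and attacks it offline.
    salt, nonce = bank.challenge("alice")
    captured = ui.respond(salt, nonce, bank.origin)
    bank.verify("alice", captured)
    guessed = offline_guess(salt, nonce, bank.origin, captured,
                            ["password", "hunter2", "correct horse"])
    return {"honest": honest, "relay_phish_accepted": phished,
            "password_leaked": password_leaked(ui, "correct horse"),
            "offline_guess": guessed}


if __name__ == "__main__":
    print(demo())
```

The relay result is the part worth dwelling on: without the origin in the HMAC input, the phishing page could forward the bank’s nonce, collect the victim’s response and replay it to the bank within the same session, so the trusted UI on its own does not defeat a live proxy. The offline result is the reason a slow derivation and per-user salt are not optional, and why a PAKE (SRP and its successors) is the next step beyond this scheme.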

An Optimal Authentication Mechanism

The ultimate goal is to condition the user to a standardized interface that can both authenticate the validity of the resource as well as authenticate itself to the user before the user is willing to accept its legitimacy and input a password.

Conditioning the User

A user interface element that is very difficult to counterfeit can also be quite difficult to create, but the benefits are considerable: If someone spends enough time around real money, they’ll be able to spot a counterfeit with a much higher success rate. On the other hand, having to look at a dozen different, poorly implemented authentication pages will condition users to accept anything they see as being real.

Our ideal authentication mechanism has an unmistakable and unreproducible user interface element. The user visits a website requiring authentication, and that website includes the necessary tags to invoke the browser’s authentication code, executed separately. Regardless of the website, this standardized authentication component is activated with a standard look; as a trusted component of the browser. Plain Jane, this could easily be an overlay that appears over the portion of the web browser that’s out of reach by the website (e.g. the address bar area). Get a bit fancier, and we’re talking about incorporating the Touch Bar or other “out of band” mechanisms on equipped machines to notify the user that an authentic authorization is taking place.

Get the user used to seeing the same authentication mechanism over and over again, and they’ll spot cheap counterfeits much more easily. Needle moved.

Authenticating the User Interface

The user interface itself needs to authenticate itself to the user in ways that make cheap knockoffs stand out. Since the browser controls this, and not the website, we can do a number of different things here:

  • Display the user’s desktop login icon and full name in the window.
  • Display personal information specified by the user when the browser is first set up; e.g. “show me my first card in Apple Pay” or “show me my mailing address” whenever I am presented with an authentication window.
  • Display information in non-browser areas, such as on devices equipped with a Touch Bar, change the system menu bar to blue or green, or present other visual cues not accessible to a web browser.
  • Provide buttons that interact with the operating system in a way that a browser can’t (one silly example would be to invert the colors of the entire screen when held down).
  • Suspend and dim the entire browser window during authentication.

Authenticating the Resource

Authenticating the resource that the user is connecting to is one of the biggest challenges in phishing. How do you tell the user that they’re connecting to a potentially malicious website without knowing what that website is? We’re off to a good start by executing code locally (rather than remote website code) to perform the authentication. Because of this, we can do a few interesting things that we couldn’t do before:

  • We can check that the destination resource presents a valid SSL certificate. Granted, a phishing site can obtain a perfectly valid certificate for its own domain, so this alone proves little; but it raises the cost of running a phishing site, not just in dollars but in the time needed to provision new certificates against the time it takes to add one to a browser blacklist.
  • We can automatically pin SSL certificates to specific websites when the user first enrolls an account (pinning the site’s public key or issuing CA rather than the leaf certificate, so that routine renewals don’t trigger false warnings), keep track of the websites they’ve set up authentication with, and warn them when asked to authenticate on a website they never enrolled on.
  • Existing blacklists and whitelists can now be tied to SSL certificate information, allowing better automated determinations on the user’s behalf.
  • We can share all of this information across all of the user’s devices e.g. via iCloud, Firefox’s cloud sync, and so on, to make it portable.

Other, more elaborate things we can do with the protocol include storing a cached copy of an icon the website provides when the site is first provisioned, giving the user a visual cue. For a phishing site to acquire that cue, the user would have to step through a very obvious enrollment process designed to look noticeably different from authentication. Icons for previously unknown sites could display a yellow exclamation mark or similar to warn the user. In other words, that piece of content can only be displayed for websites the user has previously set up, because local code controls it.

We can also do some things we do now, but better. For example, we can display the organization name and website name very clearly in our trusted window, in large text, with additional visual cues: underlining similarities to other websites in red (e.g. PayPai.com), highlighting digits in red (e.g. PayPa1.com), and showing internationalized domain names in their punycode (xn--) form so that look-alike characters from other scripts can’t pass as Latin letters. There’s no other content to distract the user, because this all happens in a trusted overlay, presumably with the browser window dimmed.

The user will still receive warnings when authenticating on someone else’s computer, and this is a good thing. The idea is to draw attention to the fact that you’re conducting a non-standard transaction and could potentially be giving out your credentials.

The goal of all this is to remove the website content as the authenticating component. What a website looks like is the #1 visual element the end user relies on to judge its legitimacy. What I am suggesting is to dim that content completely and force the user to focus on some very specific information and warnings.


Authentication With and Without Passwords

To improve upon our ideal authentication mechanism, we can deploy better authentication protocols. Passing the password back and forth can be dropped altogether as a function of this mechanism, and websites adopting it present a great opportunity to force better protocol alternatives. Where the platform supports it, the password can be removed completely in favor of a biometric that unlocks a credential held on the device; the biometric itself never leaves the device.

Two-factor authentication can itself be phished, but requiring it at enrollment (by SMS, email or authenticator app) can dramatically limit a victim’s exposure. Requiring a second factor for any passworded mechanism will certainly diminish the success rate of a phish and raise its cost: the man in the middle now has to be present and able to log in at that very moment, rather than collecting credentials to use later.

For passworded authentication, challenge/response using cryptographic challenges can be enforced, because local code, not website code, is running. Once you’ve resolved that this standard will not support sending passwords in any way, shape or form, the transit attack surface shrinks significantly.

Conclusion

The overall benefit of an authentication mechanism that executes locally as a component of the browser (and potentially the operating system), rather than as a component of the website, is significant. It would mean standardized user interface components, protocol and security elements, and resource validation, and it would provide a single point of entry for further anti-phishing efforts, which could then extend far beyond the URL validation we are limited to today.

Granted, this won’t address many other forms of social engineering. It’s very easy to send an email telling someone their account is limited and direct them to some insecure site, but the idea is to condition and familiarize the user with one common set of authentication visuals so that they will question the legitimacy of any alternative visual elements if they appear. At present, the visual elements of a legitimate authentication page and a malicious one are identical. This approach sets out to stop that.

Not only would such a scheme greatly diminish the overall effectiveness of phishing attacks, it would simultaneously help get rid of the awful custom code written by organizations doing authentication completely wrong. We see this every day; authentication has become a hodgepodge of developer ineptitude. Placing this responsibility on the browser’s code rather than the website’s would give us what could become an accepted standard (should a working group take up the subject) and, at worst, a few web browsers doing it wrong and needing to be fixed, rather than thousands of websites.

As long as people can be tricked, there will always be phishing (or social engineering) on some level or another, but there’s a lot more that we can do with technology to reduce the effectiveness of phishing, and the number of people falling victim to common theft.


zwol
8 days ago
This is maybe a little too Apple-centric and needs a bunch of UX testing but I endorse the basic idea. (Persona could have become this, if it had ever gotten the corporate backing it needed.)
Mountain View, CA
acdha
8 days ago
Persona still seems like one of the larger unforced errors which Mozilla has made in the last few years. There was so much potential for making the web a better place and then it was abruptly cancelled just as it was starting to get traction, pushing everyone that much further into the Google/Facebook systems.
acdha
9 days ago
Washington, DC
1 public comment
jimwise
10 days ago
...

4chan: The Skeleton Key to the Rise of Trump

1 Comment and 2 Shares
4chan: The Skeleton Key to the Rise of Trump Trump’s younger supporters know he’s an incompetent joke; in fact, that’s why they support him. An Italian…
acdha
9 days ago
There was one a time I thought we'd be able to stop hearing about 4chan in some halcyon future…
Washington, DC
zwol
8 days ago
Mountain View, CA

The little yellow box that has made thousands of operations safer

3 Shares

At the hospital of Meaux 77 in France, this nurse shows a child a pulse oximeter device that measures the rate of oxygen in the blood. (credit: BSIP/UIG Via Getty Images)

Millions of people are left dead or disabled by surgical complications each year when one simple piece of kit could have saved them. For Mosaic, Jane Feinmann discovers how it has helped transform medicine in Mongolia. Her story is republished here under a Creative Commons license.

Gundegmaa Tumurbaatar glimpsed her son only for an instant as he was carried into the aging Soviet-built hospital where she works. It was one of the first fine days after the grueling Mongolian winter, and she had left Gunbileg, aged three, and his older brother playing outside, telling them to be careful. Now, he was moaning in pain and covered from head to toe in filth and blood. A passer-by had brought Gunbileg to the hospital after seeing the two boys trying to jump over an open manhole above a sewer—watching in horror as the younger boy had fallen into the jagged pit on his abdomen. By the time Gundegmaa saw him, he was in shock, his belly frighteningly distended, an internal hemorrhage putting him at imminent risk of cardiac arrest.

She learned the details of his injuries later: his spleen, the delicate fist-sized organ that sits just below the ribs and which acts as a blood filter as part of the immune system, was ruptured. “His tummy must have caught on something sharp inside the hole in the ground,” she says. But she didn’t need to be told how serious this was. As soon as she saw him, Gundegmaa, a midwife at the hospital, knew that this was a potentially fatal internal injury. Suddenly, the life she and her husband, Batsaikhan Batzorig, had created with such effort looked about to turn to dust.

Started in the ’70s, spreading today

Gundegmaa and Batsaikhan were both born in the small town of Ondorkhaan in Khentii Province—one of the coldest spots on the Mongolian Steppe and 330 km of often deeply pitted road away from the capital city, Ulaanbaatar. They had married soon after leaving school, and their first child was born 12 years ago.

Back then it was a grim time in Mongolia, which was still in the grip of the desperate poverty that hit when 70 years of Soviet influence ended in the early 1990s. Russian forces had withdrawn from the country, taking with them the loans that had kept Mongolia afloat. It was fortunate that there were, and still are, hundreds of thousands of nomads in the country, around a quarter of the population. With their livestock—25 million cows, horses, sheep, and goats—at least people didn’t go hungry.

But the couple worked hard to build a life together. First, Gundegmaa enrolled at the nursing school in Ulaanbaatar that had been established under the Soviet ‘Semashko’ healthcare system. Her husband remained at home with their baby—and then three years later they swapped roles 'round, so that by 2010 both had jobs with the local hospital. He was a senior nurse; she was a midwife.

Their hometown was also on a roll, it being the capital of the province where the 12th-century Mongol warrior Chinggis Khan (known as Genghis Khan elsewhere) is thought to have been born. During the Soviet era, Mongolians were forbidden even to utter the name of the man they now regard as their national hero. But in 2013, the town known as Ondorkhaan was grandly renamed Chinggis City by an act of parliament. Gundegmaa and her family could visit a new museum featuring a replica of the great leader’s ger, the traditional tent made of white felt, of this nomadic people. The town’s playgrounds, as throughout Mongolia, have figures of children (of both sexes) engaged in the ‘three manly sports’—horse riding, wrestling, and archery—that Chinggis Khan considered essential daily activities for his warriors.

Just two weeks before Gunbileg’s accident, the family had moved into their first proper home, a flat in one of the new high-rise blocks.

On duty the day of the accident was Dr Mendbayar Lkhamsuren, an experienced surgeon with more than 4,200 operations under his belt since he started working at the hospital in 2000—including, crucially, four previous cases involving a ruptured spleen. Through his training in safe surgery, Mendbayar has a genuine humility about the work he undertakes. “When I wake up in the morning, I reflect on the fact that I’m only human and that I’m just as capable of making mistakes as anyone else,” he tells me.

Mendbayar and his surgical team worked fast to remove the spleen and stem the bleeding, and Gunbileg survived. Now aged four, he needs to have all his jabs: without his spleen, he’s at increased risk of infectious diseases such as pneumonia and flu. But he is brimming with health and optimism and has a passionate attachment to “my doctor Mende.” When I meet him in the antenatal department of the hospital, keeping close to his mother, he lifts up his long white jacket, just like his hero’s, which covers a prominent scar on his tummy.

A major contributory factor to his survival is a very bright idea that is changing emergency healthcare for people living in low- and middle-income countries.

As Gunbileg was carried into the emergency room in May last year, a nurse placed on his finger a small peg-like device attached by a wire to a battered-looking yellow monitor the size of a mobile phone. “Don’t be taken in by appearances,” the hospital’s anesthetist says as she sees me squinting to inspect it during my visit last October. “That device has been used every single day for the past four years. It’s saved hundreds of lives. And it’s still going strong.”

The device is a pulse oximeter. Invented by Japanese scientists in the early 1970s, this non-invasive device, which attaches via a clip to the top of the patient’s finger, accurately measures blood oxygen saturation—the percentage of hemoglobin in the blood that is oxygenated—and displays the figure on the monitor along with the patient’s pulse rate. The device’s audible beep reassures the team that all is well, with the pitch dropping if there’s a problem, allowing the anesthetist to ‘hear’ any changes in oxygen saturation levels.

In high-income countries today, pulse oximeters are part of the furniture in recovery rooms, ambulances, accident and emergency departments, and many hospital wards—wherever patients’ symptoms are serious and unpredictable. Its most important role, however, remains where it first began: in the operating theatre. “Oximetry is a key component in the revolution in anesthesia care that has brought down the death rate from anesthesia by over 95 percent in a generation,” says Dr Atul Gawande, the Boston surgeon, bestselling author, and New Yorker magazine writer. In the early 1970s, one in 10,000 people per anesthetic administered died while under the gas in the USA: thousands of people were dying every year. By the 1990s, when pulse oximetry was routinely used, that was closer to the current figure of less than one in 100,000.

Yet the benefits of pulse oximetry have failed to spread throughout the world. More than 77,000 operating theatres in low- and middle-income countries were carrying out surgery without a pulse oximeter according to a survey carried out in 2010, two decades after pulse oximetry became routine in affluent countries.

Meanwhile, the rate of surgery in these countries has been increasing. The annual number of operations globally increased from 234 million in 2004 to an estimated 359 million in 2012 according to the World Health Organization (WHO), which reported that the 38 percent increase in ‘surgical volume’ is occurring almost exclusively in low- and very-low-resource countries. And rightly so, says Gawande. “Of course this rate of surgery is needed,” he says. “More people die every year from conditions that can be effectively treated with surgery than from HIV, malaria, and tuberculosis combined. And surgery is essential for reducing maternal mortality and deaths from road traffic accidents.”

The problem is that while the rate of surgery is increasing, so is the rate of those damaged by surgery. Research published in the Lancet in 2009 shows that more than 7 million people are left dead or disabled from complications due to unsafe surgery every year—with the risk of complications and deaths from essential operations up to 1,000 times higher in low-resource settings.

All but the newest recruits to the Mongolian anesthesia community understand the background to these statistics. Dr. Unurzaya Lkhagvajav, a former president of the Mongolian Society of Anesthesiologists, qualified as an anesthetist in 1980 and reckons she has provided anesthesia for 30,000 operations. The equipment she had available to keep a patient safe during most of these operations was a stethoscope, a watch with a second hand, and a pencil. “The only way to know if a patient’s blood was oxygenated was to take the patient’s pulse throughout the operation and check the colour of the fingernails: if they were pink, the patient was in good health,” she recalls. “It was exhausting work. And once the operation was over, the need to monitor blood oxygen levels is just as important. The only way to check for post-surgical complications was to sit with the patient all night. And of course that wasn’t always possible, not when you had a long shift the next day.”

In 2008 Gawande, at the request of the WHO, led a group of expert nurses, anesthetists, and surgeons to create the Surgical Safety Checklist. Essentially, it is a communications framework designed to eliminate human error in the operating theatre in the same way as the aviation industry has made flying safe for passengers. But alongside behavioural change to ensure effective teamwork and, for instance, that appropriate bloods and equipment are easily accessible and antibiotics administered, there’s a single piece of the kit, the pulse oximeter, that is mandated by the checklist. Without it, the WHO decided, surgery is simply unsafe.

In 2011, with the support of prominent medical institutions, Gawande helped to found the charity Lifebox to make safe surgery a reality throughout the world. “We started by doing work that reduced the cost of robust, hospital-grade pulse oximeters for low-income countries by over 80 percent to just $250,” he explains. The Lifebox oximeter can withstand extreme heat and cold, and the battery is functional for at least 12 hours. Crucially, it is also tough and can be dropped from table height without breaking. “It’s not going to break down soon after arrival, a serious problem with medical equipment in low-resource countries,” says Gawande.

Studies suggest that the WHO checklist, when used correctly with pulse oximetry, reduces complications and mortality by 30 percent. By providing pulse oximeters in low-resource settings, Lifebox estimates that it has contributed to making surgery safer for 10 million patients. Through donations, Lifebox has distributed nearly 15,000 oximeters to hospitals in settings where even the cheapest and most fragile oximeter is unaffordable. But it’s much more than this, Gawande says. “If all we were doing was parachuting in a bunch of pulse oximeters, we wouldn’t have such a tremendous impact.” Instead, through a volunteer network of anesthetists from high-income countries, Lifebox has supplied thousands of anesthesia providers in low-income countries with safety skills training. “Once you introduce the device and safety training into the riskiest part of the hospital system, you begin to build confidence that there are professional values at work aimed at generating better, safer care,” Gawande explains. “It gives clinicians confidence that they can take on more difficult cases. And people begin to believe that turning to hospitals when you are in desperate trouble is safe, that these are places you want to go.”


New ideas

Dr. Ganbold Lundeg was surprised when he first read the Bible—and not pleasantly. It was 1993, a low point in Mongolian history, when post-Soviet medicine, like the country itself, was floundering. Ganbold, a lecturer in anesthesia at the Health Sciences University of Mongolia, wasn’t alone in wondering whether the Bible, much promoted by a visiting surgeon and missionary from Arkansas, Dr. Albert ‘Buck’ H Rusher, might offer an answer. So he decided to learn English in order to read it.

The American’s Bible classes were a hit with the Mongolian medical community. “Some doctors were converted to Christianity without reading the Bible,” recalls Ganbold. “I wanted to read it first.” He enrolled at an international school, attending the one English-language course in the whole of Mongolia at the time. “I’d heard so much about the Bible,” he recalls. But the text, particularly the Old Testament, was unimpressive, “just like the fairy stories we heard as children.”

Yet he has never regarded as wasted the time he devoted to reading how Moses led his people through the Red Sea. Learning English gave him access to English-language medical journals, to which he was able to subscribe with the support of the missionary. “Even in the 1990s, these journals were regarded as subversive—they always arrived opened. I once had a visit from a member of the KGB who wanted to know why I was receiving them.”

Most importantly, he says, speaking English enabled him to make a personal connection that has undoubtedly helped to save hundreds, perhaps thousands of lives. In 1999, a Melbourne-based anesthesiologist, Dr. David Pescod, arrived in Ulaanbaatar to attend a medical conference. On that first visit, Pescod survived on mutton fat and vodka and spent two weeks listening to lectures in Mongolian interspersed with electricity cuts, all in –20 degree Celsius temperatures. The only other fluent English speaker present was Ganbold, who asked Pescod to return to deliver a lecture the following year. Pescod kept going back, forging links there together with a group of Australian colleagues, and what he learned about anesthetic practices in Mongolia surprised him.

Mongolian surgical training and practice, he realised, were based on outdated, frankly dangerous 40-year-old Russian texts, with patients being given inappropriate anesthetic drugs and at insufficient doses. Pescod settled down to write a series of anesthesia textbooks designed specifically for Mongolian hospitals.

In 2004, Ganbold’s department, supported by the Australian team, started to implement the WHO’s Emergency and Essential Surgical Care programme, aimed at strengthening surgical services outside the capital city. “Many people think that surgery is something very special that cannot be delivered in a developing country or in a rural area,” he says. “But when we build up safe conditions, educate people, and train them appropriately, then doctors and nurses can deliver safe surgery in a very small hospital anywhere in Mongolia.”

The recent safe surgery developments have built on this innovation. In 2011, the WHO Surgical Safety Checklist was made mandatory by the Mongolian health department. By 2012, funding from Australian and New Zealand anesthetists had paid for 116 Lifebox pulse oximeters: 64 in Ulaanbaatar, three in Chinggis City, and the others distributed throughout the country. The oximeters themselves have been physically delivered by Lifebox, which also provides teaching materials for a one-day course on pulse oximetry that is now incorporated into a week of training on safe anesthesia that Pescod and his team continue to provide each year in Ulaanbaatar and throughout Mongolia.

Lifebox pulse oximeters have been handed out to surgical teams at ‘inter-soum’ hospitals, the large district hospitals such as the one in Chinggis City, as well as at smaller soum (township) hospitals, enabling local staff to respond to emergencies. At one level, it means that around 200 people a year with acute appendicitis are treated in Khentii Province instead of having to travel to Ulaanbaatar—the only location able to carry out appendectomies until four years ago. At the other extreme, emergency patients like Gunbileg receive urgent life-saving surgery.

In January 2014, Ganbold became one of 25 clinical experts advising the Lancet Commission on Global Surgery—“the proudest achievement in my professional career”—with its aspiration to make safe surgery and anesthesia a human right available to all. Mongolia is now cited by the Lancet Commission as a potential model in promoting safe surgery and anesthesia for other medium-sized countries such as Myanmar and Laos, and even for India and China.

Ganbold’s great ambition is to open 20 hospitals with functioning operating theatres by 2020 by building up services in strategically located provincial clinics. If that means going cap in hand to wealthy countries and organisations, that’s what he does. In Ulaanbaatar, we visit the UK ambassador to Mongolia, and Ganbold explains to her how the UK government could provide assistance with the minimum of funding. The UK firm Diamedica has pioneered the production of basic anesthesia machines that can be used virtually anywhere without electricity or even medical gases. Ganbold urges the ambassador to consider funding such machines for hospitals in remote Mongolia. She agrees to consider the idea.

It’s this persistence in seeking out and achieving the best that keeps Pescod coming back to Mongolia, he says. “Unlike other countries where I have lectured, eventually everything we bring to Mongolian anesthetists has been engaged and usually improved,” he tells me.

Dr. Bilguun Unurbileg, a senior lecturer in anesthesiology at the Health Sciences University of Mongolia and Ganbold’s number two, says that’s down to their nomadic ancestry. “Mongolians are hard-wired to reach out for new ideas. That’s the result of centuries of living in the middle of nowhere, entirely reliant on yourself to care for your family. It’s how we survive.”

Reaching rural patients

Two thousand miles south of Ulaanbaatar, Assam in northeast India has twice the country’s already high average maternal mortality rate: there are around 300 deaths per 100,000 pregnancies in Assam, compared with 174 in India as a whole and just nine in the UK. Three-quarters of these deaths occur among the 800,000-strong female workforce employed in Assam’s tea gardens, where the high number of perinatal emergencies is the result of the harsh conditions of the working day. Even when women and their babies do get successful surgery in the nearest properly equipped hospital, post-operative care remains hazardous, partly because of the lack of pulse oximetry in recovery wards.

“Healthcare for mothers working in tea gardens is pathetic,” says Dr. Surajit Giri, a consultant anesthetist and critical care physician based at Demow Community Health Centre near Sivasagar, northern Assam. He is employed by the Indian government as part of its recently established National Rural Health Mission. But he’s well aware of the deficiencies of the service. Demow is the only clinic providing care for seven tea gardens—and has only one operating theatre, with basic obstetric intensive care facilities.

Last October, Giri helped to organise (and attended) a ‘Train the Trainers’ workshop in Dibrugarh, organised by Lifebox, focusing on the benefits of pulse oximetry in post-operative care—an area local practitioners had identified as being one where they most needed support. UK consultant anesthetist Dr. Neeraj Bhardwaj talked 68 local anesthetists through a one-day ‘Safer Anesthesia’ workshop. And at the end of the day, each practitioner was able to go back to work with their own new Lifebox pulse oximeter.

The day after receiving the Lifebox oximeter, Giri made it mandatory for nurses at the health centre to monitor oxygen saturation levels in newborn babies, using the neonatal probe that comes with the adult oximeter for an extra $25. Already, he says, healthcare is safer. “That day, a baby was delivered that was shown by the probe to have just 58 percent oxygen saturation. The nurse immediately shouted for my help to resuscitate the baby, which I rushed to do—and it soon started crying healthily, maintaining oxygen concentration without assistance. Without the oximeter, that would not have happened. If five minutes had gone by before we took action, the baby would probably have survived, but with a disabling brain injury.”

The Dibrugarh course is the first event of a three-year initiative funded by the Stavros Niarchos Foundation that will eventually hand out 675 Lifebox pulse oximeters, with appropriate training, initially in three regions of India: Bihar, Odisha, and Assam. It’s the start of a journey to transform surgery in a country where currently 7,000 out of 155,000 operating theatres lack pulse oximetry.

“Of course Lifebox pulse oximeters increase the safety of patients,” says Giri. “But they also increase the security and confidence of anesthetists to join rural services, which they haven’t done before because of lack of technology and poor infrastructure.”


Ger life can continue

Ankhbaatar was 38 weeks pregnant when, lifting a heavy load while setting up camp in her felt-walled ger (or yurt), she felt a sudden sharp pain in her abdomen. It was September 2015, and she knew straight away that her baby was at risk.

The nomad family’s ger was pitched in Khovd Province in western Mongolia. It’s a natural paradise: a vast area of snow-covered peaks, rocky deserts, and salt lakes that is an adventure playground for tourists in the summer and a favoured location for Mongolia’s nomads to graze their herds of sheep, goats, and yaks.

Ankhbaatar used her mobile phone to summon the rural soum doctor from a small surgery a 20 km off-road drive away. He examined her and confirmed that she had suffered a placental abruption, the pressure from the load she was carrying almost certainly causing a swathe of blood vessels that feed the fetus to detach from the wall of the uterus.

“The rural doctor reported that the fetus was distressed and that it was out of the question for the mother to travel to us,” recalls Dr. Nansalmaa, an obstetrician based in the main hospital in the city of Khovd. So the obstetric team, Nansalmaa, an anesthetist, and a neonatologist went to Ankhbaatar’s ger, together with the basic equipment needed to carry out an emergency caesarean section, including an oxygen concentrator and suction machine, an operating lamp, a Honda electricity generator, and, perhaps most importantly, a pulse oximeter.

Within hours of an incident that until recently would have consigned Ankhbaatar (not her real name) and her baby to becoming yet another obstetric fatality, both mother and baby survived thanks to safe spinal anesthesia followed by a caesarean section.

Ger surgery is rare. But when necessary, it happens without fuss. For nomadic patients, that instills confidence: not just in the healthcare system, but also in their chosen traditional lifestyle. That’s what I discover when I call on Tumurdavaa Gursed in the ger that was the location for her emergency surgery eight years ago, when she was close to death due to a ruptured ectopic pregnancy. She too was unable to travel and would have died had the emergency surgical team not already been in operation and ready to travel through the night to carry out the emergency operation—albeit without a pulse oximeter—at first dawn.

I sit on the low bench used for the operation, reflecting on the commitment of the team back then—carrying out a two-hour operation in a roasting hot ger, the anesthetist bent almost double throughout to monitor his patient.

Tumurdavaa, serving boiled horse with blood pudding and potatoes along with fresh cream and biscuits, is silent as we eat. I take it for shyness at first, but then realise it’s simply a lack of interest in small talk. When I ask her about her brush with death, she talks at length, eloquent in paying tribute not only to the medical team but also to the impact of the policy of safe surgery on nomadic life. “I’m so joyful and reassured,” she tells me, “that I can continue living blissfully beside my animals.”


zwol
12 days ago
Mountain View, CA
acdha
12 days ago
Washington, DC

Tech and the Fake Market tactic – Humane Tech

1 Comment and 2 Shares
Tech and the Fake Market tactic In one generation, the Internet went from opening up new free markets to creating a series of Fake Markets that exploit society,…
acdha
13 days ago
A really important thing to help educate your rejected officials about
Washington, DC
zwol
13 days ago
Mountain View, CA