security research, software archaeology, geek of all trades
341 stories

memecucker: eisbecherovka: Last night, one of my former classmates from when I studied Yiddish in...




Last night, one of my former classmates from when I studied Yiddish in Lithuania sent out a copy of a letter written by her teachers at the Jacka Kuronia Multicultural Humanist High School in Warsaw regarding the recent law against claiming Polish culpability in the Holocaust. She asked that we share the letter.

You can read the original Polish version here. The English translation hasn’t yet been published, so I’m posting it below verbatim.

We are writing this letter to you, our pupils, as well as to your colleagues in other schools. Although we are also researchers working within the field of history of World War II, this letter is not part of scientific debate. Neither is it an artistic intervention. We are writing this to you as teachers.

You must have seen it yourselves, since the media have been talking about it for a week now: a new law is to be signed by the President of Poland. The law’s essence can be summed up as follows: whoever attributes to the Polish nation, or to the Polish state, co-responsibility for any offense constituting a crime against peace and humanity, or a war crime, will be subjected to penalty. In this letter, as well as in future actions, we are going to break this law.

The concept of the “Polish nation” as well as the institutions of the Polish state (and all other “nations” and states) are co-responsible for the offenses constituting crimes against peace and humanity and for war crimes.

‘Nation’ is a spell capable of turning otherwise non-violent people into unscrupulous murderers convinced of their virtuousness. In its beginnings, early in the 19th century, the word “nation” contained a promise – that of liberating peoples from tyrannical power, of recognizing different cultures and languages, of a common struggle for freedom. But when the triumphant concept of ‘nation’ became bound to the state, when a rebellious call turned into an ideology of authority, not much was left of that promise. The power of the nation-state is based on establishing barriers between people and on the incessant decisions as to who belongs in the imaginary national community and is offered its protection, and who is excluded from it and thus defenseless. The nation-state uses the concept of ‘nation’ to endow its officials with the power to take control over the lives of its subjects and to expose those who are excluded, to death.

That is the lesson history teaches us – the history of Poland included.

It was the Polish state – the Second Republic – that, in 1938, organized a camp in Zbąszyń where thousands of its Jewish citizens expelled from Nazi Germany, who had been instantly deprived of their citizenship by the Polish parliament, were imprisoned. It was the Polish state, represented by the Minister of Education that in 1937 sanctioned the “ghetto benches”, thus dividing the students in university halls on the very basis soon to be used to section people off behind the walls of the Nazi ghettos.

During the war, the Polish state – i.e., the government in London – was for over two years unable to condemn crimes against the Jews, neither on the radio, nor in the clandestine press. Even as the government did so, as late as in June 1942, it still refrained from publishing an open and resolute appeal to Poles that would call upon them to impede the extermination. It did not react accordingly despite mass deportations to death camps and despite the pleas of Shmuel Zygielbojm and Ignacy Schwarzbart, members of the Polish National Council in exile. In March 1943, a few weeks prior to the uprising in the Warsaw ghetto, when two million Jews had already been murdered in the Polish lands, Schwarzbart appealed to the Council: “I feel aggrieved at the Ministry of Interior Affairs, I feel aggrieved for it still has not addressed, in the name of this community of fate […], the Polish society so that – in this horrendous disaster, in this dreadful tragedy – they would support, as much as they can and by means they have at their disposal, morally and materially support the dying Polish Jews”.

Today, institutions of the Polish state prevent people from telling the truth about what happened during the war. Dwellers of many cities, towns, and villages do know about the murders and looting committed by Poles on their Jewish neighbors, and they want to express their sense of guilt. The national ideology which had inspired the crime is now used to enforce silence. Numerous politicians and journalists are telling us that there was an innocent nation and single atrocities committed by individuals. The opposite is the case: there were individuals who behaved in virtuous or in reprehensible ways, and a “nation”: a concept that served as justification for the crime.

We are writing this letter on Friday, February 2nd. The media have shared the news of 90 migrants drowned off the Libyan coast. It was state institutions that had forced these people to seek illegal ways of reaching Europe, it was these very institutions that imprisoned thousands of others in camps very similar to the one in Zbąszyń. These things stem from national egoism and the mere concept of “Polish nation”; the Polish state’s policy claiming to protect the nation against “strangers” has its share in this crime as well. 

There was no community of fate with those condemned to death, one in which Schwarzbart strove to believe. There is no community of fate with those who die at sea and suffer in camps today. It is ‘nation’ that makes this community unachievable.

‘Nation’ is what Polish authorities keep cramming into our heads and pushing down our throats. In the new history curriculum for high schools – after all, not so different from the old one – on a single page of the section describing educational aims of history lessons the word “nation” appears 6 times, the word “fatherland” – 5 times. It contains only one reference to “other” nations and states.

Apart from matters of nation and state, this kind of history as taught at schools has room for nothing. No mention of people crushed by nations nor of their lives and labor, nor of quests for alternative forms of living, alternative forms of community and pursuit of happiness.

Those in power use the concept of ‘nation’ to offer false pride, a false community, and false protection to those who very often are unhappy, bereft of hope, tired with work and burdened with mortgage. They use it to incite contempt, distrust, and hostility towards “strangers”, to authorize “sacred” egoism, to justify lack of empathy and partiality of views. They use it to suppress the search for truth.

You can see this every day as you look at politicians and listen to their childish, muddling, and all too often vile speeches aimed at stirring up, in you, some enmity towards the people you could and would cooperate with and befriend. It is you who are right; do not let anyone tell you different: each and every one of you is a thinking and feeling person, you are facing the future which you need to envisage and build together, and which has to be better than what you have been given.

Sebastian Matuszewski

Piotr Laskowski

Teachers at J. Kuroń Multicultural High School, members of the Research Group on Editing the Ringelblum Archive.


A few notes on Medsec and St. Jude Medical


In Fall 2016 I was invited to come to Miami as part of a team that independently validated some alleged flaws in implantable cardiac devices manufactured by St. Jude Medical (now part of Abbott Labs). These flaws were discovered by a company called MedSec. The story got a lot of traction in the press at the time, primarily due to the fact that a hedge fund called Muddy Waters took a large short position on SJM stock as a result of these findings. SJM subsequently sued both parties for defamation. The FDA later issued a recall for many of the devices.

Due in part to the legal dispute (still ongoing!), I never had the opportunity to write about what happened down in Miami, and I thought that was a shame: because it’s really interesting. So I’m belatedly putting up this post, which talks a bit about MedSec’s findings, and implantable device security in general.

By the way: “we” in this case refers to a team of subject matter experts hired by Bishop Fox, and retained by legal counsel for Muddy Waters investments. I won’t name the other team members here because some might not want to be troubled by this now, but they did most of the work — and their names can be found in this public expert report (as can all the technical findings in this post.)

Quick disclaimers: this post is my own, and any mistakes or inaccuracies in it are mine and mine alone. I’m not a doctor so holy cow this isn’t medical advice. Many of the flaws in this post have since been patched by SJM/Abbott. I was paid for my time and travel by Bishop Fox for a few days in 2016, but I haven’t worked for them since. I didn’t ask anyone for permission to post this, because it’s all public information.

A quick primer on implantable cardiac devices 

Implantable cardiac devices are tiny computers that can be surgically installed inside a patient’s body. Each device contains a battery and a set of electrical leads that can be surgically attached to the patient’s heart muscle.

When people think about these devices, they’re probably most familiar with the cardiac pacemaker. Pacemakers issue small electrical shocks to ensure that the heart beats at an appropriate rate. However, the pacemaker is actually one of the least powerful implantable devices. A much more powerful type of device is the Implantable Cardioverter-Defibrillator (ICD). These devices are implanted in patients who have a serious risk of spontaneously entering a dangerous state in which their heart ceases to pump blood effectively. The ICD continuously monitors the patient’s heart rhythm to identify when the patient’s heart has entered this condition, and applies a series of increasingly powerful shocks to the heart muscle to restore effective heart function. Unlike pacemakers, ICDs can issue shocks of several hundred volts or more, and can both stop and restart a patient’s normal heart rhythm.

Like most computers, implantable devices can communicate with other computers. To avoid the need for external data ports – which would mean a break in the patient’s skin – these devices communicate via either a long-range radio frequency (“RF”) or a near-field inductive coupling (“EM”) communication channel, or both. Healthcare providers use a specialized hospital device called a Programmer to update therapeutic settings on the device (e.g., program the device, turn therapy off). Using the Programmer, providers can manually issue commands that cause an ICD to shock the patient’s heart. One command, called a “T-Wave shock” (or “Shock-on-T”) can be used by healthcare providers to deliberately induce ventricular fibrillation. This capability is used after a device is implanted, in order to test the device and verify it’s functioning properly.

Because the Programmer is a powerful tool – one that could cause harm if misused – it’s generally deployed in a physician office or hospital setting. Moreover, device manufacturers may employ special precautions to prevent spurious commands from being accepted by an implantable device. For example:

  1. Some devices require that all Programmer commands be received over a short-range communication channel, such as the inductive (EM) channel. This limits the communication range to several centimeters.
  2. Other devices require that a short-range inductive (EM) wand must be used to initiate a session between the Programmer and a particular implantable device. The device will only accept long-range RF commands sent by the Programmer after this interaction, and then only for a limited period of time.

From a computer security perspective, both of these approaches have a common feature: using either approach requires some form of close-proximity physical interaction with the patient before the implantable device will accept (potentially harmful) commands via the long-range RF channel. Even if a malicious party steals a Programmer from a hospital, she may still need to physically approach the patient – at a distance limited to perhaps centimeters – before she can use the Programmer to issue commands that might harm the patient.

In addition to the Programmer, most implantable manufacturers also produce some form of “telemedicine” device. These devices aren’t intended to deliver commands like cardiac shocks. Instead, they exist to provide remote patient monitoring from the patient’s home. Telematics devices use RF or inductive (EM) communications to interrogate the implantable device in order to obtain episode history, usually at night when the patient is asleep. The resulting data is uploaded to a server (via telephone or cellular modem) where it can be accessed by healthcare providers.

What can go wrong?

Before we get into specific vulnerabilities in implantable devices, it’s worth asking a very basic question. From a security perspective, what should we even be worried about?

There are a number of answers to this question. For example, an attacker might abuse implantable device systems or infrastructure to recover confidential patient data (known as PHI). Obviously this would be bad, and manufacturers should design against it. But the loss of patient information is, quite frankly, kind of the least of your worries.

A much scarier possibility is that an attacker might attempt to harm patients. This could be as simple as turning off therapy, leaving the patient to deal with their underlying condition. On the much scarier end of the spectrum, an ICD attacker could find a way to deliberately issue dangerous shocks that could stop a patient’s heart from functioning properly.

Now let me be clear: this isn’t what you’d call a high probability attack. Most people aren’t going to be targeted by sophisticated technical assassins. The concerning thing about this is that the impact of such an attack is sufficiently terrifying that we should probably be concerned about it. Indeed, some high-profile individuals have already taken precautions against it.

The real nightmare scenario is a mass attack in which a single resourceful attacker targets thousands of individuals simultaneously — perhaps by compromising a manufacturer’s back-end infrastructure — and threatens to harm them all at the same time. While this might seem unlikely, we’ve already seen attackers systematically target hospitals with ransomware. So this isn’t entirely without precedent.

Securing device interaction physically

The real challenge in securing an implantable device is that too much security could hurt you. As tempting as it might be to lard these devices up with security features like passwords and digital certificates, doctors need to be able to access them. Sometimes in a hurry.

This shouldn’t happen in the ER.

This is a big deal. If you’re in a remote emergency room or hospital, the last thing you want is some complex security protocol making it hard to disable your device or issue a required shock. This means we can forget about complex PKI and revocation lists. Nobody is going to have time to remember a password. Even merely complicated procedures are out — you can’t afford to have them slow down treatment.

At the same time, these devices obviously must perform some sort of authentication: otherwise anyone with the right kind of RF transmitter could program them — via RF, from a distance. This is exactly what you want to prevent.

Many manufacturers have adopted an approach that cuts through this knot. The basic idea is to require physical proximity before someone can issue commands to your device. Specifically, before anyone can issue a shock command (even via a long-range RF channel) they must — at least briefly — make close physical contact with the patient.

This proximity can be enforced in a variety of ways. If you remember, I mentioned above that most devices have a short-range inductive coupling (“EM”) communications channel. These short-range channels seem ideal for establishing a “pairing” between a Programmer and an implantable device — via a specialized wand. Once the channel is established, of course, it’s possible to switch over to long-range RF communications.

This isn’t a perfect solution, but it has a lot going for it: someone could still harm you, but they would have to at least get a transmitter within a few inches of your chest before doing so. Moreover, you can potentially disable harmful commands from an entire class of device (like telemedicine monitoring devices) simply by leaving off the wand.

St. Jude Medical and MedSec


So given this background, what did St. Jude Medical do? All of the details are discussed in a full expert report published by Bishop Fox. In this post I’ll focus on the most serious of MedSec’s claims, which can be expressed as follows:

Using only the hardware contained within a “Merlin @Home” telematics device, it was possible to disable therapy and issue high-power “shock” commands to an ICD from a distance, and without first physically interacting with the implantable device at close range.

This vulnerability had several implications:

  1. The existence of this vulnerability implies that – through a relatively simple process of “rooting” and installing software on a Merlin @Home device – a malicious attacker could create a device capable of issuing harmful shock commands to installed SJM ICD devices at a distance. This is particularly worrying given that Merlin @Home devices are widely deployed in patients’ homes and can be purchased on eBay for prices under $30. While it might conceivably be possible to physically secure and track the location of all PCS Programmer devices, it seems challenging to physically track the much larger fleet of Merlin @Home devices.
  2. More critically, it implies that St. Jude Medical implantable devices do not enforce a close physical interaction (e.g., via an EM wand or other mechanism) prior to accepting commands that have the potential to harm or even kill patients. This may be a deliberate design decision on St. Jude Medical’s part. Alternatively, it could be an oversight. In either case, this design flaw increases the risk to patients by allowing for the possibility that remote attackers might be able to cause patient harm solely via the long-range RF channel.
  3. If it is possible – using software modifications only – to issue shock commands from the Merlin @Home device, then patients with an ICD may be vulnerable in the hypothetical event that their Merlin @Home device becomes remotely compromised by an attacker. Such a compromise might be accomplished remotely via a network attack on a single patient’s Merlin @Home device. Alternatively, a compromise might be accomplished at large scale through a compromise of St. Jude Medical’s server infrastructure.

We stress that the final scenario is strictly hypothetical. MedSec did not allege a specific vulnerability that allows for the remote compromise of Merlin @Home devices or SJM infrastructure. However, from the perspective of software and network security design, these attacks are one of the potential implications of a design that permits telematics devices to send such commands to an implantable device. It is important to stress that none of these attacks would be possible if St. Jude Medical’s design prohibited the implantable from accepting therapeutic commands from the Merlin @Home device (e.g., by requiring close physical interaction via the EM wand, or by somehow authenticating the provenance of commands and restricting critical commands to be sent by the Programmer only).

Validating MedSec’s claim

To validate MedSec’s claim, we examined their methodology from start to finish. This methodology included extracting and decompiling Java-based software from a single PCS Programmer; accessing a Merlin @Home device to obtain a root shell via the JTAG port; and installing a new package of custom software written by MedSec onto a used Merlin @Home device.

We then observed MedSec issue a series of commands to an ICD device using a Merlin @Home device that had been customized (via software) as described above. We used the Programmer to verify that these commands were successfully received by the implantable device, and physically confirmed that MedSec had induced shocks by attaching a multimeter to the leads on the implantable device.

Finally, we reproduced MedSec’s claims by opening the case of a second Merlin @Home device (after verifying that the tape was intact over the screw holes), obtaining a shell by connecting a laptop computer to the JTAG port, and installing MedSec’s software on the device. We were then able to issue commands to the ICD from a distance of several feet. This process took us less than three hours in total, and required only inexpensive tools and a laptop computer.

What are the technical details of the attack?

Simply reproducing a claim is only part of the validation process. To verify MedSec’s claims we also needed to understand why the attack described above was successful. Specifically, we were interested in identifying the security design issues that make it possible for a Merlin @Home device to successfully issue commands that are not intended to be issued from this type of device. The answer to this question is quite technical, and involves the specific way that SJM implantable devices verify commands before accepting them.

MedSec described to us the operation of SJM’s command protocol as part of their demonstration. They also provided us with Java JAR executable code files taken from the hard drive of the PCS Programmer. These files, which are not obfuscated and can easily be “decompiled” into clear source code, contain the software responsible for implementing the Programmer-to-Device communications protocol.

By examining the SJM Programmer code, we verified that Programmer commands are authenticated through the inclusion of a three-byte (24 bit) “authentication tag” that must be present and correct within each command message received by the implantable device. If this tag is not correct, the device will refuse to accept the command.

From a cryptographic perspective, 24 bits is a surprisingly short value for an important authentication field. However, we note that even this relatively short tag might be sufficient to prevent forgery of command messages – provided the tag was calculated using a secure cryptographic function (e.g., a Message Authentication Code) using a fresh secret key that cannot be predicted by the attacker.

Based on MedSec’s demonstration, and on our analysis of the Programmer code, it appears that SJM does not use the above approach to generate authentication tags. Instead, SJM authenticates the Programmer to the implantable with the assistance of a “key table” that is hard-coded within the Java code within the Programmer. At minimum, any party who obtains the (non-obfuscated) Java code from a legitimate SJM Programmer can gain the ability to calculate the correct authentication tags needed to produce viable commands – without any need to use the Programmer itself.

Moreover, MedSec determined – and successfully demonstrated – that there exists a “Universal Key”, i.e., a fixed three-byte authentication tag, that can be used in place of the calculated authentication tag. We identified this value in the Java code provided by MedSec, and verified that it was sufficient to issue shock commands from a Merlin @Home to an implantable device.

While these issues alone are sufficient to defeat the command authentication mechanism used by SJM implantable devices, we also analyzed the specific function that is used by SJM to generate the three-byte authentication tag. To our surprise, SJM does not appear to use a standard cryptographic function to compute this tag. Instead, they use an unusual and apparently “homebrewed” cryptographic algorithm for the purpose.

Specifically, the PCS Programmer Java code contains a series of hard-coded 32-bit RSA public keys. To issue a command, the implantable device sends a value to the Programmer. This value is then “encrypted” by the Programmer using one of the RSA public keys, and the resulting output is truncated to produce a 24-bit output tag.

The above is not a standard cryptographic protocol, and quite frankly it is difficult to see what St. Jude Medical is trying to accomplish using this technique. From a cryptographic perspective it has several problems:

  1. The RSA public keys used by the PCS Programmers are 32 bits long. Normal RSA keys are expected to be a minimum of 1024 bits in length. Some estimates predict that a 1024-bit RSA key can be factored (and thus rendered insecure) in approximately one year using a powerful network of supercomputers. Based on experimentation, we were able to factor the SJM public keys in less than one second on a laptop computer.
  2. Even if the RSA keys were of an appropriate length, the SJM protocol does not make use of the corresponding RSA secret keys. Thus the authentication tag is not an RSA signature, nor does it use RSA in any way that we are familiar with.
  3. As noted above, since there is no shared session key established between the specific implantable device and the Programmer, the only shared secret available to both parties is contained within the Programmer’s Java code. Thus any party who extracts the Java code from a PCS Programmer will be able to transmit valid commands to any SJM implantable device.
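The first two problems can be checked mechanically when reviewing a key table. The following is an added example, not code from the original post, from Bishop Fox's report or from SJM: the modulus and exponent are constructed for illustration, and the tag function is an assumed model (textbook RSA, low 24 bits kept) of the scheme described above.

```python
"""Added illustration: audit an RSA "key table" for undersized moduli."""
import time
from math import isqrt

# Constructed sample entry (modulus, public exponent). NOT taken from any real
# Programmer; the modulus is simply the product of two 16-bit primes.
SAMPLE_TABLE = [(4292870399, 65537)]

MIN_BITS = 1024        # the minimum the post cites; current guidance is 2048+
TRIAL_LIMIT_BITS = 40  # only attempt trial division on moduli this small


def factor_small(n):
    """Trial division. Returns (p, q) with p the smallest prime factor of n,
    or None if n is prime."""
    if n > 2 and n % 2 == 0:
        return 2, n // 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return d, n // d
    return None


def recover_private_exponent(n, e):
    """Once n is factored, the private exponent follows directly."""
    factors = factor_small(n)
    if factors is None:
        raise ValueError("modulus is prime, not an RSA modulus")
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))


def public_only_tag(challenge, n, e):
    """Assumed model of the tag in the post: textbook RSA 'encryption' of the
    device's value under a public key, truncated to 24 bits. Keeping the low
    24 bits is an assumption; the post does not say which bits survive.
    Every input is public, so the output authenticates nobody."""
    return pow(challenge, e, n) & 0xFFFFFF


def audit(table):
    """Report size and factorability for each (n, e) entry."""
    findings = []
    for n, e in table:
        bits = n.bit_length()
        factors, seconds = None, 0.0
        if bits <= TRIAL_LIMIT_BITS:
            start = time.perf_counter()
            factors = factor_small(n)
            seconds = time.perf_counter() - start
        findings.append({"bits": bits, "undersized": bits < MIN_BITS,
                         "factors": factors, "seconds": seconds})
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE_TABLE):
        print(row)
```

A modulus this size fails the audit twice over: it is far below any accepted length, and the tag never depended on a secret in the first place.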

Our best interpretation of this design is that the calculation is intended as a form of “security by obscurity”, based on the assumption that an attacker will not be able to reverse engineer the protocol. Unfortunately, this approach is rarely successful when used in security systems. In this case, the system is fundamentally fragile – due to the fact that code for computing the correct authentication tag is likely available in easily-decompiled Java bytecode on each St. Jude Medical Programmer device. If this code is ever extracted and published, all St. Jude Medical devices become vulnerable to command forgery.

How to remediate these attacks?

To reiterate, the fundamental security concerns with these St. Jude Medical devices (as of 2016) appeared to be problems of design. These were:

  1. SJM implantable devices did not require close physical interaction prior to accepting commands (allegedly) sent by the Programmer.
  2. SJM did not incorporate a strong cryptographic authentication mechanism in its RF protocol to verify that commands are truly sent by the Programmer.
  3. Even if the previous issue was addressed, St. Jude did not appear to have an infrastructure for securely exchanging shared cryptographic keys between a legitimate Programmer and an implantable device.

There are various ways to remediate these issues. One approach is to require St. Jude implantable devices to exchange a secret key with the Programmer through a close-range interaction involving the Programmer’s EM wand. A second approach would be to use a magnetic sensor to verify the presence of a magnet on the device, prior to accepting Programmer commands. Other solutions are also possible. I haven’t reviewed the solution SJM ultimately adopted in their software patches, and I don’t know how many users patched.
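The first remediation above can be modelled in a few lines. This is an added example, not SJM's patch and not code from the original post: the class, the session lifetime, the lockout threshold and the command string are all assumptions, and the 24-bit tag width is kept only to mirror the protocol described earlier.

```python
"""Added illustration: proximity-paired session key plus a keyed MAC."""
import hashlib
import hmac
import os
import time

TAG_LEN = 3            # 24-bit tag, as in the post; use a longer tag if the protocol allows
SESSION_SECONDS = 300  # assumed lifetime of a pairing
MAX_BAD_TAGS = 3       # assumed lockout threshold; a short tag needs guess limiting


def make_tag(key, nonce, command):
    """HMAC-SHA256 over the device's fresh nonce and the command, truncated.
    The nonce has a fixed length, so the concatenation is unambiguous."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()[:TAG_LEN]


class Implant:
    """Device-side state machine (hypothetical, for illustration)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._key = None
        self._expires = 0.0
        self._nonce = None
        self._bad = 0

    def _session_live(self):
        return self._key is not None and self._clock() < self._expires

    def pair_over_em(self):
        """Close-range step: a fresh random key leaves the device only over
        the short-range inductive channel (modelled by the return value)."""
        self._key = os.urandom(32)
        self._expires = self._clock() + SESSION_SECONDS
        self._nonce = None
        self._bad = 0
        return self._key

    def challenge(self):
        """Fresh nonce for the next RF command; None when no pairing is live."""
        if not self._session_live():
            return None
        self._nonce = os.urandom(16)
        return self._nonce

    def accept(self, command, tag):
        """Accept a command only with a live pairing, an outstanding nonce
        and a correct tag. Each nonce is consumed whether or not it passes."""
        if not self._session_live() or self._nonce is None:
            return False
        expected = make_tag(self._key, self._nonce, command)
        self._nonce = None
        if hmac.compare_digest(expected, tag):
            return True
        self._bad += 1
        if self._bad >= MAX_BAD_TAGS:
            self._key = None  # force a new close-range pairing
        return False


if __name__ == "__main__":
    device = Implant()
    key = device.pair_over_em()
    nonce = device.challenge()
    cmd = b"READ_EPISODES"  # constructed command name
    print(device.accept(cmd, make_tag(key, nonce, cmd)))
```

A sender that never completed the close-range step holds no key, so nothing it transmits over RF is accepted, and repeated wrong tags end the session rather than allowing unlimited guesses at a 24-bit value.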


Implantable devices offer a number of unique security challenges. It’s naturally hard to get these things right. At the same time, it’s important that vendors take these issues seriously, and spend the time to get cryptographic authentication mechanisms right — because once deployed, these devices are very hard to repair, and the cost of a mistake is extremely high.

Both a disturbing case study and a beautiful example of how to write up security case studies for a general audience

Meeting Blur


Wednesday afternoon. 3:30. Tanya and I walking through a complex political scenario involving Product and Engineering. Nothing devious. Just complex. Many moving parts. I’ve had some version of this conversation five times today.

The whiteboard is my savior. I’m using it to draw a picture that anchors the core points of the situation. Those core points change from conversation to conversation, and I update the picture to capture this emerging reality.

The problem is, the picture captures my reality and not theirs. When it comes to complex political scenarios, you need to keep track of who knows what. Again, nothing nefarious. No ill intent. Just an honest attempt to shape the narrative productively.

Tanya says something important. Really important. It’s high on the Richter scale of thought, and I need to update my entire thinking in a moment. Problem is, I’ve had this conversation five times today, and suddenly I can not remember what was said by whom, when, and where.

Welcome to Meeting Blur.

Too Much

As a leader, you have disproportionate access to developments in your team and company. Nothing surprising here. You are the representative of your team, so you get invited to a lot of meetings for representatives. These meetings contain synthesized information about what is going down in the company right now.1

Because of your access to all this information and your disposition as a person who gets shit done, you sign up for things. Often you will sign up for too many things. Because your job is to get shit done, you often will be in denial about having too much to do. I want to talk about how I know I’m in this state and the unexpectedly dire consequences.

Meeting Blur. When the number of meetings exceeds your ability to remember what was said by whom, when, and where. Let’s forget for a moment why there are so many meetings2 and focus on your mental state. You’re a bright emotionally intelligent human. You walk into a meeting and have a credible mental profile of each human at the table. Why are they here? What do they want? How do they feel about the topic at hand? All of this information is front of mind and readily accessible.

This is what leaders do. We compile every single moment into a vast internal story about the state of the company. We use this informative narrative for good, not evil.

For me, Meeting Blur occurs when I can no longer compile these moments. The amount of incoming data exceeds my ability to compile the story. Wait? Does Tanya know this? No, Stuart said it this morning, and no one knows that thing, yet. Right? Maybe…


But I get shit done, I got this. This is a blur blip.

No, it’s not.

If I fail to recognize my overloaded mental state at the moment, I will undoubtedly recognize it later… in the middle of the night. My eyes pop open at 3:13 am like I’m in the middle of meeting with Tanya. I’m compiling, I’m working the problem, and my brain is fully engaged. In fact, it’s clear that my brain has been working the issue for some time, but it was 3:13 am when the compilation was complex enough to wake me.

For years, I diagnosed the 3:13 am wake-up call as stress. It is stress, but the root cause is bad leadership.

On the Topic of Operational Excellence

Let’s forget about the deleterious effects of not getting enough sleep and talk about why this is a leadership failure. You are about to violate leadership rule #8: “You sign-up for things and get them done. Every single time.”

When you achieve Meeting Blur, something has gotta go. Your plate needs at least one less big rock, and that means failing on a commitment. Sure, you can give the work to someone else or perhaps delay another project to give yourself breathing room. There are any number of time-saving moves you can pull, but it remains a leadership failure because you do not have a good internal measure for what you can and can not do.

Leaders set the bar for what is and is not acceptable on their team. They define this bar both overtly with the words they say, but more subtly with their actions. There are two scenarios when you’ve achieved Meeting Blur and need to act. You can not change anything and do all of your work poorly, or you can drop some of that work which equates to a missed commitment. While I believe you agree the optics on both scenarios are bad, what is worse is that by choosing either course you signal your team that these obvious bad outcomes are acceptable.

Seem harsh? Yeah, I’m a bit fired up because I think leaders often vastly underestimate the impact of actions we consider inconsequential. Let’s play it out once more: Thinking I am responsible and helpful. I sign up for things. I do this repeatedly and sign up for too many things. Over time, I realize I’m overloaded, so I miss commitments. Where’s the flaw? Because I could not initially correctly assess how much work I could do, I’m signaling to my team it’s ok to miss commitments. What?

Yes, I am glossing over the complexity of situations that are obviously more complex. There is always situational nuance. There is always complexity that is discovered only by doing the work. Given all of these guaranteed unknowns, a credible leader needs to work to be clear about one key variable: their own capabilities.

  1. This is why when you go to these meetings, you must report back to the team. What happened? What’d we learn? What’s happening next? Everyone on your team knows this meeting happens, but only you know what happened. Share the knowledge. Free leadership points. 
  2. Actually, let’s not. How many meetings are you having a day? How many people are in these meetings? Do they all need to be there or have meetings become the means by which forward progress occurs? Shit, you have a problem.

Fighting Erasure: Women SF Writers of the 1970s, Part II


Once more into the past, this time armed with a more comprehensive list of women who debuted in the 1970s¹. In fact, my list has become long enough that I am going to have to tackle the authors letter by letter, moving forward. In this case, I am looking at women authors who debuted between 1970 and 1979 and whose surnames begin with G.


Sally Miller Gearhart

Gearhart may be best known now for her political activism and her decades of scholarly work. The Sally Miller Gearhart Chair in Lesbian Studies at the University of Oregon is named for her. SF fans unacquainted with her work might do well to start with The Wanderground, a novel about feminist separatism set in a near future. Any of you planning to write a feminist separatist novel (or found a separatist feminist community) might want to explore prior art, including Gearhart’s contributions.


Mary Gentle

Author photo by JohnDallman

The least-aptly surnamed author in speculative fiction, Gentle is prolific, talented, and in no sense gentle. The best starting point for Gentle is her 1983 two-cultures-in-contact story, Golden Witchbreed, the first in the Orthe series. Caveat: you might want to be wary of the sequel, which expands on the setting in ways that many fans of Golden Witchbreed have disliked and loudly protested.


Dian Girard

Under her maiden name Girard, Dian published a number of short pieces in venues like Amazing, Galaxy, and Jerry Pournelle’s 2020 Vision². As J. D. Crayne, she made a lateral move into mystery—yet another loss for SFF and gain for the mystery genre. (The mystery audience is ten times the size of SF’s; mystery writers can often indulge in such luxuries as food, clothing, and shelter.) Her story “Eat, Drink, and Be Merry,” which sets one determined woman against a society determined to monitor her diet for her, would be an excellent starting point for Girard… if it had not been out of print for more than four decades.


Lisa Goldstein

A better-read reviewer than I would almost certainly recommend reading Lisa Goldstein’s award-winning The Red Magician. However, I have not yet gotten around to it; the book has been living in my Everest-emulating Mount Tsundoku since it came out in 1983. I can, however, recommend A Mask for the General, which relates an artist’s unconventional struggle against the brutal autocrat who has ruled America ever since an economic crisis undermined American faith in democratic institutions³.


Jeanne Gomoll

Editor, artist, and essayist Gomoll’s body of science fiction is comparatively small; I don’t think I’ve read any of it. No worries, because the Gomoll I would recommend is her non-fiction (but SF-related) essay “An Open Letter to Joanna Russ,” available online here. In it she discusses yet another example of the sort of historical erasure I am hoping to, in turn, erase.


Eileen Gunn

Gunn’s fiction has thus far been of the short variety; the trick with such authors in this collection- and anthology-unfriendly world—curse you, Roger Elwood!—can be to find something still in print. Happily with Gunn, this is no problem. Her 2004 collection Stable Strategies and Others contains (among other works) the 1989 Hugo Award Finalist “Stable Strategies for Middle Management,” the 1990 Hugo Award Finalist “Computer Friendly,” the 2004 Nebula Award winner “Coming to Terms,” and the 2006 Nebula Award Nominee and James Tiptree Jr. Award Shortlisted novelette (co-written with Leslie What) “Nirvana High.”



The best part of having greatly expanded my list of women who debuted in the 1970s is that I can now appreciate just how much I do not know. Learning new things gives me an endorphin rush, so I look forward to new and better drug highs. Please help. I am unfamiliar with the following authors and would invite useful commentary:


1: Nota bene: this series only covers women whose published careers began between 1970 and 1979. If their career began before 1970 or after 1979, then they fall outside my target range.

2: Which I will review on my own site Sunday, Jan 5th, 2020, probably about 3:30 AM. Kitchener time. Because stuff and things.

3: A Mask for the General is inextricably entangled in my mind with Pat Murphy’s The City, Not Long After, which also pits artists against autocrats.

In the words of Wikipedia editor TexasAndroid, prolific book reviewer and perennial Darwin Award nominee James Davis Nicoll is of “questionable notability.” His work has appeared in Publishers Weekly and Romantic Times as well as on his own websites, James Nicoll Reviews and Young People Read Old SFF (where he is assisted by editor Karen Lofstrom and web person Adrienne L. Travis). He is surprisingly flammable.


Cities in Flight: James Blish’s Overlooked Classic

1 Comment

James Blish was a popular science fiction writer and critic who began his literary career while still in his mid-teens. Not yet out of high school, Blish created his own science fiction fanzine, and shortly thereafter became an early member of the Futurians, a society of science fiction fans, many of whom went on to become well-known writers and editors. From the ’40s to the ’70s, Blish submitted a slew of fascinating tales to a variety of pulp magazines, including Future, Astounding Science Fiction, Galaxy Science Fiction, The Magazine of Science Fiction and Fantasy, and Worlds of If, just to name a handful. Although Blish’s most widely recognized contribution to the science fiction genre may be his novelizations of the original 1960s Star Trek episodes (to which his talented wife Judith Lawrence contributed), his magnum opus is undoubtedly the numerous “Okie” tales written over the span of a decade and merged together into the four-volume series known as Cities in Flight.

To give you some background, it was in 1991, when I entered Junior High School—a brave new world indeed—that I first discovered James Blish. For it was then, to celebrate Star Trek’s 25th anniversary, that Blish’s adaptations were compiled in three thick paperback volumes, each containing a full season’s worth of episodes. As I recall, the first book, which collected season one, was purple; the second was red, and the third was blue. I purchased the first two volumes at SmithBooks in the summer of 1992. I enjoyed them immensely; I read and reread them repeatedly, never tiring of them. (I finally managed to snag the third—in pristine condition, to my delight—at a used bookstore a decade later.) And the extra insights and background exposition by Blish, however perfunctory or limited (which in many respects, they were) made me feel as though I actually knew the characters personally.

After reading these novelizations in the early ’90s, I set out to find other science fiction works by Blish. Recognizing that he was an author from before my time, and a prolific one, I decided that my best bet would be to check out used bookstores, which were more than likely to carry at least a modest selection of his books. I was right, as it turned out, and took the opportunity to pick up a couple of other novels by Blish: VOR (a story of the first time an alien being crash lands on Earth, and then insists that it wishes to die) and Jack of Eagles (a tale about an ordinary American man who discovers he has enhanced psionic powers). Both of these relatively short novels are intriguing in their own right. It was also at a used bookstore that I first came across the Cities in Flight omnibus—although I confess that upon initial perusal it looked very formidable to my fourteen-year-old eyes.



James Blish, born in 1921 in East Orange, New Jersey, was a gifted writer of science fiction and fantasy. As mentioned above, his interest in these genres began early. At the age of fifteen, Blish began to publish The Planeteer, a monthly science fiction fanzine he both edited and contributed to from November 1935 to April 1936. For each issue, Blish penned a science fiction tale: Neptunian Refuge (Nov. 1935); Mad Vision (Dec. 1935); Pursuit into Nowhere (Jan. 1936); Threat from Copernicus (Feb. 1936); Trail of the Comet (Mar. 1936); and Bat-Shadow Shroud (Apr. 1936). In the late 1930s, Blish joined the Futurians, a body of sci-fi writers and editors based in New York City who significantly influenced the development of the sci-fi genre between 1937 and 1945. Other members included sci-fi giants Isaac Asimov and Frederik Pohl.

Blish’s first published story, Emergency Refueling, appeared in the March 1940 issue of Super Science Stories, a pulp magazine. Throughout the 1940s, such magazines were the main venue in which his stories saw print. It was between 1950 and 1962, however, that Blish published his crowning achievement, the Cities in Flight tetralogy. In 1959, Blish won the Hugo Award for Best Novel for A Case of Conscience, and was nominated in 1970 for We All Die Naked. He was also nominated for the Nebula Award on three occasions: in 1965 for The Shipwrecked Hotel, in 1968 for Black Easter, and 1970 for A Style in Treason. Also in 1970, Avon Books collected the four Cities in Flight novels and rereleased them together, for the first time, in one hefty volume.

The very commercially successful Star Trek novelizations of the original 1960s television episodes that remain Blish’s best-known work were released over a ten-year period—from 1967 to 1977—in twelve slim volumes, each with multiple printings to accommodate the widespread demand. In addition to these popular, highly-readable short stories, he also wrote the first original adult Star Trek novel, Spock Must Die!, which was released in February 1970 by Bantam Books, one year after the original television series was—to the dismay of loyal viewers—canceled by NBC. And although it was not widely known to the general public, Blish also used the pseudonym William Atheling, Jr. to write critical science fiction articles, as well.

As a final note, I thought it apt to include an interesting fact about Blish: In 1952, he originated the term “gas giant” to describe immense gaseous planets when he altered the descriptive text of his 1941 tale Solar Plexus. The relevant passage reads: “… a magnetic field of some strength nearby, one that didn’t belong to the invisible gas giant revolving half a million miles away.”



Cities in Flight, Blish’s galaxy-spanning masterpiece, was initially published as four separate books well over a half-century ago. It should be noted, however, that the four original books were not written in sequential order. According to James Blish, “The volumes were written roughly in the order III, I, IV, [and] II over a period of fifteen years…”

The first novel, They Shall Have Stars, was published in 1956; the second, A Life for the Stars, was published in 1962; the third, Earthman, Come Home, was published in 1955; and the fourth, The Triumph of Time, was published in 1958. Finally, in 1970 the “Okie” novels, as they were dubbed thereafter, were skillfully woven into a single epic-length tale and published in an omnibus edition as Cities in Flight.

The stories which compose the Cities in Flight saga were inspired by the Great Migration of “Okies” (a colloquial and unflattering appellation for rural Americans from Oklahoma) to California in the 1930s due to the Dust Bowl. The latter is a term referring to the intense dust storms—so-called “black blizzards”—that devastated farmland in the Great Plains during the Great Depression. And to some extent, Blish was influenced by Oswald Spengler’s major philosophical work, The Decline of the West, which posited that history is not divided into epochal segments but cultures—Egyptian, Chinese, Indian, etc.—each lasting approximately two millennia. These cultures, Spengler averred, were like living beings, who thrive for a time and then gradually wither away.

Cities in Flight tells the story of the Okies, albeit in a futuristic context. These Earthmen and women are migrants who voyage through space while living in enormous, detached cities capable of interstellar flight. The purpose of these nomadic folk is rather prosaic—they are driven to search for work and a viable lifestyle due to the worldwide economic stagnation. Powerful anti-gravity machines known as “spindizzies,” built into the bottommost layer of these city-structures, propel them through space at post-light speed. The result is that the cities are self-contained; oxygen is trapped inside an airtight bubble of sorts, which harmful cosmic material cannot penetrate.

Blish’s space opera is tremendous in its scope. The full saga unfolds over several thousand years, features many ingenious technological marvels, and stars dozens of key protagonists and many alien races who are confronted by ongoing predicaments that they must overcome through ingenuity and perseverance. The story vividly conveys both Blish’s political leanings and his disdain for the present condition of life in the West. For instance, Blish’s loathing of McCarthyism—which was then at full steam—is evident, and in his dystopian vision, the FBI has evolved into a repressive, Gestapo-like organization. Politically, the Soviet system and the Cold War still exist, at least in the first installment, although the Western government has done away with so many personal freedoms as to render the Western social order a mirror of its Soviet counterpart.

They Shall Have Stars is the first of the four novels. Here, the far reaches of our own solar system have been fully explored. However, mankind’s desire to proceed even further into the unknown is made possible through two vital discoveries: one, anti-aging drugs which allow the user to prevent senescence; and two, anti-gravity devices that facilitate galactic travel. Hundreds of years have elapsed by the time of A Life for the Stars, the second installment, and mankind has developed sufficiently advanced technology to permit Earth’s largest cities to break away from the Earth itself and set off into space. The third novel, Earthman, Come Home, is related from the viewpoint of centuries-old New York mayor John Amalfi. The societal changes resulting from centuries in galactic transit have not been favorable; by this time, the space-roaming cities have regressed to a savage, chaotic state, and these renegade societies now endanger other enlightened offworld civilizations.

The last of the four novels, The Triumph of Time, continues from Amalfi’s perspective. The New York city-in-flight is now passing through the Greater Magellanic Cloud (a dwarf galaxy some fifty kiloparsecs from the Milky Way), although a new threat of galactic proportions is impending: a cataclysmic collision of matter and anti-matter that will destroy the universe. This is known as the Big Crunch, a theoretical scenario in which it is hypothesized that the universe will eventually contract and collapse in on itself due to extraordinarily high density and cosmic temperatures—the reverse of the Big Bang. If interpreted in religious terms, the ending parallels the beginning of the Old Testament’s Book of Genesis—or rather, presents its inescapable opposite.

Truth be told, Blish’s space epic is a rather pessimistic conception of mankind’s future. And although it is undeniably dated by today’s standards—some amusing references to obsolete technology are made (slide rules, vacuum tubes, etc.)—present-day readers will still appreciate the quality of the literature and, as a benchmark example of hard science fiction, find it a memorable read.



For a generous sample of James Blish’s finest work spanning a three decade-long career, I personally recommend The Best of James Blish (1979), which I recently acquired online. It is a carefully selected collection of short stories, novelettes, and novellas, which in the opinion of some readers, including my own, tend to surpass some of his lengthier works. For convenience, here is a list of its contents: Science Fiction the Hard Way (Introduction by Robert A. W. Lowndes); Citadel of Thought, 1941; The Box, 1949; There Shall Be No Darkness, 1950; Surface Tension, 1956 (revision from Sunken Universe, 1942 and Surface Tension, 1952); Testament of Andros, 1953; Common Time, 1953; Beep, 1954; A Work of Art, 1956; This Earth of Hours, 1959; The Oath, 1960; How Beautiful with Banners, 1966; A Style in Treason, 1970 (expansion from A Hero’s Life, 1966); and Probapossible Prolegomena to Ideareal History (Afterword by William Atheling, Jr., 1978).

Thomas Xavier Ferenczi is a man of diverse background. Born in Edmonton, Alberta, he has studied management, pharmacology, and law. As an author, he has written a science fiction screenplay, Extraterrestrial, and his most recent project is a techno-thriller, Conspiracy. He is also a writer in many other genres, including legal and historical non-fiction. He has a particular affinity for the science fiction tales of the late 19th and early 20th centuries. A bookworm, he can often be found in a coffeeshop, diner, or pub with his nose buried deep in a novel or textbook. He currently resides in Western Canada.

If the Futurians only got one book to represent them in some abridged library of 20th century literature, Cities in Flight would be my pick.

