New Super Bugs

February 28, 2010

I’ve written here a few times before about the development of antibiotic resistance in bacteria, and many people will have heard about infections caused by methicillin-resistant Staphylococcus aureus (MRSA).   The New York Times now has a report that a new class of antibiotic-resistant organisms is being encountered in hospital settings.  These organisms fall into a broad class of bacteria that are known as Gram negative, because they do not absorb a crystal violet dye used in the Gram staining procedure.  (This is not just an esthetic curiosity.  The two classes of bacteria behave differently because the structure of their cell walls is different.)  Although these infections are, at this point, nowhere near as common as those resulting from MRSA infection, they are potentially a grave threat, because there are very few treatment options available.

…there are several drugs, including some approved in the last few years, that can treat MRSA. But for a combination of business reasons and scientific challenges, the pharmaceuticals industry is pursuing very few drugs for Acinetobacter and other organisms of its type, known as Gram-negative bacteria. Meanwhile, the germs are evolving and becoming ever more immune to existing antibiotics.

Vancomycin, for example, is a very powerful antibiotic that can be used to treat some MRSA infections, but it is not effective at all against Gram-negative organisms.   One of these bacteria, Acinetobacter baumannii, can cause severe infections of the urinary tract and the bloodstream.  Another, Klebsiella pneumoniae, which has been increasingly found in hospitals, can (as its name suggests) cause a serious pneumonia.

When a patient is diagnosed with one of these infections, the treatment options are severely limited.

Doctors treating resistant strains of Gram-negative bacteria are often forced to rely on two similar antibiotics developed in the 1940s — colistin and polymyxin B. These drugs were largely abandoned decades ago because they can cause kidney and nerve damage, but because they have not been used much, bacteria have not had much chance to evolve resistance to them yet.

Sometimes the trade-off is dire: the patient may be forced to run a high risk of kidney failure in order to treat the infection.

The introduction of antibiotics made such an enormous difference in the treatment of infections that it is hard to conceive of how dangerous they once were.  It has been very rare, in the recent past, for patients to die from infections if they had any sort of competent medical care.  If we succeed, through our own stupidity and carelessness, in making antibiotics less effective, we will get reminded that infections are serious much more quickly than we would like.

Let 100 Kilowatts Bloom

February 27, 2010

One of the events making the technology news this week was the unveiling, by start-up company Bloom Energy, of its new fuel cell electric power system, called the Bloom Box energy server.  Based on solid-oxide fuel cell technology, each server can generate 100 kW of electrical power, using a fuel such as natural gas.  The company claims that its version of this fuel cell technology has several new features, including lower-cost materials (no platinum or other expensive metals), high electrical efficiency, and fuel flexibility.

Fuel cell technology has several attractive features, and has been used by NASA in the space program, but has never caught on in a big way because the hardware has tended to be very expensive.  As Ars Technica points out in their report on the announcement, there are good reasons that this is so:

Nearly every aspect of putting something like this together is problematic. The catalysts usually involve the use of precious metals, like platinum, which significantly boosts the costs. The entire apparatus is put together with materials that have radically different properties, but have to form complete seals, and maintain that seal over a very large temperature range.

Although, as I noted above, the company claims that precious metal catalysts are not required, the operating temperature of the Bloom Box is reported to be around 1000° C, so you probably won’t want one in your kitchen.  (Bloom has provided very little in the way of technical detail of how the device works, so evaluation of its claims is close to impossible at this point.)

Returning to the question of cost, it appears that the 100 kW unit’s price is in the $ 700,000 – 800,000 range.  It appears that this is too expensive to make the device competitive with conventional electric power supplies, according to the report in Wired:

In fact, a long-term R&D collaboration between the Department of Energy and multiple solid-oxide fuel-cell manufacturers, the Solid State Energy Conversion Alliance, estimates that fuel cells will need to cost $700 per kilowatt of peak capacity to compete unsubsidized with the grid. Bloom’s product costs 10 times that.

This is before taking into account tax credits and subsidies offered by the US government and the state of California.  The company claims that, taking these into account, the lifetime cost of electricity from its device, over a ten-year period, will average about $0.08 per kW-hour.  It also seems plausible that manufacturing costs would decline at least modestly over time.

Still, the aim of having economic incentives for alternative energy sources is in large part to promote experimentation with different technologies.  And Bloom has gotten some significant potential customers interested, according to an article in Technology Review:

In addition to Google, eBay, and Walmart, Bloom’s customers include Bank of America, Coca-Cola, Cox Enterprises, FedEx, and Staples. A 400-kilowatt system powers a building at Google that contains an experimental data center.

A certain degree of healthy skepticism is probably in order; I personally doubt that any single technology will be the “silver bullet” that slays our energy and environmental problems.  We should remember, though, that it took Thomas Edison about 14 months and 1,200 experiments to come up with a working incandescent light bulb.  As Edison certainly knew, it’s just as important to find out what doesn’t work.

NYC Blows First Subway

February 26, 2010

It was 140 years ago today that the first passenger-carrying subway was opened in New York City.  As an article at Wired reports, it was a demonstration project that ran from a station on Broadway, in the basement of Devlin’s Clothing Store, to Murray Street, a distance of a few hundred feet.  The system, which featured pneumatic propulsion, much like the pneumatic tubes you can see today at bank drive-through  windows, was built by Alfred Beach:

Beach first demonstrated pneumatic transit at the 1867 American Institute Fair, and sought to build a pneumatic transit system underground to relieve surface-level congestion with a system consisting of, in Beach’s words, merely “a tube, a car, a revolving fan!”

Beach had received permission to build a package delivery tunnel under Broadway, and quietly built his passenger line also.  The station and passenger carriage were apparently quite well appointed, and touring the system and its tunnel were popular pastimes.

At the time, pneumatic propulsion was one of the contenders for building underground railways.  In London, the idea was explored by the Post Office as a means of transporting mail across the central area, bypassing the congested streets; it was apparently a technical but not a commercial success.  (A later version was built, starting in 1915, using electric traction.)  The London Underground opened its first lines in 1863, but those initial segments (some of which are still part of the Metropolitan Line) were in shallow tunnels, built using “cut and cover” techniques, because initially steam traction was used, and thus adequate ventilation was quite important.

Unfortunately, nothing really came of Beach’s demonstration project. There was apparently some considerable political wrangling within the Tammany Hall machine of the time, and wealthy real estate owners preferred elevated railways, fearing that the boring of tunnels would damage their buildings’ foundations.  Some of these elevated lines were built, but it would be 34 years before the Interborough Rapid Transit company opened the first underground subway line beneath Broadway.

Point & Click Malware

February 25, 2010

About a week ago, I wrote about a newly-discovered botnet attack that had compromised something like 75,000 computers in 2500 organizations.  That attack was carried out using a variant of the “Zeus” malware package, and was notable for its sophistication, and for its focus on stealing banking and login credentials.

The attacks themselves, and the people that initially craft them, have become much more sophisticated over the years.  As always, there is an “arms race” between the attackers and the security folks responsible for protecting the target systems.  But the people who actually launch the attacks don’t have to be all that sophisticated.  Now, according to an article in Technology Review, the necessary software to mount a very sophisticated attack has been packaged as a product available over the Internet.

In 2005, a Russian hacker group known as UpLevel developed Zeus, a point-and-click program for creating and controlling a network of compromised computer systems, also known as a botnet. Five years of development later, the latest version of this software, which can be downloaded for free and requires very little technical skill to operate, is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information.

The developers of this malicious software are becoming just as good at packaging and marketing it as the legitimate software vendors.  The Zeus platform now supports “plug-ins” and “extensions”, just like, say, Firefox.  Some of these add-ons are “exploit packs”, which contain code to exploit vulnerabilities in particular operating systems or applications.   There is, apparently, a wide variety of add-ons available:

Some add-ons focus on phishing attacks–delivering the images and Web pages needed to create fraudulent banking sites, for example. Other add-ons give bot operators the tools to create spam campaigns.

Want to steal credit card numbers or bank login info?  There’s probably an app for that.  The platform kits also include tools to help obfuscate the contents of the finished malware package, making it less susceptible to detection by anti-virus and anti-spyware programs.

The net result of all this is that now, even technically inept crooks can easily obtain fairly sophisticated attack tools; and, at this point, the Bad Guys are winning the arms race.  In addition to using anti-malware tools and firewalls to protect systems, it is also a good idea to carefully monitor the traffic on your network.  (This requires, of course, that you have a pretty good idea of what normal traffic looks like.)   Identifying the command-and-control traffic between compromised machines and the botnet “controllers” is often the best way to track down an infection.

A Place at the Periodic Table

February 24, 2010

According to an article at the Web site, the International Union of Pure and Applied Chemistry [IUPAC] has announced that element 112 in the periodic table will officially be named Copernicium, in honor of the astronomer Nicolaus Copernicus, who formulated a heliocentric theory of the cosmos, most notably in his book De Revolutionibus Orbium Coelestium (On the Revolutions of the Heavenly Spheres).   The new element’s symbol will be Cn; its weight is 277 times that of hydrogen, making it the heaviest element officially recognized and named by the IUPAC.   It joins a collection of heavy elements named after scientific pioneers, including Einsteinium (Es), Fermium (Fm), Mendelevium (Md), and Bohrium (Bh).

The new element was first produced in February, 1996, by a team at the GSI Helmholtzzentrum für Schwerionenforschung in Germany.

Top 25 Most Dangerous Bugs for 2010

February 24, 2010

This year’s list of the 25 Most Dangerous Programming Errors has been published by the CWE project, which is a cooperative venture between the MITRE Corp., the SANS Institute, and numerous software security experts in the US and Europe.

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

It is based, in part, on the Common Weakness Enumeration data, maintained by MITRE in conjunction with the US Department of Homeland Security, and on the SANS list of Top 20 Attack Vectors.  The error list is meant to help educate developers, managers, and software customers about the kinds of too-common errors that cause so many security flaws in software.  The list contains detailed discussion of the errors, along with information about the circumstances and environments in which they are most common, and advice on mitigating their impact.

Reading through the list can be a sobering experience.  The venerable buffer overflow bug is still in the number 3 position (although it is down from number 1 last year), which is a bit depressing since it was a buffer overflow vulnerability that was exploited by the very first Internet worm (the Morris worm) back in the late 1980s.  The number 1 and 2 positions this year are occupied by two other old favorites: cross-site scripting, and SQL injection.  It has been said that the invention of writing and the printing press allowed knowledge to be captured and passed along to future generations.  Software development managers know that this theory is sometimes less than totally apparent in practice.

Still, it is a hopeful sign, I think, that this kind of information is being collected and published.  If software is to become a real engineering discipline, a body of knowledge about what works and what doesn’t is essential.  The plural of “anecdote” is not “data”.

%d bloggers like this: