Me, you and spies

I’ve been avoiding writing about the Snowden revelations since they started appearing, mostly because people that are much more eloquent than I have said pretty much everything already. However, I was at the JANET CSIRT conference this week and I was inspired by a talk from @stephenbonner and felt I ought to add my voice as one of the ‘good guys’ in infosec out there, even if it is just shouting into a void.

Stephen Bonner suggested, and I feel he’s right in this, that the majority of money sloshing around the infosec world is spent on offensive capabilities ($50bn in the US, £2bn for the entire UK ‘single intelligence account’) and that therefore their voice is loudest. Those of us whose budgets are tiny often have to defend organisations that have much higher turnovers and assets. The force multiplier works to our disadvantage: we have to do a lot with less whereas members of three-letter-agencies can spend huge sums to achieve relatively little.

To put it on record, albeit after the fact, I don’t think anyone is massively surprised about the extent of government intrusion into our lives, it’s just that we’re surprised how accurate the tin-foil-hat-wearing brigade were. Within my organisation we’ve been warning against putting sensitive data (or indeed any data without adequate protection) into cloud services for exactly this reason; we just didn’t feel comfortable that things like the Patriot Act gave governments carte-blanche if they just uttered the magic password ‘terrorists!’

But what about the terrorists?!

I don’t want to downplay the effect on people’s lives that murder and mayhem cause: I remember being abroad during the 7/7 London tube bombings and unable to get hold of my husband made me sick with worry; I remember the constant fear the IRA instilled during the 90s. But, terrorism is just that – an attempt to bully and threaten by exaggerating your abilities through fear.

The UK has an independent reviewer of terrorist legislation whose job is to provide a degree of balance in the argument. They are entitled to view secret data not available to the public or parliament and are therefore perfectly placed to dispassionately analyse how terror laws work and whether they are proportional.

In their 2012 report they were able to report that the annualised rate of mortality from terrorism in the UK, over the course of the 21st century (so including the tube attacks), is 5 deaths per year. To put this into context there are 5 deaths on UK roads every day and there are more deaths from stinging insects each year than from terrorists.

Governments have a responsibility to protect their citizens, I get that. I’m also not naive enough to believe that some secrecy in a society isn’t necessary, but this is about balance, and we have it way wrong.

“The threat of terrorism is, no doubt, sometimes exaggerated for political or
commercial purposes. It is certainly a powerful rallying-cry for the flourishing
security and surveillance industries.” –  DAVID ANDERSON Q.C. Independent Reviewer of Terrorism Legislation

This is all legal!

We’ve had a debate in the UK twice about the security services storing all of the internets. On both occasions we – as a democracy – decided that on balance our privacy and liberty won out against the risk of not detecting all of the bad guys.

In the US, where a mock court pretends it’s providing oversight, the NSA decided that the Prism programme wasn’t actually convenient and that it was far easier to compromise the internal data centre networks at Yahoo and Google instead. A private citizen hacking a company is, rightly, punished with years in jail, but if a government does it, that’s somehow ok?

GCHQ aren’t even sure if what they’re doing is legal. If you have any doubts about the ethics of what you’re up to, I reckon you’re probably on the wrong side, but hey, it’s not like they don’t have form in usurping scrutiny and due process.

It’s only metadata

OK, two things:

1) I can learn an awful lot from who you email, what the subject lines are, what websites you visit and what search terms you use. It’s said that Google knows you’re gay before you even realise it yourself and although that might not be accurate, I’m not convinced I want any government storing a giant database of my friends, sexual desires and allergies. If you don’t think this is in itself a problem, how would you feel about CCing every email to me, or maybe getting changed with the curtains open in your bedroom? Probably not great I’d guess – fancy 1.4m people with top secret clearance having access to that? But it’s not as if they’d use that privilege to actually check out prospective dates or their spouses.

2) GCHQ have decided to store everything anyway. Even though we had debates, twice, about just storing metadata, GCHQ hoover up the whole lot, content and all, under a program called Tempora. The internet’s quite big so they can only store it all for three days, but they then go and select for things of interest and store them for much longer. On a technical level, this is absolutely mind-blowingly-cool, but just because you can do it doesn’t mean you should.

We’re protecting you really

Whilst we’re busy building new “cyber reserve units” to attack we’re not putting a great deal of investment into things like the CPNI. And isn’t there a bit of a conflict of interest – one arm of government telling you to do one thing to protect and the other actively working to subvert that? I’m not entirely sure what monitoring Angela Merkel’s phones has to do with terrorism either.

To make life easier, standards have been subverted and backdoors introduced into major pieces of infrastructure through the Bullrun and Edgehill programs. It’s double standards to complain that Huawei might be up to the same tricks, and of course this then leaves those same flaws open to exploit by the bad guys too.

Secret three-letter-agencies have become self-perpetuating industries; they exist only to prolong their own existence. To do this they have to fight for budget. To justify that, they have to bring in product. Counter terrorism is one of those roles for sure, but their political paymasters aren’t likely to turn down information that helps them at a negotiating table either, just as long as they don’t want to know exactly how they came by it.

What can we do?

Under sustained attack by governments, there’s not a great deal anyone can do, it’s just a matter of time, but we can make it harder for them. We can do better at defending our own networks. We need to make it easier to use encryption by default: the maths is sound even if some implementations are broken. We need to think carefully about cloud computing and take service from those companies that are able to preserve our privacy and ignore those that don’t. Take your business away from US & UK computing firms and they will quickly pressure the politicians. Make it more expensive for the NSA & GCHQ to do their jobs and their paymasters will eventually baulk at the cost.

The previous generation to mine started the internet and considered it a kind of utopia free from interference. The internet is broken and we need a new one.

Show me the data

I was published in the BMJ today, having been asked to write an expanded version of this blog post.

Personal View

I’m a patient: show me the trial data

BMJ 2013; 346 doi: (Published 16 April 2013)

Cite this as: BMJ 2013;346:f2336

The patient Alex Lomas is taking a biological drug for Crohn’s disease, and he wants to know why the maker is trying to prevent disclosure of trial data that may well affect him

I have an obsession with data. I have instruments in my house so I know how hot each room is and to warn me if the fridge door has been open for too long. I record my weight and blood pressure using devices connected to the internet so that I can monitor long term trends. I use my smartphone to track how much walking and exercise I do.

I was diagnosed with Crohn’s disease about 20 years ago, when awareness of inflammatory bowel diseases was not as high as it is today.1 The treatment decisions made at the time of my diagnosis had unfortunate side effects for me as a teenager. High doses of prednisolone led to Cushing’s syndrome, and I was mercilessly teased about my appearance at school. With time came a reduction in the dose of steroids required, but I had to take them throughout my 20s, and control of my symptoms was still inadequate.

As a patient with Crohn’s disease, I take an active interest in my day-to-day health, but I also routinely scan news media and journal sites for new treatments and for changes to current best practice in the management of my condition. I often arrive at appointments with my consultant armed with PDFs printed from the BMJ, the Cochrane Collaboration, and the National Institute for Health and Care Excellence (NICE) to discuss the latest trials and treatment options. Yes, I’m afraid I’m one of those patients.

Three years ago my consultant suggested a new course of treatment with adalimumab (Humira), an anti-TNFα monoclonal antibody. My local primary care trust approved this new drug, which costs £352 per injection, and which I administer myself by injection each fortnight.2 Since I started taking adalimumab I have the least symptoms since diagnosis. I am no longer taking steroids; I have started to recover from 15 years of side effects; and I spend less time in clinical care and off work on sick leave.

However, anecdotes are not the foundation of evidence based medicine, and nor are they a rational basis for evaluating the cost of a treatment. On 1 April 2013 responsibility for commissioning transferred from my primary care trust to the local clinical commissioning group, bringing into sharp focus the question of whether the NHS is getting value for money in continuing my treatment.

Equally importantly, I want to be able to evaluate the benefits and risks of these costly pharmaceuticals with which I inject myself regularly. Biologicals are relatively new, and have failed spectacularly in clinical trials.3 Who knows what 20 or 30 years of data from clinical use might bring? The most recent Cochrane review of biologicals looked at nine studies, and, although it found that they were effective, it noted that none of the trials allowed for an assessment of long term adverse events nor had any trials been undertaken that compared efficacy among the available biologicals.4 My consultant recently told me that no trials had been done to determine what the minimum effective dose of adalimumab was, nor would there likely ever be; a drug company has no interest in showing you can take less of something.

Part of NICE’s approval for the use of adalimumab in treating Crohn’s disease was the recommendation that a register of patients being treated with biologicals be set up to track long term outcomes and relapse rates after withdrawal of treatment, something patient groups welcomed.5 Unfortunately it seems that such registers are fragmented, with registers of patients with rheumatoid arthritis held independently from registers of patients with inflammatory bowel disease, or are still at pilot stage.6

As a patient, I need clinicians to interpret trial data and systematic reviews of new and existing treatments so we can come to appropriate decisions about my treatment, but what if even experts don’t get to see the whole picture? How can we even know what trials are being run?

I was therefore dismayed to learn that Abbvie, the maker of adalimumab, are seeking a legal injunction to prevent the European Medicines Agency from disclosing trial data submitted during the drug’s approval process.7 With such a new drug, it is vital that all data, whether it’s good news or bad, are made available so that I, my consultant, and the care commissioning group can make informed decisions about the efficacy and cost effectiveness of treatments.

As the drug industry and medical profession as a whole move towards the registration of all trials, and the publication of all trial data—in no small way thanks to the All Trials initiative—this decision by Abbvie is a backwards step and is offensive to trial participants, patients, and the wider public who ultimately pick up the tab.


  • Competing interests: I have read and understood the BMJ Group policy on declaration of interests and have no relevant interests to declare.

  • Provenance and peer review: Not commissioned; not externally peer reviewed.


  1. Molodecky NA, Soon IS, Rabi DM, Ghali WA, Ferris M, Chernoff G, et al. Increasing incidence and prevalence of the inflammatory bowel diseases with time. Gastroenterology 2012;142:46-54.
  2. Adalimumab. British National Formulary.
  3. Goodyear M. Learning from the TGN1412 trial. BMJ 2006;0:38797.635012.47
  4. Behm BW, Bickston SJ. Tumor necrosis factor-alpha antibody for maintenance of remission in Crohn’s disease. Cochrane Database Syst Rev 2008;1:CD006893.
  5. NACC. A good decision from NICE on antiTNF treatments for Crohn’s disease. 2010.
  6. Alrubaiy L, Williams J, Morgan J. P422. The Biologics Register for inflammatory bowel disease in the UK: setting the clinical dataset and the IT infrastructure. ECCO, 2013.
  7. Kmietowicz Z. Drug firms take legal steps to prevent European regulator releasing data. BMJ 2013;346:f1636.


A patient’s plea for data

I have an obsession, and that obsession is data. I instrument my house so I know how hot or cold it is, whether things move or not, how much data I’m sending over my internet connection and my blood pressure, weight and BMI.

As a patient with Crohn’s disease I similarly obsess over trial data, learning what does and doesn’t work (thank you Cochrane) and turning up at my consultant’s armed with PDFs. Yes, I am one of those patients.

For the last three years I’ve been taking Humira to manage my Crohn’s disease and I’m super pleased with the results – I’m better than I have been for years. Humira is an interesting drug and comes from a family of biologics that are a relatively recent development and consequently cost a small fortune (at current BNF rates that’s £352 per injection and I take one every two weeks). Not only do I want to be sure the treatment is medically effective I also want to demonstrate that despite its high cost, the overall “return on investment” is worth the NHS paying for it (by the fact I spend less time in hospital and that I’m a productive member of the workforce).

But more importantly I want to know that these really exciting monoclonal antibodies I’m injecting into myself aren’t going to cause me harm in the long run. They’re pretty new things so we don’t really have any idea what they may or may not do to me over 20 or 30 years (early signs with the first widespread anti-TNFα drug, Infliximab, suggest no problems but who knows) particularly as there have been some exciting failures with biologics.

As a patient with a vested interest in these things I’m a big supporter of All Trials, an initiative my friend Ben Goldacre plays a big part in, which aims to ensure all medical trials are registered and reported (please go sign the petition, I’ll be here when you’re done). I’m therefore pretty upset to see that AbbView (the makers of Humira) are suing the European Medicines Agency to prevent disclosure of data. Patients, trial volunteers, regulators and governments deserve to have the full facts in front of them when decisions affecting your life and health have to be made.

A month with a Windows phone

I was recently given the choice of a new work phone and decided on an HTC 8x, mostly to see how Windows Phone 8 behaves. My thoughts in summary format:

  • I do love the live tile UI – having an at-a-glance indication of stuff (like weather, calendar, tube status) is a really nifty and innovative thing. It works much better on a phone or tablet interface than it does on a desktop computer though.
  • The app store is a mixed bag but functionality wise it’s great with a unified search that brings in results from apps, music, games all in one place, the ability to browse the store from another computer’s web browser then “push” that app to your phone and best of all is trial mode where you get a free time-limited or functionality-restricted version of the app to use to decide whether it works or not. On the other hand, it’s lacking a lot of the content but I have found apps for all my major needs like evernote, foursquare, twitter and lastpass.
  • In a similar vein, IE10 is ok but it’s a shame there’s no version of Chrome available as IE10’s tab switching is clunky.
  • It took me a while to work out some of the UI – the “back” button also seems to do a lot of things, including task switching which I find a bit clunky. It’s also lacking a decent way of scrolling back up to the top (on Android and iPhone I’m used to tapping the top of the screen in some way).
  • Integration with a desktop computer is basic (but the phone app is still “preview 2”? really?) but gets you there, especially as it’s just a mass storage device allowing you to drag and drop your music straight onto the device. This alone is worth considering switching away from Apple in my opinion.
  • Skydrive integration is seamless, office documents just get copied back and pictures get uploaded perfectly with no messing and you can see it all dropbox-like on the web or via the syncing apps on the desktop. This is really one of the most important things Microsoft have done right and it puts iCloud to shame.
  • On the hardware level the HTC 8x is probably the best windows 8 phone right now (the lumia 920 is just too big) – the feel of it is lovely with its rubberised back – but I just can’t quite get the knack of the buttons. The volume rocker gives you no tactile indication of which way is up and down and often I find myself mashing the volume when I’m going for the lock switch on the top. Little things, but they do detract a bit.
  • Battery life is not too shabby; I easily get a couple of days use between charges (and that’s without turning the power-saving mode on).
  • The camera is ok, but just ok. The Microsoft “Blink” app is a nice camera app that starts taking photos before you even press the shutter and allows you to select the best version. On a similar note I like the way camera and photo apps plugin to the central photos hub and allow you to mess with filters and upload stuff from one place.
  • The screen is not too bad, the colours are certainly nice and vibrant and the white balance is good. It’s not quite as sharp as the iPhone 5’s screen though (HTC on the left, iPhone 5 on the right).

Overall it’s a nice experience but it’s let down in a couple of areas and you just get that feeling that it’s just not quite finished, but give it six months and it’ll be great.

Would I buy one? Absolutely.
Would I replace my iPhone 5 with one? Not just yet.

Instrumenting your house

I recently bought a bunch of wireless sensor tags from a guy in California. The little sensors communicate movement and temperature back to a ‘tag manager’ that you plug into your router. There’s then a cute little web/IOS/android app that allows you to configure them and also receive notifications when they get too hot or are moved.

My main reason for doing this is that we keep temperature-sensitive medication in the fridge at home and the paranoia in me wanted some way of knowing if the fridge door has been left open, or that the compressor has failed.
Whilst pretty straightforward to get going, I’ve found configuring them to be a steep learning curve: the UI has an amazing array of configurable options (which is a good thing) but due to the sheer number of them and the inherent delay of seeing updates it can be a bit confusing to see the results of your fiddling. I was also thrown by the fact the temperature sensor in the tags needed calibrating first. The power state of the tags also seems to vary wildly, perhaps that’s related to the cold of the fridge, which makes it difficult to know how long the battery is going to last.

I’m still not yet at the level where I completely trust the tags to alert me when something bad has happened but I don’t think it’ll be too long until that’s the case, but if you’re looking for a neat little solution that tells you where things are, or how hot something is, I think these are definitely worth a punt.

Nice to see Apple finally gets it. A bit.

It wasn’t long ago that editing a document in Apple’s own flagship apps, like Pages and Numbers, meant that your data was now firmly locked away inside (unless you wanted to start emailing it back to yourself) although there were plenty of Office-editing apps that could.

Now you can at least save your edits straight back into a supported app like Dropbox or FileExplorer which can save and sync to home and corporate network drives via CIFS. Maybe the ipad now starts to become a viable content creator and not just a content consumption device.

The following service is taking more than 4 minutes to start and may have stopped responding

I recently bought a new Canon all-in-one to replace an ageing Canon inkjet and separate flatbed scanner and although the printer itself is pretty good the software leaves a lot to be desired, but it’s usable.

Today I noticed that after restarting for patching my Windows 7 desktop sat preparing to install updates for 10 minutes, which was odd. I put it down to the updates but further restarts today gave similar symptoms – 10 minute waits for the desktop.

The event log flagged:

Event ID: 7022
Source: Service Control Manager
Type: Error
Description: Server service hung on startup.

The following service is taking more than 4 minutes to start and may have stopped responding: Server

A bit of searching led me to KB319127 which is still applicable to Windows 7 (although the reg keys are slightly different). Having added in the spooler service as a dependency on the server service, the machine now starts in a normal time. Obviously the same weirdness with the vendors mentioned in the KB article is still applicable to Canon drivers.
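The dependency change described above, written out as an added PowerShell example; it is not from the post or from the KB article. The service names LanmanServer (the Server service) and Spooler and the DependOnService value under the service key are my assumptions about the Windows 7 layout, and the post itself notes the keys differ slightly from those in the KB article, so check the path on your own machine first. It also shows the event log query I would use to confirm the 7022 hangs have stopped after the change.

```powershell
# Added example (not the post's own steps): make the Server service wait for the
# Print Spooler, then confirm the change and look for any further 7022 events.
# Assumes Windows 7 service names LanmanServer and Spooler; run from an elevated prompt.

$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'

# Read the existing dependency list (REG_MULTI_SZ), dropping empty entries if the
# value does not exist yet.
$existing = (Get-ItemProperty -Path $serverKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
$deps = @($existing | Where-Object { $_ -ne $null -and $_ -ne '' })

if ($deps -notcontains 'Spooler') {
    $deps += 'Spooler'
    Set-ItemProperty -Path $serverKey -Name DependOnService -Value $deps -Type MultiString
    Write-Output "Added Spooler to LanmanServer dependencies: $($deps -join ', ')"
} else {
    Write-Output 'Spooler is already a dependency of LanmanServer'
}

# What the Service Control Manager now sees (DEPENDENCIES line in the output)
sc.exe qc LanmanServer

# After the next reboot: any Service Control Manager 7022 events in the last day
# mean a service is still hanging on startup.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7022
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The dependency only delays the Server service until the spooler has started; it does not fix whatever the printer driver is doing, so if the spooler itself starts hanging the same 7022 event will simply move to Spooler.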

Learning to fly

Anyone that knows me has suffered my flying hobby for the last nine months; I’ve wanted to get my private pilot’s license (PPL) for a while and it was only last year that I was able to obtain my medical and afford the lessons. I thought that I’d do a writeup of my experiences along with some pointers if you’re tempted to do the same.

The first decision I had to make was a choice between the NPPL and a full JAA PPL. While the former has less stringent medical and training requirements (you merely need to get your GP to agree to the same conditions as professional lorry drivers) it does limit you to flying only during the day and in the UK. Whilst 99% of flights I’ll ever make will meet this criterion I decided to go for the full JAA PPL partly because I had vague notions of flying down to my parents in the south of France, but also I think the training course will take a similar amount of time.

This led me onto getting my Class 2 medical: I have Crohn’s disease which (if not in remission) is usually something that would disqualify me. You will need to visit an AME who will assess you (vision, hearing, ECG, bloods, urine etc) and if you’re in excellent health will issue your medical there and then. If you’re like me you’ll get your case referred to the CAA directly who will then require reports from every medic you’ve ever seen before making a decision, luckily in my favour. I would strongly advise that if you’re considering spending a lot of money on learning to fly you get your medical before doing anything else.

My next step was finding a flying school. My requirements were a little tricky in that I wanted somewhere reasonably easy to get to via public transport from central London and I’d looked at the usual suspects (Biggin Hill, Denham, Damyns Hall) but a chance reply to a post on an internet forum led me to look at RAF Halton. Although it’s way out in the Chilterns it’s pretty easy to get to and takes me 1.5 hours door-to-door on the train which is about the same time as a car. The club is excellent and while it has a rather undeserved reputation of being frosty (being a military airfield, fly-ins are deterred) members and instructors alike are all very supportive and friendly.

So it was that I started flying in late September 2011 in a bright yellow Cessna 152 and I blogged at the time when I completed my first solo. I had always approached flying with the attitude that if I only flew solo once then I’d be satisfied even if money, health or aptitude stopped me progressing further, but of course I didn’t just stop there. I used the winter months to study for and pass all seven written exams and took full use of any ground school evenings offered by the club. I would say that my weakest exams were in Navigation and RT but the rest are certainly very easy to self study for. Bear in mind that everything may change with EASA so speak to your school about the syllabus and which books to buy.

Aside from the minimum number of hours required (45 – 10 of which must be solo including 5 hours cross country, 2 of spin & stall awareness and 2 hours instrument flying) you must complete a solo “qualifying cross country” which is a minimum of 150nm with two full stops away from home. I ended up doing mine at the end of March which took me from Halton to Gloucester, up to Leicester then back home again. At each stop you get a certificate signed by the controllers to say that you landed and a grading of your safety and landing ability.

The solo nav is certainly a testing time and requires you to be fairly proficient at using the radio as well, something that took me a fair amount of time to get used to although I think that is fairly normal. My last hurdle was the radio practical which is done on a computer simulator with you as the pilot and the examiner playing the part of all the other aircraft and controllers. I almost flunked it but to give you an idea of the contents take a look at CAA safetysense leaflet 22 which includes an example route at the end which is pretty similar to what you’ll be faced with (albeit using entirely fictitious places).

The weather in April and May has been pretty dreadful so it’s taken me a few more hours than planned to get around to the final part – the skills test – just be aware that flying in the UK will throw up a lot of cancelled flying days! But, finally the day dawned to do the test with an examiner earlier this week. The test looks at your ability to plan a route (including take off/landing performance and mass/balance), general aircraft knowledge (how much fuel, battery voltage etc), diversion planning, general handling (steep turns, stalling, slow flight) and simulated emergencies like practice forced landings.

The weather on Thursday was marginal with a 20kt wind forecast to get up to 30kts later in the day but as it was pretty much straight down the runway I decided to proceed with the test. The examiner was great and put me at my ease so we headed up and did the circuit flying part of the test first whilst the wind was comparatively light. This went ok (not my best ever landings but not surprising given the wind) then we headed off on the first leg of the navigation part. The wind wasn’t quite as forecast so I found myself off track but corrected and gave a revised ETA to the examiner and managed to arrive at the first turning point within a minute of what I’d said. Half way through the second leg I was given a diversion to plan that took us back towards home – this didn’t go so well with strengthening winds meaning that I was 2 or 3 miles off course as I neared the end point, but recovered with a newly revised ETA and just made it within the allowed 3 minutes deviation. The rest of the general handling went fine (albeit with two attempts at forced landings with the strong wind) then I was told to rejoin the circuit and land. After landing the examiner shook my hand and told me I’d passed!

I guess the last thing to say is about costs. I spent just over £6,500 on flying hours and instruction along with £700 on books, equipment, exams and membership fees. This is not a cheap hobby!

What next? I’m not sure – this was always meant to be solely for fun; I don’t want to spend vast amounts more on a commercial pilot’s license for very little return (flying instructors earn less than £20 an hour for example) so I think I’ll continue flying my little Cessna for a few more hours then convert onto a four seat machine like the PA-28 Warrior which is much more comfortable for longer trips. See you in the skies!