Monthly Archives: August 2019


I am a big fan of the Zero app, which is a tracker for intermittent fasting. It is free, attractive, and has just enough features to keep me engaged and motivated, and no more.

Currently, my favorite feature is its Apple Watch complication, which fills up a ring (similar to the Activity app’s rings) as you progress through your fasting period. I find that filling that ring every day, and the app’s cheerful notifications every morning, really help motivate me to stop snacking or having an extra meal at night.

The only thing I don’t like about it is that it requires you to set up an account with an email address. While the company behind it does not appear to be abusing my privacy in any way, I would prefer that they didn’t require an account. Perhaps they will adopt Sign in with Apple when it becomes available this fall.

If you are interested in Zero, download it from the iOS App Store.

Ransomware Attacks Are Testing Resolve of Cities Across America

I read this article in the New York Times with interest, because I am an information security auditor by trade, and we have been educating companies and regulators about the dangers of ransomware for what seems like forever, but has probably only been four or five years now.

The part of the article I found most interesting, because I have worked in and for the insurance industry for the past twenty years, relates to cyberinsurance:

Fearing the worst, cities like Lake City, Fla., have bought cyberinsurance, and an insurer paid most of its ransom this summer. But some experts think that is only worsening the problem. “We see some evidence that there is specific targeting of organizations that have insurance,” said Kimberly Goody, a manager of financial crimes analysis for FireEye, a major cybersecurity firm, which says it has responded to twice as many ransomware attacks this year compared with 2018.

I have two main observations about this section:

First, it is galling that the typical fix for ransomware attacks is to pay the ransom, and rely on the good faith of the bad actor who locked away all the data to actually restore the encrypted data.

Second, that attackers are targeting companies that have done the fiscally responsible thing and obtained cyberinsurance to mitigate their ransomware risks is a perverse form of adverse selection. I am sure the cyberinsurance industry is working out ways to incentivize their customers to reduce their ransomware risks, because that is what insurance companies do, but organizational inertia and lack of funding will make it difficult and time-consuming to succeed.

Ideally, companies and municipalities would keep their systems up to date through regular software packaging and hardware upgrades, and would inventory and back up their data, so that ransomware attacks would be less likely to succeed, and so that data could be restored without paying the ransom. Organizations could also reduce their attack surface in other ways, such as replacing Microsoft Windows with ChromeOS for classes of workers, such as call center workers, whose job functions do not require Microsoft Windows. ChromeOS is less likely to be attacked than Microsoft Windows, and its use would encourage centralized data storage and software, which are easier to keep up-to-date and secure.

Beyond hardware and software upgrades, organizations need to train their employees to recognize social engineering attacks, as that is the number one or two attack vector every year. Having gone through that training every year for many years, and having been tested at random by a program at my company, I have learned that social engineering attacks can be almost impossible to discern from legitimate emails and instant messages. I think that no amount of social engineering training is going to be more than 80% effective at preventing phishing and/or ransomware attacks, but 80% is a good start.

The main reason organizations do not put these controls and practices into place is money. The second is organizational inertia. Both can be solved, but only through additional resources and external pressure. As citizens and as customers, we have to demand that the organizations, both public and private, that we interact with, protect their data and our data sufficiently.

The Keto Diet Is Popular, but Is It Good for You?

As a ketogenic dieter, I find Anahad O’Connor’s article about ketogenic diets pretty balanced, but his premise, described in the block quote below, doesn’t hold up to much scrutiny:

Low-carbohydrate diets have fallen in and out of favor since before the days of Atkins. But now an even stricter version of low-carb eating called the ketogenic diet is gaining popular attention, igniting a fierce scientific debate about its potential risks and benefits.

I am grateful that ketogenic diets are being treated seriously enough to be written about in a national newspaper. Unfortunately, the New York Times is trying to teach the controversy, when no such controversy actually exists.

Here are some clarifying points about some of the topics discussed or touched upon in the article, from someone who actually follows a sensible, low calorie, vegetable-rich ketogenic diet:

  1. There is no “Keto diet”. There are a variety of ketogenic diets, all with the common element that they tend to put the body in a state of nutritional ketosis at some point (not all day long unless you fast; primarily while you are sleeping). All these diets involve restricting carbohydrate intake to very low levels, ranging from 0 g to about 50 g per day. They differ in meal composition, meal timing, and what foods are allowed or disallowed. Also, in real life, even people on ketogenic diets will eat a high-carbohydrate treat now and then.
  2. Nutritional ketosis is not the same as ketoacidosis.
  3. Ideally, ketogenic diets involve eating a great deal of high fiber (but low starch) vegetables. Imagine telling your doctor that you eat two huge salads per day, with four ounces of meat on them, one ounce of cheese, and a tablespoon or two of olive-oil-and-vinegar dressing. Doctors have told me that it is hard to eat healthier than that.
  4. Ketogenic diets are “high fat” on a percentage basis, not necessarily on an absolute basis (as in, grams of fat per day).
  5. Similarly, ketogenic diets are not necessarily higher in meat or dairy consumption than the standard American diet.
  6. I have read many, many abstracts and articles about diet and nutrition studies. Almost every study I have come across demonstrates bias or lack of understanding of what ketogenic diets actually look like (they tend not to restrict carbohydrates in test subjects sufficiently), relies on bad data (epidemiological data, or prior studies’ data, self-reported food logs), or has a duration that is too short (you need more than a couple weeks to assess a diet change).
  7. Sometimes the scientists’ own conclusions do not seem to be drawn from the data they collected. This often evidences itself when the study concludes that, despite outcomes being equal or better for ketogenic diets, there is concern about their heart health due to the amount of fat in their diet.
  8. While you may believe there is insufficient evidence that ketogenic diets are healthy (whatever that means), there is ample evidence that the standard American diet (which I understand has spread to most of the world at this point) is obviously not. If it were, there wouldn’t be an obesity epidemic.
  9. I don’t believe it makes sense to adopt an all-meat, or all-meat-and-cheese, diet. My reasoning: Fermentation of high-fiber vegetable matter in the gut is something humans evolved to do, and, for that reason, it is probably a good idea to continue doing so. I would understand if this argument were made more clearly in the article; instead some scientist’s statement that mistakes “high fiber” foods for high carbohydrate foods (i.e. starchy foods) is there, casting doubt about the diet in a way that doesn’t make logical sense.
  10. Ketogenic diets are not appropriate for some people, due to underlying medical conditions such as Type I Diabetes. This does not mean that they are not appropriate for anybody.
  11. In the end, we are all n = 1 studies. It doesn’t matter what the science says about a diet’s effect on study participants or on populations, it matters how the diet affects you. Many, many people have success with ketogenic diets that they did not have with low-fat diets or with calorie counting. If low-fat dieting or calories-in-calories-out tracking works for someone, it makes no sense to disparage that person’s diet choices, and almost no one would. Ketogenic diets should be treated the same way.

All in all, the article is 80% of good content with 20% of nonsense thrown in for the sake of balance.