Saturday, April 16, 2011

The Broad Institute's ChemBank Database Stores Passwords as Plain Text


I just logged into the Broad Institute's ChemBank database for the first time in a loooong time and I forgot my password. I clicked on the handy "forgot password" link and in about 30 seconds, I received an email that contained my old password (see pic).

Why is mailing my password problematic? Well, I'm no web-security expert, but this is a major-league no-no. It means that ChemBank's passwords are stored in plain text (or at best reversibly encrypted, which is a relatively pointless exercise in obfuscation, since the key has to sit on the same server). It also means that any employee (gruntled or disgruntled) with access to ChemBank's database can likely view a treasure-trove of user passwords that are linked to big-pharma and biotech accounts. And any intruder who gains access to ChemBank's database will unearth that same treasure-trove.

And, like everyone else on the planet, those big-pharma and biotech users probably employ the same password for several accounts. Therefore, being able to access ChemBank's database likely provides a mechanism for black-hats and ne'er-do-wells to establish beachheads for industrial malfeasance.

The way it should be done is this: passwords should be stored as salted one-way hashes, so that even if the bad guys do break into your server, figuring out everyone's password is much harder (each password has to be guessed separately, and the guessing can't be sped up with precomputed tables).

This is also why most reputable websites will NEVER email your password to you when you've forgotten it. Rather, they email you a link that lets you reset your password. Why don't they mail your password to you? Because if it's properly hashed, then even they don't know what it is.
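As an added illustration (not code from the original post or from ChemBank), here is the scheme the two paragraphs above describe, in Python: the password at rest is a salted, slow, one-way hash, and "forgot password" mints a random single-use token whose hash is stored while the raw token goes out in the reset link. The iteration count, record layout and function names are my own choices for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 with a per-user random salt. The iteration count is an
# assumption for this example; tune it so one check takes tens of milliseconds.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable 'iterations$salt$digest' record.

    The original password cannot be recovered from the record; verification
    re-runs the same derivation and compares digests.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record (constant-time compare)."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token() -> Tuple[str, str]:
    """Mint a reset token: return (raw token for the emailed link, hash to store).

    Only the hash is written to the database, so a database leak does not hand
    out usable reset links any more than it hands out passwords.
    """
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("utf-8")).hexdigest()


def redeem_reset_token(token: str, stored_token_hash: str) -> bool:
    """Accept the token from the clicked link if its hash matches the stored one."""
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented, stored_token_hash)
```

Note that two users with the same password get different records because the salt differs, which is exactly what stops one cracked hash from unlocking every account that shares the password.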

Sunday, March 27, 2011

The Number of Adverse Event Reports filed into the FDA's AERS / MedWatch Program Rose 45% Quarter over Quarter


The most recent release of Adverse Event Data from FDA's AERS / MedWatch database[1][2] shows the biggest jump in total number of reports submitted ever (if you count by absolute number of reports submitted). It's also one of the biggest percent increases (44.8%) in Adverse Event submissions since the AERS program began. I wish I knew what caused the jump. It's safe to assume that it was unrelated to the Supreme Court's recent ruling [pdf] about Adverse Event reporting related to Zicam as the jump we see in AERS reports took place from July to September of 2010, even before the case was argued before SCOTUS.

Thursday, August 19, 2010

Who gets to write these Press Releases?

I've gotten a handful of these emails (below) recently from the FDA. It's serious business and I'm glad they're being vigilant, but do you think there are fights over who gets to write these press releases?

Glow Industries, Inc. Issues Nationwide Recall of Mr. Magic Male Enhancer from Don Wands Amended

Glow Industries, Inc., Perrysburg, OH, announced today that it is initiating a voluntary nationwide recall of the company's product sold under the name of Mr. Magic Male Enhancer from Don Wands. Glow Industries, Inc. is conducting this voluntary recall after being informed by the Food and Drug Administration (FDA) that lab analysis has found the Mr. Magic Male Enhancer from Don Wands capsules to contain Hydroxythiohomosildenafil and Sulfoaildenafil, an analogue of Sildenafil, an FDA-approved drug used in the treatment of male Erectile Dysfunction (ED), making Mr. Magic Male Enhancer an unapproved new drug. These active ingredients are not listed on the product label. Products manufactured with lot numbers 9041401, 251209 and 8121904 are included in this recall...

I had always assumed these types of companies simply sold snake oil. I never considered the possibility that they were getting their hands on bona-fide analogues of sildenafil and the like. Weird and scary all at once.

Tuesday, July 28, 2009

Q1 2009 AERS data released today

FDA released the Q109 AERS data today.

Initial upload into FDAble looks like everything was okay.

Interestingly, there are ~111,000 reports in this release compared to ~121,000 for the previous quarter. Not sure how significant this decrease is (is it seasonal? is it just noise? is FDA weeding out duplicates?). Will take a closer look later...

Wednesday, July 22, 2009

FDA Responds about its warning letters search engine

Got this from "Webmail (L)" today. Love the personal touch. If I had to guess, some contractor who is now long gone implemented the actual warning letters search engine and now they have to either get that person back there to fix it or try and untangle someone else's spaghetti code themselves. Just a guess, but probably not fun for them either way.

Mr. Danese,

Thank you for your feedback. Our technical team is working hard to
resolve the remaining issues. Thank you for sending us emails about the
problems you encountered. We expect them to be resolved very soon.
Please don't hesitate to contact us when you have a question, suggestion
or any issues with our site. We are constantly working to improve the
site and appreciate your feedback.

Thank you,
Webmail (L)

Tuesday, July 21, 2009

The Food and Drug Administration isn't able to reliably determine how much money it needs

WASHINGTON -- The Food and Drug Administration isn't able to reliably determine how much money it needs to regulate medical products because, among other things, its staff can't track all the adverse-event reports it handles, according to the Government Accountability Office.

Full story here.


Friday, July 17, 2009

Drums fingers on table...

I just emailed the FDA asking them for an update regarding their warning letters search engine.

From what I can determine, they have fixed the issue of certain missing warning letters. However, two other significant issues (at least) remain: the date filter is still malfunctioning (see previous post here), and the Excel document dump is still outputting HTML (see previous post here).