I just logged into the Broad Institute's ChemBank database for the first time in a loooong time and I forgot my password. I clicked on the handy "forgot password" link and in about 30 seconds, I received an email that contained my old password (see pic).
Why is mailing my password problematic? Well, I'm no web-security expert, but this is a major-league no-no. It means that ChemBank's passwords are stored in plain-text (or at best in some reversible encoding or encryption, which is a relatively pointless exercise in obfuscation). It also means that any employee (gruntled or disgruntled) with access to ChemBank's database can likely view a treasure-trove of user passwords that are linked to big-pharma and biotech accounts. And any intruder who gains access to ChemBank's database will unearth that same treasure-trove.
And like everyone else on the planet, those big-pharma and biotech users probably employ the same password for several accounts. Therefore, being able to access ChemBank's database likely provides a mechanism for black-hats and ne'er-do-wells to establish beachheads for industrial malfeasance.
Passwords should be stored as salted 1-way hashes, which makes it more difficult for the bad guys to figure out everyone's password if they ever do break into your server.
This is also why most reputable websites will NEVER email your password to you when you've forgotten it. Rather, they email you a link that lets you re-set your password. Why don't they mail your password to you? Because if it's properly hashed, then even they don't know what it is.
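The scheme described above, as an added sketch that is not ChemBank's code or code from the original post: passwords are kept only as salted PBKDF2 hashes, and "forgot password" issues a short-lived, single-use token for the emailed link. The function names, the in-memory dicts standing in for database tables, the iteration count and the 15-minute lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # PBKDF2 work factor; an assumed value, tune for your hardware

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def hash_password(password: str) -> dict:
    """Build the record to store: a random per-user salt plus the 1-way hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _kdf(password, salt)}

def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(_kdf(password, record["salt"]), record["hash"])

def issue_reset_token(resets: dict, user: str, now: float, ttl: int = 900) -> str:
    """Return a random token for the emailed link; store only its SHA-256."""
    token = secrets.token_urlsafe(32)
    resets[hashlib.sha256(token.encode()).hexdigest()] = (user, now + ttl)
    return token

def redeem_reset_token(resets: dict, users: dict, token: str,
                       new_password: str, now: float) -> bool:
    """Set a new password if the token is known and unexpired; single use."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = resets.pop(key, None)  # pop: a token can never be replayed
    if entry is None or now > entry[1]:
        return False
    users[entry[0]] = hash_password(new_password)
    return True

if __name__ == "__main__":
    users = {"alice": hash_password("correct horse")}  # constructed sample account
    resets = {}
    link_token = issue_reset_token(resets, "alice", now=time.time())
    print("emailed link carries:", link_token)  # the old password is never sent
    print(redeem_reset_token(resets, users, link_token, "new passphrase", time.time()))
    print(verify_password("new passphrase", users["alice"]))
```

Because the server keeps only the salt, the hash and the token's digest, a copy of the database yields neither a password nor a usable reset link.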
The most recent release of Adverse Event Data from FDA's AERS / MedWatch database[1][2] shows the biggest jump in total number of reports submitted ever (if you count by absolute number of reports submitted). It's also one of the biggest percent increases (44.8%) in Adverse Event submissions since the AERS program began. I wish I knew what caused the jump. It's safe to assume that it was unrelated to the Supreme Court's recent ruling [pdf] about Adverse Event reporting related to Zicam as the jump we see in AERS reports took place from July to September of 2010, even before the case was argued before SCOTUS.
I've gotten a handful of these emails (below) recently from the FDA. It's serious business and I'm glad they're being vigilant, but do you think there are fights over who gets to write these press releases?
Glow Industries, Inc., Perrysburg, OH, announced today that it is initiating a voluntary nationwide recall of the company's product sold under the name of Mr. Magic Male Enhancer from Don Wands. Glow Industries, Inc. is conducting this voluntary recall after being informed by the Food and Drug Administration (FDA) that lab analysis has found the Mr. Magic Male Enhancer from Don Wands capsules to contain Hydroxythiohomosildenafil and Sulfoaildenafil, an analogue of Sildenafil, an FDA-approved drug used in the treatment of male Erectile Dysfunction (ED), making Mr. Magic Male Enhancer an unapproved new drug. These active ingredients are not listed on the product label. Product manufactured containing lot numbers 9041401, 251209 and 8121904 are included in this recall...
I had always assumed these types of companies simply sold snake oil. I never considered the possibility that they were getting their hands on bona-fide analogues of sildenafil and the like. Weird and scary all at once.
Initial upload into FDAble looks like everything was okay.
Interestingly, there are ~111,000 reports in this release compared to ~121,000 for the previous quarter. Not sure how significant this decrease is (is it seasonal? is it just noise? is FDA weeding out duplicates?). Will take closer look later....
Got this from "Webmail (L)" today. Love the personal touch. If I had to guess, some contractor who is now long gone implemented the actual warning letters search engine and now they have to either get that person back there to fix it or try and untangle someone else's spaghetti code themselves. Just a guess, but probably not fun for them either way.
Mr. Danese,
Thank you for your feedback. Our technical team is working hard to resolve the remaining issues. Thank you for sending us emails about the problems you encountered. We expect them to be resolved very soon. Please don't hesitate to contact us when you have a question, suggestion or any issues with our site. We are constantly working to improve the site and appreciate your feedback.
WASHINGTON -- The Food and Drug Administration isn't able to reliably determine how much money it needs to regulate medical products because, among other things, its staff can't track all the adverse-event reports it handles, according to the Government Accountability Office.
I just emailed the FDA asking them for an update regarding their warning letters search engine.
From what I can determine, they have fixed the issue of certain missing warning letters. However, 2 other significant issues (at least) remain: (1) the date filter is still malfunctioning (see previous post here) and (2) the Excel document dump is still outputting HTML (see previous post here).
Our correspondence to Nature Biotech regarding AERS data came out yesterday. I can't post the article due to copyright restrictions, but I'm sure you can pick up a copy at your local newsstand.
FDA has fixed the "beef northwest" issue described in yesterday's post (i.e. if you search for warning letters for "beef northwest" the search engine now returns 1 result). Click here for the same link as yesterday, but now with the correct result.
I don't yet know whether all of the missing warning letters have been restored, but it's a start.
I’ve written a couple of posts on FDA Warning Letters (here and here), but today’s post seems particularly important.
The FDA’s Warning Letter Search Engine is Seriously Flawed. There are at least 2 things that are wrong (in addition to the flaws I outlined earlier).
Certain warning letters that were in the old database have vanished.
The warning letters that are returned when searching by date are often inaccurate.
Allow me to elaborate.
Certain warning letters that were in the old database have vanished
If you use the FDA’s Warning Letter Search engine to search for “beef northwest”, you get 0 (zero) results [update: FDA has fixed this error--see here]. But there is a warning letter to Beef Northwest Feeders LLC issued on August 21, 2007 (see here for the letter). You can also search the FDA’s Warning Letters by Company Name and the record does not show up. [update: FDA has fixed this error--see here]
By my estimate there are almost 2,000 missing warning letters (I wrote a small bot that systematically went through the current FDA search engine and recorded warning letter results issued every day from January 1, 1996 to the present day and it returned ~7,700 warning letters, whereas the FDAble Warning Letter Database, made from the FDA’s old search engine, contains ~9,500 letters).
Warning letters returned when searching by date are often inaccurate
If you use the FDA warning letter search engine to search for all warning letters issued from 11/1/1996 to 10/31/1997 you get 152 results.
If you expand your search by 1 day (11/1/96 - 11/1/97) you get 876 results. Here’s a hint: The FDA did not issue 724 warning letters on 11/1/97- it was a Saturday.
I don’t know why the first search yields only 152 results, but it’s clearly wrong, and to be honest, given the errors throughout, I’m not confident in the 876 results returned in the 2nd search. The FDAble database says there were 1,008 warning letters issued between 11/1/96 and 11/1/97.
To summarize all 3 posts, we have the following problems with the FDA Warning Letters Search Engine.
Certain warning letters that were in the old database have vanished.
The # of warning letters returned when searching by date is often inaccurate.
Warning Letter Responses also appear to be missing from the new database.
Downloadable Results are presented as Excel files, but are actually HTML.
Warning Letter results return a maximum of 1,000 records, but this limit is not explicitly noted on the web-site.
I have an email in to FDA asking them to repair and notify others who may have been led astray.
This is only tangentially related to health informatics...unless you feel that public display of your credit card # is dangerous to your financial health.
Today, I used the FAX machine at my local public library. The FAX machine is run by a company called FAX24, and the instructions are pretty standard.
Pick up the phone on the FAX machine
Dial *3
Listen to the instructions
Enter your credit card number on the keypad
Enter your credit card expiration date on the keypad
Enter the destination FAX #
Add your sheets and press START
Works like a champ, and at the end the machine releases a small confirmation printout to tell you whether your transaction was OK or whether it failed.
Today was the first time I really looked at the printout.
There's my Credit Card # and expiration date prominently displayed.
I wonder how many people toss this confirmation printout into the trash on their way out of the library.
Is it me or does everyone think this is a major no-no?
But what happens when 2 people request results within the same second? This will probably never happen, but it's a bad idea to dynamically name files like this.
I posted earlier about creating a plugin for Mozilla's Firefox that allowed users to search the FDA and CDC websites and FDAble's search engines by right-clicking on a highlighted word.
Turns out that you can submit a plugin, but it's considered experimental until you've received reviews.
You also have to write a short justification of why your plugin is worthy of release to the public at large.
1. Download the plugin.
2. If you're on a web-page that contains a drug name or other health related term, highlight the term.
3. Right-click on the highlighted term and choose whether you'd like to use the term to search the FDA, CDC or FDAble search engines.
FDA used to have a collection of web-pages that allowed you to search the warning letters and responses that it had issued to various food & drug scofflaws and ne’er-do-wells all the way back to 1996.
There were certainly some strange choices made with the old system that they used. For one thing, they separated the “old” warning letters (those > 1 year old) from the new ones (<= 1 year old) and you had to use a separate search engine for each collection of reports.
With the new search engine, they’ve combined old and new so that both can be searched from one form. However, this appears to be the only thing that they got right with the upgrade.
Another peculiarity was that if you used the old system to download an Excel table of warning letters filtered by date, you got a CSV file that was mistakenly tagged with an .xls extension. This transgression is no big deal as CSV will be read easily by Excel even if it’s mis-tagged, but whoever built the new version seems to have taken the mislabeling one step further (see below). If you dig deeper into the web-pages, you find all sorts of weirdness.
First, your searches are capped at 1,000 results no matter how big the true size of results. The search-form doesn’t say that it will only return the first 1,000 results, but it does. And this initially led to confusion on my part because I was trying to see if the system would retrieve all 9,000+ warning letters that should be in the system. It only returned 1,000.
This is a bit dangerous b/c if a user searches for all warning letters from 1996 to 2009 s/he may mistakenly conclude that there have only been about 1,000 reports issued. What’s the deal? I seriously doubt they’re low on computing power.
The same holds true if you try to download an Excel table of the warning letters (you only get 1,000 results) no matter what you try.
And here’s the really strange bit. Remember how I said that the old system delivered a CSV file that was mis-labeled as an xls file?
Well, the *new* system again lets you download what is ostensibly an Excel file, but it’s not an xls file. It’s also not a CSV file like the old system. And no, it’s not one of those new-fangled Microsoft Office 2007 xlsx files. It’s a file marked with an xls extension, but if you open it up with notepad, you’ll find that it’s HTML!
Specifically, they’ve packaged the HTML table that is returned when a user searches their web-interface for warning letters and passed it off as Excel. Why? I have no explanation, except sheer laziness.
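The notepad check described above can be automated. The following is an added example, not code from the original post or from FDA: it classifies a download by its leading bytes instead of its extension, covering the four formats mentioned here (binary xls, xlsx, CSV, HTML). The function names and the sample bytes are constructed for illustration.

```python
import csv

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy binary .xls container
ZIP_MAGIC = b"PK\x03\x04"                        # .xlsx is a ZIP archive

def sniff_download(data: bytes) -> str:
    """Classify a downloaded 'spreadsheet' by content, ignoring its name."""
    if data.startswith(OLE2_MAGIC):
        return "xls"
    if data.startswith(ZIP_MAGIC):
        return "xlsx"
    sample = data[:4096]
    # Skip a UTF-8 byte-order mark and leading whitespace before looking for markup.
    head = sample.lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if head.startswith((b"<!doctype html", b"<html", b"<table")):
        return "html"
    if b"\x00" in sample:
        return "unknown"  # binary data that matches none of the known headers
    lines = sample.decode("utf-8", errors="replace").splitlines()
    if len(data) > len(sample):
        lines = lines[:-1]  # the last sampled line may be cut mid-row
    # CSV heuristic: the first rows all have the same number (>= 2) of fields.
    widths = {len(row) for row in csv.reader(lines[:5]) if row}
    return "csv" if len(widths) == 1 and widths.pop() >= 2 else "unknown"

def extension_matches(filename: str, data: bytes) -> bool:
    """True only when the extension agrees with what the bytes actually are."""
    claimed = filename.rsplit(".", 1)[-1].lower()
    return claimed == sniff_download(data)

if __name__ == "__main__":
    # Constructed samples mimicking the two mislabeled downloads described above.
    old_style = b"Company,Issue Date,Office\nExample Co,08/21/2007,Seattle\n"
    new_style = b"<table><tr><td>Example Co</td><td>08/21/2007</td></tr></table>"
    for name, body in (("letters.xls", old_style), ("letters.xls", new_style)):
        print(name, "is really", sniff_download(body), "- ok:", extension_matches(name, body))
```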
Finally, this section of the FDA’s website is titled “Warning Letters and Responses” [emphasis mine] and there used to be a way to search the responses to the warning letters…and the downloadable 'csv' file would list the location of letters received by the FDA in response to their warning salvos.
Also, they moved the URLs for all of the html versions of their warning letters, thereby breaking all of the fdable warning letter links. It’s not like the FDA is legally obligated to inform me of these changes, but when they do stuff like this they end up breaking the links for anyone/everyone who has ever bothered to link to their warning letter data. (time for me to get back to work…).
The comment about Bristol still stands. The rest is now vanilla.
See for yourselves.
#Added for Bristol-Myers on Sept 2005
User-agent: vspider
Disallow: /

#For all other crawlers
User-agent: *
Disallow: /Management/ # don't crawl healthcheck
Hit-rate: 30 # wait 30 seconds before starting a new URL request default=30
Visiting-hours: 23:00EDT-05:00EDT #index this site between 11PM - 5AM EDT
Concurrent-hits: 2 # limit concurrent active URLS to 2 for each index server