I thought I had known the major government contributors to the baby formula crisis. But the following 3 paragraphs tell some things that are new to me:
Regulation is a major reason only four large formula producers control most of the U.S. market. First, parents receiving WIC assistance are allowed to choose only certain brands. Second, consumers must pay a 17.5 percent tariff on any imported formula, which prices countless brands out of the U.S. market. It’s a nice arrangement for the companies — and for their lobbyists — but it raises prices for families and makes it difficult to boost supplies during shortages.
When new formulas enter the market, regulations forbid sellers from letting anyone know about them for 90 days, even as manufacturers may advertise existing formulas all they like. Those first months on the shelf are make-or-break for many new products, which is why existing producers like this otherwise pointless regulation. At times like this, parents might appreciate hearing about new options.
One of those options is toddler formula, which in many cases meets the Food and Drug Administration’s nutritional requirements for infant formula. However, FDA regulations prohibit many manufacturers from recommending this option.
It was an audacious crime in the heart of the nation’s capital that garnered news coverage from outlets across the world: A stealthy red fox — a wild animal native to the D.C. region — managed to break into the heavily fortified flamingo habitat at the Smithsonian’s National Zoo, slaughtering 25 of the exotic pink birds. Now, zoo officials say they’ve caught and killed the culprit. Maybe. Or maybe it was another fox, innocent, but in the wrong place at the wrong time.
Zoo spokesperson Pamela Baker-Masson confirms the suspect was caught in a trap at the zoo on Thursday night or early Friday morning. The fox was humanely euthanized, she says, because zoo staff feared that now that it had learned how to get into the enclosure, and gotten a taste of flamingo, it would strike again, putting all the zoo’s birds at risk. The Washington Post first reported the news of the fox’s death.
Zoo staff are still working to confirm that the captured fox was indeed the culprit, possibly using DNA testing. There was no concern the fox carried rabies or was otherwise sick; it displayed normal, healthy fox behavior, hunting at night. After it was euthanized, the fox tested negative for rabies.
Baker-Masson says the zoo does not routinely set out traps for wildlife, and does not plan to capture and kill every fox that enters the zoo grounds. After all, foxes are common in the District and throughout the region — particularly in Rock Creek Park, where the zoo is located.
“It is the zoo’s goal to coexist with the native species around us, especially because we are adjacent to Rock Creek Park,” Baker-Masson says in an email to DCist.
But this particular fox — if indeed it was the culprit — was an especially skilled predator, she says. Having breached the flamingo exhibit’s defenses — which have successfully repelled predators since the enclosure was designed in the 1970s, and which were replaced and updated just five years ago — this animal demonstrated “a learned behavior which will most likely be repeated and must be considered an ongoing threat,” Baker-Masson says.
Plus, the culprit in this case showed “surplus killing” behavior — killing more prey than it could eat. “The predator(s) had buried its prey, and we anticipated its return,” says Baker-Masson.
But why did the zoo — whose official mission and vision speak of “saving species” and creating “a biodiverse planet where wildlife and nature thrive” — kill an apparently healthy native wild animal, rather than relocating it?
“Relocating the fox was not a viable consideration because of the robust and healthy fox population within the DMV region,” Baker-Masson explains. “Red fox populations exist at near or at capacity in this region and currently are increasing due to their annual birth of kits. Relocating the fox could have jeopardized his wellbeing and/or the foxes already using that home range.”
It’s not the first fox found on federal land in D.C. to be euthanized this year: In April a fox was killed, along with her three kits, after biting multiple people on Capitol Hill. This was a more clear-cut case: the mother fox tested positive for rabies.
D.C. law protects wild animals and discourages the use of euthanasia, but the law does not apply to the zoo, as it is on federal property, says Natasha Garcia Andersen, a wildlife biologist with the District Department of Energy and Environment.
“Euthanasia is always the last resort,” says Garcia Andersen. “Unlike other neighboring jurisdictions, we do allow for the relocation of wildlife, and we have areas set up around the District where wildlife can be relocated if they are a problem where they’re at, as long as they’re healthy and not a danger to the public.”
In fact, she says, she did speak with zoo staff after the killing of the flamingos, while the fox was still on the loose. They discussed relocation, and Garcia Andersen suggested releasing the fox far from the zoo — possibly on the other side of the Anacostia River — to prevent its return.
D.C. law does not prohibit euthanizing healthy wild animals, though it makes it impractical in most cases. A resident with a fox problem could, theoretically, capture and euthanize the animal legally, but only if they had access to means to humanely kill and dispose of the animal, following guidelines from the American Veterinary Medical Association. Most residents, Garcia Andersen says, wouldn’t have the tools to lethally inject or gas an animal. And transporting the wild animal across state lines, dead or alive, would be banned under federal law.
A person who kills a wild animal in an inhumane way could be charged with animal cruelty.
Most residents dealing with pesky wild animals in D.C. hire licensed animal control companies, which are regulated under the District’s Wildlife Protection Act of 2010. That law states that such companies “shall recommend and employ nonlethal means in preference to lethal means for the control of problem wildlife,” and that wild animals shall be “euthanized if relocation or rehabilitation are not feasible.”
A company that violates the law and inhumanely kills a wild animal could be subject to hefty fines. What’s more, most companies operating in the District don’t have the practical ability to legally euthanize animals, says Garcia Andersen, because they would have to have euthanasia equipment on their vehicle, and have permission to transport the dead animals to another state for disposal.
The vast majority of “problem wildlife” caught in D.C. are handled with nonlethal methods, says Garcia Andersen. The latest data available, from 2020, show that 450 wild animals were handled by wildlife control companies. Of those, just 16 — all raccoons — were euthanized. Squirrels made up the largest category of “problem” animals, accounting for 303 of the animals in 2020, 249 of which were relocated, while 54 were “excluded,” meaning they were fenced out of the attic or garage or crawlspace where they’d taken up residence.
Other “problem” animals included birds (17), bats (14), and groundhogs (7). There were no foxes reported.
The wildlife protection law does not apply to invasive commensal rodents, such as rats or mice. After its passage, the law was misunderstood or mischaracterized by Ken Cuccinelli, then attorney general of Virginia and Tea Party darling. Cuccinelli claimed that the District was using the law to send rats to Virginia, and compared undocumented immigrants to the invasive rodents. The mistaken claim was also taken up by conservative talk show host Rush Limbaugh, who called Councilmember Mary Cheh (D-Ward 3), the law’s author, a “babe,” and sparked a wave of hate mail to her.
Residents with problematic wild animals — fox or otherwise — can find a list of licensed wildlife control companies on DOEE’s website.
This story was updated to include new information from the zoo.
Environmental reporting is funded in part by John and Martha Giovanelli.
Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level. But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here’s one example.
A sample Common Access Card (CAC). Image: Cac.mil.
KrebsOnSecurity recently heard from a reader — we’ll call him “Mark” because he wasn’t authorized to speak to the press — who works in IT for a major government defense contractor and was issued a Personal Identity Verification (PIV) government smart card designed for civilian employees. Not having a smart card reader at home and lacking any obvious guidance from his co-workers on how to get one, Mark opted to purchase a $15 reader from Amazon that said it was made to handle U.S. government smart cards.
The USB-based device Mark settled on is the first result that currently comes up when one searches Amazon.com for “PIV card reader.” The card reader Mark bought was sold by a company called Saicoo, whose sponsored Amazon listing advertises a “DOD Military USB Common Access Card (CAC) Reader” and has more than 11,700 mostly positive ratings.
The Common Access Card (CAC) is the standard identification for active duty uniformed service personnel, selected reserve, DoD civilian employees, and eligible contractor personnel. It is the principal card used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems.
Mark said when he received the reader and plugged it into his Windows 10 PC, the operating system complained that the device’s hardware drivers weren’t functioning properly. Windows suggested consulting the vendor’s website for newer drivers.
The Saicoo smart card reader that Mark purchased. Image: Amazon.com
So Mark went to the website mentioned on Saicoo’s packaging and found a ZIP file containing drivers for Linux, Mac OS and Windows.
Out of an abundance of caution, Mark submitted Saicoo’s drivers file to Virustotal.com, which simultaneously scans any shared files with more than five dozen antivirus and security products. Virustotal reported that some 43 different security tools detected the Saicoo drivers as malicious. The consensus seems to be that the ZIP file currently harbors a malware threat known as Ramnit, a fairly common but dangerous trojan horse that spreads by appending itself to other files.
“Seems like a potentially significant national security risk, considering that many end users might have elevated clearance levels who are using PIV cards for secure access,” Mark said.
Mark said he contacted Saicoo about their website serving up malware, and received a response saying the company’s newest hardware did not require any additional drivers. He said Saicoo did not address his concern that the driver package on its website was bundled with malware.
In response to KrebsOnSecurity’s request for comment, Saicoo sent a somewhat less reassuring reply.
“From the details you offered, issue may probably caused by your computer security defense system as it seems not recognized our rarely used driver & detected it as malicious or a virus,” Saicoo’s support team wrote in an email.
“Actually, it’s not carrying any virus as you can trust us, if you have our reader on hand, please just ignore it and continue the installation steps,” the message continued. “When driver installed, this message will vanish out of sight. Don’t worry.”
Saicoo’s response to KrebsOnSecurity.
The trouble with Saicoo’s apparently infected drivers may be little more than a case of a technology company having their site hacked and responding poorly. Will Dormann, a vulnerability analyst at CERT/CC, wrote on Twitter that the executable files (.exe) in the Saicoo drivers ZIP file were not altered by the Ramnit malware — only the included HTML files.
Dormann said it’s bad enough that searching for device drivers online is one of the riskiest activities one can undertake online.
“Doing a web search for drivers is a VERY dangerous (in terms of legit/malicious hit ratio) search to perform, based on results of any time I’ve tried to do it,” Dormann added. “Combine that with the apparent due diligence of the vendor outlined here, and well, it ain’t a pretty picture.”
But by all accounts, the potential attack surface here is enormous, as many federal employees clearly will purchase these readers from a myriad of online vendors when the need arises. Saicoo’s product listings, for example, are replete with comments from customers who self-state that they work at a federal agency (and several who reported problems installing drivers).
A thread about Mark’s experience on Twitter generated a strong response from some of my followers, many of whom apparently work for the U.S. government in some capacity and have government-issued CAC or PIV cards.
Two things emerged clearly from that conversation. The first was general confusion about whether the U.S. government has any sort of list of approved vendors. It does. The General Services Administration (GSA), the agency which handles procurement for federal civilian agencies, maintains a list of approved card reader vendors at idmanagement.gov (Saicoo is not on that list). [Thanks to @MetaBiometrics and @shugenja for the link!]
The other theme that ran through the Twitter discussion was the reality that many people find buying off-the-shelf readers more expedient than going through the GSA’s official procurement process, whether it’s because they were never issued one or the reader they were using simply no longer worked or was lost and they needed another one quickly.
“Almost every officer and NCO [non-commissioned officer] I know in the Reserve Component has a CAC reader they bought because they had to get to their DOD email at home and they’ve never been issued a laptop or a CAC reader,” said David Dixon, an Army veteran and author who lives in Northern Virginia. “When your boss tells you to check your email at home and you’re in the National Guard and you live 2 hours from the nearest [non-classified military network installation], what do you think is going to happen?”
Interestingly, anyone asking on Twitter about how to navigate purchasing the right smart card reader and getting it all to work properly is invariably steered toward militarycac.com. The website is maintained by Michael Danberry, a decorated and retired Army veteran who launched the site in 2008 (its text and link-heavy design very much takes one back to that era of the Internet and webpages in general). His site has even been officially recommended by the Army (PDF). Mark shared emails showing Saicoo itself recommends militarycac.com.
“The Army Reserve started using CAC logon in May 2006,” Danberry wrote on his “About” page. “I [once again] became the ‘Go to guy’ for my Army Reserve Center and Minnesota. I thought Why stop there? I could use my website and knowledge of CAC and share it with you.”
Danberry did not respond to requests for an interview — no doubt because he’s busy doing tech support for the federal government. The friendly message on Danberry’s voicemail instructs support-needing callers to leave detailed information about the issue they’re having with CAC/PIV card readers.
Dixon said Danberry has “done more to keep the Army running and connected than all the G6s [Army Chief Information Officers] put together.”
In many ways, Mr. Danberry is the equivalent of that little known software developer whose tiny open-sourced code project ends up becoming widely adopted and eventually folded into the fabric of the Internet. I wonder if he ever imagined 15 years ago that his website would one day become “critical infrastructure” for Uncle Sam?
On Thursday, the US Department of Energy (DOE) announced the latest program to come out of the bipartisan infrastructure funding package that was passed last year. In this case, the money is going to foster the development of a technology that we'll almost certainly need but is currently underdeveloped: capture of carbon dioxide from the air and its stable storage. The infrastructure law set aside $3.5 billion for direct air capture, and the DOE plans to use that to fund four facilities spread across the US.
Direct air capture has suffered from a bit of a catch-22. Most scenarios for limiting end-of-century warming assume we'll emit enough carbon dioxide in the next few decades to overshoot our climate goals and will therefore need to remove some from the atmosphere. That would necessitate the development of direct air capture technologies. But, at present, there's no way to fund the operation of a facility to do the capturing, so the technology remains immature and its economics poorly understood.
The DOE's funding has the potential to change some of that. It has a total of $3.5 billion to spend in the years 2022 through 2026. It plans to use that to fund four carbon-capture and storage centers spread across the US, each with the capability of permanently storing a million metric tons of carbon dioxide a year.
The funding will handle the entire process: the facility that removes and concentrates the carbon dioxide; any pipelines or transport hardware needed to get to where it's used or stored; and any equipment needed to do the storage. The funding is agnostic about the method used for capture and storage, mentioning that chemical capture, removal by biomass, and sequestration in the ocean are all options.
The entire project will be subject to life-cycle analysis to determine the actual capture potential of any projects. This will include all the materials and energy involved in building and operating the facility, any emissions due to land use changes, and the duration of the sequestration of the carbon dioxide. If, for example, underground storage will be used, then leakage from the storage area will be considered. Similarly, sequestration via chemical reactions will need to have its efficiency monitored, and incorporation into a product will need to have the product's lifespan taken into account.
The current call for proposals will seek to fund projects at the same time that feasibility studies are conducted and permits obtained; another competitive evaluation will occur before things move on to the design and construction phase. The DOE says projects will be evaluated by metrics including estimated cost per ton of CO2 handled, the overall handling capacity, and potential for long-term employment. Location will also be a major factor. The DOE would like to have two placed in regions that are currently producing fossil fuels, to have all of them placed in areas with a high geological carbon storage potential, and to have the four spread out in different regions of the country.
Current plans are to have construction start in 2026 and operations begin by 2029. Obviously, problems could arise due to a change of administration in the intervening years. But once the sites are chosen, these projects are likely to find defenders in Congress that will make shutting them down more difficult.
Once constructed, the biggest challenge will be the plant operations. Carbon capture makes far more climate sense if it's coupled with renewable energy, but the DOE doesn't appear to have that as a consideration when evaluating these proposals. And the economics of direct air capture remains problematic. Various combinations of carbon taxes, materials produced by chemical reactions involving CO2, and a desire for high-quality carbon offsets could all help tilt the balance toward profitability. But so far, none of these has emerged on a large enough scale to fund multiple high-capacity projects like these.