Random Thoughts – Randocity!

New Music Monday: Makeba by Jain

Posted in music, music video by commorancy on August 21, 2023

While the Makeba song is already several years old (released in 2015 on Jain’s debut album, Zanaka), it is receiving a lot of recent air play thanks to TikTok. Here’s a session of Jain performing Makeba live using a very creative sampling device. Watch her create the samples from her instant live vocals and then reuse them to create this song.

Jain (Jeanne Louise Galice) is a French singer who came to prominence in 2015 via her debut album, Zanaka. Since then, she has released two additional full length studio albums, Souldier (2018) and The Fool (2023). Let’s take a dive back in time to relive the dance favorite Makeba, but also make it new again.

Fantastic!



The design failure of SE Linux?

Posted in botch, data security, software by commorancy on August 20, 2023

[Image: numerous padlocks on a metal bridge railing]

Buckle up, folks. Let’s embark on a wild and whimsical journey into the quirky world of SE Linux. Oh yes, we’re diving deep into the mysterious realm of this oh-so-important “security” thingamajig, which may sound a bit dull, but trust us, it’s secretly fascinating. Grab your virtual popcorn and Starbucks, sit back, and let’s unravel this enigmatic Linux subsystem together! Let’s explore.

What is SE Linux?

SE Linux stands for Security Enhanced Linux (SEL); a catch phrase more or less. Developers love giving their add-ons names like SE Linux. In reality, what does SE Linux actually do? The name doesn’t really say. It does say it has something to do with security, but short of digging deep into documentation, you really have no idea what SE Linux really is.

Let me start by saying that SE Linux makes Linux incompatible with standard written applications. Why? Security Enhanced Linux attempts to lock down the internals of Linux, but it does so in a way that breaks nearly every single regular application ever written. In essence, enabling SE Linux is sure to break all of your third party apps.

Why does SE Linux break the apps? Because SE Linux is given complete control to restrict access of components down to the function() call level and down to a content serving level. What that means is that a function call like execve() could receive “access denied” if a program were to attempt to use it with SE Linux enabled… yes, even if the program is operating as “root” user. Even serving up HTTP content over a path that shouldn’t have HTTP content could be denied.

Because the “root” user has always had unbridled access to EVERYTHING in an operating system, allowing SE Linux to constrain the “root” user’s access to no more than a regular user automatically breaks the idea of what Linux is.

SE Linux Modes

Before getting too deep into the weeds, someone is likely to point out that there are two modes to SE Linux when operating: 1) Permissive and 2) Enforcing. Unfortunately, the “Permissive” mode isn’t as permissive as one would hope and it’s a more-or-less useless operating mode intended strictly for testing purposes. Even enabling “Permissive” can still break applications simply because “Permissive” isn’t exactly the same as having SE Linux disabled entirely.

When SE Linux is entirely disabled, this is (and was) the natural state of Linux (and UNIX) since the day UNIX was first introduced. The problem is, SE Linux was designed by the NSA (National Security Agency) as patches to Linux and, more specifically, to Linux’s kernel. The NSA isn’t really a software developer. As such, this agency has shoe-horned into Linux a system that not only fundamentally breaks UNIX, it fundamentally changes Linux and UNIX into something other than UNIX.

UNIX was founded on the principle that it should work in a very specific way, a way that enhances computing. Unfortunately, SE Linux has shoehorned its way into the operating system as a watchdog system whose sole purpose is to get in the way of computing; to be that crossing guard who throws up a STOP sign and prevents you from crossing… even if you’re a firetruck on the way to a fire.

Linux Security

Linux has always been a relatively secure operating system, so long as you maintain good password quality, close down unnecessary and unneeded services, regularly maintain security patches and utilize best practices when installing new software. Combining all of these proactive management best practices with a solid firewall, it’s relatively unheard of for a Linux system to be broken into, let alone exploited with malicious code. Nearly all deployed malicious code found on Linux servers is due to hackers having gained root access to the server and then manually having installed it.

Yet, the NSA felt that it was necessary to effectively break Linux to introduce a “new” watchdog system that watches every system call being used on the operating system. More than just watching it, it must interfere with some of these calls, preventing them from occurring.

This doesn’t just break Linux, it guts Linux into oblivion. It’s no wonder then why the vast majority of sites (and managers) running Linux, disable SE Linux as first thing before deploying a new server. Who wants to have to deal with broken software?

Third Party Software

You would think third party software manufacturers would have embraced SE Linux due to its alleged extra security. Instead, you’d have thought wrong. Most manufacturers still don’t embrace SE Linux due to its hodge-podge nature. It doesn’t help that most systems administrators and systems managers also don’t understand SE Linux or its internals… but that’s not the real problem.

The real problem is the developers. Developers build their software on laptops and other convenient computers running Linux, but they disable SE Linux so that it doesn’t get in their way when writing code. Writing and testing code is difficult enough without having to debug SE Linux when code failures begin. By disabling SE Linux, developers take that annoyance out of the equation. Rightly so. Why have a subsystem enabled whose sole purpose is to get in your way?

The problem is, without developing code WITH SE Linux running, that throws the problem onto the systems administrators and/or systems engineers to solve after-the-fact. The developer is all, “Here you go” (handing the system engineer the finished software), leaving the systems engineer the problem of attempting to get the software working with SE Linux enabled. Most times, that ask is impossible. A systems engineer doesn’t have access to the source code. So, they can’t guide the developer to rewrite or redo portions of the code to make it compatible with SE Linux.

What that ultimately means is that SE Linux gets disabled on production servers simply to deploy that developer’s code. Without every developer both enabling and understanding SE Linux on their development servers and, most importantly, using it during software development, there is no way a systems administrator or systems engineer can make it work with SE Linux after-the-fact. Software is either designed to work properly within the constraints of SE Linux or it is not.

This is the fundamental problem with the compatibility level of SE Linux. This is also a primary design failure of SE Linux by the NSA, that and SEL’s failure to actually secure the server. In other words, new subsystems must remain fully backward compatible to what has come before. If it can’t remain backwards compatible, then it ultimately won’t be used… and that’s actually where we are.

DOD and SE Linux

To be certified by the Department of Defense (DOD) per Security Technical Implementation Guide (STIG) compliance, a UNIX system must enable SE Linux as ‘Enforcing’ (the strongest level offered). For those companies who wish to do business with the government, or more specifically with the Department of Defense, STIG compliance is a must. By extension, STIG compliance does mean enabling SE Linux (in among a whole slew of additional DOD security requirements).

Businesses must then make a choice. Seek to do business with the US Government or not. If you’re running Linux operating systems as part of whatever service you intend to offer to the US Government, you must comply with the requirements defined in the Defense Information Systems Agency’s (DISA’s) STIGs (which, as stated above, includes enabling SE Linux… and all that falls out of that).

Are there ways around SE Linux’s Incompatibility?

Yes, but it’s not always easy or fast. Heads up. This is the dull part. So as not to dive too deep into the sysadmin weeds as to why, here’s a comprehensive RedHat guide of SE Linux’s incompatibility (and how to get around it all). However, we will still need to dive deep enough to get this article’s point across.

For example, take an HTTP configuration customized as follows (a normal thing to do for Apache HTTP). With SE Linux enabled, this customization yields the following problems:

The http package is installed and the Apache HTTP server is configured to 
listen on TCP port 3131 and to use the /var/test_www/ directory instead of 
the default /var/www directory or the default port of 80.

# systemctl start httpd
# systemctl status httpd
...
httpd[14523]: (13)Permission denied: AH00072: make_sock: could not bind 
to address [::]:3131
...
systemd[1]: Failed to start The Apache HTTP Server.

With SE Linux disabled on a Linux system, Apache’s HTTP server would happily start up just fine. With SE Linux enabled and set to ‘Enforcing’, starting httpd with the above modified config, you’ll see “Permission Denied” at the point when httpd attempts to bind to port 3131.

It gets worse. To modify SE Linux to allow httpd to listen on port 3131, you have to execute the following SE Linux permission modification command:

semanage port -a -t http_port_t -p tcp 3131

That’s just the beginning. Even after executing this semanage command… then restarting HTTP, the change in directory yields the following error when attempting to retrieve content:

# wget localhost:3131/index.html
...
HTTP request sent, awaiting response... 403 Forbidden

Why 403 Forbidden? Well duh…

# sealert -l "*"
...
SELinux is preventing httpd from getattr access on the 
file /var/test_www/html/index.html.
...

SE Linux has prevented access to the getattr() function for /var/test_www/html/index.html. This again requires manually reconfiguring SE Linux to allow this new directory location for httpd. Though, we must understand why SE Linux doesn’t like this path and file.

# matchpathcon /var/www/html /var/test_www/html
/var/www/html       system_u:object_r:httpd_sys_content_t:s0
/var/test_www/html  system_u:object_r:var_t:s0

The SE Linux command matchpathcon (so intuitively named here) determines that the content type used in /var/www/html (the standard default location) isn’t the same as what’s defined for /var/test_www/html. Thus, SE Linux won’t allow HTML content to be served from that customized directory when HTML content is not defined. Can we say, “minutiae?” I knew that you could.

That means redefining the content type for /var/test_www/html to allow serving httpd_sys_content_t type. To do that, a system admin would need to execute the following:

# semanage fcontext -a -e /var/www /var/test_www

BUT, that command executed just above doesn’t actually do it recursively for all files and dirs within /var/test_www. Oh, no no no. Now you have to run yet another command to force recursion to set all sub-directories and files to allow for httpd_sys_content_t type of data. You do that with…

# restorecon -Rv /var/
...
Relabeled /var/test_www/html from unconfined_u:object_r:var_t:s0 to
unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /var/test_www/html/index.html from unconfined_u:object_r:var_t:s0 to
unconfined_u:object_r:httpd_sys_content_t:s0

A systems administrator can spend all of the above time to do all of this additional reconfiguration work each and every time a new web directory is needed…. OR, a systems administrator can disable SE Linux and avoid all of this work.
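The sealert, matchpathcon, semanage and restorecon sequence above can also be driven from the raw AVC records SE Linux writes to /var/log/audit/audit.log. The following Python script is an added example and is not code from this article or from the SELinux project. It parses constructed sample denials for the two failures walked through above (httpd binding to port 3131, and httpd reading a file still labelled var_t), works out whether a port label or a file-context label is the mismatch, and prints the matching semanage/restorecon commands. It also shows the one difference the Modes section mentions: a record with permissive=1 is logged but nothing was actually blocked. The domain-to-label tables and the choice to relabel the denied file’s own directory are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Triage SELinux AVC denials from audit.log and propose the label fix.

Added example, not the article's own code. It mirrors in code the reasoning
the article does by hand: read the denial, compare the source domain's
expected label with the target's actual label, and emit the relabel command.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample audit.log lines (not captured from a real host). Lines 1 and 2
# reproduce the article's port-bind and file-label failures; line 3 is the same
# file denial recorded under Permissive mode; line 4 is a non-AVC record to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1692547200.101:201): avc:  denied  { name_bind } for  pid=14523 comm="httpd" src=3131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1692547260.202:202): avc:  denied  { getattr } for  pid=14530 comm="httpd" path="/var/test_www/html/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1692547320.303:203): avc:  denied  { read } for  pid=14530 comm="httpd" path="/var/test_www/html/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1692547320.303:203): arch=c000003e syscall=257 success=no exit=-13
"""

# Assumed: which labels a confined domain's policy expects. Real policies define
# many more; this table covers only the httpd case from the article.
PORT_TYPE_FOR_DOMAIN: Dict[str, str] = {"httpd_t": "http_port_t"}
CONTENT_TYPE_FOR_DOMAIN: Dict[str, str] = {"httpd_t": "httpd_sys_content_t"}

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


@dataclass
class Denial:
    perms: List[str]
    comm: str
    source_type: str            # type field of scontext, e.g. httpd_t
    target_type: str            # type field of tcontext, e.g. var_t
    tclass: str
    enforced: bool              # False when permissive=1 (logged, not blocked)
    path: Optional[str] = None
    port: Optional[int] = None
    fixes: List[str] = field(default_factory=list)


def _type_of(context: str) -> str:
    # A context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]


def parse_denial(line: str) -> Optional[Denial]:
    """Parse one audit.log line; return None for anything that is not an AVC denial."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=m.group("perms").split(),
        comm=f.get("comm", "?"),
        source_type=_type_of(f["scontext"]),
        target_type=_type_of(f["tcontext"]),
        tclass=f["tclass"],
        enforced=f.get("permissive", "0") == "0",
        path=f.get("path"),
        port=int(f["src"]) if f.get("src", "").isdigit() else None,
    )


def suggest_fix(d: Denial) -> Denial:
    """Attach the semanage/restorecon commands that would resolve a label mismatch."""
    if d.tclass in ("tcp_socket", "udp_socket") and "name_bind" in d.perms and d.port is not None:
        wanted = PORT_TYPE_FOR_DOMAIN.get(d.source_type)
        if wanted and d.target_type != wanted:
            proto = "tcp" if d.tclass == "tcp_socket" else "udp"
            d.fixes.append(f"semanage port -a -t {wanted} -p {proto} {d.port}")
    elif d.tclass in ("file", "dir", "lnk_file") and d.path:
        wanted = CONTENT_TYPE_FOR_DOMAIN.get(d.source_type)
        if wanted and d.target_type != wanted:
            # Assumed: relabel the denied file's directory; widen by hand if a whole tree moved.
            top = os.path.dirname(d.path)
            d.fixes.append(f'semanage fcontext -a -t {wanted} "{top}(/.*)?"')
            d.fixes.append(f"restorecon -Rv {top}")
    if not d.fixes:
        d.fixes.append("no label rule known for this domain; review with: sealert -l '*'")
    return d


def triage(log_text: str) -> List[Denial]:
    """Parse every AVC denial in the log text and attach a suggested fix to each."""
    return [suggest_fix(d) for d in map(parse_denial, log_text.splitlines()) if d]


def report(denials: List[Denial]) -> str:
    lines = []
    for d in denials:
        mode = "BLOCKED" if d.enforced else "permissive: logged only, would be blocked under Enforcing"
        lines.append(f"{d.comm} ({d.source_type}) denied {{ {' '.join(d.perms)} }} "
                     f"on {d.tclass} labelled {d.target_type} [{mode}]")
        lines.extend("    " + fix for fix in d.fixes)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_AUDIT_LOG)))
```

Point it at a real audit.log by replacing SAMPLE_AUDIT_LOG with the file contents; the script only reads and prints, so it is safe to run before deciding whether any relabel is appropriate.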

Janitorial Work

Even if you don’t understand a word of what was said just above, it’s easy to see that it’s an absolute mess. Not only does SE Linux require a systems administrator to configure all of this extra junk, it requires a systems administrator to understand all of the above NEW commands needed to manage SE Linux AND have a firm grasp of all of these commands’ nuances and quirks. Even missing one tiny thing can cause the whole application to break or fail to work in unexplained ways.

For example, the 403 Forbidden error could have led an inexperienced systems admin down a rabbit hole simply because they don’t know that SE Linux is enabled as ‘Enforcing’. Such inexperience might not allow putting two-and-two together to understand that SE Linux is actually the culprit.

It’s easy to see why many, many businesses running Linux make it a policy to instantly disable SE Linux. If your company is not doing business with the government, there’s no need to make your systems administrators do all of this extra work when they could be performing other more critical tasks.

On the flip side, if your business is currently negotiating with the DOD for a contract, then you better get your systems administrators trained up quick on SE Linux. More than this, you better run an audit to determine which software your business uses to determine if this software is easily made compatible with SE Linux. Hint: it probably isn’t easy.

DOD Exceptions?

Does the DOD allow for exceptions? Yes, but limited and likely only for a limited time. Meaning, if you can’t enable SE Linux right away due to software limitations, you’ll need to document exactly why. Even then, your team better have a plan to get SE Linux implemented soon or else your contract might dry up. It only takes another vendor to step up that IS fully compliant with DISA STIGS for your company to lose its contract.

Does SE Linux improve security?

This is actually a very good question. The short answer is, no. SE Linux requires a system administrator to drastically increase workload to manage application permissions. However, SE Linux also forces an administrator to explicitly define permissions for each application down to incredible minutiae. Once that long-tailed convoluted configuration is complete, the application then works again like it always has (i.e., without SE Linux).

Here’s the key! Because most exploits rely on standard app functionality to work, SE Linux would happily allow an exploit to occur simply via performing that application’s normal functions. The only exception would be if the systems administrator explicitly disallowed use of specific system function calls. However, if an application uses that function call even once during normal operation, having the system administrator disallow that call could cause the application to fail in very unexpected ways, possibly even leading to an OS cascade failure / core dump.

Further, SE Linux is effectively an enhanced permissions system, but it does nothing to watchdog an application’s behaviors to ensure that the application itself is functioning correctly or normally.

What this further means is that a system administrator would need to become a software developer to read through and understand the entire application’s source code to know when or if an application uses a specific function call that the administrator wishes to deny. While many systems administrators can be programmers, not all of them are. More than this, many systems administrators who can code are barely more than novices. Were a systems administrator actually a software developer in disguise, then why would they remain a systems administrator by trade? Thus, most systems administrators know enough to read some code (i.e., novice), but not enough to actually write complex code.

Let’s take this one step further. Putting a system administrator in the position of unilaterally denying access to specific function calls is not what systems administrators are tasked to do. That’s defining policy. That’s not an SA’s job. Expecting an SA to take on this type of job turns an SA into a security manager or policy manager, not a systems administrator. Systems administration is exactly how those two words sound: administration of systems. Meaning, management of systems, making sure those systems operate fine, occasionally install software and/or operating systems, manage configurations of systems and debug it all when it doesn’t work correctly. Systems administrators are even tasked with winding down old hardware and systems to dispose of them.

Systems administrators don’t make policy, but will enforce policy as defined by managers… so long as that policy makes sense and doesn’t interfere with the operation of the network, server or application. However, not all systems administrators are knowledgeable enough to foresee if any specific policy change might end in bad results.

Policy Implementation

Here’s a situation that can get systems administrators into hot water easily. Managers all congregate and decide to implement a new policy that execve() cannot be called from within any application. The policy is handed to a systems administrator to implement. The SA is relatively new and doesn’t understand either the systems fully or the software operating on those systems. The SA does understand SE Linux enough to implement the change as requested and, thus, does so.

Within an hour (or less), the company’s primary paid application is down, the servers are behaving erratically, memory is spiking and the systems are actually crashing and rebooting. Effectively, the business’s servers are down.

Here’s a situation where the company’s executives made an unwise and untested decision and forced implementation down onto a person with very little experience. The person happily obliged thinking the managers already knew it would work. Why would these managers expect a new SA to jump through many hoops testing all of this? The SA would assume that if the request landed on his/her desk, it must already be tested.

Yet, it wasn’t. Here’s the rub. Because the SA did the actual work to implement the change to the systems, the SA will be held responsible for the outage (possibly up to and including termination). Ideas from managers never get blamed. The people who get blamed are the systems administrators who “should have known better” and, specifically, the person who actually “pulled the trigger” by performing the configuration change.

Enabling SE Linux as ‘Enforcing’ is the same situation. If you ask your SA team to implement this change without performing any testing, then expect your business to go down. Almost no applications are properly configured to handle SE Linux set to ‘Enforcing’ prior to enabling it.

Heading down the SE Linux Road

If a company wishes to implement SE Linux as ‘Enforcing’, then you best test, test, test and then test some more. You can’t just turn SEL on like a light and expect it all to work just as it had. Making this decision means testing. More than this, it means ensuring all systems administrators are not only familiar with SE Linux itself (and its commands), but also are familiar with all applications installed and running on the company’s servers.

Once SEL is enabled, the applications are likely to begin failing unless the systems administrators have already configured those specific applications under SEL before.

What have we learned?

Let’s explore all that we’ve learned about SE Linux.

  1. SE Linux is a deep dive permissions system add-on for Linux. It primarily enhances security through obscurity. We already know that security through obscurity doesn’t work.
  2. SE Linux is fraught with peril. Unless systems administrators are properly trained to both understand SEL and how to configure apps under SEL, enabling SEL can lead to problems.
  3. SE Linux doesn’t improve security because once apps are configured under SEL, they are just as vulnerable to being exploited as if SEL were not enabled.
  4. SE Linux increases workload for systems administrators because not only do they need to do their normal Linux administration jobs, they must also deep dive into SE Linux a lot to make sure it is and remains correctly configured and functional.
  5. SE Linux is an overall hassle to manage.
  6. SE Linux is not required unless you’re attempting to win a contract with the United States Department of Defense.

Overall, the design behind SE Linux seemed to have noble intentions. Unfortunately, SE Linux is actually much the same as requiring someone to spend time hanging padlocks off of a chain-link fence as illustrated in this article’s opening. Unfortunately, those padlocks don’t serve to protect that fence. The fence is still doing all of the protection work.

However, these padlocks symbolize the exact way that SE Linux attempts to protect an operating system. The operating system is the chain link fence… and the OS does all of the protection. The padlocks (SEL) only serve to clutter up that fence, but don’t actually do much of anything to improve security.


Analysis: Jack Smith’s 2020 Election Indictment

Posted in botch, legal, presidential administration by commorancy on August 4, 2023

Let me start this article out by saying that I am not a Republican, nor do I much like Donald Trump either as a politician or as a person. He’s a vile, pathological lying, bigoted and overall crass person. The man literally has almost no redeeming values. With that said, I also don’t like when even the vilest of persons, like Donald Trump, isn’t getting a fair shake. Let’s explore.

Jack Smith’s 2020 Election Indictment

I recently published a news article discussing this very indictment. I’ve withheld making any comments over this indictment solely because that information was newsworthy. Meaning, passing along this information timely to Randocity’s readers was important. Yes, it is important. However, there are some problems with this indictment that few news channels are discussing. The first and biggest problem is…

Presidential Immunity

Many of the statements included in Jack Smith’s indictment were made while then President Trump was still a sitting President. He made the statements while officially holding the office of President of the United States.

The President of the United States is entitled to Absolute Presidential Immunity, shielding the President from lawsuits while performing business as President. However, some in the judicial system believe that Presidential Immunity is not absolute, meaning that criminal conduct performed by the President (outside of Presidential job responsibilities) may not be immune from prosecution.

I’m not convinced that that’s the correct course for the United States. While I don’t want rogue Presidents performing illegal criminal actions, I also don’t want the DOJ able to apply spurious lawsuits on either a sitting President or, more importantly, a former President after-the-fact.

The question remains, were the statements that President Trump made regarding January 6th and those involving the placement of fake electors considered within the job role of President? While I would love to say, “No”, I am not in a position to make that judgement. Only a court can. That means it’s the responsibility of Jack Smith to have a court determine if Trump’s statements are admissible towards the case he is bringing. Meaning, many of the statements made by Trump included in Jack Smith’s indictment were made while Donald Trump was still President.

The question is then whether the statements are protected by Presidential Immunity. Jack Smith would need to first establish if any or all of Trump’s statements can be admitted as evidence or if they must be excluded as part of Presidential Immunity that Trump held at the time.

“At the time”

Here’s another problem that is born out of the above. Presidential Immunity is clearly active while a person is actively holding office as President of the United States. Once a person leaves office and becomes a former President, all of the acts performed AS PRESIDENT should still remain protected under Presidential Immunity. If not, it means that as a former President, all actions made by a then President can, at the time they become an ex-President, become fodder for criminal litigation.

If America starts trying and convicting each and every President as soon as they leave office, where are we as nation? More than this, does Presidential Immunity really exist? No. Actions performed by a President during his or her tenure in office must remain sacrosanct even after leaving office. Those actions were performed while faithfully executing the duties as President. Even when the person leaves office and becomes an ex-President, those Presidential years remain a sacrosanct bubble protected by Presidential Immunity in perpetuity. That means that an ex-President cannot be tried for actions performed WHILE President after becoming an ex-President.

This should go without saying. If America allows the justice system to begin prosecuting every former President for actions performed while in office, who would ever want to become President?

However, any person who is not President CAN be tried and convicted for actions performed while NOT President, either before being elected or after becoming an ex-President.

Jack Smith is Barking up the Wrong Tree

There were many ways a lawsuit could manifest against Donald Trump involving January 6th, such as involving Treason and Sedition, neither of which are named in Jack’s current lawsuit as charges. Both Treason and Sedition are high enough and serious enough crimes that these charges would easily negate Presidential Immunity by a landslide. After all, no President should need to ever perform Sedition or Treason in the execution of Presidential duties and responsibilities.

On the other hand, the four counts levied by Jack Smith are as follows:

  1. 18 U.S.C. § 371 — Conspiracy to Defraud the United States
  2. 18 U.S.C. § 1512(k) — Conspiracy to Obstruct an Official Proceeding
  3. 18 U.S.C. §§ 1512(c)(2), 2 — Obstruction of and Attempt to Obstruct an Official Proceeding
  4. 18 U.S.C. § 241 — Conspiracy against Rights

These obstruction and plain-old conspiracy charges don’t instantly negate Presidential Immunity. In fact, these charges are a bit open for being contested. These above crimes are not necessarily serious enough to warrant dropping Presidential Immunity over them and can also be interpreted in ways that make the prosecutor appear prejudicial (i.e., biased) towards the defendant.

Thus, the indictment Jack Smith has brought is fraught with problems, specifically around statements and actions made and also the specific charges being levied, all while Donald Trump still actively held Presidential Immunity.

Unnamed co-conspirators hold no such immunity from prosecution. These people should be brought up on charges for the actions they performed and statements they made around the 2020 Election, including newscasters and congressional members. However, Donald Trump’s statements and actions shouldn’t be used to prosecute Donald Trump while Trump still held Presidential Immunity, at least not until Jack Smith has a court determine which statements (and actions) ARE and ARE NOT protected by that Immunity. Until the Presidential Immunity issue is resolved, Jack Smith is barking up the wrong prosecutorial tree.

In fact, Jack’s whole indictment now actually does look like a witch hunt as Donald Trump suggests. Without first resolving whether Trump’s statements were protected by Presidential Immunity, transcribing those statements into an indictment is extremely risky and premature AND makes Jack Smith look like he’s rushing to get this lawsuit done, but quite improperly and with prejudice.

A prosecutor can’t simply dismiss steps because they’re inconvenient or slow the process. Unfortunately, making missteps like this only serves to weaken Jack’s case against Donald Trump, probably giving Trump the opportunity to have the entire case dismissed based on prejudicial treatment.

Instead, I would have preferred if Jack Smith had had a court first determine whether the statements transcribed are or are not, in fact, protected by Presidential Immunity. Let’s resolve this issue first. If some or all statements are protected by Presidential Immunity, then the statements cannot be held as evidence against Donald Trump or against Donald Trump’s alleged actions for the charges being levied.

Better, revise the charges to include Sedition and Treason so that there is no question as to whether Presidential Immunity is involved.


News: Donald Trump Indicted over 2020 Election

Posted in breaking news by commorancy on August 1, 2023

Donald J. Trump is, once again, criminally indicted on 4 counts for his participation involving the 2020 election and in attempting to overturn the peaceful transition of power. Jack Smith says everything he needs to say about Mr. Trump’s indictment. Let’s listen.



Below is the full text of the Department of Justice’s most recent indictment. If your device is unable to read the embedded PDF inline, please click the link to download and read it separately.



Is Canola Oil Safe?

Posted in food, Health by commorancy on August 1, 2023

This question has been asked many times and in this article, we’ll seek to discover the unique qualities of this oil; an oil which is now quite frequently used in cooking and prepackaged products. We’ll also examine if this oil has any potentially unsafe aspects. Let’s explore.

Rapeseed Oil vs Canola Oil

Both Rapeseed and Canola Oils are derived from the same flowering plant; the Rapeseed plant. It is a yellow flowering plant that became commonly planted in Canada, where Canola oil was discovered. Hence, the contraction of the two smaller wordlets “Can” for Canada and “ola” for oil.

From Wikipedia:

Rapeseed, also known as rapeseed oil, is a bright-yellow flowering member of the family Brassicaceae, cultivated mainly for its oil-rich seed, which naturally contains appreciable amounts of erucic acid.

Source: Wikipedia

“What exactly is erucic acid”, you ask? Good question. According to Wikipedia, “Erucic acid is a monounsaturated omega-9 fatty acid.”

Among scholars and researchers, the debate rages whether erucic acid is toxic to humans. According to the FDA, the amounts of erucic acid in Canola oil have been sufficiently reduced to be labeled as GRAS (generally recognized as safe). Does that mean erucic acid is safe for human consumption? As stated above, the debate still rages.

For example, from Wikipedia’s erucic acid page:

Studies done on laboratory animals in the early 1970s show that erucic acid appears to have toxic effects on the heart at high enough doses. However, more recent research has cast doubt on the relevance of rat studies to the human health of erucic acid. Rats are unusual in their inability to process erucic acid, and the symptoms in rats caused by a diet with high levels of erucic acid have not been observed in pigs, primates, or any other animals. An association between the consumption of rapeseed oil and increased myocardial lipidosis, or heart disease, has not been established for humans. While there are reports of toxicity from long-term use of Lorenzo’s oil (which contains erucic acid and other ingredients), there are no reports of harm to people from dietary consumption of erucic acid.

Breaking the above down, there have apparently been multiple studies going as far back as the 1970s. However, apparently more recent studies have concluded that erucic acid may or may not be toxic to humans in the same way it has been shown to be toxic in rats. This is allegedly supported by the fact that pigs, primates and “any other animals” (left undefined in this Wikipedia article [and study?]) have not been associated with the same effects as those observed in rats.

Clinical Studies

The above clearly opens more cans of worms than it closes. Studies that conflict with one another generally mean something is up with one or more of them. What this usually means is that the test conditions were not the same and/or the testing protocol was substantially altered between one study and the next. Studies, like many things in life, are designed, carried out and, most importantly, paid for by humans with an agenda.

Many of these erucic acid studies are actually produced by money-making food producers with a vested interest in ensuring their products remain viable, saleable commodities in the marketplace. How that typically manifests in clinical studies is by performing clinical tests with extremely narrow constraints so as to eliminate potential conflicting data from surfacing during the testing protocol.

Specifically, newer studies have learned from the older, broader ones, and then typically exclude from their protocols the very factors that produced negative outcomes. In other words, it’s not what they tell you about their conclusions, it’s what they leave out about how the test was run. Excluding negative outcomes from the testing method only serves to mislead the public.

This hiding of information is tantamount to lying. Testing methods shouldn’t be so narrowly focused that they lead consumers (and researchers) to the wrong conclusions about the results. Yet, that’s the state of clinical testing today. It’s not about performing clinical tests that produce broad results, but about producing clinical tests that produce very specific, very narrow, but very beneficial results for the party paying for them. In other words, the buyer of the clinical test can game the results in their favor.

Levels of Erucic Acid in Rapeseed vs Canola Oil

In life, all things in moderation. Generally, most consumables don’t kill you… at least not instantly. For example, minuscule amounts of lead and arsenic exist in our food supply. These very tiny amounts aren’t acutely toxic to humans, which is why the FDA can still treat such foods as safe. The same likely holds true for erucic acid. In large quantities, erucic acid likely does become toxic to humans, in the same way that ingesting large quantities of arsenic or lead does.

Traditional rapeseed oil contains between 20% and 54% erucic acid. This means that crushing the seeds and pressing the oil directly from an unmodified rapeseed plant will produce an oil in roughly that 20% to 54% range.

Newer studies attempt to refute the earlier 1970s studies, which generally concluded, by extrapolating from rat testing, that the levels of erucic acid in rapeseed oil were toxic to humans. The newer studies apparently hold that erucic acid at the percentages found in rapeseed oil is not toxic to humans, because it was not found to be toxic to pigs, primates or “other animals” (whatever those are), even though rats exhibit a different and apparently more toxic outcome.

Let me just say that erucic acid is a fatty acid, and like any dietary fat, large quantities of it are generally not great for the human body. If you want to know erucic acid’s chemical formula or other sciency details, feel free to head on over to Wikipedia to check it out.

The Business of Science

Consumer products are a business; a very lucrative business, to be specific. When that business falls into consumables such as foods, supplements and drugs, the United States government gets involved. Such oversight includes agencies like the FDA (Food and Drug Administration), the USDA (United States Department of Agriculture) and even the CDC (Centers for Disease Control and Prevention). Each of these agencies defines protocols for how businesses may operate safely with regard to human consumables within the United States.

The FDA, for example, defines specific requirements for food and drug producers introducing new products to market. Many of these requirements include clinical testing and clinical trials. These clinical studies are meant to determine the potential ill effects, as well as the benefits, of consuming a food or drug. The requirement for clinical studies opens up a new business: the business of science.

You might be thinking, “Aren’t such narrow studies, which choose to hide important details, a form of gaming the system?” You’re not wrong. The problem is, as long as a study is performed in a technically complete way using proper scientific methods, the FDA must accept it as a genuine study. The FDA doesn’t determine whether the study was gamed or whether the person(s) paying for the study biased it in a way that misleads the FDA (and ultimately consumers).

It gets worse. If multiple studies are needed and each is gamed in the same way, it becomes even more difficult for the FDA to claim a problem. In other words, the FDA must accept all studies presented as genuine and valid so long as they employ proper protocols, including reaching conclusions… even when those conclusions are intended to mislead or are, indeed, invalid.

Yes, the FDA’s system can be and has been gamed. We’ll need to understand how and why it happens. When millions, if not potentially billions, of dollars are on the line, gaming the science is the least of a business’s worries. In other words, if a business doesn’t choose to game the science, its product might never be sold.

I can hear all of those who work in the scientific testing professions groaning now over the “conspiracy theories” in these statements. To those people I say, look around more closely. Are you really that naïve and idealistic? While there are some businesses that actually intend to hold onto business ethics, there are many that absolutely do not and will not. Even for those (plausibly deniable?) naïve CEOs of businesses that claim they are ethical, it only takes one bad actor in the management ranks to ruin all of that. Anyone who truly believes a CEO’s purported “rogue manager theory”, that one manager did all the scummy business work alone, is deluded. The orders for this kind of bad business come from the top, but this scheme is simply a way to afford the CEO plausible deniability. Swallowing this plausible deniability junk from a CEO is stupid, actually. Who truly believes that any CEO doesn’t know exactly what their underlings are doing? If he or she doesn’t, then he or she shouldn’t be and isn’t a CEO.

Unfortunately, as businesses (or, more specifically, CEOs) put more pressure on managers to produce, managers find ways to cut corners to get things done quicker. That can mean gaming systems to get past certain hurdles and complete processes faster and, more importantly, successfully. Thus, business ethics are entirely at the whim of various managers within an organization. If the pressures of getting something done fast and successfully outweigh the ethics of the actual situation, then out the window go ethics. No employee wants to be the one to put their job on the line because they were the person who upheld business ethics by choosing to do something the ‘right way’. When such an employee is slow in producing results, a CEO hears all about it.

In the science world, that likely means gaming a study (or set of studies) to get it done faster and with the intended results. Instead of studying all aspects of a specific food product’s features and safety, the science might be geared to look at only a very tiny part of it. From here, it gets worse. Because study producers are PAID by businesses holding a conflict of interest, studies are rarely likely to be free of tampering and bias in the client’s favor. What service organization taking money for services rendered intentionally chooses to upset the buyer? That’s not good for a business’s reputation. This is the business of “buying” science.

Theranos as an Example

While Theranos’s tiny blood vial testing idea might seem like an outlier for medical business ethics, the reality is that Theranos simply got caught at it. Many other unethical businesses never get caught, primarily because they pay politicians (to hide their tracks well) to keep from getting caught. Theranos’s execs simply failed to understand the game they were playing; a game that led to their demise.

The one place where Theranos’s executives were cleared was on the charges involving the patients whose lives were put at risk by Theranos’s unethical and unsafe testing practices. The jury said no on those charges, but instead caught Theranos’s executives in a web of fraud against investors. Oh no, mustn’t hold Theranos accountable for patient safety, but by all means let’s pay the investors back. America’s priorities are entirely screwed up. Again, money.

Money vs Safety

And that’s exactly where we are today. The food and drug area of business in the United States is all about making money at the expense of human safety. That’s clear. Watch any of the TV advertisements for any drug. You’ll notice that somewhere in the middle of the advertisement, the announcer lists off a litany of dangerous side effects, some of which include death.

The same goes for foods and supplements. Because the supplement industry is largely unregulated, with no efficacy or safety studies required before a product goes on sale, anything can be placed into these supplements. Yet more and more so-called MD doctors are advocating and even advertising such supplements. Again, money.

As for foodstuffs, they fall into the same pitfalls as drugs, but it all unfolds in a different way. For example, if a food contains only sugar alcohols, it can be claimed to be sugar free. That sugar free label is the way the game is played. Even though a sugar alcohol is still a type of sugar and is treated by the body much as sugar is, because the product does not specifically contain sucrose, the product, according to the FDA, can be labeled as sugar free. The FDA essentially doesn’t class sugar alcohols as “sugar”. THIS RIGHT HERE is the game.

Because the FDA allows for and endorses such labeling, food producers can play games with their ingredient labels, placing deceptive claims that make their foods appear healthier than they actually are.

There are many, many such labeling games available to food producers. Some of them make it seem like the food product is “organic” or “sugar free” or “healthy”, when in fact the product is none of those things, and may be quite the opposite.

Why does this game exist? Again, money. Food producers stand to lose millions, if not billions, if these ambiguous labels had to become honest instead of snake oil. If the government were truly looking out for the public’s safety, these labeling ambiguities wouldn’t exist for manufacturers to play against consumers. Yet, they do exist… and here we are.

Is Canola Oil Safe?

The studies conflict. Some conclude that one of Canola oil’s components, erucic acid, isn’t safe for human consumption. Others claim that because negative reactions have occurred only in rats and not in pigs, primates and “other animals”, erucic acid should be safe for human consumption.

Of course, that conclusion is a leap. If only limited human testing has been performed, then the studies are all best guesses. Humans are not pigs, not apes, not “other animals” and definitely not rats. Animal studies may suggest that a causal link exists, but there’s no definitive way to know until adequate testing has been conducted on humans.

Testing has, in a sense, been conducted on humans, just not in a study. Because the FDA has granted GRAS status to Canola oil based on these conflicting studies, we consumers of this oil are now the live, real-world rats. Unfortunately, because we’re consuming Canola oil without proper or adequate human studies, there’s no way to know how much erucic acid, if any, is safe for human consumption. Again, the previous animal studies only suggest that erucic acid MAY be safe for humans… potentially based on false logic.

For more answers on this topic, we’ll need to reach out to our friends in Australia to read a monograph on this subject:

Rats were fed rapeseed oils at up to 70% of the calorie content of their diet. The rats were reported to have developed myocarditis.

[…]

It has been suggested that the rat is not an appropriate model for determining whether erucic acid may pose a risk to human health (Corner 1983). A number of reasons have been put forward for this. Firstly, most of the rat studies involve feeding oils at a concentration of around 20% or more by weight in the diet. A level of 20% approximates human lipid consumption. It has been suggested that rats are physiologically incapable of metabolising such concentrations of oil in the diet (Grice and Heggtveit 1983).

But, then the monograph makes this assertion:

The toxicity of erucic acid is virtually always considered in the context of the toxicity of rapeseed and mustard seed oils, which can contain high levels of erucic acid. Most humans would be exposed to erucic acid by the inclusion of these oils in the diet.

What this states is that erucic acid is not a natural component of pretty much any other food in the human diet. Meaning, for most people, consuming rapeseed (Canola) or mustard seed oil is the only way to actually consume erucic acid. But, the monograph also goes on to make this sort-of disclaimer:

This, however, can complicate the interpretation of the study results, making it difficult to ascertain whether the observed effects are directly attributable to erucic acid, or to some other component (or combination of components) in the oil.

What this disclaimer is actually saying, without quite saying it outright, is that because erucic acid is never consumed on its own, but only as one component of a whole oil eaten alongside other foods, there’s no way to know which component caused any issue in any specific human. In other words, there’s no way to nail down that any specific malady is associated with the consumption of erucic acid.

It’s a standard disclaimer argument made by “scientific” people and, more specifically, by businesses when they need to sell their product to consumers. Basically they use weak logic: “Our product is safe because even if you do choose to consume it, there’s no way to ascertain that our product actually caused your malady.” Why is that? Well duh… because it hasn’t been adequately tested on humans using studies as detailed as those applied to rats and other animals.

With that said, of the human testing that has been done, the monograph does state this:

In humans, the digestibility of erucic acid containing oils is 99% (Deuel et al 1949, Vaisey et al 1973). In the adult female rat, however, the digestibility of HEAR oil is only 77% (Deuel et al 1948).

Okay. Human digestion of oil containing erucic acid is 99%, way more than the 77% in rats. That could be an overall bad thing. It means more of the oil is absorbed rather than passed through, so more erucic acid is available for potential damage. BTW, HEAR stands for high erucic acid rapeseed oil. Canola oil is classed as low erucic acid rapeseed, or LEAR, oil.

Canola oil should contain no more than about 2% erucic acid (as a share of its fatty acids), compared to traditional rapeseed oil’s 20% to 54% noted above. Let’s keep going.

The paper goes on to state:

Erucic acid is poorly oxidised by the mitochondrial β–oxidation system (reviewed in Sauer and Kramer 1980).

[…]

In humans, it has been shown that isolated heart mitochondria metabolise erucic acid more slowly than oleic acid (Clouet et al 1974), confirming that rates of erucic acid oxidation are decreased in humans, similar to experimental animals.

[…]

In [the] liver, the presence of erucic acid appears to induce the peroxisomal β-oxidation system (Lazarow 1994).

What this portion is saying is that because erucic acid is poorly oxidised in some human tissues, particularly the heart, it can hang around longer and potentially cause more damage. Oxidation here means the processes that break down and eliminate the compound from the body; according to this monograph, those processes run faster in the liver than in heart tissue.

The paper concludes, after a lot of discussion around rats, pigs and monkey research, which you can read for yourself, with the following statement:

The heart appears to be the principal target organ for toxic effects following short-term exposure to edible oils containing erucic acid. The most common observed effect, among rats, pigs and monkeys, is myocardial lipidosis.

Myocardial lipidosis is a condition where fats accumulate in the heart, reducing the force with which the heart can contract… or, in essence, weakening the heart muscle’s ability to pump blood through the system. Oils containing erucic acid, then, stick around longer in the heart muscle. How long they remain in the heart is a question unanswered by this paper. Some studies do suggest that erucic acid oxidizes over time and eventually works its way back out of the heart. The question is, how long does that take?

Is that weeks? Months? Years? Better testing would need to be done.

Fast and Junk Foods

Easy and quick bagged and boxed meals, such as potato chips or mac-and-cheese, may contain Canola oil. Food manufacturers can and do use Canola oil in producing bagged, frozen and boxed meals and other grocery store foods.

For these types of prepackaged foods, you’ll need to read the label closely. Labels are required to list Canola oil if it is an ingredient. However, because most potato chips today are manufactured with varying oils, including soybean, corn, peanut, palm kernel or canola, you won’t know which oil was used when the bag or box says “vegetable oil (one or more of the following:)”. Because manufacturers leave the door open to using multiple oils, you don’t know whether Canola oil is in the bag.

If you’re buying a bottle labeled as “Vegetable Oil”, you should read the ingredients to find out what it contains. It’s most likely to be soybean oil, but it could be a mix of various oils including corn, soybean and/or canola.

The point is, when you see “vegetable oil” on any package label, you should avoid buying that product if you don’t want to potentially consume Canola oil.

Is Canola Oil Genetically Modified?

One final aspect not yet discussed, besides the potential toxicity of erucic acid, is that Canola also exists as a genetically modified organism (GMO), engineered to be herbicide resistant and pest unfriendly. This allows for bigger crop yields and, of course, more money when sold.

There is also another GMO aspect, used in a limited set of manufacturing cases: a high laurate genetically modified rapeseed variety. The high laurate content gives the oil qualities not unlike cocoa butter, which means this version of Canola oil can be used as a replacement wherever cocoa butter might be used as an ingredient, typically in confectionery. If you’re shopping for candy and the ingredient list shows “Laurical”, the confection contains Canola oil and, by extension, erucic acid.

If you’re concerned over eating GMO based foods and wish to eliminate GMOs from your diet, Canola oil is worth removing for this reason alone, let alone that it also contains erucic acid.

Of course, Canola oil placed into products for external use, such as body lotions or cosmetics, isn’t consumed internally. It’s up to you whether you wish to apply it to your skin. Though, some people have found it very difficult to wash Canola oil out of stained clothing, which may have to do with the erucic acid.

Should I Eat Canola Oil? Is it safe?

As we circle back around to this article’s original question, the answer is really left up to you to decide. Should you choose to consume oils without erucic acid (e.g., peanut, corn, olive, avocado, soybean), you don’t need to worry about possible myocardial lipidosis from erucic acid building up in the heart tissue. That doesn’t mean that peanut or corn or soybean oils don’t come with their own cardiac consequences. As said above, all things in moderation.

The question is, just how toxic to the heart is erucic acid? Studies are inconclusive. However, studies do suggest that oils containing erucic acid build up in the heart, which is never a good thing. If your family has a known genetic predisposition to heart conditions, then avoiding Canola oil is probably the safer long-term choice.

In addition to myocardial lipidosis, other effects on the heart may as yet be unknown. Building up these lipids in the heart could cause other issues later, such as arrhythmia or other medical complications over time. There are not yet enough long-term human studies on the effects of erucic acid in the body. The lack of these studies is partly due to the intentionally narrow, positive-benefit studies produced by Canola oil producers. These same producers have no incentive to produce negative studies; studies which might cause their products to be removed from the market. Thus, any further studies would have to be paid for independently of these food producers. Clearly, no one outside of these oil producers has much incentive to perform additional erucic acid studies on behalf of the consuming public.

With that said, I choose to avoid Canola oil as much as possible because there are too many unknowns with this oil product, including the fact that it can be a GMO product. In other words, if it has Canola oil on the ingredient list, I don’t buy the product. Unfortunately, many popular potato chip manufacturers these days list Canola oil as a possible ingredient. The same goes for many prepackaged food items found in the grocery store.

The best choice is to buy the oil you prefer to use, such as olive oil, and make your own foods from scratch at home using your own choice of oil. When I fry or bake, I prefer to use olive oil.

When buying from fast food restaurants, there’s no real way to know for sure whether a food contains Canola oil. You can ask a staff person which oils the restaurant uses to fry its foods, but there’s no way to know whether Canola oil is used in other ways, for example in the packet of salad dressing handed to you with a salad, or in extra packets of mayonnaise. These packets might contain Canola oil. If the dressing comes already on the salad, then you really won’t know what’s in it. The ingredient lists on these packets are so small as to be practically unreadable without a magnifying glass. While fast food restaurants are now beginning to post calorie counts, they are not yet listing ingredients for the foods they serve.

As most other cooking oils do not contain erucic acid (mustard seed oil, per the monograph quoted above, being the other notable exception), cooking with them is one less potential health problem to worry about. The issue, though, is that it can be difficult to avoid Canola oil entirely, as it is becoming more and more ubiquitous in prepackaged foods and at fast food restaurants. With that said, the less often you consume products containing Canola oil, and then only in very small quantities, the more any long-term health consequences may be reduced or possibly even avoided.

Why risk your health over conflicting studies and a questionable oil when you don’t have to?
