Security Now! - Episode 209

SERIES: Security Now!


DATE: August 13, 2009

TITLE: Vitamin D

SPEAKERS: Steve Gibson & Leo Laporte



DESCRIPTION: Steve and Leo kick off the podcast's fifth year with a rare off-topic discussion of something Steve has been researching for the past eight weeks and passionately believes everyone needs to know about: Vitamin D. After next week's Q&A, the podcast will return to topics of Internet security.

INTRO: Netcasts you love, from people you trust. This is TWiT.

LEO LAPORTE: Bandwidth for Security Now! is provided by AOL Music and, where you can get free MP3s, exclusive interviews, and more.

This is Security Now! with Steve Gibson, Episode 209 for August 13, 2009: The Vitamin D Story. This show is brought to you by listeners like you and your contributions. We couldn't do it without you. Thanks so much.

It's time for Security Now!, the show that covers all things secure, privacy and such, with our great friend, mentor, and security guru, Steve Gibson. Hey, Steve.

STEVE GIBSON: Well, usually that's what we cover.

LEO: No security today?

STEVE: Oh, no. We've got a bunch of news, and we're going to run through the news of the week, things that are important and impacting our listeners. But this is the first episode, this is #209, the first episode of year five. And we're going to do something.

LEO: Wow.

STEVE: We're going to do something different this week, and only this week. I don't want to worry and freak out our listeners. But something has really come onto my radar that I almost feel I have an obligation just to share once. You know, that's, I mean, I'm taking action on it with myself, my friends, my family, everyone who's important to me. And so, you know, our listeners are important to me, and I want to, if nothing else, sort of plant a seed that may take root, that it may be a couple years from now when they hear something else, it's like, oh, now I know that's important. Whereas, you know, they might tend to think, well, Gibson's not a doctor, so what does he know about this? And I'm not. I'm just sort of a health hobbyist.

LEO: As we all should be, since it is our health.

STEVE: Well, yes, exactly. I stumbled on something which is, I think, very important. I'm going to be - I'm not going to go overboard about it. But I want to just spend this podcast so that I've said my piece. And I'm going to, I mean, I've done two months' worth of research every day on the issue. And I want to explain what's going on, run through some of the studies which have been done. I've put together a page on GRC which covers this topic so that everything that I'm talking about I've got links to, so people can follow up and do additional research if they're so motivated. If not, I completely understand. You know, there's a whole spectrum of people, from people who just think, oh, well, whatever happens, happens; to people who are real interventionists and taking hundreds of supplements a day; and everything in between. So what I can promise is, as always, a podcast which really, I believe, will be thought-provoking and interesting for anybody who has a body.

LEO: Wow. I can't wait. But before then, is there any security news?

STEVE: Oh, baby.

LEO: [Laughing] I noticed that my Macs all wanted to update today.

STEVE: Yes. You turned on your Mac. I turned mine on earlier and got a big update. What we were taken to by Apple was version 10.5.8. Anything prior to that, whether Mac OS X or OS X Server, has some significant problems. And in the past I've sort of stopped there. But I thought that this was interesting enough, I want to just really quickly run through a brief itemization of what happened today, to give us - to give some balance and to draw some conclusions a little bit about what's going on with Apple. So what was fixed? There was a problem in the bzip2 library. And this is coming from Apple's own page: “Decompressing maliciously crafted data may lead to an unexpected application termination.” And it says, “An out-of-bounds memory access exists in bzip2.”

LEO: That's probably an open source library, I would imagine.

STEVE: Yes. “Opening a maliciously crafted compressed file may lead to an unexpected application termination. This update addresses the issue by updating bzip2 to version 1.0.5.” Next, “CFNetwork: A maliciously crafted website may control the displayed website URL in a certificate warning.” Their description is, “When Safari reaches a website via a 302 redirection, and a certificate warning is displayed, the warning will contain the original website URL instead of the current website URL.” Whoops. “This may allow a maliciously crafted website that is reached via an open redirector on a user-trusted website to control the displayed website URL in a certificate warning. This issue was addressed by returning the correct URL in the underlying CFNetwork layer.” Next, “ColorSync. Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. A heap buffer overflow exists in the handling of images with an embedded ColorSync profile. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ColorSync profiles.

“Core Types: Issues are not warned before opening certain potentially unsafe content types. This update extends the system's list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious JavaScript payload. This update improves the system's ability to notify users before handling content types used by Safari.”

There's a problem in the Dock. “A person with physical access to a locked system may use four-finger Multi-Touch gestures. The screensaver does not block four-finger Multi-Touch gestures, which may allow a person with physical access to a locked system to manage applications or use Expose. This update addresses the issue by properly blocking Multi-Touch gestures when the screensaver is running. This issue only affects systems with Multi-Touch trackpad.”

RAW image problems: “Viewing a maliciously crafted Canon RAW image may lead to an unexpected application termination or arbitrary code execution. A stack buffer overflow exists in the handling of Canon RAW images. Viewing a maliciously crafted Canon RAW Image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. For Mac OS X v10.4 systems, this issue is already addressed with Digital Camera RAW Compatibility Update 2.6.”

Then there was a bunch of problems in ImageIO. “Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution. A heap buffer overflow exists in ImageIO's handling of OpenEXR images. Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution.” And we had another one of those, this time from an uninitialized memory access issue which exists in ImageIO's handling of OpenEXR images. And then same thing again viewing a maliciously crafted OpenEXR image, multiple image integer overflows exist in ImageIO's handling of OpenEXR images. And then even a fourth one, a buffer overflow exists in ImageIO's handling of EXIF metadata. “Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.” And a fifth one, “Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution.” And here an uninitialized pointer exists in the handling of PNG images. “Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution.”

In the kernel there's a problem with the handling of fcntl system calls which would allow a local user to overwrite kernel memory and execute arbitrary code with full system privileges. So the update fixes that. There's a denial of service problem in inetd-based launchd services which can cause it to stop accepting incoming connections under certain circumstances. This update addresses that. “A format string issue in the login window may lead to an unexpected application termination or arbitrary code execution.”

There's a problem with MobileMe not removing credentials. “A logic issue exists in the MobileMe preference pane. Signing out of the preference pane does not delete all the credentials. So a person with access to the local user account could continue to access any other system associated with the MobileMe account which had previously been signed in for that account.” So the update fixes that.

A problem with networking. “Receiving a maliciously crafted AppleTalk response packet may lead to arbitrary code execution with system privileges or an unexpected system shutdown due to a buffer overflow that exists in the kernel's handling of AppleTalk response packages.” In networking also, “A synchronization issue exists in the handling of file descriptor sharing over local sockets.” So that's not such a big problem.

But finally, in XQuery, “Processing maliciously crafted XML content may lead to arbitrary code execution. A buffer overflow exists in the handling of character classes in regular expressions in the Perl-compatible regular expressions, that is, the PCRE library used by XQuery. This may allow a remote attacker to execute arbitrary code via a regular expression containing a character class with a large number of characters with Unicode code points greater than 255.” The update fixes that. So there's a bundle of stuff that was just fixed all at once. They feel less…

LEO: That's how Apple does it, by the way.

STEVE: Yes. They feel less severe to me overall than the kind of things that Microsoft reports, although Apple does also tend to report less openly than Microsoft does. They're not doing the complete level of full disclosure that Microsoft does.

LEO: And they don't have that critical/important distinction and all of that stuff. They just kind of say, this is what we fixed.

STEVE: Yup. And they do not disclose too much about it.

LEO: In fact, they often don't even say that. Yeah, they don't - in fact, I'm surprised you have that much detail, to be honest.

STEVE: Right. So I think we're seeing them opening up more. Overall, things seem to be better. But there are vulnerabilities that are beginning to surface from their use of open libraries. There's another recently surfaced XML, broad XML exploit and problem that we'll talk about in a second. So that takes care of Apple.

There was also a problem with Sun's Runtime Environment, the JRE, the Java Runtime Environment, and their development kit, the Java Development Kit. So anyone using Sun's Runtime Environment ought to check in and get an update. I know that normally it plants an icon down, in the case of Windows systems, it plants an icon down in the tray. So it's possible to say, you know, check yourself and get updates. And it's a critical problem that allows maliciously crafted web pages to trigger Java applets. It leverages itself with Microsoft's Active Template Library, which was a problem we've talked about with Visual Studio, in order to execute ActiveX controls, and also involves display of JPEG images. So there's a lot of things involved. But it does affect Apple OS X, Apple's Mac OS X systems, Sun Solaris systems, many UNIX and Linux-based operating systems. And of course Microsoft is no longer doing their own. They're now saying, well, if you want it, get it from Sun. So it affects Windows systems that have that installed, as well.

Microsoft gave us - we just crossed our second Tuesday of the month. And they gave us their typical big batch of goodies. One, two, three, four critical vulnerabilities in Office Web Components that allow remote code execution using a specially crafted web page. Interesting, a vulnerability in Remote Desktop Connection, the standard Microsoft Remote Desktop system, which is used for displaying Windows desktops remotely and also in the, you know, I want help, I'll send you an invitation to access my computer mode. In one mode it doesn't sound very secure. It says the vulnerabilities could allow remote execution if an attacker successfully convinced a user of terminal services to connect to their malicious RDP, Remote Desktop Protocol, server. Well, that seems unlikely. Here, I need you to take over my computer and view my desktop.

LEO: Come on in, guys.

STEVE: Come on in, exactly.

LEO: On the other hand, if you could get a script to execute that would make that do that, maybe that would be a problem.

STEVE: Well, and that's Part 2 is, or, if a visitor visits a specially crafted website, then it's possible to exploit this through scripting that causes the same exploit. So, yes, there is that also, which does seem to be much more problematical. So that's why Microsoft gave it a “critical.” And it does allow them, you know, full takeover of your system.

There's also a new problem, which they fixed, or newly discovered, in Windows Media file processing, allowing remote code execution. Quoting from Microsoft, “Two vulnerabilities could allow remote code execution if a user opened a specially crafted AVI file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” So we're glad that's gone.

And then we've got what appears to be another fix to vulnerabilities in Microsoft's Active Template Library. Remember that we talked about those problems several weeks ago. And so this security update resolves several privately reported vulnerabilities in Microsoft's Active Template Library. The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control hosted on a malicious website. So, yes, this is different than the previous fix, which was where the Active Template Library was not honoring the kill bits, which is the - we've talked about this a number of times, is the way Microsoft prevents their ActiveX controls, which were never intended to be loaded by IE, from being honored and loaded by IE. So but that - turns out there was a way around that.

LEO: Whoops.

STEVE: So that's been fixed previously. And then there's four other just important vulnerabilities that I won't go into. Basically it's the same advice as always, which is keep your Windows updated and currently patched.

We do have a substantial - I mentioned this earlier - a common library flaw in the XML library that a huge number of open source utilities and systems are using. A Finnish security research group discovered flaws in the XML libraries used by, for example, Sun Microsystems' Apache and Python, which are consequently all known to be vulnerable because they have used this. The discovery was made - we sort of talked about this approach before, also. They used a program that they call CROSS, which is Codenomicon, which is the name of their firm, this Finnish security firm, Codenomicon Robust Open Source Software, CROSS. It uses what they call “software fuzzers” to basically test the security of open source programs by throwing manipulated data at them, basically throwing all kinds of things at them and seeing if they crash. And if they do, finding out what happened and whether there's a way to exploit that crash.

So they tested every open source library, and all were found to contain vulnerabilities, although the severity varied from one library to the next. And quoting from them, they said the bugs are, quote, “related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely.” And this is from the Finnish CERT, the Finnish version of Computer Emergency Response Team, that has been working with these guys to coordinate fixes among the different software providers. They went on to say that there are libraries built on the C language which are at the highest risk because exploits can include the execution attacks in the libraries. They said, quote, “Unfortunately, most libraries out there are written in C. And thus errors such as stack overflows are not that uncommon. When this is the case, exploitability depends on other anti-exploitation features that are available on the platform,” such as ASLR, we've talked about before, Address Space Layout Randomization; DEP, Data Execution Prevention; NX bits, the No eXecute bits which are increasingly available; and so forth.

So what that means is that shortly we will expect updates to Apache and Python and, I mean, literally a whole raft of other tools that are using the XML common library and exposing the features of the library in a way that someone maliciously could use in order to crash or potentially commandeer the system that is using that. So that's not good.

LEO: Yeah.

STEVE: I got a kick out of a new piece of scareware. There's a fake Blue Screen of Death scareware. Just thought I would advise our listeners. And it's interesting because - oh, it was discovered by Sunbelt Software, our guys down, you know, Alex down in Florida. It infects the system through fake codec and Flash Player update packages that have been planted on malicious sites. But what's funny is that it displays on top of the Blue Screen of Death, it displays a red popup warning which directs people, saying we've scanned your system, we've found problems, this is why the Blue Screen of Death has occurred, press here in order to pursue a fix.

Well, you can't have a popup warning on top of a Blue Screen of Death. I mean, that's like the fatal whole system lockup screen of last resort, when there's absolutely nothing Windows can do except drop you back into text mode and display this text page. And you're hosed at that point. So the idea, I mean, my sense is that our listeners are sophisticated enough to go, wait a minute, a Blue Screen of Death with a popup notice? I don't think so. But, you know, there's a certain class of people who may not understand that. Although frankly I would wonder if less sophisticated users know what a BSOD is and why this particular screen would scare them. But anyway, it exists. So if our listeners run across other people who say, hey, I got a Blue Screen of Death, or that thing you talked to me about before, but it's got a red popup notice, what should I do? It's like, oh, well, now we'll know what's going on.

And then in - we have two bits of interesting news. Certainly what made the news since you and I have talked last, Leo, was the denial of service attack that caused a Twitter outage.

LEO: Yes, yes.

STEVE: For many hours.

LEO: Boy, was that a fascinating story, too.

STEVE: Yeah. And of course it also took out, or, like, not to the same degree that Twitter was, but Facebook, YouTube, and LiveJournal were all affected. And there was a lot of misinformation and people wondering what was going on or what the cause was. Some people called it a denial of service attack, you know, like a botnet would launch. I mean, it sort of seemed that way. But later reports showed that there was a spam campaign that went out containing links to specific blog posts on Facebook, YouTube, and LiveJournal. Oh, I mean, and primarily Twitter. And so the theory was that people responding to the spam may have clicked the links, and so it was just a traditional overload of one specific server, presumably, where this one person's blog posts were located. So maybe not a traditional botnet-based denial of service at all but just a whole bunch of people going to the same place.

And apparently Twitter's network is not as robust as, for example, Facebook, YouTube, and LiveJournal. In fact, I read one report that said that Twitter, literally their DNS provider is And it's like, what? That's who they're using? That's who Twitter uses for DNS? That seems rather, you know, bush league to me. So it sounds like maybe Twitter needs to spend some more money on their infrastructure.

LEO: Their infrastructure is messed up big-time.

STEVE: Yeah.

LEO: Yeah. And I think that this is not a good thing for them because when they go down like this - and by the way, they've been up and down ever since. They were down again yesterday for the same reason. It makes people kind of say, well, I guess I'm not going to be considering this a mission-critical application for me.

STEVE: Well, and what's interesting, too, I mean, it's unlike websites where it's like, oh, I can't get there, I'll come back later.

LEO: No, no, yeah.

STEVE: I mean, Twitter is all about real-time interaction and flow.

LEO: Yeah, exactly.

STEVE: And what of course made the news was that lots of people have become minor Twitter addicts, and they get hooked on this constant flow of nonsense, frankly.

LEO: Well, more to the point - I know you think it's nonsense. It's not. But more to the point, there are a lot of businesses that rely on this and have actually made it a part of their PR strategy. There was one company that was going to do a product launch that morning. And this is how Twitter plans to monetize, I mean, this is key to Twitter's future.


LEO: And if they can't provide a reliable system to do that, people are going to start using Facebook, which is sitting out there going, yeah, we were up. We handled it. Because they were attacked, too.

STEVE: And does Facebook offer a Twitter compatible, I mean, a Twitter-like service?

LEO: More and more so, yeah. They're definitely moving in that direction. And I think what's going to happen, I mean, this is a discussion for a different show, and we certainly talk a lot about it on other shows. But it shows, though, that poor security or poor infrastructure or being attacked can really hurt a business, I mean, really can significantly impact a business. And I think it will impact Twitter very much.

STEVE: Well, and frankly, when this came to mind it was like, wow, I wonder if - first of all, it's a little bit surprising they hadn't been hit before. They are, infrastructure-wise, apparently very vulnerable, so easy to take down. And I was wondering, gee, I mean, again, I don't have any information about this, but whether they might have been - it doesn't look like they were - victims of some blackmail. It's like, hey, you want to stay on the air, it's very important to you guys specifically, especially, to stay on the air. We're going to knock you off unless you pay us. So who knows.

And then my final bit of news comes from some researchers at UC Berkeley, who discovered from poking around that more than half of the Internet's top websites are now using Flash cookies to track users and store information about them, but that only four of those sites mention their use of Flash cookies in their privacy policies. And just to refresh our users' memories, our listeners' memories, traditional cookies are browser cookies. And probably everybody knows about them. There's a UI that's very available and visible on browsers that allows you to manage your cookies, to delete them, to turn them into session cookies so that they're not persistent, to allow some sites to keep cookies and others not to and so forth.

Flash cookies are Adobe/Macromedia's own completely separate channel which allows data to be stored, surprisingly large amount of data actually per website, much more so than cookies, in a channel which is completely separate from your browser. So it will be something that GRC will be addressing. I've got a lot of research that's in the process of getting itself ready to come online, just needs more documentation about browser cookies for educating people. And it has been pointed out to me a year ago, more than a year ago, that Flash cookies are on the rise.

Well, here we are now, more than half of the Internet sites are using Flash cookies. The only reason they would be doing that is that they're no longer happy with the tracking they're getting from regular cookies. And what that means is, since still all browsers default to having cookies enabled, since that was part of the original specification for the web was that a server can give a browser client a cookie, which it will then return in order to identify itself. Well, users don't want to be tracked, so they're turning their browser cookies off. But websites are not accepting their choice not to be tracked. They're saying, well, we're going to track you anyway. Even though you've disabled your browser cookies, we're going to be even more sneaky because our website requires Flash, and everybody pretty much has Flash who's on the 'Net now. So where possible, we're going to give you an even stickier cookie through the Flash mechanism in order to hold onto you. Which, you know, doesn't seem right, but that's what's going on. More than half of the Internet's top sites.

LEO: Wow. All right, Steve. Why, why, why are you so tan? What's going on?

STEVE: Well, okay. To give a little bit of background here, everyone who's been listening to this podcast for years knows that I focus on code writing and computers and technology. A hobby of mine, which I've become increasingly focused on as I've been aging, is health. And in fact really, Leo, it began when I was flying up to visit you in Toronto and appear on Canadian TV with Rogers Cable. I'd be at the airport and seeing people who were really, I mean, older than I, but not lots older than I, who were having trouble moving around. They were already, like, being really careful standing up and sitting down, and moving slowly.

And I thought, okay. I think at that point I was probably 50, or maybe even my very late 40s. And today I'm 54. And I remember just deciding, making a promise with myself that I am not going to be that person when I'm that age. And I'm literally willing to do anything it takes, every single day, so that I'm able to jump around more or less as I am now as I continue aging. And my focus is not on trying to live as long as I possibly can. I'm really not very focused on that at all. I don't care how long I live. I mean, more is better.

But if you think of a chart that shows your quality of life over time, so that the horizontal axis is your life running from birth to death, and the vertical axis is how you feel, your physical well-being. You can imagine somebody who just, like, I don't know, who smokes their whole life, who abuses alcohol and drugs, doesn't take care of himself, they might have a relatively, like, for example, a straight line decline from birth to death, where they just - they don't age well, and they're not having a great time toward the end of their life. My goal would be to keep the slope of that line as horizontal as possible. That is, keep health up as high as I can for as long as I can, and then to have it just drop off a cliff, kill me in a week when it's finally time.

But the point is that you want to, from a math standpoint, you want to maximize the area under that curve. You want - because that's the most health you can have for the length of time that you're alive. So my focus on health, which I've now had really to a much greater degree since I turned 50, because it was like, okay, I've got the time, I've virtualized GRC, my employees are working at home, I'm able to work with a great deal of freedom, I have - there's no excuse not to exercise, not to make sure I'm eating well, and not to do some research, since I've got the Internet now, we all do. And it's just an amazing - it makes this information so much more available. So I subscribe to a number of newsletters. And I've been focused on various aspects of health. I pretty much knew about cardio years and years ago and have tried to keep myself in shape.

And what happened, maybe about three months ago, was just sort of bumped on the radar screen were various mentions of Vitamin D, which was not something I'd ever looked at or thought about. I was actually more aware of things like the B vitamins and their importance because modern food processing tends to kill off the B vitamins. They're fragile. So food is fortified basically to put back in what processing kills. And I knew about E and C. And but somehow Vitamin D had never - this is something I had never really looked at very much. But I finally got to a point a couple months ago where it's like, okay, what's going on with this?

And so I began to poke around and do some reading. And I thought, whoa, wait a minute, this is seeming much more significant than I recognized. And probably about four weeks ago, so about four weeks into this, I decided that this was something that I really needed to understand. And I also at some point figured I need to involve my family and friends and ultimately this podcast. So just for one week I need to beg our listeners' indulgence. I'm going to - I want to share what I have learned and see if, for the sake of information, maybe it will resonate with some people. Maybe at some point in the future when other information surfaces they'll go, hey, wait a minute, I remember Steve talking about this. He thought it was important. These other people think it's important. Maybe that will be enough to catalyze some thought.

So there's so much that's important about this. First of all, there's a real problem with it in that it's not a vitamin at all. Never was.

LEO: Really.

STEVE: Never has been. It is a…

LEO: What is a vitamin? What is the definition of a vitamin?

STEVE: By definition, a vitamin is something which you do not make endogenously. That is, your body does not make it. It's something that you must acquire through nutrition from outside sources.

LEO: It's an amino acid, too, right, isn't that what it means? Vital amino acid? No, maybe not.

STEVE: I don't know where the word comes from. But I do know that it's got to be a dietary source. Well, what happened was that it was discovered because of a chronic deficiency in an unknown substance. As we became more industrialized and people moved from rural settings into cities, and especially as children were employed in buildings, like in factories, they began getting rickets, which is a severe underdevelopment of skeletal bones. Now, what happened was that there was the discovery that cod liver oil cured this malady that children had. And so for generations parents, mothers, would, like, force their kids to have a tablespoon of cod liver oil.

LEO: I remember that from “The Three Stooges.” Or “Our Gang,” yeah. “Our Gang,” yeah.

STEVE: Nasty, oily-tasting stuff. You really don't want it. Because it turns out that this thing called Vitamin D - and it's such a shame that it's been lumped in with the vitamins because it is a steroid hormone.

LEO: Really.

STEVE: It is a very - in fact, it is the most powerful steroid hormone in the human body. It is so powerful that when measured, the units of measurement of the active form - and I'll explain what the metabolic process is in a second. But the metabolic form is measured in picograms per milliliter. That is, we have grams, then we have milligrams is a thousandth, micrograms is a millionth, nanograms is a billionth, picograms is a trillionth. So it's on the order of 20 to 50 trillionths of a gram in our blood. I mean, amazingly little of this goes a long way. But it is found in almost no dietary sources. That is, we cannot get D from our diet. It turns out that fatty fish is a source of D. But where it comes from, the way we get it, is from the sun.

And which I think is really interesting because the first known application for Vitamin D, and really the only place where it has received lots of attention, is in our body's calcium metabolism. You know, it's generally felt that all life on earth came from the seas, first started in the oceans, evolved in the oceans, and then literally crawled out onto land and needed to adapt. Well, the ocean is a rich calcium bath. And so calcium is a fundamental component of the way we operate. And our bodies, the human body manages and maintains the concentration of calcium to the best of its ability within relatively narrow margins. We need to have enough calcium from our diet, which it's easy to get. But you have to have Vitamin D in addition to calcium in order to build bone. D is inextricably linked to calcium metabolism. And so but for a long time, for hundreds of years, that's the only thing that we knew that it did.

Well, looking back at sort of early humanity, we also know that we evolved in sub-Saharan, equatorial East Africa. That's where man, that's sort of the cradle of humankind. It is believed that when we were coming out of being apes covered with fur, that as we evolved to be larger and have more muscle mass, we began to have a problem with cooling because we were generating, our larger muscles were generating too much heat. So evaporative cooling wasn't - it was having a problem if we were covered with fur. So we literally lost our fur in favor of skin and more evaporative capability.

The problem with that was that we were then being exposed to intense sunlight since our skin was no longer being protected by fur. So what started out as being lighter skinned, we ended up developing a much more rich melanin content. Melanin is the pigmentation in skin. And so we ended up literally becoming black in order to deal with the constant powerful equatorial sun in East Africa. And the blackness of our skin allowed us to tolerate the sun.

But ever since the beginning, we were also using sun, that is, the ultraviolet radiation, for fundamental chemical reactions which take place in our skin. A precursor of cholesterol called 7-dehydrocholesterol, or 7-DHC, that exists in our skin in abundance in youth, and we lose it as we get increasingly older, that 7-dehydrocholesterol, when it is zapped by an ultraviolet photon, it converts, that 7-dehydrocholesterol is converted into an early form of what unfortunately we have labeled Vitamin D. It's not stable in that form, and so it shortly changes its bonds around and just under thermal isomerization converts into something called cholecalciferol, which is the form of Vitamin D that you can also get in a supplement. That's transported to our liver, where our liver changes it through a process known as hydroxylation into the Vitamin D which is measured in our bloodstream, something called 25-hydroxy Vitamin D. And that's sort of the bulk storage form of this chemical.

Our kidneys take it the next step further, hydroxylate it again, and turn it into this super potent steroid hormone. Now, that's involved directly, it's that hormone which is involved with the regulation of calcium metabolism and our bones. It turns out, though, that many other organ systems in our body also have the ability to deal directly with Vitamin D. And this is the information which is finally, due to the advancing of our medical science, finally becoming clear to people.

I want to shift gears here for a second and run through a number of recent studies which have been done, just to give people some sense for the pervasiveness of the influence of this. I have a - I'm holding a textbook, 450 pages, titled “Vitamin D: Physiology, Molecular Biology, and Clinical Applications.” I've read so many journal articles and studies that I'm becoming sort of well-versed with the names of these people. And in fact, if I look at a book, a popular text on Vitamin D, it's like, oh, yeah, I know where that chart came from, I remember seeing that chart in the original source material.

LEO: Wow.

STEVE: So this is Chapter 13, where he's talking about non-calcemic actions of 1,25 dihydroxy Vitamin D3. Okay, that's the output from our liver, I'm sorry, the output from our kidney, the final stage, which is this powerful steroid hormone. And he says, “Under historical perspective, when 1,25(OH)(2)D was discovered, it was assumed that specific Vitamin D receptors would be present in calcium-regulating organs, including the intestine, bone, and kidney. In 1979, Stumpf et al….” and then he has a reference to the back of the chapter, where he talks about that study, “…reported on the localization of radiolabeled Vitamin D in Vitamin D-deficient tissues and found that the radiolabeled Vitamin D was localized in the nuclei of cells in the small intestine, kidney, and bone, exactly as expected.

“But remarkably, they also find, by autoradiographic analysis of frozen sections of tissues, that this radio-tagged Vitamin D was also present in cells in the gonads, thymus, pituitary gland, pancreas, stomach, breast, teeth, placenta, and skin. This observation was the impetus for the identification of the Vitamin D receptors, called VDRs,” and this is at the genetic level, “in all of these tissues, as well as in several tumor cell lines of leukemia, breast cancer, melanoma, squamous cell carcinoma, colon cancer, and prostate cancer. VDR activity was also detected in cells related to immunity, including circulating monocytes, activated T and B lymphocytes, and macrophages,” which is all part of the way our immune system functions.

So to give some sense for what is beginning to be understood, I've just jumped to Chapter 22 under “Epidemiology of Cancer Risk in Vitamin D.” It reads: “A nested, case-controlled study was conducted using subjects from the Johns Hopkins Operation CLUE Cohort. This cohort consisted of 25,620 health adult residents of Wash….” Yeah, it does say “health adult.”

LEO: It should be healthy, obviously, yeah.

STEVE: Yeah, “…healthy adult residents of Washington County, Maryland, who provided samples of serum, meaning their blood, between 1974 and 1975. Serum samples were thawed for all cases of colon cancer.” So what happened is, decades later, the study was done. So serum samples from back in '74/'75 “were thawed for all cases of colon cancer, and for two controls per case,” meaning other people who did not have colon cancer, “and matched for age, race, sex, county of residence, and date of serum collection. Sera,” meaning plural of serum, blood samples, “were analyzed blindly for 25-hydroxy Vitamin D.” Okay, that's that main circulating Vitamin D, which is what's measured. That's the output of the liver before it goes into the kidney. That's sort of the storage form. “Individuals whose 25-hydroxy Vitamin D levels were greater than 20 nanograms per milliliter,” and I'll talk about these numbers in a second, get this, “greater than 20 nanograms per milliliter had one third the risk of colon cancer…”

LEO: Wow, one third, wow.

STEVE: “…one third the risk of colon cancer compared with those with lower concentrations.” Okay. So there's one. A different study, this is from the American Journal of Clinical Nutrition 2004, reads most - to give some context I'll sort of give a little more coming into this.

“Most humans depend on sun exposure to satisfy their requirements for Vitamin D. Solar ultraviolet B photons,” that is, UVB, “are absorbed by 7-dehydrocholesterol in the skin, leading to its transformation to pre-Vitamin D3, which is rapidly converted to Vitamin D3. Season, latitude, time of day, skin pigmentation, aging, sunscreen use, and glass,” that is, the presence of, you know, glass between you and the sun, since UVB is blocked by glass, “all influence the cutaneous production of Vitamin D3. Once formed, Vitamin D3 is metabolized in the liver to 25-hydroxy Vitamin D, and then in the kidney to its biologically active form, 1,25(OH)(2)D.

“Vitamin D deficiency is an unrecognized epidemic among both children and adults in the United States. Vitamin D deficiency not only causes rickets among children, but also precipitates and exacerbates osteoporosis among adults and causes the painful bone disease osteomalacia. Vitamin D deficiency has been associated with increased risks of deadly cancers, cardiovascular disease, multiple sclerosis, rheumatoid arthritis, and Type I diabetes mellitus. Maintaining blood concentrations of 25-hydroxy Vitamin D above 80 nanomoles per liter,” which is, in the literature, sometimes they describe the concentration as nanomoles per liter, but often also as nanograms per milliliter. The conversion is 2.5. So 80 nanomoles per liter is about 30 nanograms per milliliter.

It says, “Not only is the maintenance important for maximizing intestinal calcium absorption, but also may be important for providing the extra renal 1-alpha hydroxylase that is present in most tissues to produce 1,25(OH)(2)D(3).” What he's saying there is that this is necessary for Vitamin D to act directly on all these other tissues, rather than being used for calcium regulation, calcium homeostasis. “Although chronic excessive exposure to sunlight increases the risk of non-melanoma skin cancer, the avoidance of all direct sun exposure increases the risk of Vitamin D deficiency, which can have serious consequences. Monitoring serum 25-hydroxy Vitamin D concentrations yearly should help reveal Vitamin D deficiencies.”

So that's sort of a bit of overview. But here's another - this is titled “Prospective Study of Predictors of Vitamin D Status in Cancer Incidence and Mortality in Men.” And I'm going to skip the preamble and just - and I have all of this, I've got links to all of this on the page at GRC. It says, “For multivariate models, an increment of 25 nanomoles per liter in predicted Vitamin D level was associated with a 17 percent reduction in total cancer incidence.” I lost my track here. Oh, incidence. And they go into the statistics, a 29 percent reduction in total cancer mortality with a relative risk of .71, that is, if you had an increase in serum D levels; and a 45 percent reduction in digestive system cancer mortality, 0.55. And then they summarize, showing that the results were similar when they controlled further for body mass index and physical activity level. So basically saying that when all other influences were removed, Vitamin D level in the blood had a direct bearing on cancer incidence.

And there's, like, studies which describe similarly that higher levels of Vitamin D are connected to lower levels of many different types of cancer - pancreatic, colon, rectal, stomach, prostate, lung, breast, bladder, uterine, esophageal, kidney, multiple myeloma, I mean, it just goes on and on and on. There was one doctor who is at the Atascadero - he's an M.D. and psychiatrist at the Atascadero State Mental Hospital, John Cannell. Because he knew that Vitamin D positively influenced mood, you know, we've all heard of seasonal affective disorder, where people get kind of moody and gloomy in the winter, not surprisingly, when there's much less exposure to sunlight and when the sun is at a greater angle, not as often or as much overhead. It turns out that the atmosphere absorbs UVB. And so if the sun is not almost directly overhead, you're not getting much Vitamin D.

So he had his ward on Vitamin D just for its psychological benefits. A 'flu went through the hospital that was bad enough that wards needed to be quarantined. He said - I've seen two interviews where he mentions how the ward to one side of him had such a 'flu outbreak that it was quarantined, the ward to the other side of him, and the ward across the hall, as well as on the floor below. He knew that his patients had had social interactions with the inmates in the other wards and that the nurses were cross-covering his ward and the other wards. So he figured that his people were similarly being exposed to this influenza. Not one single patient that he was treating in his ward came down with the 'flu, despite the fact that it was epidemic and to the level of quarantining. And now as a consequence everyone at Atascadero receives Vitamin D supplementation because of the strong evidence for its immunizational effect.

So I mentioned to you, when we were briefly talking about this last week, that there's even a theory now about where Caucasians came from because it is believed that humans evolved in Africa with deep, dark, melanin-rich skin, which balanced the strength of the equatorial sun. Now we understand that this hormone, which unfortunately has been mislabeled a vitamin, which is I think largely responsible for a lot of people thinking, oh, well, you know, I probably get enough of this in my diet, I'm not going to worry about it, this hormone has always been generated by the sun's UVB interaction with our skin. And as we evolved, our population grew, we began to migrate away from equatorial Africa, north.

What we now believe happened is that, as we left the equator, the UVB radiation that we evolved under - I mean, literally, just like oxygen, I mean, that important. As I run through, I look at all these things that we are beginning to understand are relating to low levels of Vitamin D. You might think, wait a minute, how can Vitamin D fix that? Well, that's asking the question wrong. It's that we always had much higher levels of Vitamin D in our blood than we do now because we evolved naked in the sun. I mean, and even now, here we are in industrialized mode, basically living in dark UVB blackout caves called our homes and offices, where no UVB radiation gets in, where we're getting much less sunlight than we were even a couple hundred years ago, when we were out farming and getting exposure to the sun.

And of course unfortunately, even more recently, there's been a great public relations campaign warning about the dangers of skin cancer. You must put on sunscreen when you go outside. So there's actually been many other things even recently which have begun to happen which confuse people. For example, autism, it's been noted that it's on the rise. One theory is that, oh, well, we're just diagnosing it more. We're more aware of it, so we're looking more closely. However, what they have found is that the incidence of autism directly correlates with the latitude of the mother of autistic children during pregnancy. The further away mothers are from the equator, the greater incidence of autism in their children.

LEO: Now, correlation doesn't equal causation.

STEVE: No, that's a very good point. And that's something we have to keep in mind. My favorite example of that is that - imagine that someone knew nothing about, you know, like an alien came down, knew nothing about the way we operate and was looking, was like watching the street, a random street in New York, and noticed that suddenly everyone put their umbrellas up and, oh, look, then windshield wipers all began going on the cars. Well, if you didn't know any better, you didn't understand anything about what was really going on, you could say that raising umbrellas caused windshield wipers to go on.

LEO: Right, right, right.

STEVE: When in fact…

LEO: It's the other way around.

STEVE: It's completely different. I mean, there's something else that is related. But, and see, one of the problems with where we are - and, I mean, we're beginning to understand the significance. The problem is that you cannot patent Vitamin D. It is incredibly difficult to perform expensive studies.

LEO: Right, there's no incentive to do this.

STEVE: Yes, there is no financial incentive. There was a study that was done - so it's left to universities and research hospitals that have limited funding, especially now. There was a study between the years of 2000 and 2005 that took 1,179 women in Nebraska, which I think I recall is at 41 degrees north latitude. This was a double-blind, randomized, placebo-controlled study. That's the gold standard of studies. It divided the women in half. It gave half of them a placebo and calcium, and the other half 1,100 IU per day of Vitamin D and calcium. If you ignore - oh, and these were all - in the year 2000, when this began, they were all, as far as anyone knew, cancer free. If you ignore and throw out the first year of any cancers that were found, on the premise that those were already in the process of developing, during the rest of this study the women who were taking the Vitamin D plus calcium had 0.23 percent incidence of any type of cancer. 0.23.

LEO: I presume that's well below normal.

STEVE: Compared, no, I mean, compared to the other half of women.

LEO: Oh, I see.

STEVE: So if the other half of the women, you established their rate as 1.0, so it's less than one quarter the number of incidents of cancer. So these studies exist. They are being published by Harvard and conducted by Harvard, in the American Journal of Clinical Nutrition, I mean, not flaky, strange publications that no one's heard of, major fundamental research. But the problem is, you can't patent Vitamin D.

The other problem is that the rate of production of Vitamin D as we age really falls off. Now, I should mention something that I haven't said before, and that is that just this morning I had my fourth weekly test. I didn't get in the mail my third results, which would have indicated where I was after my second week. But what I did starting four weeks ago, I'm sorry, three weeks ago today, literally, was I had a reference Vitamin D level taken. I knew, after all the research I was doing, that I was going to be putting myself on Vitamin D, to a much greater level of Vitamin D than is in my multivitamin.

One of the problems with supplementation, and there is a problem with supplementation, is that Vitamin D can be toxic in very high doses. It is fat soluble, so it's not excreted from our body on an ongoing basis. So like any fat-soluble vitamin, there's a concern that it will build up in your tissues over time. Nobody has ever become Vitamin D toxic from sun exposure. But it has been determined that, for example, half an hour in the sun will generate about 10,000 IU, 10,000 international units' worth of Vitamin D, which then over the course of a couple days enters your bloodstream.

Well, I knew that I was going to be starting - I was going to be adding some substantial Vitamin D to my daily regimen after all this research that I have done. But I had no idea what my current Vitamin D level was. And I wanted to play with generating it by the sun because once I started supplementing, once I added Vitamin D to my diet, well, I would never stop. And there were other things that I had added where I was thinking, gee, I wish I'd taken a measure beforehand so I could know what it was before. So I thought, let's sort of play with this.

So I found out to my tremendous shock that I am, or, well, am as far as I know even now, substantially deficient. There's four levels of Vitamin D terminology that the medical community uses. You have deficiency, then you have insufficiency, sufficiency, and toxicity. So you obviously don't want to be toxic. You don't want too much. What you want is to be sufficient, and really neither insufficient nor deficient. And I am deficient. I mean, I'm…

LEO: Really.

STEVE: I have a great diet. I eat lots of salads. I like fish. I sort of avoid meat. I'm not afraid of it, but I'm doing everything I should. I have regular annual checkups. My cholesterol is where it should be, blood pressure is where it should be, a little higher than I would like it. But it turns out that adequate levels of Vitamin D lowers blood pressure. In fact, it turns out that there is a seasonal sine wave cycle of blood pressure. The extent, the amplitude of the sine wave varies with latitude, and it is synchronized to the calendar. It is well known that…

LEO: Huh, wow.

STEVE: …blood pressure goes down in the summer and goes up in the winter. It is also, of course, we know that people tend to get colds in the winter, and they get the 'flu in the winter. Why? Well, maybe, and we don't know this, but it's because our Vitamin D stores are depleted. There was one study that attempted to demonstrate that watching too much television caused autism, that is, watching TV and autism were related. And it's interesting because it turns out that the people who did the study didn't actually interview people for how much television they watched. Instead they used the rainfall figures in the area.

LEO: So they correlated it to rainfall, not TV watching. That's just…

STEVE: And they said, well, we don't really know how much TV kids are watching. But probably if it's raining…

LEO: Figure they're inside, yeah.

STEVE: …they're inside. What they were inadvertently doing was they were measuring probably the amount of sun that these kids were getting. And that's where the correlation was. And in fact, when this was pointed out, they have revised their study in order to correct that. So the proper level of Vitamin D is something which is still unknown, believe it or not. The way the RDA, the Recommended Daily Allowance, was established was that because we really didn't know, the one thing we did know was that a tablespoon of cod liver oil would prevent rickets. And since it had been given for so many generations, for so many years, and not caused a problem, they said, well, how much Vitamin D is in cod liver oil? It turns out it's 400 IU. So that's what they said, okay, we'll just say that that's the recommended daily allowance, 400 IU.

The problem is that being in the sun for half an hour supposedly generates 10,000 IU. So substantially more. And in fact, studies have been done of lifeguards, and farmers in Puerto Rico, that measure the actual level of Vitamin D they have in their blood. And in this common term of nanograms per milliliter, they're in the order of 50 to 70. So the current clinically accepted range is 32 to 100. A hundred - I read the study, and I've got a link to it on my page, where the guy who did this, who set the 32 to 100, and you can read all about how it was established. And he says, well, I just set 100 sort of arbitrarily because it's higher than we generally see in anybody who has a lot of constant sun exposure. We don't know that it shouldn't be higher or that any higher level is toxic. But it would seem that a hundred is sort of a good place because that's all we know at this point.

Anyway, my first test showed me at 23.6 nanograms per milliliter. And a week later, after a week of sun, where I'm spending half an hour in noonday sun, completely exposed, I mean, 100 percent, baby, the way I was born, dropped to 21.3. I'm guessing that this is just, you know, it's just the tolerance of the lab test. I hoped by this time to have the results of the second week, which would be the third test. And a week from now I should have the results after the third week of the fourth.

But for whatever reason, it doesn't look like I'm seeing any production. In the studies I've read, when you do get sufficient sunlight, your Vitamin D level jumps up. It does take many weeks for it to reach whatever maximum it's going to. So it's sort of an exponential rise. But I would have certainly expected to see something after seven days of regular exposure. It looks to me like I'm unable to produce Vitamin D through being out in the sun. It's disturbing to me that after five years with my internist, my doctor who was assigned to me, I mean, he was fast to give me a blood test and a so-called CBC, a complete blood count, to look at all of the things that are typically considered. I know exactly what my HDL and LDL and triglycerides and all that stuff is. He never checked my Vitamin D. Now, maybe if something were, like, really off, like my blood calcium was off, he would have said, well, let's check your Vitamin D.

LEO: That's what Dr. Mom was saying, is what about your serum ionized calcium?

STEVE: Yeah. And that's where it should be. So maybe that…

LEO: Interesting.

STEVE: Maybe that would have brought him to do it. But clearly I'm at a level now that is way low, based on current thought. I would like to raise my 21 to something between 50 and 70, and somewhere, you know, like 60 being a goal. And that's what I will likely begin doing.

LEO: And you think that sunbathing is the key.

STEVE: No, no, no. Remember, this was just an experiment. I only wanted…

LEO: Because there's other risks associated with that, of course.

STEVE: Well, yes. There are three types, interestingly, there are three types of skin cancer. You have squamous cell carcinoma, basal cell carcinoma, and malignant melanoma. Malignant melanoma is the cancer that everyone worries about. Interestingly, though, it generally appears on areas of the skin that are covered by clothing, probably because statistically most of us have more than the majority of our skin covered. The squamous cell carcinoma and basal cell carcinoma is the kind that we see on our hands, arms, and face. It's also the kind that your dermatologist can freeze off easily, and it's not a big deal as long as you've got someone looking at your skin from time to time, like your doctor takes a look at you to make sure that you don't have any of that.

So the UV radiation definitely damages skin. It can be carcinogenic. And it does generate Vitamin D. What is believed is that, as we migrated away from the equator, because we are so dependent upon Vitamin D, that it became a powerful natural selection factor in our evolution. And, you know, we know that our evolution took millions and millions of years. It looks like from the studies that we've done, that as we left the equator and populations moved north up into Europe, that we depigmented in something like several tens of thousands of years, maybe like 50,000 years. Because suddenly the high melanin content we had, which was protecting us from the sun at the equator, was also now blocking our ability to produce Vitamin D, which is a critical, I mean, an absolutely critical component, I believe, of human health.

We know when it's really low that you develop chronic problems with calcium management and bone. Your body takes calcium from your bones to preferentially manage your blood calcium level because that's even more important. So your bones represent essentially a calcium well, or a calcium repository that, if you don't have enough Vitamin D and/or calcium in your diet, there are mechanisms that'll pull calcium from your bones, which you don't want. But now we're learning that it's very likely that this very powerful and necessary hormone has been incorporated into many other systems in our body.

And I imagine that many of us listening to this podcast are in the same position I was. I mean, I'm not a sunbather. I'm not out in the sun. I actually, I mean, I get a little bit of sun. I'm not afraid of it. And I want to make sure I don't burn. But the problem is that, again, we're in an information deficit because studying these things costs money. And you can't patent the sun. You can't patent sunlight.

LEO: There's an analog because we know that salt is very good for treating a lot of things like cold sores and so forth. But nobody's going to study that because salt is free and cheap and unpatentable.

STEVE: But what's really interesting is there are Vitamin D analogs which the pharmaceutical companies are exploring.

LEO: Sure, yeah.

STEVE: Uh-huh. They're making little tiny tweaks…

LEO: You can make money on that.

STEVE: Exactly, because that they can patent. And in fact there are now some effective psoriasis medications which are all based on Vitamin D analogs. So they tweaked the molecule a little bit. There is a problem with high levels of Vitamin D because, as I mentioned, it is toxic in really high levels. But they want to use the very powerful, the 1,25(OH)(2)D, which is what your kidney produces. They have found that it is extremely good at fighting cancer. The problem is, if you gave someone enough of it to fight cancer, it would turn you into limestone. So that's not a good thing.

So what they're trying to do is they're trying to find a variant of this Vitamin D which will have the effects they want and mitigate the effects they don't. If they can do that, then they can patent it and create a new drug. I'm not averse at all to using the medical system, if I need to. I'd much rather stay healthy, not need major surgical intervention of any kind. And so Vitamin D will be part of my regimen going forward.

And the takeaway, I think, would be, for those listeners who have a doctor, who are the kinds of people who know what their cholesterol is and so forth, next time you go, say hey, let's find out what my Vitamin D level is. And I'm sure that if my doctor knew that I was 21, he'd say, oh, I mean, even the blood test results shows the level, 32 to 100, and shows me as extremely low. He would have said, oh, well, we probably need to put you on some Vitamin D, give you some Vitamin D supplementation, and we'll retest in 90 days. There's no indication that it could hurt. And my sense is it can only help.

LEO: So you're going to start taking supplements.

STEVE: Yes. In fact, today. I did my last - I've done my three weeks in the sun. I don't have the results…

LEO: I still like getting the sun, and now - I have Italian skin. So, and of course I get checked every year for skin cancer. But I like getting some sun. I just - it feels good.

STEVE: Well, it turns out that it also releases, being in the sun releases a - shoot. It's a form of narcotic.

LEO: Yay. No wonder it feels so good.

STEVE: No, I mean, again, it's not surprising, I mean, we were meant to be in the sun. We evolved in the sun. I think more than anything else from a…

LEO: Yeah, it's a natural - it does, it feels good. It feels like this is where I should be. Same thing with the ocean. I feel good when I'm at the ocean. It's where I should be.

STEVE: Well, and, I mean, we grew up with our parents saying, oh, go outside and get some sunshine, it's good for you.

LEO: Not anymore. Not anymore.

STEVE: Not anymore.

LEO: Oh, our kids are slathered with sunscreen. They wear big bonnets. I mean, they don't get the sun anymore.

STEVE: Yeah. I mean, so there really has been a change. There is study after study that demonstrates that cancer, autism, allergies, diabetes, an amazing number of maladies have latitudinal correlations. And they've even noticed, for example, that even at a high latitude, if you're at a high altitude, then the incidences of these problems drop because you've got less atmosphere between you and the sun. And the other problem is, you cannot get sun that matters in the morning or in the afternoon. It's got to be when the sun is almost directly overhead.

LEO: Oh, that's interesting.

STEVE: The reason is that there's this beautiful gap in atmospheric absorption, right through what we not surprisingly call the “visible spectrum.” And you know, we call it the visible spectrum because that's what we see. But you'll notice we don't see in the ultraviolet. I mean, the ultraviolet and the visible are, like, they're the same range of radiation. We don't see in the ultraviolet because it's dark most of the time in the ultraviolet. It's only briefly light for a few hours around noon. And then the sun's angle becomes such that the UV radiation, the UVB, which is between 290 and about 320 nanometers, it's almost completely cut off.

So evolution would never give us vision which is only useful for a couple hours during the day. Instead we see in the visible spectrum, which is not absorbed the way UVB is. And so we're able to, for example, hunt by moonlight or see from the time the sun comes up to the time the sun sets, which is much more useful. But at the same time, that visible radiation doesn't have the energy and doesn't have the wavelength to interact with us chemically the way UVB does. So we need that UV radiation.

And again, I want to make sure that people understand, I'm not suggesting, I'm not promoting spending time in the sun. I was about to say that I've read some studies, but again we're in a study deficit here, that say that by the age of 50 our ability to produce Vitamin D cutaneously, endogenously in our skin, has fallen by half; and that by the age of 65 it's down to 25 percent of what it was. So you cannot get the D you need through sunlight.

And you did notice, maybe you weren't kidding, that I'm a little tanner. I've been - I was looking at how much sun I was getting and whether I was tanning. After three weeks of half an hour a day, I have tanned a bit. Not too much. But the problem is, tanning is a regulating mechanism. Tanning is the production of this melanin polymer, which is 99.9 percent efficient at absorbing UVB. Melanin absorbs UVB and turns it harmlessly into heat. So it protects our skin from DNA damage. Unfortunately, it also protects it from generating Vitamin D.

LEO: Oh, interesting.

STEVE: So here's the problem. I'm clearly receiving enough sun because I'm adapting to it. My skin is darkening, which is my body's attempt to down-regulate the amount of UVB radiation that I receive. In the process, it's down-regulating my ability to produce Vitamin D. So my point is that, as I get older, and what happens is we lose the cholesterol in our skin. You know how, like, so-called, you get thin-skinned? It is a loss of cholesterol in our skin which reduces our ability to produce Vitamin D, yet we're still going to be able to get tan. You don't lose your ability to tan. So what that says is that, when you're no longer young and able to produce as much Vitamin D as you did, no amount of sun can give it to you because your body is going to tan and down-regulate not only, well, down-regulate all the UVB that gets into your skin and to further cut off D. So I think the only solution is to monitor your Vitamin D levels and supplement.

Now, the good news is, because it's not patented, because it's inexpensive to make, it's very inexpensive. One of my favorite suppliers is a company called Now Foods. And my favorite place for buying stuff is Great service, great delivery, very good prices. Now Foods has a 5,000 IU Vitamin D which their label recommends you take one every three days. Taking Vitamin D infrequently like that works because it has on the order of about a three- or four-week half-life in our body. It lasts a long time because it's fat-soluble. So our liver takes it up, and our fat tissues, all of our adipose tissues dissolve the Vitamin D.

It's very easy to swallow because remember how concentrated it is. We're only talking about micrograms of D. It's made in huge vats of olive oil because it's fat soluble. So they start with a huge vat of olive oil, pour a carefully measured amount of Vitamin D in, then dissolve that Vitamin D, and then they produce these little tiny gel caps. So 120 of those costs $8.80. Well, if you take one every three days, that's a year's supply of Vitamin D in a useful dose. That would be 1,666 IU per day. The U.S. government has said even that 2,000 IU per day is an absolutely safe dose. Many nutritionists feel that that's way too low. But follow the label, and then you're getting a useful amount of Vitamin D for $8.80 for a year.

LEO: Yeah, yeah.

STEVE: I've looked at this stuff. And if I had to take one thing, if I were - I was going to say on a desert island. But even on a desert island, I don't think I can any longer make a sufficient amount of Vitamin D by being in the sun because I'm going to tan, and that's going to cut off what I would have been able to make.

LEO: Is there a risk to supplementing? Can you overdo it?

STEVE: Yes. The risk is at the high end. And in fact this is the conundrum, is that our government has - our government does put D in stuff.

LEO: Milk.

STEVE: It puts D in milk. And…

LEO: Aren't we getting, because we're all drinking Starbucks, getting a lot more milk than ever before?

STEVE: Well, here's the problem, is milk has actually gone out of fashion. And we're not drinking the kind of milk we do. Believe it or not, rickets has made a comeback in the last few years.

LEO: That's unbelievable.

STEVE: Because children are not drinking milk. Parents are not…

LEO: It's soda pop.

STEVE: Exactly. Exactly. And sugary fruit drinks. So the government mandates that 400 IU be put in a quart of milk. And the problem is you would have to drink about 10 quarts of milk a day…

LEO: Okay, I don't drink that much.

STEVE: …in order to get a physiologically useful amount of Vitamin D. But here's the problem. If the government - because this is a powerful steroid hormone. If the government did…

LEO: They can't put more in, yeah, yeah.

STEVE: Exactly. If the government did raise the levels of D that were in our food supply, there's a wide variation in the amount of different types of food that different people eat. Maybe there is someone who drinks quarts of milk a day.

LEO: So they could be doing themselves harm if they had too much of it.

STEVE: If there was too much…

LEO: If they were supplementing and they drank four quarts a day and they were getting out in the sun and on and on and on.

STEVE: Yeah, I mean, I think that the only, I mean, the really responsible thing to do is to get a test. You can buy your own, as I have been doing.

LEO: Oh, really. Oh, these aren't with your doctor.


LEO: Do you draw blood? How do you get…

STEVE: Oh, yeah. I go to a lab every Wednesday morning, to LabCorp. There's a group called Life Extension Foundation, They offer retail blood testing services. So you pay them, they mail you the forms, and then you take that to a lab nearby. They take a vial of blood. And then about five days later, normally - this was late in this third test, but normally it takes five days and you get the results. And I think it's $67 for a nonmember, $47 for a member. So if you were going to do several of these, I think membership is $75 a year, so you get a discount.

LEO: See, I know what people listening - what I will do is, I'm not going to get tested. I'm just going to go out and buy some Vitamin D tabs. Is that a bad idea?

STEVE: I don't think so. As long as you follow the label, you cannot be toxic because…

LEO: Don't overdo it.

STEVE: …for example, Walgreens will have 1,000 IU, and it'll probably say take one or two a day. And follow the label, and you're fine. This 5,000 IU from Now Foods says take one every three days. Because, I mean, well, for example, because it has the half-life it does, some doctors will megadose their patients monthly, like give them 100,000 IU - but I'm not recommending that. You absolutely would only do that under a doctor's care. But my point is that you can take a large dose and then let it be acquired by your system and then used over time as your blood level drops. It's just easier for me, for example, to do one every three days. Or I will be monitoring my blood level, so I will probably take more because I'm wanting to find out what level I need to take in order to put my blood where it should be.

So again, ask your doctor for a Vitamin D test. Get one for yourself. Or think about getting some real D. I should mention that there are two types of D that you can purchase. There's D2, which is called ergocalciferol; or D3, which is cholecalciferol. D3 is what we make. Cholecalciferol is the only kind you really want to take. It is essentially biologically identical to what we manufacture. There is some concern, for example, I think it's not kosher, believe it or not, because it's made by irradiating the lanolin from lamb's wool.

Ergocalciferol is made from irradiating fungus. So it's 100 percent plant based, but it's Vitamin D2. And some studies have said that it only raises your Vitamin D levels about 25 percent as high as D3. So D3, which is what we make when sun hits our skin, is substantially more effective than D2. So I imagine what you would find, you know, for example, that this Now Foods Vitamin D is Vitamin D3. Walgreens drugstores in their little health section, what you want to look for is the cholecalciferol. And 1,000 mg per day is without question safe. The U.S. government says that up to 2,000 is safe. Nutritionists believe safe dosages are far higher. I wouldn't go there unless you knew what your blood levels were, you want to make sure. It is possible to be hypersensitive to Vitamin D. There are some genetic conditions that could cause complications at much higher levels.

LEO: Yeah, we should emphasize, we're not physicians. You should check with your physician before you do anything. And probably ask your physician what he thinks and get a D test. Are there natural food sources? I like to get this stuff from food. Can I eat a lot of broccoli or something?

STEVE: No. That's just it, Leo. It is not in our food supply. It's interesting, the only way the Eskimos were able to keep their relatively high level of pigmentation is eating oily fish. They have a diet high in fish, and fish is the only source. Three and a half ounces of salmon has about, I think it's 380 IU of Vitamin D. And again, there are studies that have been done that estimate we use about 4,000 IU a day. I've seen numbers like 3,800, 4,000, something like that. So again, you would need to be eating an awful lot of salmon, what, 35 ounces of salmon a day, which you might get tired of after a few days.

LEO: And it might not be good for you for other reasons.

STEVE: Exactly. So also it turns out that cod liver oil is really not the best source. It does give you Vitamin D. It also contains the other fat soluble vitamin, Vitamin A. And a lot of Vitamin A can be a problem. And also Vitamin A genetically looks very much like Vitamin D, and there have been reports that say that A can block the positive effects of Vitamin D, that is, other than on calcium metabolism, where we know that it's effective. So getting A in the form of beta-carotene is really what you want because your body is able to convert as much as it needs over to A.

Anyway, that's my readout on D. I think it's important. It's not a vitamin. I think it's had a bad rap by being misnamed a vitamin by early, early medical science that didn't know what it was, but just said, oh, well, it's a nutritional thing because it's in cod liver oil. In fact, it's not anywhere else in our diet because we evolved in the sunlight. We need it, otherwise all kinds of things start not working as well as they should.

And there was in fact, it was funny, I was talking to some friends at Starbucks a week or two ago, and one of the people said they'd just seen a news blurb saying that 70 percent of U.S. children are Vitamin D deficient. I mean, it is a problem. But the conundrum is, because it is a powerful hormone, we can't put it in our food supply. We weren't meant to get it really in our food supply. There's barely enough now to prevent rickets, and it's not even doing that anymore because people aren't - they're staying away from dairy products more than they should. But if we put a lot more in, then there'd be the possibility that people could reach toxic levels of it.

So, I mean, it needs to be done. Young people in the sun is probably what you want to do, although there's a concern about skin cancer, which is to some degree warranted. So I don't really see a way other than using supplements and doing it with care and wisely. I think it's important.

LEO: Steve Gibson. You know, this is a little bit of a departure for the show, but I think a fascinating topic. And I can see why you were anxious to share it with us. Thank you.

STEVE: Well, so I didn't give the web page. I'm in the process, as I record this, of - I have a lot of it. All the pages are assembled here at home. I haven't yet put them up on the site. But it'll just be

LEO: All right.

STEVE: And that will get anybody who wants to read this research. I've captured PDFs of all of this. They're all online. People can poke around, read this for themselves. And I hope maybe I've given, if nothing else, people something to think about.

LEO: I'm going to run out and get some Vitamin D, I can tell you that right now. Steve, thank you so much for joining us. Steve's page is That's where you'll find SpinRite, the world's finest hard drive maintenance and recovery program. If he won't do it, I will, I'll plug it. Also lots of great free stuff. And by the time you hear this, probably, for all the notes from this.

You'll also find, if you go to GRC, 16KB versions of this show, so you can, you know, for people who don't have a lot of bandwidth. We've got transcripts you can share with friends. It's all there at We're here. We do this show live, and you're invited to join us every Wednesday. We do it around 2:00 p.m. Eastern time on And of course you can download the show after the fact from iTunes and all the other podcast aggregators. It's absolutely free. But join us Wednesdays at 2:00 p.m.,

STEVE: One thing I did want to add is that to send me stuff is And I would be very interested in any feedback that people have about this topic. Next week is our Q&A. I would imagine that, if there's sufficient interest in this, as will be demonstrated by feedback on the topic, that the Q&A will be wrapping up loose ends about this.

LEO: Good.

STEVE: Which would be great.

LEO: Great. Steve, have a sunny and lovely day.

STEVE: Thanks, Leo.

LEO: And we'll see you next time on Security Now!.

Copyright © 2009 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details:
