Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Saturday February 03 2018, @02:30PM   Printer-friendly
from the while-(will):live dept.

Karen Sandler of the Software Freedom Conservancy delivered a keynote presentation last week at linux.conf.au 2018 (LCA) in Sydney, Australia. Specifically she spoke about her multi-year odyssey to try to gain access to the source code for the pacemaker attached to her heart and upon which her life currently depends. Non-free software is having an increasingly (negative) impact on society as people entrust more of their lives to it. That software is found in an increasing number of places, both high and low, as all kinds of devices start to run fully networked microcomputers.

In her first LCA keynote 6 years ago, Karen first told the people of LCA about her heart condition and the defibrillator that she needed to have implanted. This year she described her continued quest to receive the source code for the software running in her defibrillator, and how far she has been able to get in obtaining the source code that she's been requesting for over a decade now.

Source : Karen Sandler Delivered Keynote at Linux.conf.au


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by JoeMerchant on Saturday February 03 2018, @02:58PM (8 children)

    by JoeMerchant (3937) on Saturday February 03 2018, @02:58PM (#632536)

    Sorry to say, Karen, but security though obscurity is a thing, and it's a big part of what's keeping pranksters from slipping up behind you with a little programmer wand and stopping your heart with a cell-phone app.

    If you are able to obtain a copy of the (incredibly simple) source code in your implantable device, then so are many other people, and if it's that easy to do, somebody with bad intent will do it, and then publish an Instructable about how to cause every implantable defibrilator passing the anti-theft panels at WalMart and your local library to shock their implantees as they walk through.

    When Dick Cheney got an implant, there was serious talk about customizing it just to prevent these kinds of possibilities - and I think it was done. Most people don't have as many targets painted on them as Dick Cheney, so the level of concern is a bit lower for the general population.

    So, Karen Sandler - when you raise enough awareness of these issues to gather $10M USD, you _might_ have enough of what the industry pays attention to to enter talks with a smaller, scrappier implant company about developing an open source variant of an existing device. I don't think you're looking at a net-profitable venture, but after the development cycle, that open source variant of the implant might attract a couple of extra points of market share, from the 2% of people in the world who even have an inkling of why what your are saying is important.

    --
    🌻🌻 [google.com]
    Starting Score:    1  point
    Moderation   +1  
       Troll=1, Interesting=1, Underrated=1, Disagree=1, Total=4
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 2, Touché) by Anonymous Coward on Saturday February 03 2018, @04:08PM

    by Anonymous Coward on Saturday February 03 2018, @04:08PM (#632561)

    Most people don't have as many targets painted on them as Dick Cheney

    Except maybe his hunting partner.

  • (Score: 0) by Anonymous Coward on Saturday February 03 2018, @04:09PM (5 children)

    by Anonymous Coward on Saturday February 03 2018, @04:09PM (#632563)

    Sorry to say, Karen, but security though obscurity is a thing

    Encryption keys and passwords in the hands of users is one thing, but security through obscurity controlled completely by a third party is just asking for disaster. If the pacemaker security is that weak, then these companies need to be held liable immediately.

    What's even more important, though, is freedom. All software should respect users' freedoms. As a society, we need to encourage education and independence; proprietary software is antithetical to those values.

    from the 2% of people in the world who even have an inkling of why what your are saying is important.

    Personally, I think we're doomed. If only 2% of the people in the world (if that) care about whether or not the computing devices that they interact with (even indirectly) every day of their lives are black boxes, then we're just asking for disaster. Bring on the planet-destroying meteor, because I can't handle that much ignorance and stupidity.

    • (Score: 2) by JoeMerchant on Saturday February 03 2018, @04:28PM (4 children)

      by JoeMerchant (3937) on Saturday February 03 2018, @04:28PM (#632572)

      Pacemaker security is that weak. Good luck holding them liable, where are the damages? It is a disaster waiting to happen, luckily most (not all) pacemakers, defibrillators and similar devices are not network connected - though most are wirelessly programmable via near-field devices.

      If only 2% of the people in the world (if that) care about whether or not the computing devices that they interact with (even indirectly) every day of their lives are black boxes, then we're just asking for disaster.

      We've been asking for disaster for decades now. Since it hasn't happened yet, we seem to keep asking harder... someday it will get here.

      --
      🌻🌻 [google.com]
      • (Score: 3, Informative) by canopic jug on Saturday February 03 2018, @04:41PM (3 children)

        by canopic jug (3949) Subscriber Badge on Saturday February 03 2018, @04:41PM (#632581) Journal

        It is a disaster waiting to happen, luckily most (not all) pacemakers, defibrillators and similar devices are not network connected - though most are wirelessly programmable via near-field devices.

        Not any more. Towards the second part of her presentation she told about being faced with having to replace the device. All the new models had wireless. Not a single US vendor was willing to provide the option to turn it off, some refused even to talk about it. She lucked out in that her doctor found a European supplier authorized for use in the US which had a single model with that option.

        --
        Money is not free speech. Elections should not be auctions.
        • (Score: 0) by Anonymous Coward on Saturday February 03 2018, @10:06PM (2 children)

          by Anonymous Coward on Saturday February 03 2018, @10:06PM (#632688)

          You WANT that.
          Devices haven't been put-it-in-and-forget-it for ages.
          At my last device check, they found 11 irregular events recorded (none of any consequence[1]).
          Wireless also allows them to check the condition of the device (e.g. ability to react to demand; battery condition) and to tweak the device to changes in your physiology.

          [1] Probably just me reacting to one of our Libertarian's idiocy.

          -- OriginalOwner_ [soylentnews.org]

          • (Score: 0) by Anonymous Coward on Sunday February 04 2018, @04:27AM (1 child)

            by Anonymous Coward on Sunday February 04 2018, @04:27AM (#632789)

            Wireless is a good idea, but what's the security like?

            Those who rely on security through obscurity often use questionable security practices, stuff like attempting to roll their own crypto algorithms. I'm not talking implementation (which is a bad enough idea), I'm talking about algorithm. I've seen enough vendors who think they're hot shit and too good for algorithms like AES and RSA that have been publicly vetted and are widely used to make me queasy.

            That's why they don't want anybody to look at the source. They don't want anybody to know how negligent (and sometimes downright incompetent) they've been with security best practices.

            • (Score: 0) by Anonymous Coward on Sunday February 04 2018, @07:24PM

              by Anonymous Coward on Sunday February 04 2018, @07:24PM (#632996)

              That's assuming they have any security at all.

              I work with some devices regulated as medical devices. The first generation of wireless has no actual security whatsoever. The only thing protecting the devices is that you have to know the propriety protocol to communicate with them. And you have to know the correct frequency to talk to them and a proper radio to do so. Basically security by obscurity. At least the need for the right kind of radio prevents a stock cell phone or laptop from talking to them, though radios are widely available if you know what you need.

              Second generation uses Bluetooth, which has some security built-in. Though on the downside Bluetooth is documented and well understood, so someone who wanted to try to attack them would know the protocol to talk to them and Bluetooth radios are everywhere. Security still isn't perfect, in the sense that the devices will pair and communicate with any device that tries to communicate with it withing a couple minutes of power-up, though (in theory) the devices should reject any communications from unpaired devices after that. On the other hand, first generation devices will talk to anything that knew how to speak to it at any time.

              By the way, the first generation devices are still considered current and are sold alongside the next generation. Though there's also non-wireless versions too.

  • (Score: 2, Disagree) by letssee on Saturday February 03 2018, @10:11PM

    by letssee (2537) on Saturday February 03 2018, @10:11PM (#632691)

    What a load of bullshit.

    Pacemaker software is not very complicated. well it might be, but it's not very complicated to secure.

    The current gen is a closed source mess. You don't need the source code to break them, just fuzz them with random wifi/bluetooth/zigbee and you *will* crash it.

    Everybody with bad intent can crash a pacemaker right now, the way they are secured now (that is, hardly) because the security was made by monkeys without supervision.

    I'd want the source as well, then you can at least *know* your own vulnerabilities.