Domain: slashdot.org
Stories and comments across the archive that link to slashdot.org.
"Double Irish" Tax Loophole Used By US Companies To Be Closed
An anonymous reader writes: The Irish Finance Minister announced on Tuesday that Ireland will no longer allow companies to register in Ireland unless the companies are also tax resident. This will effectively close off the corporate tax avoidance scheme known as the "Double Irish" used by the likes of Google, Apple, and Facebook to route their earnings through their Irish holdings in order to garner an effective tax rate of, as in Google FY2013, 0.16%. Ireland's new policy will take effect in 2015 for new companies. "For existing companies, there will be provision for a transition period until the end of 2020." -
Firefox 33 Arrives With OpenH264 Support
An anonymous reader writes: Mozilla today officially launched Firefox 33 for Windows, Mac, Linux, and Android. Additions include OpenH264 support as well as the ability to send video content from webpages to a second screen. Firefox 33 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. Full changelogs are available here: desktop and Android. -
Book Review: Scaling Apache Solr
First time accepted submitter sobczakt writes We live in a world flooded by data and information and all realize that if we can't find what we're looking for (e.g. a specific document), there's no benefit from all these data stores. When your data sets become enormous or your systems need to process thousands of messages a second, you need an environment that is efficient, tunable and ready for scaling. We all need well-designed search technology. A few days ago, a book called Scaling Apache Solr landed on my desk. The author, Hrishikesh Vijay Karambelkar, has written an extremely useful guide to one of the most popular open-source search platforms, Apache Solr. Solr is a full-text, standalone, Java search engine based on Lucene, another successful Apache project. For people working with Solr, like myself, this book should be on their Christmas shopping list. It's one of the best on this subject. Read below for the rest of sobczakt's review.
Title: Scaling Apache Solr
Author: Hrishikesh Vijay Karambelkar
Pages: 215
Publisher: Packt
Rating: 9/10
Reviewer: sobczakt
ISBN: 978-1783981748
Summary: Get an introduction to the basics of Apache Solr in a step-by-step manner with lots of examples
Karambelkar is an enterprise architect with a long history in both commercial products and open source technology. As he says, he currently spends most of his time solving problems for the software industry and developing the next generation of products.
The book is divided into 10 chapters. Basically, the first three are an introduction to Apache Solr and cover its architecture, features, configuration and setting up. Chapter One contains many practical cases of Apache Solr, to help beginners understand the topic.
Chapter Four is very interesting and describes a common pattern for enterprise search solutions. These patterns focus on data processing/integration and how to meet the requirements of users (interface, relevancy, general experience).
The rest of the book mainly refers to the central topic, that is distributing search queries and how to scale/optimize a system. The book discusses all Apache Solr concepts like replication, fault tolerance, sharding and illustrates them with helpful examples. The book precisely explains SolrCloud — a bundle of built-in distributed capabilities available from version 4.0.
Chapter 8, dedicated to optimization, drew my attention. It is full of useful tips concerning JVM parameters and manipulating data structures or caching layers as well.
Scaling Apache Solr covers both basic and advanced subjects. The information is well organized, clear and concise. Lots of examples and cases in this book can be absorbed by beginners. I was nicely surprised by the chapter describing integration possibilities. There's some great information about using Solr with Cassandra, MapReduce paradigm or R (programming language for computational statistics) although I would have preferred this subject to be covered in more detail. The book has two more advantages: first, it discusses designing an enterprise search system in general terms and second, it can be treated as an introduction to large volume data processing.
I believe I need to emphasize that many sections related to defining a schema, importing data, running SolrCloud or searching in near real time (NRT) are not just a raw documentation, they also have the author's well-judged advice and comments.
Unfortunately, I felt some of the more advanced topics were not described in enough detail. For example, index merging, documents relevance or using dynamic fields in data structure. Moreover, reading the book, I had a feeling that some parts do not fit the title, such as the section about clustering with Carrot2 or integration with PHP web portal.
I can say that I have read this book with pleasure and satisfaction, which in fact is rare regarding technology publications. For me, as a person who has been working with Solr since version 1.3, it was a great way to review and sort out some of its aspects. On the other hand, I'm pretty sure, that people starting their experience with Apache Solr will take a lot from this book. Although, it is mainly focused on advanced problems, it starts with the basics.
Despite some little imperfections I recommend this book, especially because it describes the concrete technology in an easy-to-read way and also refers to some general architectural patterns.
You can purchase Scaling Apache Solr from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know. -
Interviews: Ask Florian Mueller About Software Patents and Copyrights
Florian Mueller is a blogger, software developer and former consultant who writes about software patents and copyright issues on his FOSSPatents blog. In 2004 he founded the NoSoftwarePatents campaign, and has written about Microsoft's multi-billion-dollar Android patent licensing business and Google's appeal of Oracle's Android-Java copyright case to the Supreme Court. Florian has agreed to give us some of his time in order to answer your questions. As usual, ask as many as you'd like, but please, one per post. -
The Correct Response To Photo Hack Victim-Blamers
Bennett Haselton writes As commenters continue to blame Jennifer Lawrence and other celebrities for allowing their nude photos to be stolen, there is only one rebuttal to the victim-blaming which actually makes sense: that for the celebrities taking their nude selfies, the probable benefits of their actions outweighed the probable negatives. Most of the other rebuttals being offered are logically incoherent, and, as such, are not likely to change the minds of the victim-blamers. Read below to see what Bennett has to say. In a new Vanity Fair interview, Jennifer Lawrence calls the theft of her nude photos a "sex crime". Predictably, a good portion of the 300+ comments posted on TheVerge's article contained an element of victim-blaming -- "maybe people in her position should think twice about taking nude photos? I'm sure it could help" ; "She posted them online. Unless she is a complete rube, she should have known of the security risks" ; "Victims can be blamed for putting themselves into potentially exploitable situations. Something similar might be going to a rave without a friend." ; and more variations on things that had already been said many times ever since the original photo leak on August 31st.
These comments are mostly being met with angry backlash from other commenters, which is good. But the rebuttals themselves tend to violate the rules of logic and consistency, which is bad. And when victim-blamers can spot the flaws so easily in their opponents' logic, their own minds are unlikely to be changed.
A typical example of a weak "rebuttal" is this cartoon you may have seen shared on Facebook, in which an arrogant man lectures women, "Don't want your nude selfies to leak, ladies? Simple: don't take any! Bothered by street harassment? Don't be so eager to walk down streets." Sorry, but if the second piece of advice was meant to highlight the absurdity of the first, the analogy doesn't work -- because you kinda have to walk down streets, but nobody has to take a nude selfie.
This is a recurring theme in the "rebuttal" comments that I've seen, including those on TheVerge's article -- telling the victim-blamers that they might just as well blame themselves for the risks of walking down the street, or buying something from Home Depot ( burn! ), or having a credit card at all, or owning a valuable object that could be a target of theft. Sample comments: "by that standard... you shouldn’t have had something of value to begin with, or else you were just asking for it to be stolen" ; "Just like when you walk down the street you should be fully aware of the potential to be mugged" ; "So, we will hold you to the very same 'complete rube' test when you fall victim to identity theft or unauthorized charges to your credit cards" ; etc.
All of these "rebuttals" are committing the same logical error: they're drawing an analogy to things that you either have to do (walk down the street) or pretty-much-have to do (own a credit card, own at least one valuable object). This means the victim-blamers have such an easy response -- "Those are all things you have to do; but taking a nude selfie is different, because nobody has to do that!" So the victim-blamers are unlikely to have their minds changed by such an analogy, since their own central premise is so obvious to them: the victims chose to take the nude selfies, and the leak never would have happened if they hadn't.
So, let's respond to the victim-blamers on their own terms, by acknowledging first of all: Of course, they're right. Of course taking the selfies was an optional choice, and of course the only way to stop nude selfies from leaking, is not to take them. But this is ignoring (a) the benefits of taking nude selfies; and (b) the low risk of them getting leaked. (The fact that the pictures did get leaked, does not mean that the selfie-takers misjudged the risk of it happening; rather, it was very unlikely, but the victims got unlucky and it happened to them.)
To begin with the benefits: Jennifer Lawrence explained bluntly in her Vanity Fair interview why she took the photos: "I was in a loving, healthy, great relationship for four years. It was long distance, and either your boyfriend is going to look at porn or he's going to look at you." (Considering how easily she could have gotten away with some platitudes about how "deeply hurt" she was, and how she "thanks all her fans for her support in this difficult period" -- doesn't a quote like that make you think she's decently cool?) OK, so that's the benefit. To her boyfriend at the time, a pretty big benefit.
As for the risks, whenever someone takes a risk of a bad outcome and the bad outcome does happen, it's tempting to think that they misjudged the risks. (I'll bet that a psychological experiment could demonstrate this easily -- have test subjects read stories of people who took a risk that was known to be small, but who got unlucky and fell victim to the bad outcome anyway, and see if the test subjects incorrectly judge the risk-takers to be foolish.) But out of the millions of nude photos that are probably sent between cell phone users every month, a vanishingly small proportion of them get stolen in security breaches of cloud storage. (Usually the far greater risk is that the recipient will forward the image to other people until it gets out of control.) There's no reason to think that Jennifer Lawrence and other victims of the hacking scandal underestimated the risk of the photos being stolen from the cloud. If anything, most users are probably over-estimating the risk today, while the news of the breach is fresh in their minds.
In cases where the benefits of an action clearly don't outweigh the risks, that's when "victim-blaming" might be appropriate, even if we don't call it that. If someone leaves their car unlocked and leaves a valuable item in plain view in the front seat, we might feel less sorry for them if they return to their car to find it stolen. But it's a logical error to blame the victim just because they took a risk; the real reason to blame them is that there's no counterbalancing benefit to leaving the car door unlocked, or failing to move the valuable item into the trunk.
By contrast, when victim-blamers say that a woman is "bringing the risk upon herself" (of harassment, or even assault) by going out in a halter top, the logically correct response is not to say that victim-blamer is "clearly" wrong. Because, again, to the victim-blamer, their own premise is obviously true: wearing a sexy outfit in public does increase your risk of harassment, and probably even of being groped or worse. The fallacy is that the victim-blamer is ignoring the benefits of that choice. A woman never knows when she might meet a guy out in public that she's attracted to, and if they hit it off, it helps to have an outfit that says, "I'm a real woman, not a moron who thinks that if I engage in pre-marital kissing then Jesus will set me on fire with a blowtorch." Wearing a halter top has its benefits, which is why some women do it.
So that's it. The correct response to the victim-blamers is not to draw false analogies to "having a credit card" or "walking down the street". The correct response is that taking nude selfies is a perfectly rational choice when the probable benefits outweigh the probable risks. That is, in fact, the only rational defense of any action, ever. But it's not getting any play, because it doesn't fit in a tweet.
-
Raspberry Pi Sales Approach 4 Million
Eben Upton's reboot of the spirit of the BBC Micro in the form of the Raspberry Pi would have been an interesting project even if it had only been useful in the world of education. Upton wanted, after all, to give the kind of hands-on, low-level interaction with computing devices that he saw had gone missing in schools. Plenty of rPis are now in that educational, inspirational role, but it turns out that the world was waiting (or at least ready) for a readily usable, cheap, all-in-one computer, and the Raspberry Pi arrived near the front of a wave that now includes many other options. Sales boomed, and we've mentioned a few of the interesting milestones, like the millionth unit made in the UK and the two-millionth unit overall. Now, according to TechCrunch the Raspberry Pi is getting close to 4 million units sold, having just passed 3.8 million, as reported in a tweet. If you have a Raspberry Pi, what are you using it for now, and what would you like to see tweaked in future versions? -
Birth Control Pills Threaten Fish Stocks
BarbaraHudson writes Experimental research has shown that small amounts of estrogen in waste water can lead to rapid large-scale changes in fish populations. From the article: "The lead researcher of a new study is calling for improvements to some of Canada's waste water treatment facilities after finding that introducing the birth control pill in waterways created a chain reaction in a lake ecosystem that nearly wiped out a freshwater fish. 'Right away, the male fish started to respond to the estrogen exposure by producing egg yolk proteins and shortly after that they started to develop eggs,' she said in an interview from Saint John, N.B. 'They were being feminized.' Kidd said shortly after introducing the estrogen, the number of fathead minnow crashed, reducing numbers to just one per cent of the population. 'It was really unexpected that they would react so quickly and so dramatically,' she said. 'The crash in the population was very evident and very dramatic and very rapid and related directly to the estrogen addition.'" Estrogen pollution in waterways has been an issue for over a decade now. -
Independent Researchers Test Rossi's Alleged Cold Fusion Device For 32 Days
WheezyJoe (1168567) writes The E-Cat (or "Energy Catalyzer") is an alleged cold fusion device that produces heat from a low-energy nuclear reaction where nickel and hydrogen fuse into copper. Previous reports have tended to suggest the technology is a hoax, and the inventor Andrea Rossi's reluctance to share details of the device haven't helped the situation. ExtremeTech now reports that "six (reputable) researchers from Italy and Sweden" have "observed a small E-Cat over 32 days, where it produced net energy of 1.5 megawatt-hours, 'far more than can be obtained from any known chemical sources in the small reactor volume.'" ... "The researchers, analyzing the fuel before and after the 32-day burn, note that there is an isotope shift from a 'natural' mix of Nickel-58/Nickel-60 to almost entirely Nickel-62 — a reaction that, the researchers say, cannot occur without nuclear reactions (i.e. fusion)." The paper (PDF) linked in the article concludes that the E-cat is "a device giving heat energy compatible with nuclear transformations, but it operates at low energy and gives neither nuclear radioactive waste nor emits radiation. From basic general knowledge in nuclear physics this should not be possible. Nevertheless we have to relate to the fact that the experimental results from our test show heat production beyond chemical burning, and that the E-Cat fuel undergoes nuclear transformations. It is certainly most unsatisfying that these results so far have no convincing theoretical explanation, but the experimental results cannot be dismissed or ignored just because of lack of theoretical understanding. Moreover, the E-Cat results are too conspicuous not to be followed up in detail. In addition, if proven sustainable in further tests the E-Cat invention has a large potential to become an important energy source."
The observers understandably hedge a bit, though: The researchers are very careful about not actually saying that cold fusion/LENR is the source of the E-Cat’s energy, instead merely saying that an “unknown reaction” is at work. In serious scientific circles, LENR is still a bit of a joke/taboo topic. The paper is actually somewhat comical in this regard: The researchers really try to work out how the E-Cat produces so much darn energy — and they conclude that fusion is the only answer — but then they reel it all back in by adding: “The reaction speculation above should only be considered as an example of reasoning and not a serious conjecture.” -
Crowdsourced Remake "The Empire Strikes Back Uncut" Now Complete
Two and a half years ago, we posted news of the completion of the Star Wars Uncut project. Now, reader kdataman writes that another fan-made Star Wars movie remake is ready to watch; this time it's Empire: 480 fan-created 15-second clips have been assembled to remake the entire movie, scene for scene (but not always word for word). The variations swing from professional production values to cardboard cutouts, but they are all creative and many are hilarious. Hard to pick a favorite scene but the guys at MTV selected a few highlights. -
Despite Push From Tech Giants, AP CS Exam Counts Don't Budge Much In Most States
theodp (442580) writes "Well, the College Board has posted the 2014 AP Computer Science Test scores. So, before the press rushes out another set of Not-One-Girl-In-Wyoming-Took-an-AP-CS-Exam stories, let's point out that no Wyoming students of either gender took an AP CS exam again in 2014 (.xlsx). At the overall level, the final numbers have changed somewhat (back-of-the-Excel-envelope calculations, no warranty expressed or implied!), but tell pretty much the same story as the preliminary figures — the number of overall AP CS test takers increased, while pass rates decreased despite efforts to cherry pick students with a high likelihood of success. What is kind of surprising is how little the test numbers budged for most states — only 8 states managed to add more than 100 girls to the AP CS test taker rolls — despite the PR push by the tech giants, including Microsoft, Google, and, Facebook. Also worth noting are some big percentage decreases at the top end of the score segments (5 and 4), and still-way-too-wide gaps that exist between the score distributions of the College Board's various ethnic segments (more back of the envelope calcs). If there's a Data Scientist in the house, AP CS exam figures grabbed from the College Board's Excel 2013 and 2014 worksheets can be found here (Google Sheets) together with the (unwalkedthrough) VBA code that was used to collect it. Post your insight (and code/data fixes) in the comments!" -
ChromeOS Will No Longer Support Ext2/3/4 On External Drives/SD Cards
An anonymous reader writes Chrome OS is based on the Linux kernel and designed by Google to work with web applications and installed applications. Chromebook is one of the best selling laptops on Amazon. However, devs decided to drop support for ext2/3/4 on external drives and SD cards. It seems that ChromiumOS developers can't implement a script or feature to relabel EXT volumes in the left nav that is insertable and has RW privileges using Files.app. Given that this is the main filesystem in Linux, and is thereby automatically well supported by anything that leverages Linux, this choice makes absolutely no sense. Google may want to drop support for external storage and push the cloud storage on everyone. Overall Linux users and community members are not happy at all. -
More Details On The 3rd-Party Apps That Led to Snapchat Leaks
Yesterday we posted a link to Computerworld's reports that (unnamed) third-party apps were responsible for a massive leak of Snapchat images from the meant-to-be-secure service. An anonymous reader writes with some more details: Ars Technica identifies the culprit as SnapSaved, which was created to allow Snapchat users to access their sent and received images from a browser but which also secretly saved those images on a SnapSaved server hosted by HostGator. Security researcher Adam Caudill warned Snapchat about the vulnerability of their API back in 2012, and although the company has reworked their code multiple times as advised by other security researchers, Caudill concludes that the real culprit is the concept behind Snapchat itself. "Without controlling the endpoint devices themselves, Snapchat can't ensure that its users' photos will truly be deleted. And by offering that deletion as its central selling point, it's lured users into a false sense of privacy." -
Ask Slashdot: VPN Setup To Improve Latency Over Multiple Connections?
blogologue writes I've been playing Battlefield for some time now, and having a good ping there is important for a good gaming experience. Now I'm in the situation where I have mobile internet access from two telecom companies, and neither of those connections is stable enough to play games on; the odd ping in the hundreds of milliseconds throws everything off. How can I set up a Windows client (my PC) and a Linux server (in a datacenter, connected to the internet) so that the same TCP and UDP traffic goes over both links, and the fastest packet on either link 'wins' and the other is discarded? (Have your own question for the teeming masses? Ask away — be sure to include appropriate detail and context — via the Slashdot submission form.) -
Flash IDE Can Now Reach Non-Flash Targets (Including Open Source)
lars_doucet (2853771) writes Flash CC now has an SDK for creating custom project file formats; this lets you use the Flash IDE to prepare and publish content for (not-the-flash-player) compile targets. Among these new platforms is OpenFL, a fully open-source re-implementation of the Flash API that exports to Javascript and C++ (no Flash Player!), among other targets: When Adobe demoed the custom project feature at Adobe MAX the other night, they brought out Joshua Granick (lead maintainer of OpenFL) to show off a custom OpenFL project format that lets you make Flash Art in Flash CC, then compile it out to Flash, HTML5, and native C++ (desktop+mobile) targets. Maybe Adobe heard us after all? -
FBI Says It Will Hire No One Who Lies About Illegal Downloading
wabrandsma writes with this excerpt from The State Hornet, the student newspaper at Sacramento State: On Monday, Sacramento State's Career Center welcomed the FBI for an informational on its paid internship program, for which applications are now being accepted. One of the highly discussed topics in the presentation was the list of potential traits that disqualify applicants. This list included failure to register with selective service, illegal drug use including steroids, criminal activity, default on student loans, falsifying information on an application, and illegally downloading music, movies and books. FBI employee Steve Dupre explained how the FBI will ask people during interviews how many songs, movies and books they have downloaded because the FBI considers it to be stealing. During the first two phases of interviews, everything is recorded and then turned into a report. This report is then passed along to a polygraph technician to be used during the applicant's exam, which consists of a 55-page questionnaire. If an applicant is caught lying, they can no longer apply for an FBI agent position. (Left unexplored is whether polygraph testing is an effective way to catch lies.) -
Liking Analog Meters Doesn't Make You a Luddite (Video)
Chris Gordon works for a high-technology company, but he likes analog meters better than digital readouts. In this video, he shows off a bank of old-fashioned meters that display data acquired from digital sources. He says he's no Luddite; that he just prefers getting his data in analog form -- which gets a little harder every year because hardly any new analog meters are being manufactured. (Alternate Video Link) -
NVIDIA Presents Plans To Support Mir and Wayland On Linux
An anonymous reader writes: AMD recently presented plans to unify their open-source and Catalyst Linux drivers at the open source XDC2014 conference in France. NVIDIA's rebuttal presentation focused on supporting Mir and Wayland on Linux. The next-generation display stacks are competing to succeed the X.Org Server. NVIDIA is partially refactoring their Linux graphics driver to support EGL outside of X11, proposing new EGL extensions for better driver interoperability with Wayland/Mir, and adding support for the KMS APIs in their driver. NVIDIA's binary driver will support the KMS APIs/ioctls but will be using their own implementation of kernel mode-setting. The EGL improvements are said to land in their closed-source driver this autumn, while the other changes probably won't be seen until next year. -
Interviews: Ask Reuben Paul What Hackers Can Learn From an 8-Year-Old
Reuben A. Paul, aka RAPstar, has something of a head start when it comes to learning about computer security: his father, Mano Paul, has been a security researcher (and instructor) for many years. So Reuben grew up around computers, seeing firsthand that they're neither mysterious nor impregnable. Reuben, though, has a curious mind and his own computer security interests, and a knack for telling others about them; last month, he became the youngest-ever speaker at DerbyCon, and explained some of what he's picked up so far on what kids can learn about security, as well as what the security field can learn from kids. (One hard-to-dispute nugget: "Kids are the best social engineers, followed by puppies.") Ask Reuben whatever you'd like, below (please, one question per post), and we'll get answers to selected questions when we catch up with him at next week's Houston Security Conference. (This year's conference is sold out, but there's always 2015.) -
Axiom Open Source Camera Handily Tops 100,000 Euro Fundraising Goal
The Indiegogo crowdfunding campaign for an open-hardware cinema camera has closed far in the black, though the project continues to accept contributions. The Axiom's designers raised enough (€174,520, topping their €100,000 goal) to fund development of their stretch goals (remote control, active lens mount, active battery mount), and then some. If it actually gets built and catches on, it will be interesting to see what custom modules users come up with. -
A Critical Look At Walter "Scorpion" O'Brien
1729 (581437) writes Back in August, there was speculation that the "real life" Walter O'Brien (alleged inspiration for CBS's new drama Scorpion) might be a fraud. Mike Masnick from Techdirt follows up on the story: "The more you dig, the more of the same you find. Former co-workers of O'Brien's have shown up in comments or reached out to me and others directly — and they all say the same thing. Walter is a nice enough guy, works hard, does a decent job (though it didn't stop him from getting laid off from The Capital Group), but has a penchant for telling absolutely unbelievable stories about his life. It appears that in just repeating those stories enough, some gullible Hollywood folks took him at his word (and the press did too), and now there's a mediocre TV show about those made up stories." Masnick's article is a fascinating look at a man who appears to have conned both TV executives and journalists into believing his far-fetched Walter Mitty fantasies. -
Ask Slashdot: An Accurate Broadband Speed Test?
First time accepted submitter kyrcant writes Is there a way to really, accurately test my "broadband" connection? I don't trust the usual sites, the first ones I found via Google. I suspect (and found) that at least some of them are directly affiliated with ISPs, and I further suspect that traffic to those addresses is probably prioritized, so people will think they're getting a good deal. The speeds I experience are much, much slower than the speed tests show I'm capable of. For a while I thought it might be the sites themselves, but they load faster on my T-Mobile HTC One via 4G than on my laptop via WiFi through a cable modem connection. Is there a speed test site that has a variable or untraceable IP address, so that the traffic can't be prioritized by my ISP (call them "ConCazt")? If not, which sites are not in any way affiliated with ISPs? Is there a way to test it using YouTube or by downloading a set file whose results can be compared to other users' results? (Have your own question for the teeming masses? Ask away — be sure to include appropriate detail and context — via the Slashdot submission form.) -
No Nobel For Nick Holonyak Jr, Father of the LED
szotz writes Nick Holonyak Jr. doesn't want to go gently into that good night. Widely regarded as the father of the LED (for his work on early visible-light devices), he's been making strongly worded comments about being passed over for the Nobel Prize. His wife said he'd given up on getting it. But, he says, this year's physics award, to the inventors of the blue LED, was just plain 'insulting'. The history of the LED goes back further than Holonyak (all the way to the beginning of the 20th century), but a number of his colleagues are disappointed and/or surprised by the snub. -
Goodbye, World? 5 Languages That Might Not Be Long For This World
Nerval's Lobster writes As developers embrace new programming languages, older languages can go one of two ways: stay in use, despite fading popularity, or die out completely. So which programming languages are slated for history's dustbin of dead tech? Perl is an excellent candidate, especially considering how work on Perl6, framed as a complete revamp of the language, began in 2000 and is still inching along in development. Ruby, Visual Basic.NET, and Object Pascal also top this list, despite their onetime popularity. Whether the result of development snafus or the industry simply veering in a direction that makes a particular language increasingly obsolete, time comes for all platforms at one point or another. Which programming languages do you think will go the way of the dinosaurs in coming years? With COBOL still around, it's hard to take too seriously the claim that Perl or Ruby is about to die. A prediction market for this kind of thing might yield a far different list. -
Google Takes the Fight With Oracle To the Supreme Court
whoever57 writes Google has asked the Supreme Court to review the issue of whether APIs can be copyrighted. Google beat Oracle in the trial court, where a judge with a software background ruled that APIs could not be copyrighted, but the Appeals court sided with Oracle, ruling that APIs can be copyrighted. Now Google is asking the Supreme Court to overturn that decision. (Also of interest.) -
Open Invention Network Grows Despite Patent Troll Death Knell
snydeq writes Membership in the Open Invention Network, a software community set up to protect Linux against patent aggressors, has grown dramatically in the past year just as the tide seems to be turning on patent trolls. "Why all this interest in OIN? It offers little protection against nonpracticing entities — patent trolls who are organizationally small companies, even if the threat they pose is expensive and large. But it does offer protection against an equally insidious threat: big trolls," writes Simon Phipps. "The big corporations show up with their giant patent portfolios, threatening legal doom if royalties aren't paid. Attaching royalties to product or service delivery is a serious issue for companies, reducing margins long-term — especially in business models where the monetization is separated from the product. But OIN neutralizes that strategy for those building with open source, as the big corporations in the network both license their patent portfolios in and commit not to litigate against the open source software in the Linux System Definition. The bigger it gets, the better it protects." -
It's an Internet-Connected Wheelchair (Video)
If you're in a wheelchair, wouldn't it be nice to have your chair automatically alert a caregiver if changes in your heart rate or another vital sign showed that you might be having a problem? And how about helping you rate sidewalks and handicapped parking spaces to help fellow wheelchair users get around more comfortably? Stephen Hawking endorses the idea, and the Connected Wheelchair Project, in this short video. (You can see our interviewee, David Hughes, at 0:58 and again at 1:38.) This is an Intel project, in conjunction with Wake Forest University, run by student interns.
Besides helping wheelchair-dependent people live a better life, the Connected Wheelchair Project may help prevent Medicare fraud, says Hughes in our video interview with him. Falsified requests for durable medical goods are a huge drain on Medicare's budget. What if a connected wheelchair spent all of its time far from the home of the person to whom it was assigned? That would be a red flag, and investigators could follow up to see if that wheelchair was in legitimate hands or was part of a scam.
The Connected Wheelchair is still a proof-of-concept, not a commercial product. Will it see production? Hard to say. This may never be a profitable product, but Intel CEO Brian Krzanich has said that this project is an example of how "the Internet of Things can help change lives." (Alternate Video Link) -
AMD Building New GPU Linux Kernel Driver To Unify With Catalyst Driver
An anonymous reader writes: AMD is moving forward with their plans to develop a new open-source Linux driver model for their Radeon and FirePro graphics processors. Their unified Linux driver model is moving forward, albeit slightly different compared to what was planned early this year. They're now developing a new "AMDGPU" kernel driver to power both the open and closed-source graphics components. This new driver model will also only apply to future generations of AMD GPUs. Catalyst is not being open-sourced, but will be a self-contained user-space blob, and the DRM/libdrm/DDX components will be open-source and shared. This new model is more open-source friendly, places greater emphasis on their mainline kernel driver, and should help Catalyst support Mir and Wayland. -
US Says It Can Hack Foreign Servers Without Warrants
Advocatus Diaboli tips news that the U.S. government is now arguing it doesn't need warrants to hack servers hosted on foreign soil. At issue is the current court case against Silk Road operator Ross Ulbricht. We recently discussed how the FBI's account of how they obtained evidence from Silk Road servers didn't seem to mesh with reality. Now, government lawyers have responded in a new court filing (PDF). They say that even if the FBI had to hack those servers without a warrant, it doesn't matter, because the Fourth Amendment does not confer protection to servers hosted outside the U.S. They said, "Given that the SR Server was hosting a blatantly criminal website, it would have been reasonable for the FBI to 'hack' into it in order to search it, as any such 'hack' would simply have constituted a search of foreign property known to contain criminal evidence, for which a warrant was not necessary." -
GNOME 3 Winning Back Users
Mcusanelli writes: GNOME 3, the open source desktop environment for Linux systems that once earned a lot of ire, is receiving newfound praise for the maturity of GNOME Shell and other improvements. The recent release of version 3.14 capped off a series of updates that have gone a long way toward resolving users' problems and addressing complaints. One of the big pieces was the addition of "Classic mode" in 3.8, which got it into RHEL 7, and Debian is switching back as well. -
NVIDIA Launches Mobile Maxwell GeForce GTX 980M and GTX 970M Notebook Graphics
MojoKid writes: When Nvidia launched their new GeForce GTX 980 and 970 last month, it was obvious that these cards would be coming to mobile sooner rather than later. The significant increase that Maxwell offers in performance-per-watt means that these GPUs should shine in mobile contexts, maybe even more so than on the desktop. Today, Nvidia is unveiling two new mobile GPUs — the GeForce GTX 980M and 970M. Both notebook graphics engines are based on Maxwell's 28nm architecture, and both are trimmed slightly from the full desktop implementation. The GTX 980M is a 1536-core chip (just like the GTX 680 / 680M) while the GTX 970 will pack 1280 cores. Clock speeds are 1038MHz base for the GTX 980M and 924MHz for the GTX 970M, which is significantly faster than the previous-gen GTX 680M's launch speeds. The 980M will carry up to 4GB of RAM, while the 970M will offer 3GB and a smaller memory bus.
From eyeballing relative performance expectations, the GTX 970M should be well suited to 1080p or below at high detail levels, while the GTX 980M should be capable of ultra detail at 1080p or higher resolutions. Maxwell's better efficiency means that it should offer a significant performance improvement over mobile Kepler, even with the same number of cores. Also with this launch, Nvidia is introducing "Battery Boost" as a solution for games with less demanding graphics, where battery life can be extended by governing clock speeds to maintain playable frame rates, without overpowering the GPU at higher-than-needed frame rates. -
Twitter Sues US Government Over National Security Data Requests
mpicpp sends news that Twitter is suing the U.S. government to fight their rules on what information can be shared about national security-related requests for user data. Service providers like Twitter are prohibited from telling us the exact number of National Security Letters and FISA court orders they've received. Google has filed a challenge based on First Amendment rights, and Twitter's lawsuit (PDF) is taking a similar approach. Twitter VP Ben Lee says, "We've tried to achieve the level of transparency our users deserve without litigation, but to no avail. In April, we provided a draft Transparency Report addendum to the U.S. Department of Justice and the Federal Bureau of Investigation, a report which we hoped would provide meaningful transparency for our users. After many months of discussions, we were unable to convince them to allow us to publish even a redacted version of the report." -
Send Your Own Radiosonde 90,000 Feet Into the Sky (Video)
Radiosonde, weather balloon, near-space exploration package... call it what you will, but today's interviewee, Jamel Tayeb, is hanging instrument packages and cameras below balloons and sending them up to 97,000 feet (his highest so far), then recovering them 50 or 60 miles away from their liftoff points with help from a locator beacon -- and not just any locator beacon, mind you, but a special one from a company called High Altitude Science with "unlocked" firmware that allows it to work with GPS satellites from altitudes greater than 60,000 feet, which typical, off-the-shelf GPS units can't do.
Here's a balloon launch video from Instructure, a company that helps create open source education systems. The point of their balloon work (and Jamel's) is not that they get to boast about what they're doing, but so you and people like you say, "I can make a functioning high altitude weather balloon system with instrumentation and a decent camera for only $1000?" This is a lot of money for an individual, but for a high school science program it's not an impossible amount. And who knows? You might break the current high-altitude balloon record of 173,900 feet. Another, perhaps more attainable record is PARIS (Paper Aircraft Released Into Space) which is currently 96,563 feet. Beyond that? Perhaps you'll want to take a crack at beating Felix Baumgartner's high altitude skydiving and free fall records. And once you are comfortable working with near space launches, perhaps you'll move on to outer space work, where you'll join Elon Musk and other space transportation entrepreneurs. (Alternate Video Link) -
Studies Conclude Hands-Free-calling and Apple Siri Distract Drivers
New submitter operator_error writes with a story at the L.A. Times that echoes some previous research on the relative risks of hand-held vs. hands-free phones by drivers, and comes to an even grimmer conclusion: In many cars, making a hands-free phone call can be more distracting than picking up your phone, according to a new study from AAA and the University of Utah. In-dash phone systems are overly complicated and prone to errors, the study found, and the same is true for voice-activated functions for music and navigation. A companion study also found that trying to use Siri — the voice control system on Apple phones — while driving was dangerously distracting. Two participants in the study had virtual crashes in an automotive simulator while attempting to use Siri, the study's authors reported. In response, Toyota said the study did not show a link between cognitive distraction and car crashes. "The results actually tell us very little about the relative benefits of in-vehicle versus hand-held systems; or about the relationship between cognitive load and crash risks," said Mike Michels, a Toyota spokesman. Meanwhile, many states treat hand-held devices very differently from hands-free ones; in New York, for instance, both texting and talking on a hand-held mobile phone are put in the same category, while talking on a hands-free device is covered only by more general distracted driving laws. If the Utah study is correct, maybe that's backwards. (And some evidence suggests that phone use in cars is not quite the straightforward danger that it's sometimes presented as, despite the correlation of phone use with accidents.) -
Professor Kevin Fu Answers Your Questions About Medical Device Security
Almost a year ago you had a chance to ask professor Kevin Fu about medical device security. A number of events (including the collapse of his house) conspired to delay the answering of those questions. Professor Fu has finally found respite from calamity, coincidentally at a time when the FDA has issued guidance on the security of medical devices. Below you'll find his answers to your old but not forgotten questions. Fu: I apologize for the year-long delay, but my queue has rather overflowed after part of my house collapsed. See slide #11 for more information on the delay.
Medical device security is a challenging area because it covers a rather large set of disciplines including software engineering, clinical care, patient safety, electrical engineering, human factors, physiology, regulatory affairs, cryptography, etc. There are a lot of well meaning security engineers who have not yet mastered the culture and principles of health care and medicine, and similarly there are a lot of well meaning medical device manufacturers who have not yet mastered the culture and principles of information security and privacy. I started out as a gopher handing out authentication tokens for a paperless medical record system at a hospital in the early 1990s, but in the last decade have focused my attention on security of embedded devices with application to health and wellness.
I huddled with graduate students from my SPQR Lab at Michigan, and we wrote up the following responses to the great questions. We were not able to answer every question, but readers can find years worth of in-depth technical papers on blog.secure-medicine.org and spqr.eecs.umich.edu/publications.php and thaw.org.
Cochlear Implants
by mcspoo
How secure are Cochlear implants and their processors? Any chance I'm going to hear the voice of God (without the tooth implant, ala Real Genius?)
Fu: Classic cochlear implants are mostly analog circuits with some external supporting software. However, newer implants on the drawing board are looking at how to enable audiologists to adjust implant settings remotely from the cloud. There are, of course, some significant security and privacy issues that need to be resolved. But there are also good reasons for remote access. Namely, patients' bodies change over time, and today an audiologist must tune the implant settings manually. Remote control may simplify life for patients from a demographic that may have difficulty making office visits.
Cochlear implants are amazing little devices to enable profoundly deaf patients to partially restore hearing. See the cover of Biodesign: The Process of Innovating Medical Technologies by Zenios, Makower, Yock. Also see Ultra Low Power Bioelectronics by Rahul Sarpeshkar. Cochlear implants consist of two major pieces: (1) an implant in the skull that directly stimulates the auditory nerve, and (2) a less resource-constrained external device worn on the scalp. The external device clips onto the scalp with a magnet to keep the implant paired. Think of the implant as special circuitry to wirelessly deliver sound as electrical impulses. Think of the external device as the source of power, sound inputs, and control.
I met a relatively young flight attendant a few years ago who had a cochlear implant. He explained that one day he suffered a routine cold that got worse and caused a rare infection that destroyed his auditory nerve. He lost his hearing. The cochlear implant sufficiently restored his hearing such that he and I could have a normal conversation.
You can imagine the complex security and privacy questions that will need to be considered when future devices go all "Internet of Things" or "TerraSwarm."
PCA Pumps?
by Digital Ebola
Have you explored changing the dosages on drug pumps? Either through exploiting the device directly or by exploiting the database backend? I reference the Hospira pumps that run Linux, allowing one to telnet to them as root with no password authentication. Hospira did issue an update to that but since pumps are so numerous, I'm sure that many hospitals have been slow to update. Thanks!
Fu: Pumps for medicine are amazing. Most people who have visited a hospital or seen a TV show should be aware of the plain old IV drip of saline solution to hydrate patients by gravity. It gets more interesting when a computer-controlled pump takes over from gravity. There are all sorts of pumps ranging from bed-side pumps to implantable pumps.
A PCA pump is short for a patient-controlled analgesia. I believe this question is referring to a bed-side pump rather than an implant. For instance, a patient may receive a PCA pump to deliver controlled pain medication such as morphine. Typical user interfaces consist of a "more please" button that delivers a bolus of drug via an IV.
A number of researchers have analyzed the attack surfaces for insulin infusion pumps, a special kind of externally worn pump for diabetics. Several faculty did outstanding work in this space several years ago, and more recently a number of smart blackhat researchers have demonstrated the problems in ways more easily understandable by the general public. I think it's fair to say that manufacturers initially underestimated the importance of security requirements engineering during the early concept phases of product engineering. That said, the manufacturers are doing some amazing engineering. There is a game of catch-up, but I am optimistic that the manufacturers will improve by following the new U.S. FDA guidance on cybersecurity in good faith. Some manufacturers apparently have been thinking about security for a while. For instance, members of the insulin pump team at Medtronic recently were issued a medical device security patent filed way back in 2007!
Now on to the real question: what about the backdoor of the pump? No one likes to advertise the unsavory backdoors built into products---some by design and some by accident. It's out of sight, out of mind. On old CAT scans, you'll sometimes even find an "lp" Unix account enabled without a password. I don't know about this particular pump in question, but I would not be surprised if there are some ports left open for debugging or communication with online drug libraries. You will likely find some interesting traffic, perhaps not cryptographically protected, if you listen to the network. If you do find a problem, please be responsible and patient. Finding a vulnerability in a web browser is significantly different from finding a vulnerability in a medical device. The direct consequences on patients must be taken into account, and security researchers not collaborating with a physician are likely skating on thin ice. I recommend that researchers notify the FDA so that they may communicate the problem to the manufacturer. Call up the FDA people listed on the FDA cybersecurity guidance. Or file a MedWatch 3500 report. It once took a year for FDA to process one of my security reports; they are somewhat understaffed. FDA has tens of thousands of employees, but only about two of them focus on security. So be patient. They are good people doing the best they can with their scarce resources. Remember, your U.S. readers elected the people who set the budget.
Clinical Data Systems
by DeathGrippe
Most clinics, hospitals, insurance companies and dental offices are extensively computerized and networked. Based on your experience, how often are these systems compromised?
Fu: I find a good rule of thumb to measure security of a clinical environment: count the number of Windows XP boxes. Why? Because these devices are more vulnerable to run-of-the-mill, conventional malware. At one large hospital, medical devices based on Windows XP were re-infected about every 12 days if the box is not protected. With "bandaid" approaches like firewalls and anti-virus, the devices can last longer before re-infection. Alas, you can't make good wine out of bad grapes. Windows XP lacks meaningful security requirements. Microsoft learned its lessons, and has improved the security requirements and approaches over the years. Microsoft ended all support for XP on April 8th of this year.
That said, Linux ain't no picnic either. All operating systems have risks and benefits. I believe the root of the problem is that software security lifecycles for consumer grade operating systems do not align well with the product lifecycles of medical devices. Medical devices need to remain safe and effective for a very long time.
What can I do if I have one?
by AmiMoJo
Say I have an implant that could be hacked, what can I do to protect myself? Are any vendors more reputable than others when it comes to security? Is tinfoil effective? Should I demand my doctor replaces known vulnerable equipment?
Fu: I think patients can take comfort in knowing that FDA has written meaningful guidance on cybersecurity that is likely a game changer for manufacturing. Also, I find that engineers at most medical device manufacturers sincerely want to improve the security of their products. This positive attitude is unlike what one will find in adversarial industries like electronic voting where it's more common to see manufacturer denial of risks rather than mitigation of risks. I've seen some large medical device manufacturers organize security teams composed of dozens of employees across engineering, sales, marketing, you name it, the whole company. They are beginning to understand that information security and privacy have to become part of the corporate culture if the products make use of modern communication and computer technology.
On the other hand, I don't think you'll ever find a hack-proof computer---whether it be a laptop, smart fridge, or medical device. I used to believe that a computer buried in concrete was secure, until I buried one in the concrete foundation of my house and powered it up wirelessly. You could also go to your car dealer and replace your car with a crash-proof car after you run into a tree. You might get funny looks. A manufacturer cannot eliminate risk, but it can be smart about minimizing risk. For instance, one of the best ways to minimize security risk is to have meaningful security requirements during the concept phase of device engineering. The requirements won't prevent security problems, but lack of security requirements will prevent the product from having meaningful security down the line. One can argue that it's a lot cheaper to engineer security from the start rather than to retrofit, but that argument is no longer necessary since draft FDA guidance on cybersecurity is abundantly clear on expectations for security risk management during the manufacture of new devices.
If I were prescribed a medical device, I would accept it. Why? Anything with a computer is hackable by some adversary. So worrying about whether an implant can be hacked does not help answer the basic question: how to balance risk. If you are prescribed a medical device, then likely your doctor determined that you have a significant, predisposed risk. For instance, you might have a significant risk of sudden cardiac arrest. In general, you are much safer with a device than without.
Re:Start-ups
by Anonymous Coward
How good is malware software and the WattsUpDoc system at finding something potentially harmful on a device?
Fu: WattsUpDoc is a system that detects malware by analyzing patterns in the power outlet. It's basically a phase shift on the AC power line caused by reactive power and varying loads of the connected computer. The details get hairy and are written for the experts, so I'd refer you to the scientific paper. The beauty is that no software changes are required for the device being monitored (e.g., medical devices).
We published our report on WattsUpDoc at the USENIX HealthTech workshop. There is also a related paper on detecting web browser activity from the power lines. The performance surprised me: 95% accuracy for known malware, and 85% accuracy for previously unknown malware (unlabeled samples of a malware infection that were not in the training set). It works well because medical devices tend to do a small number of different things when working normally. We can detect the deviation.
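The answer above describes the principle behind power-side-channel detection: a medical device does a small number of things when healthy, so its power signature is tight and an unexpected busy process shows up as a deviation. The following is an added example written for this page, not code from the WattsUpDoc paper or the SPQR Lab. It is a deliberately simple, unsupervised version of the idea (learn a baseline from known-good windows, flag large deviations), whereas the paper's classifier is trained on labelled malware samples. The power traces are constructed inline with a seeded generator and stand in for real AC-line measurements; the feature set, the 30 W idle figure and the z-score threshold are assumptions for illustration.

```python
import math
import random
import statistics


def window_features(samples):
    """Summarise one window of power samples (watts) as (mean, spread, jitter).

    Jitter is the average jump between consecutive samples: a cheap stand-in for
    the high-frequency load changes that an unexpected busy process produces.
    """
    mean = statistics.fmean(samples)
    spread = statistics.pstdev(samples)
    jitter = sum(abs(b - a) for a, b in zip(samples, samples[1:])) / (len(samples) - 1)
    return (mean, spread, jitter)


class PowerBaseline:
    """Unsupervised baseline: learn what 'normal' looks like, flag large deviations."""

    def __init__(self, threshold=6.0):
        self.threshold = threshold  # max z-score tolerated before a window is flagged
        self.centre = None
        self.scale = None

    def fit(self, known_good_windows):
        feats = [window_features(w) for w in known_good_windows]
        columns = list(zip(*feats))
        self.centre = [statistics.fmean(c) for c in columns]
        # Floor the scale so a feature that never varies cannot cause a division by zero.
        self.scale = [max(statistics.pstdev(c), 1e-6) for c in columns]
        return self

    def score(self, samples):
        feats = window_features(samples)
        return max(abs(x - c) / s for x, c, s in zip(feats, self.centre, self.scale))

    def is_anomalous(self, samples):
        return self.score(samples) > self.threshold


# --- constructed traces (assumed shapes, not real measurements) ----------------
def normal_window(rng, n=200):
    """Idle pump: ~30 W with a slow motor duty cycle plus a little measurement noise."""
    return [30.0 + 3.0 * math.sin(2 * math.pi * i / 50) + rng.gauss(0.0, 0.3)
            for i in range(n)]


def infected_window(rng, n=200):
    """Same device plus an unexpected busy process: higher draw and bursty jumps."""
    return [35.0 + 3.0 * math.sin(2 * math.pi * i / 50) + rng.gauss(0.0, 0.3)
            + (4.0 if rng.random() < 0.3 else 0.0)
            for i in range(n)]


def demo(seed=1, train=40, test=10):
    """Train on known-good windows, then score unseen clean and infected windows.

    Returns (false_positives, detections) out of `test` windows each.
    """
    rng = random.Random(seed)
    baseline = PowerBaseline().fit([normal_window(rng) for _ in range(train)])
    false_positives = sum(baseline.is_anomalous(normal_window(rng)) for _ in range(test))
    detections = sum(baseline.is_anomalous(infected_window(rng)) for _ in range(test))
    return false_positives, detections


if __name__ == "__main__":
    print("false positives, detections:", demo())
```

The point to take from the toy is the one Fu makes: the detector works because the baseline is narrow, which is true of a single-purpose device and false of a general-purpose workstation. On a real line you would feed digitised current samples into `window_features` per fixed window, and the threshold would be tuned against the false-positive rate the clinical staff can tolerate, since every flag costs someone a look at the device.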
Should the local IT team have full control over a system
by Joe_Dragon
Should the local IT team have full control over any system in place / should vendors be forced to let systems have AV and OS updates installed on them without delays?
Fu: Hi Joe the Dragon. I shall call you Trogdor. This is a good question, but it technically is a leading question because computing systems created by medical device manufacturers force the IT team to choose between bad and worse. In a more ideal world, we wouldn't need to worry about viruses in the first place. So let me go on a tangent for a moment. Buffer overflows? Maybe that medical device should not be written in C. SQL injection error? Maybe you shouldn't be running a web server with an embedded database inside a life-critical medical device in the first place. The IT folks catch a lot of blame ranging from breaches to clinician complaints of mucking up the clinical workflow. There's some truth to that, but realize that the IT folks are stuck with what they can buy or make.
Ok, now your question: Do you give IT the keys? I'm not gonna be tricked into answering that one. It depends. I think the most effective organizational structures are ones where the clinical safety teams and the IT security teams learn to speak each other's languages. The manufacturers need to be forthcoming about offering regular security updates for underlying 3rd party software if they make the business choice to use COTS software. Hey, COTS software is cheap for a reason. The best situation is when the leaders of these teams do not hesitate to call each other. That said, the most secure system might also be the most unsafe. The most safe system might be the least secure. There are cases where one might forgo security because a safety issue trumps. What if you lock out access to a hypothetical pacemaker after three failed password attempts? Probably not a good idea if you think for a moment. A secure system that cannot deliver care is neither safe nor effective. Striking the balance is tricky.
I have a long rant on software updates (NSFW).
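The three-failed-attempts example in the answer above is a concrete case of security and safety pulling in opposite directions. Here is an added illustration, not code from the interview or from any device vendor, that puts the two policies side by side for a hypothetical implant programmer interface: a hard lockout, and a throttling policy that slows guessing but never makes the device unreachable and keeps an audited break-glass path for emergencies. The class names, the backoff constants and the simulated clinician are assumptions; the clock is injected so the run is deterministic.

```python
from dataclasses import dataclass


@dataclass
class AuditEvent:
    at: float       # seconds on the device clock (injected, so the demo is deterministic)
    kind: str
    detail: str = ""


class HardLockoutPolicy:
    """The policy the answer warns against: N misses and the device stops listening."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = 0

    def attempt(self, credential_ok, now):
        if self.failures >= self.max_failures:
            return "locked"          # a clinician in an emergency gets this answer too
        if credential_ok:
            self.failures = 0
            return "granted"
        self.failures += 1
        return "denied"


class SafetyAwarePolicy:
    """Throttle guessing instead of locking out, and keep an audited emergency path.

    Each failure doubles a retry delay up to `max_delay`; a 60 s cap bounds an online
    guesser to 1440 tries per day without ever making the device unreachable.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = 0
        self.not_before = 0.0
        self.audit = []

    def attempt(self, credential_ok, now):
        if now < self.not_before:
            return f"retry_after:{self.not_before - now:.0f}s"
        if credential_ok:
            self.failures = 0
            self.audit.append(AuditEvent(now, "auth_ok"))
            return "granted"
        self.failures += 1
        delay = min(self.base_delay * 2 ** (self.failures - 1), self.max_delay)
        self.not_before = now + delay
        self.audit.append(AuditEvent(now, "auth_fail", f"backoff={delay:.0f}s"))
        return f"retry_after:{delay:.0f}s"

    def emergency_access(self, clinician_id, reason, now):
        """Break-glass: therapy stays deliverable; the price is a loud audit record."""
        self.audit.append(AuditEvent(now, "break_glass", f"{clinician_id}: {reason}"))
        return "granted_emergency"


def simulate():
    """Three wrong entries, then the right one much later: compare the two policies.

    Returns (hard_lockout_result, safety_aware_result, break_glass_events).
    """
    hard, safe = HardLockoutPolicy(), SafetyAwarePolicy()
    for t in (0.0, 10.0, 20.0):
        hard.attempt(False, t)
        safe.attempt(False, t)
    # A correct credential presented before the backoff expires is still throttled...
    assert safe.attempt(True, 21.0) == "retry_after:3s"
    # ...but once it expires the clinician gets in, whereas the hard lockout is permanent.
    hard_result = hard.attempt(True, 1000.0)
    safe_result = safe.attempt(True, 1000.0)
    # Hypothetical clinician using the break-glass path during an emergency.
    safe.emergency_access("dr_hypothetical", "post-shock interrogation", 1001.0)
    break_glass = [e for e in safe.audit if e.kind == "break_glass"]
    return hard_result, safe_result, len(break_glass)


if __name__ == "__main__":
    print(simulate())
```

The backoff does the security work the lockout was meant to do (an online guesser is rate-limited to a handful of attempts per minute) while the device always answers a correct credential eventually, and the break-glass call turns a denied-care scenario into an audit item that the clinical safety and IT security teams can review together afterward, which is the kind of shared vocabulary the answer argues for.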
Safer Programming Language
by Anonymous Coward
The C programming language is most often used for embedded devices. The language is poorly specified. Compilers sometimes have issues, and programmers find a zillion creative ways to make mistakes. MISRA C and its enforcement is a bag of hurt in the absence of certified tools. Has there been any work to define a more safe/sane programming language for embedded devices?
Fu: Yes, but it's certainly hard to find in the medical device community. My colleagues from aviation software safety brag about their safer languages and practices, and I do think it's a good idea for the medical device community to borrow ideas from avionics. However, there are a couple of roadblocks.
First, there's a crapton of legacy software out there. Try this experiment: walk into the C suite (not the programming language, the corporate suite), then declare that you need to stop product development for 9 months in order to convert to architectures that have better security properties. I know of only one company that did this (hint, it's an automotive company).
Second, the universities are at fault. I once asked a senior engineer at a medical device manufacturer why they wrote in C and assembly for their implantable medical device firmware. The engineer explained, that's who they can hire! The universities produce the graduates, and we are not training them sufficiently for trustworthy computing. When we teach students C and C++, we are handing them loaded weapons. Many of the students are talented and can respect the unchecked power of C and assembly. It's especially good for high performance systems and hand-optimized inner loop code. However, if we want to see improvements in choices of programming languages, universities need to produce engineers who understand the risks of different programming languages. No one language is perfect for every situation. I highly recommend reading Prof. John Knight's book on Fundamentals of Dependable Computing for Software Engineers to learn about how to match the programming language to the risks.
What to do when security is unfixable?
by Anonymous Coward
Seeing the abysmal state of computer security, even basic computer reliability expectations (which Dijkstra already noted, years ago), it's no surprise that embedded systems are no better. Simply because you usually don't see them and are thus less likely to notice just how poorly and insecurely the software is done. So how do we convince these people in the medical apparatus industry to leave well alone with the networking and wireless and bells and whistles, and simply deliver us machinery that does what it does, keep us alive, and not also surf the 'web for cat videos, or leave the door open for someone to come along with the latest exploit kit? Why do these things have to be connected at all?
Fu: A couple responses. A lot of medical devices are not networked in the sense of our home computers on the Internet. Many are connected with sneakernet. Yet the malware still can get in. Sleep labs are notorious for malware because patients bring in USB sticks of music, plus unwanted bonus material. I know one large medical device that was offline, but got infected by Conficker during the split second that the vendor temporarily enabled the Internet connection to download a software update. Sad.
Keep in mind that manufacturers create products because they think they can sell them. If consumers did not express interest in questionably secure products, then we'd see better security. If insurance rates were tied to cybersecurity hygiene, we'd see security economics at work. Unfortunately, security and privacy are out of sight and out of mind as you point out. For instance, hospitals often demand the bells and whistles. I witnessed one physician checking Gmail and the web on a medical records system during surgery. I didn't have a chance to explain the risks of drive-by downloads as he was occupied teaching a young resident how to catheterize the anesthetized patient. I know another hospital system where they let radiologists check email on the medical devices because staff wanted access to email, and there wasn't enough desk space for a second computer.
I have a set of slides on wireless where I make the argument that wireless is like bacon. People think it makes everything taste better. Wireless communication and network connections do serve an important role, but one needs to make a case-by-case judgement for each device. I like the concept of wireless to reduce infection rates during surgical implantations of defibrillators and pacemakers. About 1-2% of implantations result in major complications such as infection, and about 1% of these cases are fatal. Wireless does introduce security risks. While the security architectures can be greatly improved, I'd rather be insecurely alive than securely dead from an infection.
Medical device security vs. Open standards?
by Anonymous Coward
In the ever increasing world of consumerized technology (Apps, smartphones, smarter cars etc.), how do you see medical device security staying relevant and cutting edge while maintaining adequate security? More and more people can and probably will ask "why can't I use with my ?". For instance, could a secure, but open interface be created for insulin pumps which would allow an end-user app to aggregate multiple data sources into a better snapshot of that person, while still being secure and protected from hijacking by a 3rd party?
Fu: I agree that the natives will get restless if they perceive security as a problem rather than a solution. However, consumers have become accustomed to crap in a hurry during the 1990s transition from postcards to hyperconnected electronic communication. I think it will be difficult to create magic walled gardens or magic interfaces that "add" security because security is not a product, it's a property and a process. I see three areas where one can improve the trustworthiness of medical device software: early concept phases, post market surveillance, and all the fun stuff between (design, implementation, testing, verification, validation, etc.). There's a significant security focus on the implementation and finding bugs, but by that time much of the fate is sealed by the requirements engineering. I think more time should be spent at the concept phase on hazard analysis, risk management, etc. so that implementations are less likely to have security problems. Then spend time on post-market surveillance so you can measure the shifting effectiveness of the security mechanisms as the threats evolve.
Today, the worries are mostly conventional malware slowing down medical devices or causing malfunctions. We've begun to see signs of nation state threats, and we should use our time carefully as threats rarely decrease in severity.
I'd encourage computer science students to work for a medical device manufacturer or FDA rather than the latest Silicon Valley startup. The problems will be interesting and will bring great personal satisfaction. For creative students who enjoy writing and open ended problem solving in health care, apply to graduate schools that carry out medical device security research! Best wishes. -
Professor Kevin Fu Answers Your Questions About Medical Device Security
Almost a year ago you had a chance to ask professor Kevin Fu about medical device security. A number of events (including the collapse of his house) conspired to delay the answering of those questions. Professor Fu has finally found respite from calamity, coincidentally at a time when the FDA has issued guidance on the security of medical devices. Below you'll find his answers to your old but not forgotten questions. Fu: I apologize for the year-long delay, but my queue has rather overflowed after part of my house collapsed. See slide #11 for more information on the delay.
Medical device security is a challenging area because it covers a rather large set of disciplines including software engineering, clinical care, patient safety, electrical engineering, human factors, physiology, regulatory affairs, cryptography, etc. There are a lot of well meaning security engineers who have not yet mastered the culture and principles of health care and medicine, and similarly there are a lot of well meaning medical device manufacturers who have not yet mastered the culture and principles of information security and privacy. I started out as a gopher handing out authentication tokens for a paperless medical record system at a hospital in the early 1990s, but in the last decade have focused my attention on security of embedded devices with application to health and wellness.
I huddled with graduate students from my SPQR Lab at Michigan, and we wrote up the following responses to the great questions. We were not able to answer every question, but readers can find years worth of in-depth technical papers on blog.secure-medicine.org and spqr.eecs.umich.edu/publications.php and thaw.org.
Cochlear Implants
by mcspoo
How secure are Cochlear implants and their processors? Any chance I'm going to hear the voice of God (without the tooth implant, ala Real Genius?)
Fu: Classic cochlear implants are mostly analog circuits with some external supporting software. However, newer implants on the drawing board are looking at how to enable audiologists to adjust implant settings remotely from the cloud. There are, of course, some significant security and privacy issues that need to be resolved. But there are also good reasons for remote access. Namely, patients' bodies change over time and an audiologist must tune the implant settings manually today. Remote control may simplify life for patients from a demographic that may have difficulty making office visits.
Cochlear implants are amazing little devices to enable profoundly deaf patients to partially restore hearing. See the cover of Biodesign: The Process of Innovating Medical Technologies by Zenios, Makower, Yock. Also see Ultra Low Power Bioelectronics by Rahul Sarpeshkar. Cochlear implants consist of two major pieces: (1) an implant in the skull that directly stimulates the auditory nerve, and (2) a less resource-constrained external device worn on the scalp. The external device clips onto the scalp with a magnet to keep the implant paired. Think of the implant as special circuitry to wirelessly deliver sound as electrical impulses. Think of the external device as the source of power, sound inputs, and control.
I met a relatively young flight attendant a few years ago who had a cochlear implant. He explained that one day he suffered a routine cold that got worse and caused a rare infection that destroyed his auditory nerve. He lost his hearing. The cochlear implant sufficiently restored his hearing such that he and I could have a normal conversation.
You can imagine the complex security and privacy questions that will need to be considered when future devices go all "Internet of Things" or "TerraSwarm."
PCA Pumps?
by Digital Ebola
Have you explored changing the dosages on drug pumps? Either through exploiting the device directly or by exploiting the database backend? I reference the Hospira pumps that run Linux, allowing one to telnet to them as root with no password authentication. Hospira did issue an update to that but since pumps are so numerous, I'm sure that many hospitals have been slow to update. Thanks!
Fu: Pumps for medicine are amazing. Most people who have visited a hospital or seen a TV show should be aware of the plain old IV drip of saline solution to hydrate patients by gravity. It gets more interesting when a computer-controlled pump takes over from gravity. There are all sorts of pumps ranging from bed-side pumps to implantable pumps.
PCA is short for patient-controlled analgesia. I believe this question is referring to a bed-side pump rather than an implant. For instance, a patient may receive a PCA pump to deliver controlled pain medication such as morphine. Typical user interfaces consist of a "more please" button that delivers a bolus of drug via an IV.
A number of researchers have analyzed the attack surfaces for insulin infusion pumps, a special kind of externally worn pump for diabetics. Several faculty have done outstanding work in this space several years ago, and more recently a number of smart blackhat researchers have demonstrated the problems in ways more easily understandable by the general public. I think it's fair to say that manufacturers initially underestimated the importance of security requirements engineering during the early concept phases of product engineering. That said, the manufacturers are doing some amazing engineering. There is a game of catch-up, but I am optimistic that the manufacturers will improve by following the new U.S. FDA guidance on cybersecurityin good faith. Some manufacturers apparently have been thinking about security for a while. For instance, members of the insulin pump team at Medtronic recently were issued a medical device security patent filed way back in 2007!
Now on to the real question: what about the backdoor of the pump? No one likes to advertise the unsavory backdoors built into products---some by design and some by accident. It's out of sight, out of mind. On old CAT scans, you'll sometimes even find an "lp" Unix account enabled without a password. I don't know about this particular pump in question, but I would not be surprised if there are some ports left open for debugging or communication with online drug libraries. You will likely find some interesting traffic, perhaps not cryptographically protected, if you listen to the network. If you do find a problem, please be responsible and patient. Finding a vulnerability in a web browser is significantly different from finding a vulnerability in a medical device. The direct consequences on patients must be taken into account, and security researchers not collaborating with a physician are likely skating on thin ice. I recommend that researchers notify the FDA so that they may communicate the problem to the manufacturer. Call up the FDA people listed on the FDA cybersecurity guidance. Or file a MedWatch 3500 report. It once took a year for FDA to process one of my security reports; they are somewhat understaffed. FDA has tens of thousands of employees, but only about two of them focus on security. So be patient. They are good people doing the best they can with their scare resources. Remember, your U.S. readers elected the people who set the budget.
Clinical Data Systems
by DeathGrippe
Most clinics, hospitals, insurance companies and dental offices are extensively computerized and networked. Based on your experience, how often are these systems compromised?
Fu: I find a good rule of thumb to measure security of a clinical environment: count the number of Windows XP boxes. Why? Because these devices are more vulnerable to run-of-the-mill, conventional malware. At one large hospital, medical devices based on Windows XP were re-infected about every 12 days if the box is not protected. With "bandaid" approaches like firewalls and anti-virus, the devices can last longer before re-infection. Alas, you can't make good wine out of bad grapes. Windows XP lacks meaningful security requirements. Microsoft learned its lessons, and has improved the security requirements and approaches over the years. Microsoft ended all support for XP on April 8th of this year.
That said, Linux ain't no picnic either. All operating systems have risks and benefits. I believe the root of the problem is that software security lifecycles for consumer grade operating systems do not align well with the product lifecycles of medical devices. Medical devices need to remain safe and effective for a very long time.
What can I do if I have one?
by AmiMoJo
Say I have an implant that could be hacked, what can I do to protect myself? Are any vendors more reputable than others when it comes to security? Is tinfoil effective? Should I demand my doctor replaces known vulnerable equipment?
Fu: I think patients can take comfort in knowing that FDA has written meaningful guidance on cybersecurity that is likely a game changer for manufacturing. Also, I find that engineers at most medical device manufactures sincerely want to improve the security of their products. This positive attitude is unlike what one will find in adversarial industries like electronic voting where it's more common to see manufacturer denial of risks rather than mitigation risks. I've seen some large medical device manufacturers vendors organize security teams composed of dozens of employees across engineering, sales, marketing, you name it, the whole company. They are beginning to understand that information security and privacy has to become part of the corporate culture if the products make use of modern communication and computer technology.
On the other hand, I don't think you'll ever find a hack-proof computer---whether it be a laptop, smart fridge, or medical device. I used to believe that a computer buried in concrete was secure, until I buried one in the concrete foundation of my house and powered it up wirelessly. You could also go to your car dealer and replace your car with a crash-proof car after you run into a tree. You might get funny looks. A manufacturer cannot eliminate risk, but it can be smart about minimizing risk. For instance, one of the best ways to minimize security risk is to have meaningful security requirements during the concept phase of device engineering. The requirements won't prevent security problems, but lack of security requirements will prevent the product from having meaningful security down the line. One can argue that it's a lot cheaper to engineer security from the start rather than to retrofit, but that argument is no longer necessary since draft FDA guidance on cybersecurity is abundantly clear on expectations for security risk management during the manufacture of new devices.
If I were prescribed a medical device, I would accept it. Why? Anything with a computer is hackable by some adversary. So worrying about whether an implant can being hacked does not help answer the basic question: how to balance risk. If you are prescribed a medical device, then likely your doctor determined that you have a significant, predisposed risk. For instance, you might have a significant risk of sudden cardiac arrest. In general, you are much safer with a device than without.
Re:Start-ups
by Anonymous Coward
How good is malwaresoftware and the WattsUpDoc system at finding something potentially harmful on a device?
Fu: WattsUpDoc is a system that detects malware by analyzing patterns in the power outlet. It's basically a phase shift on the AC power line caused by reactive power and varying loads of the connected computer. The details get hairy and are written for the experts, so I'd refer you to the scientific paper. The beauty is that no software changes are required for the device being monitored (e.g., medical devices).
We published our report on WattsUpDoc at the USENIX HealthTech workshop. There is also a related paper on detecting web browser activity from the power lines. The performance surprised me: 95% accuracy for known malware, and 85% accuracy for previously unknown malware (unlabeled samples of a malware infection that were not in the training set). It works well because medical devices tend to do a small number of different things when working normally. We can detect the deviation.
Should the local IT team have full control over a system
by Joe_Dragon
Should the local IT team have full control over any system in place / should vendors be forced to let systems have AV and OS updates installed on them with out delays?
Fu: Hi Joe the Dragon. I shall call you Trogdor This is a good question, but it technically is a leading question because computing systems created by medical device manufacturers force the IT team to choose between bad and worse. In a more ideal world, we wouldn't need to worry about viruses in the first place. So let me go on a tangent for a moment. Buffer overflows? Maybe that medical device should not be written in C. SQL injection error? Maybe you shouldn't be running a web server with an embedded database inside a life-critical medical device in the first place. The IT folks catch a lot of blame ranging from breaches to clinician complaints of mucking up the clinical workflow. There's some truth to that, but realize that the IT folks are stuck with what they can buy or make.
Ok, now your question: Do you give IT the keys? I'm not gonna be tricked into answering that one. It depends. I think the most effective organizational structures are ones where the clinical safety teams and the IT security teams learn to speak each others' languages. The manufacturers need to be forthcoming about offering regular security updates for underlying 3rd party software if they make the business choice to use COTS software. Hey, COTS software is cheap for a reason. The best situation is when the leaders of these teams do not hesitate to call each other. That said, the most secure system might also be the most unsafe. The most safe system might be the least secure. There are cases where one might forgo security because a safety issue trumps. What if you lock out access to a hypothetical pacemaker after three failed password attempts? Probably not a good idea if you think for a moment. A secure system that cannot deliver care is neither safe nor effective. Striking the balance is tricky.
I have a long rant on software updates (NSFW).
Safer Programming Language
by Anonymous Coward
The C programming language is most often used for embedded devices. The language is poorly specified. Compilers sometimes have issues, and programmers find a zillion creative ways to make mistakes. MISRA C and its enforcement is a bag of hurt in the absence of certified tools. Has there been any work to define a more safe/sane programming language for embedded devices?
Fu: Yes, but it's certainly hard to find in the medical device community. My colleagues from aviation software safety brag about their safer languages and practices, and I do think it's a good idea for the medical device community to borrow ideas from avionics. However, there are a couple roadblocks.
First, there's a crapton of legacy software out there. Try this experiment: walk into the C suite (not the programming language, the corporate suite), then declare that you need to stop product development for 9 months in order to convert to architectures that have better security properties. I know of only one company that did this (hint, it's an automotive company).
Second, the universities are at fault. I once asked a senior engineer at a medical device manufacturer why they wrote in C and assembly for their implantable medical device firmware. The engineer explained, that's who they can hire! The universities produce the graduates, and we are not training them sufficiently for trustworthy computing. When we teach students C and C++, we are handing them loaded weapons. Many of the students are talented and can respect the unchecked power of C and assembly. It's especially good for high performance systems and hand-optimized inner loop code. However, if we want to see improvements in choices of programming languages, universities need to produce engineers who understand the risks of different programming languages. No one language is perfect for every situation. I highly recommend reading Prof. John Knight's book on Fundamentals of Dependable Computing for Software Engineers to learn about how to match the programming language to the risks.
What to do when security is unfixable?
by Anonymous Coward
Seeing the abysmal state of computer security, even basic computer reliability expectations (which Dijkstra already noted, years ago), it's no surprise that embedded systems are no better. Simply because you usually don't see them and are thus less likely to notice just how poorly and insecurely the software is done. So how do we convince these people in the medical apparatus industry to leave well alone with the networking and wireless and bells and whistles, and simply deliver us machinery that does what it does, keep us alive, and not also surf the 'web for cat videos, or leave the door open for someone to come along with the latest exploit kit? Why do these things have to be connected at all?
Fu: A couple responses. A lot of medical devices are not networked in the sense of our home computers on the Internet. Many are connected with sneakernet. Yet the malware still can get in. Sleep labs are notorious for malware because patients bring in USB sticks of music, plus unwanted bonus material. I know one large medical device that was offline, but got infected by Conficker during the split second that the vendor temporarily enabled the Internet connection to download a software update. Sad.
Keep in mind that manufacturers create products because they think they can sell them. If consumers did not express interest in questionably secure products, then we'd see better security. If insurance rates were tied to cybersecurity hygiene, we'd see security economics at work. Unfortunately, security and privacy are out of sight and out of mind as you point out. For instance, hospitals often demand the bells and whistles. I witnessed one physician checking Gmail and the web on a medical records system during surgery. I didn't have a chance to explain the risks of drive-by downloads as he was occupied teaching a young resident how to catheterize the anesthetized patient. I know another hospital system where they let radiologists check email on the medical devices because staff wanted access to email, and there wasn't enough desk space for a second computer.
I have a set of slides on wireless where I make the argument that wireless is like bacon. People think it makes everything taste better. Wireless communication and network connections do serve an important role, but one needs to make a case-by-case judgement for each device. I like the concept of wireless to reduce infection rates during surgical implantations of defibrillators and pacemakers. About 1-2% of implantations result in major complications such as infection, and about 1% of these cases are fatal. Wireless does introduce security risks. While the security architectures can be greatly improved, I'd rather be insecurely alive than securely dead from an infection.
Medical device security vs. Open standards?
by Anonymous Coward
In the ever increasing world of consumerized technology (Apps, smartphones, smarter cars etc.), how do you see medical device security staying relevant and cutting edge while maintaining adequate security? More and more people can and probably will ask "why can't I use with my ?". For instance, could a secure, but open interface be created for insulin pumps which would allow an end-user app to aggregate multiple data sources into a better snapshot of that person, while still being secure and protected from hijacking by a 3rd party?
Fu: I agree that the natives will get restless if they perceive security as a problem rather than a solution. However, consumers have become accustomed to crap in a hurry during the 1990s transition from postcards to hyperconnected electronic communication. I think it will be difficult to create magic walled gardens or magic interfaces that "add" security because security is not a product, it's a property and a process. I see three areas where one can improve the trustworthiness of medical device software: early concept phases, post market surveillance, and all the fun stuff between (design, implementation, testing, verification, validation, etc.). There's a significant security focus on the implementation and finding bugs, but by that time much of the fate is sealed by the requirements engineering. I think more time should be spent at the concept phase on hazard analysis, risk management, etc. so that implementations are less likely to have security problems. Then spend time on post-market surveillance so you can measure the shifting effectiveness of the security mechanisms as the threats evolve.
Today, the worries are mostly conventional malware slowing down medical devices or causing malfunctions. We've begun to see signs of nation state threats, and we should use our time carefully as threats rarely decrease in severity.
I'd encourage computer science students to work for a medical device manufacturer or FDA rather than the latest Silicon Valley startup. The problems will be interesting and will bring great personal satisfaction. For creative students who enjoy writing and open ended problem solving in health care, apply to graduate schools that carry out medical device security research! Best wishes. -
NASA Asks Boeing, SpaceX To Stop Work On Next-Gen Space Taxi
BarbaraHudson writes Due to a challenge by Sierra Nevada, NASA has asked the winners for the next earth-to-orbit launch vehicles to halt work, at least temporarily. "After rewarding Boeing and SpaceX with the contracts to build the spacecrafts NASA is now asking the companies to stop their work on the project. The move comes after aerospace company Sierra Nevada filed a protest of the decision after losing out on the bid. Sierra Nevada was competing against Boeing and SpaceX for a share of the $6.8 billion CCP contracts. The contracts will cover all phases of development as well as testing and operational flights. Each contract will cover a minimum of two flights and a maximum of four, with each agency required to have one test flight with a NASA representative on board.... According to NASA's Public Affairs Office, this legal protest stops all work currently being done under these contracts. However, officials have not commented on whether or not the companies can continue working if they are using private funds." -
Darth Vader, Yoda, Chewbacca Aim To Invade Ukraine's Govt. In Upcoming Elections
An anonymous reader writes The BBC and RT report that 16 men named after the Star Wars character "Darth Vader" are running for parliamentary elections in Ukraine later this month. In addition, a Chewbacca, Palpatin, Padme Amidala and Grand Jedi Master Yoda will stand in the snap October 26 polls. All of them have been nominated for parliament by the Internet Party of Ukraine. "This is not the first time Darth Vader has stood for election in Ukraine. In April, a man going by that name tried running for presidency, but his application was rejected by the Central Electoral Commission. One official suggested that his campaign could be an attempt to make a mockery of elections in Ukraine - possibly by Russia." -
Ask Slashdot: Is There an Ethical Way Facebook Can Experiment With Their Users?
An anonymous reader writes: This summer, news broke that Facebook had conducted an experiment on some of their users, tweaking which posts showed up in their timeline to see if it affected the tone of their later posts. The fallout was extensive — Facebook took a lot of flack from users and the media for overreaching and violating trust. (Of course, few stopped to think about how Facebook decided what to show people in the first place, but that's beside the point.) Now, Wired is running a somewhat paranoid article saying Facebook can't help but experiment on its users. The writer says this summer's blowback will only show Facebook they need to be sneakier about it.
At the same time, a study came out from Ohio State University saying some users rely on social media to alter their moods. For example, when a user has a bad day, he's likely to look up acquaintances who have it worse off, and feel a bit better that way. Now, going on social media is going to affect your mood in one way or another — shouldn't we try to understand that dynamic? Is there a way Facebook can run experiments like these ethically? (Or Twitter, or Google, or any similarly massive company, of course.) -
The Single Vigilante Behind Facebook's 'Real Name' Crackdown
Molly McHugh sends this story from Daily Dot: When Facebook issued an apology this week for suspending user accounts that had what it alleged to be fake names, it pinned the whole debacle on one person. This "individual," Facebook reasoned, sowed confusion into its flawed reporting system—intended to protect against bullying and online abuse. Facebook Chief Product Officer Chris Cox explains that Facebook was caught “off guard” by a lone actor who reported “several hundred” accounts as fake. According to our source, who claims to have spent "hours and hours" systematically reporting Facebook users from the drag community and beyond, thousands of accounts were suspended—and they've been at it for weeks. ... Given the timing and the accounts suspended, they believe that they are in fact the mystery "individual" who threw a wrench into Facebook's system, noted in Facebook's explanation of the events. "Considering the hours and hours I spent reporting accounts over the course of the past month, it is likely that I am." -
Redbox Streaming Service To Shut Down October 7th
An anonymous reader writes: Redbox, the company behind the giant red boxes at malls and grocery stores that dispense DVD and game rentals, partnered with Verizon in 2013 to launch a video streaming service to compete with Netflix. This naturally led to accusations that Verizon was throttling Netflix to tilt the scales in favor of Redbox. Well, as of Tuesday, they're packing it in. Redbox's streaming service will shut down at the end of the day on October 7th. They'll be refunding all current customers, though that number took a hit over the past several months as a credit card fraud problem caused Redbox to shut down their billing servers. This meant no new customers could sign up, and existing customers couldn't renew their subscriptions. -