Slashdot Mirror


Lawyer Demands Pacemaker Vendor Supply Source Code

oztiks writes "Lawyer Karen Sandler's heart condition means she needs a pacemaker to ward off sudden death. Instead of trusting that the vendor will create a flawless platform for the device to operate, Sandler has demanded to see the device's source code. Sandler's reasoning brings into question the device's reliability, stability, and oddly enough, security."

69 of 334 comments

  1. It's not forced on her by whoda · · Score: 5, Funny

    She could just let her heart regulate itself naturally.

    1. Re:It's not forced on her by Anonymous Coward · · Score: 5, Insightful

      If the pacemaker vendor doesn't want to make the source code available it's perfectly within its right to refuse to supply the pacemaker. Lawyer can go look for someone else to acquiesce to her ridiculous demand, assuming she doesn't die waiting for someone to give in, but any delay is entirely of her own creation.

    2. Re:It's not forced on her by TheRaven64 · · Score: 2, Interesting

      If you watch the talk, you'll see that there are several issues with this:

      First, the software is known to be buggy. In fact, it is remotely exploitable. One group found an exploit that lets you remotely control someone's heart rate.

      Secondly, because this is approved by the FDA, the manufacturer is exempt from liability for this kind of problem. The FDA does no review of the software at all, but their review of the hardware means that the manufacturer is completely immune to lawsuits if someone dies as a result of a bug in their software.

      --
      I am TheRaven on Soylent News
    3. Re:It's not forced on her by repvik · · Score: 5, Insightful

      But does that imply that someone has the right to force the manufacturer to open up their source code?

      Does she require the code to be "opened up"? AFAICT, she wants to check the code, nothing more.

      If I was the manufacturer of the device, she'd sign an NDA and get the code. Worst case, she spreads the code and gets sued. Best case, she improves the reliability or security of the code.

      I don't really see any problem here.

    4. Re:It's not forced on her by TubeSteak · · Score: 2

      Best case, she improves the reliability or security of the code.

      What makes you think anything she can do will improve the security of the code?
      How many times have we seen software makers just sit on bugs for months or years before someone publicly shames them into fixing it, usually by releasing exploit code??

      Someone just released a pile of metasploit plugins for SCADA systems.
      http://www.wired.com/threatlevel/2012/01/scada-exploits/

      Wightman and Peterson said they wanted to avoid the kind of situation that Beresford ran into last year when Siemens issued statements to customers downplaying the vulnerabilities he'd found and then swooped in at the last minute before his scheduled presentation to persuade him to cancel it until the company had more time to prepare patches.

      "I didn't want a vendor to jump out in front of the announcement with a PR campaign to convince customers that it wasn't an issue they should be concerned with," Wightman said.

      Peterson added that "a large percentage of the vulnerabilities" the researchers found were basic vulnerabilities that were already known to the vendors, and that the vendors had simply "chosen to live with" them rather than do anything to fix them.

      What good would it do to inspect the code under an NDA?

      --
      [Fuck Beta]
      o0t!
    5. Re:It's not forced on her by Anonymous Coward · · Score: 5, Informative

      Secondly, because this is approved by the FDA, the manufacturer is exempt from liability for this kind of problem.

      Untrue. Just because a product is FDA approved does not absolve a manufacturer from liability. This is not only true for medical devices, but pharmaceuticals as well.

      The FDA does no review of the software at all, but their review of the hardware means that the manufacturer is completely immune to lawsuits if someone dies as a result of a bug in their software.

      Once again, untrue. As a Software Quality Engineer for a major medical device manufacturer, I can tell you the FDA does review software and has regulations and guidance surrounding software development. In recent years the scrutiny of software based devices has increased so much that companies are having a difficult time understanding exactly what the FDA expects.

      Japan does not review software for devices, only hardware. However in order to get your product into the country it must be FDA approved.

    6. Re:It's not forced on her by Anonymous Coward · · Score: 2, Insightful

      Actually, it seems she is the one holding the metaphorical gun to her own head, DEMANDING to see the source code before allowing the pacemaker vendor to increase her life expectancy. If the vendor refuses to give in, she has to find a vendor who will dance to her tune, or go without. She has about as much influence on the vendor as a single music fan who refuses to buy from the iTunes store.

    7. Re:It's not forced on her by superwiz · · Score: 4, Insightful

      Usually, I wouldn't see how this is different from Coke not telling you what's in their secret recipe. I.e., trade secrets are trade secrets. But if you listen to the interview, she makes, what I see, a compelling point: these devices have WiFi connections.

      So they can be potentially controlled by a 3rd party after the fact of installing them in the recipients. Certainly, there are some people who don't understand the full implications of a medical device having a WiFi connection. So no one can claim that a layman would have an informed consent unless independent experts have reviewed the code.

      --
      Any guest worker system is indistinguishable from indentured servitude.
    8. Re:It's not forced on her by Bright+Apollo · · Score: 2

      21 CFR Part 11. The FDA does in fact force pharmas and medical device makers to review and QA/QC software. There is no such shield from the FDA. You either lied or made it up, but you're sad either way.

      --#

    9. Re:It's not forced on her by TheRaven64 · · Score: 2

      Watch the video - it's a claim that she made. If she is wrong, then you should correct her.

      --
      I am TheRaven on Soylent News
    10. Re:It's not forced on her by JoeMerchant · · Score: 2

      But does that imply that someone has the right to force the manufacturer to open up their source code?

      Does she require the code to be "opened up"? AFAICT, she wants to check the code, nothing more.

      If I was the manufacturer of the device, she'd sign an NDA and get the code. Worst case, she spreads the code and gets sued. Best case, she improves the reliability or security of the code.

      I don't really see any problem here.

      The problem is in the perception. If she finds "areas to improve" in the code, what does the manufacturer say to the tens (perhaps hundreds) of thousands of implantees with the code that "could be improved?" Swapping out the device before its normal end of life is an additional surgery, which carries a slight but non-zero chance of death.

    11. Re:It's not forced on her by Hognoxious · · Score: 2

      Lawyer, liar, it's all the same to me.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    12. Re:It's not forced on her by Hognoxious · · Score: 4, Funny

      But if you listen to the interview, she makes, what I see, a compelling point: these devices have WiFi connections.

      Tinfoil vest.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    13. Re:It's not forced on her by cdrguru · · Score: 2

      Two things here come immediately to mind. Let's assume that whatever is running in this system is non-trivial. If it was 1000 lines of code it could be validated the way they used to validate the Shuttle programming - mathematically. So it is probably 30,000 lines of code or more.

      First thing is how would anyone "look" at that volume of code without spending months going through it and learn anything from it? What sort of interrupt-driven race conditions can exist and how would you even begin to understand them without some kind of hardware simulation platform? This sounds like someone that heard something about programming in college 10 years ago and thinks this would be really cool.

      Second thing is probably why this company would not want to participate: very likely a pacemaker is pretty much down to commodity hardware and the only thing that differentiates one from another is the software. If they allow their software (the only thing of any value in the whole company), they stand to lose control of it. Once it gets into Chinese hands their product will be duplicated cheaply and they will be out of business forever. Sure, they could sue for the whole capitalization of the company - but they wouldn't get it.

    14. Re:It's not forced on her by pimpsoftcom · · Score: 5, Informative

      Mod Parent Up. I am currently a software developer with an FDA regulated product, and we have to sign a form explaining what we did when we check in. Yes, a hand written form, showing and explaining what was changed, how it was changed, and its impact on the product. Not just your normal check-in comments; this is a multiple page form/essay that what we checked in is what we said we checked in. Every time. The FDA has STRICT rules about software quality and security due to what in the FDA regulated software industry is known as "negative impact events".. basically anything that hurts the patient or has the ability to risk the patient's health, even if they just have a worry (as stress can create physiological pain, etc). In this case, the security exploit by itself would be so negative that it can get a product pulled and the company selling it fined into oblivion. If anything the company that built this software is trying to cover its ass, and will fight as much as it can to not release the source code.. or risk death by FDA audit. And yes they exist; all FDA projects get audited sometimes, but when it happens it's a massive company wide effort not to piss off the auditors or show them things they don't ask for explicitly as they are usually only raping with no lube.. it can get MUCH worse.

      --
      - d
    15. Re:It's not forced on her by AK+Marc · · Score: 3, Interesting

      If she dies because of the actions or inactions of the company, the company could be successfully sued, as they knowingly took an action that resulted in the death of a person. The car analogy is:
      You are driving down the road, you see someone preparing to jump from the bridge above you. You choose to not stop and the examination reveals they were killed by the impact with your car, if you had stopped, they likely would have died from the impact with the road. You would be held liable, as your failure to stop caused the death, even if the death was imminent anyway.

    16. Re:It's not forced on her by Suddenly_Dead · · Score: 3, Informative

      Coke has its "secret" recipe on every can, by law (not all of it, but what's in it, the part you asked for).

      No they don't. A lot of it is hidden under "natural flavours". We know they use a flavouring agent from the Coca leaf, for instance, but that doesn't appear in the ingredients list. Exactly what colouring agent they're using also doesn't appear.

    17. Re:It's not forced on her by shilly · · Score: 4, Informative

      Jesus Christ on a bike, I know this is a US site but you are all being just a teensy bit US-centric here. I'm pretty sure that, what with the article appearing on a .com.au site, she's Australian. And therefore different rules may apply

    18. Re:It's not forced on her by tftp · · Score: 2

      If I was the manufacturer of the device, she'd sign an NDA and get the code.

      If I were the manufacturer, I'd tell her that the code can be reviewed inside of my SCIF, under supervision of one of my employees. If she pays for the costs incurred she can come and read the code all day long, every day. Of course nothing material leaves the SCIF, and she may not take notes.

    19. Re:It's not forced on her by HornWumpus · · Score: 3, Insightful

      So in your world, if some idiot holds a gun to your own head and demands all my money his heirs can sue me when I tell him: 'wait a second while I get the money' then come back with a gun of my own (after all he is armed) and a video camera and tell him 'fuck off! you're going to be on Rotten.com!'

      Even if the video includes me telling the idiot to 'fuck off' I'm legally free and clear.

      Your analogy is just simply wrong. If someone jumps onto the freeway in front of you, you are not liable. Their heirs will pay to fix your car. No reasonable person would expect him/her to jump. Should I lock up my brakes every time someone is walking on the sidewalk of an overpass?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    20. Re:It's not forced on her by tengu1sd · · Score: 2, Informative

      The FDA does no review of the software at all, but their review of the hardware means that the manufacturer is completely immune to lawsuits if someone dies as a result of a bug in their software.

      Once again, untrue. As a Software Quality Engineer for a major medical device manufacturer, I can tell you the FDA does review software and has regulations and guidance surrounding software development. In recent years the scrutiny of software based devices has increased so much that companies are having a difficult time understanding exactly what the FDA expects.

      The FDA provides minimal guidance on software. I'm working with a Medical Application Vendor now who insists that we install MS SQL Server 2005 SP3 (which is out of support) for their new released product. This is what the FDA approved. The FDA also has guidelines for commercial off the shelf software that require vendor comply with security updates. That isn't really a priority once something is approved, you see. Strictly speaking, the FDA considers devices using commercial off the shelf software to be end of life when any software vendor ends support. Medical Application Vendor's take is they have FDA approval, don't worry. We'll wind up installing this, but with enough conference calls and meetings to point auditors and lawyers at the vendor.

    21. Re:It's not forced on her by complete+loony · · Score: 2

      She gave a keynote talk at linux conf au, the talk is now available on youtube.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    22. Re:It's not forced on her by evil_aaronm · · Score: 4, Interesting

      I also work for an FDA regulated company - blood chemistry immuno diagnostics device - and we are certainly audited, periodically, but not to the extent that you portray. We have code check-in forms and the auditors look at traceability: can they show that the files checked in were traced back to a particular defect record or change request item, etc. And our check-in forms are simple "Who wrote this change? Who reviewed it? Who's the manager signing off on it." That's about it. No justifications, no explanation of changes - except changes due to issues found during a review - no summaries of potential impact, or anything really substantive.

    23. Re:It's not forced on her by SeaFox · · Score: 2

      1) Does she have the device already, or is she still evaluating products? If she hasn't already had the device implanted the parent's point still applies. As a business they don't have to give her anything, and as a consumer she is within her rights to take her business elsewhere.

      2) If the software is already "known" to be buggy, and remotely exploitable, why would you want to consider this device maker to start with? She should already be looking for someone else. And furthermore why wouldn't the FDA have already taken action on this maker?

      Sounds like this woman is an ambulance-chaser trying to make her own ambulance.

  2. first, we kill all of the lawyers by Anonymous Coward · · Score: 3, Insightful

    This sort of demand is why lawyers are disliked. The life science industry has to follow the FDA directive to perform a source code review. It is very unlikely that the source code in these devices have any remaining bugs due to the length of time that these devices have been used.
    In addition to the source code for the software running the device, which is most likely to be extremely robust given the long time that these devices have been in use (+25 years), she might as well ask for the manufacturing process details for the battery, the casing, the electronic components, and the design of the microprocessor.
    This is pointless since any qualified experts on the code are likely to be working for the device manufacturer.

    1. Re:first, we kill all of the lawyers by NatasRevol · · Score: 5, Funny

      Did you just seriously say that there are no more software bugs in their code?

      You're the reason lawyers exist.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:first, we kill all of the lawyers by Stormthirst · · Score: 3, Informative

      No - lawyers are disliked because they charge absorbent fees for sitting in an office and talking, or standing in a court and talking. They make nothing, and have the moral values of a squashed tomato*

      You're assuming that the device she's due to have fitted is exactly the same design and construction as the ones they used 25 years ago. This is obviously false. For example, the original pacemakers paced the heart all the time, and as a result had a very limited battery life. Pacemakers these days are far more intelligent, and sense when a regulating beat is needed.

      Having said that, your point about the qualified experts still holds.

      * I'm probably going to get sued now by some lawyer representing squashed tomatoes for defamation of character.

    3. Re:first, we kill all of the lawyers by Anonymous Coward · · Score: 5, Insightful

      There are many assumptions here that should be questioned.

      Source code reviews are highly imperfect ways to ensure stable and accurate software, and good ones are extremely hard on the developers involved. Techniques like test driven development and paired programming offer a much better solution at lower cost.

      New medical devices are released all the time and they have new code operating them, even if that general type of device has been in use for decades. New models with new or modified code have new bugs.

      Perhaps owners of electronic devices that have caught fire or misbehaved in other physical ways have learned to start inquiring about manufacturing, mean time between failure and other manufacturing and quality issues.

      I have worked in the medical software industry for thirty years as a developer, and was at one time an employee of Medtronic. I have a Medtronic pacemaker/defibrillator embedded in my chest which can be remotely accessed and controlled. I am professionally qualified to study and understand my device's software, development and testing methodology, and security issues - but Medtronic declined to share with me their source code when asked. The technical manuals for my devices which appear to provide all necessary information for hacking my pacemaker/defibrillator are available online.

      I think that more can and should be done with oversight of medical device manufacturers and their software than the FDA currently requires, but this is true of all mission critical software like military and aerospace systems as well. The problem is neither uppity lawyers nor uncaring medical device manufacturers but instead the way we build software. Anyone with personal experience in the software industry who relies on a programmable medical device but who is not concerned over the accuracy and stability of the software running it is not thinking clearly.

    4. Re:first, we kill all of the lawyers by Anonymous Coward · · Score: 3, Funny

      I assume you meant to say "exorbitant" although you could say that lawyers excel in absorbing their clients' money.

    5. Re:first, we kill all of the lawyers by Opportunist · · Score: 2

      Why the heck would someone put a real time clock into a pacemaker?

      That's the stupid question I've been asked time and again in 1999. But will $device work in 2k? With $device being something that has no chance in hell to have a RTC.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:first, we kill all of the lawyers by beelsebob · · Score: 2

      The point I was making was "I've tested it for 25 years" is not a proof in any way that it's bug free. It being the 3rd of March 2012 was simply an example of a condition that's never been tested in those 25 years... Others might include sun storms, unseasonable warmth, a certain bacteria in the patient, ........

    7. Re:first, we kill all of the lawyers by Lumpy · · Score: 2

      I loved those questions. My answer was always, "No it will fail dangerously, you had better give it to me so I can dispose of it safely"

      I had in my office 3 toasters and other assorted silly things all tagged with the big red "NOT Y2K SAFE" sticker on them.

      --
      Do not look at laser with remaining good eye.
    8. Re:first, we kill all of the lawyers by beelsebob · · Score: 2

      Sure you can make sure your tests have 100% code coverage, but that doesn't mean you've proved your program correct. Example, here's an (incorrect) program to print "Hello World" iff argv[1] exists and begins with 'a':

      #include <stdio.h>

      /* Deliberately incorrect: argv[1] is read without checking argc first. */
      int main (int argc, char ** argv)
      {
          if (argv[1][0] == 'a')
          {
              printf("Hello World");
          }
          return 0;
      }

      I test it with two inputs... "apple", and "cat", I achieve 100% code coverage, but the program is still erroneous, and crashes if I don't provide any argument.

    9. Re:first, we kill all of the lawyers by Zironic · · Score: 2

      That's branch coverage, what you also want is input domain partitioning.
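An added example, not part of either comment above: input domain partitioning applied to the posted program. The partition names, the `classify` and `should_greet` helpers and the two test suites are constructed for this illustration; the report shows that "apple" and "cat" never exercise the missing-argument partition where the posted code dereferences a null `argv[1]`.

```c
#include <stddef.h>
#include <stdio.h>

/* Partitions of the input domain for "argv[1] exists and begins with 'a'".
 * The partition names are chosen for this example. */
enum part { NO_ARG, EMPTY_ARG, STARTS_A, STARTS_OTHER, PART_COUNT };

static const char *const part_name[PART_COUNT] = {
    "no argument", "empty argument", "begins with 'a'", "begins with other"
};

/* Map one invocation to the partition its input belongs to. */
enum part classify(int argc, const char *const *argv)
{
    if (argc < 2 || argv[1] == NULL)
        return NO_ARG;
    if (argv[1][0] == '\0')
        return EMPTY_ARG;
    return argv[1][0] == 'a' ? STARTS_A : STARTS_OTHER;
}

/* Corrected predicate: argc is checked before argv[1] is dereferenced. */
int should_greet(int argc, const char *const *argv)
{
    return argc > 1 && argv[1] != NULL && argv[1][0] == 'a';
}

struct test_case { int argc; const char *argv[3]; };

/* Constructed inputs: the two tests named in the comment. */
const struct test_case original_suite[] = {
    { 2, { "prog", "apple", NULL } },
    { 2, { "prog", "cat", NULL } },
};

/* Constructed inputs: one representative per partition. */
const struct test_case partitioned_suite[] = {
    { 1, { "prog", NULL, NULL } },
    { 2, { "prog", "", NULL } },
    { 2, { "prog", "apple", NULL } },
    { 2, { "prog", "cat", NULL } },
};

/* Bitmask of partitions a suite exercises (bit i set = partition i hit). */
unsigned partitions_hit(const struct test_case *suite, size_t n)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++)
        mask |= 1u << classify(suite[i].argc, suite[i].argv);
    return mask;
}

/* Print, per partition, whether the suite contains an input from it. */
static void report(const char *label, const struct test_case *suite, size_t n)
{
    unsigned mask = partitions_hit(suite, n);
    printf("%s:\n", label);
    for (int p = 0; p < PART_COUNT; p++)
        printf("  %-18s %s\n", part_name[p],
               (mask >> p) & 1u ? "tested" : "NOT TESTED");
}

int main(void)
{
    report("original suite", original_suite, 2);
    report("partitioned suite", partitioned_suite, 4);
    return 0;
}
```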

  3. CTL-ALT-DEL by ColdWetDog · · Score: 4, Insightful

    Oh, come on. The source code is not going to tell you a whole lot, it would be only comprehensible to experts and it says nothing about the little hardware bits. Does Mr. Lawyer want Medtronics to go over the schematics with him? Explain the physics?

    Sometimes you just have to settle down and let things go. Yes, regulatory agencies should review operations of medical devices closely. No, they don't need to peek inside.

    I don't even think the FAA looks at the code for the flight control computers on airliners. They test the planes (or actually they watch the manufacturer test the planes) but they don't get every part off the aircraft and look at it under a microscope.

    --
    Faster! Faster! Faster would be better!
    1. Re:CTL-ALT-DEL by CAPSLOCK2000 · · Score: 5, Insightful

      Oh, come on. The source code is not going to tell you a whole lot, it would be only comprehensible to experts and it says nothing about the little hardware bits.

      Experts are for hire.

      I'm not an architect. The blueprints of my house are useless to me, but I can hire an architect to read them for me. That architect can then tell me if the house I'm living in is well designed or not. He won't be able to tell if the building-materials are of sufficient quality, but if the design is not sound the materials used don't even matter.

      I'm disappointed in Slashdot. One would expect that over here people would see the value of having access to the source of the software that keeps you alive.

    2. Re:CTL-ALT-DEL by rtfa-troll · · Score: 3, Insightful

      No, they don't need to peek inside.

      Think about how much cheaper for everybody it would have been to have one small government testing lab verifying medical implants than it is going to be having to replace all of the breast implants in France / UK etc. etc. Think how much compulsory insurance is going to cost.

      This is typical of the corporate welfare attitude that small people have to pay for the mistakes of big companies but no big company has to pay for anything.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    3. Re:CTL-ALT-DEL by Anonymous Coward · · Score: 2, Insightful

      Before I started reading the comments, I knew it would skew heavily against the lawyer because, well... he's a lawyer. No other reason.

      You dweebs here on /. get your panties in a bunch about *any* product for which source code is kept private. Operating systems, video card drivers, voting machines, etc.

      But oh, god forbid a lawyer advocates for his client, WHOSE LIFE DEPENDS ON THIS FRIGGIN' DEVICE, and you go all 4chan on him.

      No, the lawyer is NOT going to review the code. He's going to get a pacemaker software nerd to do that for him. That's assuming not all the pacemaker software nerds are posting this bullshit about him on /.

      Really, the measure of your character is whether you stick to your stated beliefs (code should be available for review), even when the people trying to exercise those beliefs don't belong to your clique.

      Idiots.

    4. Re:CTL-ALT-DEL by Teancum · · Score: 2

      With statements like you've made in this post, you would be surprised what the FAA does require when they issue a flight worthiness certificate. No, the inspectors from the FAA don't review every line of code nor do they demand x-rays and microscopic details of all critical parts, but manufacturers do keep track of much of that information and have it stored away "just in case" there is an accident investigation board held on that aircraft that is being made. This is even more true when somebody sells a vehicle to the U.S. government.... where the paperwork for most vehicles weighs more than the vehicle being delivered.

      No, I'm not kidding here either. There are warehouses larger than most aircraft hangars (including more than a few former aircraft hangars themselves) that hold boxes and pallets of this paperwork. Some of it has been put into microfilm or digitized.... but that seems to just increase the stack of paperwork even more. When the proverbial stuff hits the fan, all of that is examined including every single line of code used in the flight control computers as well.

      The situation is analogous here, where if somebody dies from a pacemaker or life-saving device, that all of that will come out into the open. That somebody is being preemptive and expecting this ahead of time is the only difference. Good engineers document everything they do. Lousy engineers sort of pretend to document everything..... but the worst thing you can do is to sit in a deposition and have to explain to a room full of lawyers why you didn't make the documentation when a major screw up happens. I've seen it happen, and it isn't pretty.

    5. Re:CTL-ALT-DEL by Opportunist · · Score: 2

      When having to side with closed source or lawyers, the choice is quite easy. Hell, when choosing sides between lawyers and mass murderers it is.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:CTL-ALT-DEL by Vairon · · Score: 3, Interesting

      I agree comment posters *seem* to be acting very hypocritical today but it could be possible that a different set of people are objecting for a different set of reasons.

      Also just to correct something which keeps being misrepresented in comments this lawyer is a female. She also has an engineering degree and is a programmer. She intended to review the software herself with the help of fellow programmers.

      Also people might be interested to know that she worked as a pro bono counsel for the Software Freedom Law Center from 2005 until 2011 and now works as an executive director for the GNOME foundation. She still accepts pro bono cases from the SFLC and is the SFLC treasurer.

      http://www.softwarefreedom.org/about/team/
      http://www.youtube.com/watch?v=5_pRH8lzaQo

  4. Who owns data that an implanted device collects by davidannis · · Score: 5, Interesting

    A related story on NPR today points out that as a patient you don't have access to the data collected in and about your own body. The story focuses on one man's attempt to see his own data. He's looking for someone with technical skills to help him get at the data. Seems to me that somebody on /. should be able to help. http://www.onthemedia.org/2012/jan/20/who-owns-data-inside-your-body/

  5. Re:I trust my life to Boeing every time I fly by rtfa-troll · · Score: 5, Insightful

    Yet I don't demand to audit their code.

    Well, if you don't demand that somebody audits their code you are pretty stupid. Unaudited code and code which is proprietary and never shared with outside bodies (this doesn't have to mean the public; just at least someone external) just doesn't have a place in any critical parts of our infrastructure. It is as irresponsible as it would be if Boeing didn't have to hand over the mechanical specifications of their planes, which of course they do. However, if you had read the article you would have seen this quote:

    Regulatory authorities don't see or review the software either.

    She simply has to trust that the vendor is telling the truth and doing things right.

    I think you will find that aircraft software, whilst it isn't open source and available to everyone, gets a bit more review than that.

    Apart from that, the plane code isn't part of you and is, as a passenger, something you just visit for a short time. I think people have a right to understand fully, to the level of their own ability, things that are made part of their body.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  6. FDA requirements (21 CFR 820) by jbeaupre · · Score: 5, Informative

    It's called software validation and it's a pain in the ass. It's such a pain for medical devices that everyone avoids it unless absolutely needed. Which is why medicine is 10 years behind when it comes to electronics.

    For a "quick" overview, here's a start: http://www.fda.gov/RegulatoryInformation/Guidances/ucm126954.htm

    --
    The world is made by those who show up for the job.
  7. thump by Anonymous Coward · · Score: 5, Funny

    10 thump
    20 thump
    30 sleep 1s
    40 go to 10

  8. Answering questions from TFA by Nidi62 · · Score: 4, Insightful

    How do we know the software works as advertised? How do we know it's secure?

    Well, let's see, what is the failure rate of pacemakers? A quick Google search brought this result (http://www.post-gazette.com/pg/06116/685028-114.stm):

    In one study, Dr. Maisel and FDA researchers analyzed reports that pacemaker and ICD manufacturers were required to submit to the federal agency between 1990 and 2002. During that period, more than 17,000 malfunctions resulted in removal and replacement with a new device, researchers found. Battery, capacitor or electrical problems accounted for half the failures. Thirty deaths were attributable to pacemaker malfunction and 31 deaths to malfunctions in ICDs. The annual replacement rate for pacemaker malfunctions decreased during the study period, from 9 per 1,000 implants in 1993 to 1.4 in 2002. But the ICD replacement rate, after decreasing from 38.6 in 1993 to 7.9 in 1996, increased in the latter half of the study, peaking in 2001 at 36.4.

    So, there is a failure rate of 1.4 per 1000 in 2002, and half of those were related to hardware issues. Only 30 people ended up dying. This article (http://circ.ahajournals.org/content/105/18/2136.full) claims 3,000,000 people worldwide with pacemakers in 2002, with 600,000 implanted yearly. That means in 2002 .001% of people with pacemakers died. Assuming hardware failure accounted for half of that, then the chances of being killed by a software defect in a pacemaker are extremely small. So, I'd say it's safe to assume that the hardware "works as advertised".

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:Answering questions from TFA by TheRaven64 · · Score: 2

      Perhaps instead you should read the paper that this woman wrote. It lists statistics for the number of pacemaker recalls for software defects, and some of the reasons - pretty scary how poor quality the software is, as many of them would have been caught by even basic testing.

      I admit that the fact that it's possible to remotely stop Dick Cheney's heart using simple off-the-shelf hardware seems like it might be a useful feature...

      --
      I am TheRaven on Soylent News
  9. wow by unity100 · · Score: 4, Informative

    It is very unlikely that the source code in these devices have any remaining bugs due to the length of time that these devices have been used

    hahahahaahaha ahaahah.

    you spoke like someone who has zero experience in software development.

  10. Re:I trust my life to Boeing every time I fly by hedwards · · Score: 4, Insightful

    GP lives in their flight path. Around here it's difficult to impossible to find a place to live where a rather large plane doesn't fly overhead on a regular basis.

  11. Not even the FDA has audited the code yet by SgtChaireBourne · · Score: 5, Insightful

    If you read the article or ones on the same topic from last year, you'll find that the reason she is making the request is that not even the FDA has audited the code. It's just there.

    Other embedded hardware has been found to be easily crackable and able to deliver fatal doses of medication. Someone has to audit the code; since the FDA is not doing it, Karen is making an issue of it. In these cases, there is no excuse for the code not being 100% open. People's lives hang in the balance.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:Not even the FDA has audited the code yet by green1 · · Score: 2

      I must say I was shocked when I found out that the settings on these things can be modified wirelessly. While it's very convenient for the hospital to be able to make changes without surgery, it's also more than a bit worrisome from a security standpoint...

  12. Special lawyer rights by loufoque · · Score: 4, Insightful

    If she weren't a lawyer, we wouldn't even be speaking about it.

    It's funny how lawyers seem to have extra rights in our society. They can make demands, we cannot.

  13. It's not surprising a lawyer has a defective heart by trout007 · · Score: 5, Funny

    I thought they had their hearts removed when they passed the bar at the same place that performs MBA lobotomies.

    --
    I love Jesus, except for his foreign policy.
  14. Modern pacemakers have WiFi built in. by Vellmont · · Score: 5, Informative

    The summary is pretty bad, but one of the more salient points is that modern pacemaker/defibrillators have Wi-Fi in them. Yes, WiFi. According to the recording, someone at Defcon has already managed to hack into an insulin pump equipped with WiFi and been able to manipulate the delivery rate (which could kill the patient). So the security concerns aren't completely unwarranted.

    Demanding the source code is a bit silly. How many people are really going to be able to review the source code for a pacemaker/defibrillator? Very very few. Even if they do, there's a hell of a lot more to a pacemaker/defibrillator than the software, so why is it just the software that's her concern?

    A more sane approach would be demanding the software follow basic security rules like not allowing the wi-fi connection to ever change anything in the medical device. (It's supposed to be a reporting mechanism so the doctor can follow the progress of the patient). I can't believe she has any legal grounds to demand source code, so this is a fight for the minds of the public rather than a legal one. Demanding source code is a bit silly since most of the public doesn't even understand that there is such a thing as source code. The public is by now very aware of security problems and hackers, so ensuring that the wi-fi is read-only would be an easier battle to win.

    --
    AccountKiller
  15. Re:It's not surprising a lawyer has a defective he by NevergoldMel · · Score: 4, Insightful

    The MBA lobotomy is a very precise operation, they only remove the parts of the brain that remember to pay taxes and how to truthfully report corp. earnings.

  16. Re:I trust my life to Boeing every time I fly by JobyOne · · Score: 2

    Actually, people do that sort of thing *all the time*.

    I have a coworker who can't have wheat or dairy, and it takes a lot of questioning for her to get a meal at a restaurant. My mom is allergic to soy (including soybean oil), and since soy pops up in the darndest places that means it also takes a lot of questioning for her to get a meal at a restaurant. No, they don't audit the cooks, but they do demand information about what they're about to put in their body, up to a point required to ensure their own health to the best of their own knowledge and abilities.

    What were you saying about fantasies? I think you have a few.

    --
    Porquoi?
  17. Re:Open source pacemker anyone? by Opportunist · · Score: 2

    You're in luck, I know a lawyer who wants one.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. Re:It's not surprising a lawyer has a defective he by newcastlejon · · Score: 3, Insightful

    The MBA lobotomy is a very precise operation, they only remove the parts of the brain that remember to pay taxes and how to truthfully report corp. earnings.

    You forgot empathy.

    --
    If God forks the Universe every time you roll a die, he'd better have a damned good memory.
  19. Re:It's not surprising a lawyer has a defective he by paiute · · Score: 5, Funny

    The MBA lobotomy is a very precise operation, they only remove the parts of the brain that remember to pay taxes and how to truthfully report corp. earnings.

    You forgot empathy.

    If you had measurable empathy in the first place, they wouldn't have let you in.

    --
    If Slashdot were chemistry it would look like this:Cadaverine
  20. Re:makes sense by TheRaven64 · · Score: 2
    And, as she said in the talk:
    • The device sends data unencrypted (isn't that a HIPAA violation?).
    • The device accepts external commands without authentication (WTF?).
    • An attacker can relatively easily cause cardiac arrest in someone implanted with one of these.
    • FDA approval means that the manufacturer is not liable for any of the above.
    --
    I am TheRaven on Soylent News
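
Added example, not part of the thread and not any vendor's code: a sketch of the two mitigations raised in comments 14 and 20 above, a radio link that can report but never change settings, and commands that are refused unless they carry a valid HMAC tag and a fresh counter. The opcodes, link names, key handling and frame layout are assumptions constructed for illustration; payload encryption is not shown.

```python
import hashlib
import hmac
import struct

# Constructed opcodes for illustration; not taken from any real device.
READ_LOG, READ_BATTERY, SET_PACING_RATE = 0x01, 0x02, 0x10
READ_ONLY_OPCODES = {READ_LOG, READ_BATTERY}
TAG_LEN = 32                    # full HMAC-SHA256 tag
HEADER = struct.Struct(">BI")   # opcode (1 byte), message counter (4 bytes)


def make_frame(key, opcode, counter, payload=b""):
    """Clinic-side helper: opcode | counter | payload | HMAC-SHA256 tag."""
    body = HEADER.pack(opcode, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CommandGate:
    """Device-side check run before any received frame is executed."""

    def __init__(self, key):
        self._key = key
        self._last_counter = 0  # highest counter accepted so far

    def check(self, frame, link):
        if len(frame) < HEADER.size + TAG_LEN:
            return "reject: short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison; unauthenticated frames stop here.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        opcode, counter = HEADER.unpack_from(body)
        # A captured frame sent again carries an old counter.
        if counter <= self._last_counter:
            return "reject: replayed counter"
        # The long-range radio may report but never change settings,
        # even when the frame is correctly authenticated.
        if link == "radio" and opcode not in READ_ONLY_OPCODES:
            return "reject: write over radio"
        self._last_counter = counter
        return "accept"
```

The policy check sits after authentication on purpose: a write request over the radio is refused even from a holder of the key, which is the "read-only wi-fi" rule from comment 14.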
  21. My pacemaker appears to have a real-time clock by ODBOL · · Score: 2

    My heart rate is controlled by a pacemaker at this moment. I do not have access to the specifications, so I cannot determine directly whether it contains a real-time clock. But the behavior seems to require one. The pacemaker stores records of its behavior and its sensor readings, and transmits them whenever its short-range radio can reach a satellite/cellular interface. It is extremely likely that a real-time clock in the pacemaker is used to time-stamp the data that are transmitted at unpredictable times hours after they are recorded.

    --
    Mike O'Donnell http://people.cs.uchicago.edu/~odonnell/
    1. Re:My pacemaker appears to have a real-time clock by itsme1234 · · Score: 2

      You seem to insist with this idea that somehow logging is totally separated and not part of the "operation" when most likely it is. You can probably design a "desktop" system where no matter what you do with the logger you can't affect the system logging (for example put it on another network, another power grid, put some kind of one-way firewall and log over UDP). But here you have very tight constraints and I'm positive that any logging is done using the same CPU, RAM, flash, power supply as what you call "operation". You can of course sandbox to some extent some of the operations if you have enough resources but I somehow doubt this is the case.

  22. Re:It's not surprising a lawyer has a defective he by newcastlejon · · Score: 2

    *facepalm*
    Of course! Curse this properly formed brain of mine.

    --
    If God forks the Universe every time you roll a die, he'd better have a damned good memory.
  23. Re:I trust my life to Boeing every time I fly by JoeMerchant · · Score: 2

    ...and incidentally every time one of their products flies over my house to land at the DC area airport I live close to.

    Yet I don't demand to audit their code.

    There is also a pilot and co-pilot in command of the aircraft. Most of the time they're sober enough to recover any software glitches before a crash, and they're usually awake during takeoffs and landings.

  24. I saw her talk by Anonymous Coward · · Score: 5, Informative

    Last year at OSCON. Sadly the line was too long for me to shake her hand and say thanks for starting this.

    There's a few points I'd like to add, many already covered.

    1) She's qualified to do this. Not to review the software. But she has plenty of good colleagues for that.

    She's a director of GNOME (I know, I know...), former GC of the SFLC, an attorney... and ... from listening to her talk, she either genuinely gets software -- or someone that did wrote her whole speech for her.

    2) This is a real, not a hypothetical problem.

    People commenting without RTFA need to understand--These devices are 802.11 enabled. Remote exploits /have/ been demonstrated.

    This is not a wholly uncommon situation -- one of my coworkers has a daughter with a computerized glucose pump that has also had remote compromise demonstrated.

    And even a trivial interest in breathalyzers reveals there has been...myriad incidences of these devices not just being a total failure of design, but having rollover and similar bugs in their implementations.

    3) People may be correct that it would be hard to get people to understand the code. That is wholly irrelevant and a false front of an argument. I don't care what your medical experience is in your industry or company. What your experience with regulators or lawsuits are. There's companies that commit fraud, lie, cheat, steal. They exist. This is indisputable. There's places where MBAs and biologists that can barely write a hello world by themselves compose pointer arithmetic, hit compile, hit test, and go home at the end of the day. I've worked at places like that on applications that could kill if they failed. It is why I do not as of two years ago.

    I presently work with a woman that could not compose a CSV in a basic ETL from another filetype without help. She has the language being used on her resume. Her workflow involved copy/paste off of the internet, and then changing one line at a time, saving it as file.### and trying to run it. If it didn't crash, she'd examine the output and try to put in what she thought would fix it. If it did, she'd try to find the error. When I offered a hand, she was currently at over her 500th revision.

    So let me be damned clear -- even an unqualified person can do a basic code review just by running a fucking linter on it and looking at the warnings. Because if it generates one or a million -- that says something about the quality right there.

    Why? Because unless you're in a business whose core business *IS* software, my personal experience is that 80% plus of the developers have never heard of one, and 95% don't know how to use it if they have. And that is why my code has less bugs than my colleagues.

    Now -- even if my experiences are anecdotal, and "invalid" -- I've just proven the existence of the problem.

    This is her life we're talking about. Her life entrusted to a piece of cybernetics that has had a demonstrated remote exploit.

    Please /., have a little bit of humanity for once. This isn't about corporate profits, NDAs, lawsuits. This is about someone asking to read something to make an informed choice about their continued existence.

  25. Re:I trust my life to Boeing every time I fly by electroniceric · · Score: 4, Informative

    In the 90s, the FDA realized that even if it could see the code, there was no way it could realistically audit code for all the devices it is required to review annually. So they switched from attempting to verify devices directly to insisting that devices be designed and developed under a very high quality engineering paradigm.

    So instead of looking at code trying to find problems, what they do is demand artifacts of a very disciplined design development and test process, reasoning that if people are in fact actually writing out test cases, doing internal code reviews with documented changes arising from them, maintaining requirements traceability matrices linking each line of code to a user requirement and then a lower level system requirement, then that process will result in better code than the FDA could accomplish by their own audit or that of a 3rd party. So the woman should be asking to see the details of the company's FDA submission, presumably under NDA from the company.

    Now, whether the FDA is employing Design Control in a strict enough way is definitely a fair question - in particular the 510k (predicate device) submission process has left a lot of loopholes (due to its risk class, a pacemaker does not go through 510k, it goes through the more demanding PMA process). But to suggest that she or someone she hires will just be able to wade through the code to decide if she thinks it's high quality seems to me more like grandstanding than anything else.

  26. Re:I trust my life to Boeing every time I fly by zevans · · Score: 2

    Actually, people do that sort of thing *all the time*.

    They do... and restaurants often say "we can't be sure, so you'll have to eat elsewhere" because they can't be bothered with it. So by your analogy (which I like) there is a risk that pacemaker manufacturers will do the same.

    --
    "... and more and more now there are all kinds of electronic goodies available" -- Pink Floyd 1972
  27. Re:Open source pacemker anyone? by Vairon · · Score: 2

    That's really rude. The lawyer this story is about, Karen Sandler, worked pro bono for the Software Freedom Law Center helping to protect people's software freedoms. Which would normally be considered a very good and moral thing around here, would it not? She currently works for the GNOME foundation.

  28. Re:Who will do the audit, and how? by Vairon · · Score: 2

    http://www.youtube.com/watch?v=nFZGpES-St8 OSCON 2011
    http://www.youtube.com/watch?v=5_pRH8lzaQo Freedom: From my heart to the desktop
    http://www.youtube.com/watch?v=GcWlD2Y6HNM OSCON 2010 Free Software on Medical Devices: Unchain My Heart

    Karen Sandler, the lawyer this article is about, is also a programmer and has an engineering degree. She works for the GNOME foundation and before that the Software Freedom Law Center...I think she can find a few people who are also programmers to help her as well.