
Free Software, a Matter of Life and Death

ChiefMonkeyGrinder writes "Software on medical implants is not open to scrutiny by regulatory bodies. Glyn Moody writes: 'Software with the ability to harm as well as help us in the physical world needs to be open to scrutiny to minimise safety issues. Medical devices may be the most extreme manifestation of this, but with the move of embedded software into planes, cars and other large and not-so-large devices with potentially lethal side-effects, the need to inspect software there too becomes increasingly urgent.' A new report 'Killed by Code: Software Transparency in Implantable Medical Devices' from the Software Freedom Law Center points out that, as patients grow more reliant on computerized devices, the dependability of software is a life-or-death issue. 'The need to address software vulnerability is especially pressing for Implantable Medical Devices, which are commonly used by millions of patients to treat chronic heart conditions, epilepsy, diabetes, obesity, and even depression.' Will making the source code free to scrutiny address the issue of faulty devices?"
  • by guruevi ( 827432 ) on Tuesday July 27, 2010 @02:11PM (#33048460)

    Dupe! This was covered a couple of days ago.

  • by betterunixthanunix ( 980855 ) on Tuesday July 27, 2010 @02:16PM (#33048552)
    And as people pointed out the first time around, medical devices are tested extensively before being deployed. I am an ardent free software supporter, but the safety/reliability issue is simply the wrong argument. I would say the more important argument when it comes to medical software is control -- do you really want to have a corporation that you have absolutely no control over to be in control of a device that sustains your very life? What happens if that company goes bankrupt, and the source code dies with the company? What if they decide they want to start charging people a yearly fee for using their pacemakers (a situation that does not seem too far fetched, given what I have seen proprietary software companies do in the past)?
  • by xemc ( 530300 ) on Tuesday July 27, 2010 @02:32PM (#33048782)

    The article also links to: http://cio-nii.defense.gov/sites/oss/Open_Source_Software_(OSS)_FAQ.htm#Q:_Doesn.27t_hiding_source_code_automatically_make_software_more_secure.3F

    Excerpt:

        Q: Doesn't hiding source code automatically make software more secure?

    No. Indeed, vulnerability databases such as CVE make it clear that merely hiding source code does not counter attacks:

            * Dynamic attacks (e.g., generating input patterns to probe for vulnerabilities and then sending that data to the program to execute) don’t need source or binary. Observing the output from inputs is often sufficient for attack.
            * Static attacks (e.g., analyzing the code instead of its execution) can use pattern-matches against binaries - source code is not needed for them either.
            * Even if source code is necessary (e.g., for source code analyzers), adequate source code can often be regenerated by disassemblers and decompilers sufficiently to search for vulnerabilities. Such source code may not be adequate to cost-effectively maintain the software, but attackers need not maintain software.
            * Even when the original source is necessary for in-depth analysis, making source code available to the public significantly aids defenders and not just attackers. Continuous and broad peer-review, enabled by publicly available source code, improves software reliability and security through the identification and elimination of defects that might otherwise go unrecognized by the core development team. Conversely, where source code is hidden from the public, attackers can attack the software anyway as described above. In addition, an attacker can often acquire the original source code from suppliers anyway (either because the supplier voluntarily provides it, or via attacks against the supplier); in such cases, if only the attacker has the source code, the attacker ends up with another advantage.

    Hiding source code does inhibit the ability of third parties to respond to vulnerabilities (because changing software is more difficult without the source code), but this is obviously not a security advantage. In general, “Security by Obscurity” is widely denigrated.
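The first two bullets of the FAQ excerpt quoted above (dynamic probing that needs only input/output behaviour, and static pattern-matching against a binary with no source) as an added worked example. This is my code, not part of the thread, the DoD FAQ, or any device vendor's firmware; the length-prefixed message parser standing in for "the program", the fake `.dynstr` string table, the fuzzing mutations and the list of risky imports are all constructed for the demonstration.

```python
"""Added example (not from the Slashdot thread or the DoD FAQ it quotes).
Demonstrates two of the FAQ's points in code: a dynamic attack that needs
only observable behaviour, and a static attack that pattern-matches a
binary with no source.  The 'firmware' below is a constructed stand-in."""
import random
import struct

# ---- Constructed target: a length-prefixed message parser with a bug ----
# The probes below treat it as opaque: they call it and observe, nothing more.
def target_parse(msg: bytes) -> bytes:
    """Parse [u16 big-endian length][payload] and return the payload.
    Deliberate bug: the declared length is trusted, so a message whose
    length field exceeds the bytes actually present reads past the end.
    In native code that is an out-of-bounds read; here IndexError stands
    in for the crash.  ValueError is the documented, clean error path."""
    if len(msg) < 2:
        raise ValueError("message too short")
    (n,) = struct.unpack(">H", msg[:2])
    out = bytearray()
    for i in range(n):
        out.append(msg[2 + i])        # IndexError once 2 + i >= len(msg)
    return bytes(out)


# ---- Dynamic attack: mutation-based black-box probing ----
def blackbox_probe(run, seed: bytes, rounds: int = 500, rng_seed: int = 1):
    """Mutate a known-good message and observe how `run` reacts.
    Returns (input, exception name) for every distinct input that triggered
    something other than the documented ValueError.  No source or binary is
    consulted; the only oracle is the program's observable behaviour."""
    rng = random.Random(rng_seed)        # fixed seed: reproducible findings
    seen, crashes = set(), []
    for _ in range(rounds):
        m = bytearray(seed)
        op = rng.choice(("bitflip", "truncate", "append", "lenfield"))
        if op == "bitflip":
            m[rng.randrange(len(m))] ^= 1 << rng.randrange(8)
        elif op == "truncate":
            del m[rng.randrange(1, len(m)):]
        elif op == "append":
            m += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
        else:  # overwrite the length prefix with boundary values
            struct.pack_into(">H", m, 0, rng.choice((0, 1, 0xFF, 0x100, 0xFFFF)))
        m = bytes(m)
        if m in seen:
            continue
        seen.add(m)
        try:
            run(m)
        except ValueError:
            pass                          # expected rejection, not a finding
        except Exception as exc:          # anything else is a crash signal
            crashes.append((m, type(exc).__name__))
    return crashes


def minimise(run, crash: bytes) -> bytes:
    """Shrink a crashing input by dropping trailing bytes while it still
    crashes; a smaller reproducer is easier to reason about and report."""
    cur = crash
    while len(cur) > 2:
        cand = cur[:-1]
        try:
            run(cand)
            break                         # no longer crashes: keep cur
        except ValueError:
            break                         # fell into the clean error path
        except Exception:
            cur = cand
    return cur


# ---- Static attack: pattern-match symbol names in a stripped binary ----
RISKY_IMPORTS = {b"gets", b"strcpy", b"strcat", b"sprintf"}

def static_scan(blob: bytes) -> dict:
    """Walk a NUL-separated string table (the layout of an ELF .dynstr) and
    report offsets of imports that are classic memory-safety hazards.
    Stripping debug symbols does not remove these: the dynamic linker needs
    the names, so the match works with no source at all."""
    found, off = {}, 0
    for sym in blob.split(b"\0"):
        if sym in RISKY_IMPORTS:
            found[sym.decode()] = off
        off += len(sym) + 1
    return found

# Constructed stand-in for a stripped binary's .dynstr section.
FAKE_DYNSTR = b"\0libc.so.6\0memcpy\0strcpy\0printf\0gets\0fgets\0"
# Constructed known-good message: length 5, payload "hello".
SEED_MSG = struct.pack(">H", 5) + b"hello"

if __name__ == "__main__":
    for m, kind in blackbox_probe(target_parse, SEED_MSG)[:3]:
        print(kind, m.hex(), "->", minimise(target_parse, m).hex())
    print(static_scan(FAKE_DYNSTR))
```

The fuzzer finds the length-field bug from behaviour alone, and the string-table scan flags `strcpy` and `gets` (but not `fgets` or `memcpy`) without disassembling anything; neither step would be helped by hiding the source, which is the FAQ's point.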

  • by kipd ( 1593207 ) on Tuesday July 27, 2010 @02:47PM (#33048932)
    Yes... No bugs, thoroughly tested: http://www.ccnr.org/fatal_dose.html
  • by jgagnon ( 1663075 ) on Tuesday July 27, 2010 @02:53PM (#33049000)

    Make sure you leave it off for at least 15 seconds before turning it back on...

  • by Anonymous Coward on Tuesday July 27, 2010 @03:10PM (#33049200)

    The typical FOSS argument usually involves living in a perfectly ideal world. You know, the kind of world where highly qualified individuals scour the internet for code to audit. And where Russian (et al) hackers don't scour open source code looking for exploits to cash in on.

    No, that's the strawman FOSS argument. Most of us FOSS guys are living in the real world, where neither of those things happen.

      FOSS doesn't rely on people "scouring the internet" - just the coders and users of a program tracking down bugs in a natural way, which will usually turn up problems in a timely manner.
      Some security group about 7 or 8 years ago ran a study of a few different webservers and their code flaws -- the result was that they all started out with a similar number of bugs, but the open source project slowly pulled ahead of the closed source project, as its bugs got fixed more often and faster.

      Also, Russian hackers don't "scour open source code looking for exploits" because finding a bad piece of code is an entirely separate issue to finding out how to exploit a flaw. Just because you've found an unchecked boundary or something doesn't necessarily mean you even can exploit it, and it generally doesn't do more than give you a hint of how it might be exploited.
      Which is a huge waste of time, compared to actually banging on the compiled program with automated tools looking for something that works.

  • Re:Makes sense, by Hatta ( 162192 ) on Tuesday July 27, 2010 @03:10PM (#33049202)

    This code doesn't necessarily have to be FL/OSS in my mind - let them keep the copyright

    Authors of open source software retain their copyright.

  • by Monkeedude1212 ( 1560403 ) on Tuesday July 27, 2010 @03:14PM (#33049244)

    I wish we could up-vote comments ourselves, I'd give this a ++.

    We do. You just have to earn them, that's all. And once you earn them, you can waste them on as many +funny's as you want.
