Interview: 'Devices based around software we can't control? It's terrifying'

[sincity]

http://cdn.mos.techradar.com/art/magazines/Linux/Issue%20176/LXF176.iview.karen_s_11-470-75.jpg

A cyborg gnome conjures up images of a garden ornament wielding a phased plasma rifle in the 40 watt range, so we're looking forward to meeting Karen Sandler, executive director of the Gnome Foundation and self-professed cyborg lawyer.

What followed was a journey through Gnome 3, security flaws in medical implants and why people shouldn't be jerks online.

Linux Format: I saw your presentation on closed source medical software from two years ago, in which you were talking about proprietary software used in medical implants. The intellectual case for free software there is unanswerable.

Karen Sandler: It was really weird to experience personally, being a lawyer at the Software Freedom Law Center; finding out that I needed this device, then finding out that it was based on proprietary software. Over the course of evaluating whether to get this device and having the magnitude of all of that sink in, I realised that it's not just my medical device; it's not just our lives that are relying on this software: it's our cars, and our voting machines, and our stock markets and now our phones in the way that we communicate with one another. We're building this infrastructure, and it's putting so much trust in the hands of individual corporations, in software that we can't review and we can't control. Terrifying.

LXF: Had you only just got the heart device when you found out that it contained this mystery software?

KS: I found out when I was 31 that I had the heart condition, and then it took me a whole year of struggling with the idea of whether I should get this device. First of all figuring out whether I needed one, getting doctors' opinions and then getting second opinions, and I kept putting it off. I took a whole year, and I finally decided I would get the device.

And then it took me a whole other year to do the research, because every time I read about the failures of these medical devices it affected me so personally. Reading about the failed insulin pumps other software failures on medical devices, people who got lethal doses of insulin… I would start working on it and then have to put the research away, and come back and start again. It took a long time because it was a very emotional issue for me.

LXF: Was that because of a bug?

KS: There were multiple reasons why the insulin pumps failed, one of which was that it was unclear which field was minutes and which was hours for the dosage time, and so people were setting minutes when they thought they were setting hours for the dosages.

I don't know whether you've read about this, but there's a guy called Barnaby Jack, who has done some really cool research in showing how vulnerable these devices are, and he has demonstrated that with an iPhone in a public place you can identify people with insulin pumps and pacemaker/defibrillators and in both cases can deliver a lethal result. I actually have an older device, because I was so freaked out about this. [Note: Barnaby recently died unexpectedly. You can read Karen's Gnome blog comment about it here].

http://mos.futurenet.com/techradar/art/magazines/Linux/Issue%20176/LXF176.iview.karen_s_3-420-90.jpg

LXF: It's pretty crazy that you can interfere with someone's heart by Wi-Fi.

KS: I was so freaked out about this. I kept trying to talk to doctors about it and they wouldn't listen to me, or they just didn't know how to handle the conversation with me. I had one electrophysiologist who I talked to who just hung up the phone on me.

I said that I can imagine that there are classes of people who might be attacked in this way. Think of the people who have these devices: people who have access to really fine medical care. What percentage of our politicians, or our judges, or other people in positions of power have these devices? Dick Cheney had one of these devices. It's not that hard to think about targeting, sending out a signal… so he hung up on me.

I finally found another doctor who understood the issue, and I got one of the older devices. You can talk to it with magnetic coupling. It doesn't have the wireless component. It's starting to run out of battery though, so I'm going to have to get it replaced. I'm going to have to confront it again, because there aren't any of the older devices left, so I'm going to have to get a new one, and they still haven't fixed this problem.

LXF: Have you made any progress on the medical devices?

KS: Only in raising awareness of the issue, which has I think been very helpful. I don't know if it's really because of me, but some of the jokes I have made have made it into other areas. Like, a joke that I had made in my early talks about this was also made on The Big Bang Theory. It probably wasn't me exactly, but I think just me talking about it in tech circles, you know, it captures the imagination.

It's been a plot point in CSI and it's been a plot point in Homeland, the TV show. I'm not so full of myself that I would take credit for these things, but describing the situation and talking about it I think makes people think about it in that way. There's been progress in popular culture and understanding that these devices can be problematic. There's been progress with the FDA in that it's announced now that there could be problems, but there's been very little discussion about the software transparency component to this, and very few efforts to curb the medical device companies.

The most believable reason I've heard for not requiring the device companies to publish their source code is that it will probably expose them to patent liability.

LXF: They wouldn't lose out on licensing fees; I can't imagine that one manufacturer would develop software to be used in another's pacemakers, for example.

KSL: It's a perfect example of where a proprietary business case makes no sense.

LXF: But I think it also sounds like a perfect example of fear, uncertainty and doubt about open source software, that people allow to flourish in business software, for example. Releasing their software and realising that there are these critical problems in the source code that could be taken advantage of.

KS: But these vulnerabilities exist in proprietary software too. This is why I'm so glad that Barnaby Jack and Kevin Fu do their work and demonstrate that these devices, where they're not publishing the code, are totally maliciously hackable. Security through obscurity doesn't work.

LXF: It seems silly to continue with this interview. Everything else is going to seem banal in comparison with having potentially buggy software implanted in your vital organs.

KS: OK, so we'll bridge to desktop environments from this: I was at a Usenix conference right after I gave that talk, a Usenix healthcare conference where I was asked to be on a panel with a gentleman who is in cyber security at the FDA.

That was amazing because one of the talks I heard at the conference was a woman who was showing an app that she'd made for her iPhone where the phone could talk to her insulin pump. She had a fitness program on the iPhone where she could keep track of everything she ate and all of her exercise. The iPhone could talk to her insulin pump and monitor her blood sugar levels, and basically tell her how she was doing with the exercise and her eating with respect to her blood sugar levels.

And first I was like "that's kind of cool" but then I realised: "Oh wow. Her iPhone is talking to her insulin pump!" We're relying on Apple for our health! To talk to our medical devices? When did that happen? We're building crazy amounts of infrastructure, and we're doing it by entrusting all this stuff to these companies.

LXF: There's the Microsoft guy over there [we all turn and wave at the Microsoft guy who is having a chat with someone on the other side of the room. He waves back]

KS: In a previous world we would have had a lot of government oversight and we would have had real infrastructure that was publicly motivated. We're making choices now that are going to be hard to go back on. We're building standards and we're building reliance on different kinds of software, and people don't even think about it. Software is just a tool right? Like a hammer? No one would think about the ethics or morality of a hammer.

But it's just not the case with software. If software isn't reviewable then we're in trouble. We need to build on free and open platforms, and that's why I moved to Gnome. Because now we use our computers for everything, and therefore they have to be usable, by everyone. If we keep making solutions that are not easy for everyone to use, we'll never get adoption. And if they're not built by an independent, non-profit driven structure, we're just making bad choices as a society.

When I first saw Gnome 3, I thought: this is the answer we are looking for. It's sleek, it's pretty, it is easy to use and it is different from anything that free software has done before. Two years later it still feels the same way. I love showing off Gnome. When I use it on aeroplanes people go "What is that? That looks so cool!" I think it uses the best of the PC and the Mac paradigms, so people can come in from both sides, and it's very easy for me to transition from society-critical software to the desktop, because Gnome is an ideological approach to computing and making sure that everyone has access to it.

In a free software non-profit world we can care about accessibility; we can care about things like bringing in more voices; we can care about all the privacy issues; we can care about things that may not be in the bottom-line interests of particular companies, because we're free software and non-profit.

http://mos.futurenet.com/techradar/art/magazines/Linux/Issue%20176/LXF176.iview.karen_s_15-420-90.jpg

LXF: Does it bother you that a lot of people are not too impressed by Gnome 3?

KS: You know, I think people have strong opinions about it, and people have been slowly coming to it. Gnome 3 was already well underway by the time I became executive director. And by the time I took the job Linus Torvalds had already said his negative comments about Gnome 3, and there was a storm of negative press.

There's something - I think it's press in general, but I think it's even more so in the tech press - negative press gets picked up so hard, and there was sort of this feeding frenzy (no one really covered when Linus started using Gnome 3 again, for example). And so it was really slow going at the beginning, but I think more and more people have come back, given it a chance and found it to be this great environment. It's just so pretty looking to start with, and it's so easy to use, so people who want to give it a try wind up being quite enthusiastic about it…

I'm not pointing any fingers, but because there's been a lot of fragmentation in the area it's actually made things a lot worse, because it's made, I think, people who maybe would have been formerly partners fan the flames a little bit. And I think that's sad, and I think that we should find all opportunities to work together to advance the GNU/Linux desktop together.

Gnome is very well known and differentiated by the fact that we actively dive into the stack and try to fix problems from the bottom-up. It's one of the things that Gnome is really well known for and one thing that I'm really proud of about our community. That's why there's a great Wayland track at this year's GUADEC (the Gnome Users and Developers European Conference). Systemd, PulseAudio, all sorts of great stuff that has come out of our community because of that philosophy, and this philosophy in particular is something that we should try to highlight and work together so that we have less duplication across the stack.

We as a whole are such a tiny, tiny percentage of the market, and when we can't give a clear answer to someone about what they should use or where they should start, you have 10 different projects going off in different directions, it's tough. I only care that free and open source software wins at the end of the day. I'm with Gnome because I think it's awesome. I think it's The One, but if another free software solution wins at the end of the day I don't mind so much; I just think we need to figure out what that is and all work together.

LXF: On the subject of all working together, can you tell us a bit about the Gnome outreach programme for women? My first question was going to be: "Why does the sex of the person who wrote my distro matter?" But then when I looked again at the numbers, it's kind of obvious that there's something wrong.

KS: It's amazing. Only 25% of all software developers are women. That includes all proprietary software. It used to be 30%. So you start out with that, which seems like a low number already, but OK, that's kind of understandable, women are less into software, I don't know what the reasons are, but OK. Then you look at students, and only 18% of computer science graduates are women. That also used to be a little bit higher, but whatever, It's sort of like OK, that's even less good; and then you look at free and open source software and all of the stats on the involvement of women are dramatically lower. The most I've even seen is 5% quoted but usually 3% or even 1% are the numbers used. It's an order of magnitude off.

LXF: Why do you think there's such a massive gulf there? I would have expected it to be the other way round; free software is supposed to be inclusive and happy.

KS: I don't want to get too much in detail about wondering why, because everything that I talk about is anecdotal. There aren't great surveys and research that show it.

LXF: That's a problem in itself.

KS: Yes, that is a problem, but I don't have that information. Actually the Ada Initiative is working towards getting more concrete data.

LXF: Doesn't GitHub collect information on the sex of its contributors?

KS: Do you want it to? I think there are studies that show that when you ask people to provide their gender, you're first of all asking them a binary question, which is not necessarily the right way to go because many people feel like they don't fit into one gender or another.

LXF: In the UK you can't go to the dentist, for example, without filling in a form that asks for your sex. It's annoying, but I can understand why they're doing it.

KS: You'll also find that of the people who don't respond, a much higher percentage of them tend to be women. So that skews the results as well. It's really tough to get a handle on those numbers. I'd rather just think about all the reasons that could possibly be the case and try to find acceptable solutions to them.

That's what we've been doing. You know, if people are jerks on mailing lists, women in particular get turned off. Anecdotally, that seems to be the case. You now what? People shouldn't be jerks on mailing lists. We should have friendly communities where people don't feel like they're going to be harassed.

LXF: But everyone benefits when people aren't jerks on the internet.

KS: Everyone benefits. And that's what we've found with the outreach programme for women. Each of the things that we've tried to overcome, we've found, makes our community better for everyone. So why not just do that?

LXF: What else do you do to make the community better for everyone?

KS: We have one big session at GUADEC - it's like a keynote basically, a keynote lightning talk session - where all the Google Summer of Code and Outreach Programme for Women participants just present their work. And it's great. For a lot of people English is their second language, so giving that talk is a major challenge. But then they have the confidence that they have presented in that way and the whole community has seem their work, and knows what they're doing and knows why they're there. That's great, and it has helped a lot with having people feel like they're more integrated into our community.

Actually it's not just have them feel that way, but really be more integrated, because when somebody else is working on something related to it they know that they should talk to that newcomer as well. We have an outreach programme for women and we've extended it to other free software projects and so we have 18 different projects that are participating through different distros. So we've got Debian and Fedora, and we've got the Linux kernel, and Wikimedia.

LXF: Subversion?

KS: Yes, as I understand it, Subversion didn't have any women contributing to it at all before it took part in our outreach programme for women, which is amazing. And the Linux kernel has a terrible track record in attracting women to participate. Now this summer there are seven women who are contributing to the Linux kernel actively through the programme.

So it's a programme that works, but one of the things is that we've been learning all these lessons at Gnome and we're trying to do the best that we can to give all our newcomers a shot. Not all of those things are going to be as incorporated into the other projects. We encourage other free software projects to make efforts to incorporate and newcomers at their conferences, but I'm sure they don't do the exact same thing as we do, and they're finding out what works for them.

We do now require that a $500 stipend is added into the internship, so the internship amount is now $5,500: $5,000 for the internship and $500 for travel. And that's because if you bring these women to events where they can meet the people they're working with, they're much more likely to stick around and form the relationships that we need in order to improve our communities.

So we can have the program, but if we don't actually keep some of these women and integrate them into our communities there's no point in doing any of it. We're trying to do the best we can at Gnome to make things better, but I think the different participants in the outreach programme for women will find their own way.

LXF: We're sold. How can we help?

KS: If you know smart women, just tell them about the programme. They can either potentially get involved in some way or another. We actually got a number a of great applicants from friends of mine posting on social networking, who were not even in free software. Just getting the word out means that women who are qualified…

There are exceptionally talented women who will go to proprietary software jobs without even giving free and open source software another thought. It'll get them thinking…

If you're in a free software project, consider joining us, and if you're working in a company, please, please, please, ask about sponsorship.

http://rss.feedsportal.com/c/669/f/415085/s/3585997c/sc/4/mf.gif

http://res3.feedsportal.com/social/twitter.png http://res3.feedsportal.com/social/facebook.png http://res3.feedsportal.com/social/linkedin.png http://res3.feedsportal.com/social/googleplus.png http://res3.feedsportal.com/social/email.png

http://da.feedsportal.com/r/186528155121/u/49/f/415085/c/669/s/3585997c/sc/4/rc/1/rc.img
http://da.feedsportal.com/r/186528155121/u/49/f/415085/c/669/s/3585997c/sc/4/rc/2/rc.img
http://da.feedsportal.com/r/186528155121/u/49/f/415085/c/669/s/3585997c/sc/4/rc/3/rc.img

http://da.feedsportal.com/r/186528155121/u/49/f/415085/c/669/s/3585997c/a2.imghttp://pi.feedsportal.com/r/186528155121/u/49/f/415085/c/669/s/3585997c/a2t.imghttp://feeds.feedburner.com/~r/techradar/software-news/~4/48c0x0u3ZfY