
Comment Lots of things are classified as medical devices (Score 1) 138

Medical devices don't just include things like implantable equipment (such as implantable defibrillators, pacemakers, pumps, etc.) but analysis equipment, and more recently computer software running on regular PCs (such as electronic patient records, order management systems, digital X-ray system/picture archiving and communications systems), etc.

Implantable devices have been in the public eye recently because they don't use very secure protocols. Typically, the wireless controller transmits a command prefixed by the serial-number of the implanted device. The device then ignores commands which are not prefixed by the appropriate serial number. This is OK for preventing programming the wrong device in a clinic situation, but a hacker could easily perform a replay type attack to cause the device to administer an inappropriate treatment or dose. One reason that manufacturers have given for this is an extremely limited power budget - strong cryptography simply burns too much energy for a device which cannot be recharged.

One problem that has concerned me as a user of medical software is just how poor the security is on a surprising number of products. One product that I use at the moment is part of an electronic patient record system. This system doesn't quite store user passwords as cleartext in the database. However, instead, it encrypts them with a Vigenere cipher (using the username as key). However, because of excess load on the database server, the software very conscientiously caches the entire "Users" table as a CSV file on the client computer. Yes, when I discovered the file, it didn't take long for the Mk I eyeball and my recollection of my password history (which was also documented in great detail in encrypted format) to determine the cipher and what was being used as the key. This was subsequently confirmed by running the binary through a decompiler, which revealed a number of other wonders such as potential SQL injection vulns. Of course, none of that really mattered - there was an interesting file called "C:\epr.ini" which contained such lines as:
[ClientDatabaseConnectionString]
Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=EPRORA)(PORT=1521)))(CONNECT_DATA=(SERVER=DEDICATED)));User Id=SYSTEM;Password=pyramid1;

However, even leaving aside such extraordinarily bad software from small IT contractors, even the big-boys in the healthcare arena seem to have problems with basic testing, and anything even vaguely corner-case will often result in strange behavior - and that's just routine use, I can imagine all sorts of vulnerabilities appearing if these software packages were subjected to serious attack.

In fact, even in healthcare systems which are supposed to be paradigms of good design, implementation is often very poor. Professor Ross Anderson in his book "Security Engineering" mentions a national security system used in the UK for securing health records, where an individual user's smartcard contains an individual certificate and permitted user roles, which interact with the software to release the appropriate records. On the face of it, an excellent system - and one that Anderson mentions as an example in his book. For a user, however, the implementation is a disaster area; it's unreliable (depending on a national authentication server - local caching was broken in the first 11 6-monthly releases) and vulnerable to DOS attacks. Authentication with the national server was hopelessly slow (taking up to 5 minutes) so was useless for doctors in a busy environment such as the ER. The Roles are administered on a national level, with no way to override errors in role allocation before the next 6-month release (e.g. the first few releases did not permit doctors to change the brightness/contrast of an X-ray that they were examining - this function was restricted to sysadmins only) - the user role administrators acknowledged that this was a serious problem, but refused to push out a hotfix, instead it had to wait for the next role release. In reality, the nurse in Anderson's example would not simply be restricted to her patients. Instead, what would have happened is that the first doctor on shift in the morning would have used her smartcard to log in, and then left her smartcard in the terminal for the rest of the day - with every other member of staff that needed patient record access piggy-backing on her login. This procedure was sanctioned by senior hospital management in recognition of the fact that the authentication system was unusable - and this sharing of logins led to further problems, with annotations being attributed to the wrong person.
In the end, the solution was for each person annotating a case record to sign their note with "This note was made by Nurse Doe at 11:41 on 1/2/2010", so that it was clear who had actually written the note.
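The password-storage weakness described in the comment above, shown beside a one-way alternative. This is an added example, not code from the product or from the commenter; the Vigenere alphabet, the sample username and password, and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import string

# Assumption: the legacy routine shifts over printable ASCII; the product's
# real alphabet is not given in the comment.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def vigenere(text, key, decrypt=False):
    """Shift each character of text by the matching character of key."""
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % len(ALPHABET)])
    return "".join(out)


def legacy_store(username, password):
    """Weak form: the stored value is reversible and the key is the username."""
    return vigenere(password, username)


def legacy_recover(username, stored):
    """Both inputs sit in the same row of the cached Users table."""
    return vigenere(stored, username, decrypt=True)


def kdf_store(password, salt=None):
    """Hardened form: per-user random salt and a slow one-way derivation."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def kdf_verify(password, salt, digest):
    """Re-derive from the candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    row = legacy_store("jdoe", "Spring2010!")  # constructed sample values
    print("legacy column:", row, "->", legacy_recover("jdoe", row))
    salt, digest = kdf_store("Spring2010!")
    print("kdf column:", salt.hex(), digest.hex())
    print("verifies:", kdf_verify("Spring2010!", salt, digest))
```

With the one-way form, a copy of the Users table cached on a client no longer yields passwords directly, although the cache itself still should not exist.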

Comment Re:money back if not delighted? (Score 4, Informative) 743

It's not the wiring per se but power quality. Voltage fluctuations where the mains voltage goes out of spec (brownouts and overvoltage) are a major cause of problems. Electronic power supplies are often heavily stressed by under-voltage conditions, because they increase their current consumption to compensate, resulting in increased heat production in the power supply. Overvoltage can result in internal components being overstressed.

The other problem is high-voltage "spikes" - ultra-short duration (a few microseconds) increases in supply voltage (to 1-2 kV), due to large electric motors (e.g. HVAC compressors) being switched on or off, nearby lightning strikes, etc. These voltage surges won't affect incandescent light bulbs, but will destroy electronic power supplies instantly. Things like PC PSUs are fitted with surge protectors internally, to protect them from this type of spike. Good quality CFLs and electronic lighting ballasts also contain decent surge protection. However, garbage grade CFLs, often leave out these components to save $.10.

The other problem with CFLs is that they are intolerant to heat. This means that care is needed over the type of fitting. CFLs are not suitable for use in enclosed fittings - they must be open to the air, otherwise you don't get any air circulation and the lamps overheat. While incandescent lamps are frequently-used "base-up", CFLs risk overheating the electronics in the base, when used in this orientation. CFLs are best used "base-down".

If you genuinely think there is an electrical problem at your home - then you want a power quality check. This would normally involve installing a data-logger in your house for a week, to see if there are any significant problems with voltages, spikes, waveforms, etc.

Comment Re:Philips (Score 5, Interesting) 743

I've taken apart a number of Philips' premium lighting products (both top-end CFLs and also electronic ballasts for fluorescent and high-intensity discharge lamps).

I was pretty surprised to see absolutely nothing but the best components. All the capacitors were either high quality metalized film, ceramic or premium ultra-long-life high-temperature Japanese Al electrolytic from a tier 1 manufacturer.

Similarly, the active components were heavily over-specified 100% avalanche rated rugged MOSFETs, with high quality protection (diode clamps and current limiting resistors) on the gate drives.

While cheap Chinese CFLs often use garbage grade components - I was pretty surprised at the quality of the commercial lighting products - but then I suppose that's why these units command such high prices.

Comment Re:better use (Score 1) 118

I've seen a number of projects like this.

I've seen one landfill with a couple of 1 MW generators selling electricity to the grid. Another sells the gas to the nearby village for use for heating the community centre.

Most recently, I've seen one where the landfill gas is captured and used to fuel the garbage trucks. (Diesel/CNG dual fuel).

Comment Re:Not *totally* drug resistant (Score 5, Informative) 346

Some of it is. TB requires prolonged treatment. 3 months is regarded as the absolute minimum treatment duration. 6 months is suitable for most cases. 12-24 months is needed for severe cases, or for cases affecting certain organs (brain or spine). Anti-TB antibiotics also have severe side effects - liver damage, nerve damage, permanent eye damage, they severely disrupt the biochemistry of other drugs (potentially causing them to become ineffective, or overactive), etc.

In poorer countries, patients/doctors may not be able to afford a full course of drugs, and may therefore cut it short. Uneducated patients may also stop the treatment when they start to feel better, and not carry the course through to the end (and in poorer countries, there may not be a system for doctors/law enforcement to trace them and bring them back for treatment).

Additionally, tests for TB are very time-consuming and expensive. It can take 8 weeks to get a drug-sensitivity test, and that's if the test comes back positive anyway (one of the problems with TB, is that it is very good at hiding, and the bugs are very difficult to grow). Where funding is constrained, diagnosis is simply by looking for the bugs in a sputum specimen with a microscope - which tells you nothing about the sensitivities. There is a significant cost of incubating the specimens on special growth media for 8 weeks, and a low success rate. Because of this, doctors in these countries may not be able to diagnose drug resistance, except when drugs fail to halt the disease after 6 months.

The avoidance of resistance in anti-biotic treatment is best achieved by mixing multiple drugs of different types. Conventionally TB is treated with a cocktail of 3 or 4 drugs. If, however, you use those 3 drugs, in a population that is infected with a bug that is resistant to 2 of them, then resistance to the single functioning agent, can develop very rapidly.

Things are changing with advanced test kits and DNA amplification technology, which are able to detect the genes that confer resistance, and give a result, with high accuracy and high reliability within 24 hours. The problem is the significant cost of this testing technique.

 

Comment Re:We still need incandescents for some things (Score 3, Informative) 473

My shop is lit with a row of fluorescent tubes and a bunch of very large (200 watt) incandescent bulbs. Winters are brutal on the fluorescent bulbs. They flicker a lot while the ballast warms up. As well we replace more fluorescent tubes each year in the shop than bulbs (why would cold affect the tubes?). Which is nice because the bulbs are 20 feet overhead. Getting reliable, energy-efficient replacements for these bulbs would be very nice but I haven't seen any yet.

The problem with fluorescent tubes is that they need a sufficient temperature to get the correct mercury vapor pressure in the tube. If the pressure is too low, the discharge current will be too low giving poor light out, and an unstable discharge leading to flickering. The tube will need an abnormally high voltage from the ballast, this will cause excessive sputtering from the tube filaments, shortening the tube life dramatically.

To an extent, the use of electronic ballasts can help, as electronic ballasts operate in an almost constant-power mode, whereas magnetic ballasts act instead as a current limiter. If the tube pressure is too low, the electronic ballast will still deliver near full power to the tube, whereas the magnetic ballast will severely underdrive the tube, leading to a prolonged warm-up time, during which time the tube is overstressed. Electronic ballasts also prolong the life of the tube and improve efficiency and reduce flicker due to the use of high frequency drive.

For extremely cold environments, you need to use low temperature fluorescent tubes. These use a different gas mix and mercury charge, this ensures that the discharge is stable and tube parameters appropriate at temperatures as low as -40 C.

Comment Not just your normal "download" infringement case. (Score 4, Informative) 647

It's worth pointing out in this case what the reason was that prompted the jury to award such a high award in the first place.

Both the plaintiff and the defendant in this case are software development companies. In both cases, they produce CAD software for home and home design use. In this particular case, the particular software packages in question were those for kitchen design.

Real view were developing a freeware CAD package which would be supported by premium-priced furniture, appliance and decoration add-ons. In contrast, 20-20, which was already a major player in this market, sold a fully featured package for $4200.

The infringement in this case was that real view had illegally downloaded a pirate copy of 20-20's flagship product, and then used that as part of their development process for their own product. In particular, they effectively cloned the GUI and a number of other features, so that users who had previously used 20-20's product could switch to the new real view product without retraining.

Comment Re:YouTube is done, somebody shut off the lights (Score 1) 392

You saw the car commercial because the uploader of the cute cat video requested that adverts be displayed before their video.

Youtube does sell advertising - and normally does it via not-too-indiscreet overlays. They do have an option for pre-video commercials. However, this is NOT the default, the video uploader must explicitly request this type of ad. The exception is where the video uploader has used 3rd party copyright content (either by using it from the youtube material library, where mandatory ads are the price video producers pay for using it; or the youtube CMS has detected content that matches reference material supplied by a copyright holder, and where that copyright holder has requested advertising income for that material's reuse).
   

Comment Bad IT isn't uncommon in hospitals (Score 4, Insightful) 213

Hospitals are often quite badly prepared for this sort of thing. A big problem is the number of computerised "medical devices" where the vendor insists on a very specific update policy (or very specific restrictions on 3rd party software).

I worked at one hospital where Conficker took the whole IT system down. A big problem in repairing the damage was that there were a lot of PACS (digital X-ray/CT/MRI viewing/storage) workstations where the PACS vendor would not permit the relevant Windows updates or a 3rd party anti-virus to be installed on the servers/workstations. They relented after a 24 hour stand-off, after they realised that there was nothing they could do to keep the system happy enough to meet the SLA without the updates and a suitable anti-malware.

I work at another hospital now, where similar lack of updates due to compatibility with old business apps prevents updates. E.g. The PCs still run XP SP1 (even the brand-new quad core Xeons). There also doesn't appear to be funding for updating anti-malware - the hospital use Sophos 7 (which became unsupported last year).

This hospital has chronic problems with virus/malware infestation on a number of office machines - but while IT can clean the computers manually, there seems to be a reservoir of infection on file-servers, USB drives, etc. So the infections come straight back after a manual deletion. This hasn't caused a catastrophe locally, so management don't seem to care, but it is a major annoyance, as infected documents frequently end-up getting e-mailed out to other hospitals/doctors and destroyed without trace by the recipient's e-mail system. Docs have been known to put the files on a USB stick, take it home, clean it with an up-to-date virus scanner and then e-mail it out.

Comment Re:Points 4. and 5... (Score 2) 227

I don't understand the "brute force" claim. In the article, they later explain:

"Note how the 'root' user tries to login at 15:21:11, fails a couple of times and then 8 minutes and 42 seconds later the login succeeds. This is more of an indication of a password bruteforcing rather a 0-day. "

This makes no sense to me. 2 attempts at a login, and then the 3rd succeeds? How is that brute force? Or is it just extraordinary luck (or an inept password policy).

While I don't regularly perform penetration testing, my current understanding of brute-forcing SSH passwords, is that it requires thousands or millions of attempts, with the hope that an IDS doesn't spot the attempted ingress and lock-down firewalls, etc.

To me, this looks more like a 0-day. A few probes with potentially exploitative malformed logins, until they find one that works on the specific kernel/SSH version.
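One way to put numbers on a login sequence like the one quoted in the comment above: for each accepted SSH password login, count the failures that preceded it from the same source and user. This is an added example, not code from the article or the commenter; the log lines are constructed in OpenSSH syslog format around the quoted times, and the date, host, address, year and threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample (not the article's log); only the clock times follow the quote.
SAMPLE_LOG = """\
Aug 10 15:21:11 host sshd[4101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Aug 10 15:21:14 host sshd[4101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Aug 10 15:29:53 host sshd[4188]: Accepted password for root from 203.0.113.7 port 40310 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def summarize_logins(log_text, year=2011, guessing_threshold=20):
    """Return one finding per accepted login with its preceding failure count.

    year is needed because syslog timestamps omit it; guessing_threshold is an
    assumed cut-off for flagging high-volume password guessing.
    """
    failures = {}  # (ip, user) -> timestamps of failures not yet followed by success
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures.setdefault(key, []).append(ts)
            continue
        prior = failures.pop(key, [])
        elapsed = int((ts - prior[0]).total_seconds()) if prior else 0
        findings.append({
            "ip": m["ip"],
            "user": m["user"],
            "failed_before": len(prior),
            "seconds_since_first_failure": elapsed,
            "high_volume_guessing": len(prior) >= guessing_threshold,
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_logins(SAMPLE_LOG):
        print(finding)
```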

Comment Re:It'd better happen quick then (Score 2) 311

I'm guessing that you don't make stuff with an MTBF of 10 years. An MTBF of 10 years means that each year 10% of the items are breaking down and requiring repair/replacement due to some form of break down. In most industries, with products that unreliable you'd be out of business pretty quick.

MTBF is a completely different measure to expected lifetime. The expected lifetime is just that - how long the device is expected to work for, before its performance becomes unacceptable (i.e. when the device becomes worn out).

MTBF measures how reliable a device is *during* its expected lifetime (i.e. before the device becomes completely worn out).
