Most of the discussion targets devices that are randomly-hijacked because they are built on garbage.

AFAIK, no one has hacked a device to get it to harm a patient or to suck data/code from it.

Some hackers are interested in the personal information in some medical records because it's worth something in the Medicare-fraud business, but that's more of a medical-records systems thing, where one would adopt financial-industry standards (not avionics).

Security is poor in medical devices because there's less risk: No money/power from hacking them means less risk of attack, so half-measures "work".

So the government does what it minimally can get away with. HIPAA et al are relatively low standards (mainly designed to avert medicare fraud). Even for devices requiring FDA premarket approval, the FDA only checks that you seem to have followed a procedure that you defined per their vague heuristics; in most cases the FDA won't even verify that your risk-tracing is complete. They simply don't have the bandwidth for validation, no less a security audit.

My guess is that until the secret sauce is in the software (i.e., not in drug molecules that are hard to manufacture correctly, or strongly tied to unreplicable sensors in something like an MRI), medical devices will remain a security backwater. Currently most DNA analysis is based on open-source software or at least published algorithms, with proprietary code only for performance optimizations, but who knows what next-generation sequencing will bring.

Unless hackers already are already in Bethesda hospital devices, waiting for the President's annual checkup...

I gave up on working in two major open-source projects because they were already controlled by their corporate sponsors. Voting and online discussion is largely sham governance; all real issues are arranged out-of-band. It doesn't even take a majority if you're careful.

Further, projects run by their objectives, since people who disagree leave. So making time a primary factor selects compliant developers.

But since OS has evolved into a way of proving yourself capable and compliant so you can get a good job, it's a classic win-win!

This report is about two things: (1) most "software developers" are just incremental writers or hacking on trivial systems; (2) companies want a perfect match between young (cheap?) developers and the companies' technologies.

What if it's a new/small company seizing the advantage of a freely-available new/exciting approach? Sure, there will be lots of self-schooled practitioners (and if they're not educated to think they know better, they're cheaper and more compliant).

But mostly companies work with legacy technologies in mish-mash systems, and they have a hard time finding people who know or love the technology. This is a variation on the "skills gap" that drives H1-B programs. The reality is that companies don't want to invest in training, particularly when developers leave as soon as they can find better work. My guess is, the companies would be better off providing work guarantees to older developers who wanted job stability, but that wouldn't fly at the C-level.

Now, should colleges teach practical skills? No. They're best learned in real practice, with real clients. Colleges will never be up-to-date with technology or business trends. Schools should focus on developing insight and analysis required to solve large problems and cut through B.S.

Be good at what you do, but don't forget to take care of yourself.

Success and happiness depends on realizing work is not a meritocracy. Your co-workers and customers have their own agendas. You can laugh about it or cry about it, but accept it and decide how you'll make your way. If you choose a path of integrity, you at least have pride when you lose. But expect that co-workers lacking integrity will learn to destroy you, and others will learn to depend on you, particularly if you are any good. Neither will support you.

Overall, luck is random, which means the more you try, the luckier you'll be. If you learn your lessons and cut your losses, it'll be a net gain. But there's little point in random bouts of luck. The only way to become something is to imagine that and start doing it -- which means giving up good things that don't help, and not devoting yourself to someone else's cause.

And if you are successful at any scale, you'll be leveraging many things - a social network, opportunities/timing, investments and investors - that require constant maintenance and leave few degrees of freedom.

(There's no rest for the wicked, and the righteous don't need it.)

Programmers tend to stay naive about this because they trained in rationality, code all day, interact mainly with other coders, and believe their work evaluations couched in pseudo-objective, individualistic measures and backed by money. But to others in the business (yes, even at Google), coders are monkeys at a keyboard, and the only question is how many you need.