CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Hi, hi, it's 10:00 a.m., guys. Hi. Okay, so quick and dirty intro. I remember you, hey. Quick and dirty intro of the Biohacking Village: this is our fourth year. Last year, also, I talk fast, please let me know if I talk too fast. Fourth year. First year we had nine talks, second year we had 27 talks and two demos, third year we had 37 talks and three demos, and I came to the realization that we weren't really encompassing the whole medical ecosystem. So what we did this year was we have a talks village; next door in Palermo we have a medical device hacking village with four different companies that brought their medical devices (we have BD, we have ICU Medical, Philips and Thermo Fisher, as well as antique medical devices in case you want to look at those); and then the village next door to that, in Siena, we have an implant village, implant slash wet lab. So you can go on the website, which is villageb.io, and sign up for the implants, and that's going on today all day and Saturday morning. Saturday afternoon we're having a wet lab with Michael, who's doing a talk tomorrow, as well as a badge workshop. The badge this year we changed a little bit, we did it based on microfluidics. Do you know what that is? So if you don't, come over tomorrow, the badge maker is giving a talk about it and he's gonna have a lab to show you guys how to use it. Really awesome. And then Sunday we're going back to implants. I think that's all I got, so I'm throwing it back to you. Hi.
Great news, I'm using my voice, perfect timing. I'm just gonna start off by saying a huge thank you to Nina, all the other organizers of the Biohacking Village, and particularly our sign language interpreter, who I'm hoping is gonna make me sound a lot smarter. Please, I really, please. Okay, so before I get started I'm just gonna have like a quick disclaimer. I think there's a decent chance that there'll be people in the room who have participated in perhaps some of the disclosures I'm going to talk about, or who work in organizations involved in them. You may well have more information about the disclosures than I do. I'm sharing sort of an external perspective on any that I wasn't directly involved in; it's really just sort of like, here's the lessons I grabbed based on what I saw happen. So don't judge me too harshly, and if you want to kind of educate me after the fact I'd love to learn more about it, but please don't stand up and start screaming at me. I don't react super well to that, I get sweary, and then it's really awkward for the interpreter, she has to deal with that.

So who am I, other than just being sweary and British? I'm Jen Ellis, I work at Rapid7, and my general sort of thing that I do is I try and figure out how we can create positive social change around security, since security is a societal issue. So there's a lot that we do: we do a lot of vulnerability research, which we disclose through coordination to try and help people understand the real risks; we also work with the government, we try and get policy changed to reflect better cybersecurity practices. This is actually me testifying to Congress, where I brandished a vulnerable toy, which succeeded in making them think I was completely insane, so that was good. In terms of vulnerability disclosure, I have worked in vulnerability disclosure for, I don't know, eight years, maybe a bit more than that. I have probably worked on like, you know, a couple of hundred vulnerability disclosures in that time. The thing that's sort of interesting for me about me on this topic is that I started off on the reputation management side, so I was the person in the technology vendor organization who would be like, oh, this looks like it's bad, we should kill it with fire. And so to begin with I was like, all researchers are bad news, we don't like them, that's terrifying. And then I kind of had my come-to-Jesus moment, I got converted, and now I've testified to Congress about how we can protect security research, and I have some of my best friends in security researchers.

So I've done a lot of vulnerability disclosure, and one in particular I did in 2016, which I'm sure is your main memory from 2016 because not much happened that year. I worked on a particular vulnerability disclosure that was in the medical device sector. The reason that I did that was this guy here, who some of you may know, Jay Radcliffe. Jay is a type 1 diabetic, and in 2011 his primary care physician recommended that he move on to an insulin pump that would be connected to his body, and because he works in security he thought, well, if I'm connecting things to my body I'd kind of like to know what the deal is there, how secure it is. So he did a bunch of research on it, and at that time he became somewhat known in the security community as a medical device researcher. He also had a lot of learnings from that experience. It wasn't like his favorite thing ever, because what happened was there was this huge hype about it, and understandably patients got really concerned. Back in 2011 medical device research wasn't being done a huge amount, the press still sort of went into a frenzy over it, there wasn't a lot of sophistication, and so there was this huge hype cycle. Jay ended up with patients' parents reaching out to him saying, hey, my kid has one of these devices attached to them, should we take it out? That's a really awful position for a security researcher to be put in, and it was actually quite traumatic for Jay to be put in that situation. He's not a doctor, he's not the person who should be making that decision.

And so the great thing for me working with him in 2016 was he brought all that experience and that knowledge and that thoughtfulness with him when he again started to look at an insulin pump, and again it was because his doctor said, hey, I know you didn't want to have one last time, but you should reconsider. So there we were, five years on, and we were looking at the Johnson & Johnson Animas OneTouch Ping. Now the way that this bad boy works is there is a device that connects to your body that delivers insulin, and then there is a remote control that you would carry with you that communicates to that device. The remote control monitors your insulin level and then it tells the device, hey, it's time to release insulin. It communicates via radio frequency, and that radio frequency can be either disrupted or it can be spoofed, so you can either withhold insulin delivery or you could potentially push a fatal dose. That was Jay's research, that's what he discovered. So he came to us (he at the time worked with Rapid7, doesn't any longer, but he did at the time), came to us and said, this is what I found, and we were like, okay, well, we should do something about this, we should go out. But we knew that there were some challenges. Vulnerability disclosures are not always super popular, and so we had a good idea that this one in particular might cause some heartache. It was gonna be a little bit different, even with the experience that I have and a bunch of Rapid7 people have around vulnerability disclosure, the number of them that we've done (I mean, the team that we have have worked on hundreds and hundreds). We knew that this one was going to be a little different, and there are a few reasons. I mean, the first was we were talking about something that involved life and death, and we didn't want to like go crazy and say, like, people will definitely die, like, that's it, we're definitely gonna kill people with this thing, because the reality is that for an attack like this you have to be within a proximity, you have to have the right technology, you have to know that the individual has the device, and you have to know what to do about that. So you're talking about super targeted attacks, and your average person doesn't have the right profile to be targeted like that. So we knew likelihood was low but potential risk was high, and we tried to balance those things. Still, when you're talking about something that can relate to and can result in death, you handle it very differently to how you might if you were talking about something that's to do with networking, for example.

Another thing that made this a little bit different, a little bit challenging, was, I don't know if you've heard of Johnson & Johnson, but they're kind of a big deal. Rapid7, on the other hand, is, you know, we're growing, right, we're growing. So we were kind of aware that we were going to be reaching out to this organization that is hundreds of thousands of people, would have a very complex organization internally, probably would have like a varying amount of security knowledge internally. We knew that they would have an army of lawyers, an army of comms people, people who were much like me in my old job, where I was like, kill it with fire. And so we thought that was all going to be quite difficult to deal with. We also knew that they operated in a highly regulated environment, and that that would probably make them more defensive
about getting a vulnerability disclosure, because there's a lot of fear about what their regulator is going to do, how they're going to respond. And when we were doing this disclosure it was not that long after the FDA had come out with their postmarket guidance, so we knew that there was going to be tension around that. And then the last thing that really kind of changed the dynamic for us was we knew that with Johnson & Johnson, typically when somebody kind of knocks on their door and says, hey, there's a problem with the product, they're like, and here are five hundred of my closest friends and we have a class-action suit for you. They're not really kind of knocking on the door and saying, hey, we found a problem in the product and we want to help you fix it. So we knew that there was a likelihood that they would probably, one, not have a reason to trust us, and, two, err on the side of protectionism and conservatism, and basically be like, here are all the ways [inaudible]. So we were apprehensive going into the disclosure.

We got lucky, we got super lucky, and the reason we got lucky is because of a guy called Colin Morgan, who some of you may know. By the way, the subtitle of these slides is "An Ode to Jay Radcliffe and Colin Morgan", who I love, and they basically took us through this process. Colin was on the security team at Johnson & Johnson. He had been engaged with the guys from I Am The Cavalry, some of whom are in this room (quick thank you to them for everything they do), and he had had his own come-to-Jesus moment where he'd been like, hey, we make stuff that impacts people's healthcare and their safety, and so we should probably think about security from the ground up in that. And so he had been on a two-year journey inside Johnson & Johnson. I made it sound like he went on the journey to the center of the world, and maybe he did, he probably fought great battles, and he was trying to get Johnson & Johnson to change their processes, build a vulnerability handling program, and he succeeded. So he got them to build this program. We happened, just coincidentally, to knock on their door a week before that program launched, which was either really great or really terrible timing, depending on your perspective. We ended up being his test case, essentially, is what happened, and so there was a lot of education through the process. But because Colin was there, and because Colin was very understanding of what vulnerability research is all about, he understood what our intent was, he gave us the benefit of the doubt, he pushed the engineering team to really take it seriously. Because we had that person internally who could be the advocate for us, it made all the difference, it was a massive game changer. And what it meant was that through the process we were able to constantly come back to this unifying point of, how do we protect the patients? Once we had got the idea that there was a level playing ground, that we both recognized we wanted to protect patients, it didn't matter that the details were difficult. And we would argue over the details, and frankly Colin and I had some pretty late-night phone calls so that we could vent at each other before we got on the call with all the rest of the team the next day, where we could be really calm and be like, this is what we're doing, this is what we should do. So because we had that opportunity and we had that trust, we were able to really prioritize what was best for patients. That doesn't mean there weren't surprises along the way. One of the coolest things was that after J&J had verified the vulnerability, they decided that they would proactively communicate with patients, which I think the FDA told us was the first U.S. medical device manufacturer proactively communicating with patients about a cybersecurity risk. So that was great, and we were super excited when they told us they wanted to do that. And then they told us that they were sending out letters, and I felt like I had gone back in time. I didn't realize that letters were still a thing, and I didn't really know how to process that or plan around it. So we had some interesting conversations about at what point does a thing become public, because they wanted to have us do our part of it at the point that the last letter was received, and I was like, but the first person who gets the letter is going to take a photo of it and go on Twitter, like, have you met social media? Which, for some of Johnson & Johnson, possibly not. So again, because we had built this sort of relationship and this trust, and we'd been really kind of partnering with them on timing and all those kinds of things, we were able to solve this problem and come to an agreement. They actually changed the way that they do the letter sending to fit in with our recommendations. And sure enough, the first wave went out, someone took a picture of it and stuck it onto Twitter, and I was kind of like, I'm just going to send this to you and not comment on it, I'll just leave it there. And so it's great, we managed it together, and as I said, like every time that we disagreed (and there were times where we were like, no, it's this way, no, it's that way) our unifying thought was always, how do we protect people best? We didn't want to cause panic, we didn't want to create an opportunity for adversaries, and so we were able to kind of come together to save the world, if you will. Because we took that approach, it meant that when we went out with the story, J&J were able to control the message. They were able to go out with this really positive message, and that meant that the press covered it as like a sort of affirmative action from Johnson & Johnson
that looked very positive towards patients, and in fact the response that we got was very positive. People thanked us for taking a really thoughtful approach. The advice was not, hey, you should rip this thing out of your body; we were really clear from the beginning about that. Actually, for people who are interested, the advice was don't use the remote control. You didn't need the remote control for the pump to work, you would just have to manually control the pump, but it would still work fine. So that's what the advice was, and we got a lot of people who reached out to us and thanked us for the approach that we took on that, and we didn't have hysteria from patients. Nobody asked Jay if they should take their kids off the thing, he didn't have to deal with the trauma of that. And the FDA were also super positive about how all of this went. I'm just gonna give you a second to read this. I normally hate telling people to read a slide, but I think me reading it out would be a little bit weird. The nub of it is that the FDA basically said that this is the example that they want other manufacturers and researchers to follow, because of the way that it minimized patient impact.

So, a quick recap: what did we learn from the process? I cannot emphasize enough the importance of investing time in building trust and empathy. Regardless of whether you are on the manufacturer's side or the researcher side, you need to approach the table with the benefit of the doubt and figure out how to get to common ground. For us that common ground was all around what's best for patients. It will be different in every scenario, but I think that you just need to identify what it can be and use that as your guiding principle. Another big learning for us that we were really clear on is that just because the thing can cause harm, it doesn't mean it will, and that we wanted to really avoid creating fear, uncertainty and doubt. We didn't want to be sensationalist in the way that we communicated this out. The whole incident with the letters highlighted to us this whole thing about expectations and being really clear on the detail. If we hadn't gone into every detail and really kind of zeroed in on that, then they would have sent out letters and we would have had no clue what was going on, and the next thing we know we would have not had control of the narrative and it could have blown up on us.

This is a note to researchers. So Rapid7, as I said, we do a lot of vulnerability disclosure. We have a published process. The process is we go to a vendor and we tell them about it, and 15 days later we go to CERT, and then CERT's clock starts, and CERT's clock is 45 days. So in total our published timeline is 60 days before we will go public. However, and it says this on our website, if a vendor is engaged with us and we see that they're taking it seriously and they're working on it, we'll obviously try and be flexible with them. We have no desire, and there's no benefit for anybody here, in sort of, you know, pre-empting and going out before people are ready, particularly when you're talking about something like a medical device. Because Johnson & Johnson were engaged in the beginning and we knew that they were taking it seriously, we were happy to wait. So in total it took about four months from beginning to end, which I don't think is a particularly bad timeline; I think that's a completely reasonable one given what we were dealing with. I think for researchers you have to decide where your line is. I'm going to talk a little bit later on about a disclosure that happened yesterday where I think the timeline has demonstrably been too long, and so it is hard as a researcher to decide how much leeway to give (I was about to say rope, but I'm gonna back off from that), how much leeway to give the manufacturer on timing. And I think you have to judge it based on, one, the potential harms, and, two, how engaged you really think they are and how seriously you really believe they're taking it. So public disclosure can be handled in a way that does not cause trauma. I think that number six and seven here were probably the biggest learnings for Johnson & Johnson. I think that they would never have anticipated that
this could be the case going into it, based on their prior experience of generally bad things, whether it's medical devices or not, and so I think this one was a pretty big learning on their side. So that's the J&J one that I worked on personally. Now I'm gonna talk about some others, because at the same time that this was going on, this was also going on. I'm expecting that some of you are fairly familiar with this, and so I'm not gonna like pick up on it too much and go into what Muddy Waters did or didn't do and who was in the right, who was in the wrong on this. What I will say is the research itself was done by another entity, not Muddy Waters, and once they had that research they gave it to Muddy Waters, they sold it to Muddy Waters, and Muddy Waters then used it to short St. Jude's stock. I think the lesson here that I would take for researchers is there are lots of researchers who find things and they don't know how to handle disclosure, they don't want to do a disclosure, they're afraid of legal repercussions, they're afraid of taking on a big vendor, they have a day job that doesn't allow time for it, they discovered it during the course of their work and their employer doesn't want them to do a disclosure. There are all sorts of reasons that researchers don't want to do disclosures themselves. We recently did a disclosure in an electronic medical record system on behalf of a researcher who had discovered it in the course of doing his job, and his employer didn't want him to be the one to kind of step into the limelight, and so we took it on. I would just say that as a researcher, if you are going to hand your research off to a third party, just be really careful with who that third party is and make sure they're aligned with your goals, make sure that you're not handing off to somebody who's going to handle it in a way that you perhaps wouldn't have wanted, and that you're not going to lose control of the narrative in a way that feels concerning to you. There are lots of third party bodies that you can work with. For example there's ICS-CERT, which I understand is now known, all of ICS-CERT is now NCCIC; like, the function is still there, it's just under a different name. So NCCIC will make the disclosure for you. You could reach out to the FDA and they'll make the disclosure for you. There's all sorts of things that you can do if you want to hand it off to somebody else. There's also ZDI, if you want to look at another body. The I Am The Cavalry folks will be happy to help you, you can reach out to them, and you can also check and see whether the vendor has a bug bounty program, and if so you could reach out to the company that manages that. So there's lots of different ways you can do it that mean that you won't necessarily have to lose control. The other thing I think that we can take as a lesson from this is that not everybody is motivated by a concern for patient care.

So, Philips. This one happened, I want to say, around about March this year. Philips disclosed a number of vulnerabilities in their imaging systems, and I kind of wanted to talk about this one because this has privacy concerns more than harm concerns. I think there's a lot of dialogue in the media, particularly around medical device vulnerabilities, that makes it seem like everything is a plot twist from Homeland, and the reality is like a lot of it's not anything to do with that, but it can still have a really big impact. The other thing I wanted to flag about this is that Philips takes vulnerability research really seriously. They're actually pretty sophisticated in the way they handle this, and because they do it habitually and they've built up really great processes, it's become kind of business as usual, and I mean that in the highest possible esteem. I don't mean that as like, oh, having vulnerabilities at Philips is business as usual. Everybody has vulnerabilities in their technology because they're made by humans, and as we know, to err is human. I think the key here is that they've got to the point where they've taken the hysteria out of doing it, and so they've got to a point where what they're showing is just real transparency to their customers, real accountability to their customers, and they're demonstrating that responsibility in addressing these issues really quickly. I think that's awesome, I think that's what we should all strive to get to, frankly.

GE. This happened also in the spring, I believe. This was a series of technologies from GE that have hard-coded or default passwords. I like this one because that is a thing that we have known about for a really long time as a no-no in security, but people still do it, right? And I think what that highlights is that generally speaking there's a pretty big disconnect still between engineering teams and security, and I think that there's a lot to be done. Like, if you in this room work at a medical device manufacturer, the thing I would urge you to do is, you know, take Colin's journey and figure out how do you go to engineering and build security in from the ground up, how do you do secure by design, how do you educate them on things like why hard-coded passwords are a really bad idea. And I think that we are seeing progress on that. There are people who have taken that journey, who've taken on that battle, and there are lots of people who, you know, really really care about the product that they build and how it impacts their customers, and so they want to get this right. But there's still a way to go; we still, you know, even organizations as sophisticated as GE who've been around for a really long time still have challenges with this stuff. The other thing that I like about this example is the researcher who disclosed this is a guy called Scott Erven. You guys might know Scott, he does a lot of research in medical, he's been doing medical device research for a
really long time absolutely as long as Jay has they were a couple of they're like first people doing it and when Scott started he was I think he would be fine with me saying this if you were in the room he was pretty bombastic about it and he was like pretty gung-ho with the vendors about how to address this stuff and that was really terrifying for them and so what he would get is like he'd go to vendors and he had all this goodwill and he wanted to help them fix it and like solve the problem it was all very well intended and they would be like Oh God and they would take a massive step back and then they would disengage and then the process would become slow and unwieldy and not great it was hard to build the trust that we talked about the empathy and Scott has like massively changed that he's built his credibility in his face he's built an approach that is based on building credibility and Trust and now he has this great relationships where he can go out and talk about this stuff and really see people taking it seriously and responding to it really quickly and I have you know a lot of respect for that like a lot of kudos to Scott for doing that so my last example that I'm gonna go through is not a company it's a person again somebody who's doing doing medical research for a really really long time and I'm sure that lots people in the room know about Billy he's the founder of white scope yesterday Billy released some research with his research partner Jonathan bats from QD and the research was on Medtronic pacemakers now the thing that's interesting about this one is that Billy and Jonathan reached out to Medtronic two years ago it took me on ik 10 or 11 months to even verify the vulnerabilities I even with my like hey let's give everybody for the benefit of the doubt and like let's take time and make sure we do this right basically I sound like a goddamn hippie even with that I would say I think that 10 or 11 months is an outrageous amount of time to verify 
vulnerabilities particularly when you're working with researchers of the caliber of billy and jonathan who I'm sure were absolutely walking them through the process and investing time and effort in helping them understand the risk and what happened I'm sure that they had video demos I'm sure they had great proofs of concept so verifying taking that long is kind of outrageous and now here we are two years after initial vulnerability disclosure and those issues have still not been addressed and I think you know you can understand technology as complex the stuff takes a really long time to develop it takes a long time to fix if the issues are profound however there needs to be a really strong focus on it there needs to be a real response of taking it seriously and I think that this is a situation where although the has signals that they're interested in vulnerability disclosure they have a vulnerability disclosure path on their website all that kind of stuff it seems as though and again this is me third party looking in on air from the outside I don't know what the difficulties are they deal with internally but it does seem as though that commitment to handling the vulnerable disclosures and actually like internalizing them into the product is perhaps not as strong as it seems from their website and I would really encourage them to change that okay so a recap of the learnings that we've had from the third-party disclosures again be careful who you partner with not all medical device disclosures are going to be over nobility is going to be a matter of life or death I'm really really happy to say that that's the case as you build your experience they will become less disruptive which is great because you want less disruption for your your customers I mean ultimately that's the goal right is make your customers happy don't get sued everybody's a winner like that's that's good stuff ICS can help manage the process although end kick I'm sorry I like apparently I was a 
little behind all the times on that one and kick for those who don't know is MCC I see and if you google it there'll be information about how to work with them and dispose of them there are a lot of known security problems that continue to arise going back to Johnson and Johnson and the one that we worked on the root cause of the issue was that that communication was long encrypted but people have known about encryption for a pretty long time it's kind of a thing I mean it's enough of a thing that the government wants us to backdoor it so there's no excuse not to build encryption in particularly when you're dealing with something this sensitive so the other thing that I wanted to talk about is with all the examples I've given not one of them has required a reauthorization through the FDA of the product and there is this great myth that goes around but I hear all the time of all we can't address this issue because we'll have to back through reauthorization that's just not true in most cases and then the last one is you know having a vulnerability disclosure email address on your website or a form to fill in is not the same as I having an actual process or program where things will really get prioritized and get done internally and you need both a welcome mat doesn't really amount to much if there's like no house on the other side of it so with all of those learnings in mind why does all of this matter I'm guessing that everybody is familiar with what this is if not this is this is what wanna cry look like so you can probably tell from my accent that I'm British want to cry hit hard and when wanna cry hit there are a lot of hospitals in the UK that closed 88-yard hospitals closed a good proportion of those I think 60 ish they had been hit but they didn't know what extent they were gonna suffer they had no way of knowing what level of exposure they had or how bad it would be because they literally didn't know how vulnerable they were what vulnerabilities they had in 
their environment and that's from what I understand from talking to healthcare organisations that's actually super common there's just a real lack of understanding of what they have and what's going on and as a result with situations like this arise the outcome of it is pretty dire it's more it's disproportionately bad and so you end up with the situation where hospitals close people get turned away they didn't get operations they needed because they didn't know if they're vulnerable this issue is so big and so important that the FDA has spent a whole bunch of time working on it they brought out their post market guidance a few years ago well before wanna cry wanna cry I was like added a lot more scrutiny from governments both in the US and UK around the world but even before that happened the FDA had been working on this post market guidance encouraging vendors to behave in certain ways around security they continued to push for this stuff I would just say I don't know if anyone hears from the FDA but I would like to say a massive thank you to them the work that they've done and particularly the way they've approached it they've partnered with the security community to make sure they're getting right getting it right getting the right expertise into the conversation they have really done great things and they're not now resting on their laurels and going hey like we have a document it's all good which is something that sometimes I like to do instead they are looking for what's the next thing they can do how can they push this further how can they do more and I think that's also another reason to take this seriously is because oh look we have a whole bullied village on it it kind of seems as though people care about vulnerability disclosures in medical devices I'm hoping that's the case other places keynote is going to
have been a bit of a disaster but hopefully you guys care about this and this is a topic that you're interested in and I think there are lots of people who care about it I think that the media also care about it which means that lots of other people care about it because they read about it and also in super sci-fi and scary and that makes people go what's going on and again it's in homeland so that's that that makes me compare about it so it's all like a serious thing on top of that I'm actually gonna see does anybody know what this is okay great the Library of Congress does anybody know why I have a slide with the Library of Congress on it other than Josh is sitting on the front row nodding patents is a it's a close guess yeah yeah it's very good okay so the librarian of Congress makes the final decision on DMCA exemptions and three years ago there was in 2015 the librarian of Congress said we shall have a exemption to the DMCA on on security research provided it's done within this sort of like box of what it should look like which is basically like do it in a safe testing environment that kind of stuff and that was a real game-changer because all of a sudden researchers who'd been sitting on volume hoodies and afraid of disposing them were something like oh hey like I'm not gonna get arrested I should turn again to suppose this and it was a wake-up call for medical device manufacturers who no longer had that like handy DMCA stick to beat people with and so that was a really good thing and it's been part of changing the ecosystem and this exemption is going to I this is a bold statement to make but I'm gonna say this exemption is going to get re approved it's gonna it's gonna roll over it may even go further so as a medical device manufacturer you're going to continue to have people knocking on your door and you need to know that again though you're not alone because there is an organization that has a very out date like every they should say n kik and you can 
work with them they have guidelines that you can follow on how to do this stuff I think the big thing here is that we are evolving like we have definitely made progress in this field in the years since Jay did his initial research which was 2011 this field has changed to a point of being unrecognizable from what it was and people now are so much more thoughtful about how they do this we see there are medical device manufacturers like Philips like J&J who have really great practices in place now they've got really good at how they do this and you know that is a really major thing that is a really positive thing the environment has changed in the best possible way and it's continuing to evolve again things like the bio hacking village play a huge role in that people like you coming together and looking and stop and talking about it sharing information helps to continue to move us forward and so I want to thank all of you for doing that I think it's really awesome and I think it means that together we'll be able to embrace the future that we all dreamt of where technology is safe to use when we fly around in bubbles thank you okay so or any questions hopefully I told you that questions what what's next for Medtronic yeah I'm obviously they've they're not doing anything after two years what's the next step to get them I think that sorry the question was what's next for Medtronic they they haven't they haven't got where they need to be in the two years since Billy and Jonathan's original disclosure where do they go from here I think that the the answer is energy one since there's a cynical wall in the Muslim my optimistic --kavitha one the capacitor one is that my big hope is that they will continue to work on the issue that they'll continue to take you seriously they'll continue to invest time and effort on it the cynical one is DHS and the FDA are involved and you know they are the FDA is the regulatory authority in this space and I believe that they will evaluate 
whether action needs to be taken and they'll push Medtronic accordingly any other questions do you think more regulatory frameworks are coming on the road do you think there's a push from the industry to say from the consumer side there's a lot of consumer groups and the lawyers are definitely all over this so do you see that six months from now a new regulatory framework is going to be announced that is really going to push the medical vendors yeah so the question was do I think that there'll be regulatory frameworks coming will it be more legislation etc I think there's certainly an awful lot of discussion about it both in the both in Congress and an administration so Congress is looking at legislation around things like IOT procurement labeling for products basic security hygiene measures for privacy and and adding for protection against arm and there are bills that come out around those things fairly frequently and they're sort of like increasing in in sort of intensity and interest and support every time there's a sort of new major milestone headline those bills kind of come up again and they get discussed more so that's the sort of hell piece and then in the administration as I said the FDA is is really focused on cybersecurity Suzanne Schwartz and south comedy who are here somewhere they led the effort on the post market guidance that absolutely phenomenal really knowledgeable work really close to the community and they're definitely looking at how and they can continue to help with the issues and so you know you have to balance right like nobody wants to create a lot of like very burdensome regulation that has like holds innovation back and the hurts patients that way right like we recognize connected technologies are a thing because there's huge benefits I don't think anybody like thinks otherwise patients definitely benefit from using these technologies but they have to be able to do so safely so the FDA is trying to balance those two elements together 
and they're likely to kind of go and wander in some direction I feel like mr. Korman here wants to share something - okay great so what he was just saying Suzanne is gonna be around 8 o'clock tonight at do no harm if anybody wants to talk to her about what she's working on and where they're going with this and in terms of regulation Thank You Josh that's you okay it's at the main track octavius 9 oh my god this is so great who else has information they want me to share if you own the white Ford for this project any any other questions so now
without further ado our next feature has been with the bio hacking village since the beginning focusing on the interface between computation and my advisors he is currently working on a doctorate in environmental engineering focusing on microbial partners to isolate pollutants back at the dawn of time he was a graduate historical researcher focusing on WMD warfare but fell into the IT field in order to make ends meet now without further ado I'd like to introduce my friend mr. Burrage attendees today's topic is blue team bio using kill chima kill chain methodology to stop bioterrorism rule notes Who am I as we mentioned I am a PhD student in the biomedical engineering at a very ripe old age I've got 20 years in the IT industry because you got to make make right somehow so my fourth year at the the DEFCON 5 hacking village and in my first year we had some issues technically so we've got official virtual rubber chicken for good luck today's agenda slide we're going to go through bioterrorism get a quick definition talk about some genetic engineering methods talk about the actual kill chain methodology as a as applied in information security and then talk about the various steps that I'm seeing as a bylaw a biology kill chain method recon development weaponization staging and delivery and then we'll have our conclusions so why this talk well first off we're now at the point where were Dean Engineering's actively be used to alter human DNA in the field and last year you know there was a main track taught by the chief medical officer of Intel dr. 
John Santos regarding genetic diseases to guide digital hacks of the human genome and he presents a nightmare situation about gene engineering techniques which are cheap perfectly reliable and easily accessible his thought was basically if you made genetic engineering as easy as computer programming and as reliable replication can you hear me if you had as reliable of replication as you have with digital copying you can have run into some real issues so the analog is actually malicious code development that's why he brought it to Def Con to discuss and in keeping with that you know I thought well I work on blue team I thought his talk was maybe a little alarmist but he said you know why don't we put our heads together and start thinking of ways to counteract that and I went well gee we have a methodology in place already of several methodologies to deal with malicious code development and the effect of malicious code so let's start exploring directly applying that to this potential situation before it happens we've got a 30 year Head Start let's take advantage of it some current technical news that plays in with this you know there is recently you know the big worry has been whether Chris Burke as nine is potentially described it's been potentially described as a weapon of mass destruction in of itself do the possible effects that you could you that it could bear using it to basically genetically engineer either pathogens or alterations to human DNA and spread them out in the public turns out that it looks like Chris Burke as nine might not be as fault as fault proof as initially feared you wind up getting coding errors when you when you implement Chris Burke as nine genetic change so that would be our first little bit of technical news on the other hand of the the the alarming one in this list is that some Canadian researchers last year reconstituted an extinct horse pox virus for a hundred thousand dollars using mail-order DNA and this is exactly the situation 
dr. Santos is worried about because you know we're talking you know pox viruses are classically horrible and you know hundred thousand dollars no questions asked I suspect actually these were University researchers if this was somebody off the street without the university affiliation it would probably be it'd have been much more difficult but it still plays up the insider threat aspect of in any security paradigm you know the folks who you expect to be doing things properly are the folks that have the greatest access to do things maliciously so you know when you're dealing in bioterrorism the first place you start worrying about is the faculty at a local micro be at the local microbiology faculty because they're the ones with the expertise and the opportunity and the ability to sneak something out so let's go to a definition of bioterrorism so we can get our terms clear bioterrorism is the use of harmful biological agents to generate a political response I'm operating this out for purposes of this talk from bio warfare because in this case we're assuming the bio air terrorism does not have direct state support possibly in direct State for support but this is not a nation nation states official bio warfare program the reason for that is if you're someplace and you run into your own country's bio warfare program you pretty much have to quality two choices live with it or don't if you wanted to some other countries bio warfare program okay you're going to tell your country hey I've discovered a bio warfare program over at this country and they're gonna either say we know about it or that's interesting you're going to spend a long time talking with some very polite gentlemen to describe exactly how you came across this information and that points out you're dealing in national security issues local sovereignty issues if it's a bio warfare program the locals are either read in or it's authorized you're not going to get any leeway and so we've just pointed out the lack 
of viable options bioterrorism presumes that your local PD your local National Police and security apparatus are not involved and would like very much to prevent this so as an individual you know bio concerned bio hacker you have a lot more options for how who you can notify and what sort of actions they're going to take now with the new genetic engineering methods we have a new concern which is designer or custom pathogens and we're gonna see how that works in when we're talking about gene modification now for bioterrorism there are three main possible targets crops animals and people basically anything that's biological that relates to life in the target area is up for grabs but what we're doing is we're functionally using biological techniques to change the bits what what you could call the bits of the genetic code to a to a configuration that's not the original one so what it really looks like is a genome data problem and much like dealing with say computer viruses and other forms of malware you've got a pervasive threat that will have a cause harm or alter content and it can be customized so really instead of necessarily a medical biological paradigm you can sit there and switch to guarding this from an information security perspective and that's what we're going to try to do here now real quick we want to go into some of the methods that are used to alter the genome first off you have to have proper information and that is available mostly online mostly open source there a number of databases the blast database the FASTA database and the psi protein classifier you can sit there put in an entry on I want to find the human genome code for tay-sachs disease and post that in it'll bring it right up I want to see the regular
genome code for Abbottabad oestrus which is or a fruit fly or any other common research subject animal or plant it'll pop right up additionally you know you know that that that's great for when you're trying to customize down to a species if you try to customize down to a person or a subset of people you know you can go out now and pick up genome capture devices like the ion of which was demonstrated actually first biohacking village four years ago little little device about the size of USB USB stick you know take a sample put it in there basically had a little PCR that would run at chop up DNA do it sequencing spit out the the the the code or you know the analysis thousand dollars got three uses and then reload kits were at an additional cost there's an additional one called quiet called kiya gem that's available so now you have the ability to go look up a code that you want to implant someplace and go look up the code of the person or for some group of people that you want to plant it into this is a little alarming if you look at things from a security through my obscurity standpoint ten years ago before the human genome project fully completed we didn't have this as a possible action so after you've got your information you want to go to synthesis pretty much all of it's done for for custom genetic code is a liggett liggett nucleotide synthesis there were there were like four different methods that have been generated over the years currently now it's the phosphoramidite method basically you're running in a cycle you D block your amino acid couple it up with a new acid put in a cap oxidize it lather rinse repeat until you're done making that section of genetic code that you want it's generally done commercially because you know unless you're really highly skilled personally as a process chemist you want to have this done commercially and the nice thing is at least for some at least for some of the more dangerous coats that segments we go back to the POC viruses 
for those Canadian researchers generally they won't synthesize known harmful gene code that's why I said you know if they you know if you're dealing with a university credential you might be able to get somebody to synthesize something that they otherwise wouldn't because I'm a legit researcher this is what I do there's also something called major which is multiplex automated Jenna Jenna make engineering which came out in 2009 for the Wyss Institute at Harvard basically you take a little chunk of single strand DNA and you elect operate which electrically stimulate cells in order to get it to go through the cell barrier and go get that single strand DNA into the nucleus in anneals and you it's assigned melds in at some point and recovers to two and a half hour cycle you can get up 50 edits and usually what this is used for is to create edited genome diversity for doing tests but this also means that you can get a batch of of gene of gene samples pick worked up filter out the one you want and then simply go and replicate that and have that cell replicate itself over and over by conventional methods basically at that point you're just celebrating finally we have to deal with our transfer methods because we've got our our chunks of genetic code that we know that we want basic gene editing all forms are pretty much the same overall process you pick a target domain a location and you define a binding domain that your methods going to group to in order to say that this is right before where we want to insert the connective the custom code we induce the doubles you induce a double strand DNA break at that cleavage domain you add your program DNA and you anneal it and usually there are off target effects basically you don't get a perfect match up you'll have because you're trying to do this in bulk it might have bind to us multiple places and make multiple strand breaks and insert this DNA in multiple spots and that would give you a one-way function because you can't pull 
them back out as easily as you put them in because you take the risk of taking out the change that you wanted to make in order to take out the changes you don't want and just and the thought then becomes you notice that is the more accurate you make your your transfer method the easier it is actually to reverse your transfer method because you know the fewer strand breaks the fewer chances and the fewer off target effects these are it is to remove one or not have any to deal with and if it's just the one that was put in you can just take it out if you want to three types are zfm zinc finger nucleases basically it's a binding a binding domain that's got a cleavage and it's defined by having the zinc ion in it delivers you delivered as a plasmid and if your target domain wasn't unique it'll bind in multiple places and you'll have multiple gene changes you've got talon which is transcription activator like technically is it's used for gene therapy delivered as an amount mrna and you can combine it with other other methodologies it's generally slower to build a proper talon and because you've got a larger target domain that also makes it very very granular and very specific so you don't have many off-target effects and then finally the most recent one that's been getting all the news is CRISPR clustered regularly interspaced short palindromic repeats it's faster to generate your plasmid or other method to transfer than either zfn or talon and it'll cut at any location because it's using a little bit of small chunk of guide RNA in the plasmid but it does have a large number of off target effects noted as we saw the first in the earlier slide where we were talking about the fact that there are possible toxicity from lost target effects after you've got your transfer method picked out you picked a pick a vector usually it'll be either an Athena or retrovirus and you basically inject it to the around the cell have it infect the cell your change takes place you're worried 
at that point is that you might have some overexpression because you're trying to get you're putting a large dose in and hoping that it gets to the right cells and maybe you maybe you get two or three doses per cell there are some non viral vectors that you can use that cause less immune response so you can you can actually just inject in this robot DNA you can put it in a polymer or a fat cover the whole point is just get it through the cell membrane into the nucleus now in reality is that I'm using a computer hacking paradigm to try and fight this and the advantages in this case for for doing code changes is to the computer person the programmer there's less formal training required you can edit as you see your project develop there's a lot less infrastructure needed code doesn't mutate until somebody gets a hold of it and changes it and since you're dealing in generally bits and by electronic bits and bytes the consequences when you're caught or a lot lighter which is why for thirty years people have been running rampant as computer hackers the two advantages for a biological attacker are you have concrete effects you are doing real damage if you want to do real damage not to say that a computer hacker can't cause real damage and physical effects but in this case it's you know direct harm to the to the to the to the organism and you can select existing pathogens in the wild and possibly alter them in order to get your effect now to deal with these you know with computer attacks recently you know we've gone
from a perimeter-only defense to something called the kill chain framework. The idea for the kill chain is that you want to identify all the steps required to have a successful attack, and that starts off at reconnaissance and ends with persistence. It goes through recon, weaponization, delivery of the malware, exploitation, and it goes all the way through the actions on the target and persistence. As I said, the goal for a kill chain analysis is to identify malicious action as early as possible and choose to react to the threat, or to allow the threat to continue so you can study the methodology and possibly apply it elsewhere, and then react to the threat. And it's not just confined to computer security: there have been variants developed for missile defense, for ships, basically against anti-ship missiles. You have a radar ping, you go through a decision framework, you have more information to determine whether this is something that's hostile or not, you choose how you're going to react to this potentially hostile circumstance, or you reevaluate and continue on. And we actually have an analysis and reaction cycle for this: gather information, evaluate it, choose your reactions, implement your reactions, gather more information, and keep repeating the cycle until the threat has been neutralized, or basically until you can't gather any more new information. Now there are some cautions in dealing with the kill chain framework instead of a strictly perimeter-based defense. You've got limited resources to apply to all of your defenses, so you're going to have some restraints on both your monitoring and your response actions. The earlier you react, the more chance you have of tipping off your opponent, and time spent gathering information reduces time spent reacting; it's a trade-off. But if we apply this to biology, we can form the kill chain, which is similar: starting at recon, going through the development and testing phase, going to weaponization, production, delivery. And we can stop at delivery in this case, because after delivery the advantage that a biological threat has is that at that point it's been delivered, it is now self-acting, either it'll work or it won't. Pretty much the only follow-on action for the opponent is: do we repeat the cycle? So at that point you're dealing in post-action issues, and I'm taking those out of the kill chain because they don't really add to the kill chain analysis. And what you find out when you're dealing with any given spot in the kill chain for a malicious actor is that secrecy is inversely proportional to the scale and effort put into that phase. If you spend a lot of time on recon, you have a larger chance of having your guy get caught snooping. If you spend a lot of effort in production, that means you're having a lot of resources consumed and you have a facility, and there's a greater chance that would draw somebody's attention; you spend time on production, there's a greater chance of somebody running across it. So especially for non-state actors you get some serious trade-offs that build up. When you're a state actor, once again, this is why I was excepting out biowarfare programs, it doesn't matter: you control the local police, you have the resources at your disposal, it's okay, we can just move on with this. But if you're a small motivated group that's trying to do something against the watch of the local authorities, you've got to make some decisions, and we can take advantage of the decisions that they choose. So our phase one is recon. What's recon? It's getting information either on the target area or the target organisms, so collection of biomaterial, collection of targeting information. Biomaterial collection can be either direct sampling or acquisition of waste products, and it
is the easiest step to complete. Following on in recon you've got your target selection, so this is where you've got direct observation and the use of open-source intelligence by your malicious actor, and it's very similar to stalking. In fact the choke point for that, then, is to treat it like stalking: you've got anti-stalking laws and anti-trespassing laws that you can leverage. Also you can leverage the malicious actor's personal chatter; motivated people tend to talk a lot about the things that they're motivated by, human nature. There's an old SNL gag from when Eddie Murphy decided to retire the Buckwheat character, and it was right around the time that John Hinckley shot President Reagan, so they were doing that whole thing, and one of the questions was, "Do you believe that the man who shot Buckwheat shot Buckwheat?" and the answer from everybody was, "Oh yeah, that was all he ever talked about." So chatter comes in very early, but it is a lot harder to prevent than it is to detect, which is just like recon in cyber; you've pretty much got a one-to-one match there. The next step is development and testing, which is where you're developing the desired genetic payload you want for your attack. Do you want to do gene transfer, or do you want to do direct damage? You need to test to see whether or not it's going to have the desired effect, and you can do that either in cell culture or in crop samples; note that if you're doing it in crop samples it's a lot more noticeable. You've got multiple payload options: a generalized plague; a targeted plague, which in this case is confined to a subset of a population; there are viruses that are associated with cancer risk; you could try to cause an autoimmune response; or you can try to inflict trait modification. Now the downside for that, on the defense side, is that gene sequencers are becoming less expensive and commercial gene sequencing is now available, and as I said they do monitor for known pathogen sequences, and if a group is going to try and do this personally they're going to need appropriate facilities. I know some biochemistry students who can tell you the exquisite agony of trying to keep mammalian cells from catching viruses that they did not want and dying, and it absolutely drives them nuts. So it's difficult for a small group to do. The choke point in this case is reagents: everybody has to go through using nucleoside phosphoramidites, and there was a presentation last year by Meow-Ludo (look it up on YouTube; it was actually a very good presentation) where he went directly into this. Also you've got your polymerases; both of these you have to order in, you're not going to make them yourself. Step 3 would be weaponization, and this would be marrying your payload to your desired transport vector, and that pathogen then has to retain its virulence, its specificity, and the ability to turn it off, because it's no use as a political tool if you let it loose and you can't turn it back off; then all you are is a homicidal maniac. This is difficult for nation-states to do, and that difficulty relates to basically making it so that it stays on target, does not mutate, and your own population is not affected. The big choke point in this case for non-biowarfare programs is usable facilities. Two years ago I did a presentation on
biosafety, and we're talking biosafety level 3 and level 4 facilities. If you start building one you will have the locals immediately taking a strong interest in you, because nobody has a need for a level 4 biosafety facility outside a nation-state biowarfare program. At this point you're also looking at marrying transmission agents, whether it's a prion or a virus or a parasite or a host organism cell, to your desired effect, and it partly sets how you're going to transmit and deliver this. The selection, airborne, waterborne, contact, injection, partly depends on the pathogen and partly depends on how you're planning on delivering. Step 4 would be production; this is where you're trying to make your pathogen in bulk, and this is where you start dealing mostly in accomplices. You can get through phases 1 through 3 as a solo operator; when you get to phase 4, that's generally where accomplices start coming in, and accomplices multiply the number of opportunities for the defense to catch something. It generally will require additional facilities beyond your initial development facilities, because now you're talking both process chemistry and bulk process biological activities; you've got culture media issues and cross-contamination issues to worry about. The analog here would be trying to do any form of illegal substance production, from your stills to your illegal drug labs, except in this case it requires better technique, higher product purity, and you're going to have more difficulty in post-processing. And once again, the real biowarfare program has the cooperation of locals; they're not trying to sneak this around, they have dedicated facilities, it's nowhere near as difficult for a nation-state. Finally we've got delivery and infection, and this covers your delivery logistics and attack planning. If you deliver your product and nobody catches it, you have failed. So the key issues for the defense are target access and tracking the bad guys' operational security. Once again, chatter kicks in: you're dealing with a group of motivated people who talk about what motivates them. Target access: most of the interesting targets for political activity are generally guarded when they're interesting, so basically you're trying to sort out what a potential malicious actor is going to try to do. Aerosol delivery is easiest, but it also tends to burn away quickest; injection is hardest, but it's the best targeted; and as it turns out, the more specific your targeting, the harder it is to deliver. So part of what the defense gets to do is just monitor known or likely targets for activity based on what you're hearing from chatter. Operational security is a bear in general, and the moment you catch one of the accomplices the prisoner's dilemma kicks in, so as a defense you want to intercept and leverage the communications between the planning cell and the delivery cell as much as possible; that way you can walk it right back. There are no current examples of an engineered biological attack, and in fact there are very limited examples of non-state biological attacks. The two that I've got here are the 1984 Rajneeshee Salmonella attack and the 2001 Amerithrax attacks, which are the only two biological attacks in the past 50 years in the United States that I'm aware of. In both cases I'm going to explain why the steps in the kill chain kind of got skipped over, but how you can analogize them. So for the Rajneeshee incident, the goal was to interfere with county elections in a county in Oregon to allow some favored candidates to win and seize local power. The result was 751 cases of food poisoning, and they lost the election anyway. The Rajneeshee religious group selected restaurants with salad bars; they also tried to do some direct delivery of pathogens in drinking water to
specific personnel. They skipped development because they were using Salmonella purchased from a medical supply company for testing cultures, and they just recultured that in bulk in order to get their pathogen. Weaponization is also skipped because they're using a wild-type bioagent. Production, as I said: they cultured bulk amounts in an operationally controlled medical lab, and basically took that culture, put it in the salad dressing at the salad bars, put it in water, and they had limited effect. The Amerithrax attacks occurred in late 2001 after the 9/11 bombings, and the goal, as understood right now, seems to have been to save the anthrax vaccine program that was under development. There was a false flag attack attempting to pin the threat on radical Muslims, and it was targeted against high-visibility targets: media operations and congressmen. There were five collateral deaths and 17 injuries, and on the one hand it was successful, because the anthrax vaccine program funding got restored; on the other hand, since the perpetrator in question committed suicide, and he was an employee and presumably he was doing this to save his own job, and you don't save your job if you shoot yourself while you're under investigation, you can argue that it was a failure. Recon was publicly available mailing addresses. Development skipped again, because it was leveraging an actual biowarfare bioagent, from the Ames anthrax biodefense research strain. Weaponization also skipped, because you're using the actual biowarfare bioagent. Dr. Ivins cultured his agent for two years from existing research stock and mailed it out to his targets, which is why U.S. mail nowadays to certain high-priority targets goes through a considerably greater number of steps to treat potential biohazards. But in conclusion, you can see that we can actually apply the kill chain methodology to a biothreat, and as I said, you can find these bio-cyber similarities, and we've got 20-plus years of cyber defense techniques and knowledge available for us to leverage. We've got a head start, so let's not waste it, and we've got a head start in an environment where we're at a greater disadvantage on the defense than we would be against a bioterrorist. So basically it's like stepping down from playing against the NFL to the local high school team. We've got our advantages; we should move now to really leverage these, build out policies, build out a knowledge base, build out plans, and move forward. I've got some references basically available. Are there any questions I can answer? Thank you
very much to the Biohacking Village for allowing us to be with you here today. And so it is much more than simply me: you will in fact be speaking with my co-panelists Dr. Suzanne Schwartz from the FDA, Commissioner Rebecca Slaughter from the Federal Trade Commission, and Professor Stephanie Pell from West Point. And we have a little bit of technological excitement going on, because one of our three panelists appears with us today in cyborg form, so as with every live demo, excitement will occur, but we'll hopefully be able to make everything work. But before I introduce in carbon form, well, two out of three carbon forms of our esteemed panelists, I'd like to share a little bit of introductory information with you on this concept of the Internet of Bodies, which may be unfamiliar to many of you. This is a term that I started using coming out of some of my earlier work, and basically the idea is connecting the Internet of Things into the world of body-attached, body-embedded, and body-melded devices. So as we're saving all the things in the Internet of Things, we are also starting to creep into the human body as a platform for development and applications. The defining features of the current Internet of Things, which is no news to this audience: we rely on internet connectivity gratuitously; we think everything is better with Bluetooth and bacon; there are extreme levels of known vulnerabilities; they're already causing harms; we have enabled new methods of data collection, aggregation, and repurposing, and this in particular has led to privacy problems; and we have consumer ability diminishing in terms of the ability to opt out of these additional methods of data collection and leveraging. In particular, we have hidden price terms that are appearing in the way that products are being sold, so you can't really tell whose security is better just by looking at the product in a store, for example, and so self-help on the part of consumers, who struggle to find the power-on button sometimes, is relatively limited. So one of the challenges that you see in policy spaces frequently is that the definitions of security and privacy get blended. But at the end of the day, and I don't need to define these terms for this community, in terms of a policy set of discussions, what we are asking, or should be asking, in security policy is whether Alice's system successfully defended against Eve's attacks, was the failure foreseeable, and what were the legal duties that pertained in terms of fixing the harm that occurred and preventing it. With privacy, we have negotiated promises and reasonable expectations. So as a consequence, we have different questions that are being asked in security and in privacy, and this distinction is lost in many cases in policy circles and in legal discussions, so when you run into your friendly neighborhood lawyer, make sure they understand the distinction between security and privacy. This starts to matter as a legal matter in part because of reciprocal security vulnerability. As we all know in this room, think about Mirai, right? It was pointed at Reddit and Twitter, but next time it could be a nuclear power plant, an electrical grid, etc. So the same types of vulnerabilities and compromises that exist in the private sector can ultimately impact the public sector, and vice versa. So we have the Internet of Things starting to do real damage. Just by way of memory lane, some of you undoubtedly remember the April Fool's joke of 2013: ha, toaster IoT, ha ha, hilarious. In 2017 we have articles about toasters breaking the internet, we have the BBC warning about compromises on toasters, and we are in the world where computer code is starting to directly impact humans, and we forget sometimes, though not in this room, that code is written by humans for humans and that mistakes happen
often. You undoubtedly know about Alexa ordering dollhouses. This is the story of the first smart home in Germany, where Professor Raul Rojas had accidentally DoSed his own house because of one light bulb; he thought it was kind of hilarious, his computer scientist wife less so. We know that malware is increasingly user-friendly in terms of being able to deploy it, and Mirai has caused many problems, and sometimes the creators of these technologies lose control of them. In particular, in terms of this room, we're all very aware of the epidemic of malware spreading around hospitals, and ransomware, and that's where we start to see the connection between code and human bodies. So we have the risk to physical safety happening as a result of computer code, and here we start to see the blue screen of death become literally a blue screen of death. Undoubtedly many of you know about the incident where a patient's heart procedure was interrupted because of a virus scan. We have cases where fitness apps are revealing military secrets, so where human bodies are deployed, and we have the Internet of Things transitioning into this type of Internet of Bodies, where human flesh is connected to and reliant upon the internet for some aspect of its functionality or safety, and that starts to change the stakes, especially in a legal context. So the Internet of Bodies, if we were to put a definition on it, is the creeping technological reliance and vulnerability of human bodies on software and the internet for their integrity and functionality. In other words, all of the unfixed problems of IoT are now blending with the unresolved legal and ethical messiness of prior generations of med tech and legal issues related to the human body, and that is complicated. So we've had, and are having, three stages of these IoB technologies. The first stage we're all very familiar with: the quantified self, the Fitbits, the Google Glasses, the Apple Watches, etc. It's optional; the risk is primarily driven by repurposing of data, privacy and security harms, but generally we're not talking about physical safety directly being impacted, the Strava location disclosure incidents notwithstanding. The second generation of Internet of Bodies technologies we're already seeing, so we're in early second generation: digital pills that report the progression of the pill and its release of medicine from the inside of our stomachs; pacemakers that are hardwired into our bodies; cochlear implants that communicate using Bluetooth; digital prosthetic limbs that rely on their network connectivity for some aspect of their functionality or otherwise communicate with an external machine; artificial pancreases, the first one of which has already been approved; and of course internet-connected hospital equipment, which often keeps human bodies alive. So these technologies are less optional, they are connected to the physicality of the human body, and physical harms are entirely possible as a consequence. And the next generation we're already starting to see in medical trials, stage 2.5, late second generation: things like brain prosthetics, where you have an external computer that
can modify the sensation to, say, a patient's spine, or a doctor can remotely recalibrate the degree of sensitivity of an implanted device. The third stage we are not quite at, and it's the situation where you have, in theory, melding of the human body and the externalized cloud ether brain. It's Elon Musk's neural lace, it is the idea of a cortical interface, some version of next-generation humanity. So this is sort of the progression, and as I said we're somewhere in the second stage now. Google Glass is still around, it's on factory floors. DoD is building an Iron Man suit that sometimes is powered in ways that make decisions that override the human body inside, potentially, based on early reports. And so we see these buggy bits and buggy bodies potentially leading to physical harm. So imagine Mirai not on DVRs or cameras; imagine it on a set of injected contact lenses. Just for fun you put lenses in for augmented reality gaming and they get harnessed in the botnet. Botnets of body parts are a reasonably anticipated consequence here. Imagine WannaCry on artificial pancreases: senior citizens not knowing how to send Bitcoin to the person holding their pancreas hostage. This is unfortunately somewhat foreseeable based on the way that we know medical device manufacturing has progressed, and we have now gotten to the point where there is excellent active consideration of these issues by the FDA. We saw the first recall over a security issue, and we know that these are the types of issues that we will see continuing into the future. In particular, we'll hear from one of our panelists about the implications for criminal law, so these transfers of technology from outside the body to the inside of the body will have tremendous legal implications, and this is a case where someone was convicted based on data from his own pacemaker. And we know that companies, through their patent filings (patent, meaning patent, P-A-T-E-N-T, that's what I'm saying), are experimenting in research and development with various kinds of inside-eye devices, whether it is to directly enhance your ability to perceive, or for gaming, or for recording the reality around you. So some of it is the soft archival concern and interests that existed with the quantified self, but now it's less visible to the outside person who may be the object of that recording. So the big question that we're left with, and I'll just throw some of these ideas out there and shift quickly to our esteemed group of panelists: these third-generation technologies in particular start to raise questions about where our own minds end and where someone else's ideas begin. And not to be too philosophical, but Kant has this idea of autonomy, and we think about the autonomy of the human being; there's also another idea that he has called heautonomy, and it's about self-governance, it's about the ability to think through things in, for lack of a better term, a disconnected way, to ensure that it's really your processing of the ideas internally, to prepare you for exercises of autonomy, to act in ways that are consistent with your own moral processing once you are in the world and making decisions, whether it is voting, or it is the way that you treat other people, or your conduct as a professional in a corporate environment. So autonomy, self-governance, really can't be exercised, Kant says, without this prior self-governance, this heautonomy, and when you have your brain always on and connected to a cloud, the query is whether you can ever really be sure that the ideas are fully yours. Okay, and so we know that these experiments are underway, neural lace, cortical interfaces, and so this brings us to a host of legal questions, which I will just hint at with this slide and then leave you in the capable hands of our panelists. We have regulatory questions about where different agencies' authority overlaps and how to ideally ensure that consumers are not hurt, and with the first generation IoB, those devices that were deemed to be lifestyle devices,
those were primarily regulated, well, I would say regulatory enforcement conduct was carried out by the Federal Trade Commission, and the FDA deemed many of those first-generation devices to not be medical devices and so therefore was adopting a hands-off approach. But second-generation devices, where things go inside the body, that's starting to be a different story. With contracts, think about every EULA you've ever clicked on on a website; now imagine that the EULA that you're clicking on is attached to the injected lenses in your eyeballs that have an internet connection. The stakes start to be a little different. If you can't understand what you're clicking YES on, what does that mean in terms of the possible harm to your vision, your participation in a botnet of eyeballs that could take down a power grid? This sounds like sci-fi, but if you look at past attacks, as we all know, it's unfortunately not that far-fetched. Patents and patent assertion entities, trolls, have been very aggressive in enforcing their IP rights; what will that mean when the allegedly infringing patent is in a body part? How much can legal process force you to stop using a device? For example, in bankruptcy, whose benefit is served when these devices and the contract rights that spring from them are sold off? Open question. And how to build civil recourse in tort: we know that civil cases around security have been slow to emerge. So these are open questions for us: where is the line between augmentation and medical correction? What are our new tech baselines, and who are the winners and the losers? How are we changing the relationship of our bodies to the rest of the world? So we're entering a stage where we have an Internet of situated things and bodies, and what this really asks, and this is where I'll leave you, is that it asks us to ask ourselves and our communities: what is our ideal of the human body in the next generation of technology? Are human bodies a bug or a feature? Are they something that we need to get rid of and replace with robotic parts, or are they something that we need to preserve and extend with tools, essentially in their current form? Depending on who you ask, you have a different set of responses on this sliding scale of techno-humanity, if you will. Some people of course think that we're all just a simulation, in which case just pass me the cheese and the wine and we'll call it a day. But if you are somewhere else on the scale, and you think that the human-machine symbiosis point is the ideal place to stop, then you're going to have a different set of policy and legal prescriptions for the way that we want to build the next generation of technology and security than the people who believe in a post-humanist ideal, for example. And we don't even have a consistent definition for some of these stopping points, right? So this is a bigger discussion over whether human bodies are a good thing or just a last-generation operating system that needs to be replaced. So with that, I will stop here and bring up our esteemed panelists, and to those of you who have my phone number, please don't text me during this, because one of the panelists is on Skype. So I will ask each of our panelists to
introduce themselves briefly and describe how you are connected to issues of security and bodily integrity. Thanks. Suzanne, I'll ask you to go first. Can you hear me? Yeah. Good afternoon, my name is Suzanne Schwartz. I'm at FDA's Center for Devices and Radiological Health, and I'm here with one of my colleagues from the center, Dr. Seth Carmody, who is sitting up in the front row as well. Our team at FDA has taken on the role of medical device cybersecurity from the FDA's policy, response, outreach, and education perspective. Just a couple of introductory words also about FDA: FDA's mission specifically is to protect and promote the public health. FDA has multiple centers within the large organization; several of those centers are specifically what we call product centers, such as ours, the Center for Devices and Radiological Health, and what that means in terms of a product center is that we have the authority to review and to regulate medical devices, those devices that are going to be coming on the market, as well as the authority in the post-market sense to make sure that those devices which are being used, which are deployed, which are available for patients, are remaining safe and effective, and that if there are any concerns around those devices, those concerns are further analyzed, that information is looked at carefully, and then the appropriate next steps are taken based upon that information. So medical device cybersecurity, with the framing that Andrea gave: as you can imagine, with a lot of the newer advances, the extraordinary therapies that we see in treatments, interventions, and diagnoses that are available today, they contain computers, are connected, are interoperable, are interconnected, and they present some challenges from a security perspective. We have had to address, and we continue to address, the legacy devices, devices that were built and developed and put on the market years ago and are actually in clinical use in hospitals, and many of those devices were not built with the security that we would want to see in them today, and yet they are performing extremely important life functions, and there are also huge investments in them by hospitals and healthcare organizations. And then we have of course the newer, the novel technologies, and the opportunity really to be able to make sure that before these devices actually get out there in clinical use, a very careful, very thoughtful, rigorous, and appropriate security approach is taken with respect to threat modeling and the kinds of assessments that need to be done to assure that by design the security is built into the device. I will stop right there by way of introduction. Okay, let's see how we're doing with our Skype connection here. Can we hear? Yes, okay, yes, I think we're good. So would you be good enough to tell us a little bit about the mission of the FTC, the approach that the FTC has taken to protecting consumers in terms of the different internet-connected devices such as the lifestyle devices, the Fitbits, etc., and a little bit about the FTC's perspective generally towards security and privacy enforcement? Yeah, sure. Hi, my name is Rebecca Slaughter. I'm a commissioner on the Federal Trade Commission, and I'm going to apologize in advance: not only am I not with you in person, I am here in person with my four-month-old baby, so I think I have her asleep, but you know, that's always a dicey proposition. So let me tell you a little
bit about the FTC and data security and the Internet of Bodies. So the FTC's mission is to ensure a fair and competitive marketplace in two ways: we protect consumers from unfair methods of competition, and we protect consumers from unfair and deceptive acts or practices affecting commerce. The Internet of Bodies really falls more into what we think of as the consumer protection side, the unfair and deceptive acts or practices section of what we do. As it sounds, unfair and deceptive acts and practices can be divided into unfair acts or practices and deceptive acts or practices. I will tackle deceptive first. A deceptive act or practice is one that deceives consumers, so in terms of data privacy and security that means misrepresenting what your device does, how you handle the data on the device, how you will protect the device; basically, lies to consumers about your product. That's true of any product, and also of Internet of Bodies products. Unfairness is a little bit more complicated, but we can treat failure to maintain reasonable security as an unfair act or practice in certain circumstances. Reasonableness is a flexible standard that depends on the sophistication of the business, the type of data in question, how sensitive it is, factors like that. When we are evaluating unfairness you basically have to determine whether the practice causes, or is likely to cause, substantial harm to consumers, whether that harm is unavoidable by the consumers, and whether the harm is not outweighed by countervailing benefits to competition or to consumers. So thinking about this in terms of the Internet of Bodies, our general mission could be applied in terms of
failure to accurately describe information practices, so what information is being collected, how long it's being stored, who has access to it; failure to reasonably secure sensitive data, so for example if you're thinking about a medical device that records your geolocation or something like that, if that's not kept secure; and then unwanted safety or health risks that arise from devices, such as susceptibility to hacking that impacts critical functions, like Andrea was mentioning in her introduction. Those are all areas where I could envision FTC enforcement under our unfair or deceptive acts or practices authority.

Okay, great, thank you. And Stephanie, tell us how these kinds of issues might play out in a criminal context.

Sure. And because I work for the Army Cyber Institute, I have to say that these are my personal views and are not the views of the United States Army or the U.S. government. Okay, so Andrea has introduced us to this concept of the Internet of Bodies, and you've heard about some of IoB's propensity to damage human bodies and minds, and that we should start considering what the appropriate consumer safety responses are, legal and otherwise. I'm going to add another layer to all of this: like it or not, law enforcement will want IoB-generated data under certain circumstances as well. And while I do not intend to spend my time talking about the crypto wars and the going dark debate, and let me just say I am not even buying the rhetoric of going dark for purposes of this conversation, I am sure you all appreciate that arguments from very respected researchers have been made that say, look, law enforcement,
even if you're having challenges intercepting text messages or voice calls, there's all this metadata out there that's coming from the Internet of Things. Well, guess what, it's going to come from the Internet of Bodies as well. So
as we contemplate the various generations of IoB that Andrea identified,
body external, body internal and body melded, we have to think about how the Fourth and Fifth Amendments of our Constitution may regulate law enforcement access to this data. Now, as you all probably recall, the Fourth Amendment protects us from unreasonable searches and seizures, but for the Fourth Amendment to be triggered as a protection we have to actually have a search; a search must occur, and a search is a legal term of art. If there is not a search, there's no Fourth Amendment protection, and a lot of IoT metadata arguably falls outside of the scope of the Fourth Amendment because of something called the third party doctrine, which in its most simple terms, and in its most aggressive interpretation on the part of the government, says: well, if you share certain kinds of metadata with various third parties, you lose protection in that data. Now all of you will say, please, wait a minute, the Supreme Court just came down with the wonderful Carpenter decision, right? If you're familiar, this happened at the end of June of this year, a long-litigated issue, the issue of whether cellphone location data could be acquired by law enforcement without a warrant. Well, in this particular case there were 127 days of cell data, and the court said that we have a reasonable expectation of privacy in the whole of our movements, and the court basically said anything seven days or more of location data is a Fourth Amendment search. And generally speaking, there are some exceptions, but when you have a Fourth Amendment search, the only way to make it reasonable, because the Fourth Amendment protects against unreasonable searches, the way we most often make it reasonable is by getting a warrant. And so now I don't want to be too optimistic, because there are tower dumps, for example, and the case didn't address the use of stingrays, but I think it's fair to say it is a very positive opinion in terms of technologies that have the ability to track us, and certainly to do long-term tracking. How that
case plays out over time remains to be seen, and so how that case may apply to IoB-generated data also remains to be seen. I don't want to be overly optimistic and say, well look, that data is being generated from a device inside your body; granted, very concerning from a privacy and maybe even a security perspective, but it remains to be seen how much Carpenter will help or give guidance with respect to that kind of data. So let's look at a real situation, a real case that Andrea brought up, to say at what point would law enforcement, you know, concretely want this data. All right, so we had a guy whose house had a fire, and he reported to the authorities that this was all a surprise, that in fact he was busting open windows and throwing things out of windows and yelling at people in the house, get out, get out, there's a fire; and unfortunately his cat died too. But law enforcement, for whatever reason, didn't necessarily believe what he was telling them, and so a body-internal device under Andrea's framework, a pacemaker, was, well, a little bit of a snitch, if you will. And again, I'm going from news reports, not an actual court record, but according to news reports, a doctor who could interpret this pacemaker data said that the readings did not match someone who was surprised by the fire, who was under stress and trying to get people and belongings out of the house. And so we've taken the liberty of just tweaking Casey Green's wonderful little cartoon here, and our friend may be trying to look like everything is fine; he may tell authorities otherwise, but his pacemaker data may come up. So what might the Fifth Amendment say about a case like this, or about other kinds of IoB? You probably remember that the Fifth Amendment, among other things, basically says that no one shall be compelled to be a witness
against him or herself in a proceeding, and it's not just a specific criminal proceeding: if you're subpoenaed to testify in a civil case and what you say might incriminate you, that would be protected under the Fifth Amendment. But of course there are always elements; you can't just say, well, I take the Fifth, and have that be the end of it. For something to truly be protected by the Fifth Amendment there are three elements that must apply. It must be compelled: if you're going to law enforcement voluntarily, then you're not being forced. The information to be gained, your communication, must be incriminatory: if it doesn't incriminate you, then the Fifth Amendment doesn't cover it. And it also must be a testimonial communication, and that is normally the critical element that gets litigated. Again, not quite as applicable here, but I am sure this community follows whether or not the Fifth Amendment would protect the password to your encrypted smartphone, and my answer to you, and I'm happy to discuss it more later, is a lawyer's answer: well, it depends. Under certain circumstances it might be testimonial; under certain circumstances it might not be. Now in this particular case, this is data that's being acquired presumably from a third party, so we don't have a Fourth Amendment issue, and it's not testimonial, so our friend up here is kind of out of luck with respect to his pacemaker data. But this was a fairly straightforward example. As we start to consider the third generation, body melded, that Andrea talked about, and we think about how technologies may meld and reveal things about our thoughts, it's certainly reasonable to ask how our thoughts are protected by the Fourth or Fifth Amendment, or various kinds of brain scans, for example. You know, if a perpetrator breaks into a house and the occupant and owner of the house grabs a
hammer and starts to hit the perpetrator on the head, and the perpetrator is then able to overpower the owner of the house and unfortunately kills the owner, and all of that is caught on video: if law enforcement can't make out the face of the perpetrator, but they find a suspect in enough time, and he or she has been hit hard enough, maybe they want to examine through some kind of scan the internal damage that might have been done to the brain. Is that protected under the Fourth or Fifth Amendment? Certainly under the Fifth Amendment it would be a very hard sell, I would say, because that kind of examination would be more like a fingerprint or DNA or, if there were external wounds, identification; it's not really about testimony. What if, however, there's a more advanced technology, and some investigators or scientists were to show that alleged perpetrator pictures, still pictures taken from the video of the attack, and you could read how the alleged perpetrator was reacting? Would the amendment cover that? Maybe an even more interesting question with the Fifth: does the Fifth Amendment reach as far as those kinds of mental privacy issues? Suffice to say that these issues are not completely settled, and that criminal procedure nerds, and I like to call myself one of them, are thinking through these kinds of things, and I think we're only going to need to think more about them as these three generations of IoB technologies become more prevalent in our world. Thank you.

Thank you very much for those insightful comments. So let me give our third panelist her cord back. Okay, all right, we are back in business now, and let's start taking any questions from the audience, if there are any. Okay, let's start up here.

Yes, you think you're injured, that's important one; before our little arsonist read is the possibility of colony she's
a technical link encryption something illegal like their contract with the company that made the pacemaker he could have had?

I don't think contracts are going to override the Fourth or Fifth Amendment; I should say, I don't think contracts are going to compete with law enforcement on these things. So that case, as you well know, ended in a really interesting way: frankly, the FBI was able to hire a third party vendor to break into the phone. The question, though, is important because it's still being litigated, right? In that case the San Bernardino shooter was dead, so there was no way to try and compel him to provide his password. However, there are sort of two lines of cases that are developing. One from the Eleventh Circuit, where you had a situation where an individual was suspected of having a lot of child pornography, and law enforcement was able to get into some of his devices but not all of them; he used TrueCrypt on certain external hard drives, and when law enforcement sought to compel him to open up those hard drives, in other words to decrypt them, he raised a Fifth Amendment privilege. The Eleventh Circuit basically determined that in that case, partly because of the use of TrueCrypt, the government could not, and I don't want to use the word definitive, but the government couldn't really say, are there actual files on those drives, or is it just a bunch of nothing; it's TrueCrypt essentially creating potential evidence that is unable to be deciphered, to a point where law enforcement can't even offer a reasonable prediction that such files exist. In that case the Eleventh Circuit determined that the decryption would be testimonial. In another case in the Third Circuit, not 100% the same facts but close enough for purposes of our discussion, the Third Circuit looked at the situation, and they did this in a footnote, so it's called dicta, but it's pretty
strong dicta. They said, unlike the Eleventh Circuit, the government didn't have to show that it was likely that those kinds of files were on the external drives; all the government had to show was that the defendant, in this case it was a defendant, knew the password. And in both of these cases what they were talking about was something called the foregone conclusion doctrine, and basically what that means is, if you are merely asking someone to do something and the government sort of already knows that this exists, in other words the act of production doesn't give the government any new kind of testimonial information or admission, then it falls outside of what is considered testimonial under the Fourth Amendment. But it is not a settled area.

Can you give me an example, to make you smarter, faster?

Yeah, and I think what we're pushing towards is a frontier that, honestly speaking, we have not been working through, not to say that we shouldn't be, but we're not there yet; we're certainly not there yet, I'd say that. And one thing to really complete the introduction on FDA: there are certain definitions that are statutory definitions and legal definitions that give the FDA authority and kind of prescribe, if you will, what is a medical device and what are drugs and what are biologics, and that's where our remit comes from as a public health agency, in terms of, again, coming back to that assurance of safety and effectiveness. So when we talk about medical devices, and I'm not using the exact statutory language here, we're talking about devices that are diagnosing, treating, mitigating illness; in other words, there is very clear language around it in the statute: providing something to help a patient who is injured or ill, providing a cure, diagnosing a disease, diagnosing an injury, treating and mitigating. And I think that the lines really start to blur when we get into these
areas of augmentation or enhancement, if it's not specific to dealing with an injury or an underlying illness or an underlying, and again here I'm using language very generically, defect of sorts, that the individual, as a patient, is in need of addressing in some manner.

Yes, please.

So my sound was a little bit cut off, but I think the general question was about these devices that would, say, boost your intelligence or do something like that. I want to point out that that's an area where the FTC has taken and would take a careful look, to make sure that the claims that anyone makes about a device, whether it's an Internet of Bodies device or an over-the-counter pill that's not regulated by the FDA or anything else, are claims we would look at carefully to make sure that they are substantiated. You can't lie about the existence of scientific proof behind it. So we've brought a fair amount of enforcement actions against makers of products that claimed to detect melanoma, or mobile apps that claimed to treat acne, and where those claims can't be substantiated, that would constitute a deceptive act that the FTC could enforce against, even where the device or product is not regulated by the FDA.

One question I had, that I have deleted here, as a resemble piece of the arson situation, is discrimination. So the men who have a sneaker business to be for choice but to have a case they arise, and because of that one could argue, for example, that he was starting to get the Internet and the vice theory proposed out, and then say a different system doesn't have this device, we could never pull that on. So I just wanted to open that question beyond just commend improve the locations of self information: what is your take on discrimination?

So it's a very interesting question. I mean, if I am just looking at classic Fourth and Fifth Amendment doctrine, it, to the best of my knowledge, doesn't
recognize discrimination. That doesn't mean that communities of color, or communities that don't have certain kinds of resources, aren't often targeted more by law enforcement activities than others; I don't know that the Fourth and Fifth Amendments are going to be the ways to address that, and I do very much take the concern that you don't generally have a choice about whether to use a pacemaker. Nevertheless, traditional Fourth and Fifth Amendment law doesn't, to the best of my knowledge, in any case I've ever read, acknowledge that kind of distinction. And actually, well, when you raised your question, the first thing that came to my mind is, frankly, again thinking about communities that are impacted more by law enforcement actions than others, just thinking back about law enforcement policies and the kinds of policing: that is not a new problem, that is not a problem just raised by IoB, but frankly something we've been struggling with for a while. I am not a fan, but stingrays have long been an interest of mine; I've written on that with a technologist, and I was asked the question the other day about the use of stingrays. As I am almost certain everyone in this room knows, a stingray is a device that is a fake cell tower; it can trick your phone into believing it's your real cell tower, so your phone gives it information as if the phone was talking to the real tower. Our phones are better at resisting these kinds of devices when they are operating in 4G, but people who don't have the resources might for a long time have phones that are backward compatible to 2G, and because of that may be more susceptible to law enforcement use of those same devices. So I take your point very much; I think it is a problem that goes far beyond just IoB, and one that we've been grappling with for a while.

So the sort of things that we can do with it, like during the mattress computer, and all need
to be able to learn about her, yet whatnot means when computer I can step away from; as a kid it was my life, I'm 18, right, nothing, you know, with that theory about watching what happened when you start to know the inventing systems with enough, so where the parent-child, like how do you turn a lot, okay, independence in my tribe of interest encounter just lots in dignity. A second part would be, you know, it cousins would give us some pretty tentative beginning: what if there are some countries that say, boy, I had been allowed to this level, do we do it to keep up, and so on.

So on the first point, about children and the choices of parents to, say, give their kids a little extra storage for school: that is something on which we might get a little window of sort of a presage from the cochlear implant cases. So there have been cases that have been litigated over whether children should be, in some cases against their wishes or against the birth parents' wishes, implanted with a cochlear implant, and courts have struggled with these cases. And so in general the wishes of the parents are respected, but the child's opinion, depending on the age of the child, is also recognized, so it's not going to be clean. And this goes to the question I was raising about technological baselines slipping. So if you think about it, 100 years ago not everyone who had vision issues had glasses, and today it's a precondition of getting a driver's license that if we need glasses to reach a certain level of vision clarity, we are obligated to wear those glasses or we don't have the legal right to drive a car. So there's a codification of these tech baselines that are, you know, just socially constructed, like so many other things; different cultures will probably reach different technological baselines, and that's kind of why I left those big ethical questions hanging out there about what is the desirable human of the next generation that we should strive for as a society, and where does mechanical doping come
into the picture.

Do you want to explain the cochlear implant, or should a lawyer stumble through it?

A cochlear implant is for anyone that has an issue with hearing. It's a technological device that is implanted, in either children or adults, into the cochlea of a person's ear, and many parents are deciding that for their children without their children's knowledge, with them too young to even decide. We don't know the whole story behind any of those decisions, but they are parallel to glasses, if you will; so parents think that this kind of implant is fine, a benefit to the child. But the issue in the deaf community as well is that some people want to make it illegal for parents to just automatically implant their child, because many of those children are growing up without sign language, without a deaf identity, which leads to its own problems. So that's kind of the gist of the cochlear implant.

Are there any FDA... yeah, well, unless one of the panelists wants to address the second one; but the third one, of whether there have been, to what extent have there been, FDA approvals of IoB devices, and what is kind of the next generation of devices, have there been any malfunctions that we know of, and recalls, along those lines.

So the examples that Andrea provided in the original slide, which had, I guess, under phase two, implantable devices: certainly FDA has approved those devices, and they include insulin pumps, pacemakers, neuromodulators; there's a good number of devices that reside within the body, and they go through a rather rigorous process in terms of, again, looking at the device's performance, looking at the kinds of testing around those devices, and now of course also incorporating security as part of that, just like any other.

[Applause]

You don't trust my questions around the gap between FDA's stoven FTC still say there's a device that is effective and
there's a 20% chance of infection because of the techniques used; one of the responsibilities of FDA, and that's basically this possibility, that as functional medical safety regulations.

So I'll come back to: if it's a medical device, if it's deemed to be a medical device, it's regulated by the FDA, and if it's not a medical device, we will work with the FTC in areas where there are some blurred lines or some hazy lines, and that's been going on for several years already. But with respect to an implant or any kind of a device that is considered to be, by regulatory definition, a medical device, that is under the FDA's jurisdiction, and so safety becomes a prime area of our review and investigation and follow-up over the course of the lifetime of that device being on the market.

So my questioning, and all that we use, for example healthy equals eating natural prescription, and how do you handle something that has a benefit for us halation but also can be applied to healthy people to see what?

Can you repeat the question again? I've missed the beginning of it.

I'm talking about over-prescribing of medications and off-label use, for example with healthy people, where there's no fever at all, and how the FDA handles a device that has a benefit for a specific population but could also...

So we consider off-label use in the hands of the clinicians, the physicians who prescribe those particular treatments, and that happens a lot. And, you know, it doesn't have to be the kind of case that you're talking about, but physicians will recognize the use of a drug or a device in an area where it was not necessarily cleared for marketing or approved for, but that it may have benefit in their hands, and that physician can, through what's considered to be the practice of medicine, prescribe that particular treatment or intervention, and FDA has no authority in that particular area.

Thank you for the great discussion here. A question: I think
we're focusing a lot on protecting individuals, but we've seen, if you go back, if you're that cyborg that could have medical devices that are connected, and you are in fact the one, unbeknownst to the person walking by on the sidewalk, doing the denial of service or something along those lines: how do you stop that without stopping the individual that is part of this life?

That's kind of an excellent question that we hope the security community will come up with brilliant solutions for, and I think that is a fantastic point on which to end. Thank you all very much for joining us, and thank you to our wonderful panel.