LWN: Comments on "Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)"

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

pizza — Thu, 20 May 2021 15:24:47 +0000

> IIRC there was some loophole that allowed manufacturers to claim their device is functionally similar to another one, and get approved very easily.

Yes, IIRC a sizable number of the hip replacement products on the market have been done this way.

But based on my understanding [1], initial "approval" is only a small part of what regulations cover, because it's not about problems coming up (they _always_ do, given sufficient time) but how they are handled, to the point where if we don't report something we come across, we can be fired on the spot (and depending what/where, thrown in jail!)

[1] I'm in a research group, so I'm largely exempt from most of the regulatory stuff. But I still have to go through general training that covers it.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

intgr — Wed, 19 May 2021 15:36:11 +0000

Well in that case this documentary should interest you. If you end up watching it, I would like to hear your take on it.

> In general medical devices are _very_ heavily regulated

Now that I think about it more, IIRC there was some loophole that allowed manufacturers to claim their device is functionally similar to another one, and get approved very easily.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

pizza — Wed, 19 May 2021 15:22:55 +0000

> medical devices are frequently approved without very thorough studies,

Keep in mind that "medical device" covers everything from an implanted pacemaker to an orthopedic shoe insert and a titanium bone screw to a ultrasound kiosk's custom keyboard.

It's also worth keeping in mind that no matter how thorough the studies, it's still only going to cover a subset of the population, over a limited period of time.

In general medical devices are _very_ heavily regulated, though most of that is concerned with avoiding known issues (eg basic safety, bio-compatible materials) and providing accountability after the fact should something go wrong (proper labeling that includes points of contact, process control, supply chain management, and other things to ensure problems can be peroperly scoped and handled..)

(Disclaimer: My employer is a very big name in medical devices, and I am not claiming to speak for them in any way)

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

intgr — Wed, 19 May 2021 13:42:35 +0000

> Presumably medical equipment has been thoroughly audited at some point (perhaps periodically)

In the US market, that assumption appears false. Medical devices are held to a far lower standard than drugs.

Disclaimer: my understanding is based on the "The Bleeding Edge" documentary. While such documentaries tend to sensationalize things, the main point seemed to hold: medical devices are frequently approved without very thorough studies, and once approved, getting the approval revoked is unreasonably difficult.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

bjartur — Sat, 15 May 2021 10:01:08 +0000

Read but instead of by.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

Flameeyes — Fri, 14 May 2021 16:59:15 +0000

Aww thank you! 😀

It's actually rare to get much feedback nowadays, I guess it would require a lot more engagement with a community, for which I don't really have time right now 😔 But I know a couple of other projects that picked up the protocols from my site, which makes me happy.

I guess it plays with what one wants to get out of their work. I'm happy to "add to the world's knowledge" even though I don't directly get much direct benefits myself, because I have benefitted from others doing the same. But it's also not a sustainable way to make sure that this keeps going… I would say we need a lot more pressure for manufacturers to provide protocol documentation for their stuff.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

midol — Fri, 14 May 2021 15:57:04 +0000

" not fixed by reported" - eh?

Terrible foresight by these journalists.

jospoortvliet — Thu, 13 May 2021 18:03:10 +0000

Honestly quite funny to see somebody make a 'prediction' that's already proven wrong ;-)

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

rgmoore — Thu, 13 May 2021 15:44:56 +0000

Medical software (and also software which drives planes) is like that, too. When flaw is found it's not fixed by reported. And regulations to avoid the issue are sent to users. Found out about that when got test marked as 1972 in year 2000. Apparently system had "year 2000" flaw, but instead of fixing the issue manufacturer advised doctors to got back 28 years (this kept day-of-week same thus only year was wrong and it was so wrong that it was obvious that it's wrong-on-purpose).

To get technical, problems can be fixed, but any kind of change requires going through the approval process again to prove that the changes haven't broken anything. This is true even for trivial changes that really shouldn't have any possibility of introducing new bugs. The regulators don't trust "it's just a bug fix" as an answer and require the new version be approved again. Since that approval process is a major expense manufacturers will refuse to do it unless they're absolutely forced to.

Note that this kind of extreme conservatism makes life easier for people interested in accessing the data, like the hackers on SleepyHead/OSCAR. Once something has been successfully reverse engineered, the developers can be confident it isn't going to change. If the manufacturer is reluctant to make changes for anything less than life-threatening bugs, they certainly aren't going to do it just to thwart third-party hackers.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

UniversalSuperBox — Thu, 13 May 2021 14:18:48 +0000

There's a lot of peanut gallery in open source. Startups come and go, some better funded than others. People love to tell you what you're doing wrong, but not what you're doing right. So let me be the change: Thank you so much for this project. Even having these protocols written down is nothing short of amazing for people you and I have never met... I hope that someday we'll have software that makes it possible for people to use these meters to empower themselves without the negative baggage of having to go to the doctor to even learn what your own body is doing.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

khim — Thu, 13 May 2021 12:27:21 +0000

> Presumably medical equipment has been thoroughly audited at some point (perhaps periodically)

Wouldn't believe that for a second. It's probably not as hopeless as these IoT thingies, but I'm 100% sure there are bunch of papers, crazy amount of bugs — and these same papers make it more-or-less impossible to fix bugs. Remember that:

It turns out that the Dual EC DRBG implementation in OpenSSL is fatally flawed, to the point where using it at all will either crash or stall the program. Given that the FIPS-certified code cannot be changed without invalidating the certification, and that the bug has existed since the introduction of Dual EC DRBG into OpenSSL, it is clear that no one has actually used that algorithm from OpenSSL. It did, however, pass the testing required for the certification somehow.

Medical software (and also software which drives planes) is like that, too. When flaw is found it's not fixed by reported. And regulations to avoid the issue are sent to users. Found out about that when got test marked as 1972 in year 2000. Apparently system had "year 2000" flaw, but instead of fixing the issue manufacturer advised doctors to got back 28 years (this kept day-of-week same thus only year was wrong and it was so wrong that it was obvious that it's wrong-on-purpose).

This worked perfectly till everything become connected. Today… I fear about what may happen because of that habit… but I doubt anyone would change anything till some extremely serious incident would happen.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

pizza — Thu, 13 May 2021 10:38:09 +0000

you left out:

5. The lawyers, who will find any excuse to sue the manufacturers [*] over any perceived flaw even if it's entirely due to end-user modification.

Also, with (4), the regulatory regime punishes folks who try to actively update and support their products, because _any_ change is riskier (in both the short and long term) than doing nothing. (see #5)

[*] Because the manufacturers have the deepest pockets.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

NYKevin — Thu, 13 May 2021 07:44:09 +0000

I think the fundamental problem is that the set of people who need this software, and the set of people with software engineering skills, have very little overlap. Whereas, for example, plenty of software engineers need a web browser, a multimedia player, an operating system.

You end up with four groups of people who are unable to effectively collaborate with one another, because they all want different things:

1. The patients, who mostly aren't software engineers and mostly just want a solution.
2. The software engineers, who mostly expect to get paid for this sort of work.
3. The suits, most of whom would rather sell to manufacturers than to end users. Or if you're cynical, they would prefer to sell to investors and get out before the house of cards falls down.
4. The manufacturers, who are (usually) operating in a low-competition oligopoly and don't care how painful things are for end users, as long as the doctors and the FDA are willing to say "meh, good enough I guess."

But then you can start talking about why the doctors don't care, why the FDA doesn't do anything, etc. The real problem isn't with open source, it's that the entire American healthcare system is fractally wrong.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

ringerc — Thu, 13 May 2021 01:06:17 +0000

Any open source license would do, really. If it was BSD licensed, it'd be just as easy to fork it and go on from there.

I'm glad it was open source.

Terrible foresight by these journalists.

linuxrocks123 — Wed, 12 May 2021 23:50:31 +0000

The article is from 2018. Your fears did not come to pass.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

Flameeyes — Wed, 12 May 2021 20:08:37 +0000

Hah, this had me looking back at some unrelated health-connected projects, and as they say, the more things change, the more they stay the same.

Context: in my free time I reverse engineer the protocols used by glucometers (think: diabetes), so that you can download your data without the original proprietary apps. I do this as a spare time, so there's pretty much no organization behind that, but that way I have done that has been pretty much unconnected to companies, vendors, and more structured project organizations. So while I don't have the fancy analytics that projects like Tidepool or Nightscout tend to work on, what I am at much wider liberty to do is publicly _describe_ those protocols: https://protocols.glucometers.tech/ — https://github.com/glucometers-tech has code to download the data, but it's pretty much a proof of concept and a toy project for me.

Thing is, a few years ago I almost entirely stopped working and writing about this after a… shall we say interesting headbutting with a project that was trying to be more vendor-friendly, but turned out to be more "we'll open source what we work on behind closed doors" kind of approach: https://flameeyes.blog/2016/04/02/last-words-on-diabetes-... — I did continue writing glucometer download software and reverse engineer stuff because I enjoy it, but I stopped trying to engage with more coordinate projects because it's too much energy for a spare time idea.

I just went to check whatever happened to that project… their website is now talking about being a "hub for Open Source" — all the references to the original diabetes work are gone (despite the name being very much linked). All of their repos that were migrated from GitHub to Gitlab stopped being updated around the same time as I tried engaging with them.

Oh well.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

sub2LWN — Wed, 12 May 2021 19:13:07 +0000

The inaccessible data and proprietary formats bit makes me wonder how much extant equipment falls into the "no obvious bugs" (rather than the "obviously no bugs") bucket. Presumably medical equipment has been thoroughly audited at some point (perhaps periodically) but I wonder how often doctors look at stacks of opaque electronic apparatus and scratch their heads.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

donbarry — Wed, 12 May 2021 18:48:41 +0000

The very fact that the project *was* released under the GPL proved its saving.

Perhaps a good reply might be: "Friends discourage friends from relying on non-GPLed software because of the ability of disgruntled actors to take their toys and leave."

I welcome the initial contribution, I welcome the continued community maintenance. As someone who finds the software useful myself, I'm grateful to all the positive contributions along the way.

Terrible foresight by these journalists.

gspr — Wed, 12 May 2021 18:31:22 +0000

Defunct EU? What kind of troll are you?

Terrible foresight by these journalists.

scientes — Wed, 12 May 2021 17:00:20 +0000

This shows what happens when the government is actively anti-law, which is the situation we are in regarding copyleft licenses, where governments don't have any interest in something that doesn't permit them to consolidate power, or just be a beurocratic Pain In The Ass like the defunct EU.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

hei8483j — Wed, 12 May 2021 11:17:21 +0000

I was privately involved a bit in this project for a while. I got the impression that the then lead developer hadn't really anticipated the community involvement. It was his pet project and he wasn't able (or didn't want) to delegate work to other interested people. I think it was a too large project for one person to handle, so naturally other interested people soon began complaining when things happened too slowly. In the end it was quite a rage quit and I feel sorry, because he is a talented person, maybe too overworked and had occasional health issues. Now the new project has a couple of mostly maintenance and clean-up releases behind, nothing big, but it remains to be seen if they manage to continue development. At least OSCAR is polished and works fine for the moment.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

amw — Wed, 12 May 2021 11:05:25 +0000

To save other people from having to look this up, CPAP turns out to stand for Continuous Positive Airway Pressure.

Terrible foresight by these journalists.

beagnach — Wed, 12 May 2021 09:22:03 +0000

Bit dramatic there... especially considering that the article explains that various manufacturers are already well aware of the project and have been for several years.

Terrible foresight by these journalists.

Subsentient — Wed, 12 May 2021 09:19:51 +0000

They wanted a nice headline, but never considered how the exposure would affect the project they were lauding in their article. Or maybe they did, and decided to take the selfish option.

If the CPAP manufacturers hear about these projects enough, they will absolutely crush these FOSS projects like insects and bring the full force of western law against these developers, preferably throwing them in jail for some obscure FDA technicality. Think I'm being dramatic? Watch and see. It's bound to happen now. I'll definitely be keeping an eye out for the story in my news feed.

It is better that this software remain unknown and help some people, than they get annihilated by the OEMs and help no one.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

madhatter — Wed, 12 May 2021 06:49:23 +0000

I watched this train wreck at the time, and it looked (and still looks) to me like a classic cathedral/bazaar collision: the lead developer wanted to do occasional, perfect releases, while (parts of) the user community wanted frequent, rough-and-ready releases. The normal and well-understood solution is a fork, but apparently Watkins hadn't anticipated that, and took it as a personal betrayal and a deep slight. As a CPAP user and free-software enthusiast, it still breaks my heart that Watkins just-about-final word on the subject was (expired SSL certificate warning):

If there is one tiny bit of hard learned advice I can leave behind from all this, it would be: Friends don’t let friends release full blown complex applications under the GPL

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

hikingpete — Wed, 12 May 2021 00:00:56 +0000

Thanks for the link, I really enjoyed learning about SleepyHead. I was surprised though to discover that the article was from 2018, and the original developer has left the project since. Mark Watkins tells his story at https://jedimark.net/2019/02/08/sleepyhead-project-shutdown/, while you can find a different take at https://sleepapneaessentials.com/what-happened-to-sleepyh.... The SleepyHead software is now succeeded by OSCAR, which seems to be quartered at https://www.sleepfiles.com/OSCAR/.

While reading the summaries of the drama above, I cannot help but reflect on the recent Tag1 interview with Linus Torvalds, specifically where he comments "I think I've been pretty good at finding people to trust, and then doing just that - trusting them and not micro-managing them overly much."

Anyway, although I don't use SleepyHead software, my thanks to Mark for his outstanding work and dedication, and kudos again to Linus Torvalds for keeping Linux going these many long years.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)

stumbles — Tue, 11 May 2021 21:50:37 +0000

I applaud Mr. Watkins.