[jasonjei]

I guess my confidence in the telerobot is lowered by the fact that the protocol doesn't ensure authenticity of surgery instructions. It leads me to believe what other flaws (including those outside the scope of security) exist.

Hopefully, we're still testing these surgeries on mice and not men.

[andrewstuart2]

A VPN with only two valid certificates means that the guy holding the other cert (assuming you have one of them) is definitely who he says he is.

[jasonjei]

You are right, but I'm alluding to the intrinsic security flaw of the robot. What other flaws could exist? They need not be security related.

[pavel_lishin]

Yeah, I sure would hate for a cosmic ray to flip a bit while an instruction is en route, and instead of gently cutting out my appendix, having the robot suddenly deprive me of a kidney.

[tedunangst]

How likely is that, versus the possibility that the surgeon operator has an aneurysm or seizure mid procedure. Or the nurse hands the surgeon the wrong chart?

[jasonjei]

I think the point is that no additional software/hardware error is added on top of the human error. Human error + software/hardware error should come as close as possible to an operation using human hands (only human error). Ideally, the benefit of a hardware/software product should produce lower human error too.

Without knowing anything about the hardware/software and transport messaging layer, it could be very likely or unlikely depending on how well or poorly the product is implemented.

[tedunangst]

Are you confident that telesurgery developers are better at encryption and authentication than VPN developers?

[jasonjei]

No, did I imply so? Just saying that I have very little confidence in the bot. I'm saying the intrinsic security flaw of the robot allows me to believe there are more serious defects. These do not need to be security related. The test cases not passing could lead to death.

I've made no commentary on VPN. Just commenting the communication protocol without augmentations (VPN, TLS, certificate, or otherwise) instills little confidence in the rest of the product. I wouldn't want to be operated under the bot.

[tedunangst]

I'm afraid I don't see the connection between the decision not to implement encryption and the presence of death causing defects.

[jasonjei]

> I'm afraid I don't see the connection between the decision not to implement encryption and the presence of death causing defects.

That's fine. Everyone is entitled to his/her opinion. I view the failure to implement encryption as a fatal error and an indication the code audit hasn't been thorough. Given that this is a telesurgery product, I'm quite confident encryption, trust, and authenticity are central to safe medical procedures carried over network. Otherwise, why would we bother with TLS when we access our online banking?

I'm just not confident I would want to undergo a surgery with a telesurgery robot with the "decision not to implement encryption."

[jauer]

We bother with TLS for accessing online banking because we don't manually build site-to-site VPNs between our house and our bank, unlike hospitals which have dedicated IT staff, a ton of security appliances of all types and, if they are in the same metro, often have dedicated waves or dark fiber between them.

[jasonjei]

The very problems that plague the unprotected networks to the site-to-site VPNs are the same: all it takes is one piece of malware. In fact, the complacency is the alarm. Just because you are in a "protected" network doesn't mean there aren't bad actors. The bad actors can get in, all they need is to find where your walls have a crack. There's a reason we call it Computer Insecurity.