L. Reese

Can Amazon and Apple Improve Healthcare?

The 2016 annual U.S. healthcare spend was $3.3 trillion. Of this, 32% was spent on hospital care, 20% on physician/clinical services, 10% on prescription drugs, and the remainder went to other professional services including dental, nursing home, and other areas. The details can be found in a PDF from CMS.gov, the federal government website of the U.S. Centers for Medicare & Medicaid Services. Not only are residents of the U.S. getting fed up with out-of-control prices, so are the companies that provide healthcare benefits.

According to Reuters, Amazon, JP Morgan, and Berkshire Hathaway plan to form a non-profit company with the purpose of driving down healthcare costs for more than a half-million collective employees. Their objective includes a focus on technology for “simplified, high-quality and transparent healthcare” that is “free from profit-making incentives and constraints.” Apple is opening primary care clinics, called AC Wellness, for its employees and their dependents.

I just finished reading the book An American Sickness by Elisabeth Rosenthal, which details the U.S. healthcare system with a look at how for-profit health care and drug companies are taking advantage of a very broken system. The book discusses how and why pricing can vary wildly for the same procedure or drug, and real-world strategies for avoiding being taken advantage of. It makes sense that people like Warren Buffett, Tim Cook, and Jeff Bezos are taking action against a system that does not reveal pricing and makes “shopping around” for an elective procedure impossible. Surprises are the backbone of U.S. hospital billing practices. The U.S. healthcare system is dysfunctional. In an emergency room we are faced with a dire situation and we can sign away our rights out of desperation and fear.

It sparks a good deal of hope to know that at least some companies are taking action. In a system where a surgeon can legally bill someone $50,000 for three stitches, it makes sense to vote with your wallet, but in the U.S. healthcare system we are not told costs ahead of time and are often not in a position to argue when hesitating over a choice could mean life or death.

Can these companies do health care better? Is capitalism finally forcing a solution to the problem? Cutting expenses and giving people a better healthcare experience seems to be the objective. Based on Apple’s AC Wellness site, it seems like they are looking for people who can design lifestyle plans for Apple employees, manage population health, and integrate clinical practices and technology “that drives patient engagement.”

Last year Apple CEO Tim Cook was wearing an Apple Watch with glucose measuring capability. If pre-diabetics have an incentive to eat so that their blood sugar levels don’t soar, they might be able to manage their diet and exercise so that diabetes (type-2) can be avoided. The Dexcom G5® Continuous Glucose Monitoring (CGM) System already exists as an FDA-approved system that does not require the user to prick a finger to test blood sugar. Instead, a small patch with a hair-like protrusion is affixed so that blood sugar monitoring can be reported every 5 minutes to a smartphone or smartwatch.

Continuous Glucose Monitoring FDA Approved

The Dexcom G5 Mobile Continuous Glucose Monitoring (CGM) System transmits data on blood sugar levels from a patch with a sub-dermal hair-like needle to a smartphone or smartwatch. (Image: Dexcom.com)

Apple’s vision may extend beyond financial savings for employees. Last December, Apple and Stanford Medicine announced that they had teamed up to use the Apple Watch in a study for detecting atrial fibrillation in wearers. According to the news release from Apple, “As part of the study, if an irregular heart rhythm is identified, participants will receive a notification on their Apple Watch and iPhone, a free consultation with a study doctor and an electrocardiogram (ECG) patch for additional monitoring.”

One might be able to avoid the dysfunctional U.S. health care system by maintaining good health through regular feedback using technology, but it’s doubtful that any one of us wearing a watch that gives us feedback on our health stats would actually heed the warnings all, or even most, of the time. Being human, we buy a treadmill and use it to hang clothing on. We buy a gym membership with aspirations to go often but then we never find the time. Genetics plays a large part in the good health sweepstakes, too. We attach aspirations to technology that, as humans, not all of us can socially adjust to for maximum benefit. But even the unintended by-products of technology might bring change that makes us better and improves the world we live in. I hope so.


Password Regrets


Forget the special symbols and numbers; it takes longer to crack something like “ElephantDogButtercups” at twenty-one characters (for an online platform that allows endless tries) than something that’s 8 characters long and includes special characters. Today, even a humble IoT device like a connected camera needs the basic protection of a password. How many websites have you visited where rules are imposed upon your password selection, requiring the use of at least one special symbol, one capital letter, and a length of at least 8 characters? Some sites reject passwords that resemble the username, and others reject passwords that are too similar to the 5 most recent passwords used. Sites for recipes and loyalty programs all require passwords. How does one keep up with all the passwords, especially if they each have different requirements?

One cannot blame them, as one hacker in your bank account or email can cause serious problems. However, it is true that the majority of people will choose simple, easy-to-guess passwords if allowed. Users often create passwords that are composed mostly of lowercase characters. Users facing rules that force them to include special symbols or capital letters will usually satisfy those rules with a simple, somewhat predictable substitution (e.g., “$” instead of “s”). Most will also begin their password with a capital letter and place the required special characters at the end.

Figure 1: Forget special characters. Longer passwords are safer. The graph compares entropy of user-created passwords by length with no restrictions (blue), with restrictions excluding common dictionary words (red), and restrictions excluding dictionary words and with composition rules (green). (Source: NIST Special Publication 800-63-2)

Last year the Wall Street Journal published an article covering the regrets of “the man who wrote the book on password management.” In 2003, the now-retired Bill Burr, while working at the National Institute of Standards and Technology, wrote “NIST Special Publication 800-63. Appendix A.” The document has since been updated, but Burr’s regrets center around how predictable people can be: when faced with rules on how to write acceptable passwords, most would change their “password” to “Pa$$w0rd.” Hackers have been known to run exhaustive, brute-force password guessing computer programs using the dictionary. Expand that dictionary to include “$” for “s” in every case and you have an expanded solution to guessing a password. The Sony hack began with password-guessing. Re-using passwords from your recipe site on work computers is also an easy way in for hackers.

Password security is measured by something called “entropy,” which relates to the unpredictability of a password. NIST Special Publication (SP) 800-63-2, “Electronic Authentication Guideline,” states, “If a password of length l characters is chosen at random from an alphabet of b characters (for example the 94 printable ISO characters on a typical keyboard) then the entropy of the password is $b^l$ (for example if a password composed of 8 characters from the alphabet of 94 printable ISO characters the entropy is $94^8 \approx 6.09 \times 10^{15}$ – this is about $2^{52}$, so such a password is said to have about 52 bits of entropy).” Clearly, a long password with no special characters would have higher entropy, and take longer to guess in a brute-force attack, than a short password with special characters. A lengthy password takes more time to enter, but it holds promise for being easier to remember.

Some rules to remember are to make sure that your passwords are not used across several accounts of varying security levels. A site where recipes are saved can have a simple password that is also used by your junk email address. But reserve the banking password as unique. Changing passwords regularly can be difficult. A former co-worker told me he creates a password by taking the first letter from each word in a poem or song lyric, then adding the quarterly date and a letter from the website itself. Passwords across several websites will all have the same characters except for the characters that identify the site where the password is used. “Mary had a little lamb whose fleece was white as snow” could be the basis for a password at Wells Fargo Bank that would be, “Mhallwfwwas2Q18WF.” The entropy is higher with a 17-character password that is not a dictionary word and yet includes no special characters. Those pesky sites that require a special symbol may necessitate consistently substituting symbols for letters.

Many sites have resorted to authenticating a sign-in by sending an authentication code to the user’s phone. This is also subject to hacking, however, if your phone service provider does not have a strict process for porting your phone number to a new phone or service provider. Without strict procedures in place, it is possible for a hacker to use your name and phone number alone to port your number without your knowledge and then “authenticate” a login or password change for your bank or retirement investment accounts. (This has happened.)

In June 2017, the NIST publication was rewritten, dropping the requirement for special characters. Passwords need to be useful. Completely random assigned passwords tend to get written down on post-its and tacked to the monitor or under the user’s keyboard. The one to put it most succinctly is cartoonist Randall Munroe, who calculated that the password “correcthorsebatterystaple” would have an entropy of 44 bits and take about 550 years to guess at 1,000 guesses per second. He calculated that “Tr0ub4dor&3,” with 28 bits of entropy, would take just 3 days to guess in the same manner. The caption of Munroe’s password entropy cartoon states, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” A most convincing argument.
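The arithmetic behind the NIST entropy formula and Munroe’s guess-time figures above, together with a defender-side check for the predictable substitutions Burr came to regret, as an added example that is not from the article, NIST, or Munroe. The blocklist, substitution table, and function names are constructed for illustration, and the 2,048-word list size is an assumption chosen because four random words from it give the 44 bits quoted above.

```python
import math

# Constructed sample blocklist; a real deployment would load a large
# list of breached and commonly used passwords instead.
BLOCKLIST = {"password", "elephant", "qwerty", "letmein"}

# Predictable substitutions of the kind the article describes ("$" for "s").
SUBSTITUTIONS = str.maketrans("$0@134!", "soaleai")
TRAILING_PADDING = "0123456789!#%&*?._-"


def random_entropy_bits(units, choices):
    """Bits of entropy for `units` symbols, each drawn uniformly at random
    from `choices` possibilities (characters or whole words)."""
    return units * math.log2(choices)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate in a 2**bits search space."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def normalize(password):
    """Reduce a password to the base word a guessing program would try:
    lower-case it, drop trailing digits/symbols, undo substitutions."""
    return password.lower().rstrip(TRAILING_PADDING).translate(SUBSTITUTIONS)


def is_blocklisted(password):
    """True if the password is a blocklisted word in predictable disguise."""
    return normalize(password) in BLOCKLIST


if __name__ == "__main__":
    print(f"8 chars of 94:      {random_entropy_bits(8, 94):.1f} bits")
    print(f"21 letters of 52:   {random_entropy_bits(21, 52):.1f} bits")
    print(f"4 words of 2,048:   {random_entropy_bits(4, 2048):.1f} bits")
    print(f"44 bits @ 1,000/s:  {years_to_exhaust(44, 1000):.0f} years")
    print(f"28 bits @ 1,000/s:  {years_to_exhaust(28, 1000) * 365:.1f} days")
    for candidate in ("Pa$$w0rd", "password123", "Mhallwfwwas2Q18WF"):
        verdict = "reject" if is_blocklisted(candidate) else "accept"
        print(f"{candidate!r}: {verdict}")
```

The formula measures only choices made uniformly at random, which is why the check rejects a dictionary word disguised with substitutions no matter how many character classes it contains.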

Avoid password regrets: choose a long password and avoid being “that guy” who brought down the company with a password like “password123.”


RISC-V is Not a Company

RISC-V is a new open Instruction Set Architecture (ISA), named thus because it was the fifth RISC instruction set that had been developed at Berkeley. The highly flexible and extensible base ISA was designed to be simple, clean, and suitable for direct hardware implementation. The base instructions are similar to other RISC instruction sets like OpenRISC or MIPS. RISC-V (pronounced “risk-five”) is an open standard ISA that is royalty-free and free to implement. It’s likely that there is not a significant marketing budget to establish awareness, so it’s not surprising that some can mistake RISC-V for something else. However, RISC-V is not a company, and it is not a CPU. RISC-V began in 2010 as a project at UC Berkeley by Krste Asanović, Professor in the EECS Dept. at the University of California, Berkeley, current Director of the ASPIRE lab, and Chief Architect at SiFive. Asanović wanted a simple ISA without legal issues related to intellectual property. UC Berkeley began using RISC-V in engineering courses.

According to the RISC-V Overview in the RISC-V specifications, RISC-V is “a completely open ISA that is freely available to academia and industry; a real ISA suitable for direct native hardware implementation, not just simulation or binary translation; and an ISA that avoids ‘over-architecting’ for a particular microarchitecture style (e.g., micro-coded, in-order, decoupled, out-of-order) or implementation technology (e.g., full-custom, ASIC, FPGA), but which allows efficient implementation in any of these.” There are many open source projects based on the RISC-V ISA.

In 2015, RISC-V was officially kicked off by the newly formed RISC-V Foundation as a zero cost, royalty- and paperwork-free ISA. The mission statement of the RISC-V Foundation is “to standardize, protect, and promote the free and open RISC-V instruction set architecture and its hardware and software ecosystem for use in all computing devices.” Rick O’Connor is the executive director of the RISC-V Foundation.

The RISC-V Foundation, with more than 100 members, believes that the RISC-V ISA has potential to dominate the computing world from embedded and small form factor, all the way to warehouse data servers. The foundation creates and manages working groups to guide future development of the architecture. RISC-V Foundation members include Berkeley Architecture Research (BAR), Google, Microsemi, Nvidia, Qualcomm, Western Digital, IBM, IDT, Lattice, NXP, Samsung, Express Logic, Huawei, Siemens, Lawrence Berkeley National Laboratory, Mentor, Segger, and Princeton, IIT Madras, National Singapore Universities.

An ISA is a critical interface where hardware meets software. There seems to be a consensus on instruction sets these days. No one has built a new commercial CISC ISA in more than 30 years, and there is widespread agreement that the RISC architecture is best for a general-purpose ISA. However, although there seem to be many open source projects and open standards in other areas, until recently there has been no open source ISA for open and free implementation. RISC-V is set to fill the void.

Today, there are three different RISC-V instruction sets with address sizes in 32-, 64-, and 128-bits. Perhaps 128-bit addressing is deemed unneeded by some. However, the 128-bit ISA was created to ensure that RISC-V could successfully go there, and in reality, seems to have some application in addressing for huge flash drives and in security. The RISC-V base ISA has a minimal instruction set of fewer than 50 hardware instructions. There are also some optional standard extensions that include integer multiply and divide, atomic memory operations, compressed instruction encoding to make code size smaller, and single-, double-, and quad-precision floating point. RISC-V reserves opcode space for the unique instructions of SoCs, if needed. RISC-V is the smallest ISA for 32- and 64-bit addresses. On average, RV32C, the compressed version of the 32-bit RISC-V instruction set, is 34% smaller than other 32-bit ISAs and RV64C (RISC-V 64-bit compressed) is 42% smaller than other 64-bit ISAs.

What is available for working with RISC-V?

There are several RISC-V ISA specifications available online, including user level, privileged and compressed RISC-V instruction set specifications. The RISC-V toolchain is a standard GNU cross compiler toolchain (GCC/glibc/GDB) ported for RISC-V. RISC-V supports Linux (or…Linux supports RISC-V). RISC-V is also found in Yocto, and there is a verification suite. One of the best hardware tools for RISC-V, widely used in the universities, is Chisel. Chisel is a hardware construction language using a Scala-embedded metaprogramming language. Chisel simultaneously produces a software simulator, an FPGA emulation, and a GDS layout. Chisel is ideal for reuse (shared lines of code), and is a BSD-licensed open source tool that’s available at https://chisel.eecs.berkeley.edu/.

The time is right for an open ISA with a standard base. Sun created one years ago, but it faded. The continued rise of SoCs seems to have reinitiated the attractiveness of an open ISA that wasn’t as strong with the Sun attempt. Moore’s law is ending, which means we will be moving to domain-specific architectures. The definition of an ISA is that it is a vital interface where hardware meets software. Additionally, after several decades, computing seems to have reached a consensus favoring Reduced Instruction Set Computers (RISC). Even Complex Instruction Set Computers (CISC) are using RISC “under the hood.” Nevertheless, ISAs add a necessary but considerable amount of cost to computing. To port software from one ISA to another is expensive. There are many different ISAs for the many Systems-on-Chip, but ISAs do not affect system performance or energy efficiency as much as algorithms, compilers, circuit design, or fabrication processes, making RISC-V a good candidate for open and free implementation.

The Case for RISC-V

RISC-V can provide a shorter time-to-market, fewer errors given more developers are looking at it, lower cost from reuse, and transparency that makes it difficult for governments to add secret trapdoors. Arm has no fabrication plant, and yet is nearly ubiquitous in smartphones and beyond. Arm has successfully proven that a company can sell the IP for an instruction set or processor and others will fabricate it. It is much easier for designers to take an open ISA and change it or add proprietary sections for reuse.

An industry-standard ISA lends itself to a larger population of engineers with collective experience, a vibrant ecosystem, and community forums forming around a shared basis. Architecture research and education would be more realistic and able to leverage fully open hardware and software stacks. Open source makes products such as the Internet of Things less expensive. RISC-V can span the small to the large in computing. Historically, standards bodies have cooperated for many other open technologies, but not an ISA. Until now.