My fellow HNers:

It does depress me, daily, that I do not have a career in physics or chemistry or biology or medicine where I could work on "big problems." The simple truth is, I'm not smart enough, I don't work hard enough, and I've been napping when opportunity knocked a few times in my life.

That being said, sometimes a man in a saloon has a few drinks and yells at the television, telling the coach of some football team what to do next. Just because he's drunk and in a saloon doesn't mean he's wrong, just boorish.

I lamented the fact that it's easier to upload and simultaneously tweet about a picture from my phone than it is for Scott to lead a normal life. There are lots of reasons why this is so:

1. The barrier for entry (education, &c) is higher in medicine and bioinformatics.

2. There are regulatory obstacles for businesses.

3. The problems are harder to solve than it may seem to the man in the saloon.

4. Some people feel the monetary incentives are to avoid medicine.

p.s. "Hypocrisy" is one of those empty criticisms, like "Unprofessional." If someone says to you, "smoking is bad," it doesn't matter whether he smokes. Maybe, his advice is actually more relevant if he's an older fellow who smoked and now regrets not making a different choice when he was your age.

  2. There are regulatory obstacles for businesses.

As someone in the biotech space, this is by far the biggest factor. When you are dealing with humans, crashes and bugs mean deaths. Deaths mean increased regulation, often under the mistaken assumption that more rules would prevent engineers from making bugs. Modern testing and build systems might, but regulators aren't keen to change their testing systems, many of which were encoded by legislation decades ago. For example, adaptive clinical trials have been known to be theoretically superior to the Phase I/II/III design for 15 years, yet are still in limbo[1] at the FDA; their proponents are still banned from trying them out. Facebook does not need a Federal Software Assocation to sign off on its new unit testing framework.

Moreover, it is just more stressful to deal with a regulatory climate where any error is assumed to have happened because you were an evil corner-cutting capitalist who didn't allocate enough for safety. This kind of Monday morning quarterbacking is unfortunately usually done by people who've never shipped a drug or device in their lives, like most politicians, journalists, or federal regulators. Twitter, unlike Genzyme[2], is not fined millions of dollars by the FDA when its site is down.

Finally, you have to guess what the law is. There is so much "discretion" [3,4] afforded to regulatory agencies that the threat of fines and seizures over bizarre interpretations of the law by a Carmen Ortiz-style ambitious regulator is never far from your mind. Example [5]:

  [Newsweek:] What exactly would constitute a “medical   
  claim?” Would pointing people to medical research papers 
  [qualify]?

  [FDA]: It depends. There are rules as to how one can do   
  that … Those rules are actually worked out pretty well, 
  and they just would need to make sure they’re staying 
  within the rules.

  [Newsweek:] Are those rules on the Web?

  [FDA]: I don’t know where the policy is. I would have to 
  get it for you. It’s an agencywide policy. I would have to 
  find it for you. And it won’t be that easy for people to 
  follow it…

Another example [6]:

  The agency has urged hospitals to allow vendors to guide 
  them on security of sophisticated devices. But the vendors 
  sometimes tell hospitals that they cannot update FDA-
  approved systems, leaving those systems open to potential 
  attacks. In fact, the agency encourages such updates.

  “A lot of people are very confused about FDA’s position on 
  this,” said John Murray Jr., a software compliance expert 
  at the agency.

And one more [7]:

  In United States v. Park, the Supreme Court held that a 
  responsible corporate official can be convicted of a 
  misdemeanor based on his or her position of responsibility 
  and authority to prevent and correct violations of the 
  Food Drug and Cosmetic Act (FDCA). Thus, evidence that an 
  individual participated in the alleged violations or even 
  had knowledge of them is not necessary.  

Think about that: criminal penalties for violations of laws that "won't be that easy for people to follow", where knowledge or participation in the alleged violations is not necessary. And the law is not static. The FDA also can and does write "guidances" outside of the legislative process which will make your business model illegal overnight or vastly more expensive due to unanticipated regulatory costs. Google does not need to guess what the DNS protocol is or will be in 2013.

For just a taste of how all this plays out, look at the FDA's ongoing attempt to regulate[8] mobile health apps. Who knows what the rules will be, what they will cost, or what the fines are? Look at the FDA's attempt to deny[5] people access to their genome without a prescription. Look at the fact that they issued a record 10000+ 483s in 2011[9], which threaten a business with civil or criminal penalties. Look at the fact that they used these 483s to shut down Teva and Sandoz and Hospira and Bedford at the same time[10], causing a massive shortage of injectables which they blamed on industry profit seeking and used to gain[11] yet more regulation, more power, more budget.

Look, finally, how they claim in an official court filing against family farms producing raw milk that you have "No Generalized Right to Bodily and Physical Health" [12], where they approvingly cite the case of Cowan vs. US, where a terminal cancer patient was denied access to experimental medication, denied the right to opt-out of the FDA:

  There is No Generalized Right to Bodily and Physical   
  Health.

  Plaintiffs’ assertion of a “fundamental right to their own 
  bodily and physical health, which includes what foods they 
  do and do not choose to consume for themselves and their 
  families” is similarly unavailing because plaintiffs do 
  not have a fundamental right to obtain any food they wish. 
  In addition, courts have consistently refused to 
  extrapolate a generalized right to “bodily and physical 
  health” from the Supreme Court’s narrow substantive due 
  process precedents regarding abortion, intimate relations, 
  and the refusal of lifesaving medical treatment. 

  See Glucksberg, 521 U.S. at 721 (warning that the fact 
  “[t]hat many of the rights and liberties protected by the 
  Due Process Clause sound in personal autonomy does not 
  warrant the sweeping conclusion that any and all 
  important, intimate, and personal decisions are so 
  protected”); see also Cowan v. United States, 5 F. Supp. 
  2d 1235, 1242 (N.D. Okla. 1998) (rejecting a claim that 
  the plaintiff had the fundamental “right to take whatever 
  treatment he wishes due to his terminal condition 
  regardless of whether the FDA approves the treatment”).

I know it sounds surreal, but they are arguing here that you only control your own body with respect to abortion, intimate relations, and euthanasia. Everything else is controlled by the FDA, yea even unto your death from cancer.

The only solution here is for hackers to carve out a jurisdiction in which the FDA has no say, where patients are free to be early adopters and startups are free to push the technological envelope. Patients in this zone will need to be mature and understand that these are version 1.0s, and may not help or even actually harm them. But every drug or device or surgery needs someone to be first, and a few brave risk takers could both benefit their own health and push humanity forward. After all, we have thousands of people dying for futile risks in various foreign wars.

So, the limiting reagent is not money, or expertise, or motivation, or smarts. raganwald, you and most of HN are plenty smart enough. It's about the freedom for companies to innovate, for patients to take risks. We need a jurisdiction (a seastead? Singapore? Estonia?) that enables us to push the technological frontier. Everything else will fall into place once we can't be punished for innovating.

[1] http://jnci.oxfordjournals.org/content/104/18/1347.extract#

[2] http://www.fiercepharma.com/story/genzyme-submits-175m-fine-...

[3] http://www.ivdtechnology.com/article/letters-labcorp-show-fd...

[4] http://www.fdalawblog.net/fda_law_blog_hyman_phelps/2011/03/...

[5] http://www.thedailybeast.com/newsweek/blogs/the-human-condit...

[6] http://articles.washingtonpost.com/2012-12-25/news/36015727_...

[7] http://www.gatewayfda.com/fda-regulations/under-park-doctrin...

[8] http://m.spectrum.ieee.org/biomedical/devices/the-fda-takes-...

[9] http://blog.fdazilla.com/2011/11/fda-issues-483-every-50-min...

[10] http://www.forbes.com/sites/aroy/2012/06/15/how-margaret-ham...

[11] http://www.fda.gov/Drugs/DrugSafety/DrugShortages/ucm050796....

[12] http://www.organicpastures.com/pdfs/FDA%20dismissal%20docume...

I've already posted my "almost got arrested for using zsh" story, so here's another one:

I used to work at a large public university. One day, a grad student brought me his laptop and asked if I would take a look at it because "the Internet [was] really slow." It turned out that his computer was part of a botnet controlled via IRC, and it was being used to attack hosts on the Intertubes.

After sniffing the IP address + port of the IRC server and the channel name and password the botnet was using, I joined the channel with a regular IRC client. "/who #channel" listed thousands of compromised clients, including hundreds with .edu hostnames. (One university had a dozen hosts from .hr.[university].edu in the channel. Sleep tight knowing your direct deposit information is in good hands.)

There was no way I could notify everyone, so I concentrated on e-mailing abuse@ the .edu domains. In my e-mails, I explained who I was and where I worked, that one of our computers had been compromised by hackers (yeah yeah terminology), and that in the course of investigating, I found that computers at their university had also been compromised by the same hackers. I also included a list of the compromised hostnames at their university and the IRC server's information so their networking people could look for other compromised hosts connected to the IRC server if they wanted to. Relatively basic IT stuff.

I didn't get replies from the majority of the universities I sent messages to, including the .hr.[university].edu one. I got a few thank yous, but I got just as many replies from IT Security Officers and CIOs (including at big name universities) accusing me of hacking their computers and demanding that I stop immediately or face legal action.

Those people just didn't understand, and they were in charge of (or ultimately responsible for) their universities' IT security efforts... It was completely mind-boggling to me at the time.

I dunno, 1. and 2. seem like a cop out to me. When crappy freeware Windows installers provide a checkbox (checked by default, of course) to opt out of Bonzai Buddy or a million Ask.com toolbars or some bullshit malware scanner, they are still shitty and sketchy, and it's disappointing to me to know that YC is now behind a company that makes such software. And saying this crapware is popular does little to assuage my concerns. If users are "choosing" to install these things, it's unclear to me how informed or aware of a choice they're making. I bet successful viruses and worms are also popular by this metric.

By the way, here's an example of what we're talking about: http://imgur.com/8SGXUPP. Oracle bundles the ask toolbar with Java installs now. This is the default state, i.e., the box is default-checked. Why, users love the ask toolbar, they probably have a 95% install rate!

Essentially he's asking why person-hours are expended on things that make the most money rather than things that are important, for some definition of important.

There are several answers to that.

1. The most obvious is that people need to make a living. People can and do work at some discount in order to work on things they think are important, but it rarely stretches as much as 10x. I expect most workers either don't care or can't afford to.

2. A lot of people do work for nonprofits (the biggest of which is the government), but the number of such jobs is constrained by the amount of money nonprofits can raise.

3. The number of people employed on frivolous things seems larger than it is, because e.g. things designed for entertainment are by their nature more visible than infrastructure. So it is dangerous to draw conclusions based on anecdotal evidence.

At my last company us developers complained that we were getting interrupted too much, so the boss asked us to keep a list of interruptions. By lunch on the first day we all had 3+ pages, so he believed us and we implemented the following:

Each week, one pair of programmers would be designated the "consulting developers", and a big sign would be put above their desk. They were the only developers that could be interrupted for the week, allowing the rest of us to get a lot of work done. If the consulting developers needed to ask something of other developers, we tried to save it up for lunch, as we mostly all ate together anyway.

This made an enormous difference to our productivity, which everyone in the company took notice of when the number of "development days" we got done each week increased dramatically.

At the start we thought of "sacrifice one for the good of all" and we didn't look forward to our turn. As time went on it actually turned out differently. We usually enjoyed the "consulting" time as it meant a break from the routine of working on endless tickets, and it also kept us in touch with what the rest of the company was doing with regards to deploys, environments, configs, etc. etc.

AFAIK they still do it today