Welcome to Clinical Trial Confidential.

We believe the clinical trial industry lacks a platform for open, transparent conversation. This lack of transparency inhibits progress. In this industry, that means patients are the ones that suffer.

Here you can choose to register an account, post anonymously or both. It is our hope that the ability to post anonymously will help foster useful conversation by allowing users to express their opinions without fear of retaliation, fear of appearing ignorant and otherwise allowing users to express opinions that may be contrary to their employer or that their position may not permit.

We believe great ideas should stand on their own merit and not the credentials of their author.

We hope these values will foster an environment of collaboration.

ePRO app exploitation 4 dummies


Do you have a study that uses an ePRO running off an app on a phone?

Are you having troubles achieving that really high compliance goal?

Are annoying CRAs and DMs bombarding you with emails about ePRO compliance?

Or maybe you just have a bunch of dead or fake people you want in your study?

Try this one simple trick, it just might help you!

  • Get your misconducting hands on the ePRO phone
  • Airplane mode on, double-check that Wi-Fi is off
  • Go to phone settings, set the date to whenever there was a data point missing
  • Open ePRO app, enter whatever best fits your needs
  • Turn on wifi, your bullshit data will plug whatever hole your subject accidentally left in the past
  • Go to step 2, repeat as needed

Think that's neat? Here are some more things you can try

  • "Enroll" a "subject" 
  • On screening visit, enter all the data for the length of the trial IN DA FUTURE, just keep changing the date in phone settings and reporting whatever you like (careful, that first entry needs to be legit though)
  • Or, if ePRO vendor provides the phones, just make that first reporting, stick them in your drawer, before protocol required visits use steps above to calendar surf and fill data as needed
  • Turn on the wifi/cellular and watch how your bullshit backdating populates the ePRO database, looking like it's always been there
  • If queried, say subject has connectivity issues, compliance/safety/whatever was confirmed in a call (call doesn't even need to happen, just the call log entry needs to be there)
  • Enjoy

Couple things you should keep in mind:

  • always make sure phone is not connected to the internet while you time travel
  • Double check you reset the settings to the correct date, if returning the device to subject
  • Don't be a dumbass and report future data (or data from 10 years before the beginning of the study)
  • Don't go for perfection in compliance or whatever reportable metric

Of course the instructions provided are not 100% complete, I've left out just enough so that a very careful analyst could call out this bullshit. Lucky for you, that's rare. I mean, the FDA definitely won't pick up on this, unless you really fuck something up.

 

DCTs are here fellas, what are your top tips for making the most of them?


P.s.

In case my brand of sarcasm didn't translate that well to text, I just want to make it clear: we, the clinical trial people, are not malicious, greedy asshats. I mean some obviously are, but not the majority.

This is not intended as an instruction, think more like bug report with instructions for reproduction.

If you are an ePRO vendor, and your product is exploitable like this, goddamn fix it or make sure exploitation gets hella flagged and escalated.

And yes, this exploit has been used for a good while now, but I bet most people are unaware of it. Now, it's public, so off you go, either fix the damn ePRO or keep it where it belongs, in development until ready.


lol. bless whoever wrote this.

Hightower Clinical / Note to File Podcast / Existential Dilettante / "Specialization is for insects"

This assumes that the vendor doesn't record any information in operational logs that preserves sequencing and never does a time check on startup of the application. Been doing - this among other things on the back end that I wouldn't reveal - since the days of Palm Pilots. And subsequently reporting suspected fraudulent activity to sponsors.
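The sequencing and clock checks the reply above describes, run against the date-reset tricks in the opening post, as an added example that is not the page's code or any vendor's implementation. It assumes the app uploads, with every entry, a per-device counter (seq), the wall-clock stamp taken from phone settings (wall), a monotonic uptime reading (uptime_s) and the server's own receipt time (received); the field names, the thresholds and the sample entries are all assumptions made for this example.

```python
"""Server-side audit of ePRO sync metadata for backdated entries.

Added example, not any vendor's code. It assumes the app uploads, with every
entry, a per-device counter (seq), the wall-clock stamp taken from phone
settings (wall, forgeable by the date trick), a monotonic uptime reading
(uptime_s, unaffected by changing the date) and the server's own receipt time
(received, trusted). All four field names are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Entry:
    subject: str
    seq: int
    wall: datetime
    uptime_s: float
    received: datetime


@dataclass(frozen=True)
class Finding:
    subject: str
    seq: int
    code: str
    detail: str


TOLERANCE = timedelta(hours=1)   # allowed drift between monotonic and wall-clock deltas
MAX_OFFLINE = timedelta(days=3)  # stamp-to-upload gap beyond which the entry gets a query
SKEW = timedelta(minutes=5)      # how far the phone clock may run ahead of the server


def audit(entries):
    """Return findings for entries whose metadata contradicts their wall-clock stamp."""
    findings = []
    by_subject = {}
    for e in entries:
        by_subject.setdefault(e.subject, []).append(e)
    for subject, es in by_subject.items():
        es.sort(key=lambda e: e.seq)  # the app's counter gives true creation order
        for e in es:
            # A stamp later than the server's receipt time can only come from a clock set forward.
            if e.wall > e.received + SKEW:
                findings.append(Finding(subject, e.seq, "future_stamp",
                                        f"stamped {e.wall:%Y-%m-%d %H:%M}, received {e.received:%Y-%m-%d %H:%M}"))
            # "Connectivity issues" that hold an entry for days are worth a query on their own.
            if e.received - e.wall > MAX_OFFLINE:
                findings.append(Finding(subject, e.seq, "stale_upload",
                                        f"uploaded {e.received - e.wall} after its stamp"))
        for prev, cur in zip(es, es[1:]):
            # Creation order (seq) advanced but the wall clock went backwards: date was reset.
            if cur.wall < prev.wall:
                findings.append(Finding(subject, cur.seq, "clock_rewound",
                                        f"stamped {cur.wall:%Y-%m-%d} after seq {prev.seq} "
                                        f"stamped {prev.wall:%Y-%m-%d}"))
            # Without a reboot in between, real elapsed time is the uptime delta, and the
            # wall-clock delta must agree. Uptime going down means a reboot, so skip that pair.
            if cur.uptime_s >= prev.uptime_s:
                elapsed = timedelta(seconds=cur.uptime_s - prev.uptime_s)
                claimed = cur.wall - prev.wall
                if abs(claimed - elapsed) > TOLERANCE:
                    findings.append(Finding(subject, cur.seq, "monotonic_mismatch",
                                            f"wall clock moved {claimed}, device ran {elapsed}"))
    return findings


def T(day, hour, minute=0):
    return datetime(2023, 7, day, hour, minute)


# Constructed sample, not real study data.
SAMPLE = [
    # S001: day 2 missed; on day 4 the date is set back to day 2 and the hole is filled.
    Entry("S001", 1, T(1, 21), 1000, T(1, 21, 1)),
    Entry("S001", 2, T(3, 21), 173800, T(3, 21, 1)),
    Entry("S001", 3, T(2, 21), 220600, T(4, 10, 5)),
    # S002: phone kept in a drawer; two weeks "filled in" two minutes apart before a visit.
    Entry("S002", 1, T(1, 12), 500, T(1, 12, 2)),
    Entry("S002", 2, T(8, 12), 1199300, T(15, 9, 10)),
    Entry("S002", 3, T(14, 12), 1199420, T(15, 9, 10)),
    # S003: future-dated entry that got uploaded anyway.
    Entry("S003", 1, T(20, 8), 100, T(10, 8)),
    # S004: honest subject whose phone rebooted between entries; must produce no finding.
    Entry("S004", 1, T(1, 20), 5000, T(1, 20, 1)),
    Entry("S004", 2, T(2, 20), 300, T(2, 20, 1)),
]


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.subject} seq {f.seq}: {f.code} ({f.detail})")
```

Each trick in the thread defeats a different check, not all of them: rebooting the phone between backdated entries removes the monotonic comparison for that pair, reconnecting within three days keeps the drawer scenario under MAX_OFFLINE, and uptime_s is still reported by the app, so a tampered app or rooted phone can forge it. These are grounds for a query and an escalation, not proof, which is why the receipt time, the one value the device never controls, belongs in the audit trail and must not be overwritten by the device stamp.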

Quote from Guest on July 26, 2023, 4:35 pm

This assumes that the vendor doesn't record any information in operational logs that preserves sequencing and never does a time check on startup of the application. Been doing - this among other things on the back end that I wouldn't reveal - since the days of Palm Pilots. And subsequently reporting suspected fraudulent activity to sponsors.

is this a pretty standard practice? guess it's good to know there are some checks and balances. is fraudulent activity very common?

Hightower Clinical / Note to File Podcast / Existential Dilettante / "Specialization is for insects"
Quote from Guest on July 26, 2023, 4:35 pm

This assumes that the vendor doesn't record any information in operational logs that preserves sequencing and never does a time check on startup of the application. Been doing - this among other things on the back end that I wouldn't reveal - since the days of Palm Pilots. And subsequently reporting suspected fraudulent activity to sponsors.

Consider this: all the best data for busting these shenanigans could be considered privacy issues, geolocation, syslogs and so on.

Time checks and clock comparisons can all be easily messed with. These could indicate that something went wrong, but are easy to dismiss.

More importantly, who do you think is interested in looking for something like this? FDA won't sift through logs and dumps (heh, they both mean poop) without a reason, and I'm not even sure ALL the raw data is available to them. Sponsors seem to prefer claiming a bug/glitch/dunno lol, unless there are more obvious signs. Same goes for everyone sposored by the sponsor sponsoringly.

Quote from brad on July 26, 2023, 4:47 pm
Quote from Guest on July 26, 2023, 4:35 pm

This assumes that the vendor doesn't record any information in operational logs that preserves sequencing and never does a time check on startup of the application. Been doing - this among other things on the back end that I wouldn't reveal - since the days of Palm Pilots. And subsequently reporting suspected fraudulent activity to sponsors.

is this a pretty standard practice? guess it's good to know there are some checks and balances. is fraudulent activity very common?

Well it's absolutely not as common as whipping up a paper diary in the parking lot. This takes much more know-how, and in general, is supposed to be impossible.

The claim that ePROs are safer, that is what makes them more dangerous. They will not be checked as carefully, and the checking itself requires a heck of a lot more brain power (artificial or beer & BBQ powered, but with a hint of intelligence).

If these exploits are kept in secrecy, some cheeky fellers might get away with them. Making them public might cause more fraud, but that will lead to awareness, and that should lead to solutions. 

It's gotta get worse before it gets better, right?

Quote from Guest on July 28, 2023, 6:46 pm

 

It's gotta get worse before it gets better, right?

thank you for your service

o7

Hightower Clinical / Note to File Podcast / Existential Dilettante / "Specialization is for insects"