• (cs)

    This is really bad.

    Yanks, eh? What's next.

  • naterkane (unregistered) in reply to GoatCheez

    this is what gets college kids beat up

  • jdieter (unregistered) in reply to Bus Raker

    A programmer who hasn't heard of Sarbanes-Oxley? Holy crap. We have written 50 thousand lines of code and documented 50 million more because of that freakin law.
    (of course, we do get paid by the hour, so I guess I should be happy right?)

  • jdieter (unregistered) in reply to jdieter

    We got a copy of the production database (full of patient info protected by HIPAA). We had to sign all kinds of documents and such. The boss asked "How can we guarantee the security of this data?" My answer was "On windows, since you don't have the source code and it downloads new system code every night, the only way to guarantee the security of your data is to unplug all the cables from the back of the computer". And that's what we do! Anyone who thinks anything is safe on a computer they don't have the source code to is a nut case.

  • d (unregistered) in reply to voyager
    voyager:
    When I see things like this I get a real urge to contact the responsible autority and get those idiots removed from the IT genepool. This is actually as scary as it is funny. There could be muppets like this working at your bank!

    Is te forum software eating aitches too?  I 'ave it on good autority ...
  • ajones (unregistered) in reply to rbriem

    throw new IronyNotHandledException("The Irony interface is not supported by this device.");

  • (cs) in reply to TomCo
    TomCo:
      TELNET medi-corp.com 80 
      GET /cgi-bin/need_fix.cgi?customerId=169&drugId=71216
      HTTP/1.1 200 OK
      Content-type: text/html
      <html>
      <body>
        Response: File Not Found.
    </body> </html>

    Please don't ever again use 200 OK as a response for File Not Found, not even in a joke. Good old 404 is what you want.

  • (cs) in reply to RobertJohnK
    RobertJohnK:
    TomCo:
      TELNET medi-corp.com 80 
      GET /cgi-bin/need_fix.cgi?customerId=169&drugId=71216
      HTTP/1.1 200 OK
      Content-type: text/html
      <html>
      <body>
        Response: File Not Found.
    </body> </html>

    Please don't ever again use 200 OK as a response for File Not Found, not even in a joke. Good old 404 is what you want.

    That reminds me - I ought to figure out sometime how to get Trac to give a 404 instead of a 500 Server Error if you go to a non-existent page.

  • Rhialto (unregistered) in reply to treefrog
    treefrog:
    What if I (client) asked my doctor (the vendor) for the recipe for heroin (for research purposes), then asked for the ingredients, then asked for a syringe; and in each case my doctor just gave me what I needed with only a 'sneaking suspicion' that I was up to something.  Should the doctor be held responsible - at least partially - for enabling me to inject myself with heroin?


    My body is my body. Why the state insists on interfering with it, I don't understand, since it is rather contrary to the spirit (but unfortunately not the letter) of the International Declaration of Human Rights.
  • Rhialto (unregistered) in reply to 1st2nd3rd
    Anonymous:

    1st reply to "1st reply to "1st"."

    And

    2nd reply to "1st".

    Last!
  • Jeff (unregistered)

       " ... source code, ostensibly for "disaster recovery."

    They should have required source code escrow in the client agreement. Problem averted.

  • GogglesPisano (unregistered) in reply to Bus Raker

    SOX == The Sarbanes-Oxley Act, a federal law which establishes policies that govern the accumulation and disclosure of corporate financial information.  A large part of the law deals with IT procedures.

  • (cs) in reply to jdieter

    Anonymous:
    We got a copy of the production database (full of patient info protected by HIPAA). We had to sign all kinds of documents and such. The boss asked "How can we guarantee the security of this data?" My answer was "On windows, since you don't have the source code and it downloads new system code every night, the only way to guarantee the security of your data is to unplug all the cables from the back of the computer". And that's what we do! Anyone who thinks anything is safe on a computer they don't have the source code to is a nut case.

    Wow.  I presume, if you had the source code for the operating system, you would go over it line by line and be 100% confident of your (or your employees') ability to find and fix each and every security hole? 

    No? 

    Well, then surely you would pay someone to guarantee that the code is secure -- that would at least transfer legal liability from yourself to the third party. 

    No? 

    Perhaps you mean that you plan to trust random strangers to examine the operating system code, with uncertain credentials (are you really going to pick up the phone and call MIT to verify that the "Senior Professor of Computer Science" works at MIT?) and uncertain motivations, and assume that if "enough" (how many?) of these security experts agree that the code is secure then it actually is reasonable to treat it as secure?  From a legal standpoint, this provides absolutely no protection in the event of a breach, and might make matters worse (you could have done #1 or #2, but you chose not to).  Never mind the fact that these so-called experts are practically anonymous.

    Don't get me wrong -- open source software is, in almost all cases, more secure than closed source software.  However, there is an enormous gap between "more secure" and "completely secure".  The only platform that fits into the latter category is the platform that no longer functions ("Write Only Memory").  Even a hard drive removed from its computer and stored in a bank vault is potentially vulnerable.

    Blindly asserting that closed source operating systems are too insecure to be connected to a network while holding confidential information is absurd on its face.  For example, a closed source operating system residing directly behind a dedicated open source firewall is at least as secure as if the only system involved was a closed source system.  This can be accomplished by configuring the firewall to deny all connection requests originating from the protected server (preventing it from dialing home and preventing any trojan-style programs integrated into the operating system from "reporting home") or to only allow connections to specific hosts on specific ports (which has a very similar effect).

    Actually, this configuration should be more secure than the alternative, an open source OS installed directly on the network: you can have the operating system on the firewall customized (by someone else, if you lack the skills) to eliminate everything except what is necessary to route network traffic between the protected computer and the rest of the network, minimizing the amount of code that needs to be examined.  Note that this firewall won't be running Linux, at least not in any recognizable form.  The first thing that should be eliminated in your firewall operating system is any option for interactive login (root or otherwise), followed by all file system support (firewall options will be hardcoded on the boot EPROM).  All you really need is a fragment of a TCP/IP stack: one that can decode packet headers and knows that packets destined for "123.54.394.32" (hard-coded) on network interface "A" should be retransmitted (unchanged) on network interface "B", and packets received on network interface "B" (possibly with destination x / port y, both also hardcoded) should be re-transmitted on network interface "A".

    In this scenario, I contend that the closed source system + firewall would be far more secure than any possible "general purpose" open source operating system connected to the internet and yet, if my life depended upon the security of the data stored in this particular computer, I'd still "unplug all the cables from the system" whenever the data wasn't actually needed.
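As an added illustration of the two-interface "fragment of a TCP/IP stack" described in the comment above (example code written for this page, not the commenter's own design), the block below models the decision logic of such a filter in Python: it decodes just enough of an IPv4 header to read protocol, addresses and ports, forwards traffic arriving on the outside interface "A" only when it is addressed to the protected host, and forwards traffic from the protected host on "B" only to a hard-coded (destination, port) allowlist, dropping everything else including anything that fails to parse. The protected-host address, the allowlist entry and the interface names are assumptions chosen for the example; a real deployment would express the same policy in a kernel packet filter rather than user-space code.

```python
"""Model of a stateless, hard-coded two-port packet filter (added example, not from the original thread)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

OUTSIDE, INSIDE = "A", "B"  # interface names as used in the comment

# Assumed address of the closed-source server sitting behind interface "B".
PROTECTED_HOST = ipaddress.IPv4Address("10.0.0.5")
# Assumed outbound allowlist of (destination, port); an empty set means "deny all outbound",
# which is the stricter of the two policies the comment describes.
OUTBOUND_ALLOW = {(ipaddress.IPv4Address("10.0.0.20"), 5432)}

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Header:
    proto: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: Optional[int]
    dport: Optional[int]


def parse_ipv4(pkt: bytes) -> Optional[Header]:
    """Decode the IPv4 fields the policy needs; return None for anything malformed."""
    if len(pkt) < 20:
        return None
    vihl = pkt[0]
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):  # truncated or lying length field
        return None
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    sport = dport = None
    if proto in (TCP, UDP):
        if len(pkt) < ihl + 4:
            return None
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Header(proto, src, dst, sport, dport)


def decide(in_iface: str, pkt: bytes) -> Optional[str]:
    """Return the egress interface for pkt, or None to drop it. Default is drop."""
    h = parse_ipv4(pkt)
    if h is None:
        return None
    if in_iface == OUTSIDE:
        # Only traffic addressed to the protected host may cross into "B".
        return INSIDE if h.dst == PROTECTED_HOST else None
    if in_iface == INSIDE:
        # Anti-spoofing: nothing but the protected host should be on "B".
        if h.src != PROTECTED_HOST:
            return None
        if h.proto in (TCP, UDP) and (h.dst, h.dport) in OUTBOUND_ALLOW:
            return OUTSIDE
        return None  # dialing home, trojan call-backs, anything unlisted
    return None


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header, checksum left zero."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def tcp_stub(sport: int, dport: int) -> bytes:
    """Constructed sample transport header: ports followed by padding to 20 bytes."""
    return struct.pack("!HH", sport, dport) + bytes(16)


def demo() -> dict:
    """Run the policy over constructed traffic and report each verdict."""
    return {
        "inbound_to_protected": decide(OUTSIDE, build_ipv4("192.0.2.10", "10.0.0.5", TCP, tcp_stub(40000, 443))),
        "inbound_to_other": decide(OUTSIDE, build_ipv4("192.0.2.10", "10.0.0.9", TCP, tcp_stub(40000, 443))),
        "allowed_outbound": decide(INSIDE, build_ipv4("10.0.0.5", "10.0.0.20", TCP, tcp_stub(50000, 5432))),
        "phone_home": decide(INSIDE, build_ipv4("10.0.0.5", "203.0.113.7", TCP, tcp_stub(50001, 443))),
        "spoofed_inside": decide(INSIDE, build_ipv4("10.0.0.8", "10.0.0.20", TCP, tcp_stub(50002, 5432))),
        "truncated": decide(OUTSIDE, build_ipv4("192.0.2.10", "10.0.0.5", TCP, tcp_stub(40000, 443))[:18]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict or 'DROP'}")
```

The point the comment makes is about minimizing code that has to be trusted; the example reflects that by carrying no state table, no configuration file and no parsing beyond the fields the policy actually reads, so a malformed or truncated packet cannot reach any code path other than "drop".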

  • (cs) in reply to Ann Coulter

    Anonymous:
    Manni:
    Are you saying the forum software ate your w's? I'm skeptical.


    Maybe he's using a computer at the White House.

    Nobody's eating W.  That was the Clinton administration.

  • (cs) in reply to treefrog

    treefrog:
    The army general is always held responsible when troops die.

    Not any more.  Neither is the Commander-in-Chief.

  • (cs) in reply to Anonymaly

    Anonymous:
    What's painful are these new startups using the latest development tools to create some impressive "eye candy", requiring those poor developers working for firms that won't upgrade their technology (and understandably so) but still require their team to do all of the same development the latest tools implement just to make sure they "keep up with the Jones'".  Then they complain when it takes about ten days to do what they 'saw' another person do in ten minutes.  Perception is what seems to be the key.

    It's not perception; it's straight talk. "That was done with the latest version of our IDE.  If we try to do it with these eight-year-old tools, it will take us 10 days to do what they did in 10 minutes.  We've asked for updates to our tools for the past five years and been turned down.  When you force us to use eight-year-old technology, you are going to get eight-year-old product.  That's just the way it is.  If you want cutting edge software, provide my team with cutting edge tools."

Leave a comment on “Hungry, Hungry HIPAA”
