Botnet Attack Shuts Down Hospital Network
aricusmaximus writes "A California student is now facing felony conspiracy charges after
unleashing a botnet attack that shut down the network of a Seattle hospital intensive care unit. This indictment comes a few weeks after another California man pled guilty to similar charges. Both attacks were attempts to make money off of adware affiliate programs. So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"
Colt manufactures guns. Man opens fire in public with a Colt pistol. Who's at fault? The shooter, of course.
I don't want to hear any psychology bullshit claiming it's not their fault--that it's society's fault for making them desire more money. I don't want to hear any bullshit that they didn't know what they were doing or the hospital should have had better security. This is an aggressive act against a public service--the internet. Computer-savvy students implement code that shuts down many computers for the purpose of advertising profit. They didn't realize what they were doing? Oh, come on. Even if they didn't, it's a valuable lesson and a few fewer spammers to ruin the world when they graduate. Tough. You like computers? How about five to ten in federal-pound-me-in-the-ass prison?
I'll bet they wished they had enrolled in Computer Ethics 101 before going on this capital venture. As an additional punishment, they should be forced to code software to stop stuff like this from happening and tailor it for medical equipment/computers.
And what kind of intensive care unit is "shut down" when they can't use computers? It's not like their work would have to grind to a standstill. I don't want to sound like a luddite, but are we really that dependent on computers? They're medical professionals; I hope they did just shut down and stop working when the computers crashed.
This student is in deep trouble. He chose actions that had grave consequences and now he'll face the charges resulting from those actions.
Inignot: Your stereo is now his stereo by way of my actions.
Shake: Yes, Meatwad, with actions.
My work here is dung.
If the hospital didn't have their network locked down (and it's in Seattle so they don't have the usual excuses) then they are in for a world of hurt from the state.
The HIPAA failures alone for allowing this to happen are mind-bogglingly bad.
So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?"
This is Slashdot. The answer to that question is either Bill Gates or George Bush.
If someone gets mugged on the street, you don't blame the victim for carrying money. Or blame society for having to use money.
It is a pity that the US legal system is no longer about justice; it is now about what can be proven.
Suggesting that the hospitals are at fault for failing to secure their networks adequately is asinine. The perpetrators are at fault. Adware companies might provide incentive and the hospitals evidently need to secure their networks, too, but culpability lies solely with the two defectives who committed the crime.
computer industry....software...
The analogies that others might post in this thread may not consider the possibility of doing it all differently, such that these problems either likely won't exist or can't.
Want protection from internet problems? Don't connect to it. But even the International Space Station has had its computer problems.
Life support and computers......hmmmmm....
What kind of idiot would blame the other two? No matter what motivates them, or who makes their job easier, they are the ones who are ultimately responsible for their own actions.
I'm not fond of the adware affiliate programs however, I don't believe that they're even remotely responsible for something like this. Responsibility for something like this falls directly upon the student who was launching the botnet attacks and I hope he's severely punished. Attacks like this could cost the lives of those that are receiving critical care at these hospitals.
Obviously, the network could have been more secure but that doesn't change the fact that without assholes launching illegal attacks like this there wouldn't be a problem in the first place.
"A Lisp programmer knows the value of everything, but the cost of nothing." - Alan Perlis
The students are guilty of the crime, but the adware companies are guilty of conspiracy to commit the crime - and in this case I think that they are rather more culpable, since they are encouraging more people to do this. By all means prosecute the students (they deserve it), but if you want to fix the problem you need to chop off the monster's head.
James P. Barrett
If you make promotions that encourage antisocial behavior, you should be ashamed.
If you try to steal money from the above promotions by using the above holes, you are of course a thing called a criminal.
And the extras: companies making insecure products.
In the same way gunshot victims who don't wear body armour are at fault.
If GM sold a car that didn't have locks on the door, and they were always being stolen, they would be facing a class action lawsuit.
But when Microsoft starts selling anti-virus software, and profits from the inherent insecurity of their crap operating system, shareholders applaud, and the public is silent. It's time to start holding Microsoft accountable for all the tens if not hundreds of billions of economic harm caused by their inattention to quality.
Likewise, any IT administrator for a hospital that makes a demonstrably vulnerable OS a critical part of critical hospital operations should be shown the door. Quite frankly, it really doesn't matter if you buy the argument that Windows' security is appalling (it is), or not. Empirically, for whatever reason, Windows is under constant attack. Other operating systems are not. That much, at least, is plain on the face of it. Yet MS apologists are so addicted to their MS crack that, as we see here, they will actually put people's lives in danger. Sickening.
for naming him Christopher.
Aside from whether his name gave him a Jeebus complex, every Christopher I've met has spent time in jail, so he must be guilty.
Chewbacca defense doesn't work either, since he doesn't CHOOSE to live on Endor.
He just got a bad timeshare.
Game: Player 'Donald J Trump' now has AI skill level 'experimental'.
Surely the actual ICU equipment isn't networked at all, and this just inconvenienced the admin and support staff in that dept?
Get your own free personal location tracker
While I agree with some previous posts that most of the fault lies with the student who perpetrated the act, the adware company is an accomplice. They provided the financing to do an illegal act. That's illegal in itself in most places. Maybe they didn't know the students were going to do something illegal, which could be the technicality that gets them off, but it's still scum-of-the-earth low.
The hospital has regulations as to how much security they are required to have for personal health records. Canada has similar legislation, but it covers any personal information that's collected by any company. Now admittedly a DoS attack wouldn't expose any of this information, if that's what it was. I didn't RTFA, but I did RTFS, and it sounds like it could have been, even though it isn't stated explicitly.
So, yes. The fault lies with all of them in varying degrees.
"City hall" in German is "Rathaus" Kinda explains a few things......
All three are to blame, but to different degrees.
The students should be taken out and beaten. Anyone with any level of computer knowledge these days should know such activities are both highly immoral and illegal. This isn't stealing MP3s. And to attack a hospital? How thoughtless can you get? However, it's easy to be tempted by this type of thing, while these students got caught, many more got away with it at some point.
The Hospital should be scolded, but it's hard to know just from the story to what degree. It could range from a slap on the wrist to a lawsuit. If they had good computer security, then the students were just good at getting through. If it was bad computer security, then they need to step up and admit it. In any case, they are a hospital that appears to be running Windows to control their sensitive security systems. Bad choice, and that alone warrants one finger pointed at the hospital, if it's true. However, many hospitals are notoriously underfunded. In any case, I hope the IT staff of the hospital reviews this situation and revamps their software to minimize this risk in the future.
The adware makers should all be taken out and shot. They are the immoral facilitators and the ones who should take the most blame. They are the modern-day equivalent of drug dealers. They didn't kill the person taking their drugs, but they knew it eventually would come to that, and they never stopped selling. They put all the risk for the crime on the students, knowing full well they could get caught, and that someone else's computer system would be seriously damaged. Something very gruesome and painful should befall them, before execution.
"All great wisdom is contained in .signature files"
A Seattle hospital administrator was overheard mumbling:
"There's an old saying in Seattle -- I know it's in California, probably in Seattle -- that says, fool me once, shame on -- shame on you. Fool me -- you can't get fooled again!"
My name is Christopher, you insensitive clod!!!
(My first real chance to use that /. staple...)
And I haven't spent any time in jail, either, so you must know the wrong bunch of Christophers.....
"City hall" in German is "Rathaus" Kinda explains a few things......
I'd blame the mind control parasites
Is there no end to the chaotic suggestion that the victims are at fault? People SHOULD lock their doors, they SHOULD keep their children from strangers, they SHOULD avoid walking down dark alleys late at night. That doesn't mean they are the ones at fault for the burglar, rapist, or thug attack. When you even suggest the fault lies with anybody but the attacker, you only validate them as being victims of loose security. This breeds contemptible statements such as "it wasn't my fault I killed the man, he should have had a gun to stop me". Absurd? I agree, Zonk's suggestion certainly was.
All of the above.
DUH!
The Internet is known to be hostile. Any networks facing the Internet need to be properly secured. And the techniques for doing so are very well known and accessible.
We shouldn't allow people to display such incompetency and/or ignorance. While we can't expect any system to work perfectly, we also can't expect them to fail so horribly, apparently due to a deficient design. This was obviously a very serious flaw with the network, to allow it to fail so easily.
If those in the various fields designing computer-related systems ever wish to be considered engineers in the same vein as mechanical and civil engineers, then they can't let incidents like this go. This is comparable to a bridge collapsing in a faster than normal windstorm, all due to negligence on the part of the designers.
Cyric Zndovzny at your service.
Most likely both.
Patents Drive Free Software as Hurricanes Drive Construction Industry
"But the Northwest Hospital case played out differently in January 2005. ...[]... Meanwhile, the hospital used some old-fashioned backup systems. When electronic file transfers didn't work, nurses ran the files up and down hallways. When key cards wouldn't work, they stood guard and inspected ID badges themselves."
The paging system didn't work and it could have cost them lives. That's involuntary manslaughter.
Not sure how those hospitals got infected in the first place (normally they aren't connected to external network), but surely the attackers are clearly responsible.
Instead of punishment in prison, those offenders should learn their lesson by giving sponge bath to elderly men around the clock for life.
"Don't let fools fool you. They are the clever ones."
Justice is about proving guilt. That's why in many legal systems there are prosecutors, whose job is to present claims against the accused. And then there are lawyers to defend the accused. There's usually a judge, and at times juries. I'd hope you realize that this whole show is there for the sole purpose of finding the truth. That is, finding what can be proven. It's not an easy task, but it's what justice is all about: proving guilt beyond a reasonable doubt.
Cyric Zndovzny at your service.
Note that what follows below is only based on RTFA, which as usual when dealing with mainstream press reporting on tech may be wrong or inaccurate or indeed made up on the spot. Nonetheless, based on this I conclude the following.
That the student used zombie computers to install adware software that would then generate 'hits' for the student's account so that he would be paid. He was using computers he did not own to defraud adware companies by generating false ad hits. This is a well-known fraud dealing mostly with pay-per-click style ad schemes.
So who takes blame here and for what? Funny enough that the 'question' left out the first and most obvious culprit.
I am amazed that MS was not mentioned as one of the culprits. How often does their software have to lead to crap like this before people will finally ban it for any serious use? Would we accept a hospital that used, say, oxygen bottles filled by the local scuba diver club? Use alcohol produced in someone's bathtub?
I would very much like to hear that the person responsible for that hospital's computer systems is fired and never allowed to work again. Yes, the student is the criminal here who deserves jail time, but a sysadmin who installs Windows deserves the chair. And yes, I would be happy to throw the switch. Hell, I would be happy to pedal on a bike to generate the electricity.
If I sound a bit biased against MS it is because I have once again been drafted into working on some piece of crap MS setup because some MCSE idiot made a nice sales pitch. Why don't you just put a sign on your server "Own me!" and be done with it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Some operating systems are suitable for a networked environment and can provide a robust infrastructure. Others are suited for standalone use and only safe with an air gap, that means no sneakernet either.
Wow, you certainly are a logical, sensible person. I'm so admiring of your brave, brave stance against 'stupidity'.
Obviously computer criminals should be raped. That's a brilliant solution to the problems of society.
Thank you, sir, for your braveness. If only our soldiers were as brave as you, we wouldn't have lost Vietnam.
The student, who caused all this, should be taken out and shot. He's a degenerate menace to society. There is no excuse for what he did.
The hospital, who should've secured their networks, should get a severe scolding and should be required to have thorough security audits once a year - minimum.
The adware company, who are the fuckheads that provided the technology for this idiocy - and who certainly don't have good intentions - should be fined. Severely. Hopefully so they go bankrupt.
ALL OF THE ABOVE! *gasp!* that's right! ALL OF THEM! Here's why:
Student - Aside from the obvious, exploiting other people's machines for things is one thing, but exploiting machines in a HOSPITAL is a horse of another color, in addition to him trying to exploit whatever "incentive" offer he was using, which is probably against their TOS.
The hospital - I severely hope someone in that hospital's IT dept. got a whole series of books on network security shoved up their ass, because if they had secured their network, this wouldn't have happened (at least to them).
Adware companies - Anything that installs software just to try to sell you stuff is akin to the bastards that call you at the worst possible times, like when you're about to eat, get in the shower, go to sleep, etc. The only difference is you can add your number to the national do-not-call registry and thus make it illegal for them to call you, but with computers such is not the case. In addition they ought to know that if they offer "incentive" programs, people will constantly be looking for ways to exploit them to get more money than they ordinarily would (example: that program (the name escapes me) where you used to get paid for leaving a banner up on your desktop that displayed ads, and the people who registered 12 different accounts and ran 12 copies of the thing on their machine while they were at work or asleep just to get more money), and if they didn't offer them to begin with, this wouldn't have happened.
Personally I think anyone who writes adware for a living should be summarily executed for crimes against humanity. I am getting really sick of having people ask me to fix their computers because of these bastards' handiwork, which people who simply don't know anything about the dark corners of the internet (and I don't directly mean pr0n) get when all that lovely little spyware and adware seeps into your computer until you wonder why it takes 10 minutes just to open Notepad.
End of Rant
I was just visiting my father in the hospital. Many of the patients had a wireless monitor tracking their heart rates. These heart rates were displayed on a series of computer monitors at the nurse's station. I think they were networked using a bunch of PCs.
I was quoting a main character from the movie. It's funny, laugh. Wait a minute, I may be logical and I may be sensible but I am definitely not
My work here is dung.
The government should be taking every opportunity to show that attacks like this will be handled sternly. Stick him in a dungeon and give him the Abu Ghraib treatment
Did any ICU patient die during the attack, for any reason? If so, then the prosecutor should look to see if the death was perhaps quickened by the attack itself. Felony murder may be on the table for these meat bags.
"In order to make an apple pie from scratch, you must first create the universe." -- Carl Sagan, Cosmos
While the student attacked the hospital (and he should be glad he got away with conspiracy and not attempted murder), the hospital is at fault for using an insecure system where a secure and STABLE system should be in place. The hospital deserves to get sued.
We're in a pretty 'ucked up world if someone has to ask who is at fault. Lock him up.
I am not a doctor, nor do I work in the medical field. However I do know people - people in Seattle even - who do work in that industry.
While it's very easy to say something like "Just don't use Windows / Microsoft products" on a site like Slashdot, that statement ignores a rather obvious issue. Exactly how much professional-level medical software is out there for Mac OS? Or Linux. I can tell you the answer to that. Zero. None. Most hospital patient tracking systems originated on DOS and then Windows computers. These are industry standard programs and have been the baseline software for the medical industry for something like 20 years now. You don't just say "You should ditch windows, that's irresponsible of you." Take a second and think of how long it would take to switch over just one hospital to a new OS and having the appropriate software running to take care of things like patient history, billing, insurance tracking, vendor management, security, etc. Now keep in mind that hospitals all around the world - not just the US - have a well-established software base that runs on, you guessed it, Windows and it becomes a bit more difficult just tell a hospital (an industry) "Stop using M$ products."
If a patient moves from Seattle to Los Angeles, their new doctor is expecting the exact same types of files on that patient, readable by the same software. So is that patient's insurance company. So are paramedics who may need to quickly assess a patient's history for things like drug allergies, etc. So are pharmacists.
I agree that Windows is a non-secure and a horrible environment to open to the Intarweb, but let's be honest here. An individual can make the decision "I hate M$ office etc. and I want something better." (And they should.) A professional industry could say that but it's a lot harder to implement that kind of change. And I doubt anyone could easily suggest alternatives at this stage. Maybe that's a good point, though. Industry-standard software of a highly professional nature *should* probably be created for an OS like Linux, or OSX, or anything besides just windows.
I'm being horribly general here but it's not a simple thing to solve just by wiping a hard drive and putting a shiny distro of Debian on instead. How that system is used besides its networking security features is a much bigger deal than protecting against any misguided adware infection. There are known ways of protecting a Windows system and they should be employed.
Because I can! [Brainrub.com]
Yet another slashdot thread where everyone immediately starts screaming "Linux!" "BSD!" the second they hear the term "security breach". Of course, it'd be nice if there were actually a lot of applications for healthcare that run on those OSs - which there aren't. OSS is pretty thin on the ground when it comes to this field.
Why don't you look and see what's involved in hospital IT? I've been there, and it's a major headache for admins. You have administrators who don't really know much about computers and doctors who are frequently the biggest prima donnas in the world when it comes to getting what they want, in a corporate culture which caters to them.
Add in software developers who frequently have no clue as to what's actually needed, how to make a useable UI, and how information flows in a healthcare setting. But they have a hell of a sales pitch to the doctors and administrators, and you're the one who has to make it work.
Now try to secure it. Really! Wait until the first time Doctor X decides they're going to install their personal software on the workstation. Never mind that supposedly they're not allowed to do that - they'll do it anyways and then scream at you when you take it off. Take a wild guess as to who the hospital's going to back!
It's easy to blame the IT people, and the use of Windows, here. Wrong, but easy. They picked it up pretty quickly, and dealt with it. I'm sure they'd have loved to have more control, but unfortunately it's a question of what you're allowed to do, not what you want to do.
Let's say I have a car with a nice stereo in it. I leave the car unlocked all night, and in the morning discover that the stereo is missing, having been ripped out of the dash with what I can presume was a crowbar.
The crowbar company is not at fault. I am not at fault, even if I am stupid for having left the car unlocked. The thief is at fault, the end. My leaving my car unlocked does not give anyone the right to enter my car for any reason.
Just because computers are involved doesn't mean the rules change. If someone sent you a piece of postal mail touting P3N1S ENLARRGMNT, you would throw it away immediately, but for some reason, when it's sent via email, it carries more validity.
Web 2.0 == Giant Blogspam Circle Jerk
So who's really at fault here?
To ask the question is to imply that there is a dispute.
Fill out the posting, but don't be a putz when you do it.
.....expensive brand hospital faced embarrassment today when it was revealed that faulty design, installation and lack of maintenance resulted in doors that failed to lock. Although they gave the appearance of being locked, they were never really locked. While security guards were busy at lunch and multicultural sensitivity training sessions, off-the-street criminals followed doctors and nurses into the hospital and stole drugs, damaged equipment, and completely scattered all the patient files all over the floor, and replaced them with advertising flyers for refinancing your mortgage, hot stock tips and look-alike jewelry.
Hospital administrators said "not my fault", as they had contracted with the largest door and lock manufacturer out there. The doctors and nurses said it wasn't their fault because they aren't to be concerned over the proper locking of doors because it isn't their job. The security guards said it wasn't their fault as they were just following orders and were detained elsewhere while the crime was committed and weren't trained to spot unlocked doors if they looked locked. The door maker's lawyer representative said "read the fine print" in the contract, where it states quite plainly and legally that they are not liable to offer doors that act like doors or locks that lock properly. The patients interviewed said they were unconscious so can't be held liable, because they weren't looking. The insurance company refused compensation, saying the hospital was complying with all pertinent and applicable laws in operation. The burglars, once caught, claimed an abusive childhood combined with sugar imbalance, ADHD, and toxoplasmodic brain infections made them incapable of functioning "normally" in society, and besides, as "guest workers" with drug addictions, they are entitled to free hospital care, so they were just showing up for treatment at the hospital.
But the crime was committed by the kid. Guilty as charged. As for the admin and adware, you don't learn near as much from success as you do from failure. I bet the hospital tightens security after this. As for the adware... Well, they will learn if it fits into their business practices.
I had read about this before, and from what this article says there are implementations of network-controlled invasive patient care out there; this one is in Kingston, Canada.
http://www.itbusiness.ca/it/client/en/home/News.asp?id=37573
Then it's very obvious that the doctors are at fault. A doctor who doesn't scrub thoroughly enough before performing a surgery cannot blame the infection on the germs. A hospital that relies on a computer system that isn't secure enough cannot blame the crackers.
Microsoft software shouldn't be allowed in hospitals for the same reason pets aren't allowed in surgery rooms. A doctor who insists in having his MS-Windows computer connected to a critical hospital network is like a surgeon who insists in bringing his pet labrador into the surgery room. They may love their software and they may love their dog, nothing wrong with that, but when other peoples' health and life are at stake they are responsible for taking the best precautions, even if it causes them some inconvenience and even it they must follow instructions from people they consider intellectually inferior in some way.
The people who chose to execute the attack and created it are at fault, simple and done right there.
The analogies explaining this are too many to count; my favorite would be that by that standard I would be to blame if someone came in through my window and shot me in order to steal my TV, with my accomplice being the pawn shop he will sell the TV to. Poor misunderstood burglar.
I'm a fiscal conservative, it's a pity we don't have a political party anymore
Never!
The fact that there have been so many security holes over so long a time to make it worth the while of some miscreant to write the software to make botnets at all is evidence enough that there is something seriously wrong with using windows for ANYTHING remotely mission critical.
All the monitoring info was radio-relayed to a monitoring station at the central desk, where a single nurse monitored it full time. The unit had a staffing ratio of one nurse per three patients; the monitoring nurse was one of them. If they had lost that connection, they would not have had sufficient staff to keep every patient adequately monitored. They didn't have sufficient staff to personally monitor the patients anyway, even with the electronic monitoring helping them out. The nurses were acutely aware of this, and were not happy about it.
In order, I would rank:
the student
the adware companies
the hospital IT staff
THE STUDENT (80% blame)
has no excuse for his actions. He deserves the prison sentence he will no doubt get.
THE ADWARE COMPANIES (15% blame)
Just when I thought they could not be any more despicable, they prove me wrong. (One of the tasks I deal with is cleaning up, or even re-imaging, spyware infested Windows PCs.)
THE HOSPITAL IT STAFF (5% blame)
Come on! What were they thinking of when they exposed such critical, sensitive systems to the internet! I have previously worked in a company where some people had two PCs on their desks - one with internet access, and the one with the sensitive info was NOT exposed to the internet, even via a firewall!
Hopefully the hospital will have a "lessons learned" roundup in a non-confrontational manner, looking at the mistakes made, and revise their IT security policy accordingly. Hopefully, there will also be no firings - it is more important to learn the lessons than to fire a scapegoat.
Democracies do not care about the individual's beliefs. Democracies do care about the individual's actions and hold the individual responsible.
The only thing new in this world is the history that you don't know.[Harry Truman]
No, the shooter got off, too. "Your Honor, guns don't kill people, my client's gun didn't kill anyone, it was the bullet."
This is a load of shit.
Anyone with any experience in hospital IT will realise that critical systems in the ICU are standalone and it's not possible to affect them via a network. The worst that can happen is _maybe_, and I stress _MAYBE_, that the patient admin software, which largely concerns itself with billing etc. isn't available. There is no story here.
It doesn't matter whose fault it is. If the perpetrators committed a defined crime, they receive the judgement prescribed by law. If the adware companies encouraged someone to do something unethical, well, until that's a crime, there's nothing to do about that.
On the other hand, if someone fails to take precautions to secure their house, and they get broken into, sure, the crook goes to jail. But their house still was broken into, and unless they do something to secure their house, it'll happen again. Doesn't matter whose fault it is. What matters is what can be done to prevent it from happening again.
"We are all geniuses when we dream"
- E.M. Cioran
> What kind of idiot would blame the other two?
Maybe... an insurance company?
Breakfast served all day!
Most hospital patient tracking systems originated on DOS and then Windows computers
;)
Or some custom app written in 1982 that runs on a dying mainframe.
If a patient moves from Seattle to Los Angeles, their new doctor is expecting the exact same types of files on that patient, readable by the same software. So is that patient's insurance company. So are paramedics who may need to quickly assess a patient's history for things like drug allergies, etc. So are pharmacists.
You do realize that they already have that interoperability - in paper files?
The whole push for computerized records is fairly recent and complete conversion won't happen for a fair bit of time.
And you hit the nail on the head - instead of coding yet another window manager, or making yet another distro for home users, maybe a couple people should start coding something for the medical industry. Of course, this might not work so well when one of the developers realizes that billions can be made in this segment of the market.
We are the ones who are responsible. Because we, the technological elite, have done nothing to prevent this type of situation from occurring. And we have the power to do so. But we don't have the spine to accept our responsibilities for the technology that we create.
Who should go to jail or at least get tossed out of school? The students of course. For unleashing deliberately an uncontrolled technology for profit without making any preparations for the consequences.
If you are a chemical company and you dump poison into a stream or pump it into the air to get rid of industrial surplus, and this directly causes death and destruction, then you are responsible (at least in the civilized world). You make sure of the effects of what you do before you do it.
Same with software. The days are just about over where people will accept unwanted consequences of bad software as unforeseen 'acts of God'. The time is coming to an end where you can publish any junk with a tiny print disclaimer stating that you as the software creator are not responsible for anything that the software does.
Same with malware. The software company that put out this adware program should be sued out of business, and the programmers should be blacklisted for creating an application that was outside of acceptable guidelines. And we as the technical elite should set and enforce the guidelines. This is an idea whose time has come and no one else can do it but us. This is the only way that this type of thing will stop. And if the adware program sellers don't like it, too bad. We created the net; we control the net; we take responsibility for what assholes do on the net; we punish the assholes who don't follow our guidelines. That is the way it should be. It would improve the position and respect that geeks get in society.
Blaming the hospital is like blaming 911 equipment makers for the situations that caused people to call 911 (an emergency telephone code that contacts help in the USA). No one would blame electrical equipment manufacturers for the acts of a criminal deliberately cutting the power in a hospital.
Call me naive, but why is a critical system such as this even accessible from outside the hospital in the first place?
I'm not talking firewalls, filtering, passwords, etc. I mean why is there a physical path from outside in? Except for electric power, why is this network not isolated from off-site? I would think that physical isolation would be the most effective "firewall" from Internet-based intrusion.
I ask simply because I don't understand why there is even the possibility of such a connection.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
I'm tired of seeing this analogy. It isn't even close to the mark. If you RTFA, you'll see the student got $100k from the adware company. So, a better analogy would be: Mafia boss offers 100 grand for your head. Jimmy the Tulip nails you and collects the prize. Would you say the Mafia boss was innocent? The law doesn't say so. Louis Lepke, for instance, died in the electric chair in Sing Sing, not because of someone he killed, but because of someone whose murder he ordered.
The true victims here are the patients. The hospital, the adware companies, the companies that supplied the software to the hospital, the doctors, they are all criminals, they all cooperated with the student that broke into the hospital system.
This "let's not blame the victims" meme is incorrect, and it's not in the spirit of modern legislation. In many cases, according to the law in most places, the victim *is* guilty, if he did not take adequate precautions to avoid a crime or an accident. You must wear seatbelts, you cannot disable your airbags, bikers must wear helmets, etc. In the same way, having a computer system without adequate security protection should be a misdemeanor. And where human lives are in danger it should be a felony.
The hospital should also be held responsible for its security weaknesses. When you set up a server to deal with Visa or MasterCard numbers, there is a large list of requirements. These include not having the machine directly accessible from the Internet; it needs to be locked down physically, with unique logins for each user, and a camera ensuring it's physically safe. Each computer on the network needs to be firewalled, as does the server, which must have incoming and outgoing traffic firewalled. Now if a hospital can't meet basic security needs (and I'm sure the attacker did not target a hospital), it's negligence for them to have a catastrophic failure. This is like, say, not buckling up a child and getting hit by a drunk driver. Obviously the driver is at fault, but so is the parent. PS: Microsoft sucks, they should have used Linux.
Let's set the argument regarding who is at fault aside for a moment. Let's even set aside the "this wouldn't have happened on a non-Microsoft OS" hyperbole. My main question is this:
WHY WERE THE HOSPITAL'S COMPUTERS CONNECTED TO THE INTERNET IN THE FIRST PLACE?
I can't think of a single reason that the computers containing confidential information, personal medical records, and systems necessary for the day-to-day running of the hospital weren't on a stand-alone network in the first place. There are probably some tools that require an internet connection, but why weren't these tools run on separate computers? It's fairly easy to transfer data from an internet-connected computer to a non-internet-connected computer (and vice versa) with floppy discs, removable drives, CDs, DVDs, etc. It may create a small extra step every once in a while, but it's not like the dangers of computers being hacked over the internet are unknown. Even if it did not create an ethical dilemma to have patient records possibly available to a competent internet hacker, the threat of massive lawsuits should such information be stolen should be enough to create some justifiable paranoia about internet attacks. Also, if someone had died because of a slowing of communications within the hospital due to the current hacking, the hospital probably would have been faced with a wrongful death suit. Whether the hospital lost such a lawsuit or not, it would still cost a lot of money and affect the bottom line.
Come on, people, this should be a case of enlightened self-interest. It may be the robber's fault if the robber comes into your house through an unlocked door, but the insurance company won't cover your losses if you left the door unlocked. Locking your doors can be a bit inconvenient if you have to get the door open again while carrying an armload of groceries, but it's worth the security in the long run.
Some "genius" decides to save money (always a good plan) and use the existing cable system to enable communication between the entry points and the security computer.
You can laugh all you want, but my boss right now would take the savings and rely upon me to make sure that everything else was fully patched, anti-virused, locked down, etc.
After all, I'm salaried and hardware / cable installation costs real money.
Yes, there are far more steps to change software on medical equipment than on the average workstation ...
So the answer is to NEVER allow INCOMING connections to that network. It must be 100% isolated from any incoming, outside connections.
This requires far more attention be given to designing the network and such. But when lives are on the line, you just do it.
"So who's really at fault here? The students?"
Yup. Motive, means, opportunity. S/he went ahead and performed a crime. This is the easiest to prosecute under the very slow-to-adapt laws that exist at the moment.
"The hospital for not securing their computers and network?"
Yup. Not taking due care with patients' lives is a felony, IIRC. This is as bad as not requiring your doctors to have a degree or wash their hands. The hospital is lawfully required to set safe standards.
"Or the adware companies for providing the incentive?"
Yup. These folks are guilty of a different crime, but still guilty. I don't know why there aren't more police arresting people and charging them with theft of service. Ad-ware is almost exactly like spam in terms of its side effects and damage.
Everyone is guilty! Only the student will be prosecuted, unless some smart lawyers get on it.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
I had read about this before, and from what this article says there are implementations of network-controlled invasive patient care out there; this one is in Kingston, Canada.
http://www.itbusiness.ca/it/client/en/home/News.asp?id=37573
The students are at fault, above all else. But I can't believe that the IT department of the hospital was so incredibly foolish as to put everything on the same network. Access control for the doors, computers in the ICU, the system that handles paging doctors...all on the same net instead of broken out by system? What the hell? Did the system at the nurses' station in the ICU NEED to have direct connectivity to the card reader on the door?
I don't think for an instant that the students who exploited systems at the hospital are in any way excused by the fact that the hospital set themselves up for a good hard screwing once they got exploited. But anyone...ANYONE...in a role of designing networks and systems needs to face the facts that such people do exist, are out there, and are very busy. You have to plan for certain "what if" situations, and this is a textbook example of one such scenario. That the IT department of the hospital put all of their eggs into one networking basket as they did is utterly inexcusable, and they too share some blame for planning a system on the proverbial assumption that there are no bad people in the world.
For your security, this post has been encrypted with ROT-13, twice.
but then realized that "security vulnerabilities" would not exist if there were no dirtbags exploiting them
Yes they would - security vulnerabilities are defects/holes in the software and they would exist regardless of whether or not they were exploited. (If a lock manufacturer makes locks that are easy to pick, those locks are easy to pick regardless of whether anyone actually uses that fact to break into something. Your 'tree falls in a forest' logic is wrong, unless you believe in 100% relativism, which anyone who has ever bumped their toe against something in the dark will be able to tell you is nonsense.)
Perhaps you were thinking of "exploits". But if you can't even get the most incredibly basic security terminology right, I'm not sure you are qualified to be saying anything about computer security at all.
It's your fault I just smashed your window with a rock. You should have hired guards to keep me away
Everyone keeps using this "you should lock your house" type of analogy. This analogy is completely flawed, because the "house" isn't the hospital's. The "house" belongs to the hospital's clients, as they are the ones entrusting their lives and their private information and so on to the hospital (and paying for precisely that).
If you don't secure your own computer and it gets hacked and you lose your backups, that's one thing - it's your own fault. But it's a whole other thing entirely if you pay another company specifically to look after your data, and they are negligent in protecting their network (e.g. not applying patches, using Windows, connecting it all to the open Internet) and it gets hacked and your data is lost or ends up in the hands of hackers. Would you still think it's your own fault? I don't think so.
The hospital has a responsibility and duty to its clients to look after the data (and their lives) properly, and in fact are most likely required by law to do so too. It's not the hospital's own data and owners' lives at stake. It's someone elses.
So if someone from a country where there are no laws against attacking computers does this, what are you going to do about that? Or if the police there don't care and you can't get them arrested.
You could just sit there complaining... or you could fix your computer!
It's your choice...
(Though luckily for us, it's not!)
The crowbar company is not at fault. I am not at fault, even if I am stupid for having left the car unlocked. The thief is at fault, the end.
This is a bad analogy. Sure, if you're talking about your own car, and you failed to lock it, the thief is at fault. But it's your own car, and nobody paid you to properly look after it.
But your analogy is flawed because it's not the hospital's "car" at risk here: It's the private information and the very lives of the clients of the hospital, that have been entrusted to the hospital's care, and that the clients are paying the hospital to properly take care of.
If you don't implement proper security for your own stuff, you're on your own when you get hacked. But hell, when you are being paid by other people specifically to implement proper security for their stuff, you'd better damn well make sure to implement "reasonable" security, or you are liable, very possibly even legally.
The analogies explaining this are too many to count
Yeah, and this is precisely the problem with analogies: they create cute "sound bites" that people can latch onto without having to properly think something through. Your TV analogy is flawed, because the hospital isn't expected to be "looking after its own stuff" here and it isn't the hospital's "own stuff" that is at risk ... it's the lives and private info of the clients of the hospital, who pay the hospital specifically with the expectation that they do properly look after those things.
A better analogy would be if you specifically pay a security company to watch your stuff, and your house gets broken into because the security guards just didn't even bother to pitch. Would you tell that security company "no problem, it's completely the thief's fault"? I don't think so.
If I pay a hospital a lot of money to look after my life (and my private information), I do expect them to take every reasonable measure to in fact do so. And if they don't do so they are in fact liable for not doing so.
Or blame society for having to use money.
No. But I might blame a drug dealer who passively suggests that they might rob people for more drug money. (While that seems like an extreme version of adware companies, shooting someone is far worse than hacking someone.)
I was just going to say that!
I'm not sure if there are any IT standards for hospitals, but there should be. I can see PCs becoming infected and causing some *PC* problems, but what are they doing on the same network as critical services? Being able to open an operating room door or page a doctor is pretty important stuff IMO.
This would have been an extremely minor problem had things been designed with this (common!) scenario in mind, and it wouldn't have cost a zillion dollars more. This would have also been an extremely minor problem (if a problem at all) had the hospital been enforcing a very simple security policy including anti-virus software.
Was the hospital negligent? Considering that people are entrusting their health care to the hospital and that there were simple measures that could have prevented something like this from occurring: yes. Should the kid who caused the problem get smacked around too? Yes, definitely, complete with no computer access as part of his parole conditions. Should the spyware/adware/getrichwithoutgettingup companies share some of the blame? They all should have been wiped off the face of the planet years ago.
While most certainly it is the boy's fault that the network went down, does the hospital have any liability if the equipment had a lethal failure (i.e. a patient died as a result)? In tort law, did the hospital take necessary steps to ensure the safety of its tenants in the event of a failure? If nothing else, this might serve as a warning to IT-dependent hospitals about placing too much faith in technology, and to make sure that the technology is secure enough to ensure the safety of their patients.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
Of course the students and adware companies were wrong but the scariest part of it was that the hospital - is getting off so easily - even in the land of geeks. What would be the reaction if the hospital had left its records, medications, instrumentation out in the open and physically rather than just electronically accessible to the public? If someone had died - who do you think would be sued - the idiot who tried to pawn the heart monitor or the hospital for leaving it on the street?
For those not familiar with the health system here - it is a private one. The motive for hospitals is to maximize profit while minimizing costs. Since there is relatively little public accountability through the government, and individual patients are largely unaware of the relative quality of hospitals, health care insurers are the ones that keep costs from getting too high and malpractice suits keep quality of care from getting too low. Mistakes can cost money - but admitting mistakes can cost a lot more and thus the level of cover-your-butt here is amazingly high.
In such a CYA environment, I question two things - the assertion that no one was hurt - and that the bot attacks were the ones that brought the network down. Both of these things may be true but are also things that administrators would say to prevent lawsuits. The fact that the staff was able to adapt so well to the computers being down suggests to me that this is not the first time that it has happened. In any case, there is no question that the computer network is poorly set up and that is almost certainly the fault of the administration. The docs can get away with small things like putting screensavers on their machines but it would take a high-level admin who wanted to save money by using the same OS across the board and/or wanted remote connectivity so that his crackberry could work more easily to really screw things up. If there are lawsuits - things will probably change - not necessarily to do things in a sane manner - but so that they can't be sued. The same calculation (effect on lawsuits) will also be used to decide whether and who will be fired/scapegoated over this - and it won't be the admin with the crackberry. At worst he/she might be made to go on a junket to Japan to learn how to run a hospital more like an automotive assembly line...
'nuff said.
The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
Health Insurance Portability & Accountability Act
How about "all of them"? Our society likes to attribute guilt to a single party (or even a single person, aka scapegoat) whenever possible and convenient. Makes the task of appearing to make progress and fixing things much easier, I guess.
Shit happens when idiots collide.
Yes.
Also, add "the lawmakers", for not killing adware right out of the gate.
I've fallen off your lawn, and I can't get up.
who is guilty?
The students are guilty
Adware companys are just scum
and well the hospital has a small case of stupidity
Well, you're somewhat right.
I worked for a company that sold GE's medical software product (Millbrook/Centricity) and it runs on Windows. However, there are a few *nix based products out there, such as Versyss; however, they are being phased out for the new and shiny Windows products. I recall our sales staff really needing to shine on the doctors: while they supposedly make a ton of money, they refuse to spend enough money on IT. When the sales force has to sell servers that are below what the engineering team would want to sell, we're forced to support it.
Most of you wonder why the ICU net is attached to the Internet. EMR (Electronic Medical Records) are replacing the vaults of paper files on patient records which are too easily lost or misplaced. The easiest way to make sure everyone has access and can transfer records to providers, outside specialists and billing companies is via EMR. Go visit the doctor next time and see if he has a tablet PC in the exam room. That's what it's there for, and you won't see the doctor come in with your chart in hand.
Bottom line
Mr. Maxwell should be the poster boy that while working at Wal-mart sucks, it's better than the next 10 years in prison, which he more than deserves and I sincerely hope he gets.
Sales people need to educate doctors on spending enough for security. Doctors are notoriously cheap (I worked with enough to realize this) and don't see a difference between a $800 server and a $5000 server other than the pricetag.
I don't blame the IT staff at all for this. Most likely they are underpaid and overwhelmed trying to plug enough holes as it is without some schmoe like Maxwell making life even more difficult. I'm sure a WUS (Windows Update Services) or some sort of patch management would have closed some/all of the OS holes exploited, but that's usually left to unautomated processes and I'm sure the IT guy never made it down to the ICU to fire up Windows Update.
I'm just glad I left medical IT and found a far better position elsewhere.
Hear hear. There's plenty of fault to go around.
Here's another analogy that should make it even clearer:
A bank puts its customers' deposits in a bushel basket behind a non-armored plate-glass window and closes for the night. A thief comes by, breaks the glass with a hammer, grabs the money, and runs.
Who's to blame?
- The bank?
- The thief?
- The manufacturer of the hammer?
- The manufacturer of the plate glass window?
- The car dealership selling the luxury car the thief wanted?
It's pretty obvious to me:
- The thief, for breaking in and stealing the money, and
- The bank, for not exercising due diligence in protecting its depositors' money.
The same with the hospital, which has an obligation to exercise due diligence in protecting its patients' health and the infrastructure which directly affects the provision of its medical treatments.
Yes the student was at fault, too. But it's a big wide world out there. With something like five billion people in it and a significant fraction of them having network access, there are plenty of bad and/or irresponsible people with a network presence.
This constitutes a threat as pervasive as weather, or disease. It's up to people who run institutions like banks and hospitals to take this into account. They must take reasonable precautions to protect the health - physical or financial - of the people who have entrusted it to their care.
Microsoft software is NOT rated for life-critical applications and its security flaws are well known. What the HELL was a hospital doing putting life-critical information on it, or letting it share a network with life-critical systems AND the rest of the internet?
I don't know about the rest of you. But just as I wouldn't deposit my money at a bank that leaves it sitting behind a plate-glass window overnight, I'm not going to schedule any medical procedures at a hospital that let this happen, then gave no visible sign of accepting any responsibility for the failure, blaming it entirely on the intruder.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Adware companies might provide incentive and the hospitals evidently need to secure their networks, too, but culpability lies solely with the two defectives who committed the crime.
Well, not quite. Let's look at an analogous IRL situation. Mob Boss tells a Thug, "If Luigi's warehouse were to, like, accidentally catch on fire, then I might spontaneously give you a monetary gift, *wink wink*". So Thug goes and burns down Luigi's warehouse, and Mob Boss pays him $5000. Then:
Thug goes to prison for committing arson; AND
Mob Boss goes to prison for conspiracy to commit arson; AND
Luigi gets hit with a massive lawsuit from his clients for failing to install a sprinkler system.
You are right that the perpetrators are guilty. However, in this case the adware company and the hospital almost certainly have some criminal and/or civil liability.
This is nothing new; hospitals used to "open" their networks with modems in the 80's. Doctors use it to perform remote diagnostics, adjust stuff remotely, etc... it's good as long as nothing goes wrong. I'm not a big fan of that kind of stuff because of the lack of authentication. A password is not enough for that kind of stuff. There should be some kind of second authentication, e.g. the doctor is asked to call on a voice line and repeat some words to verify it's really him.
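As an added example (not code from the thread or from any hospital or vendor), here is what a password plus a second factor looks like for that kind of remote-maintenance login. The post above proposes a voice call-back; this swaps in RFC 6238 TOTP, the time-based one-time code scheme used by authenticator apps, because it can be checked offline with nothing but the standard library. The user record, salt, password and timestamps are constructed for the demo; the TOTP secret is the RFC's own test-vector secret so the codes can be checked against the published values.

```python
"""Password + TOTP second factor for a remote-maintenance login (added example)."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at_time // step, digits)


class SecondFactorVerifier:
    """Checks a submitted code, tolerating +/-window steps of clock drift, and never
    accepts a time step at or before the last one accepted (replay protection)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_counter = -1

    def verify(self, submitted: str, at_time: int) -> Optional[int]:
        """Return the matched counter, or None if the code is wrong or already used."""
        counter = at_time // self.step
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= self._last_counter:
                continue  # that step was already consumed (or is older than one that was)
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                self._last_counter = c
                return c
        return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash so a stolen user table is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


RFC_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector secret

# Constructed user record; hypothetical account name, salt and password.
USERS = {
    "dr_example": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse battery staple", b"constructed-salt"),
        "totp_secret": RFC_SECRET,
    },
}
VERIFIERS = {name: SecondFactorVerifier(rec["totp_secret"]) for name, rec in USERS.items()}


def login(user: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass; the password is checked first so a bad password
    never consumes a valid code."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
        return False
    return VERIFIERS[user].verify(code, now) is not None


if __name__ == "__main__":
    now = 1234567890  # constructed timestamp (also an RFC 6238 test vector)
    code = totp(RFC_SECRET, now)
    print("first login :", login("dr_example", "correct horse battery staple", code, now))
    print("replayed    :", login("dr_example", "correct horse battery staple", code, now))
    print("bad password:", login("dr_example", "wrong", totp(RFC_SECRET, now + 30), now + 30))
```

The drift window exists because a doctor's phone and the hospital's server will not agree on the time to the second; the replay check exists because a code sniffed on the wire is otherwise valid for the rest of its 30-second step.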
I can't think of a single reason that the computers containing confidential information, personal medical records, and systems necessary for the day-to-day running of the hospital weren't on a stand-alone network in the first place.
Really? I can think of several right off the top of my head. Take a look at http://www.spheris.com/ or http://www.medquist.com/. These are just two of a number of companies that are out there, but they're among the biggest in their field.
There are a lot of healthcare organizations that use outsourced services for transcription, electronic document management, coding, even records storage. The answer to your question is that they would connect them to the Internet because that's the way they can get access to their charts, documents, and other information.
To me 1) keycards for the doors, 2) intensive care units, 3) doctors' pagers are three different systems, which (at least 1) and 2)) fall into the category "critical infrastructure". Commonly such systems have to be built so that a failure of a part of the system does not lead to an interruption of the whole system. This is a commonly known criterion. Coupling all three systems to a single personal computer, which makes them shut down if it has a problem, is absolutely unacceptable. The telephone network, e.g., is built on this principle. I never, not even during a power blackout, ever had no phone connection. The locking system of the building should not require any connection to operate, but should be an independent microcontroller system, which is pretty independent, keeps the keys during a power failure and takes up operation without any measure from the outside. Why an intensive care unit is connected to the internet is completely unobvious to me; anyway, also this unit should support an operation based only on the normal phone system and should be self-sustained. Nevertheless, the main fault is the attacker's.
>a hospital ought to 'lock the doors'... Not least because if they have a system that literally controls whether people live & die,
Not to mention an explicit statutory duty. The HIPAA security rule requires all sorts of measures to protect health care systems. The rules require more than just confidentiality for patient records: the rules also require protecting the availability of computer systems. There are requirements for backups, for incident recovery plans, even for details like making sure you can get into a hosting facility after a disaster.
There's no either/or here. The criminals committed a crime, they should be treated accordingly. The hospital (may have) broken a government regulation, in which case they should be fined(*). The adware companies (may have) been involved in a criminal conspiracy, in which case they should be tossed to the courts to figure out what to do with them. Criminals are, yes, responsible for their own actions. So is everyone else.
(*) And maybe sued. HIPAA doesn't provide for private lawsuits *BUT* one court has accepted an argument that breaking the HIPAA security rules is negligence, which does allow for private lawsuits.
You can build a Linux-based router (xBSD-based or whatever).
You can buy a Cisco router (or any other brand).
You can implement VLAN's.
You can buy more switches/hubs and physically separate the networks.
There are so many different options that it isn't really worth it to list them all. Just choose one and do it. But do NOT allow your critical machines to access the Internet or any machine that has accessed the Internet.
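As an added example (not code from the thread, and not any hospital's actual design), the following models what the post above is asking for: one zone per system, an allow-list between zones, and no rule at all from the general office network or the Internet into the clinical zones. Whether the enforcement point is a Linux box, a Cisco router or VLAN ACLs on the switches, the decision it implements is this one. The zone address ranges, ports, rule table and traffic sample are all constructed for the demo.

```python
"""Zone-based segmentation policy check (added example, constructed zones and flows)."""
import ipaddress
from typing import List, Optional, Tuple

ANY = "*"
INTERNET = "internet"

# Constructed zone layout: one VLAN/subnet per system.
ZONES = {
    "icu": ipaddress.ip_network("10.10.0.0/24"),     # bedside monitors, ICU workstations
    "access": ipaddress.ip_network("10.20.0.0/24"),  # door/badge controllers
    "paging": ipaddress.ip_network("10.30.0.0/24"),  # pager gateway
    "office": ipaddress.ip_network("10.40.0.0/22"),  # staff PCs with e-mail and web
    "dmz": ipaddress.ip_network("10.50.0.0/24"),     # the only hosts that may reach outside
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


Rule = Tuple[str, str, Optional[int]]  # (src zone, dst zone, dst port; None = any port)

# Allow-list between zones; anything unmatched is dropped. There is deliberately no
# rule for office->icu, internet->anything, or icu->internet, so an infected office PC
# cannot reach the ICU and an infected ICU box has no path out to its controller.
SEGMENTED: List[Rule] = [
    ("office", "dmz", 443),
    ("dmz", INTERNET, 443),
    ("icu", "paging", 5060),     # hypothetical paging port
    ("office", "access", 8443),  # hypothetical badge-admin console
]

# A flat network is equivalent to a single rule that allows everything.
FLAT: List[Rule] = [(ANY, ANY, None)]


def allowed(policy: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """First-match allow-list with an implicit drop at the end."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != INTERNET:
        return True  # same VLAN: switched locally, never seen by the router/firewall
    for r_src, r_dst, r_port in policy:
        if r_src in (ANY, src) and r_dst in (ANY, dst) and r_port in (None, dst_port):
            return True
    return False


def evaluate(policy: List[Rule], flows):
    """Decide every (src, dst, port) flow under the given policy."""
    return [(flow, allowed(policy, *flow)) for flow in flows]


# Constructed traffic sample: what a bot does once it lands on an office PC,
# plus two legitimate flows that the segmented design must still permit.
SAMPLE_FLOWS = [
    ("10.40.1.23", "10.10.0.5", 445),    # infected office PC probes an ICU workstation
    ("10.40.1.23", "10.20.0.7", 445),    # ...and a door controller
    ("10.10.0.5", "203.0.113.7", 80),    # an ICU host tries to fetch a payload
    ("203.0.113.7", "10.10.0.5", 3389),  # inbound RDP from the Internet
    ("10.40.1.23", "10.50.0.10", 443),   # office PC to the outbound gateway (legit)
    ("10.10.0.5", "10.30.0.2", 5060),    # ICU pages a doctor (legit)
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"--- {name} network ---")
        for (s, d, p), ok in evaluate(policy, SAMPLE_FLOWS):
            print(f"{s:>15} -> {d:<15}:{p:<5} {'ALLOW' if ok else 'DROP'}")
```

Running it shows the point of the thread: on the flat network all six flows are allowed, so one infected PC can reach the door controllers and the ICU; on the segmented one the four hostile flows are dropped and only the two legitimate ones pass. Note the same-zone shortcut in `allowed`: segmentation does nothing for hosts inside one VLAN, which is why each critical system gets its own.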
FFS. If you need to ask, you need to check your moral bone.
Author, Shell Scripting : Expert Re
So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?
I blame the sick people.
I object to that article, and to the next reply.
How about this one: A hospital does not have to be a single building or even a single cluster of buildings. There may be numerous branch clinics, rehab centers, affiliated offices, etc. that make up the hospital. If a hospital grows, but real estate isn't available next to the existing facilities, they may add the buildings a block or two over. In Chicago, the Northwestern University Hospital network has clinics, rehab centers and therapy centers all over the place - think different suburbs. So, if they can't connect to the Internet, they would have to build their own private network to connect their different facilities, and that isn't economically feasible.
Oh, wait, you mentioned they could maintain separate systems - one on the Internet and one internal only - and they could transfer the data that way. Unfortunately, that isn't a feasible solution - all locations would be required to maintain their own separate copies of the records, so an Internet outage wouldn't prevent records from being obtained. This would be a logistical and administrative nightmare.
In addition, patient records also have to be accessed by insurance companies, ambulance companies and other health care providers. Without automated access this would require dozens of "CD transfers" from secure systems to another. A nurse administers medication and it needs to be sent to billing, the insurance company and added to their medical record. This needs to happen automatically, unless you feel there should be hundreds of employees burning CDs and moving them to a different machine.
Regarding the "known Internet threat", there is also a known threat with not being able to access a medical record in a timely fashion. This is a single high-profile case of the dangers of connecting to the Internet, but there are many cases of the dangers of not having timely access to medical records. These dangers are why there are medic alert bracelets.
Finally, I don't know who your insurance company is, but mine will cover me if I leave my door unlocked or if I have stuff that's out in my yard (picnic table, deck furniture, grill, etc.). In fact, where I used to live in Canada, there were cars stolen every week when people started them to warm them up and went back inside to keep warm. They were all covered by insurance, and that is unlocked, running and unattended. I think your final paragraph is just FUD designed to make it seem like it is the hospitals fault when it isn't.
The simple fact is, if hospitals don't connect to the Internet to share information, costs will go up since there will need to be a person transferring information manually, and they need to be paid. Also, there will need to be twice the number of systems maintained, which means more capital and maintenance costs. It will also mean more deaths, since some situations require medical information -NOW-, and not after someone has burned a CD and physically moved it.
This is why we invented things like encryption, firewalls and IDS systems. They might not be perfect, and can't protect against everything, but they can reduce the risk to an acceptable level. Perfect security doesn't exist.
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
>>So who's really at fault here? The students? The hospital for not securing their computers and network?
I can't believe hospital systems are linked to the internet and email. In the good old days, we weren't even permitted to have modems connected to mission-critical systems. These systems should be required, by hospital certification authorities, to be physically isolated from any email or web connections. Firewalls are a joke, for protecting sick people in the context of today's security threats. With only slight loss of convenience, staff can have separate workstations and networks to access their email and use the web.
danger, will reobinsion... danger, will robinson...
As someone who works programming healthcare equipment, here's a list off the top of my head of why we like to have our systems on a broadband connection:
1) Training - We have remote training and users can be trained via a VoIP/VNC style setup in their own rooms, with or without patients in the room with the equipment.
2) Maintenance - We can log in remotely to upgrade software, upgrade firmware, tweak settings (all this of course with the hospital's knowledge, but it saves a trip by a field technician).
3) Proactive Monitoring - Logged data is downloaded on a regular basis to monitor the current state of the equipment, so we can catch small problems before they become big problems.
4) Debugging - We can remotely download logs to troubleshoot equipment.
I'm sure if I thought harder, I could come up with a few more, but they all boil down to the following:
More equipment uptime with less cost.
And the CD/DVD argument doesn't hold water when the system is in Europe and the engineers are in the USA/India/China.
But of course, our equipment doesn't run Windows, and never will.
There's plenty of blame to go around. Just make sure that it gets shared fairly. Equally would be a good place to start.
I think we've pushed this "anyone can grow up to be president" thing too far.
> So who's really at fault here? The students? The hospital for
> not securing their computers and network? Or the adware companies for providing the incentive?
Just because it turns out Darth Vader is a whiney teenager doesn't mean he shouldn't be painfully and publicly executed, nor the creative adult mastermind who used his creative powers to envision the whole fiasco.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
To blame the Hospital is the same as
blaming the driver who lost his car for not having an alarm system
blaming the woman who got mugged for not knowing Karate
blaming the family who got robbed for not having bigger locks
To blame the adware company is the same as
blaming gun manufacturers for gun-related deaths due to their cheaper weapons and easy availability.
As much as I would like to blame them, it is still to me a question of Ethics vs Legality
The VA published the "Medical Device Isolation Architecture Guide" as a guide to securing hospital networks. http://www.himss.org/Content/files/VA_VLAN_Guide_040430.pdf
Medical equipment vendors are required to follow a rigorous certification process for any patches applied to deployed equipment. Unfortunately, with the high volume of Windows updates, many vendors have balked at certifying each and every one.
For more info, see http://www.networkworld.com/news/2004/080904patchfights.html
I wish Microsoft would release a Security Rollup update every six to nine months containing all previously released critical updates since the prior service pack. Then, vendors could perform a single certification for the Rollup update and these vulnerabilities could be prevented.
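The isolation argument made in several comments above (keep the medical systems off any network that carries email or web, while still letting the vendor in for the remote training, maintenance and log collection the equipment programmer lists) is easiest to reason about as a default-deny segmentation policy. The following is an added example written for this discussion, not code from the VA guide, the hospital or any vendor: it models a small first-match rule set in which the device VLAN may only reach the clinical servers on one interface port and may only be reached over SSH from a single jump host, evaluates some constructed sample flows against it, and audits the rule set for any allow rule that would quietly expose the device VLAN to the Internet. All addresses, ports and rule names are constructed assumptions.

```python
"""Added example: modelling a medical-device VLAN isolation policy (default deny).

Illustrative code written for this thread; the address plan, port numbers and
rule names are constructed assumptions, not taken from the VA guide or a vendor.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed address plan (assumption, not from the thread).
DEVICE_VLAN = ip_network("10.20.0.0/24")       # monitors, pumps, lab analysers
CLINICAL_SERVERS = ip_network("10.10.0.0/24")  # order-entry / records servers
STAFF_VLAN = ip_network("10.40.0.0/22")        # staff desktops with email and web
VENDOR_JUMP_HOST = ip_network("10.30.0.5/32")  # the one sanctioned way in for remote maintenance
ANY = ip_network("0.0.0.0/0")
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # empty set means any destination port
    action: str        # "allow" or "deny"


# First-match rule set modelling the isolation argument: two narrow allows, then deny all.
POLICY = [
    # Devices talk to the clinical servers on one interface port only
    # (2575 is the conventional HL7 MLLP port; here it is simply the constructed choice).
    Rule("device->clinical", DEVICE_VLAN, CLINICAL_SERVERS, "tcp", frozenset({2575}), "allow"),
    # Vendor remote maintenance: SSH, and only from the jump host.
    Rule("jump->device ssh", VENDOR_JUMP_HOST, DEVICE_VLAN, "tcp", frozenset({22}), "allow"),
    # Everything else to or from the device VLAN is dropped: no mail, no web, no staff desktops.
    Rule("device egress deny", DEVICE_VLAN, ANY, "any", frozenset(), "deny"),
    Rule("device ingress deny", ANY, DEVICE_VLAN, "any", frozenset(), "deny"),
]


def evaluate(flow: Flow, policy=POLICY) -> tuple[str, str]:
    """Return (action, matching rule name) with first-match semantics and implicit default deny."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in policy:
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return rule.action, rule.name
    return "deny", "implicit default deny"


def device_internet_exposure(policy=POLICY) -> list[str]:
    """Names of allow rules whose source overlaps the device VLAN and whose destination
    is not confined to internal address space. This is the review check that matters:
    one 'allow device -> any' rule anywhere in the list undoes the isolation."""
    exposed = []
    for rule in policy:
        if rule.action != "allow" or not rule.src.overlaps(DEVICE_VLAN):
            continue
        if not any(rule.dst.subnet_of(net) for net in INTERNAL):
            exposed.append(rule.name)
    return exposed


# Constructed sample flows: legitimate clinical and maintenance traffic, plus the kind of
# outbound and lateral traffic a compromised host generates that the policy must drop.
SAMPLE_FLOWS = [
    Flow("10.20.0.17", "10.10.0.4", "tcp", 2575),   # monitor -> records server
    Flow("10.30.0.5", "10.20.0.17", "tcp", 22),     # vendor jump host -> monitor
    Flow("10.20.0.17", "198.51.100.9", "tcp", 80),  # device -> Internet web (TEST-NET-2 address)
    Flow("10.20.0.17", "10.40.1.25", "tcp", 25),    # device -> mail server on the staff VLAN
    Flow("10.40.1.25", "10.20.0.17", "tcp", 445),   # staff desktop -> device
]


def main() -> None:
    for flow in SAMPLE_FLOWS:
        action, rule = evaluate(flow)
        print(f"{flow.src:>14} -> {flow.dst:<14} {flow.proto}/{flow.dport:<5} {action:5} ({rule})")
    print("allow rules exposing devices to the Internet:", device_internet_exposure() or "none")


if __name__ == "__main__":
    main()
```

The two deny rules are listed explicitly rather than relying on the implicit default so that the evaluation output names the rule that dropped a flow, which is what an IDS analyst reviewing the firewall logs actually wants to see. Running the file prints the verdict for each sample flow; the exposure audit reports "none" for the policy as written and would name any later-added "device to any" allow.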
Look, just because some app would be Java, ("web"-app; through a browser,) it doesn't automatically make it _depend_ on the internet.
So if they'd gone with a java-pager or whatever you meant in your post, it'd been insane to run it on the internet, anyways..
-I'm sure (at least in the reply to this post) you meant something "completely else", so; sorry..
A horse can't be sick, you know, even if he wants to.
This kind of guilt is nothing that is lessened when shared.
Instead of fractions ( 1/3 the students, 1/3 the hospital, 1/3 society), you end up with 1 "unit of guilt" for the students. Add one for the hospital if you like. (However, being a bad admin is not a crime, yet.)
Someone else's guilt is not making the students less guilty.
Let's use the (now crowded) gun shop again. The thief who just shot your neighbor's baby daughter is not "less guilty" because the gun shop wasn't as secure as we think it should be. The gun shop should be punished, possibly closed - but this is a totally different issue. The killer had a bad childhood? Sure - many law-abiding people did, too.
The stupid burns us.
Blaming the adware companies?
I suppose, next, you'll be saying that the real culprits in mugging are all the stores that accept cash? COME ON FOLKS! Providing an "incentive" for millions of behaviors, some of which are harmful, some of which are not, does not put you at fault.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Characterized by a narrow, often ostentatious concern for book learning and formal rules: a pedantic attention to details. --American Heritage Dictionary
Ignorance is curable, stupid is forever.
I thought I did get the point - my argument was that the guilt was shared, but that it didn't make them any less guilty.
:)
I think we're arguing the same point here
Mark
Liked this comment? Why not buy me something nice
Mark,
Indeed !
In fact my apologies - we seem to fight the same battle.
(How reading a message in the peace of home helps with understanding...)
Best,
Jens
so that they can comunicate the information to other systems... Duh.
30 freaking years ago the Medlab(r) system connected (via tty protocol) the SMA and the Coulter to the order entry system so that the tests were requested at the nurses' station, bar coded sticky labels printed out for the phlebotomists and running the samples through 'em updated the billing system. If we were still trying to use this same technology today the buildings would collapse under the weight of all the twisted pair. Wireless connected PDAs being used so that pointy haired suits can get their email doesn't seem to make nearly as much sense as allowing doctors to access a patient's chart from somewhere other than the foot of the patient's bed, and how many nurses (on H1B visas) would it take to keep those charts current? If the machines didn't talk to each other people would have to pass all that information. Using people to propagate information creates a band pass filter. They can only pass on what they understand and even then they will only transmit what they think is important.
Has bandwidth become a commodity that needs to be rationed in inverse proportion to the importance of the use? If the information is really important you can't use IP to pass it. I would think that the IS personnel at the hospital could block off traffic to the outside world, but I suspect that the people that make the hospital work need to be able to send and receive email and ftp files back and forth to vendors and vendors need to ssh in to perform diagnostics and maintenance and stuff like that there.
The deal is when you're out there sowing your bot seeds how do you know when you're sticking on a regular bean counter's pc or a pc that is plugged up into a network with mission critical applications?
Yeah, if NASA was in charge of treating illness and injury... well I don't think it would work very well to say the least. I'm sure there are some very smart people working for NASA but I don't think there would be very many of them I would want sewing my flesh. Heck, there probably aren't that many of them I would want driving the wagon to haul my bleeding butt to the hospital. Let the rocket scientists stick to their remote controlled toys and find me people with strong and gentle hands to set my broken bones.
I remember the uproar over Hillary wanting to get the government involved in a large scale social service funded by the tax payer. When you start talking about how NASA would run this I conjure up images of a sci-fi book I read when I was a kid. The author posed a high tech variation on Hitler's final solution - take all the miserable people and launch them away in rockets thereby ending all misery at least for those not launched.
Long time ago, so I have nothing current to offer. They did outsource IT to Siemens, which hired the current staff. (What's the benefit? Let someone ELSE be the bad guy for cutting salary? How else would they profit on the deal and save the hospital money? Dunno...I don't know for sure if salaries or staff were cut)
As an IDS guy, I will say it's pretty significant that they caught him. Maybe the firewall should have had a more robust ruleset, but they had the foo to track the bozo down. Or at least to collect enough info to persuade the FBI to do so.
When I was there, we moved from 100+ workstations on a single collision domain (hubs daisy-chained) to a switched net, from serial line terminals to client-server stuff over IP.