Hackers Corrupt Data For Cloud-Based Medical Marijuana System (bostonglobe.com)
Long-time Slashdot reader t0qer writes:
I'm the IT director at a medical marijuana dispensary. Last week the point of sales system we were using was hacked... What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1,000 more customers like me, even half of that is still 15 million people on a list of people that "Smoke pot"...
"No patient, consumer, or client data was ever extracted or viewed," the company's data directory has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.
"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."
"I was gonna keep our clients' data secure . . . but then I got high . . ." -- Afroman, https://www.youtube.com/watch?...
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
then
If the first was true, the second wasn't necessary.
I assume HIPAA rules apply since this is medical usage. Were they adhered to?
You have a very classical 'marijuana needle' view of marijuana users. Most users I know, myself included, actually get a sort of zen state of mind and do a lot of work. Cleaning, dishes, cooking, programming, these are all things I and others do much more of in a significantly more focused way.
The art of chemical mental alteration is a very large domain. College students use various drugs to enhance mental activity. The sales and marketing world several years ago had a significant problem with quaaludes.
Perhaps less humorous judgmental off the cuff remarks, and a more informed opinion would help you understand.
Stoners do scramble, they scramble and work and work and work like everyone else. There are no prototypical stoners who just sit around and smoke pot because it is no longer a survivable thing to do, you'll lose your home and starve and we are all far too scared to allow that to happen.
Being stoned isn't a Scooby-Doo moment for everyone, for some people it's a much more zen focused time to accomplish tasks. Scrambling fits directly into their psychological profile along with professionalism in the quality of the work they do, you can only actually find such quality among the obsessives.
A gigantic target for hackers with every client's info in one place.
Great job.
You can only perjure yourself in a court of law, under oath.
You can be charged with lying to a federal officer. Not perjury, but still a problem if it happens to you.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
HIPAA rules do not describe how to secure your data. It only tells you that you need to secure your data and the procedures to follow when you're not compliant. It doesn't prescribe a particular encryption or what needs to be encrypted.
Case in point, most hospitals do not use encryption when exchanging private health information (because systems from idiots like EPIC are simply incapable of it). HIPAA just says you have to document it and mitigate. In most cases, the mitigation is "our internal network is secure, external sites use VPN" and then it doesn't matter the external VPN vendor only supports DES (yes, still single DES in 2016/2017), it's documented as being "encrypted", any hacking would be the result of 'evil hackers' which they can't do anything against and then it becomes the FBI's responsibility to catch the criminals, the hospitals have done their due diligence and don't need to report breaches because they have gone according to HIPAA standards.
Custom electronics and digital signage for your business: www.evcircuits.com
The federal perjury statute says a person is guilty of perjury if they lie in either of these two types of instances:
A) They've taken an oath in front of *any* court or competent *person* in any circumstance in which federal law allows an oath.
Or
B) Any written statement declaring "under penalty of perjury", including a DMCA notice and certain customs forms.
Here's the actual text of the statute:
Whoever— ...
(1) having taken an oath before a competent tribunal, officer, or person, in any case in which a law of the United States authorizes an oath to be administered, that he will testify, declare, depose, or certify truly, or that any written testimony, declaration, deposition, or certificate by him subscribed, is true, willfully and contrary to such oath states or subscribes any material matter which he does not believe to be true; or
(2) in any declaration, certificate, verification, or statement under penalty of perjury
* In a DMCA notice, the complainant swears under penalty of perjury that they are the copyright holder or the copyright holder's representative. They do NOT swear under penalty of perjury that a jury won't later determine that it's fair use or any other issue of law.
> medical
> cloud-based
OK.
pr0n - keeping monitor glass spotless since 1981.
Huh?!?!? Are you saying the stuff she lied about was immaterial to the investigation? She was being investigated for sending classified information via a non-secure email system. She said "I did not send material marked classified over non-secure email". How the hell is that immaterial to the subject of the investigation?
PS, as is often the case with the Clintons, her words were *very* carefully chosen to say one thing to anyone listening, while technically saying something completely different, in her mind. She said "I never sent material *marked* classified." She [unlawfully] removed the markings, in most cases (but not always, so it was a lie both ways).
Their marijuana data will vanish in a puff of smoke?
Check out my sci-fi/humor trilogy at PatriotsBooks.
Now, if the charges were lying and deception it'd be a different story . . . but then again, compared to the PEOTUS she's friggin' Mother Teresa. I hope you enjoyed the 1950's, 'cause that's where we're heading now. A shame our PEOTUS has no decency, sir.
The Director of the FBI, who is appointed by the President, said two things of import in his announcement:
A) Mrs. Clinton was "extremely careless" with classified information. (Being negligent with classified information is a federal crime).
B) He would not recommend prosecution. (Of the person who was about to become his boss, in all likelihood.)
So basically the FBI announced she was guilty, but they weren't going on record as recommending that the (expected) new boss be prosecuted.
Prosecutions for *perjury* are rare, for practical reasons. Less than 1% of people who clearly commit perjury are prosecuted for it.
Hypocrisy- I don't think that word means what you think it means. Well that or there is a lot more to this story than what is printed on this page.
Even if we buy into the suggestion that the GP is a "lock her up" fan (there is evidence in word or text of law of wrong doing, Comey inserted a mens rea test into the application of a law which the law in question specifically avoids in order to say no charges are warranted because Hillary didn't mean to break the law. The only people not questioning that are Hillary supporters and never trump'rs), I still don't see the hypocrisy here- or even a connection to the new AG or some Alt Right team member- whatever that is supposed to mean anyways.
Or, you know, it's just hard to secure things.
I'm not saying they couldn't do a better job, but there are a lot of competing requirements. For example, for medical information, how far do you lock it down? If there is someone crashing in a hospital, you have to be able to pull up their information - or they might die. For credit cards, not only are there a ton of retailers that have to access them, but they also have to handle companies with shared cards, different state and federal regulators, and a ton of different banks that have to be able to create, issue, and revoke $CREDIT_CARD_BRAND.
Oh, and let's not forget that there is a LOT of money available for that kind of information, so disgruntled employees are also a danger. Or even happy employees, that just want $METRIC_FRACK_TONS of money.
So, sure - they could probably do better; but it is not a simple problem.
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
Fuck you. No one deserves to have a piece of shit corrupt their data "because I can."
People that do shit like that on purpose deserve a bullet to the back of the head.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
"In 99.9999% of cases it has nothing to do with medicine or treating any illness."
Oh come on! That's an exaggeration and you know it. It's "medical marijuana" because it requires a prescription.
The f***ing FDA doesn't give a damn about The People. It is owned by the big pharmaceutical corporations! A majority of Congress is likewise owned based on their recent bi-partisan vote to keep the ban on importing drugs from Canada. Note that these same corporations are funding anti-decriminalization efforts all over the country. They obviously think "medical marijuana" is effective in treating some conditions. Even if they have a treatment of their own, it's likely that medical marijuana would be able to undercut their ridiculous prices.
That aside, there are definitely cases where medical pot has proven effective where conventional medicine has failed:
https://www.scientificamerican...
Note that if you saw someone with epilepsy walk into a medical marijuana clinic, they would most likely look like a normal, healthy person.
Epilepsy can be notoriously difficult to treat. Prescription medication is a crap shoot. The neurologists throw drug after drug at the patient *hoping* that something will work. The drugs can have serious side effects however, so the treatment can be almost as bad as the disease. People with "generalized seizures" (which affect the entire brain) are not candidates for surgery either because you can't point to any particular spot for an operation.
Epilepsy sucks! If "medical marijuana" can restore the quality of life for people with severe seizures, I don't care how many people use the loophole to get their jollies.