Yes, for very good reason network medical device vendors are specific as to what client software modifications can be made. This includes client-side security measures such as service packs, security patches, and antivirus. This is primarily due to FDA regulations which require full software qualification, validation, testing, and documentation. The full scope and diligent execution of an FDA-compliant quality safety process takes time and costs money. This is not like IT operations patching a web server; a patient on the table in a procedure requires all device imaging and monitoring systems to work flawlessly, exactly as designed. Any issues that arise will require an FDA adverse event report from the manufacturer and if the device has been modified from its FDA approved baseline then responsibility may fall on the hospital; then watch as the lawyers pull out all the stops, especially if patient treatment was affected.
I work directly in this field. Once hospital IT gets its head around these facts, it's time to think outside of using traditional client-side security mitigation techniques. It's routine for me to find hospital IT networks with no mitigating network security controls, no VLAN segmentation, no ACL entries, no routing chokepoints, firewall rulesets with ANY/ANY permitted, and the inevitable infected medical devices. It's a shame for patient safety.
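The segmentation gaps listed in the comment above (ANY/ANY permits, no chokepoint into the device VLAN) are the kind of thing that can be checked mechanically. The following is an added example, not the commenter's code or any vendor's tool: a small first-match ruleset evaluator and an audit that flags any permit reaching the device VLAN outside an explicit chokepoint policy. The ruleset, the 10.50.0.0/24 modality VLAN, the 10.20.0.0/16 imaging-server range and the chokepoint policy are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample ruleset, first match wins. Addresses and the modality VLAN
# (10.50.0.0/24) are invented for this example, not taken from any real hospital.
# Fields: action, source, destination, protocol, destination port.
SAMPLE_RULES = [
    ("permit", "10.20.0.0/16",  "10.50.0.0/24", "tcp", "104"),   # imaging servers -> modalities, DICOM
    ("permit", "10.20.0.10/32", "10.50.0.0/24", "tcp", "2762"),  # one PACS host -> modalities, DICOM over TLS
    ("permit", "any",           "any",          "any", "any"),   # the ANY/ANY catch-all
    ("deny",   "any",           "any",          "any", "any"),
]

# The intended chokepoint: the only (source, proto, port) triples allowed into the device VLAN.
# Assumed policy for the example, not a recommendation for any specific device.
CHOKEPOINT_POLICY = {
    ("10.20.0.0/16", "tcp", "104"),
    ("10.20.0.10/32", "tcp", "2762"),
}
DEVICE_VLAN = "10.50.0.0/24"


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str
    proto: str
    dport: str

    @classmethod
    def parse(cls, fields):
        action, src, dst, proto, dport = (f.strip().lower() for f in fields)
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        return cls(action, src, dst, proto, dport)


def _net_matches(pattern, ip):
    return pattern == "any" or ip_address(ip) in ip_network(pattern, strict=False)


def _port_matches(pattern, port):
    if pattern == "any":
        return True
    lo, _, hi = pattern.partition("-")          # "80" or "8000-8080"
    return int(lo) <= port <= int(hi or lo)


def first_match(rules, src_ip, dst_ip, proto, dport):
    """First rule matching the flow, or None (implicit deny) if nothing matches."""
    for r in rules:
        if (_net_matches(r.src, src_ip) and _net_matches(r.dst, dst_ip)
                and r.proto in ("any", proto) and _port_matches(r.dport, dport)):
            return r
    return None


def is_any_any_permit(r):
    return r.action == "permit" and r.src == r.dst == r.proto == r.dport == "any"


def audit(rules, device_net, policy):
    """Return (index, finding) pairs for permits that reach device_net outside the chokepoint policy."""
    findings = []
    dev = ip_network(device_net)
    for i, r in enumerate(rules):
        if is_any_any_permit(r):
            findings.append((i, "ANY/ANY permit: no segmentation at all"))
            continue
        if r.action != "permit":
            continue
        reaches_devices = r.dst == "any" or ip_network(r.dst, strict=False).overlaps(dev)
        if reaches_devices and (r.src, r.proto, r.dport) not in policy:
            findings.append((i, f"permit into {device_net} outside chokepoint policy: "
                                f"{r.src} {r.proto}/{r.dport}"))
    return findings


def audit_sample():
    rules = [Rule.parse(f) for f in SAMPLE_RULES]
    return audit(rules, DEVICE_VLAN, CHOKEPOINT_POLICY)


if __name__ == "__main__":
    rules = [Rule.parse(f) for f in SAMPLE_RULES]
    for idx, msg in audit(rules, DEVICE_VLAN, CHOKEPOINT_POLICY):
        print(f"rule {idx}: {msg}")
    # Can an arbitrary workstation reach SMB on a modality? With the catch-all in place, yes.
    hit = first_match(rules, "10.99.1.5", "10.50.0.7", "tcp", 445)
    print("workstation -> modality tcp/445:", hit.action if hit else "implicit deny")
```

Dropping the ANY/ANY rule leaves the two DICOM permits and the final deny, so a workstation-to-modality SMB flow falls through to the deny while the imaging servers keep their chokepoint; that is the compensating control the comment is arguing for when the device itself cannot be patched.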
I just went through a similar experience. I bought a new car with a nice sound system, activated the satellite radio trial and was utterly repulsed by the poor fidelity. Similar to this story, however, when I mentioned this to other people that have satellite radio in their vehicles they responded with confusion, not comprehending what I was complaining about.
I've worked in infosec for nearly a decade and it certainly takes a toll. The most stressful situations, by far, are internal investigations and legal proceedings. Unfortunately, I believe the inevitability of these situations is just a byproduct of human nature -- the fact that computers were used is many times incidental. I've seen eye-opening security situations over the years, even some from individuals that I never would have guessed possible. Despite the incredible stress these situations can present, having the support of senior management, legal counsel, family, friends, and good beer has helped tremendously in my long-term attitude.
You mentioned you're a consultant. Have you considered taking a role to stay with an organization on a more permanent basis? It has been very rewarding for me to look back through my strategic accomplishments over the years. Despite the ever-increasing, disproportionate workload in security I can clearly show progress and in the end that helps give me perspective.
Only in limited cases will "5. Virtual servers will become an ideal conduit for iSCSI." Virtual host servers with a reasonable consolidation ratio of production, enterprise servers may stress 1Gb/s iSCSI. A SAN with both fibre channel and iSCSI capability is great to leverage iSCSI for *non-virtual* and/or test/dev servers to connect cost-effectively, but in my TCO calculations 4Gb/s fibre channel is a better choice for production virtual host servers. Once 10Gb/s iSCSI becomes less expensive and available in a mid-tier SAN it may begin to drive iSCSI for production virtual servers, but so will faster fibre channel. The trade rag rhetoric on iSCSI lately has overreached.
This article writer for BusinessWeek doesn't seem to grasp the business role of a Chief Security Officer. The author's suggestion for a CSO doesn't come close to the job duties defined in most businesses. It would be a large waste of resources to have a CSO primarily act to "wave the flag for all things related to Mac security, debunking myths, correcting the record, and providing a public face when issues crop up."
The single Apple source the author quoted doesn't seem to grasp the role either. He "said the company would be reticent to assign security issues to any single individual, and that the responsibility of a CSO instead tends to rest with everyone." By that logic, what's the point of a CEO, COO, CFO, or any other chief-level position in the company?
IMHO, the role of a CSO is critical in big business, especially a technology company such as Apple. However, this BusinessWeek writer and the quoted Apple VP of Software Technology apparently don't understand why. I sure hope somebody in Apple's senior management and/or in the Board of Directors does. Honestly, I'm quite surprised Apple doesn't already have a CSO, but certainly they must already have security management positions and one or more security divisions.
I'm not certain about your situation, but as for me, I think my local property taxes are about the most fair and well-used taxes I pay. What I pay each year in property taxes is much more meaningful to me, my family, and my community compared to what I pay per WEEK in federal taxes.
My current property tax is ~1% (was ~2% before a primary residence credit) of the value of my land and home. Of that tax >50% pays for the local school system, ~20% for firefighting and police protection, and the remainder goes to the local library, roads, parks, and government offices. Honestly, I'd be willing to pay more if it was used for an even better library, well maintained roads/sidewalks, parks, more teachers, firefighters, and policemen/women. I've known many teachers, firefighters, park rangers, and members of the police force... I have no doubt that they all deserve more money/equipment for the outstanding work they perform for my community.
Not long ago, the local library proposed an expansion project and was voted down because property-owners were in uproar about the 34-cent property tax increase/year. Apparently the public held similar principles as you... it seems a pittance to me. Hell, in comparison, I'd pay an extra $5/year (or more) if it meant the firefighters/police could get to my property faster with better equipment to save my family's or my neighbors' lives in an emergency!
IMHO, property taxes are not the first place to start when trying to reduce the public's tax burden. Look anywhere else.
Actually, medical imaging displays are at least 4 megapixels. The cost is high, but doctors demand LCD displays >= 5 megapixels for CT, MRI, and x-ray diagnostic work. Lots of times they are grayscale since that's all they need, but for an artistic, high-megapixel picture display that would look very nice.
I am a security professional and also have an O'Reilly Safari account. I agree completely with you, lylonius. O'Reilly has few good security titles at all. The SSH, OpenSSL, and Kerberos books are the only ones I have kept on my Safari bookshelf for long.
Looking at my bookshelf in the office, the publishers of security titles I actually purchase from so as to have the hardcopy available for reading/reference/travel are New Riders, Syngress, and Auerbach. O'Reilly isn't represented.
With each disclosure:
- V(found) approaches V(all).
- the time (t) in the vulnerability lifecycle between disclosure and fix release becomes a concrete value = t(fix).
- the cost C(pub) can become a quantifiable value.
As a security professional I am more accurately able to evaluate/assess and manage risk for each V(found), t(fix), and C(pub) given above. Furthermore, for every initial public lack of disclosure (or BHD) and large t(fix) value on critical/costly systems or information, I am able to make more meaningful vendor/product recommendations.
While the paper is well written, contains valid analysis, and provides insight into the disclosure issue, I find section 3.3 to be lacking. The author's conclusions and the security industry itself would be strengthened by further work in modeling the range of cost issues due to disclosure for various commercial industries, educational institutions, and government establishments.
In my professional experience, the sum of knowledge I gain from disclosure details provides defensive strength.
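The comment above reasons in terms of V(found), t(fix) and C(pub) but stops at prose. As an added example, not part of the original comment or of the paper it discusses, here is that reasoning carried through in code: t(fix) becomes the measured days between disclosure and fix release (or the exposure accrued so far if no fix exists), C(pub) is modelled as an assumed per-day defender cost times that window, and vendors are ranked on the result. The vendors, vulnerability ids, dates, per-day costs and the 30-day SLA are all constructed for the example; V(all) is never observable, so only V(found) is counted.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Disclosure:
    vendor: str
    vuln_id: str
    disclosed: date           # public disclosure date
    fixed: Optional[date]     # fix release date, None if no fix has shipped
    c_pub_per_day: float      # assumed defender cost per exposed day, arbitrary units


# Constructed records; vendors, ids, dates and costs are invented for this example.
TODAY = date(2024, 5, 1)
SAMPLE = [
    Disclosure("VendorA", "A-1", date(2024, 1, 10), date(2024, 1, 17), 100.0),
    Disclosure("VendorA", "A-2", date(2024, 2, 1),  date(2024, 3, 2),   50.0),
    Disclosure("VendorB", "B-1", date(2024, 1, 5),  date(2024, 4, 4),  100.0),
    Disclosure("VendorB", "B-2", date(2024, 3, 15), None,               20.0),
]


def t_fix(d, today=TODAY):
    """t(fix) in days; for an unfixed vuln it is the exposure accrued so far."""
    return ((d.fixed or today) - d.disclosed).days


def c_pub(d, today=TODAY):
    """C(pub): modelled cost of the public-but-unfixed window (assumed linear in days)."""
    return d.c_pub_per_day * t_fix(d, today)


def vendor_metrics(disclosures, today=TODAY, sla_days=30):
    """Per-vendor view of V(found), unfixed count, t(fix) distribution and total C(pub)."""
    groups = {}
    for d in disclosures:
        groups.setdefault(d.vendor, []).append(d)
    out = {}
    for vendor, ds in groups.items():
        tfs = [t_fix(d, today) for d in ds]
        out[vendor] = {
            "v_found": len(ds),
            "unfixed": sum(d.fixed is None for d in ds),
            "median_t_fix": median(tfs),
            "within_sla": sum(t <= sla_days for t in tfs) / len(ds),
            "c_pub_total": sum(c_pub(d, today) for d in ds),
        }
    return out


def rank_vendors(metrics):
    """Best vendor first: fewest unfixed, then shortest median t(fix), then lowest C(pub)."""
    return sorted(metrics, key=lambda v: (metrics[v]["unfixed"],
                                          metrics[v]["median_t_fix"],
                                          metrics[v]["c_pub_total"]))


if __name__ == "__main__":
    m = vendor_metrics(SAMPLE)
    for v in rank_vendors(m):
        print(v, m[v])
```

The ranking key is deliberately ordered: an unfixed public vulnerability is the large t(fix) case the comment calls out, so it dominates; median t(fix) and total C(pub) only break ties. On the sample data VendorA fixes both issues within 30 days and VendorB has one still open, so VendorA ranks first even though its V(found) is the same.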
Lumpy, I doubt you actually "legally own" much software at all. More than likely you license the software you think you own and using the cracks/keygens that you believe you have a "RIGHT" to use is not only a violation of the license you agreed to upon installation, but possibly even of reverse-engineering statutes (e.g. DMCA).
In response to your rant directed towards developers... don't buy the software if you don't like their methods. Find something else, there's plenty of good software out there that doesn't require cracks/keygens/whatever for enjoyment.
IMHO, it's precisely such an "ownership" and "RIGHTS" delusion that inhibits a more widespread, rapid migration to OSS/FS solutions. If companies and hobbyists were less ignorant to the restrictions they blindly agree to while clicking "yes" to EULAs during installation, they may begin to find themselves attracted to OSS/FS so as to actually retain precisely the "RIGHTS" they think they are entitled to.
I disagree. I do not believe commercial software security certifications are a threat to OSS as you suggest.
A valuable result of the certification process is assurance. The software security certification process is capable of providing a reasonable, varying degree of assurance to a software platform snapshot. The OSS community is capable of creating and performing security evaluations of OSS targets. It's a matter of motivation I suppose.
Rationalize it however you want, but the bottom line is that we do good things because it makes us feel good about ourselves...therefore it is a selfish action with good results.
I disagree with your conclusion. I do good because I believe it will have good results. Many times it does not make me feel good (even indirectly). I value the life of others greatly. If I perceive immense suffering of another individual I am willing to put myself into a fatal situation to reduce that suffering. This is compassion.
Let me return to your previous usage of Mother Teresa as an example. Her actions were positive and virtuous. They were a prime example of compassion. A compassionate action is not a volition for personal gains ("feeling good"). Compassionate actions are made in order to decrease the suffering of others. A compassionate action may bring suffering to the doer.
shyster, I do not know you, but I find it extremely hard to believe that you only do good things because it makes you feel good about yourself. If this is true, I believe that you have a great need for self-confirmation and emotional reinforcement. That is egotism. Have you been in a situation where you acted because you felt compelled to act with no regard for yourself? Have you ever acted compassionately? I still do not understand why you feel your actions are primarily selfish, let alone why you believe that humans are only capable of doing good selfishly.
Exactly. EVERY action is a purely selfish action. No matter what you do, you do it for yourself. Mother Teresa devotes her life to the sick and the poor...but why does she do it? Because it makes her feel good. Not to say that there are no good actions, simply clarifying that they are selfish actions with good consequences....
I disagree with your view, shyster. I have volition to act for others with no regard for myself. In my experience this holds true specifically when I perceive others are undergoing great suffering.
I'll leave your Mother Teresa example aside, but I'll choose a more modern one: civic workers who boldly rushed into the WTC in an attempt to save the lives of others weren't necessarily doing so because it made them "feel good". I encourage you to befriend more nurses & fire fighters (to name only two professions) and ask their opinion on your view. I would also encourage you to educate yourself concerning Mother Teresa's actions and reconsider your statement.
Perhaps every action of yours is purely selfish, but I believe you are grossly mistaken to place that view on the volition of others.
=jombee
Religious theory, scientific theory, & Buddhism (on Constants Not Constant?)
AC, to answer your inquiry:
Buddhists accept perception and inference as the most important & reliable means of knowledge.
Contrary to this, creationists typically accept verbal testimony and/or scriptural authority as the most important & reliable means of knowledge.
Thus, Buddhists will not inherently have difficulty with scientific theory/inquiry whereas a creationist would.
Note that Buddhists typically are not concerned with the focus & direction which science typically pursues as it has little to do with the nature of suffering.
=jombee