Slashdot Mirror


User: rdunnell

rdunnell's activity in the archive.

Stories: 0
Comments: 111

Comments · 111

  1. What about capital expense? on Ask Slashdot: What's Your Company's Marketing-to-Engineering Ratio? · · Score: 2

    You're looking at one aspect of the budget. Non-labor expense is usually stuff like paying consulting firms, "cloud services," buying advertisements, paying for training, etc. Capital expense is where you typically book things like servers, enterprise software, storage, etc. So this could be a company who spends a ton of money on marketing crap, or it could just be a company that spends more on external advertising buys and focus studies than it does on sending IT guys to training and outsourcing business apps. Without looking at the total picture it's hard to say what they really invest in.

  2. Check their contracts etc. on Ask Slashdot: Dealing With Unwanted But Official Security Probes? · · Score: 1

    You say that you are "connected to" the network but you don't say what this relationship actually is. If you are hosted by the hospital (i.e. actually part of their network), then they may have an information security department who is checking all the hosts that are on their network. This may or may not be part of the contract, either as a service provided or something that is required by the contract or hosting arrangement.

    If you are not actually part of their network or hosted by them, there may still be something in the contracts that says that they can do this sort of penetration testing with partner companies. It isn't the best idea to accept this as a contract term, but I have seen it requested before and it may have been in there with nobody to notice it.

    I would say that whoever handles the arrangement with the hospital should probably talk with their counterpart on the hospital's side about this and learn more about why it is happening and what is done with the information.

    With respect to the various posts that have/will happen about HIPAA, I would say that it's totally possible (and desirable) to have a proactive information security policy that can still comply with regulations. Proactive penetration testing is not prohibited.

  3. Re:That's what you get on ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes · · Score: 3, Informative

    That's not exactly the point. Sure, if a switch is sparking, then it is broken. The point of this gear is that it has been built such that if it breaks, it won't be able to emit dangerous sparks that might do something like cause an explosion in the presence of a buildup of gas or whatever. It still has to be replaced, just like the non-hardened switch, but it is less risky to deploy in an environment where such hazards might be present.

  4. Re:Don't Build.... Buy a Drobo on Ask Slashdot: DIY NAS For a Variety of Legacy Drives? · · Score: 1

    4 x 1TB drives, for a RAID 0 stripe.

    How do you handle backing up the 4TB of data?

    You have the same backup problem with a mishmash of drives that you cobble together on your own...

  5. Technology isn't the problem. on Ask Slashdot: Could We Reconnect Eastern Libya? · · Score: 1

    You don't even need junked-together tin can wi-fi. Assuming there is something in the air to talk to, you could probably just set up a satellite uplink/downlink and not need to worry about distance or anything. The technology for this is readily available and has been deployed all around the world.

    The problem is that the government would probably not like this and is also probably very likely to find it and "deal with it" in the same way that they deal with any other communications channel they don't approve of.

  6. But that makes sense anyway. on Hospital Wireless Networks May Be Regulated Medical Devices · · Score: 3, Insightful

    And that's part of the point. Why would you want your radiology machines on any sort of main network, regardless of whether they can or can't be updated? There's no reason for them to be widely available and the technology to firewall it off is not expensive when compared to the cost of, say, a collection of medical imaging systems that will sit behind it.

  7. Re:Allow me to translate. on Cox Discontinues Usenet, Starting In June · · Score: 5, Insightful

    I don't see how this translates to a conflict with net neutrality.

    They aren't saying you can't use Usenet, that they are going to block it somehow or that you have to use their Usenet servers at a premium price. They're just saying they aren't going to host it and offer it as part of their service package.

    Regardless of whether this is a nice thing to do or not, it doesn't have anything to do with net neutrality.

  8. Fifty fold savings in servers? Awful writing. on NZ School Goes Open Source Amid Microsoft Mandate · · Score: 2, Interesting

    So the article basically says that they have a machine room with four somewhat standard racks. That's pretty small. Figure that at some point you'll need some network gear which will likely take up at least one of the racks (switches, patch panels to other areas of the building, routers/firewalls), hopefully some UPS gear, a few servers... four 48U racks don't go very far. And it only makes sense nowadays to have a couple larger servers hosting a bunch of virtual machines for mundane things. They would be wise to do that no matter what OS they run, and that more than anything is why you can cut down on the number of physical machines that are installed.

  9. The Yahoo list isn't much of anything. on "Lawful Spying" Price Lists Leaked · · Score: 2, Informative

    If you read it, you'll see that it's basically an explanation of what information they do and do not have, how their various properties work and what information they store, and how much it will cost an agency to have certain information requests addressed. It doesn't represent some sort of sinister pipeline of information directly from their users' keyboards to the "evil government." If anything it's useful to everyone because it shows exactly what they do and don't save, and it might act as a deterrent for the casual or clueless investigator who watches too much CSI and thinks sending a request off will instantly pinpoint the bad guy by backtracking his DNS through the GPS IP address of his netbook's MAC module or whatever.

  10. Re:"Forward Looking Comment" on High-Temp Superconductors To Connect Power Grids · · Score: 1

    That sort of disclosure is on almost every statement that is issued by companies that are regulated by the SEC or some other regulatory body. Go look at any company's annual report, quarterly SEC filings, etc. Even press releases might have that sort of language on it. You basically have to try to spell out everything that could possibly go wrong so that stupid investors who don't understand that every business carries potential risks don't sue you later.

  11. I have seen placement firms help with resumes... on When Do You Fire a Headhunter? · · Score: 1

    ...but I personally would not think it was acceptable for them to edit a resume without collaborating with the candidate. If they want to suggest changes and work with them, that's one thing, but changes without the candidate's knowledge are a totally different matter.

    Also, from the interviewer's point, they probably don't have the time or interest to weed through "why" it's wrong. And yeah, they may check in the future, and if stuff does not line up you might be held accountable for it. So even from an interviewer's point of view, it creates a potential problem. I would find another recruiting firm if you think it is beneficial to use one (I don't, necessarily, but it depends on your career and the types of companies you are looking for).

    P.S. To question 3 - the recruiter is not your friend.

  12. Look at some of the big companies out there, too. on What Is the Oldest Code Written Still Running? · · Score: 1

    A lot of the big banks, insurance companies, payments processors, etc. have had mainframes for a long time and a lot of that code really doesn't need too much modernization. The early programmers were a lot more rigorous than the new crowd and some of the candidates for "oldest code still used" could possibly be some mundane thing that compounds interest or something like that. They've surely upgraded to newer hardware but a lot of the old code doesn't necessarily need updating to run on that hardware.

  13. Network equipment is loud too. on How Would You Design Your Dream Office? · · Score: 1

    Unless it's bottom of the barrel junk, it will probably have fans. If there are four racks of it, that's what, 168 units of potential space? If it's large stuff like Cisco 6500 chassis, it will have big fans on the chassis and power supply. If it's smaller stuff like 1U Cisco switches or routers, it will probably have those little tiny high RPM fans that make a ton of noise on the back of each one. Firewalls, load balancers, and the like probably also fall under "networking gear" and more and more, those are some form of modified Intel platform. So, probably more fans there too. Something was mentioned somewhere about telecom gear and hey, if it's the PBX's central hardware, there's more fans.

  14. He's a plumber from Brooklyn! on Mario Might Save Christmas? · · Score: 1

    Granted, the Brooklynites have some alien tastes, but they're still generally human.

  15. Not so hard to switch to cell phone from PBX... on Landline Holders Increasingly Older, More Affluent · · Score: 1

    Well, actually this isn't that hard. I know Avaya has a feature called EC500 and I would assume other PBX systems have similar. It basically lets you forward all calls from a given station to a cell phone or whatever other number you want. The phone number that appears on your device is the number that is calling your "desk phone" (extension, station, whatever) and being forwarded to you, so you still see your boss's number. Or there's always VOIP clients too, which to the receptionist would still appear as a normal station on the PBX. She'd have no real idea what was on the other end. It would really not be much hassle at all. This is the beauty of modern phone switches which can support a lot of different types of distributed endpoints while still appearing as one centralized system when need be.

    And to be a bit more precise, you don't necessarily need a landline for internet either. I would suspect you have more companies doing similar to my friend's mortgage company, where they all just have a 3G cellular card. Granted it's a very small company. Large companies have economies of scale to lower costs for infrastructure and more people to control which requires more standardization. Little companies could probably give everyone a Blackjack or Treo with an unlimited data plan and not worry too much about land lines at all other than reliable faxing.

  16. Respective populations on School Admins Demand Access to Students' Cellphones · · Score: 1

    If your argument is that the population being six times higher in MA means that more people in MA will get hurt with fireworks (which is probably true, although maybe not six times more people)... wouldn't they go to the larger number of hospitals that also probably exist to service such a larger population?

    I mean, it's not like there's only one hospital in each state. Certainly a higher population could result in busier hospitals, but it also results in more hospitals. It's sort of a flimsy reason to ban something. Around where I live you can't throw a rock without hitting a hospital. They're everywhere. But they weren't there ten years ago because no one lived here. Now it's busy and hospitals are popping up all over.

    If they wanted to ban fireworks because it's a pain in the rear to clean bottle rocket sticks off of your lawn and roof, well, now that's something that's a bit more useful to me. Can't stand all the debris for the week before and after the 4th, geesh.

  17. Master clear/master reset on School Admins Demand Access to Students' Cellphones · · Score: 1

    Most cell phones have a master clear/master reset function already. It requires some significant user intervention (navigate a few menus and then input a PIN code) but it is there. It doesn't do anything for tampering, but then I would imagine just locking the phone would be a significant defense against the average school administrator.

  18. Or, try a way to prevent it leaking out as well. on Checking Web Content for Sensitive Data? · · Score: 2, Interesting

    If you can do a regex of what you are looking for, you might be able to put some infrastructure in front of your web apps that controls what goes out.

    Some commercial vendors, e.g. Citrix (Teros), Imperva, etc., offer stuff like this in an appliance, and there has to be some sort of thing you could do with Apache and OSS stuff as well depending on your needs. It might not catch everything but hey, your code base is always changing and a one-time audit might not find a problem that shows up six months after the audit is done. Some sort of preventative measure working hand-in-hand with regular audits is probably your best bet in the long run.

  19. Re:Back in Time on Choosing Parallels Over BootCamp for OS X · · Score: 1

    While it's running, if it's not in fullscreen mode it actually looks a lot like the MS Virtual PC interface. I suppose that's probably intentional, although that interface was not exactly "pretty."

  20. Jalapeno poppers on The Molecular Secrets of Cream Cheese · · Score: 2, Funny

    Did the research include an investigation as to why jalapeno poppers are more addictive than many street drugs?

    I think that's one of the most important issues regarding cream cheese, at least as far as /. is concerned.

  21. Utilities for ctrl-click on Windows on Apple Unveils New Macbook · · Score: 1

    There are utilities out there (can't remember the name) that let you control-click for right click just like OS X on Windows. Pretty easy to find and it's been around a long time, longer than people trying to run Windows on Macs. Works pretty well, I just can't remember the name.

    I would assume something could probably be worked for Linux too.

  22. I didn't say they were all good on Tanenbaum-Torvalds Microkernel Debate Continues · · Score: 1

    Although the one on networks was not too bad, I'm not quite sure that the professors at my school used it properly. The class ended up being a lot more practice than theory, so everyone knew how things worked but not necessarily why they got that way. I think that teaching the "why" is just as important as the "how" so that people are properly enlightened about how to fix problems effectively, not just "whoops apply a patch and reboot." It seems to me that the book had a lot of that (which looked like wandering) but the profs didn't know how to use it.

    The main annoyance I had was that, like many technical references, the books went out of date way too fast so I couldn't resell it. So I still have whatever edition sitting on my shelf, just because it was $70, damnit. Anyone need an explanation of SONET?

  23. Go check the article out. on Tanenbaum-Torvalds Microkernel Debate Continues · · Score: 4, Informative

    He developed Minix along with tons of other research work in distributed systems, networks, and other computer science topics.

    If you have a computer science degree you have probably used at least one if not more of his textbooks. He's one of the more prominent computer science researchers of the last couple decades.

  24. Keep in mind the implementation and your goals! on Open-Source or FIPS-Validated Disk Encryption? · · Score: 1

    First, as many have said, there is a lot to FIPS and just because something meets a FIPS evaluation doesn't mean that it is implemented securely. However, the same could be said for open source as well. Basically, if you have some regulatory or management mandate (marketing perhaps? there are a lot of corporate reasons), you may be forced into the FIPS stuff. If not, you might have more room to choose something else.

    However, the important thing is to determine your security goals and design around them as well. For example, if you need super-uber-crypto and you have a password embedded in a file somewhere, you're leaving a huge hole that you may want to fill with some sort of hardware credential storage. Or if you use weak keys, it may be trivial to break your crypto. Or, if you don't plan for some sort of escrow, someone might cause data to become unrecoverable if you lose the credentials. FIPS won't stop those sort of problems and neither will open source, although the additional formality associated with implementing a FIPS compliant system might help clear up some of the policy and procedural issues (because the software/hardware may force it on you).

    Ultimately, unless you have a specific reason to use FIPS or want the additional "peace of mind" that the additional review can bring, you could go either way as long as you're careful about how the ultimate solution is implemented.

  25. Re:Can we kill the paging system as well? on Cubicles a Giant Mistake · · Score: 1

    Definitely seconded. We had an annoying paging system that anyone could use at the old office. People all had pagers, mostly had cell phones, most were at their desk, but others still insisted on calling the receptionist and asking for them to be paged overhead. Or they'd get a phone call and just bounce it over to the receptionists instead of sending it directly to the person, and they'd page for that too. Developers (and others) would install cardboard over the speakers, turn them down, even physically disconnect them!

    Then one day there was a tornado that blew (literally) right past the office. Security paged everyone to take cover. Lots didn't hear the page because they had disabled the speakers. No one was hurt, but a lot of people were pretty scared to be sitting at their sixth floor window when a tornado flew by about 500 feet away. After that, every speaker was repaired, validated, and turned WAY up, then Security took over the intercom and no one else may use it. This carried over to the new building as well.

    It is so much nicer working here after they turned that off. It literally sounded like an airport terminal. Even the old grocery store I worked at gave their managers and critical staff in-building cordless phones to cut down on the overhead usage.