I haven't written very much code that I've opened to friends / others to distribute, but the bit that I have hasn't even had my name in the source code. I don't write "Creditware", and when I think of people whose projects are driven by their egos rather than a desire to just get a job done, I think of software packages that are generally full of flashy features with questionable reliability and are the most aggressively defended when people want to add a feature that doesn't align closely with the author's original intent (which makes sense, because the more the author's name is attached to it, the more you're affecting his/her identity with your feature).
This said, I'm certainly not against respecting authors' identities and their wishes WRT maintaining any branding they choose for their product, but if someone's version of a program is going to pop up a page of text enumerating their life story, possibly obscuring some warning message I really should be reading, I'm going to look very hard for alternatives.
-Dan
DSL was invented to provide a solution to a single specific problem (lack of quantity and quality of copper for long distance runs from the CO to the home). DSL makes some tradeoffs, including very expensive hardware, in most cases low upstream, and in many cases interference in the audio portion of the line that has to be filtered at each extension. If you're wiring an apartment or even a small neighborhood, why not consider pulling a second Cat5/6 and providing regular 100 Mbit Ethernet? Your cost dissolves down to a managed switch (and that can be eliminated if you're willing to manually plug/unplug ports from the switch), and the customer end becomes whatever cheap Ethernet card they'd have to have anyway to plug the DSL modem in. For the fortune you save in DSLAMs and other expensive telco grade hardware you could probably buy everyone who posts a comment in this article a pizza.
-Dan
How is this not the lead story on every site? every day? I've got US$10.00 on it being the lead story on /. at least two more days.
Yes, many of us who are in the industry, or in tangentially related ones, such as myself, are feeling the frustration from HIPAA. Here's the survival guide as I've seen it:
1) File for any and all extensions you can. A lot of this policy is BS and will probably get softened, but filing for extensions is probably the easiest way to stick it back to the man, at least for a little while.
2) There are a few companies that provide HIPAA compliance insurance, especially for software products developed to support medical information systems. MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products designed for medical users that might be helpful. (No relation to them other than having heard about their products in a .ppt presentation)
3) Solve the problem with vendor pressure. No software provider in the industry wants to admit they're not HIPAA compliant, so grill them on it. They know it's a priority and should (hopefully) be releasing software that will accommodate the new rules.
4) Solve as much of the problem as you can technically. If you're the vendor of the products you use (in house software), redouble your efforts to make as much of the compliance transparent as possible. As you've outlined, most people in the industry do NOT want to deal with the technical aspect of computers, they just use them to get their jobs done. Putting all of the encryption / security management stuff in plain view is only going to make the learning curve more difficult and allow more room for human error (which equates to HIPAA violations and fines for your employer).
5) (this is very much not to be interpreted as legal advice) Patch the big holes first. If you know you can't meet HIPAA by the deadlines, patch the big problems, and the things that will be obvious violations and noticeable by people inside and outside the company. There are zillions of possible violations, but if you show due diligence any fines you do receive will hopefully be tempered by the fact that you've done as much as possible to accommodate the law.
-Dan
Before you embarrass yourself again, get a clue. The firewalling properties you perceive in NAT are an illusion, a side-effect of its primary function. NAT makes communication possible where it was not possible before. This is the opposite of what a firewall is designed to do, which is to make communication impossible where it would otherwise have been able to take place.
Since you have gone to the trouble of saying this several times in this article, even going so far as to mock people, I feel it is worth a moment to point out why you are (effectively) wrong.
Your definition of a firewall is very simplistic. Perhaps it is one of a beginning Computer Science student or a mid level manager / sales team member of a firewall product company. I encourage you to take a moment to revise it to more accurately reflect what firewalls do, and to open your mind somewhat to understand perspectives that are not yours. A better definition of a firewall may perhaps be "a piece of hardware or software designed to restrict communication between points as permitted by site policy and as configured by a site administrator".
A firewall can do several things that really do not fit into your more narrow definition of a firewall. Some of these things might be gateways/proxies (SecureIIS is a proxy of sorts that does exactly this), reactive ACLs (à la Cisco), stateful packet analysis (chained to the appropriate logging or filtering facilities), yes, even completely rewriting the packet with different source or destination addresses (NAT) and/or ports (sometimes abbreviated PAT) based on certain rules.
Your arrogance and/or ignorance is blinding you to the fact that NAT is two sided, and that the relevant portion to "firewalling" is the portion you aren't considering. That is, the NAT device cannot guess, based on a random incoming packet, where it should send that packet inside the "protected" area; therefore it is forced to discard it.
A fair example of this, I believe, is my own home system, where I have exactly one machine for web browsing, and it is a laptop under the control of my employer - a fine bunch of people but not always on top of the patches for my machine. I have a basic OpenBSD system at home that serves no relevant purpose other than to simply provide me DHCP and ipf/ipnat services. By merely putting this NAT in line with my daily machine, I have been protected from the wave of Code Red and Nimda variants that pounded my cable modem a few months ago. In fact, thinking this through, it's easy to come to the (perhaps incomplete) conclusion that all broadband users should be forced to be behind NAT for their own good. While that may be a bit extreme, I can say that NAT was the simplest way for me to provide effective firewalling for 100% of the problems that my machine has been at risk of. (excusing of course the onslaught of E-Mail worms which would have necessitated other forms of filtering had I been running Outlook and friends.)
In conclusion, there is more to firewalling than simple packet filtering (or whatever "make communication impossible" is meant to imply).
Enjoy your new clue.
-Dan
P.S. If your teriyaki glaze really looks like WD-40 please reply to this and I'll e-mail my mom and get her recipe from her and pass it along.
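To make the "two sided" point in the post above concrete, here is an added example (editor's own code, not from this thread and not from ipf/ipnat) that models a port-translating NAT gateway. Outbound traffic from an inside host creates a translation entry; an inbound packet is forwarded only if it matches an entry, either one created dynamically or a static port-forward the administrator configured. An unsolicited inbound packet matches nothing, so the gateway has no inside destination for it and drops it. All addresses, ports and the class/function names are constructed for the example.

```python
"""Toy NAPT gateway (constructed example; not ipf/ipnat code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Entry:
    inside_ip: str
    inside_port: int
    # Remote endpoint the inside host was talking to; None means "any"
    # and is only used for static port-forwards set by the administrator.
    remote: Optional[Tuple[str, int]]


class NaptGateway:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public_port) -> where inbound packets to that port belong
        self.table: Dict[Tuple[str, int], Entry] = {}
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.reverse: Dict[Tuple[str, str, int, str, int], int] = {}
        self.dropped: List[Packet] = []

    def forward_port(self, proto: str, public_port: int,
                     inside_ip: str, inside_port: int) -> None:
        """Static mapping: the administrator deliberately exposes an inside service."""
        self.table[(proto, public_port)] = Entry(inside_ip, inside_port, None)

    def egress(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source and remember the translation."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            public_port = self.next_port
            self.next_port += 1
            self.reverse[key] = public_port
            self.table[(pkt.proto, public_port)] = Entry(
                pkt.src_ip, pkt.src_port, (pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, self.reverse[key],
                      pkt.dst_ip, pkt.dst_port, pkt.proto)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: forward only when a translation says where it belongs.

        A dynamic entry is also bound to the remote endpoint the inside host
        contacted, so a packet from some other source to the same public port
        is dropped too (endpoint-dependent filtering, as stateful NATs do).
        """
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None or (entry.remote is not None
                             and entry.remote != (pkt.src_ip, pkt.src_port)):
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src_ip, pkt.src_port,
                      entry.inside_ip, entry.inside_port, pkt.proto)


def demo() -> dict:
    """Walk through the scenario from the post: one laptop behind a NAT box."""
    gw = NaptGateway("198.51.100.7")  # constructed public address
    laptop = "10.0.0.2"               # constructed inside address

    # 1. The laptop opens a web connection; the gateway rewrites the source.
    out = gw.egress(Packet(laptop, 51000, "203.0.113.10", 80))
    # 2. The web server's reply matches the entry and is rewritten back.
    reply = gw.ingress(Packet("203.0.113.10", 80, gw.public_ip, out.src_port))
    # 3. An unsolicited probe of the public address on port 80 (the way the
    #    IIS worms mentioned in the post spread) matches no entry: the gateway
    #    cannot know which inside host, if any, should get it, so it is dropped.
    probe = gw.ingress(Packet("192.0.2.99", 4444, gw.public_ip, 80))
    # 4. Only an explicit administrator decision changes that outcome.
    gw.forward_port("tcp", 80, "10.0.0.5", 80)
    probe_after = gw.ingress(Packet("192.0.2.99", 4444, gw.public_ip, 80))

    return {
        "translated_src": (out.src_ip, out.src_port),
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_dropped": probe is None,
        "probe_after_forward": (probe_after.dst_ip, probe_after.dst_port)
                               if probe_after else None,
        "dropped_count": len(gw.dropped),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The static `forward_port` step is what turns the gateway's "I don't know where this goes" drop into a deliberate exposure, which is the sense in which the behaviour is "as configured by a site administrator": the protection is a consequence of the translation state, not a separate filtering policy, and it disappears for exactly the ports an administrator chooses to map.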
http://www.attrition.org/security/commentary/worm01.html
http://www.attrition.org/mirror/attrition/os-graphs.html
Let me guess. Every one of those 8836 machines with Windows 2000 was "misconfigured", should have had better administrators or should have been behind a firewall. Riiiight. So much for more secure out of the box.
Anyone with conscious knowledge of these numbers cannot say that Windows is more secure than anything out of the box, because it just plain isn't.
--
Back your zealotry up with facts, not fanaticism.