Dang it.
In general, if the next lower layer can't be trusted, the security of whatever you're evaluating is screwed.
By way of example, at my previous job I used a linux boot floppy to change the local administrator password on a Windows NT4 system, thus owning the machine at the next boot. By an extension of your standard, this represented a Windows vulnerability, because whatever measures Windows may have taken to prevent such a thing (like NTFS) were ineffective.
I think that's a clear mis-assessment of the true vulnerability: the problem wasn't that Windows couldn't handle tampering, but that the machine itself was physically unprotected from tampering. (Fortunately, I was an authorized tamperer.)
Likewise, it is unreasonable to expect any app to successfully defend itself from its host OS. Firefox might make OS-level tampering harder, but it cannot prevent it. Therefore I agree with the grandparent poster that this is not a Firefox vulnerability.
A friend of mine once wrote a message with a much lower refresh rate... he planted trees. Somewhere in northeastern Washington, aliens (or pilots) may be startled to see a certain naughty word beginning with "f" spelled out over a couple acres.
Hmm. Actually, I ought to get the coordinates and check google maps...
Let me see if I've got this right: You don't have standing to sue to find out if you were wiretapped unless you can prove you were wiretapped.
Hmm.
This actually might be good news over the next few years. A large and key bloc of Republican voters (the Christian right) is going to be very, very annoyed about this ruling. If they start supporting copyright reform in a big way because of this, substantial changes might be possible for once.
Oh! Well, heck, I take that back.
I gotta say, it did seem rather out of character.
That is an excellent start.
Mr. Bush's administration has clearly outperformed Mr. Clinton's administration on this issue.
"Once the battery is devoid of charge, the landmine is safe for handling by a small child."
That's good... during the timeframe in which the various explosive compounds remain stable. I'm not sure about these particular compounds, but explosives are notorious for becoming unstable over time. If one of these mines is plowed up by a farmer in 80 or 200 years, will it still be safe to handle? (And by "safe to handle" I mean that it needs no special precautions at all... the farmer can simply toss it in a rock pile, burn it, or disassemble it for scrap without risk of any detonation.)
If not, then the problem of unexploded ordnance is merely postponed for future generations who may have forgotten that there was ever a minefield there.
Self-destructing mines would be a much better choice than self-deactivating. Self-destructing has its own problems, of course... a full detonation may still injure a bystander. The best solution would be to trigger a low-order detonation or slow burn while the mine is still buried.
"Landmines are awful, but letting genocidal dictators rule the world is worse."
Land mines are a genocidal dictator's best friend. They offer very little value to anyone trying to remove genocidal dictators.
When science gives us a self-deactivating minefield, or one that can distinguish a combatant from a civilian from a cow, then we'll have real progress.
No warranty expressed or implied, including warranties of merchantability or fitness for a particular purpose. Product may not actually be the smoothest ride from here to Boros for them that can pay, but is generally accepted as smooth enough. Caveat emptor. Offer void where prohibited. Your mileage may vary. See dealer for details.
Don't forget the downloadable commentaries for Firefly.
Far from being an "... absolute misjudgment of the seriousness of the matter", this librarian correctly realized that it was a serious matter which she was not qualified or empowered to judge. She deferred to the courts, which are the only appropriate and authorized arbiter of police search powers.
Bravo, Ms. Reutty!
Hey, it was late. I wasn't thinking clearly.
The second does make sense. Several times in the past, exploits have been discovered in other systems, and when the OpenBSD team looks into their stuff they realize that a previous code audit fixed the problem before it was even known. Their habit of fixing whole classes of coding errors throughout the system, instead of just particular instances in particular places, has really served them well in this regard.
But you're right, this exploit seems likely to be embedded in a binary blob. If so, then Theo's aggressive policies regarding blobs will have been very handily vindicated. I'm looking forward to finding out.
No, no, nononono. I was trying to say that it'd be a big surprise if the problem affects OpenBSD, even if every other OS on the planet is affected. Sorry if I was unclear.
Most likely (now that I think about it more) is that the vulnerable wireless hardware is unsupported under OpenBSD, or is supported by a not-vulnerable blob-free driver. (Even if the OpenBSD driver is vulnerable, I'd be very surprised indeed if the problem turns out to be exploitable enough to qualify as a remote hole.)
It sounds like this will be either the second remote hole in the default install for OpenBSD, or another example of them saying "Yeah, we fixed that a couple years ago."
I'd bet on the latter.
"Do we, as consumers, have any recourse against these businesses?"
There's always the solution from Fight Club.
Oops. I'm not supposed to talk about that. Forget I said anything, will ya?
Actually, they have expressed to me that they do want to be educated, but that's not in their contract with him. When that contract expires, he's gone.
Some payment for his expertise in product selection is of course reasonable. But that's not how this is structured.
All this guy is doing is adding an unnecessary layer to the transaction and driving up the end-user's cost. I have other reasons to think that he's milking this particular cash cow that I won't go into here. Suffice it to say that he has found several ways to profit by his customer's continued ignorance, and he acts to keep them in the dark rather than educate them. (The customer probably should work to get a clue themselves, but that's yet another story.)
It may be legitimate capitalism, but I wouldn't feel right about doing it.
Oh, heck. It's easier than that.
I am familiar with a business that gets all its IT services through a one-man contracting operation. It's in the contract that this guy will provide them with all their hardware, at a 5% markup over his cost. So instead of just telling them what to buy and letting them call up Insight or whomever, he buys it for them, tacks on 5%, and gives them the bill.
The value-add is pretty near nil, but the cost add really lines the guy's pocket.
"The truth is you sign a lot over when you sign HIPPA [waivers]"
Actually, no. There is no generic HIPAA waiver. For the most part, HIPAA doesn't require the patient to sign anything, except to authorize specific disclosures in unusual circumstances.
I think what you're talking about is a clinic's Notice of Privacy Practices, which each provider or clinic is required to present to you at least once. By signing it, you simply acknowledge that you have received such notice, not that you agree with the clinic's policies therein. You can refuse to sign an NPP, and the provider should still treat you if you refuse. (The reason they want you to sign it is so that they can prove to their auditor that they offered it to you... a refusal is almost as good for their purposes, so long as they keep record of the refusal.)
There is no waiver of HIPAA rights accomplished by signing that form. Under the law, any provider is allowed to share your information with other HIPAA-covered entities for the purposes of Treatment, Payment, and healthcare Operations without your specific authorization. You have no power to affect TPO disclosures by signing or not signing anything.
If you want proof, go to any HIPAA-covered clinic or hospital. Go to the front desk, and ask for a copy of their Notice of Privacy Practices. They are required to give you one, even if you are not their patient. (If you're in desperate need of scratch paper, go ask the nearest clinic for an NPP.) Collect a few of these from different providers and read them carefully. You'll see that they all say basically the same thing, with a few minor differences based on the clinic's own policies. In no case should you see any language that construes your signature as anything other than acknowledgement of receipt of the document.
From the outset, HIPAA was expected to have a period of voluntary compliance, followed by a period of enforcement aimed more toward corrective action than towards punishment. I don't recall just what the intended durations were, but the period of corrective enforcement was to be at least a few years long.
Although HIPAA was set in motion back in 1996, the Privacy rule only came into mandatory effect in October of 2002, and the Security rule not until April of 2005. We might be nearing the hard-enforcement date for Privacy, but for Security I don't think we're even close yet.
I'm no fan of this administration, but lax HIPAA enforcement is not something that one can fairly tar them with yet. They're pretty much sticking to the original plan so far.
"Every visit to a MD office now requires that you fill out and sign the form that swears they promised under HPPA not to divulge anything"
Then your provider needs to get a clue.
You only need to sign one HIPAA "Notice of Privacy Practices", once, for each provider. If they give you a second one, it's because their NPP was revised, or they've lost track of the fact you've already got one.
The NPP shouldn't ever ask you for anything or limit any of your rights if you sign it. It exists to inform you of the clinic's policies, and that's all. You sign only to acknowledge that you got a copy. You don't even have to sign an NPP; you can refuse it.
If they give you anything at each visit and tell you that you must sign it due to HIPAA, you'd better read it very carefully and they had better have a very specific reason for asking you to sign. It sounds to me like they're either being inept or sneaky.
A slightly easier analogy is "Email is like a postcard" and "Encryption is like an envelope".
If what your auditor is saying were correct, you could not have a waiting room. Everyone there is presumably there for some medical reason or other, and they can see one another for chrissakes. And we all know that patient images are PHI... You'd have to herd them into separate cells as they arrive, and keep any visitor to the office from seeing any other.
It's daft. I hate to say it, but your compliance auditor has something to gain by making things seem more difficult than they really are.
Remember that HIPAA is a complaint-driven process. The patients don't sue you directly, but instead take a complaint to the civil rights office. If the civil rights office takes action against any provider anywhere on a complaint of a patient name being called out in the waiting room, I'll buy your auditor lunch.
In the meantime, get a new auditor.
Speaking as someone who keeps a copy of the HIPAA regs ready to hand, I can say that what you describe is not a problem with HIPAA. Instead, it's a problem with that provider's stupid implementation. There is no "HIPAA security code" in the law.
If you're involved in the patient's care, they are allowed to release information to you. They do have to have "reasonable belief", when releasing information, to verify that you are who you say you are and that you are actually involved in the patient's care. But the mechanism by which they confirm your identity doesn't have to be especially difficult. Asking you to provide the patient's full name, date of birth, and maybe one piece of other information should be more than sufficient.