World Tech Tribune had a rather hilarious FUD article [worldtechtribune.com] covering this several days ago.
Wow, that... is.... incredible. 'Hilarious' doesn't even come close to describing it.
The article you mention does, however, illustrate the salient point we should all be taking away from this, which is that 'security' is a multidimensional word with orthogonal meanings: when MS says 'it's secure' you have to consider whether they are talking about Palladium/DRM (others get to decide how your PC works) or filesystem ACLs (you get to decide who can access what inside your box) or PKI algorithms (you get to decide whether someone else's identity can be verified and how to exchange data in a manner that is difficult for third parties to intercept). This is what the newbies and PHBs need to understand.
Now, the CC certification means *something* (read the specs to find out exactly what) but there is no "SECURITY = ON/OFF" button you can go push to lock everything down. (Yeah yeah, I know: "power button", ha-ha, very funny.) Anyway, with the machine turned ON, security is only the end result of a process of auditing, testing, fixing and policy enforcement.
Seems like the type of thing law enforcement agencies would be against. As soon as you put out an APB for a black 4-door sedan, poof, it's a green 4-door sedan.
Not an issue, my friend. Thanks to your car's escrow key and a couple of suitable laws, law enforcement can now change YOUR paint job to hot pink with lime green stripes and a giant helicopter-visible bull's-eye on the top labeled "ARREST ME! CASE #2991822"
Let's hope Senators Hollings and Berman are paying attention.
The vast majority of voters won't care a bit. Yes, they'd like non-crippled CDs, but that won't sway their voting. People usually vote based on whether someone is Republican or Democratic - the stance the candidate takes on important issues is (depressingly) unimportant to most people.
I suspect that the vast majority of American voters are far more concerned with other, more immediate issues like taxes, education and security for "entertainment-industry issues" to even make it onto their radar.
I agree that this is an issue that merits voter consideration, but I must also concede that it is in no way important enough to be the primary factor in choosing a candidate to support -- I'm way too concerned with working, paying bills, the stock market, invading Iraq and trying to make time to spend with my wife for this to be a primary election issue for me.
#INCLUDE "rant.h";
Now, having said that, I ALSO have to point out that this is an issue that really frosts my twinkie. I do not like the idea that jerkola neo-Socialist (yes, neo-SOCIALIST - look at the things they are asking for: managed competition, heavy government involvement and regulation, artificially high barriers to entering restricted markets, federal subsidization, etc... How is that NOT Socialist?) executives are paying high-priced lawyers several times my salary per day to figure out how to dictate how I use my property. I would love it if we all just woke up one morning and decided to never buy anything from them again. Music would survive - it just wouldn't be THEIR music.
For that matter, it isn't just the RIAA/MPAA - that's just the tip of it:
Why do I have to buy my cell phone service and my cell phone from the same vendor? What kind of an asshead designed this? I should be able to buy a phone at Wal-Mart, walk across the street to Verizon and buy an ID card I pop into my phone that keeps my phone book and account info on it so I can switch phones by swapping cards. (Don't they do it that way in Japan?)
For that matter, the telcos are simply run by assheads and the whole thing needs to be torpedoed and rebuilt using voice-over-IP on high-density fiber by new companies. It's not like we're suddenly going to stop needing phones all of a sudden.
Same with Major League Baseball - it's run by assheads, too. The only way to fix the stupidity here is for the whole thing to collapse under its own weight so it can be rebuilt under new ownership.
Credit card companies? assheads.... and PREDATORIAL assheads at that.
Every stupid software package out there that puts an icon in my system tray to tell me it's installed was programmed by ASSHEADS! If I had a dollar for every PC with performance/stability problems I've 'fixed' by running MSCONFIG I wouldn't be typing this from Ohio right now.
SO, STOP BUGGING ME ABOUT HOLLINGS AND BERMAN! AS YOU CAN SEE, I'VE GOT A LOT ON MY MIND TODAY!!!!! ARRRRRRRGHGHGH!
Except, then they'll also start consuming us for food. That's another often overlooked disadvantage of SETI.
+1 ***INFORMATIVE***?!?!?!
WTF?!?!?!
+1 Funny, sure. +1 Interesting, maybe. Hell, I'll even buy +1 Insightful when I'm on Nyquil, but +1 INFORMATIVE?!?! Who's moderating today -- Art Bell?
It was a lame attempt at ironic humor. I was actually quite proud of it until I realized I hadn't included the standard disclaimer to that effect. (Of course, that was *after* clicking 'submit'....)
This is a bit of an obnoxious distinction to make, and I certainly think they should have phrased it differently. Usually people say three-sphere when they mean a sphere in three dimensions, which is in fact just a surface and thus two-dimensional. Then, we can say n-sphere and have a sphere in n-dimensional space that is an (n-1)-dimensional object. However, this kind of quibbling tends to have no effect on proof, which is what math on this level concerns itself with anyway.
So, I guess all I have to do in order to get a submission finally accepted is resubmit a rehash of something that already made the front page half a dozen times then.
Don't get me wrong, I dig Janis Ian and her stand on this issue, but geez, can't we find some news that's actually NEW?
Again, this article is newsworthy NOT BECAUSE OF THE CONTENT (with which you and I are both already ridiculously familiar), but BECAUSE OF WHERE THE CONTENT APPEARS.
Maybe the wind blows up where you live, but my mother-in-law reads the USA Today, not /.
So the question is, what on earth will compel them to drop Windows on the desktop? Because it's sure as hell not any of the issues we've seen so far.
When I can buy LeasePlus, Smart.alx and Great Plains Dynamics as ELF binaries.
Seriously, the reason small-medium businesses buy MS servers and workstations in the first place is because they need to run that one application that runs their business, and it only runs on MS because the vendor doesn't have the resources to devote to multiple platforms. For us, it's a combination of the apps I mentioned (and a couple of other minor ones).
There are hundreds (if not thousands) of small software companies that write, manage and maintain ONE niche-software app to run the businesses in their specific industry. They use MS tools and platforms because they are easy, cheap*** and ubiquitous. There is some competition, but it is limited by huge barriers to entry -- mostly, up-front capital and specific in-depth industry experience (for example: in order to write effective lease management and accounting software, you first have to know the leasing industry inside and out.)
Oh, and did I mention that we hate the software we're using? But so does everyone else. We're stuck with it because the only alternatives are either prohibitively expensive to switch to, or crummier, or both. We're too small to pay someone to develop custom software in-house, and our industry is too small to generate enough free-developer interest for a non-proprietary/open-source solution to be practical.
There is only one way Linux is going to **REPLACE** the MS servers in our storage/mopcloset/utility/telco room: Our vendors need to start developing for Linux, or at least on an open platform like LAMP or WAMP that allows us to pick one or the other.
Why do you think monkeyboy gets so jacked up about DEVELOPERS! DEVELOPERS! DEVELOPERS! DEVELOPERS! DEVELOPERS! ?
Until then, Linux is going to have to run our web site and our email and be happy with that. There aren't enough open-source developers in equipment leasing.
*** "cheap" in a relative sense. Consider that we're going to send the equivalent of a small automobile to each of our two or three software vendors every year for the privilege of being able to call them when their shitty, crappy, slow and bug-infested software takes a dump after an update, all the while frustrated that we can't get working features we were promised three years ago when we bought the software for the price of a good-sized house.
But, you know what? Our business couldn't function without it.
Ummmm, I agree that this whole coast-to-coast coverage thing is completely overrated, but I have a different tack on it. To wit:
Most people spend 99%+ of their time driving within 50 miles of home, where one radio station will cover them. Anyone who's all that picky about what they listen to will probably want to listen to CDs anyway. Personally I'm probably going to get a car MP3 player (I was waiting for an OGG player but I'm tired of waiting).
Yeah - and one of the cool things about going on vacation every year is that I get to listen to all the radio stations from other towns along the way -- It's *great* to hear something different once in a while. I also like to go out to McDonald's for dinner while I'm at the beach - can't get a flavor like that at home!
Seriously, though, it really used to be kinda fun hearing radio from other parts of the universe when driving at night on vacation -- especially sportstalk and talk radio. But that was before the dark times.... before the ClearChannel...
By virtue of the ClearChannel fiat, doesn't broadcast radio enjoy coast-to-coast coverage now?
This is neat-o keen, but exactly how does this convince people who are running NT or Linux servers (and who therefore can *already* get MySQL for free) to go with NetWare?
If I were Novell, I'd be more interested in developing a Samba-style SMB server NLM to try to replace NT file and print servers -- look in any current virus catalog under "Klez" for more details...
Isn't it the job of a secure OS to prevent applications (however badly written) from royally screwing up things?
Amen, I wish I had a mod point to give. Along similar lines, didn't CDC claim that BackOrifice uses the same standard API calls as MS's own SMS to provide remote access? On second thought, maybe and maybe not.
Either way, it seems to me that most of MS's security problems have less to do with the OS not doing its job and more to do with the fact that MS has designed every one of their products to encapsulate (arbitrary) code inside their data files so their developers have easier ways to hammer out apps.
The problem is that the same scripting engine that lets Word (usefully) puke out mailmerged documents generated from a VB/Access app also gives virus authors a platform to attack. The fact that it's useful to combine code with data just means the platform is now ubiquitous, and therefore not going away because this is a fundamental design issue, folks. MS did this on purpose to make it easier to get computers to run code, and it can't be fixed by patching holes.
To really fix this, MS would have to renounce this entire experiment and replace every copy of Win/Office/IE with new software that is less 'capable.' Those of you who are paying attention probably now understand Mr. Valentine's comments of a few weeks ago, as well as Microsoft's interest in shoving Palladium down everyone's throats.
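A defender's check that follows from the point made in the comment above (code riding inside data files), added here as an example and not part of the original thread: a small Python script that inspects a zip-based Office (OOXML) document for the VBA project part and for the macro-enabled content types, which is how a mail gateway or file scanner can tell a plain data file from one that carries code. The generalization to the OOXML container is mine, since the thread is talking about the older Word binaries; the content-type strings are the standard OOXML ones, while the file names, the sample zips and the placeholder VBA bytes are constructed for the demo.

```python
"""Flag Office documents that carry embedded code (VBA macros).

Added example, not part of the original thread. It checks OOXML (zip-based)
documents for the vbaProject.bin part and the macro-enabled content types.
The sample documents below are constructed in memory and are not real Office
files; they only contain the parts this check inspects.
"""
import io
import zipfile

# OOXML content types that mean "this document may run code" (standard strings).
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)


def macro_indicators(data: bytes) -> list:
    """Return the reasons the document looks macro-bearing (empty list = none found)."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary (OLE) documents are not zips; they need an OLE parser instead.
        return ["not a zip container (legacy OLE binary; inspect with an OLE parser)"]
    names = zf.namelist()
    # The compiled VBA project is stored as its own part inside the package.
    for n in names:
        if n.lower().endswith("vbaproject.bin"):
            reasons.append("VBA project part present: " + n)
    # [Content_Types].xml declares every part's MIME type; macro-enabled types are explicit.
    if "[Content_Types].xml" in names:
        ct = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
        for mime in MACRO_CONTENT_TYPES:
            if mime in ct:
                reasons.append("macro-enabled content type declared: " + mime)
    return reasons


def build_sample(macro: bool) -> bytes:
    """Construct a minimal docx-like zip (constructed sample, not a real Office file)."""
    if macro:
        main_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_type = ("application/vnd.openxmlformats-officedocument"
                     ".wordprocessingml.document.main+xml")
    ct = ('<?xml version="1.0"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Override PartName="/word/document.xml" ContentType="' + main_type + '"/>')
    if macro:
        ct += ('<Override PartName="/word/vbaProject.bin" '
               'ContentType="application/vnd.ms-office.vbaProject"/>')
    ct += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("clean.docx", build_sample(False)), ("invoice.docm", build_sample(True)))
    for label, doc in samples:
        hits = macro_indicators(doc)
        print(label, "->", "QUARANTINE" if hits else "ok", hits)
```

The check reads only the package manifest and part names, so it is cheap enough to run on every attachment at a gateway; a non-empty result is the signal to quarantine or strip the file rather than let the "data" reach an application that will happily execute what is inside it.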
I can't wait for the first time I can't Meta-Moderate because we've been Googled!
By the way, does anyone know if this will solve the slashdot-effect-site-caching issue?
No matter which party is in power, it's foolish to assume that a government "science review" board is unbiased. They exist to endorse administration policy, not to give unbiased advice.
And it's people's willingness to accept this that is the real problem.
Nobody is 'accepting' anything. It's his board, and he can do with it as he pleases. If you don't like their conclusions, feel free to start your own board and publish whatever results you like. Everyone gets to make their own decisions here.
It's important to recognize that the only authority these boards have is advising the president -- they don't make policy, they don't enforce policy, they don't legislate and their conclusions aren't binding.
Get it?.... cell phone... in... EM shielded pocket... assuming shielding works.... unable to connect.... to tower.... no ringy-dingy....... oh, bother.
OK, so Mozilla has more better features than Netscape? Well, duh. But that's like saying the Pontiac Aztek in the dealer showrooms didn't have as many features as the concept car version.
Netscape is 'official'. It's going to be supported with a room full of tech support reps and it's going to be bundled with stuff; Moz has a more experimental, cutting-edge hue to it because it isn't.
This double-barreled development approach is really a brilliant move by AOL/Netscape, even if it did take FOUR years. I bet the end product is a lot more stable, with more useful features, than it would have had as a closed proprietary project. Does anyone know if it came in under budget or not?
Every time I ask Google about this it seems like I end up bouncing back and forth between the same three or four sites never quite finding what I'm after -- kinda like pr0n, but not as fun. So here goes...
Does anyone know of any free/nonfree resources, documents or URLs that list the networking, server and policy encryption and configuration standards required for HIPAA compliance? Consider this from the point of view of a network administrator for a small health services company that buys all of its software from outside vendors (no internal development).
Please don't answer http://hhs.gov. I know about those, and I'm hoping to find a summary of sorts, not the original regs. I'm also aware that the rules themselves are vague and unspecific, and may or may not specifically mention networking and server hardware, software and practices, so I'd appreciate it if someone could confirm that, if it is the case.
Having said this, the way most EULAs are presented is HOSTILE to the user: confusing legalese presented in a tiny scrolling text box smaller than the text area I'm writing this response in.
You left out "unprintable".
Not only are the EULA terms non-negotiable, but most of the time you don't even get a record of the terms you accepted. Kudos to MS for being thoughtful enough to drop a EULA.TXT in the application install folder for your reference, but the paranoid among us will properly point out that there is no guarantee that this is the same EULA you were presented at install. In fact, I wouldn't put it past some of these jokers to actually deceive users by presenting a basic EULA at install, but enforcing a 'more robust' version later. And exactly how would you prove they'd done this without disassembling the code to recover the original (hopefully unencrypted) EULA text? DMCA Anyone?
I don't mind agreeing to terms of use for software, but this is the wrong way to do it.
1) Define "Security Professional". How do I get to be one? Do I have to hire a lawyer? Am I an SP if I config user passwords? Write code? Use keys in doors? Write papers on PKI systems and techniques? Hack my DreamCast to play Simon? Can I get an SP license from somewhere (other than the BAR Assoc.;) that excuses me from the DMCA? How much is it?
2) How do you get SPs if "ordinary Joes" are forbidden from studying and learning the techniques required to do the hacking?
This got modded up as funny, but those of you out there who are new to network security and administration need to take note - this one is pretty fundamental.
No matter what patches you install, services you disable, firewalls you configure, or holes you plug; if I can get unrestricted (private) console access for < 1 hour, U R probly 0wn3d. I might not even need to r00t your box right away - I'll just image the hard drive to a spare I keep in my backpack and walk out with your data -- I'll have all the time I need to dig out the interesting bits later.
Encrypted filesystems *should* invalidate this approach, but we'll see.
Relax.
They'll also tend to develop some strange characteristics.
Trans: like first post, links to prOn, and the like...
GEEZ - IT'S "pr0n", NOT "prOn"!!! GET IT RIGHT, you flippin' newbie freak wannabe!!! It's not like it isn't in the FAQ or anything!
Yeah, Topologists always were kinda weird....
Uh oh.....
Sony isn't going to like this!
Does this mean that Kazaa Lite will let me redirect the donations to myself? :)
So *THAT'S* why nobody calls me anymore!
Clap..... Clap.....
Clap..... Clap..... Clap.....Clap..Clap..
Clap Clap Clap Clap WOO-HOO! Clap Clap Clap YEAH!Clap Clap Clap Clap Clap FREEBIRD!!! Clap Clap Clap Clap Clap Clap..... Clap.. Clap.. Clap.....
Clap.....
Well done indeed!
WOOHOO! IT'S ABOUT TIME!
I'm so excited about these developments, I'm gonna send automated emails to everyone in my database letting them know the good news!!!!
Lock the door when you leave the computer room.