i don't know about hipaa/sox but i did recently have the "pleasure" of creating a pci-dss v1.1 compliant system from pretty much the ground up on the freebsd platform and have read all 16 (wow!) pages of the pci-dss 1.1 "spec" (if you can call it that; i put that in quotes because it doesn't "spec"ify anything. at least it is a short read, albeit a vague one). the following is a rant. however, if you read to the bottom (or skip there) there is a reward of a paragraph actually more directly pertinent to the original ask /. question :)
it (pci-dss) eerily reminded me of iso 9001. (i have a little experience in qual. assurance of manufacturing.) basically [pci-dss|iso9001], while its advocates will try and trumpet [security|quality], has nothing to do with either, and more to do with documentation and accountability. (ie who's responsible, ie who gets fired/resigns (after they've already pocketed enough money so that it's actually basically a retirement) so that another scapegoat can be brought in to take his place.) sure, documenting your process has always been a cornerstone of [security|quality] but anyone worth their weight in horse-sh^H^Hmanure already knew that and already did that.
[pci-dss|iso9001] seems to me (a small business operator) to be more about burying the little guy in a mess of paperwork and red tape while letting the big guys pat themselves on the back with another acronym or seal-of-approval that in the end gets so watered down that it turns into just another way for foolhardy consumers/customers to increase their complacency (complacent-fool consumers both a. deserve to be separated from their money quickly and b. are in my opinion one of the major problems w/ american society) rather than study, beyond the flashy outer packaging (in a manner of speaking), what they are buying.
and i don't have much experience with SOX but from the whiff of it, based on what some colleagues have told me, it is roughly the same thing (swap consumers w/ investors in the above text), despite glowing reviews in a recent usa today article on its 5th birthday. (usa today basically credits SOX for all of the US's economic growth since its inception after the post-enron market bomb, not the fact that the fear of being caught still looms in the air like a stench and so would-be corruptees might just be chilling out for the time being, seeing that 5 years is nothing in the grand scheme. however my hypothesis is that they in fact aren't chilling out at all, and are going at it just as strong or stronger, because from what i have seen in business, i would tend to think that: just like there is nothing really stopping an iso9001 certified company from producing sh^H^Hpoor quality products, SOX smells like just a better way to bury the real story in cooked books that are now just that much deeper. i know, i know, now the board is responsible and not just the CEO, and it's a legal crime and they can't claim plausible deniability anymore, all good steps in the right direction, but that only matters if you get caught, and my point is that SOX is just more paper to hide under so they don't get caught.) (ok, please label all flame replies telling me i don't know squat about SOX by keeping SOX in your subject while taking PCI-DSS out of your subject line if it no longer has anything to do with pci-dss, and do please enlighten us)
back to pci-dss: as consultants first and developers second, we reviewed handfuls of pci-dss compliant "solutions" before resorting to a custom built system. despite attempts to scare those like us out of it, with a little patience and attention to detail we little guys could still implement a pci-dss compliant system that was WAY better than many systems i won't go into bashing here, and all for the cost of some of the lower priced pre-cooked "solutions".
to an experienced developer, the pci-dss "spec" reads like: 1. don't be so stupid, 2. pull yer head out of yer as^H^Hrear-end, 3. don't g
good, two others already set this dude straight. as far as MP boards for procs that have their memory controller built in, like an opteron, are concerned, to max out the ram on a MB you must also max out the number of procs the MB supports, but there's nothing stopping an oem or mobo maker from fitting an nForce4-for-intel based MP board with one proc and virtually unlimited banks of memory, since the intel version of the nForce4 has its memory controller in it and has an HTX pipe so as to allow a single chain type connection of one proc and as many ram banks as chained nForce4 SPPs as needed to fill this niche of needing lots of ram with relatively less processing power to use it.
This is absolute bullshit. When they didn't get their way with all the numerous commie bills that have come and gone that would try to hold isps responsible for various traffic on their networks, they try... and now they are what? trying to use their size to bully isps themselves. the article at the register (OMG i RTFA before posting! pat on the back for me) couldn't have put it better:
Tony Soprano couldn't have put it better. "Nice content-carrying pipes you've got here. What a shame if anything were to happen to them... now, we've got this little agreement for you to look at..."
congress has already granted isps common carrier status, dammit, leave them alone. and from the /. post:
enforce terms of service that prohibit a subscriber from operating a server, or from consuming excessive amounts of bandwidth where such consumption is a good indicator of infringing activities.
ok, since when is using the bandwidth you paid for or opening a listening port a good indicator of illegal activity? i have a friend who was contacted by his isp last year (at least they didn't cut him off and make him call them after being like, "WTF?" but who's to say what would have happened had he not answered his phone) because they were suspicious of his large bittorrent usage, which had been going on for a couple of days. he was getting music of the band Phish, who seed the torrents themselves of soundboard recordings of live shows in CD-quality .shn format because they are sticklers for quality, and encourage the free exchange of their music yet cringe at the thought of it being contorted into that lossy crap.
however i am all for isps stating in their terms of service that while you get a large bandwidth for burst transfers, spikes and so forth, the bandwidth starts to decay after continued pegging, so long as the exact decay function is stated in their terms of service. that is a much simpler, cheaper, automatic way to deal with the very points brought up by the ones who drafted this supposed code of conduct, at least so far as to serve the interests of fellow subscribers and the community at large. much better than enlisting the isps to actively patrol their waters, which results in increased cost for me and you.
A better alternative for the ISPs, IMHO, would be to start behaving like the network administration team in a big company. Joe Sixpack would be better off if the ISP would install a centrally administered system administration client on his machine that automatically scans and deploys the latest anti-virus program.
are you friggin joking? do you, who keeps your machine a non-zombie, want to be paying for this so called network administration team? i suppose you think communism is a good idea too. and it's a little different in a big company where the company owns the machines and therefore has the control to do such things; how do you propose they get this done on thousands of lusers' winblows machines?
i say cut the bitches off. my isp cuts people like this off automatically and it already costs them enough just in calls of "why is my cable modem not working", "because you no longer own your computer and the spammer/zombie-fleet that does isn't a subscriber". (more than half of tech support calls) this same isp already bundles McAfee Managed VirusScan with the subscription AND guess what, they still are cutting people off every day because A) that can't handle everything (ie, wearing a condom won't help you when you try to hump a meat grinder, which is the analogue of how some of these users go about their online experience), that's why it truly takes a "network administration team" in a company, and B) they send you the disk when you subscribe but they told me that less than 25% of their windows-using members install it.
This same ISP will give you a free month each year if you specifically ask to forgo the McAfee and manage to not get disconnected by the zombie trigger, basically reimbursing you for the cost of the McAfee which is rolled into their price for service. but they don't mention this reimbursement anywhere unless you ask/complain about the socialism that is bundling proprietary windows software with network service just to offer a bandaid to the most insecure computing platform ever conceived. but at least they make it right when you ask. however, i know of two linux users who would have been eligible but never knew of this free month offer and whose McAfee disks just ended up directly in their trash can after subscribing.
All DRM as applied to the current market of devices is just security through obscurity. The "labels" can't have their cake and eat it too. You make a standard and whoops, you no longer control what happens to the content.
DRM is a pipe dream. It's fundamentally flawed to think you can ultimately protect something from being copied while it can still be played. They should keep quiet and be happy that the more separate obscure formats can delay the eventual open-source-then-soon-made-dmca-contraband release of each.
The only way to have a "standard" DRM is to delegate some government bureau as the authority to sell a proprietary playback component to a select few very large tech corporations, which make the then only legal playback devices. And I only said it would be standard, not effective. We saw for how long that idea worked for DVDs' CSS decoding keys.
The only possible effective DRM method would require such a central bureau to issue UUIDs of some sort to the large enough online media retailer companies, with which the downloads of such a SocSecNum-tracked sale will be permuted at the highest threshold of the digital media format's quality level (wasting some bits that the codec could be using in order to sell you an inferior quality recording) so they could ultimately catch someone by finding an illegal copy and being able to reference exactly when who sold that track to whom. Of course this isn't necessarily effective DRM, it just makes infraction prosecutable. Of course, to copy, people would have to lower the quality to below the threshold at which the fingerprint can be identified or mix enough legit copies to obscure the fingerprints. And of course since anyone in the legal supply chain is a potential for corruption or leaks, each link in such a chain would have to be fingerprinted in order to be effective, so as to compound the compromising of the quality.
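The per-sale fingerprint and the "mix enough legit copies" failure described in this post, as an added toy example in Python (not the poster's code; the pattern scheme, the sale ids and the sine-wave "recording" are constructed stand-ins): a correlation detector names the buyer of a single leaked copy, but averaging ten copies pushes every buyer's score below the naming threshold, which is why real traitor-tracing schemes use collusion-resistant codes rather than an independent mark per sale.

```python
import math
import random

N_SAMPLES = 4000          # length of the constructed "recording"
STRENGTH = 2              # amplitude spent on the mark (the post's "wasted bits")
THRESHOLD = STRENGTH / 2  # correlation score needed to name a single buyer

# Constructed stand-in for the master: 8-bit samples of a slow sine, kept away
# from 0/255 so adding +-STRENGTH never clips and the math below stays exact.
MASTER = [128 + int(100 * math.sin(2 * math.pi * i / 50)) for i in range(N_SAMPLES)]

def pattern(sale_id):
    """Hypothetical scheme: a +-1 pattern derived deterministically from the sale id."""
    rng = random.Random(sale_id)
    return [rng.choice((-1, 1)) for _ in range(N_SAMPLES)]

def fingerprint(master, sale_id):
    """Retailer side: nudge every sample by STRENGTH in the direction of the sale's pattern."""
    return [x + STRENGTH * p for x, p in zip(master, pattern(sale_id))]

def score(master, suspect, sale_id):
    """Correlate (suspect - master) with one sale's pattern.
    Exactly STRENGTH for the sale that produced the copy, ~0 (+-2/sqrt(N)) for any other."""
    return sum((s - x) * p for s, x, p in zip(suspect, master, pattern(sale_id))) / len(master)

def trace(master, suspect, sale_ids):
    """Bureau side: name the sale whose score clears THRESHOLD, or None if nobody does."""
    scores = {sid: score(master, suspect, sid) for sid in sale_ids}
    best = max(scores, key=scores.get)
    return best if scores[best] >= THRESHOLD else None

def collude(copies):
    """Average k legit copies sample by sample; each mark is diluted to about STRENGTH/k."""
    k = len(copies)
    return [round(sum(column) / k) for column in zip(*copies)]

def demo():
    """Returns (who a single leak traces to, who a 10-way mix traces to, best score on the mix)."""
    sales = ["sale-%04d" % i for i in range(12)]          # constructed sale ids
    copies = {sid: fingerprint(MASTER, sid) for sid in sales}
    leaked_single = copies["sale-0007"]                    # one buyer's copy leaks as-is
    leaked_mixed = collude([copies[s] for s in sales[:10]])  # ten buyers pool theirs
    worst = max(score(MASTER, leaked_mixed, s) for s in sales)
    return trace(MASTER, leaked_single, sales), trace(MASTER, leaked_mixed, sales), worst

if __name__ == "__main__":
    print(demo())
```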
and absolute power corrupts absolutely.
With great power comes great responsibility.
n'all dat
That has got to be one of the ugliest things I have ever seen.