10 posts • joined 16 May 2012
Perimeter security is insufficient
The problem with perimeter security is that once people are in, they can move freely. A much better way of thinking is to assume that you are already compromised and actively monitor for bad behaviour. Regard the perimeter security as something that keeps the volume of intrusions down rather than something that stops them completely.
A big problem with detecting bad behaviour is that you need to know what good behaviour is first. This can be a daunting thing to define in a corporate network. There's a company called DarkTrace that have developed a Bayesian machine learning thing which can differentiate good from bad for you (http://www.darktrace.com/) and I'm willing to bet that this is where the future of security lies.
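The two ideas in this post, assume the perimeter has already been passed and compare what accounts do against a learned picture of "good" behaviour, can be shown in a few dozen lines. The following is an added example and is not code from the original post or from DarkTrace; the log format, account names, host names and thresholds are all assumptions made up for the illustration. It learns a per-account baseline (destination hosts, source workstation, hours of activity) from a quiet week of constructed internal logon records, then scores a later day's records against that baseline and raises a separate finding for any account that fans out to several never-before-seen hosts, which is the pattern a defender would want a second look at.

```python
"""Baseline-then-deviate detection over constructed internal logon records.

Added example (not from the original post or from DarkTrace). The record
format "timestamp user src -> dst", the names and the thresholds are assumed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")

# Constructed "known good" week: each account talks to a small, stable set of
# hosts from its own workstation during working hours.
BASELINE_LOG = """\
2014-04-01T09:02:11 alice ws-alice -> fileserver-01
2014-04-01T09:15:43 alice ws-alice -> mail-01
2014-04-01T10:40:02 alice ws-alice -> intranet-01
2014-04-02T14:05:19 alice ws-alice -> fileserver-01
2014-04-03T16:22:51 alice ws-alice -> mail-01
2014-04-01T08:11:00 bob ws-bob -> mail-01
2014-04-02T09:03:27 bob ws-bob -> fileserver-01
2014-04-03T13:45:10 bob ws-bob -> mail-01
"""

# Constructed later day to score: one normal morning, then alice's account
# active at 02:00 fanning out to three hosts it has never touched, bob poking
# one new host, and an account nobody has seen before.
NEW_LOG = """\
2014-04-08T09:05:00 alice ws-alice -> mail-01
2014-04-08T02:13:07 alice ws-alice -> fileserver-01
2014-04-08T02:14:02 alice ws-alice -> hr-db-01
2014-04-08T02:14:30 alice ws-alice -> finance-01
2014-04-08T02:15:11 alice ws-alice -> dc-01
2014-04-08T08:30:00 bob ws-bob -> fileserver-01
2014-04-08T13:20:00 bob ws-bob -> wiki-01
2014-04-08T10:00:00 mallory ws-bob -> mail-01
"""


def parse(log_text):
    """Turn the constructed record lines into dicts; hour is taken from the ISO timestamp."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable record: " + line)
        ts, user, src, dst = m.groups()
        events.append({"ts": ts, "user": user, "src": src, "dst": dst, "hour": int(ts[11:13])})
    return events


def build_baseline(events):
    """Per account: the destinations, source hosts and hours seen during the good period."""
    baseline = defaultdict(lambda: {"dsts": set(), "srcs": set(), "hours": set()})
    for e in events:
        b = baseline[e["user"]]
        b["dsts"].add(e["dst"])
        b["srcs"].add(e["src"])
        b["hours"].add(e["hour"])
    return dict(baseline)


def score(events, baseline, spread_threshold=3):
    """Flag every record that departs from its account's baseline, and separately
    list accounts that reached spread_threshold or more previously unseen hosts."""
    flagged = []
    new_dsts = defaultdict(set)
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("unknown account")
        else:
            if e["dst"] not in b["dsts"]:
                reasons.append("new destination")
                new_dsts[e["user"]].add(e["dst"])
            if e["src"] not in b["srcs"]:
                reasons.append("new source host")
            if e["hour"] not in b["hours"]:
                reasons.append("unusual hour")
        if reasons:
            flagged.append((e["ts"], e["user"], e["dst"], reasons))
    spreading = sorted(u for u, d in new_dsts.items() if len(d) >= spread_threshold)
    return {"flagged": flagged, "spreading_accounts": spreading}


def analyse():
    """Run the whole pipeline over the constructed logs and return the report."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return score(parse(NEW_LOG), baseline)


if __name__ == "__main__":
    report = analyse()
    for ts, user, dst, reasons in report["flagged"]:
        print(ts, user, "->", dst, ";", ", ".join(reasons))
    print("accounts fanning out to new hosts:", report["spreading_accounts"])
```

The point of the split between "flagged" records and "spreading_accounts" is the one the post makes: a single unusual record is noise, but an account that has never left its three usual hosts suddenly reaching several new ones at 02:00 is exactly the kind of post-perimeter movement that perimeter controls cannot see. A real deployment would learn the baseline over far more than a week, age it, and treat new joiners and changed roles explicitly, since they would otherwise show up as "unknown account" or "new destination" forever.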
Re: if you want small players...
I disagree that the main weighting is price. In my experience in the Healthcare IT sector (as a medical doctor and a coder), we regularly find that 60-70% of the marks in tenders are for past history of supplying the public sector. It creates a self-sustaining prophecy where the same big IT vendors get the contracts, because they were the ones who got it last time. Performance is seldom examined, so having won a past tender and then making a royal fuck of the cluster variety of it was rewarded with just as many points as a successful supplier. Price tends to account for 20% of the decision.
This is all a moot point though because the tender process is a sham. I know of no example of an NHS Trust who put out a tender for IT without already having a "preferred bidder" in mind. I know of no examples where a preferred bidder didn't win the contract. The Tenders are always written deliberately to favour the preferred bidder.
It all boils down to who you know on the Board and how many dinners you take them out to. Bribing the medical Consultants with a paid half day off every week to be a "tester" also works well. As does helping some of the Board set up their own consultancy company to supervise the roll-out of the IT project and then have the bid winner engaging the services of that consultancy. I've seen it all.
Re: Hands firmly down here
An absolutely sound idea. I completely agree that all the Department of Health should mandate is an interoperability standard, and then let local units (Trusts / PCTs) get on with it. I also think that clinicians should be involved early on the vendor side during software design, and also on the purchasing side when selecting software features. Sadly, neither of these things happens very often.
The procurement process also needs to change. The whole tender process is just an expensive smokescreen formality. In reality, Trusts and PCTs have a preferred supplier in mind, then enlist that supplier's help to write the tender so that the tender naturally favours that supplier. At the moment tenders are so heavily based upon past experience, and shut out SMEs by requiring arduous policy documents and certification.
We applied to a tender for clinician-facing software and were asked to submit 12 different policy documents ranging from Equality & Equal Opportunities Policy to Environmental Sustainability Policy. 70% of the marks in total were for past supplying of the NHS, yet the scoring system did not penalise companies that had failed to deliver on past contracts with the NHS. The most absurd thing about the tender process was a question asking us to list our company's "key personnel" and "relevant qualifications". My medical degree and 4 years' medical experience counted for zero points, however a European Computer Driving Licence qualification would have scored much higher. How f**king stupid have you got to be to rank the latter above the former for software aimed at doctors?!
I disagree with your choice of proposed standard though, purely because a more modern, more versatile one exists. HL7 is not a full open standard, and is deficient in certain areas as healthcare has progressed. The NHS poured money into funding version 3 of HL7, but this to my understanding is now on ice and will never be released.
A much better standard to mandate adoption of is EN13606. This standard was conceived by academics with a specific interest in data interoperability, so is thoroughly well designed, rather than HL7, which has been assembled piecemeal by US software companies. It is the only healthcare data standard which is fully open, thus not requiring subscription to use it. Being more modern, it addresses some of the shortcomings of HL7 v3. It plays nicely with XML. What's more, EN13606 is backwards compatible with HL7.
So, yes we absolutely need a national interoperability standard and I strongly agree with you for that. My vote is for EN13606 (www.en13606.org).
Source: I'm a medical doctor (4+ years) AND a software developer (6+ years).
To steal something (i.e. commit an act of theft), one has to deprive another of something. It's a pretty clear distinction. This is why crimes which involve copying cannot be regarded as theft as no-one is deprived, especially not JSTOR where articles could be obtained for free. In fact, he saved them some money on the bandwidth by keeping the traffic local.
I just wish that Carmen Ortiz could be subjected to absolute micro-scrutiny to see how she likes it. I wish for internet activists to pore over her past in detail unearthing everything they can about her and exposing any dubious activity in her past. Hopefully they'll identify an illegal act from her past and then she can be hauled through the criminal courts, face amplified charges and be hit with a bill for hundreds of thousands in legal fees out of nowhere. I wish.
Anyway, keep the pressure up, keep calling for her resignation. Swartz had to put up with 2 years of pressure and uncertainty. It would be nice to apply similar pressure for a similar length of time to Ortiz.
You said it and F*** Plea Bargains
"It was clearly personal; the prosecutors can therefore hardly be surprised when they face personal consequences in the fallout from this."
I never normally wish harm upon a person, but for Carmen and Steve, I wish them the worst. How about internet vigilantes such as Anonymous probe their lives and pasts with a microscope and turn over every dubious and illegal act they've done? Seems only fair to me.
Grudges aside, this is once again American criminal justice trying to secure a conviction through a plea bargaining. Over 90% of US criminal cases are settled as plea bargains, the system works like this:
1) Identify a first-time offence suspect or someone who is otherwise impressionable.
2) Invent extra charges, pile on the counts and push for the maximum sentence possible for each count. At this point the accused is facing jail terms running into decades.
3) Suddenly offer the defendant an easier way out: just plead guilty and have their sentence reduced to perhaps 2 years. Even an innocent defendant would seriously consider this option because the alternative is so horrific.
4) The defendant pleads guilty. Prosecution pat themselves on the back for the fact that they've "caught another criminal" while saving the courts some time. The person goes to jail for a tolerable period of time and forever more carries the label of "guilty".
I have no doubt that plea bargaining distorts the criminal justice system and pressures the innocent into pleading guilty. I think that whenever you see such large numbers of charges and lengthy potential jail terms it is because the prosecution are setting up the ideal conditions for a successful plea bargain. See the recent Chris Tappin case for another example. I honestly think plea bargaining should be outlawed because it is a form of coercion and thus undermines a fundamental principle of law: objective judgement.
RIP Aaron. Having read the blog post from your defence lawyer, I can see how a defence case based on technical grounds (such as what constitutes "wire fraud") could carry a lot of weight here. The lack of computing knowledge by the prosecution seems breathtaking and it's a wonder they are allowed to prosecute on computing offences at all.
RE: Can care less
"Can care less"?
I think you could benefit from some extra lessons in Mr Mitchell's class, dear boy:
"$ sudo apt-get install xfce4"
Then on the login screen, make sure you have "XFCE" selected as the Desktop environment. That way it doesn't haul in all the Xubuntu packages as well.
PROSTATE... ~STATE... one 'R' in that word, and it's immediately after P.
Sorry, but in my daily job (Emergency Medicine) I hear "ProstRate" too many times, usually from the same people who wander in with wads of printout from homeopathy websites. Causes immediate loathing. Fucking learn to talk.
F*ck yeah! Team America strikes again!
Helicopter, 4 vans of armed police officers, kicking the sole unarmed suspect to the floor? How typically bloody American. I do hope the kicker gets his arse sued by DotCom for use of excessive force.
It sounds like the yanks got themselves a bit over-excited when planning this raid. He's a suspected wilful copyright infringer, not an armed drugs-baron!
I look forward to seeing this case continue to collapse in both NZ and the USA. The worse the DoJ and Hollywood come out of this, the better.
Re: No, screw motorola and samsung.
If we look at how the patent system is being used rather than the purpose for which it was intended, it is clearly broken. Large companies accumulate banks of patents with two main aims:
1) Create a large barrier to entry for competitors
2) Defend themselves against competitor patent infringement claims on a tit-for-tat basis.
Neither of these actual usages correlates very closely with the original idea of preserving the market for a creative inventor in exchange for sharing their invention.