Posts by big_D

Re: Dirty business?

Passing the information onto the police or TfL without a valid warrant or the informed consent of the identifiable persons whose data is being shared is a grave breech of GDPR.

I guess that their only hope is that Brexit goes through and the UK data protection laws are castrated, before this gets to court.

The problem is, that information collected by the disparate machines have to be collected centrally and put under tight access controls, so that only the relevant doctor can see the patients information, and that from the bedside, in his office, in an operating theatre etc.

And that central patient information also needs to pull in the external medical record from the insurance company...

The Iranian government would beg to differ. Their nuclear research labs were affected, despite being air-gapped. As long as there are humans in the chain, nothing is 100% secure.

And being full patched is a 100% guarantee either. There are still hundreds or thousands of unknown attack vectors that can be exploited once found until the manufacturer can get around to patching them.

All you can do is minimise risk as best you can.

We get calls from our users every day about, "is this genuine or a fake email?" I'd rather have to deal with 10 cases a day of a user being unsure than one case of a user not bothering to ask and infecting the whole network!

Re: Why?

Again, the hospital carried on operating in emergency mode. Existing patients were still cared for. Non-essential operations were postponed, but critical care continued.

Then the emergency plan was put in place, which says that all incoming patients get diverted to a fully functioning hospital. The problem is, the emergency plans don't always take into account the travel time, just that the affected hospital isn't running at 100%, so patients are diverted to a hospital that is at 100% effectiveness. In this case, the patient didn't survive the extended journey. There is, unfortunately, no evidence that she would have survived if she had been taken to the affected hospital running in emergency mode either.

Re: Why?

They could operate, they could take care of their existing patients. The problem is the emergency procedures.

If the systems fail, SOP is to divert all incoming patients to another hospital that is fully functional. In a catastrophe, where multiple hospitals have all lost key systems, they run manually. But the insurance says, if there is another hospital that is fully functioning, the patient has to go there. It is risk minimisation, but that doesn't take all things into account - like whether the patient can live through the extended journey time.

Airports are the same. If their systems fail, they land the aircraft already on final manually, everything else with enough fuel gets diverted to its alternative.

Re: Why?

We also have a sign printing system (signs printed on metal and perspex). It is DOS only. We have a spare machine and "collect" old PCs, for when the controller PC dies. The spare printer cost only a couple of grand (25 years old), a modern replacement costs high 5 figures, so there is no hurry to replace a working system.

Re: Why?

Virtual XP doesn't usually help. I had a telephone system at home (still being sold by Siemens in 2014) that only worked with XP. I tried the virtual XP environment in Windows 7 Pro at the time and a full virtual machine. No dice. It needed low-level hardware access and could only run on bare metal.

In the end, I repurposed an old laptop just for managing the telephone system, and that device was never attached to the network. I then looked at replacing the system with a more modern alternative that doesn't need dedicated management software.

Re: Why?

Part of the problem is that the equipment still has to be certified and that includes the patch level of the PCs running it. You can't apply security patches until they have been tested and certified by the manufacturer...

Re: Analogous to “Because I saw you tie your shoe laces, I ran over that kid”.

Linux isn't a magic pill (pardon the pun). It has bugs itself and can be poorly configured, just like Windows.

There have been problems with ssh and other key services in the recent past that would have allowed hackers to capture a Linux box, especially if it hadn't been kept up to date and patched straight away... Something that is very common in such institutions - the hardware and software suppliers only guarantee and support their kit and software if certain patch levels are used. If you patch a critical flaw without their permission, you are on your own if there are any problems...

I've worked at places where the PLC manufacturer have caused months or years of backlogs on Windows updates, because they don't keep their software current and test it in a timely manner against the critical patches coming out of Redmond. The same would be true if the PCs were running Linux, no updates without prior authorization. Medical equipment is also certified, which means it can't get OS patches until they have been certified by the equipment manufacturer, which can take an age.

The only real option is isolating the networks, but there still has to be some automation with the outside world, to exchange patient information and billion information.

Having a Linux admin who doesn't know how to batten down a Linux box doesn't bring you any advantage over a Windows admin who doesn't know how to batten down a Window box. Then you have the weakest link, the users...

I love Linux and I have used it extensively and administered it. But keeping it up to date and safe is not any easier than keeping Windows up to date and safe. And the more services you are running on the computer, the more complex the issues of keeping that Linux box secure.

Re: Some ransomware slingers have promised not to hit hospitals

In this case, they had assumed the were attacking the medical university, not the medical university clinic (hospital).

The local reports say, that as soon as they realised what they had done, they stopped the attack and handed over the keys.

Good of them, in the circumstances, but it would have been better if they never attacked anyone...

Re: Why?

If it's the case of needing to transfer patient data, say for blood type, couldn't a doctor just call another hospital (by phone) for the patients emergency records and perform the operation?

It isn't just blood type, it is the full medical history.

One of the problems is manufacturer support... They do remote support these days and access the devices and applications over the Internet. No Internet, no support when something doesn't work.

I know the admin at a manufacturing facility, they have an old cutting machine that is bound to software running under XP - it won't install or run on Windows Vista, 7, 8 or 10. To upgrade the software to Windows 10, they'd need a new machine. The old one works fine, reliably and does what is needed of it, so why throw it away and replace it with a new machine costing 7 figures, when it is just the software that doesn't work on newer versions of Windows?

They have isolated it and they do force the manufacturer to do remote support. The first question is the TeamViewer ID, the support are told the device is offline. They say to put it online. They are told, provide software for Windows 10 and we'll put it online. Until that happens, you will remote-control the machine operator with verbal instructions.

That might work for a single manufacturing machine, but a whole hospital full of "machines that go bing" is another matter, unfortunately.

Then there is patient data transfer. The Krankenkassen (health insurance companies) hold the patient data and they collect the billing information from the hospital systems. This should be over a secure Telematik system, but that is still running over the Internet, albeit in a secure tunnel.

That individual monitors, and whole operation rooms are online is a different matter, they should certainly be isolated, whether standalone or an internal isolated network. And there should be disaster recovery scenarios to allow them to keep working if the systems go down. But re-directing patients that are en-route to other hospitals, if there are problems, is SOP - and according to local news, the woman was en-route to the hospital and her ambulance diverted, because the ER was offline and couldn't accept new patients, she wasn't transferred.

It isn't their suppliers, it is their customers building the bugs in.

It is like blaming Intel for faults in Dell BIOS code or Windows. Well, other than Spectre and Heartbleed...

Re: "The hardcoded password is a deliberate backdoor."

Why not? It is the tactic Cisco has followed with great success for years. They've spent the last 2 years or so removing one backdoor after another from their kit.

Re: Encryption should be automatic

Without some sort of independent key verification, sending the public key is pointless.

A man-in-the-middle just need to intercept the email, remove the senders public key and put theirs in and sent the email to the destination. The same on the return leg.

Both ends believe they are sending encrypted emails that only they can read, the man-in-the-middle can happily read along.

* And also notice that Google monitors its public keys, which is how they spotted Symantec issuing fake certificates, but you do not. You would not be aware if the 'trusted' keyholder starts issuing a different public key. PGP was never adopted because it is flawed.

Issued SSL certificates are very different from how PGP works.

Re: Dystopian future

Ah, you've read Kill Decision then...

Re: Dystopian future

We don't need a dystopian future, we moved to Dystopia a few years back, but nobody noticed until it was too late.

As an aside, have a look at Daniel Suarez "Kill Decision", an excellent novel about a dystopian near future, where AI controlled drones are used to escalate tensions between the Middle East and the USA.

Re: Is

That is the question, whether it is in the contract.

I've had it in the UK, London weighting. All the time I was working in the London catchment area, I got the London weighting, when I transferred to an office outside, the London weighting was removed from my salary.

So, yes, you can have this legally in Blighty, but it has to be in the contract - in fact, I believe many unions have forced employers to use it over the years and tried to get it extended to other major cities.

Re: Take on a Roommate or 15

I think Psmo was referring to something like a corporate get-together, where they are all suddenly in town and all trying to stake their claim on the apartment.

Re: They may be in for a nasty surprise.

It depends on how they have moved...

If they have kept their flat in SV/SF and are currently living with relatives away from danger, then it would be wrong to reduce the salary. If they have given up their flat and moved permanently to somewhere cheaper, it is another matter.

If VMware can clearly show that it is just a cost-of-living reduction, I don't see the problem. BUT the question remains, can they retro-actively state that part of the salary is a cost-of-living benefit to SV? If that is already in the contract, again, it seems fair, if it isn't, I guess a court will have to decide whether they can claim it is CoL or not.

If not, there are other ways, like the salary remaining stable, until the CoL has been taken into account by inflation. Obviously an immediate CoL reduction is cheaper for the company, if they can get away with it.

I've certainly had it applied to me (and removed) in the past, in the UK. I had a London weighting at one point, then I was moved to another office outside the catchment area and lost the London weighting. But that was communicated in advance and written into my contract.

Yes, I used to get a London weighting, when I worked in the London catchment area. When I worked at a customer site outside that area, I lost the weighting.

I think it depends though, are these people temporarily fleeing a situation (i.e. the fires) and living with parents/friends etc. whilst maintaining their flat in the Silicon Valley catchment area? Or have they quit their contract and moved to cheaper accommodation elsewhere? That is the big question. If the former, then it is wrong to cut the salary, if the latter I removing a weighting is fair enough.

Re: SCCs

It wasn't issued in the EU, so it isn't a valid warrant.

I'd be happy with 4G or even 3G here. Currently ISDN would be faster than the "4G" I'm getting. In the city, I get 50 - 150mbps, at home 2 - 3mbps and at work 0.001mbps - so slow that Vodafone's own speed test app says there is no internet connection. My contract says 4G "up to 500mbps", to be honest, I'd be happy with 5mbps at work and 50 at home.

Re: Blackmailed

Doesn't that fall under duress and all testimony would be inadmissible?