Contract Tracing app...
Why does everybody call it contract tracing? It is contact alerting, not tracing.
5434 posts • joined 27 Nov 2009
SoftBank made some disastrous investments (E.g. Uber and WeWork) and their major shareholder has pulled out, so they need some liquidity, so they are selling off ARM to help out.
Poor move to my mind, it is one of the investments that will bring long term rewards... But the investment "industry" is only interested in the next 3 months and anything long term is not sexy, if it doesn't bolster their immediate earnings.
Passing the information onto the police or TfL without a valid warrant or the informed consent of the identifiable persons whose data is being shared is a grave breech of GDPR.
I guess that their only hope is that Brexit goes through and the UK data protection laws are castrated, before this gets to court.
The problem is, this is medical equipment, so any changes to the device need to re-certified, before they can be issued. That costs the company money to go through the external re-certification process and it also takes time (limited federal testing capacity etc.).
The problem is, that information collected by the disparate machines have to be collected centrally and put under tight access controls, so that only the relevant doctor can see the patients information, and that from the bedside, in his office, in an operating theatre etc.
And that central patient information also needs to pull in the external medical record from the insurance company...
The Iranian government would beg to differ. Their nuclear research labs were affected, despite being air-gapped. As long as there are humans in the chain, nothing is 100% secure.
And being full patched is a 100% guarantee either. There are still hundreds or thousands of unknown attack vectors that can be exploited once found until the manufacturer can get around to patching them.
All you can do is minimise risk as best you can.
We get calls from our users every day about, "is this genuine or a fake email?" I'd rather have to deal with 10 cases a day of a user being unsure than one case of a user not bothering to ask and infecting the whole network!
Again, the hospital carried on operating in emergency mode. Existing patients were still cared for. Non-essential operations were postponed, but critical care continued.
Then the emergency plan was put in place, which says that all incoming patients get diverted to a fully functioning hospital. The problem is, the emergency plans don't always take into account the travel time, just that the affected hospital isn't running at 100%, so patients are diverted to a hospital that is at 100% effectiveness. In this case, the patient didn't survive the extended journey. There is, unfortunately, no evidence that she would have survived if she had been taken to the affected hospital running in emergency mode either.
They could operate, they could take care of their existing patients. The problem is the emergency procedures.
If the systems fail, SOP is to divert all incoming patients to another hospital that is fully functional. In a catastrophe, where multiple hospitals have all lost key systems, they run manually. But the insurance says, if there is another hospital that is fully functioning, the patient has to go there. It is risk minimisation, but that doesn't take all things into account - like whether the patient can live through the extended journey time.
Airports are the same. If their systems fail, they land the aircraft already on final manually, everything else with enough fuel gets diverted to its alternative.
We also have a sign printing system (signs printed on metal and perspex). It is DOS only. We have a spare machine and "collect" old PCs, for when the controller PC dies. The spare printer cost only a couple of grand (25 years old), a modern replacement costs high 5 figures, so there is no hurry to replace a working system.
Virtual XP doesn't usually help. I had a telephone system at home (still being sold by Siemens in 2014) that only worked with XP. I tried the virtual XP environment in Windows 7 Pro at the time and a full virtual machine. No dice. It needed low-level hardware access and could only run on bare metal.
In the end, I repurposed an old laptop just for managing the telephone system, and that device was never attached to the network. I then looked at replacing the system with a more modern alternative that doesn't need dedicated management software.
Linux isn't a magic pill (pardon the pun). It has bugs itself and can be poorly configured, just like Windows.
There have been problems with ssh and other key services in the recent past that would have allowed hackers to capture a Linux box, especially if it hadn't been kept up to date and patched straight away... Something that is very common in such institutions - the hardware and software suppliers only guarantee and support their kit and software if certain patch levels are used. If you patch a critical flaw without their permission, you are on your own if there are any problems...
I've worked at places where the PLC manufacturer have caused months or years of backlogs on Windows updates, because they don't keep their software current and test it in a timely manner against the critical patches coming out of Redmond. The same would be true if the PCs were running Linux, no updates without prior authorization. Medical equipment is also certified, which means it can't get OS patches until they have been certified by the equipment manufacturer, which can take an age.
The only real option is isolating the networks, but there still has to be some automation with the outside world, to exchange patient information and billion information.
Having a Linux admin who doesn't know how to batten down a Linux box doesn't bring you any advantage over a Windows admin who doesn't know how to batten down a Window box. Then you have the weakest link, the users...
I love Linux and I have used it extensively and administered it. But keeping it up to date and safe is not any easier than keeping Windows up to date and safe. And the more services you are running on the computer, the more complex the issues of keeping that Linux box secure.
In this case, they had assumed the were attacking the medical university, not the medical university clinic (hospital).
The local reports say, that as soon as they realised what they had done, they stopped the attack and handed over the keys.
Good of them, in the circumstances, but it would have been better if they never attacked anyone...
If it's the case of needing to transfer patient data, say for blood type, couldn't a doctor just call another hospital (by phone) for the patients emergency records and perform the operation?
It isn't just blood type, it is the full medical history.
One of the problems is manufacturer support... They do remote support these days and access the devices and applications over the Internet. No Internet, no support when something doesn't work.
I know the admin at a manufacturing facility, they have an old cutting machine that is bound to software running under XP - it won't install or run on Windows Vista, 7, 8 or 10. To upgrade the software to Windows 10, they'd need a new machine. The old one works fine, reliably and does what is needed of it, so why throw it away and replace it with a new machine costing 7 figures, when it is just the software that doesn't work on newer versions of Windows?
They have isolated it and they do force the manufacturer to do remote support. The first question is the TeamViewer ID, the support are told the device is offline. They say to put it online. They are told, provide software for Windows 10 and we'll put it online. Until that happens, you will remote-control the machine operator with verbal instructions.
That might work for a single manufacturing machine, but a whole hospital full of "machines that go bing" is another matter, unfortunately.
Then there is patient data transfer. The Krankenkassen (health insurance companies) hold the patient data and they collect the billing information from the hospital systems. This should be over a secure Telematik system, but that is still running over the Internet, albeit in a secure tunnel.
That individual monitors, and whole operation rooms are online is a different matter, they should certainly be isolated, whether standalone or an internal isolated network. And there should be disaster recovery scenarios to allow them to keep working if the systems go down. But re-directing patients that are en-route to other hospitals, if there are problems, is SOP - and according to local news, the woman was en-route to the hospital and her ambulance diverted, because the ER was offline and couldn't accept new patients, she wasn't transferred.
My father went out to the Isle of Barra in a Sadler 25. No GPS, this was early 80s, just chart navigation and tidal charts. They got caught in a fog bank. Taking into account wind, tide etc. they carried on course for Barra and they ended up about 25 yards from the marker buoy they had aimed for.
Without some sort of independent key verification, sending the public key is pointless.
A man-in-the-middle just need to intercept the email, remove the senders public key and put theirs in and sent the email to the destination. The same on the return leg.
Both ends believe they are sending encrypted emails that only they can read, the man-in-the-middle can happily read along.
* And also notice that Google monitors its public keys, which is how they spotted Symantec issuing fake certificates, but you do not. You would not be aware if the 'trusted' keyholder starts issuing a different public key. PGP was never adopted because it is flawed.
Issued SSL certificates are very different from how PGP works.
Except, in this case, it was a trial of a fully autonomous vehicle and the drivers job was to keep a constant eye on the situation and make sure the car didn't do anything stupid or cause an accident.
So, she knew it was a self driving car and she knew it wasn't perfect and that she was there to monitor it and take over in an emergency, not daddel with her phone.
We don't need a dystopian future, we moved to Dystopia a few years back, but nobody noticed until it was too late.
As an aside, have a look at Daniel Suarez "Kill Decision", an excellent novel about a dystopian near future, where AI controlled drones are used to escalate tensions between the Middle East and the USA.
Google Ireland Ltd is said to have denied that it is the data controller for YouTube's EU-based users, instead pointing at US parent company Google LLC.
Oooh, part 2 of the case following in 3...2...1... With Privacy Shield now defunct, that means Google LLC can't be the data controller for EU based user data.
If they are losing money on repairs, it means that the products are poorly designed... You know, all glued together and everything breaks if you try and take it apart.
There needs to be a change in attitude from just supplying new shiny-shiny to actually designing sustainable products, like we used to have. The world of electronics design has taken huge steps backwards over the last couple of decades, at least in terms of repairability and sustainability.
If a TV broke in the past, it was probably a capacitor or another component that could be de-soldered and a new one soldered onto the board, job done, TV works again. Now everything is so small and tightly packed, that it is next to impossible to repair And whilst the integration of components onto single chips brings benefits in reduced production costs, it comes with a high cost on quality, longevity and repairability.
The same goes for smartphones or anything else, right up to automotive, aviation, shipping etc.
Whilst Apple is the poster child for poor repairability of their devices, it is an industry wide trend and we need to take a step back and look at what we are doing and what we will accept as consumers - although it will be hard to get away from, unless everybody suddenly switches to Fairphone and its ilk.
That is the question, whether it is in the contract.
I've had it in the UK, London weighting. All the time I was working in the London catchment area, I got the London weighting, when I transferred to an office outside, the London weighting was removed from my salary.
So, yes, you can have this legally in Blighty, but it has to be in the contract - in fact, I believe many unions have forced employers to use it over the years and tried to get it extended to other major cities.
It depends on how they have moved...
If they have kept their flat in SV/SF and are currently living with relatives away from danger, then it would be wrong to reduce the salary. If they have given up their flat and moved permanently to somewhere cheaper, it is another matter.
If VMware can clearly show that it is just a cost-of-living reduction, I don't see the problem. BUT the question remains, can they retro-actively state that part of the salary is a cost-of-living benefit to SV? If that is already in the contract, again, it seems fair, if it isn't, I guess a court will have to decide whether they can claim it is CoL or not.
If not, there are other ways, like the salary remaining stable, until the CoL has been taken into account by inflation. Obviously an immediate CoL reduction is cheaper for the company, if they can get away with it.
I've certainly had it applied to me (and removed) in the past, in the UK. I had a London weighting at one point, then I was moved to another office outside the catchment area and lost the London weighting. But that was communicated in advance and written into my contract.
Yes, I used to get a London weighting, when I worked in the London catchment area. When I worked at a customer site outside that area, I lost the weighting.
I think it depends though, are these people temporarily fleeing a situation (i.e. the fires) and living with parents/friends etc. whilst maintaining their flat in the Silicon Valley catchment area? Or have they quit their contract and moved to cheaper accommodation elsewhere? That is the big question. If the former, then it is wrong to cut the salary, if the latter I removing a weighting is fair enough.
While last July's ruling did not strike down the Standard Contractual Clauses (SCCs) used as opt-outs by many companies, it seems likely that will come under the gaze of the courts before long.
As SCCs work on the same basis as Privacy Shield - the promise not to hand the data over to third parties, including the government, without a valid warrant (i.e. no FISA, Patriot Act or NSA letter interference), I don't see how SCCs have a leg to stand on.
As long as you have humans in the equation, it doesn't make any real difference.
You can configure Linux to be just as vulnerable, if not more vulnerable than Windows, if you don't know what you are doing. Linux isn't a magic bullet to make things suddenly better, you still need to follow best practices in securing the installation and you still need to make sure the user doesn't fall for a phishing attempt and hand over the keys to the kingdom.
The other thing is, as far as I understand it, the high-speed, low latency signals from 5G are blocked by things like walls, glass or human bodies etc. and ranges are incredibly short (a few metres). There are also long-range, low speed parts to 5G, which will be more robust for IoT devices that need little bandwidth or for rural areas.
I'd be happy with 4G or even 3G here. Currently ISDN would be faster than the "4G" I'm getting. In the city, I get 50 - 150mbps, at home 2 - 3mbps and at work 0.001mbps - so slow that Vodafone's own speed test app says there is no internet connection. My contract says 4G "up to 500mbps", to be honest, I'd be happy with 5mbps at work and 50 at home.
The Yubikeys support most of the 2FA standards that are currently in use (at least, dongle based methods). They are also programmable, so additional methods could be added.
I've been using keys for about 6-7 years for providing 2FA on LastPass and for Microsoft, Google and a few other services. Just holding the key against my smartphone to unlick LastPass is great - worked with my old Lumias and with my Android phones.
Biting the hand that feeds IT © 1998–2020