I'm curious why ransomware is something that you are scared of. If you do filesystem level snapshots and proper backups, ransomware can be as simple as flicking a switch or at worst case scenario just an annoyance from restoring from backups and cleaning the infected machines. I know sometimes situations arise in some organizations where a single machine will have (stupidly) been the only machine with certain data on it, so that can be a problem. I think the hardest is solving the stolen data stealing problem, though. Many people play fast and loose with data all the time, send it from here to there in random ways rather than actually lock down the process and pathways it goes. That one is truly terrifying. The answer is no. What has arisen in the last few years to deal with these things are exactly the same things you would expect from a corporation: legal solutions instead of technological ones. Basically, companies are increasingly signing into agreements where they effectively get data breach insurance. If they get fined, if they need to pay for victims' identity protection services, etc, the insurance will dish out accordingly. Which of course, is going to weaken technology security in this country. What employee will care about security if they have this massive safety net behind them? I've heard things like: "We have a security department and I'm just a random coder, so why do I need to know what a buffer overflow is?" and "Why do I need to learn encryption methods?", etc. This stuff is only going to get worse until people start realizing that technology is the solution. By then, the average company will not have the capability to solve security problems on their own and will be forced into cloud solutions where security is not in their hands, which itself introduces other security risks at the same time as solving existing ones. What's truly terrifying to me is if Amazon, Google, or Microsoft were to get hacked. 
We'd all be fucked, even if you don't use their services. Their cloud data providing services probably store a massive truckload of data, and even one bad employee there could leak parts of it even with the best security practices in place.
We will keep following and updating, and can’t help wondering if those breached companies are being held accountable in any way for not putting enough of their huge profits into protecting their most precious and private data.
You really want to point fingers at this so you don't have to think about it. But let's take a real example: Synolocker. So you keep your records on a Synology DSM because your IT department is small, you can't afford licenses and it's easy to deploy. As a plus, you can strap a few other things on it - like maybe Asterisk or Crashplan. And things are good. Except you have a HIPAA decision from your legal counsel on DSM 4.3, but not 5, because Synology 3rd parties some of their protocols and they can't give you an answer. So you can't roll up to DSM 5 because HIPAA. And while the office phones you bought seem to work fine on DSM 4.3 with Asterisk, you keep hearing scary things about Asterisk under 5, so you don't roll up to 5. So while you could patch things over, you might blow shit up when you do. Never happens, right? Tell that to every single "Windows 7 from my cold dead fingers" people on here, let alone out amongst the world. And yeah - if you cook off the admin account, you're good. And if you change the default ports, you're good. And if you're running DSM 5, you're good. So you have to fail three different ways in order to be vulnerable to Synolocker, yet it still hit dozens of organizations. Not because of money, but because whoever deployed the NAS did it between 3am and 5am to minimize downtime and the whole "reconfigure accounts" thing never got approved as soon as it was working because hell, it was working, right? And obviously hospitals should all be running Oracle and obviously their IT managers should be an army and obviously all those ill-gotten gains they're getting from healing people can be better spent to protect their integrity but LOOK: My wife takes insurance. Every insurance contract she's got requires her to hire a translator if she runs across a patient who doesn't speak English. And unless things go perfect for her, she doesn't get 70% of what she's billing for. It's still lucrative. There's still money in it. 
We wouldn't be doing it if we couldn't make a living. But that money-grubbing sonofabitch who is jeopardizing your data? It's me. Collecting unemployment. And googling shit like "is Google for Business HIPAA compliant."
I had to take a few hours to understand your point, possibly because my coffee hadn't kicked in yet. You claim that I'm assigning blame, but really I'm just pointing out faults in systems. I'm not saying "Fire Bill Johnson!" To me, I feel like I'm arguing that the assigning blame is the problem itself. For instance, you have said the exact real truth, the real blame should be on the attacker. The problem with doing this is that you then absolve yourself of any stress for any problems before the hack. Yet that doesn't change the fact that these SSNs are or will be out there, and that these people are now victims of a crime that can't be really resolved (SSN theft is pretty much the end of your credit, even with the best protection services). But with the insurance if you get hacked, it was someone else's fault, therefore everything is perfectly fine inside your company because you haven't been targeted yet. It means you can reduce security expenditures, reduce cares and your employees won't care as much either. It's an overall feeling that takes over the organization, not an individual or series of individuals to blame. I've worked in both environments before, and when I worked in an environment with the data insurance protection I definitely personally felt that alleviation of stress. I still tried to secure things as best as I could, but when arguing for upgrades in similar situations, even the decision making processes were delayed on upgrading. The meetings were more sparse around the discussions and the urgency was lifted. Coworkers didn't feel the level of security responsibility that I did, and I was often cleaning up after their security messes even though they knew better and were good developers. Yet when I worked without it, I felt that stress and I felt the urgency for patching and fixing things. I can definitely say that the systems I was working on were more secure as a result of everyone being unified in the security goals across the company. 
I'm not necessarily saying that data breach insurance is a bad thing, just that it also has bad things that come with the good. I would argue that a company should get that insurance and it's a bad idea not to since it's impossible to get a 100% secure system and hackers are everywhere. You'll end up bankrupting the company if you are small enough and have to deal with legal and/or restitution expenses. Actually it would be interesting if a company got the insurance and just didn't tell their IT staff, that would be interesting.
You don't understand my point, though. Here it is: blame for these breaches is useless and misapplied. I'm not saying "blame the attacker" - I mean, ransomware is nothing more than opportunistic capitalism. It's like this: all organizations great and small must deal with data security. The data security required is a miasma of shifting standards, proprietary protocols, jargon-laden ingroup folklore and self-righteous dudgeon about the power of the MCSE which serves only the acolyte class. Your argument, if I read it correctly, is that the acolyte class should be ever-ready to defend the faith: I'm not necessarily saying that data breach insurance is a bad thing, just that it also has bad things that come with the good. In effect, you're arguing that if you don't want the Spanish Inquisition to destroy your town, you'd best either become a Cardinal or pay for the care and feeding of one. You're basically saying that only by being vigilant and ever ready to do battle can one defeat the hun. But I don't want to defeat the hun. I just wanna run my little blacksmith shop. It is the most logical instinct in the world to fob off the shit you don't understand on someone who does, and to pay them for the privilege. That's what "insurance" is - outsourced risk management, whether it's a plumber or Zurich Re. And Sony store passwords in plaintext. And we're discussing a leak of 9.3m patient records. And I have three overlapping credit protection services because Target, Home Depot and Bank of America failed to protect their data. So what the fuck am I supposed to do when frickin' Target can't get their shit together? How is my stress supposed to make anything better when apparently Primera can't keep their data off the Internet? This started as me saying there are very legitimate reasons to fear ransomware. It's become a rant against the entire IT industry. 
I'm not walking any of it back because I'm sick of this: When those of us out in the world ask "what are we supposed to do?" the IT answer is invariably A) Pay us extortive prices so that we can condescend to you B) Devote your life to our credo so that we can condescend to you for not being 1337 enough And that's why you can sit there and snigger in superiority while watching The IT Crowd while the rest of us laugh and point. Because in my organization, I'm you and I'm no fucking good at it and when I want to solve that problem, your entire industry conspires to make me feel bad about it.
Yet when I worked without it, I felt that stress and I felt the urgency for patching and fixing things. I can definitely say that the systems I was working on were more secure as a result of everyone being unified in the security goals across the company.
This is a dangerous path to think down, and I don't know many people who think this way to be honest. I was more railing against a different argument, you're right. The reason it's dangerous is the same as if someone shot someone in the face, and you don't blame them for shooting them in the face. Well if it's not their fault, then why arrest them? They are just the product of a system of <insert_system_here>. Arresting someone is blaming someone, and saying we shouldn't arrest people for leaking and damaging people's lives is... strange, and I haven't heard that one before. To go back to analogies (it seems to be all I can do!), this to me is the same as a rollercoaster maintenance repair man. You have a responsibility to do a good job, otherwise people die. In the tech scenario, you are responsible for keeping the data people provide to you secure, otherwise they get their identities stolen and get their lives ruined. THIS is where we were in contention, and I think it's a simple miscommunication. Obviously ransomware is to be feared! What I was saying was in response to this part of the text body posted by dubski: In healthcare, ransomware attacks shouldn't be an issue whatsoever. I've only tangentially worked with HIPAA, but with how detailed it is I'm sure there are data retention and offsite backup requirements in the law itself, so if you don't have them, you're most likely violating the law. I wasn't thinking from an end-user, you should be afraid of ransomware for sure as am I. A) Pay us extortive prices so that we can condescend to you B) Devote your life to our credo so that we can condescend to you for not being 1337 enough And that's why you can sit there and snigger in superiority while watching The IT Crowd while the rest of us laugh and point. I'm not really sure where I said any of this, condescended or anything. All I see here is you lumping an entire industry together as if it were one giant whole. 
It's not that simple, there are warring factions within IT. There are business people who give no shit about end users. There are elitists like you describe. Then there are people like me who are constantly arguing in favor of UX design, usability concerns, making sure the end-user doesn't get confused, etc. My side is losing, hard. And nobody cares because our stuff doesn't make money and people only care if things work or not. I don't know what type of employee you are since I haven't worked with you, but I categorize people into four groups: 1) People who know their shit. 2) People who know their shit and don't care. 3) People who don't know their shit and are willing to learn. 4) People who don't know their shit and are unwilling to learn. 1s can be dicks, you are right. 2s are what I was arguing against in this thread. 3s are not a problem, and it sounds like this is you. I have turned many 3s into 1s with a few months of experience, teaching, and priming with proper ways to find, locate, and read through reference documents. Generally this also involves identifying useless buzzwords. 4s are a bane on the industry, and cause more security problems and are generally just assholes who sit around collecting paychecks and kiss up to their bosses' asses until they get promoted, continue to get promoted, and eventually become CTO. And thus, the problem of businesspeople not giving a shit about end-users compounds, because they are only focused on the dollar value and don't have any idea how to read email. I think we are basically making the same points, but somehow you have painted me into this prick who doesn't give a shit, and I think it all comes down to that simple miscommunication on what I meant by ransomware. I've seen cases of ransomware hitting organizations, and it's always because 2s and 4s fucked everything up. Not 1s, not 3s. And we're discussing a leak of 9.3m patient records. 
And I have three overlapping credit protection services because Target, Home Depot and Bank of America failed to protect their data. You seem to be making my argument for me. Sony will continue to store passwords in plaintext. Why? Because they have data breach insurance and they don't give a shit about your data. Those are exactly my points. I'm not saying go down and find the exact technician responsible for firing him. In fact, I explicitly stated that's not what I meant. I'm saying hold the organization accountable for their mistakes, you seem to be saying hold the organization accountable for their mistakes, why are we arguing?
You don't understand my point, though. Here it is: blame for these breaches is useless and misapplied. I'm not saying "blame the attacker" - I mean, ransomware is nothing more than opportunistic capitalism.
In effect, you're arguing that if you don't want the Spanish Inquisition to destroy your town, you'd best either become a Cardinal or pay for the care and feeding of one. You're basically saying that only by being vigilant and ever ready to do battle can one defeat the hun. But I don't want to defeat the hun. I just wanna run my little blacksmith shop.
This started as me saying there are very legitimate reasons to fear ransomware.
Working in healthcare... this is the scariest scenario. This and ransomware attacks.
It's become a rant against the entire IT industry. I'm not walking any of it back because I'm sick of this: When those of us out in the world ask "what are we supposed to do?" the IT answer is invariably
Because in my organization, I'm you and I'm no fucking good at it and when I want to solve that problem, your entire industry conspires to make me feel bad about it.
And Sony store passwords in plaintext.
BECAUSE I'M THE ORGANIZATION. Let me point out where things break down: I used to do ADA shit. Had a boss who actually talked to one of the guys who drafted the ADA; when asked why certain aspects of the ADA were so vague, he was told that the plan was to let the courts establish caselaw. In other words, "we left it vague so that people would be sued so that this shit would go to the courts and do our jobs for us." So it is with HIPAA. I can either become a health IT expert or I can trust that every service I use, from end to end, is HIPAA-compliant. And when you're dealing with EHRs that serve sites of less than a thousand users, the answer to "is this HIPAA-compliant?" is invariably "we'll get back to you on that." Further, are you breaking HIPAA compliance if, say, you forward your office phone to your cell phone? Well, T-mobile will point to Avaya and Avaya will point to T-mobile and if you're doing it through Google Voice Google will say "we're in Beta, fuck off" and there you are, liability hanging out in the breeze, breaking the law. And your argument is that Dude, fuck that shit. Fuck it in the neck. Fuck everything about it, fuck it sideways, fuck it upside down, fuck it raw. You're saying that "a few months" of wading through YOUR world is necessary for me to connect my wife's cell phone to my wife's office phone without breaking the fucking law. So yeah. We're at loggerheads. We don't agree. I want to buy that problem away so hard it hurts. Because the alternative is joining the Pod People in the belief that lawsuits are the righteous punishment for a lack of expertise. Had a coworker. He used to be a license enforcement dick for Muzak. Means he'd wander around to restaurants and shake down people who were playing the radio instead of paying Muzak for their shitty $25/mo mechanical royalty service. 
So when the office we worked at wanted to put music-on-hold on our phone system, the asshole made the receptionist get a written letter of permission signed by a lawyer in order to use her fucking string quartet on our phone system. And he was technically correct - the worst kind of correct. But everybody else? They plug the fucking radio into the PBX and call it a day. Because we don't have time for that shit, and we shouldn't be required to. It isn't about blame. It's about a reasonable effort for a reasonable return, and you're advocating a strenuously unreasonable effort for a truly minuscule return.
I'm saying hold the organization accountable for their mistakes, you seem to be saying hold the organization accountable for their mistakes, why are we arguing?
I've only tangentially worked with HIPAA, but with how detailed it is I'm sure there are data retention and offsite backup requirements in the law itself, so if you don't have them, you're most likely violating the law.
I have turned many 3s into 1s with a few months of experience, teaching, and priming with proper ways to find, locate, and read through reference documents.
I never stated anything about your wife's cellphone. I'm talking about server administration. We're talking about data of 9.3 million records of healthcare records, and if that data is on your phone you are a fucking moron. I take everything back. You are not a 3, you are a 4. You are actively against knowledge and learning new things in an industry where change happens every 5 minutes. We are beyond loggerheads, you need to be permanently fired and excommunicated from the data security industry if you currently are working in it. Wade through my experience? What do you think doctors do? They read a book and start cutting people open? They learn, they constantly learn, and they SHADOW OTHER DOCTORS WHO TEACH THEM THE WAYS OF THE BUSINESS. EVERY other industry operates this way. EVERY SINGLE ONE. Even McDonald's workers shadow other McDonald's workers to get experience. I went to Taco Bell once and had a confusing conversation with the drive in attendant saying I ordered "A burrito" when I actually ordered a specific type of burrito and was confused if they had placed the order incorrectly. When I got to the drive up he was in training and the guy was telling him he should have told me that I ordered a "burrito grande whateverthefuck" because it confuses the customers. It's a simple mistake to make, but the worker was willing to learn, and learned it right there. I doubt he confused another patron again. That's a good employee. I'm the type of person that is tolerant to lack of knowledge, because I remember when I was that way myself and wished I had more guidance. So I provide it to those who want it. But those who don't want it and want to just sit around and collect a paycheck while fucking the rest of us over because they aren't willing to listen to the (REASONABLE, not elitist pricks) intelligent people who are trying to help are a significant problem. But everybody else? They plug the fucking radio into the PBX and call it a day. 
Because we don't have time for that shit, and we shouldn't be required to. It isn't about blame. It's about a reasonable effort for a reasonable return, and you're advocating a strenuously unreasonable effort for a truly minuscule return. This example has nothing to do with what we are talking about. I'm not talking about phone systems, I'm talking about data protection. Phone systems aren't going to cause 9.3 million records of data being stolen. And you're right, that sounds like a dumb law. When did I support that law? My strenuously unreasonable effort is something that takes about 5 minutes to enable on a SAN or a filesystem level snapshotting system to protect the identities of millions of people. In ANY environment in the healthcare industry where you are now responsible for backups, they would immediately tell you to do so and explain how. I thought you were arguing in favor of the end-user, but really you are just arguing that all IT workers are bad because of your bad experiences with tech people. I'm simply pointing out that in the healthcare industry not only is it highly regulated and wouldn't have these issues. I don't set policies, and I don't enforce policies. I don't advocate policies. I'm simply informing people that because of current regulations, this wouldn't be an issue. Probably ever. It's like having a lawyer trying to explain to you how the NSA justifies their surveillance through the legal system and then you kneeing the guy in the balls. All the while him thinking, "Not one law I just described do I think we should have on the books, but if we can't explain what laws are on the books we can't revoke them." You are being entirely counterproductive here. These conversations with you exemplify everything that is wrong with Reddit. Not Hubski, Reddit. 
This is supposed to be a simple discussion place, and not a flame war over god knows what anymore.
I have turned many 3s into 1s with a few months of experience, teaching, and priming with proper ways to find, locate, and read through reference documents.
Dude, fuck that shit. Fuck it in the neck. Fuck everything about it, fuck it sideways, fuck it upside down, fuck it raw. You're saying that "a few months" of wading through YOUR world is necessary for me to connect my wife's cell phone to my wife's office phone without breaking the fucking law.
Had a coworker. He used to be a license enforcement dick for Muzak. Means he'd wander around to restaurants and shake down people who were playing the radio instead of paying Muzak for their shitty $25/mo mechanical royalty service. So when the office we worked at wanted to put music-on-hold on our phone system, the asshole made the receptionist get a written letter of permission signed by a lawyer in order to use her fucking string quartet on our phone system. And he was technically correct - the worst kind of correct.
Bitch, I am the end user. I am the client. I am the IT department because the company has one employee at the moment. When it's firing on all cylinders it'll have four. But the liability is the same. The problems are the same. The issues are the same. I don't work in IT, don't want to work in IT, don't want to touch IT. But I'm the IT department 'cuz if it isn't me, it's my wife. So I am talking about bouncing between the office phone and the cell phone because HIPAA doesn't care and VoIP, Skype, EHR, it's all HIPAA, it's all on CAT5, and it's all my problem. So talk dismissively about filesystem level snapshotting system and know that me, Mr. I am not good with computer, can successfully recover from the fact that Synology wiped my network stores due to a bug... but that I'm 100% entitled to resent IT workers that get all up in my business for feeling guilty for not wanting to devote my life to learning how to recover data from errant Synology NAS boxes. Because THAT is the issue: I just wanna run my fucking blacksmith shop, but you want me to be prepared for the Inquisition.
I never stated anything about your wife's cellphone. I'm talking about server administration.
Unless your blacksmith shop deals in 9.3 million SSNs, none of what I'm talking about nor what I've argued about applies to your business. If your blacksmith shop deals with 9.3 million SSNs, then you should hire tech staff. I'm talking about major corporations who give no shits. I'm talking about Dell, who have repeatedly shown they don't care (internally). I'm talking about Sony, Target, and I'm talking about Home Depot, and I'm talking about all of these breaches that are occurring. These organizations need to be held accountable. You are not a target to hackers, so I don't care what happens to your data. Going back to my rollercoaster/theme park example, your organization is a 10ft waterslide. Unless you built it out of jello I can't imagine a scenario that it matters. This whole article is about healthcare, not blacksmithing, and I focused on the article's field, not yours. I stated that the healthcare industry, IE: Health Insurance Providers who are large organizations, likely have no need to worry about ransomware on their servers because they are large organizations who would be doing many forms of backups anyway. Small businesses absolutely have to worry about ransomware, and I'm not preparing you for the inquisition. If you have to abide by HIPAA because you indirectly provide health insurance to your employees, you are not going to be affected by ransomware either because you are going to be paying another organization to provide the health insurance. They have copies of that data as well. That being said, I don't think the large portions of HIPAA would require much out of you because it's more about the health insurance providers and the health care providers, they are the ones that have the sensitive information like what illnesses people have. IF the law states otherwise, that you have to lock down systems like crazy, I think that's as stupid as you do. What I'm against isn't people who get roped in because they have to, like you. 
I am against people who intentionally choose IT as their career path, get a degree in IT, get certifications, etc, and then land in a position in a large corporation or government where they get paid some ridiculous salary and then coast to retirement. Everything in your statement made me think that you were in large scale data security operations. When you said blacksmith the first time, I had no idea that was meant literally. My point is working for an organization where you are handling 9.3 million SSNs and falling back on "insurance" and saying "screw technology, we'll just insulate each other legally" is fucking over the consumer harder than anything else. That's why I said I agree with and would recommend data breach insurance, too, just wanted to point out the issues with large corporations falling back on these massive safety nets without looking at or caring about the consequences. Again, I think for the most part we agree with most things in this discussion, it's just constantly that you keep escalating things into personal attacks very quickly, then I fall into the role of defending my positions or attacking you further. It's a toxic mindset to think everyone is out to get you, believe me, I'm the one that has been repeatedly treated for it.
I don't think you're out to get me. I think you're reciting the archetypal brogrammer whistle-in-the-dark litany of tragedy-befalls-the-incompetent. And I think you honestly have no idea why it's pissing me off, and I think that's what's wrong with the IT industry. Are you ready? Those of us who can't just whip out a "filesystem-level snapshotting system" (or worse: those of us who have one, have been forced to recover one multiple times and know how peril-fraught that endeavor tends to be) know we're incompetent. We know that tragedy will befall us. But when you live by this mantra of "those who are prepared suffer no slings and arrows" you are A) accusing us of being unprepared B) insinuating that the misfortune we know is just around the corner is something we DESERVE. Here's what I know: for every needlessly open port in a corporate firewall, there's a pointy-haired boss whose golf buddy told him he could run a Minecraft server on DSM. That's the problem with insisting that proper hygiene will save the day: you have to enroll THE ENTIRE COMPANY in either (1) understanding and conscientiously practicing IT pro-level hygiene or (2) locking all your shit down to the point that nobody can accidentally let in the monster. (1) is bullshit. You're arguing that strenuously. I keep pointing out that I shouldn't have to know this shit and you keep pointing out that there, there, I don't have to, this is a monster with bigger teeth than I need to worry about. So clearly, the idea that all of us need to be 100% on the IT tip is ludicrous. But (2) is bullshit, too. Your users are going to make mistakes. Nerf up their world to the point where they can't and they'll resent the access control. They'll evade it. They'll defeat it. 
And then there'll be that pointy-haired boss, who needs you to blow a hole in the firewall so that he can install something tedious like a whatsapp desktop client so he can liaison with his overseas paramour without his wife scanning his Facebook Messenger. And you have no power over that guy. He'll fire you. So now your perfect hygiene has been blown to shit. And now the port is open. And now the network is exposed. How compartmentalized is it? Compartmentalized enough? How deep can they get? Worked with a guy. Not a bad drafter. Goofball. This was at a company, back in the early '00s, and our IT guy/AV consultant/My Boss determined that in order to avoid viruses, we wouldn't be allowed to use the Internet from our desktops. Draconian? Sure. Effective? Well... "Bob" managed to look up on his lunch break how to poke a hole in the Windows firewall so he could stream internet radio from this one station. And we all knew it. My boss knew it. But we let it go. Until we got a virus that ate half our work product and of course we were on LTO that didn't come back from the dead. Bob got fired. Not because he was bad at CAD but because he'd poked a hole in the firewall. Two months later we figured out that Bob had fuckall to do with the virus; the head of the company had opened a .exe attachment (see, we were forced to run Pegasus Mail because it's invulnerable to ActiveX... right? riiiight). Had the head of the company been told not to open .exe attachments? Yer damn skippy. Was our data still gone? Hell to the yes. You think we hired "Bob" back? And see, you don't even know what you're talking about. I've said more than a few times that it's my wife's medical office I care about. I've said more than a few times that ransomware fucked up a few hospitals because they were running DSM. I've pointed out that I'm running Synology at home. Know what advice we got when Synolocker hit? "Turn off your Diskstations." Let's hear it for high availability. 
So here I am - in the medical field, providing IT, attempting to keep our noses HIPAA-clean, and being told - BY YOU - that you don't need to worry about ransomware because it only fucks with the unprepared and those of us small fry who are facing the exact same problems on the exact same scale as Sony shouldn't be offended when you excoriate companies for wanting a non-technical solution to a truly intractable problem. How big do you think Home Depot's network is? What does the topology look like? How many points of access are there? How many weaknesses, cloned across a million stores? And does any of that even matter? Every.Single.Phone.Hack has been the result of social engineering. 'nuther story. My father built the first network the Department of Energy ever had. Literally soldered comparators onto the Nixie sockets. And for all my memory he's always been arrogant about security. It's not like he's got the launch codes but he's got some shit. He's got monitors that still run CPM and he's got them on the network - there's a dual dialup setup with a ciphered timetable that pokes a hole in the firewall for 15 seconds at some point during the day and squirts his data in. It's as close to airgapped as you can get. Some shit from his division got out anyway. How? One of his physicists had TS:SCI on a laptop at home and meth-heads broke in and stole it. They found it in a trailer park 30 miles away. I'm escalating things into personal attacks because you don't get it. Your attitude is why, as a profession, nobody likes IT professionals. On the one hand, you insist that we need not be competent. On the other hand, you insist that competence is the only ward against tragedy. It's patronizing at best and delusional at worst. For every massive hack there's an employee who thought he was doing the right thing... and an IT professional exasperated by the idiot lesser minions he's forced to interact with.
You never once said that. Twice you claimed it was a blacksmith office, and other times you said it was an "office". You continuously put words and arguments into my mouth. Every argument you've ever had against IT including the ones you just stated I've had myself against other IT workers and I've tried to explain that. The only thing you've gotten right is that I think that if you have sensitive data, you should protect it. Because sensitive data is like a loaded gun. If you have a loaded gun, you should be trained to use it properly without killing people accidentally. That's not a controversial statement even to gun nuts. I've witnessed what improperly used sensitive data causes. It turns people living in houses into people living in the streets. Personal attacks are not what a place for civil discussions is for, which is what this place is supposed to be about. You paint me into a corner that I don't really occupy, and then you attack me relentlessly and I have to defend myself with equal force. Even if I were to say something that were disagreeable, it's not a proper way to have a debate. You and other people keep turning "debates" into these venting sprees where you group whatever select group of people you once had a bad experience with and say it's the whole group's problem. Muslims, black people, white people, police, whatever. Our civilization has completely lost its mind, and the diagnosed insane people are sitting on the sidelines thinking, "why are we called insane again?" I'm done with this, and I'm done with you. You can say it's because it's my attitude or I'm an elitist asshole I don't care. You can turn all of Hubski against me, I don't care about that either, because Hubski isn't the place for civilized debate that it claims to be. It's Reddit and Twitter with a different skin. Welcome to my hush, filter, and mute lists. Because that's what it's for: trolls. I'm done feeding the troll.
And I'm done being bullied around.
I've said more than a few times that it's my wife's medical office I care about.
I'm escalating things into personal attacks because you don't get it. Your attitude is why, as a profession, nobody likes IT professionals. On the one hand, you insist that we need not be competent. On the other hand, you insist that competence is the only ward against tragedy. It's patronizing at best and delusional at worst.
I really liked tech.coop's model of being "the IT department" for a number of local organizations who couldn't have afforded to do it right themselves. They didn't last and as far as I know no one has tried to replicate it, so it probably has problems that aren't immediately apparent, but it's still as close to a good solution as I know of for that problem.
Well there are and have always been "Managed IT Support Services" for many decades now, the only difference I see for tech.coop is that it is democratically controlled and not a separate business. Some examples: [CRU Solutions](http://crusolutions.com/) which covers Ohio areas, [InCare Technologies](http://incaretechnologies.com/) which covers Alabama/Mississippi areas, and you can probably find one for any region. I know someone who works for one in our local area and that company does business with the local community college, most restaurants in our downtown area, most of the car maintenance services in town, etc. There are actually quite a few in our town alone.
Being a business doesn't imply that you are exclusively trying to bleed your consumers dry of money. Some businesses do that, true, but not all do that. Most businesses that work with the local one I was discussing definitely don't feel ripped off in any way. That being said, I agree that a coop would be a better organizational structure and less likely to bleed you dry.
Dude that would be so dope. Because here's where we're at: "Well, we need seven extensions, so I guess we need a business phone system. Better call a referral to get a quote." "Huh. The quote came in at $5800 for seven phones and they never even visited the site. Maybe I should talk to them." "Huh. After an hour and a half of glad-handing I'm almost willing to pay $2200 for two phones. Except they won't even walk in until we've got CAT5 strung everywhere. I guess I better get a quote." "Huh. They want to charge me $700 for a fucking WAP and $5800 to pull 14 runs of CAT5." "Huh. I'm talking a contractor who doesn't know the difference between CAT5 and CAT3 into pulling my wire, then terminating it myself, then reading the most boring book in the world in order to ask intelligent questions when buying a cloud PBX." "Huh. This is why people pay ITN 43 cents a foot for fucking CAT5E."
Not to second guess people who know what you're looking for better than I do, but I don't think any of Cisco's IP phones are more than $200 and I'd be skeptical of anything an order of magnitude more expensive than Cisco kit. And also a $700 WAP for less than a dozen users.
Not really scared of ransomware on our servers... those are backed up many times over. More worried for our network drives. The thing that worries me about ransomware is that it comes with bad press, money problems and requires a less sophisticated attack - it's much easier to deploy than actually stealing information.