kleinbl00  ·  3069 days ago  ·  link  ·    ·  parent  ·  post: 9.3M Patient Records Hacked

You don't understand my point, though. Here it is: blame for these breaches is useless and misapplied. I'm not saying "blame the attacker" - I mean, ransomware is nothing more than opportunistic capitalism.

It's like this: all organizations great and small must deal with data security. The data security required is a miasma of shifting standards, proprietary protocols, jargon-laden ingroup folklore and self-righteous dudgeon about the power of the MCSE which serves only the acolyte class.

Your argument, if I read it correctly, is that the acolyte class should be ever-ready to defend the faith:

    Yet when I worked without it, I felt that stress and I felt the urgency for patching and fixing things. I can definitely say that the systems I was working on were more secure as a result of everyone being unified in the security goals across the company.

    I'm not necessarily saying that data breach insurance is a bad thing, just that it also has bad things that come with the good.

In effect, you're arguing that if you don't want the Spanish Inquisition to destroy your town, you'd best either become a Cardinal or pay for the care and feeding of one. You're basically saying that only by being vigilant and ever ready to do battle can one defeat the hun. But I don't want to defeat the hun. I just wanna run my little blacksmith shop.

It is the most logical instinct in the world to fob off the shit you don't understand on someone who does, and to pay them for the privilege. That's what "insurance" is - outsourced risk management, whether it's a plumber or Zurich Re.

And Sony store passwords in plaintext.

And we're discussing a leak of 9.3m patient records.

And I have three overlapping credit protection services because Target, Home Depot and Bank of America failed to protect their data.

So what the fuck am I supposed to do when frickin' Target can't get their shit together? How is my stress supposed to make anything better when apparently Primera can't keep their data off the Internet?

This started as me saying there are very legitimate reasons to fear ransomware. It's become a rant against the entire IT industry. I'm not walking any of it back because I'm sick of this: When those of us out in the world ask "what are we supposed to do?" the IT answer is invariably

A) Pay us extortive prices so that we can condescend to you

B) Devote your life to our credo so that we can condescend to you for not being 1337 enough

And that's why you can sit there and snigger in superiority while watching The IT Crowd while the rest of us laugh and point. Because in my organization, I'm you and I'm no fucking good at it and when I want to solve that problem, your entire industry conspires to make me feel bad about it.

user-inactivated  ·  3068 days ago  ·  link  ·  

    You don't understand my point, though. Here it is: blame for these breaches is useless and misapplied. I'm not saying "blame the attacker" - I mean, ransomware is nothing more than opportunistic capitalism.

This is a dangerous path to think down, and I don't know many people who think this way to be honest. I was more railing against a different argument, you're right.

The reason it's dangerous is the same as if someone shot someone in the face, and you don't blame them for shooting them in the face. Well if it's not their fault, then why arrest them? They are just the product of a system of <insert_system_here>. Arresting someone is blaming someone, and saying we shouldn't arrest people for leaking and damaging people's lives is... strange, and I haven't heard that one before.

    In effect, you're arguing that if you don't want the Spanish Inquisition to destroy your town, you'd best either become a Cardinal or pay for the care and feeding of one. You're basically saying that only by being vigilant and ever ready to do battle can one defeat the hun. But I don't want to defeat the hun. I just wanna run my little blacksmith shop.

To go back to analogies (it seems to be all I can do!), this to me is the same as a rollercoaster maintenance repair man. You have a responsibility to do a good job, otherwise people die. In the tech scenario, you are responsible for keeping the data people provide to you secure, otherwise they get their identities stolen and get their lives ruined.

    This started as me saying there are very legitimate reasons to fear ransomware.

THIS is where we were in contention, and I think it's a simple miscommunication. Obviously ransomware is to be feared! What I was saying was in response to this part of the text body posted by dubski:

    Working in healthcare... this is the scariest scenario. This and ransomware attacks.

In healthcare, ransomware attacks shouldn't be an issue whatsoever. I've only tangentially worked with HIPAA, but with how detailed it is I'm sure there are data retention and offsite backup requirements in the law itself, so if you don't have them, you're most likely violating the law.

I wasn't thinking from an end-user, you should be afraid of ransomware for sure as am I.

    It's become a rant against the entire IT industry. I'm not walking any of it back because I'm sick of this: When those of us out in the world ask "what are we supposed to do?" the IT answer is invariably

    A) Pay us extortive prices so that we can condescend to you

    B) Devote your life to our credo so that we can condescend to you for not being 1337 enough

    And that's why you can sit there and snigger in superiority while watching The IT Crowd while the rest of us laugh and point.

I'm not really sure where I said any of this, condescended or anything. All I see here is you lumping an entire industry together as if it were one giant whole. It's not that simple, there are warring factions within IT. There are business people who give no shit about end users. There are elitists like you describe. Then there are people like me who are constantly arguing in favor of UX design, usability concerns, making sure the end-user doesn't get confused, etc.

My side is losing, hard. And nobody cares because our stuff doesn't make money and people only care if things work or not.

    Because in my organization, I'm you and I'm no fucking good at it and when I want to solve that problem, your entire industry conspires to make me feel bad about it.

I don't know what type of employee you are since I haven't worked with you, but I categorize people into four groups:

1) People who know their shit.

2) People who know their shit and don't care.

3) People who don't know their shit and are willing to learn.

4) People who don't know their shit and are unwilling to learn.

1s can be dicks, you are right.

2s are what I was arguing against in this thread.

3s are not a problem, and it sounds like this is you. I have turned many 3s into 1s with a few months of experience, teaching, and priming with proper ways to find, locate, and read through reference documents. Generally this also involves identifying useless buzzwords.

4s are a bane on the industry, and cause more security problems and are generally just assholes who sit around collecting paychecks and kiss up to their bosses' asses until they get promoted, continue to get promoted, and eventually become CTO. And thus, the problem of businesspeople not giving a shit about end-users compounds, because they are only focused on the dollar value and don't have any idea how to read email.

I think we are basically making the same points, but somehow you have painted me into this prick who doesn't give a shit, and I think it all comes down to that simple miscommunication on what I meant by ransomware. I've seen cases of ransomware hitting organizations, and it's always because 2s and 4s fucked everything up. Not 1s, not 3s.

    And Sony store passwords in plaintext.

    And we're discussing a leak of 9.3m patient records.

    And I have three overlapping credit protection services because Target, Home Depot and Bank of America failed to protect their data.

You seem to be making my argument for me. Sony will continue to store passwords in plaintext. Why? Because they have data breach insurance and they don't give a shit about your data. Those are exactly my points. I'm not saying go down and find the exact technician responsible for firing him. In fact, I explicitly stated that's not what I meant. I'm saying hold the organization accountable for their mistakes, you seem to be saying hold the organization accountable for their mistakes, why are we arguing?

kleinbl00  ·  3068 days ago  ·  link  ·  

    I'm saying hold the organization accountable for their mistakes, you seem to be saying hold the organization accountable for their mistakes, why are we arguing?

BECAUSE I'M THE ORGANIZATION.

Let me point out where things break down:

    I've only tangentially worked with HIPAA, but with how detailed it is I'm sure there are data retention and offsite backup requirements in the law itself, so if you don't have them, you're most likely violating the law.

I used to do ADA shit. Had a boss who actually talked to one of the guys who drafted the ADA; when asked why certain aspects of the ADA were so vague, he was told that the plan was to let the courts establish caselaw. In other words, "we left it vague so that people would be sued so that this shit would go to the courts and do our jobs for us."

So it is with HIPAA. I can either become a health IT expert or I can trust that every service I use, from end to end, is HIPAA-compliant. And when you're dealing with EHRs that serve sites of less than a thousand users, the answer to "is this HIPAA-compliant?" is invariably "we'll get back to you on that." Further, are you breaking HIPAA compliance if, say, you forward your office phone to your cell phone? Well, T-mobile will point to Avaya and Avaya will point to T-mobile and if you're doing it through Google Voice Google will say "we're in Beta, fuck off" and there you are, liability hanging out in the breeze,

breaking the law.

And your argument is that

    I have turned many 3s into 1s with a few months of experience, teaching, and priming with proper ways to find, locate, and read through reference documents.

Dude, fuck that shit. Fuck it in the neck. Fuck everything about it, fuck it sideways, fuck it upside down, fuck it raw. You're saying that "a few months" of wading through YOUR world is necessary for me to connect my wife's cell phone to my wife's office phone without breaking the fucking law.

So yeah. We're at loggerheads. We don't agree. I want to buy that problem away so hard it hurts. Because the alternative is joining the Pod People in the belief that lawsuits are the righteous punishment for a lack of expertise.

Had a coworker. He used to be a license enforcement dick for Muzak. Means he'd wander around to restaurants and shake down people who were playing the radio instead of paying Muzak for their shitty $25/mo mechanical royalty service. So when the office we worked at wanted to put music-on-hold on our phone system, the asshole made the receptionist get a written letter of permission signed by a lawyer in order to use her fucking string quartet on our phone system. And he was technically correct - the worst kind of correct.

But everybody else? They plug the fucking radio into the PBX and call it a day.

Because we don't have time for that shit, and we shouldn't be required to.

It isn't about blame. It's about a reasonable effort for a reasonable return, and you're advocating a strenuously unreasonable effort for a truly minuscule return.

user-inactivated  ·  3068 days ago  ·  link  ·  

    I have turned many 3s into 1s with a few months of experience, teaching, and priming with proper ways to find, locate, and read through reference documents.

    Dude, fuck that shit. Fuck it in the neck. Fuck everything about it, fuck it sideways, fuck it upside down, fuck it raw. You're saying that "a few months" of wading through YOUR world is necessary for me to connect my wife's cell phone to my wife's office phone without breaking the fucking law.

I never stated anything about your wife's cellphone. I'm talking about server administration. We're talking about data of 9.3 million records of healthcare records, and if that data is on your phone you are a fucking moron.

I take everything back. You are not a 3, you are a 4. You are actively against knowledge and learning new things in an industry where change happens every 5 minutes. We are beyond loggerheads, you need to be permanently fired and excommunicated from the data security industry if you currently are working in it.

Wade through my experience? What do you think doctors do? They read a book and start cutting people open? They learn, they constantly learn, and they SHADOW OTHER DOCTORS WHO TEACH THEM THE WAYS OF THE BUSINESS.

EVERY other industry operates this way. EVERY SINGLE ONE. Even McDonald's workers shadow other McDonald's workers to get experience. I went to Taco Bell once and had a confusing conversation with the drive-in attendant saying I ordered "A burrito" when I actually ordered a specific type of burrito and was confused if they had placed the order incorrectly. When I got to the drive-up he was in training and the guy was telling him he should have told me that I ordered a "burrito grande whateverthefuck" because it confuses the customers. It's a simple mistake to make, but the worker was willing to learn, and learned it right there. I doubt he confused another patron again. That's a good employee.

I'm the type of person that is tolerant to lack of knowledge, because I remember when I was that way myself and wished I had more guidance. So I provide it to those who want it. But those who don't want it and want to just sit around and collect a paycheck while fucking the rest of us over because they aren't willing to listen to the (REASONABLE, not elitist pricks) intelligent people who are trying to help are a significant problem.

    Had a coworker. He used to be a license enforcement dick for Muzak. Means he'd wander around to restaurants and shake down people who were playing the radio instead of paying Muzak for their shitty $25/mo mechanical royalty service. So when the office we worked at wanted to put music-on-hold on our phone system, the asshole made the receptionist get a written letter of permission signed by a lawyer in order to use her fucking string quartet on our phone system. And he was technically correct - the worst kind of correct.

    But everybody else? They plug the fucking radio into the PBX and call it a day.

    Because we don't have time for that shit, and we shouldn't be required to.

    It isn't about blame. It's about a reasonable effort for a reasonable return, and you're advocating a strenuously unreasonable effort for a truly minuscule return.

This example has nothing to do with what we are talking about. I'm not talking about phone systems, I'm talking about data protection. Phone systems aren't going to cause 9.3 million records of data being stolen. And you're right, that sounds like a dumb law. When did I support that law?

My strenuously unreasonable effort is something that takes about 5 minutes to enable on a SAN or a filesystem level snapshotting system to protect the identities of millions of people. In ANY environment in the healthcare industry where you are now responsible for backups, they would immediately tell you to do so and explain how. I thought you were arguing in favor of the end-user, but really you are just arguing that all IT workers are bad because of your bad experiences with tech people. I'm simply pointing out that the healthcare industry is not only highly regulated but also wouldn't have these issues. I don't set policies, and I don't enforce policies. I don't advocate policies. I'm simply informing people that because of current regulations, this wouldn't be an issue. Probably ever.

It's like having a lawyer trying to explain to you how the NSA justifies their surveillance through the legal system and then you kneeing the guy in the balls. All the while him thinking, "Not one law I just described do I think we should have on the books, but if we can't explain what laws are on the books we can't revoke them." You are being entirely counterproductive here.

These conversations with you exemplify everything that is wrong with Reddit. Not Hubski, Reddit. This is supposed to be a simple discussion place, and not a flame war over god knows what anymore.

kleinbl00  ·  3068 days ago  ·  link  ·  

    I never stated anything about your wife's cellphone. I'm talking about server administration.

Bitch, I am the end user.

I am the client.

I am the IT department because the company has one employee at the moment. When it's firing on all cylinders it'll have four.

But the liability is the same. The problems are the same. The issues are the same. I don't work in IT, don't want to work in IT, don't want to touch IT. But I'm the IT department 'cuz if it isn't me, it's my wife. So I am talking about bouncing between the office phone and the cell phone because HIPAA doesn't care and VoIP, Skype, EHR, it's all HIPAA, it's all on CAT5, and it's all my problem.

So talk dismissively about filesystem level snapshotting system and know that me, Mr. I am not good with computer, can successfully recover from the fact that Synology wiped my network stores due to a bug... but that I'm 100% entitled to resent IT workers that get all up in my business for feeling guilty for not wanting to devote my life to learning how to recover data from errant Synology NAS boxes.

Because THAT is the issue: I just wanna run my fucking blacksmith shop, but you want me to be prepared for the Inquisition.

user-inactivated  ·  3068 days ago  ·  link  ·  

Unless your blacksmith shop deals in 9.3 million SSNs, none of what I'm talking about nor what I've argued about applies to your business. If your blacksmith shop deals with 9.3 million SSNs, then you should hire tech staff.

I'm talking about major corporations who give no shits. I'm talking about Dell, who have repeatedly shown they don't care (internally). I'm talking about Sony, Target, and I'm talking about Home Depot, and I'm talking about all of these breaches that are occurring. These organizations need to be held accountable.

You are not a target to hackers, so I don't care what happens to your data. Going back to my rollercoaster/theme park example, your organization is a 10ft waterslide. Unless you built it out of jello I can't imagine a scenario that it matters.

This whole article is about healthcare, not blacksmithing, and I focused on the article's field, not yours. I stated that the healthcare industry, i.e. Health Insurance Providers who are large organizations, likely have no need to worry about ransomware on their servers because they are large organizations who would be doing many forms of backups anyway.

Small businesses absolutely have to worry about ransomware, and I'm not preparing you for the inquisition. If you have to abide by HIPAA because you indirectly provide health insurance to your employees, you are not going to be affected by ransomware either because you are going to be paying another organization to provide the health insurance. They have copies of that data as well. That being said, I don't think the large portions of HIPAA would require much out of you because it's more about the health insurance providers and the health care providers; they are the ones that have the sensitive information like what illnesses people have.

IF the law states otherwise, that you have to lock down systems like crazy, I think that's as stupid as you do.

What I'm against isn't people who get roped in because they have to, like you. I am against people who intentionally choose IT as their career path, get a degree in IT, get certifications, etc, and then land in a position in a large corporation or government where they get paid some ridiculous salary and then coast to retirement.

Everything in your statement made me think that you were in large scale data security operations. When you said blacksmith the first time, I had no idea that was meant literally.

My point is working for an organization where you are handling 9.3 million SSNs and falling back on "insurance" and saying "screw technology, we'll just insulate each other legally" is fucking over the consumer harder than anything else. That's why I said I agree with and would recommend data breach insurance, too, just wanted to point out the issues with large corporations falling back on these massive safety nets without looking at or caring about the consequences.

Again, I think for the most part we agree with most things in this discussion, it's just constantly that you keep escalating things into personal attacks very quickly, then I fall into the role of defending my positions or attacking you further. It's a toxic mindset to think everyone is out to get you, believe me, I'm the one that has been repeatedly treated for it.

kleinbl00  ·  3067 days ago  ·  link  ·  

I don't think you're out to get me. I think you're reciting the archetypal brogrammer whistle-in-the-dark litany of tragedy-befalls-the-incompetent. And I think you honestly have no idea why it's pissing me off, and I think that's what's wrong with the IT industry.

Are you ready?

Those of us who can't just whip out a "filesystem-level snapshotting system" (or worse: those of us who have one, have been forced to recover one multiple times and know how peril-fraught that endeavor tends to be) know we're incompetent. We know that tragedy will befall us. But when you live by this mantra of "those who are prepared suffer no slings and arrows" you are

A) accusing us of being unprepared

B) insinuating that the misfortune we know is just around the corner is something we DESERVE.

Here's what I know: for every needlessly open port in a corporate firewall, there's a pointy-haired boss whose golf buddy told him he could run a Minecraft server on DSM. That's the problem with insisting that proper hygiene will save the day: you have to enroll THE ENTIRE COMPANY in either

(1) understanding and conscientiously practicing IT pro-level hygiene or

(2) locking all your shit down to the point that nobody can accidentally let in the monster.

(1) is bullshit. You're arguing that strenuously. I keep pointing out that I shouldn't have to know this shit and you keep pointing out that there, there, I don't have to, this is a monster with bigger teeth than I need to worry about. So clearly, the idea that all of us need to be 100% on the IT tip is ludicrous.

But (2) is bullshit, too. Your users are going to make mistakes. Nerf up their world to the point where they can't and they'll resent the access control. They'll evade it. They'll defeat it. And then there'll be that pointy-haired boss, who needs you to blow a hole in the firewall so that he can install something tedious like a whatsapp desktop client so he can liaise with his overseas paramour without his wife scanning his Facebook Messenger. And you have no power over that guy. He'll fire you. So now your perfect hygiene has been blown to shit. And now the port is open. And now the network is exposed. How compartmentalized is it? Compartmentalized enough? How deep can they get?

Worked with a guy. Not a bad drafter. Goofball. This was at a company, back in the early '00s, and our IT guy/AV consultant/My Boss determined that in order to avoid viruses, we wouldn't be allowed to use the Internet from our desktops. Draconian? Sure. Effective? Well... "Bob" managed to look up on his lunch break how to poke a hole in the Windows firewall so he could stream internet radio from this one station. And we all knew it. My boss knew it. But we let it go. Until we got a virus that ate half our work product and of course we were on LTO that didn't come back from the dead.

Bob got fired. Not because he was bad at CAD but because he'd poked a hole in the firewall. Two months later we figured out that Bob had fuckall to do with the virus; the head of the company had opened a .exe attachment (see, we were forced to run Pegasus Mail because it's invulnerable to ActiveX... right? riiiight). Had the head of the company been told not to open .exe attachments? Yer damn skippy. Was our data still gone? Hell to the yes.

You think we hired "Bob" back?

And see, you don't even know what you're talking about. I've said more than a few times that it's my wife's medical office I care about. I've said more than a few times that ransomware fucked up a few hospitals because they were running DSM. I've pointed out that I'm running Synology at home. Know what advice we got when Synolocker hit?

"Turn off your Diskstations."

Let's hear it for high availability.

So here I am - in the medical field, providing IT, attempting to keep our noses HIPAA-clean, and being told - BY YOU - that you don't need to worry about ransomware because it only fucks with the unprepared and those of us small fry who are facing the exact same problems on the exact same scale as Sony shouldn't be offended when you excoriate companies for wanting a non-technical solution to a truly intractable problem. How big do you think Home Depot's network is? What does the topology look like? How many points of access are there? How many weaknesses, cloned across a million stores? And does any of that even matter? Every.Single.Phone.Hack has been the result of social engineering.

'nuther story. My father built the first network the Department of Energy ever had. Literally soldered comparators onto the Nixie sockets. And for all my memory he's always been arrogant about security. It's not like he's got the launch codes but he's got some shit. He's got monitors that still run CP/M and he's got them on the network - there's a dual dialup setup with a ciphered timetable that pokes a hole in the firewall for 15 seconds at some point during the day and squirts his data in. It's as close to airgapped as you can get.

Some shit from his division got out anyway. How? One of his physicists had TS:SCI on a laptop at home and meth-heads broke in and stole it. They found it in a trailer park 30 miles away.

I'm escalating things into personal attacks because you don't get it. Your attitude is why, as a profession, nobody likes IT professionals. On the one hand, you insist that we need not be competent. On the other hand, you insist that competence is the only ward against tragedy. It's patronizing at best and delusional at worst.

For every massive hack there's an employee who thought he was doing the right thing... and an IT professional exasperated by the idiot lesser minions he's forced to interact with.

user-inactivated  ·  3067 days ago  ·  link  ·  

    I've said more than a few times that it's my wife's medical office I care about.

You never once said that. Twice you claimed it was a blacksmith office, and other times you said it was an "office".

You continuously put words and arguments into my mouth.

Every argument you've ever had against IT including the ones you just stated I've had myself against other IT workers and I've tried to explain that.

The only thing you've gotten right is that I think that if you have sensitive data, you should protect it. Because sensitive data is like a loaded gun. If you have a loaded gun, you should be trained to use it properly without killing people accidentally. That's not a controversial statement even to gun nuts. I've witnessed what improperly used sensitive data causes. It turns people living in houses into people living in the streets.

    I'm escalating things into personal attacks because you don't get it. Your attitude is why, as a profession, nobody likes IT professionals. On the one hand, you insist that we need not be competent. On the other hand, you insist that competence is the only ward against tragedy. It's patronizing at best and delusional at worst.

Personal attacks are not what a place for civil discussions is for, which is what this place is supposed to be about. You paint me into a corner that I don't really occupy, and then you attack me relentlessly and I have to defend myself with equal force. Even if I were to say something that were disagreeable, it's not a proper way to have a debate.

You and other people keep turning "debates" into these venting sprees where you group whatever select group of people you once had a bad experience with and say it's the whole group's problem. Muslims, black people, white people, police, whatever. Our civilization has completely lost its mind, and the diagnosed insane people are sitting on the sidelines thinking, "why are we called insane again?"

I'm done with this, and I'm done with you. You can say it's because it's my attitude or I'm an elitist asshole I don't care. You can turn all of Hubski against me, I don't care about that either, because Hubski isn't the place for civilized debate that it claims to be. It's Reddit and Twitter with a different skin.

Welcome to my hush, filter, and mute lists. Because that's what it's for: trolls. I'm done feeding the troll. And I'm done being bullied around.