Balloon Juice

Come for the politics, stay for the snark.



Another Big Security Story

by $8 blue check mistermix | February 20, 2016 10:10 am | 86 Comments

This post is in: Science & Technology


The Apple iPhone unlock story is getting all the press, overshadowing another important story:

Hollywood Presbyterian Medical Center, a hospital in Los Angeles, is the victim of what officials describe as an ongoing cyberattack. A hospital spokesperson told Ars in a prepared statement that “patient care has not been affected” by the intrusion. And an executive of the hospital told reporters that the attack was “random” and not targeted at patient records.

However, local news organizations have reported that some emergency patients were diverted to other hospitals—and that some of the hospital’s systems have been locked down by ransomware. The hospital has reverted to paper patient registration and medical records, according to NBC 4 in Los Angeles, and the hospital’s network has been shut down for over a week.

Ransomware is an attack in which hackers who have infiltrated a computer system encrypt its files and then sell the decryption key for a price. In the case of Hollywood Presbyterian, the price was 40 bitcoin, which is about $17K.

The scary thing about these kinds of attacks is that hospitals, the power grid, and other high-value, high-impact targets can be attacked by offshore hackers whether or not our border security is airtight. But instead of talking about this, the current yahoos in the Republican race focus on physical attacks, which are both difficult to launch and pretty rare.

By the way, the latest Apple news is that there was a way to get data off the phone, but the FBI or someone else on the case screwed up.


Reader Interactions

86 Comments

  1.

    A Ghost To Most

    February 20, 2016 at 10:25 am

    price was 40 bitcoin, not 4

  2.

    Emma

    February 20, 2016 at 10:25 am

    By the way, the latest Apple news is that there was a way to get data off the phone, but the FBI or someone else on the case screwed up
    Why am I not surprised?

  3.

    Schlemazel (parmesan rancor)

    February 20, 2016 at 10:27 am

    They are being a little less than truthful when they say patient care has not been affected. They have had to go to all paper records & note keeping and in addition to diverting some patients have delayed some procedures. Those are just things that they have admitted, having been through similar things with clients I bet you there is a great deal of pain they are not admitting to.

  4.

    Schlemazel (parmesan rancor)

    February 20, 2016 at 10:32 am

    @A Ghost To Most:
    not bad though since the original ransom demanded was 3000 bitcoins. We really do need a nation-wide effort on IT security. There is more than enough brain power what we lack most is the will power and a unified movement. It is painfully cliche but a ‘moon shot’ effort would go a long way to ending about 99% of this crap.

  5.

    Doctor Science

    February 20, 2016 at 10:34 am

    I don’t understand why the hospital wasn’t able to immediately (next day) go to a backup. Shouldn’t they have several sets, created at least daily?

  6.

    mistermix

    February 20, 2016 at 10:35 am

    @A Ghost To Most: Thanks

    @Doctor Science: Lax security and lax backups go together like a horse and carriage.

  7.

    Alex

    February 20, 2016 at 10:44 am

    By the way, the latest Apple news is that there was a way to get data off the phone, but the FBI or someone else on the case screwed up.

    It was a county IT employee, trying to use the tools available to them to reset the password on their company owned phone. So they reset the password on the Apple ID which was associated with the company’s email address.

  8.

    PhoenixRising

    February 20, 2016 at 10:51 am

    @Alex: probably trying to lock down county data from the media, who were at that moment trooping through the killers’ home at will. Doxxed the MIL. Not inherently stupid to use the override to protect the data. Just…that data is protected.

  9.

    rikyrah

    February 20, 2016 at 10:52 am

    Biden says Democrats are making “a big mistake” by campaigning on the idea that the country could be doing better.

  10.

    Napoleon

    February 20, 2016 at 10:55 am

    We had this happen at work 3 or 4 months ago. Me and someone else were in the office real early (a law firm) and we both started having issues with access so called the off site IT guy to solve the problem and he managed to block the program in mid encryption. It took a couple of days to replace the affected files from backup, but we didn’t need to pay the ransom.

  11.

    MattF

    February 20, 2016 at 11:01 am

    Note that a ransomware exploit would be much tougher and much less safe for the exploiters if it wasn’t for the cryptographically protected and decentralized bitcoin blockchain. Managers of critical institutions like hospitals and electrical power infrastructure need to understand that crypto is not necessarily benign and that it’s already very much out there.

  12.

    Tracy Ratcliff

    February 20, 2016 at 11:06 am

    @Doctor Science: I’ve only seen this sort of thing on a home-user’s machine, but on that sort of system the malware encrypts everything on every hard disk or network share that the computer has permissions on, including backup sets. Then if the computer has some sort of Internet backup, the backup software just sees the files have been modified, and helpfully overwrites the good files with encrypted ones. Then the user is down to what files were backed up on drives not connected to the computer when the malware hit, for most users, “none.”

  13.

    Tripod

    February 20, 2016 at 11:09 am

    Restore from backup is how competent IT shops are dealing with cryptolockers. That they didn’t have a good backup is pretty damning.

    There has been a rapid ramp up of IT use in healthcare, and many providers are still run the old school way where IT was phones and the billing system. Some clueless “Director” could mostly keep things afloat.

    Contrary to Mayhew’s hookers and blow schtick, a lot of the consolidation in the industry is being driven by IT spend. The EMR requirements, and networking of imaging devices, are capital intensive and require seriously skilled IT staffs.

  14.

    MattF

    February 20, 2016 at 11:09 am

    @Tracy Ratcliff: Which is why my main backup disk is turned off after I make a complete backup. People managing networked backups have a significantly harder problem than home users.

  15.

    Ultraviolet Thunder

    February 20, 2016 at 11:11 am

    A hilarious episode in Charles Stross’s book Rule 34 has hackers take over a victim’s 3D printer. They cause it to make nothing but multicolored dicks with a URL on them until he pays the ransom.

    There’s also a ransomware subplot in Neal Stephenson’s book Reamde.

  16.

    Gex

    February 20, 2016 at 11:14 am

    @Schlemazel (parmesan rancor): Wouldn’t it be nice if our national security apparatus were more concerned with securing our IT from attackers than with making sure it was faulty so they can spy on us?

  17.

    Brachiator

    February 20, 2016 at 11:22 am

    @Schlemazel (parmesan rancor):

    There is more than enough brain power what we lack most is the will power and a unified movement. It is painfully cliche but a ‘moon shot’ effort would go a long way to ending about 99% of this crap.

    The 99% figure is probably too high.

    Much of this hacking occurs because people are lazy and stupid, and create vulnerabilities because security would be inconvenient.

    We are also finding out that businesses are vulnerable because they often just do not think in terms of tight cyber security, and hire weasels who do not really know what they are doing. The attacks against Target and other merchandisers and banks succeeded because, oddly enough, many people have learned to take basic steps to make their smartphones and computers more secure (and more security is built into smartphones). Bad guys go where the picking is easier.

    Also, I think I heard that Hollywood Presbyterian was not a specific target. Either way, what adds to the complexity and potential tragedy here is that the hackers did not give a rat’s ass that patients might be endangered.

    There are some people in the tech community who look at hackers as neutral, and do not separate those who are malicious from those who claim that they hack just to see if they can.

  18.

    rikyrah

    February 20, 2016 at 11:36 am

    From DON over at TOD:

    Don

    February 20, 2016 at 9:37 am

    I really believe that Bernie Sanders doesn’t care about the black vote in that he wants the black vote, but if he doesn’t get it he’s okay with that. I think that Sanders’ mentality is stuck back in the 60’s when it comes to the way he views African Americans. I think that Sanders admired the young black fire brands of the 60’s, I think that it instilled in him the way that he thinks African Americans should act. But Bernie’s problem is that he got left behind, those young black fire brands of the 60’s are now doctors and lawyers and teachers that now believe that to make a social change you must work within the system and not look for ways to blow up the system. I bet if you could read Bernie’s mind it would say “why aren’t these blacks out there raising hell and trying to blow up the system.”

    But what Bernie doesn’t understand is that in fact we are out there blowing up the system, we’re just doing it by becoming the first African American Attorney General, the first Latino Supreme Court Justice. That is how we blow up the system. You blow up the system by displaying a picture of a little black boy touching the hair of the first African American President in the oval office. That one picture alone is more powerful than anything Bernie Sanders has said since he decided to run for President.

  19.

    rikyrah

    February 20, 2016 at 11:46 am

    Wisconsin blocks federal funds from reaching Planned Parenthood

    (Reuters) – Wisconsin Republican Governor Scott Walker signed two bills into law on Thursday that block federal funding from Planned Parenthood and could cost the local organization millions of dollars.

    Planned Parenthood of Wisconsin could lose about $7.5 million a year because of the measures, an organization spokeswoman said.

    One of the new Wisconsin rules requires the state to apply for federal “Title X” family planning grant money and to give those monies to “less controversial public entities” such as state, county and local health departments and clinics, a statement from Walker’s office said.

    Planned Parenthood is currently the only entity in Wisconsin receiving this federal money and the funds will not be sent to the organization, the statement said…

    Planned Parenthood of Wisconsin could lose roughly $4 million a year as a result of this measure, depending on patient volume and the type of birth control patients choose, organization spokeswoman Iris Riis said.

    The legislation singles out Planned Parenthood and is an attempt to stop the organization from providing essential healthcare, the group said.

    …Planned Parenthood of Wisconsin has 22 health centers in the state, three of which offer abortion services, according to its website.

    Earlier this month, Ohio legislators approved a bill blocking state and federal funds for groups that perform or promote abortions, which cut $1.3 million annually used by Planned Parenthood clinics for HIV testing, pre-natal care and other programs…

  20.

    randy khan

    February 20, 2016 at 11:50 am

    @Tracy Ratcliff:

    And this is one of the reasons I have two physical backups for both computers in our house, only one of which is attached at any given time. (The other reason is that the second backup is kept at my office so that we can recover our data if something really bad happens to our house or if thieves come in and clean out all of the electronics.)

    These days, it’s really cheap, too – I just bought a new backup drive for something like $80.

  21.

    different-church-lady

    February 20, 2016 at 11:57 am

    Well, that’s what Big Hospital™ gets for running Windows and answering the phone from callers they don’t recognize.

    [nods]

  22.

    WereBear

    February 20, 2016 at 11:59 am

    I had to hire a security firm to keep my cat site protected. The domain would get hijacked and users told it was a malware site.

    The first time it happened my host company was incompetent about it so I just fired them and put my backup on the new hosting company servers. Got a company to protect it the second time, and I’ve been okay since.

    Just another expense I didn’t expect. But it is incumbent on me to do what I can. I am shocked hospitals are so slipshod about it. There’s certainly enough talent and ability out there to make things run right.

    But they don’t want to pay for it. They don’t want to spend money on someone having a job.

    Now that is what is sick.

  23.

    different-church-lady

    February 20, 2016 at 12:00 pm

    @rikyrah: It’s sad seeing Sanders talk in language that makes it sound like black voters are less legitimate.

    It’s also sad to see Clinton’s camp talk as though black votes are the ones that will really matter in the end. Just not as sad as the first thing.

    (Apologizes for enabling the hijacking of the thread)

  24.

    rikyrah

    February 20, 2016 at 12:01 pm

    Just dust in my eyes.

    This photo of Obama and a little visitor at a Black History Month celebration is remarkable
    By Janell Ross
    February 20 at 8:00 AM

    For 3-year-old Clark Reynolds, Thursday began like most others.

    Morning preparations gave way to hours at school and then a visit to his mother’s office to change into a suit and tie. Clark’s mother, Nichole Francis Reynolds is a former congressional staffer who now works in the private sector. Friends had secured an invitation for Reynolds and her son to the White House’s Black History Month celebration, the final gathering of its kind while the first black president remains in office. But Francis Reynolds had only told Clark that he had earned a special treat. He is, after all, only 3.

    What Clark does know is the president’s name, his face when he sees Obama on TV and the sound of President Obama’s voice when it comes through the satellite radio in his dad’s car. Then, there’s Clark’s favorite book, the one that Clark almost always picks when it’s reading time. Clark has been through “The White House Pop-Up Book” by Chuck Fischer so many times that, almost as soon as Clark and his mother walked onto the White House grounds Thursday, Clark knew where they were.

    He was excited. And once inside, he was in open awe. This, as Clark put it, is where the president lives. He met Rep. John Lewis (D-Ga.). Someone snapped a photo of Clark and the First Lady. Somehow, Clark made his way to the front of a rope line as President Obama worked his way across the room. Then, Obama noticed Clark too, touched Clark’s cheek and bent down to exchange words while he straightened Clark’s tie.

  25.

    different-church-lady

    February 20, 2016 at 12:03 pm

    @WereBear:

    There’s certainly enough talent and ability out there to make things run right.

    The problem is there’s also enough hackery and incompetence out there to make finding the talent and ability a difficult proposition.

    My catch phrase is, “Remember: IT is the first and last letters in IDIOT.”

  26.

    Gin & Tonic

    February 20, 2016 at 12:03 pm

    @MattF: The old saw: “good backup is cheap, it’s lousy backup that’s expensive.”

    Multiple generations of backup, on multiple media, on- and off-site. That’s the only way to fly.
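
The failure mode Tracy Ratcliff describes upthread (the sync client sees "modified" files and overwrites the only good copy with ciphertext) and the fix Gin & Tonic gives (keep multiple generations) can be shown in working code. What follows is an added example written for this thread, not code from the post or from any commenter. Its store layout (one directory per source file, numbered generation files), the 7.0 bits/byte entropy threshold, the 50% "suspicious change" cutoff and the sample source tree (random bytes standing in for encrypted output) are all constructed for the example.

```python
"""Generational backup store with a mass-encryption guard (added example)."""
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text and typical office files sit well below 7;
    ciphertext and compressed data sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class GenerationalBackup:
    """Keeps the last `keep` accepted versions of each file under
    store/<relative path>/<generation>.bin. A sync never overwrites an old
    generation, and a sync in which most already-backed-up files have turned
    into high-entropy blobs at once is refused rather than recorded.
    Layout and thresholds are this example's own assumptions."""

    def __init__(self, store, keep=3, entropy_threshold=7.0, max_suspicious_fraction=0.5):
        self.store = Path(store)
        self.keep = keep
        self.entropy_threshold = entropy_threshold
        self.max_suspicious_fraction = max_suspicious_fraction

    def versions(self, relpath):
        """Generation files for one source path, oldest first."""
        d = self.store / relpath
        if not d.is_dir():
            return []
        return sorted(d.glob("*.bin"), key=lambda p: int(p.stem))

    def latest(self, relpath):
        """Bytes of the newest accepted generation, or None if never backed up."""
        v = self.versions(relpath)
        return v[-1].read_bytes() if v else None

    def sync(self, source):
        """Record changed files as new generations, unless the change set looks
        like mass encryption of files we already hold good copies of."""
        source = Path(source)
        changed = {}
        for f in source.rglob("*"):
            if f.is_file():
                rel = str(f.relative_to(source))
                data = f.read_bytes()
                if data != self.latest(rel):
                    changed[rel] = data
        # Only files with an existing good generation can have "turned into ciphertext".
        previously_backed_up = [r for r in changed if self.latest(r) is not None]
        suspicious = [r for r in previously_backed_up
                      if shannon_entropy(changed[r]) > self.entropy_threshold]
        if previously_backed_up and \
                len(suspicious) / len(previously_backed_up) > self.max_suspicious_fraction:
            return {"status": "refused", "changed": len(changed), "suspicious": len(suspicious)}
        for rel, data in changed.items():
            d = self.store / rel
            d.mkdir(parents=True, exist_ok=True)
            gens = self.versions(rel)
            next_gen = int(gens[-1].stem) + 1 if gens else 0
            (d / f"{next_gen}.bin").write_bytes(data)
            for old in self.versions(rel)[:-self.keep]:  # prune beyond `keep` generations
                old.unlink()
        return {"status": "ok", "changed": len(changed), "suspicious": len(suspicious)}


def demo():
    """Constructed scenario: clean sync, a normal edit, then every source file is
    replaced by random bytes (standing in for ransomware output) and synced again."""
    tmp = Path(tempfile.mkdtemp())
    try:
        src, backup = tmp / "src", GenerationalBackup(tmp / "store", keep=3)
        src.mkdir()
        (src / "notes.txt").write_text("paper registration form, scanned\n" * 20)
        (src / "ledger.csv").write_text("date,amount\n2016-02-20,40\n" * 20)
        first = backup.sync(src)
        (src / "notes.txt").write_text("revised notes\n" * 20)
        second = backup.sync(src)
        for f in src.iterdir():
            f.write_bytes(os.urandom(4096))
        third = backup.sync(src)
        return {
            "first": first["status"], "second": second["status"], "third": third["status"],
            "ledger_intact": backup.latest("ledger.csv").startswith(b"date,amount"),
            "notes_generations": len(backup.versions("notes.txt")),
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

The third sync is refused and the last good generation of every file stays readable; the earlier legitimate edit still got recorded because one low-entropy change is nothing like a whole tree turning into random bytes. The entropy cutoff is a heuristic (legitimately encrypted or compressed archives also score high, which is why the guard looks at the fraction of files rather than any single one), so this complements rather than replaces the offline and off-site copies the thread recommends.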

  27.

    different-church-lady

    February 20, 2016 at 12:05 pm

    @Gin & Tonic:

    Multiple generations of backup, on multiple media, on- and off-site.

    If I wrote for the Onion:

    NSA TO BUILD DUPLICATE OF MULTI-BILLION DOLLAR UTAH DATA-HOARDING WAREHOUSE

  28.

    ? Martin

    February 20, 2016 at 12:08 pm

    Other reporting states that Apple identified 4 possible ways to retrieve the data for the FBI without requiring creating a backdoor and all 4 failed. I find that remarkable. Apple worked with the FBI quietly until such point that the FBI demanded of a judge the very thing that the FBI has been publicly asking Congress to mandate, at which point they made this public, going so far as to call this a marketing stunt by Apple.

    I’m not normally one to ascribe malicious motives to our government but that is entirely too coincidental. Apple engineers are not hacks. They are among the best in industry and I find it very hard to believe that they fucked up 4 approaches to getting the FBI’s data. And contrary to the reporting, Apple didn’t unlock 70 other phones for the FBI, but they did employ one of these other techniques to 70 other phones to successfully retrieve data for the FBI.

  29.

    Schlemazel (parmesan rancor)

    February 20, 2016 at 12:09 pm

    @Doctor Science:
    The problem is that if they don’t know how they got pwned they could simply end up having the restored systems encrypted and a pissed off kidnapper still inside their network now willing to torch the place

  30.

    Brachiator

    February 20, 2016 at 12:12 pm

    @randy khan:

    And this is one of the reasons I have two physical backups for both computers in our house, only one of which is attached at any given time.

    And I guess that having a backup in the cloud or something similar is recommended for critical data and programs.

    A tax preparer I know had a backup at home to augment the drive at his office. But both were damaged in a rainstorm and flood that went through his town. But he was able to buy a new computer and pull down a backup from a cloud service and get back to work with minimal loss of time.

  31.

    a hip hop artist from Idaho (fka Bella Q)

    February 20, 2016 at 12:12 pm

    @rikyrah: My eyes have a little leak it seems. I can’t get to the photo because WaPo has a paywall. But what a wonderful story. Thanks for showing us.

    I found the image on teh google!

  32.

    ruemara

    February 20, 2016 at 12:19 pm

    @different-church-lady: except that black turnout is what has mattered. Black female voting has kept the Dems fighting.

    And she’s hardly been taking about the black vote as all that matters, she’s just the only one running who’s saying it matters as much as the others.

    Failure to back up is so consistent, it’s why I use network backups at home. I love my little redundant NAS.

    Sitting here waiting to buy SDCC tix. Freaking out, quietly. Not drinking, cos I don’t want to have to go to the loo.

  33.

    Glaukopis

    February 20, 2016 at 12:27 pm

    @ruemara: I know. Preview night just sold out.

  34.

    Schlemazel (parmesan rancor)

    February 20, 2016 at 12:31 pm

    True story of IT security from a previous engagement.

    We discovered a compromised system communicating with an external system, sending encrypted messages. Since it was a virtual machine we could simply make a copy of it and run that copy in a controlled environment. We figured out what files were infected and cleaned up. After a few hours the system rebuilt access for our attacker using a different set of system files. We cleaned that up and watched while it did it again using an entirely different set of system files. Each compromise was different and used different communication avenues.

    This particular attack was the work of a government but the process is not unusual. The first thing I want to do once I am inside is to make sure I can come back when I want even if they do find me the first time.

  35.

    rk

    February 20, 2016 at 12:31 pm

    @Brachiator:

    We are also finding out that businesses are vulnerable because they often just do not think in terms of tight cyber security, and hire weasels who do not really know what they are doing

    They hire people who don’t know what they’re doing because they don’t want to pay highly competent people. Business model these days is get your work done as cheaply as possible. Doesn’t work like that for things that matter. You need experienced competent people and you need to pay them well. It’s pretty much pennywise pound foolish.

  36.

    FlyingToaster

    February 20, 2016 at 12:31 pm

    I’m genuinely surprised that the hospital doesn’t have a) a big-ass firewall and b) 7-day rotating tape backups of every damn thing. Granted that living next to MIT and down the road from EMC means that MassGeneral and Brigham’s do this automatically, but even the little hospitals around here have “hourly-to-drive, daily-to-tape” backup routines*.

    But if the target wasn’t specifically the hospital, it has to be some vuln in an essential piece of software, rather than a social-engineering or man-in-the-middle attack. Which Hollywood Presbyterian should be shouting to the rooftops about.

    * I know people who work in IT at [redacted] and [redacted] hospitals and one of EMC’s salesmen and a staffer at one of the secure offsite storage facilities on 495. It became best-practice with the influx of new patients after Romneycare started. EMC made a fucking mint.

  37.

    gwangung

    February 20, 2016 at 12:31 pm

    @ruemara: I think it’s telling Sanders still has this problem with the black community, a segment that would normally be all over progressive programs. In contrast, I think Obama worked pretty quickly to mend fences and reach out.

    I have two off site back ups to go along with my at-home backup. Not sure about a cloud based service, but I think about it.

  38.

    gwangung

    February 20, 2016 at 12:33 pm

    @rk: Republican policies in a nutshell.

  39.

    different-church-lady

    February 20, 2016 at 12:36 pm

    @gwangung: Actually, Republican policies are to spend as much money as possible on incompetent people, as long as those people are their friends.

  40.

    Shakezula

    February 20, 2016 at 12:38 pm

    I actually think this is an improvement on the more common scenario which involves people taking the information for resale on the black market. That sort of thing can go undetected for months.

  41.

    Feathers

    February 20, 2016 at 12:38 pm

    @different-church-lady: A large part of the problem is the degree to which far too many people are actually a bit proud that they don’t understand math and science. That it proves they are a creative, intuitive person.

    Math and science teaching need to be completely rethought, especially at the university level. Having an intro class in each discipline which is essentially designed to weed out students who won’t be able to hack it in the major (AKA potential PhD students) doesn’t meet the needs of the educated people of the US.

    This is what allows the grifters and fakers of the IT world to take hold.

  42.

    Brachiator

    February 20, 2016 at 12:39 pm

    @rk:

    They hire people who don’t know what they’re doing because they don’t want to pay highly competent people.

    It’s not just a matter of not being willing to pay highly competent people. It’s hard to separate the competent from the charlatans.

    A company I do business with pays a good chunk of money to an IT group that doesn’t understand the needs of its customers and has boilerplate solutions to everything. In some ways they have become more vulnerable to cyber attacks.

  43.

    Glaukopis

    February 20, 2016 at 12:45 pm

    Yay. Got comic con tickets!

  44.

    Joel

    February 20, 2016 at 12:45 pm

    1) Where are these attacks originating, typically?
    2) Is there any way to arrest and/or punish these hackers?
    3) Are enemy/frenemy states sponsoring this kind of stuff?

  45.

    ? Martin

    February 20, 2016 at 12:47 pm

    @MattF: I would strongly recommend two backups. One being a local continuous backup, like Apple’s Time Machine or the equivalent for Windows. These are basically one-time costs, with replacements every 5-10 years. We have a small NAS in our house that all of our computers continuously back up to.

    The second should be a cloud-based backup like BackBlaze. Cloud backups encrypt locally and good ones like BackBlaze have the capacity for retrieving files via web browser in the event you have no physical access to one of your machines. This is a bit more expensive – $4/mo per computer but protects you against more local problems – theft, fire, etc.

    Far more important for people to do first, though is to get your passwords in order. Get 1Password, get all of your passwords, bank account info, SS#s, security questions and all that jazz in there. Find weak and duplicate passwords that 1Password can manage and change them to nice 30 character secure passwords. For the ones that 1Password can’t manage (like the password into 1Password) come up with a secure one that you will remember. I use a lyric from a song that would have punctuation a number, capitalization, etc.

    Use it religiously, sync it with your phone, etc. Sync it through a reliable cloud service like Dropbox.

    One of the benefits of this setup is that in a disaster, if you’ve lost everything, you can work your way to some family members house or whatever, use any old computer, and get access to all of your accounts, all of your backups. If you set it up properly, you can leave your master password with your next of kin so they can unwind your life if anything happens to you.

    I do this with my dad, who is single but travels a lot. Everything important in his life is in there. Everything from his passport information, the medications he’s taken, his financial information, the names of the people he would want me to contact if anything happens to him. Should that happen, I can pay his bills, inform his friends, provide information to a hospital, etc. and it’s all accessible from my phone wherever I may be. $5/mo for a family of 5.

    Security is there for the people with the money to do these services, but you need to take advantage of them. It takes a bit of time to set up and develop the habits, but it really does give some peace of mind. We’ve never had an account hacked or information stolen.

  46.

    Starfish

    February 20, 2016 at 12:48 pm

    There was also some school attacked by ransomware that paid $8500 to get their stuff back. Horry County in South Carolina.

  47.

    ruemara

    February 20, 2016 at 12:50 pm

    @Glaukopis: so jealous. Still in waiting room. Been here since 7:30.

  48.

    RSA

    February 20, 2016 at 12:50 pm

    @Brachiator:

    Much of this hacking occurs because people are lazy and stupid human beings, and create vulnerabilities because security would be inconvenient.

    At least, that’s my view. Another part of it, as you mention later, is on the IT side (e.g., with ridiculously complex password requirements). Not to mention attitude issues: Is there any other service profession that holds its customer base in such contempt as IT does with non-technical computer users?

  49.

    different-church-lady

    February 20, 2016 at 12:53 pm

    @Feathers: Our society needs left-brainers and right-brainers, in roughly equal amounts. It would be nice if (a) our society would recognize this simple fact and (b) the various-brainers could keep which thing they’re good at straight.

    But the problem I cited is not a result of right-brainers, or right-brainers trying to do left-brain jobs. It’s a result of left-brainers who are simply bad at what they do, yet convince others they know what they’re doing because they appear left-brainy.

  50.

    I'mNotSureWhoIWantToBeYet

    February 20, 2016 at 12:54 pm

    @RSA: Um, banking?

    Go see “The Big Short” if you haven’t already. ;-)

    Cheers,
    Scott.

  51.

    ? Martin

    February 20, 2016 at 12:56 pm

    @Brachiator:

    It’s not just a matter of not being willing to pay highly competent people. It’s hard to separate the competent from the charlatans.

    It’s also difficult to overcome cultural obstacles within enterprises. Good security requires retraining all of the staff, getting them to change their habits, and enforcing when those habits aren’t followed. Companies need to back that effort up, and most don’t.

    As an example, I have a family member that was CIO for a large health insurer. They had a policy of no personal photos, etc. going through work accounts. When one of the senior VPs broke that policy, my relative insisted they frog march him out of the building the same way as if it were a clerk doing it. A lot of companies wouldn’t do that, and once you start making ‘practical exceptions’ to your security policies, you might as well not have them at all and the quality of your security team becomes pointless.

  52.

    RSA

    February 20, 2016 at 12:56 pm

    @I’mNotSureWhoIWantToBeYet: Oh, good one. I’d only thought about doctors and lawyers and such.

  53.

    ? Martin

    February 20, 2016 at 12:58 pm

    @RSA:

    Another part of it, as you mention later, is on the IT side (e.g., with ridiculously complex password requirements).

    Use a good password utility like 1Password, and that will go away. My credit union thankfully has a mobile app that uses TouchID, so I can just use my fingerprint on my iPhone and iPad.

  54.

    Starfish

    February 20, 2016 at 12:59 pm

    @? Martin: Isn’t LastPass getting hacked all the time?

  55.

    ruemara

    February 20, 2016 at 1:01 pm

    Dammit. fucking SDCC.

  56.

    MattF

    February 20, 2016 at 1:02 pm

    @? Martin: As a matter of fact, I have Time Machine working on a nice big desktop hard disk (in addition to a second bootable backup drive), so there’s that. Unfortunately, securing my financial accounts is not so easy – I have financial software that retrieves information from my various accounts into a single ledger – but setting that up requires using a fixed, saved password for each account. The different accounts all have different ‘not too bad’ passwords, but it’s not optimal. I wish I could get 1Password to work with the financial software, but I’ve got no idea how to do that.

  57.

    RSA

    February 20, 2016 at 1:05 pm

    @? Martin:

    Use a good password utility like 1Password, and that will go away.

    Sure. My complaint isn’t for myself (I’m technically competent in the areas I work in) but with some IT organizations.

  58.

    Botsplainer, Cryptofascist Tool of the Oppressor Class

    February 20, 2016 at 1:05 pm

    Could be that critical systems (internal patient records and continuous monitoring) need to be on an intranet and physically not connected to the Web. HR functions and utility systems need to be the same.

    Some things really don’t require integration with the web.

    Making it easy for all your employees to bid on eBay, shop on Amazon, pay their bills and check their Facebook is not really an employer requirement.

  59.

    Keith P.

    February 20, 2016 at 1:09 pm

    @Doctor Science: Pretty amazing that ransomware is a thing in 2016 (for businesses, at least), given how long backup tech has been around. Even though it is probably not legal for a hospital to store that data in the cloud, older on-premises, or even legal off-premises, backup is pretty ubiquitous.
    My previous employer got hit by ransomware (for some reason, they stored all their blueprint files as physical files instead of in a database). But it was discovered within 15 minutes of striking, and we lost maybe 4 hours worth of data since we had daily backups.

  60.

    different-church-lady

    February 20, 2016 at 1:10 pm

    @Botsplainer, Cryptofascist Tool of the Oppressor Class:

    Making it easy for all your employees to bid on eBay, shop on Amazon, pay their bills and check their Facebook is not really an employer requirement.

    I thought we had moved from a world where employees took advantage of their employers’ computers to do all that to a world where employers forced employees to “bring their own devices” to take advantage of 24/7 access to the employees without having to pay for it.

  61.

    ? Martin

    February 20, 2016 at 1:11 pm

    @Starfish: Sort of. I don’t like LastPass because the encryption is happening over the wire (which has its own encryption). 1Password does the encryption locally.

    LastPass had their account information hacked, but not your credentials, so hackers could learn you had an account, but not access that account. I think it would be extraordinarily difficult for someone to hack the LastPass vaults, but that’s not entirely clear because the security on the far end is a bit opaque.

    For this I like the local encryption. I also find the 1Password app and syncing services to be better. Being able to use TouchID on my phone to unlock my passwords is incredibly convenient and makes it far easier for me to keep shoving information into my vault. How easy the habit is to maintain is important.

  62.

    BillinGlendaleCA

    February 20, 2016 at 1:12 pm

    @? Martin: 1Password is really good. I looked at it last year and it is really Fruity computer device centric, which works well for you. The best I found for Windows/Android was Roboform, though I’m looking at one from Intel right now and may move in that direction.

    I saw this report about Hollywood Pres on the local news last week (being that it’s a local hospital). I’ve only been there once, 56 years ago last month.

  63.

    ? Martin

    February 20, 2016 at 1:14 pm

    @srv: There’s KeePass, but I don’t know if it’s really secure or anything about it.

  64.

    ? Martin

    February 20, 2016 at 1:15 pm

    @BillinGlendaleCA: 1Password has Windows/Android versions now. I don’t know how good they are, but they are expanding support.

  65.

    retiredeng

    February 20, 2016 at 1:17 pm

    @Schlemazel (parmesan rancor): Government (Federal and State) is woefully backwards with IT. We see it all the time. By the way, so is the health insurance and provider industry. Big business and government is pretty much helplessly tied to Microsoft “technology.”

  66.

    BillinGlendaleCA

    February 20, 2016 at 1:17 pm

    @? Martin: I know, they were really awful last year when I looked.

  67.

    boatboy_srq

    February 20, 2016 at 1:19 pm

    @Emma: Chances are some genius changed the iCloud pw so the dastardly Daesh terrrrrrists couldn’t access the content anymore, and didn’t realize s/he was fvcking the FBI’s ability to read the phone. Typical all-systems-are-disconnected thinking. This is one more reason why I’m with Apple here: the content the investigators want should have already been accessible via the cloud, so hacking the phone security shouldn’t be necessary (let alone appropriate). No business should be in the business of fixing federal fvckvps, especially if the consequence is significantly broken product/service overall.

  68.

    boatboy_srq

    February 20, 2016 at 1:27 pm

    @retiredeng: Government and IT (rather like healthcare and IT) are uncertain friends because IT doesn’t directly contribute to the bottom line. Spending on IT counts as “overhead” for most public sector entities, and thus lands on the chopping block relatively early.

    In addition, there are (or used to be) so many purchasing contracts that stipulated specific technologies – technologies that in the private sector quickly became obsolete – that providing the exact product allowed became difficult. There’s an urban legend about the FBI being required to purchase 486 machines with 16 MB of RAM and 500 MB hard drives, long after the Pentium II had arrived, Windows XP was the desktop standard elsewhere and disks were measured in tens of gigabytes: serving that purchase requirement became a cottage industry which had the feds paying multiples of the cost for newer equipment simply because nobody writing the requirements had added “or greater” to the purchasing language.

  69.

    Villago Delenda Est

    February 20, 2016 at 1:40 pm

    @rk: The MBA mentality, in a nutshell. Fucking bean counters.

  70.

    Shakezula

    February 20, 2016 at 1:43 pm

    @RSA: And in health care anything that slows people down is considered bad.

    Another problem was the attempt to sell doctors on things like encryption when the technology was really not lay-person friendly. Now people hear the E word and walk away. And there’s also the eternal fight over what doctors can do with their own devices and how secure those have to be…

  71.

    Feathers

    February 20, 2016 at 1:46 pm

    @different-church-lady: The other problem is that the whole left-brain/right-brain concept is bullshit. The research it was based on was done on people with damaged brains. It turns out that high level performance in either logical/analytic or expressive/creative thinking requires activation of both brain hemispheres and communication between them. The current pathology of I’m one or the other, and my lack of ability in the other realm proves my superiority in my favored field.

    It creates the sort of just let somebody else deal with it attitude that creates these IT policy issues.

  72.

    Feathers

    February 20, 2016 at 1:53 pm

    @boatboy_srq: Yeah, my brother is in the middle of a kerfuffle where his department is being ordered to put a contract out for competitive bidding. But we bought a Motorola phone system, five years ago, that means we need to buy Motorola phones to go with it or have a round of tests where we can make sure any phones we buy are interoperable with the current system. Nope. Open bidding with the department that will be stuck with the phones for the next decade having no input.

  73.

    Schlemazel (parmesan rancor)

    February 20, 2016 at 1:55 pm

    @? Martin:
    When I was doing internal pen testing I always focused on the executive suite. If we could tip the CEO’s PC, the odds were we had access to everything. I had one case where he didn’t even have a password because that was just too much bother for someone as important as he was. Good for those guys that treat everyone the same.

  74.

    Feathers

    February 20, 2016 at 2:00 pm

    One Bruce Schneier truism is that you can’t get people to buy in on a security system that makes it impossible for people to do their jobs.

    At an engineering firm where I worked we called it “design by vice president,” where specs were created based on the workflow as imagined by the senior people at a company. When implemented, the widget was completely unable to even approximate completion of the task at hand.

  75.

    Mike G

    February 20, 2016 at 2:09 pm

    the current yahoos in the Republican race focus on physical attacks, which are both difficult to launch and pretty rare.

    People who can’t (or pretend they can’t) accept basic scientific theories like evolution or climate change can hardly be expected to understand IT security. Government by ideologues who combine willful ignorance with arrogant certainty of their infallibility is predictably disastrous.

  76.

    Cookie monster

    February 20, 2016 at 2:17 pm

    @? Martin: That’s not quite accurate. LastPass encrypts all payloads locally (AES256) before sending the data over the wire.

  77.

    Pogonip

    February 20, 2016 at 2:19 pm

    The hospital story was on Atlantic.com a week ago, that’s where I saw it. At first the hackers wanted something like a billion dollars in Bitcoin.

    Baud/Jane 2016. Because It’s A Jungle Out There. And Because Thurston Won’t Stop Barking Until They’re Elected.

  78.

    Brachiator

    February 20, 2016 at 2:36 pm

    @? Martin:

    It’s also difficult to overcome cultural obstacles within enterprises. Good security requires retraining all of the staff, getting them to change their habits, and enforcing when those habits aren’t followed. Companies need to back that effort up, and most don’t.

    Yep. But the trick is to make security part of the culture of the enterprise, not impose it with an iron fist. Fortunately, I’ve worked for companies where privacy and security were already part of the company mission, so cyber security was just icing on the cake.

    BTW, for personal use, Lastpass works for me. I ran across it before I ran across 1Password and don’t want to bother with switching to another service for now.

  79.

    The Ancient Randonneur

    February 20, 2016 at 2:41 pm

    This is one that should get some attention as well. A Skeleton Key of Unknown Strength:

    The glibc DNS bug (CVE-2015-7547) is unusually bad. Even Shellshock and Heartbleed tended to affect things we knew were on the network and knew we had to defend. This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn’t even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe. Who can exploit this vulnerability? We know unambiguously that an attacker directly on our networks can take over many systems running Linux. What we are unsure of is whether an attacker anywhere on the Internet is similarly empowered, given only the trivial capacity to cause our systems to look up addresses inside their malicious domains.

  80.

    Germy

    February 20, 2016 at 2:46 pm

    And we’re supposed to have online voting?

  81.

    RSA

    February 20, 2016 at 2:49 pm

    @Feathers:

    At an engineering firm where I worked we called it “design by vice president,” where specs were created based on the workflow as imagined by the senior people at a company.

    Does that still happen today? Wow.

  82.

    VFX Lurker

    February 20, 2016 at 3:38 pm

    @ruemara:

    Dammit. fucking SDCC.

    Argh. Getting SDCC tickets is like trying to catch a unicorn these days.

    I’ll be going to WonderCon this March and Anime Expo this July. Those conventions haven’t outgrown their venues just yet.

  83.

    Ivan X

    February 20, 2016 at 3:44 pm

    @? Martin:
    Everything recommended here is rock solid advice. I second. Personally I like CrashPlan more than BackBlaze but please just use something. Big fan of 1Password.

  84.

    ruemara

    February 20, 2016 at 4:16 pm

    @VFX Lurker: I think my friends may attend either of those. I may go then. But fuck SDCC.

  85.

    Raven Onthill

    February 20, 2016 at 6:16 pm

    I blame the NSA. Part of their job is securing civilian systems and instead they have systematically weakened that security, to the point where it’s only cranks, spies, and oldpharts like me who pay attention to it.

    As a for-instance: passwords are at best medium security; we ought to have stopped using passwords alone for security 15 years ago. If the NSA got on that, we could have standardized secure access technologies and been using them all along.

  86.

    dantanna

    February 20, 2016 at 10:06 pm

    @? Martin: So what happens when 1Password is hacked?
