|
https://twitter.com/BBCNews/status/863145278840418304 It looks like the papers are going for the 'why did they ignore the warnings???' attack angle.
|
# ? May 12, 2017 22:36 |
|
serious gaylord posted: https://twitter.com/BBCNews/status/863145278840418304

If they're going to ask that then to the gulag with anyone unable to say 'Inability to fund better IT due to cuts'.
|
# ? May 12, 2017 22:39 |
|
CYBER HACKERS
|
# ? May 12, 2017 22:40 |
|
Lord of the Llamas posted: CYBER HACKERS

WATCH OUT THEY'RE COMING FOR YOUR DATA
|
# ? May 12, 2017 22:41 |
|
namesake posted: So question for people in the know: say this event is a major push towards a completely nationalised NHS with a completely isolated network for critical systems to protect patient data from this sort of thing. How difficult would it be to build such a national network (very, obviously, but how much work would be involved) and would there be any way of incorporating wireless transmission, or is that inherently unsecure?

One of the infosec threads would be the best place to ask really. I don't think wireless is inherently insecure, but obviously the remote access aspect makes for a shedload of other security considerations. But there are best practices to follow, and ideally you'd limit access to the bare minimum

I remember talk of a kind of anonymised patient database, where you'd only have access to a general profile and history associated with an NHS number or something similar - the actual database linking a profile to a person would be more restricted. So you can create different levels of information sharing and modification, with different security policies for various roles and situations (like at a secure computer vs on a tablet in a clinical setting)

It's sort of an open-ended question and I dunno if we have anyone with that kind of broad overview of the current system and exactly what it should be like. But really you need this to be properly designed, top-down, and fully audited for compliance. Instead of the current 'hey let's get a bunch of contractors in to make isolated parts however they want using their proprietary software, the free market will surely make this cool and efficient' mess
|
# ? May 12, 2017 22:44 |
Also the system has to be usable by atrocious reception staff which does not help with security.
|
|
# ? May 12, 2017 22:46 |
|
The few times i've been to hospital the medical staff were all lovely but the reception staff treated everyone like scum and were always in foul moods. That's my anecdotal story and why I wish for the privatisation of the NHS. Those crones must pay.
|
# ? May 12, 2017 22:56 |
|
i'd be making GBS threads myself if i was the person responsible lmao https://intel.malwaretech.com/botnet/wcrypt
|
# ? May 12, 2017 22:56 |
|
jBrereton posted: Also the system has to be usable by atrocious reception staff which does not help with security.

If it's properly designed it shouldn't matter. People are (supposed to be) the biggest security weakness so the system should be designed for that. Don't expose more than you need to, get a decent authentication system (not passwords because they'll stick them to the monitor), enforce security policies like locking down the computers and wiping them regularly, that kind of thing

If it's properly designed it should all Just Work and minimise any potential problems. When you have a mess of different systems and hoops you need to jump through and the freedom to do things your own way, that's when things get really complicated and insecure

I'm just talking generally because I don't really know much about this, but it would be a massive project for something the size of the NHS. You'd have to design it properly and build it properly and train everyone to use it and shift all the data over into the new system, running it in parallel so everyone could switch over and leave the old system for good. It's a huge investment but it still needs to be done
|
# ? May 12, 2017 23:01 |
|
baka kaba posted: One of the infosec threads would be the best place to ask really. I don't think wireless is inherently insecure, but obviously the remote access aspect makes for a shedload of other security considerations. But there are best practices to follow, and ideally you'd limit access to the bare minimum

No need. Wireless means your security has to hold up without you knowing who's trying to open it, which is a risk, but making the entire system a fortress that is completely immune to attacks like this is fairly trivial with adequate funding. Basically you take a whitelist approach and then tell the users to get lost when they want more access.

EDIT: Also, no, it wouldn't be a massive project because it benefits from economy of scale. Wiping the systems is stupid, passwords are fine as long as you combo them with, say, an RFID chip in the user's thigh and training people again would be mostly unnecessary.

endlessmonotony fucked around with this message at 23:08 on May 12, 2017
|
# ? May 12, 2017 23:06 |
|
https://twitter.com/withorpe/status/863088159961210880 Well this might have legs.
|
# ? May 12, 2017 23:22 |
|
I'm talking about designing and architecting an entirely new system from the ground up, built for purpose around best practices. I mean as I understand it, the NHS as a whole is a mishmash of different systems made by different contractors who have no interest in making their software interact smoothly with other companies' software, data still isn't completely centralised, different trusts are doing things in different ways and so on

If you're redoing the whole thing that would seem like a very big project, just for the sheer scope, and then you definitely need to retrain people if the processes have changed - ideally they would if your goal is to streamline things instead of having people work around all these quirks of the current setup. Even a change in the UI would require training for a lot of people, just because It's Different

I mean isn't this why all the past attempts at a do-over have failed? Nobody's willing to commit to the cost of something so big with such a long horizon
|
# ? May 12, 2017 23:24 |
|
big scary monsters posted:I liked LastPass but they've had a number of security holes found of late (by a Google security researcher, and they were all patched promptly, but still). Other popular managers that I have not used and which may also have security holes, but at least they haven't been made public yet, are Keepass and 1password. I believe both differ from LastPass in that you store the vault yourself, rather than them doing it on their server. This is potentially more secure but if you gently caress up then you're hosed. Dropbox is a popular option for storing your vault to make it accessible across devices and probably recoverable if you accidentally delete it. I'm not sure how that'd scale up to a corporate/infrastructure level but you should have the funding to get someone to find out when they're doing your security audit if you're a critical sector, Jeremy Hunt you cock.
|
# ? May 12, 2017 23:26 |
|
serious gaylord posted: https://twitter.com/withorpe/status/863088159961210880

Someone inform the Mail!
|
# ? May 12, 2017 23:33 |
|
baka kaba posted: I'm talking about designing and architecting an entirely new system from the ground up, built for purpose around best practices. I mean as I understand it, the NHS as a whole is a mishmash of different systems made by different contractors who have no interest in making their software interact smoothly with other companies' software, data still isn't completely centralised, different trusts are doing things in different ways and so on

The second most important data collection tool that the NHS has (after Secondary User Service) is a secure website which doesn't work properly (as in, it doesn't work) in Firefox and must be set up in compatibility mode in Chrome or IE after version 7.
|
# ? May 12, 2017 23:35 |
|
Poor firefox. The other browser.
|
# ? May 12, 2017 23:40 |
|
baka kaba posted: I'm talking about designing and architecting an entirely new system from the ground up, built for purpose around best practices. I mean as I understand it, the NHS as a whole is a mishmash of different systems made by different contractors who have no interest in making their software interact smoothly with other companies' software, data still isn't completely centralised, different trusts are doing things in different ways and so on

You're clueless. This isn't a difficult problem to solve. We have the tools. You just need the people making the decisions to make decisions that work in the long run, to refuse all sorts of nice resort conferences from people selling their systems and to not let promoting themselves get in the way of making a functional system. It's even cheaper in the long run, though the initial spike is substantially bigger than just re-licensing software.
|
# ? May 12, 2017 23:44 |
|
Regarde Aduck posted: Someone inform the Mail!

"immigrants mean NHS can't afford software updates"
|
# ? May 12, 2017 23:46 |
|
Julio Cruz posted: "immigrants mean NHS can't afford software updates"

"Global cyber attack that uses stolen NSA superweapon cripples the world"

Oh wait that one's actually real
|
# ? May 12, 2017 23:47 |
|
Pochoclo posted:"Global cyber attack that uses stolen NSA superweapon cripples the world"
|
# ? May 12, 2017 23:51 |
|
Guavanaut posted: "Tool created using public money to spy on foreigners in the interests of capital ends up costing more public money and lives."

Change that to 'use on foreigners' and you've just described the entire military and most of the culture budget,
|
# ? May 13, 2017 00:00 |
|
Regarde Aduck posted: The few times i've been to hospital the medical staff were all lovely but the reception staff treated everyone like scum and were always in foul moods. That's my anecdotal story and why I wish for the privatisation of the NHS. Those crones must pay.

I applied for a job at the reception of my local GP surgery, which is in a local hospital. They rejected me. I guess now I know why, I wasn't curmudgeonly enough.
|
# ? May 13, 2017 00:01 |
|
namesake posted:Change that to 'use on foreigners' and you've just described the entire military and most of the culture budget,
|
# ? May 13, 2017 00:10 |
|
It's cool living in an actual dystopian cyberpunk future, but i really wish we had more neon and mohawks.
|
# ? May 13, 2017 00:12 |
|
Oberleutnant posted: It's cool living in an actual dystopian cyberpunk future, but i really wish we had more neon and mohawks.

Be the change you wish to see in the world
|
# ? May 13, 2017 00:15 |
Pochoclo posted: "Global cyber attack that uses stolen NSA superweapon cripples the world"

Just in case anyone wasn't aware, that's literally the Mail's front page tomorrow.
|
|
# ? May 13, 2017 00:18 |
|
Oberleutnant posted: It's cool living in an actual dystopian cyberpunk future, but i really wish we had more neon and mohawks.

go out in Shoreditch and get your fill
|
# ? May 13, 2017 00:21 |
|
I've been out of the loop today. Did the Tories sabotage the NHS or what?
|
# ? May 13, 2017 00:25 |
|
Steve2911 posted: I've been out of the loop today. Did the Tories sabotage the NHS or what?

Actually their normal everyday sabotage has been briefly outdone by a spotty European teenager from their parents' house.
|
# ? May 13, 2017 00:27 |
|
baka kaba posted: I'm talking about designing and architecting an entirely new system from the ground up, built for purpose around best practices. I mean as I understand it, the NHS as a whole is a mishmash of different systems made by different contractors who have no interest in making their software interact smoothly with other companies' software, data still isn't completely centralised, different trusts are doing things in different ways and so on

The NHS has around 46,000 different networks, the vast majority of which are administered completely independently of each other. There is no 'starting over', it would be an incomprehensibly vast project.
|
# ? May 13, 2017 00:29 |
|
^^^ getting mixed messages on this one

namesake posted: The second most important data collection tool that the NHS has (after Secondary User Service) is a secure website which doesn't work properly (as in, it doesn't work) in Firefox and must be set up in compatibility mode in Chrome or IE after version 7.

I bet they chose that narrow platform to make a truly great experience though, right!?

endlessmonotony posted: You're clueless.

I don't know why you think this contradicts what I said or makes the project actually no big deal at all. Yes it needs to be run top-down with an iron fist and not by a belief in ~free market magic~. Yes that will be far better in the long run. No that doesn't make overhauling one of the world's largest organisations (literally dealing with life and death) a quick and trivial exercise. It means a cost commitment now with the benefits delivered in the future, possibly to another government - assuming it even makes it that far without the next government cancelling the whole thing.

"You just need [everything to go perfectly without politics and bureaucracy interfering]" is a nice thought and all
|
# ? May 13, 2017 00:31 |
|
Jose posted: Chrome stores saved passwords in plain text lol

They are stored encrypted rather than hashed because websites expect them in plain text. All browsers do this.
|
# ? May 13, 2017 00:45 |
|
>Hack the planet >send spike Im zerocool lol
|
# ? May 13, 2017 00:47 |
|
baka kaba posted: I don't know why you think this contradicts what I said or makes the project actually no big deal at all. Yes it needs to be run top-down with an iron fist and not by a belief in ~free market magic~. Yes that will be far better in the long run. No that doesn't make overhauling one of the world's largest organisations (literally dealing with life and death) a quick and trivial exercise. It means a cost commitment now with the benefits delivered in the future, possibly to another government - assuming it even makes it that far without the next government cancelling the whole thing. "You just need [everything to go perfectly without politics and bureaucracy interfering]" is a nice thought and all

IT's not your strong suit, and neither is reading between the lines.

The technology side is trivial. Quick is a matter of how much staff you hire. And it's not incomprehensibly vast either. Or even especially large.

The "getting everyone on the side of making the NHS work right without regard to personal glory or the budget" is meanwhile an impossible pipe dream. The reason it's in the shape it is now is because of cost-cutting and going with the answer that's best for careers (in the short term, incidents such as this may be a problem) as opposed to best for NHS. Fixing it isn't hard, it's expensive.
|
# ? May 13, 2017 00:55 |
|
Ok my bad, redoing the NHS and all its disparate interconnected systems and switching everything over to it while it all continues to operate is actually a piece of piss
|
# ? May 13, 2017 01:11 |
|
endlessmonotony posted: The technology side is trivial. Quick is a matter of how much staff you hire. And it's not incomprehensibly vast either. Or even especially large.

I never realised that it could be so easy. Why, if it's such a dismissively simple task you have to ask yourself why they haven't done it already?
|
# ? May 13, 2017 01:13 |
|
baka kaba posted: Ok my bad, redoing the NHS and all its disparate interconnected systems and switching everything over to it while it all continues to operate is actually a piece of piss

My office of 4000 odd is trying to move everything over to some new Microsoft system whilst continuing as normal. It's bad. It's very bad.
|
# ? May 13, 2017 01:17 |
|
baka kaba posted: Ok my bad, redoing the NHS and all its disparate interconnected systems and switching everything over to it while it all continues to operate is actually a piece of piss

Unironically this. Modern computers are kind of good at doing this very thing, and we've had this problem repeatedly solved in increasingly "hold my beer" ways for the past forty years, because "how do I keep these systems up to date, secure and reliable so actual work can be done?" is basically the most answered question in IT. These days the problems come more from, say, lacking firmware upgrades for the tools to do this exact kind of poo poo. Switching over 50k networks is the same as switching over one difficulty-wise, you just need more people to coordinate it.
|
# ? May 13, 2017 01:19 |
|
Any IT project that takes more than 3 months and involves more than 4 people is a loving nightmare already, I can't even imagine the horror something like that would entail. Like one of those madness-inducing vistas from Lovecraft's stories.
|
# ? May 13, 2017 01:23 |
This bit of ransomware uses a vulnerability first found by the NSA, who sat on it (and possibly used it) for ages until someone hacked them and sprayed a bunch of their secret sauce all over the internet. Only then did they tell Microsoft about it. This ought to light a fire under all those "should the NSA/GCHQ be mostly defending or attacking" debates.
|
# ? May 13, 2017 01:25 |