
Comment Re:Why commercial software security will always su (Score 1) 81

Commercial software has three competing groups of profit-seekers: the vendor, the corporate user, and hackers.

  • Vendors of commercial software (that is not explicitly designed to be secure) provide just good enough security. Security could be a total facade, but it appears to be secure and thus is selected by businesses.
    • Vendors of software explicitly designed to be secure will have a much better chance of resisting hackers, as their reputation is a major factor in profiting. However, they are still profit-seekers, so there are limits to their own security.
  • Hackers specialize in different pieces of software, and the fewer vulnerabilities, the longer specialization requires. When a hacker (group) specializes in a piece of commercial software and exploits a vulnerability, then the vendor response is a patch that is just good enough to prevent it from happening in the same way. Vulnerabilities in a similar vein may be discovered in the process and patched, but there is no grand effort to seek out all vulnerabilities that spans any meaningful length of time.
  • For the corporate user, if too many security breaches occur due to a particular piece of software, then that piece of software is not selected for and thus a new piece of software replaces its function. The new software may or may not have superior security, but by switching, anyone specifically targeting you must specialize in a new piece of software, which is done in the hope of increasing the cost/time for you to be attacked by the same actor.
    • If the commercial software is a dependency of other software, then it can cause a locked-in effect where the (perceived) cost of moving to a new system exceeds the cost of further breaches. So even if commercial software is likely to be breached again, so long as the (perceived) cost of switching software exceeds that of another breach, then the commercial software is determined to be just good enough and thus remains selected for.

The result is businesses will continue using bad commercial software so long as it is perceived as just good enough. Before most commercial software was deeply tied to relying on remote servers, old versions of software remained just good enough, so long as no unsolvable problems were encountered. Remote servers are now used to function as an instant unsolvable problem, thus forcing a version upgrade which has added new vulnerabilities.

Final note: Commercial software will ALWAYS fail when pitted against nation-state actors because the cost to a nation-state is largely irrelevant, as the primary motive is using the information gained from the breach. As such, the only way to resist nation-state actors is to use software and hardware that is designed expressly to be secure. That said, doing this merely shifts the focus/burden to the system/people that surround your software/hardware.

For something like a major insurance company, they should be assuming that they will be hit by nation-state actors and that they need to have a plan B, plan C, and probably a plan D for when it fails. It doesn't seem like they were prepared.

Comment Re:It's bad (Score 1) 81

Legacy CHC employee here, and all I can say is that yes, it's bad.

Most of us have been down or idle for 10 days, unable to log in or do any real work since a lot of our tools are also down or inaccessible (Jira, Clarity, ServiceNow, etc. etc.).

Keep a happy thought that this shit will get straightened out soon.

Or it is all lost and DHHS finds that it was negligence of the C suite that allowed the breach to happen and people go to jail and someone has to rebuild it with security and not HITRUST in mind.

Comment Re:what a nasty web (Score 1) 81

These companies are either covered by HIPAA or sign a Business Associates Agreement (BAA) agreeing to be covered by HIPAA and subject to the penalties of HIPAA (maximum fine of $50,000 per user's data disclosed in a breach and up to 10 years in jail if the cause of the breach is determined to be negligence).

The problem is that it is an industry ruled by certifications and checklists more than knowledge and ability.

There are people working at fixing the individual flaws in HITRUST but not in the flaw of thinking that you can just follow a third party checklist and magically be secure. Cyber insurance companies give favorable rates for ISO27001 and HITRUST compliance so the industry generally follows them. I'm not entirely sure how to get the industry to focus more on proper risk reduction by doing things like reducing attack surfaces and realistic risk assessments.

An example is a requirement that you do an annual pentest. You can spend anywhere from $600 to $120,000 for a pentest. If you want a pentest that says your systems are great you hire someone to do a $600 pentest. If you actually want to know what is wrong with your systems you spend for the $120,000 pentest. Most people don't want to know what is wrong, they just want the certificate that says "We didn't find anything after we ran a few scans with some open-source tools."

Comment Re:When will they learn??? (Score 2) 81

When will corporations, governments, and courts realize that high security and strong encryption are critical to prevent these attacks from happening??? If I wasn't so old, I'd go back to school to specialize in cybersecurity consulting.

I can give you about a 99.9% confident answer that everything was encrypted in transit and at rest.

There is a huge HITRUST framework that insurance companies try and get their vendors to follow. It is about 70% good ideas, 29% meaningless, and 1% bad ideas that will undermine security. HITRUST makes the mistake of thinking that human beings are reliable if they are not malicious and it is very fond of error prone manual processes over reliable automated processes.

There is a law, and there is a detailed spec that the insurance company has drawn up and thousands of people are mindlessly following it.

Comment Re:Explain to me again (Score 1) 81

In this case, they are going to be facing questions from HHS (Department of Health and Human Services), and if HHS doesn't like the answers they receive, they can refer them to the Justice Department for prosecution under HIPAA for negligence with a maximum jail term of 10 years.

Their defense will be "We followed HITRUST and are certified as HITRUST compliant". Never mind that HITRUST is a severely flawed security standard that has many requirements that weaken security.

It is the worst thing about working in the healthcare industry. The security policies are more about proving that you are doing something and can blame someone else and not really about having the defense in depth and keeping security and the business goals in sync. Just randomly quoting HITRUST or ISO27001 or some other standard to mindlessly 99% follow with "a few exceptions" that make everything else meaningless. I saw a company that said "Developers cannot access production" that also had over 10,000 one-time exceptions of developers accessing production. You can create tools so developers don't need to access production, but in healthcare, it is by decree and no budget.

Comment Re:How long did they run the trial? (Score 1) 36

AI is dreaming up drugs that no one has ever seen. Now we’ve got to see if they work.

ChatGPT Gaining Foothold in Drug Development, Clinical Trials.

I didn't read the Bloomberg article because it's subscription-walled, but I did read the Gizmodo equivalent. It didn't say how long the teams were given, but I suspect it was a lot less time than scientists spent with AI when they started finding new drugs.

If AI can help scientists create new drugs, it seems very unlikely to me that it can't help them to create bioweapons as well. This story comes across as criticism-deflecting feel-good propaganda.

If it is true that Chat GPT wouldn't be used, I suspect that it is because there are much better AIs to use for drug development than ChatGPT.

Comment Re:I'm not sure about that (Score 1) 42

Those rights are only with the original purchaser of the coin (at least in countries like the US and England).

If the seller of the rights reneges and a purchaser in the secondary market sues, the seller will simply demur, claiming that there is no contract between the seller and the owner of the coin and that therefore the owner of the coin has no standing to sue. This is covered in this video on the problems with NFTs.

Comment Re:Since AI isn't going to do investigative report (Score 1) 37

Hmm, just thinking about this, AI could do some investigative reporting.

Feed an AI bot much of the video feeds of London and have it describe anomalies.

I don't know what percentage of London's surveillance state cameras have their feed accessible, but it could probably report car accidents and street crimes. It might even be able to do public interest stories about new food trucks and businesses.

It would be interesting to see if it could verify quarterly reports of publicly traded companies. An AI could probably do a lot of the summarization of anomalies of quarterly filings at the minimum and also generate the vapid fluff that the financial press puts out about how the market is reacting to an earnings report.

Based on how Ronald Reagan announced baseball games, an AI could probably do the same in real time from the stat sheet, as he was announcing the games from just what was coming over the wire service, which was mostly just the stats.
