Comment Re:We need a Foundation (Score 1) 66

The idea's always appealed to me. From time to time we re-codify laws, we need to do the same for all human knowledge.

Set a baseline year - presumably whenever you start the project - and try to distill everything into a single encyclopedia of all human knowledge, a reference for getting someone from the stone age to the information age in as few steps as possible. We really don't need every paper ever published, and trying to keep it all means we're not in control of what is missing when something inevitably gets lost. It's a massive project, and would take a long time and inevitably be imperfect, but I think it's worth the attempt.

When you have the best encyclopedia you can churn out, you etch it into quartz tablets that can be human-read with a decent magnifying glass, and you put those tablets into a cave in some very geologically stable place. And then you take your digital copies and give them to whoever wants them.

Isn't that why we have the Library of Congress?

Comment Re:Missing point (Score 2) 12

I must be missing some point, but repository signing and developer 2FA access will not prevent a rogue actor from registering an account and pushing malicious software.

It's about being able to trust the response after an incident happens.

If Jane Doe's credentials are used to push malware then in the response you blacklist Jane Doe's credentials and don't trust any fixes from Jane.

In the past only Debian has had reasonable procedures around this, from having had to deal with the occasional rogue developer.

Comment Re:Why commercial software security will always su (Score 1) 81

Commercial software has three competing groups of profit-seekers: the vendor, the corporate user, and hackers.

* Commercial software (that is not explicitly designed to be secure) is provided by vendors with just good enough security. Security could be a total facade, but it appears to be secure and thus is selected by businesses.
  * Vendors of software explicitly designed to be secure will have a much better chance of resisting hackers, as their reputation is a major factor in profiting. However, they are still profit-seekers, so there are limits to their own security.
* Hackers specialize in different pieces of software, and the fewer vulnerabilities, the longer specialization requires. When a hacker (group) specializes in a piece of commercial software and exploits a vulnerability, the vendor response is a patch that is just good enough to prevent it from happening in the same way. Vulnerabilities in a similar vein may be discovered in the process and patched, but there is no grand effort to seek out all vulnerabilities that spans any meaningful length of time.
* For the corporate user, if too many security breaches occur due to a particular piece of software, then that piece of software is not selected for, and thus a new piece of software replaces its function. The new software may or may not have superior security, but by switching, anyone specifically targeting you must specialize in a new piece of software, which is done in the hope of increasing the cost/time for you to be attacked by the same actor.
  * If the commercial software is a dependency of other software, then it can cause a locked-in effect where the (perceived) cost of moving to a new system exceeds the cost of further breaches. So even if commercial software is likely to be breached again, so long as the (perceived) cost of switching software exceeds that of another breach, the commercial software is determined to be just good enough and thus remains selected for.

The result is that businesses will continue using bad commercial software so long as it is perceived as just good enough. Before most commercial software was deeply tied to relying on remote servers, old versions of software remained just good enough, so long as no unsolvable problems were encountered. Remote servers are now used to function as an instant unsolvable problem, thus forcing a version upgrade which adds new vulnerabilities.

Final note: Commercial software will ALWAYS fail when pitted against nation-state actors, because the cost to a nation-state is largely irrelevant as the primary motive is using the information gained from the breach. As such, the only way to resist nation-state actors is to use software and hardware that is designed expressly to be secure. That said, doing this merely shifts the focus/burden to the system/people that surround your software/hardware.

For something like a major insurance company, they should be assuming that they will be hit by nation-state actors and that they need to have a plan B, plan C, and probably a plan D for when it fails. It doesn't seem like they were prepared.

Comment Re:It's bad (Score 1) 81

Legacy CHC employee here, and all I can say is that yes, it's bad.

Most of us have been down or idle for 10 days, unable to log in or do any real work since a lot of our tools are also down or inaccessible (Jira, Clarity, ServiceNow, etc. etc.).

Keep a happy thought that this shit will get straightened out soon.

Or it is all lost and DHHS finds that it was negligence of the C suite that allowed the breach to happen and people go to jail and someone has to rebuild it with security and not HITRUST in mind.

Comment Re:what a nasty web (Score 1) 81

These companies are either covered by HIPAA or sign a Business Associates Agreement (BAA) agreeing to be covered by HIPAA and subject to the penalties of HIPAA (maximum fine of $50,000 per user's data disclosed in a breach and up to 10 years in jail if the cause of the breach is determined to be negligence).

The problem is that it is an industry ruled by certifications and checklists more than knowledge and ability.

There are people working at fixing the individual flaws in HITRUST but not in the flaw of thinking that you can just follow a third party checklist and magically be secure. Cyber insurance companies give favorable rates for ISO27001 and HITRUST compliance so the industry generally follows them. I'm not entirely sure how to get the industry to focus more on proper risk reduction by doing things like reducing attack surfaces and realistic risk assessments.

An example is a requirement that you do an annual pentest. You can spend anywhere from $600 to $120,000 for a pentest. If you want a pentest that says your systems are great you hire someone to do a $600 pentest. If you actually want to know what is wrong with your systems you spend for the $120,000 pentest. Most people don't want to know what is wrong, they just want the certificate that says "We didn't find anything after we ran a few scans with some open-source tools."

Comment Re:When will they learn??? (Score 2) 81

When will corporations, Governments, and courts realize that high security and strong encryption are critical to prevent these attacks from happening??? If I wasn't so old, I'd go back to school to specialize in cybersecurity consulting.

I can give you about a 99.9% confident answer that everything was encrypted in transit and at rest.

There is a huge HITRUST framework that insurance companies try and get their vendors to follow. It is about 70% good ideas, 29% meaningless, and 1% bad ideas that will undermine security. HITRUST makes the mistake of thinking that human beings are reliable if they are not malicious and it is very fond of error prone manual processes over reliable automated processes.

There is a law, and there is a detailed spec that the insurance company has drawn up and thousands of people are mindlessly following it.

Comment Re:Explain to me again (Score 1) 81

In this case, they are going to be facing questions from HHS (department of Health and Human Services) and if HHS doesn't like the answers they receive they can refer them to the Justice Department for prosecution under HIPAA for negligence with a maximum jail term of 10 years.

Their defense will be "We followed HITRUST and are certified as HITRUST compliant". Never mind that HITRUST is a severely flawed security standard that has many requirements that weaken security.

It is the worst thing about working in the healthcare industry. The security policies are more about proving that you are doing something and can blame someone else and not really about having the defense in depth and keeping security and the business goals in sync. Just randomly quoting HITRUST or ISO27001 or some other standard to mindlessly 99% follow with "a few exceptions" that make everything else meaningless. I saw a company that said "Developers cannot access production" that also had over 10,000 one-time exceptions of developers accessing production. You can create tools so developers don't need to access production, but in healthcare, it is by decree and no budget.

Comment Re:How long did they run the trial? (Score 1) 36

AI is dreaming up drugs that no one has ever seen. Now we’ve got to see if they work.

ChatGPT Gaining Foothold in Drug Development, Clinical Trials.

I didn't read the Bloomberg article because it's subscription-walled, but I did read the Gizmodo equivalent. It didn't say how long the teams were given, but I suspect it was a lot less time than scientists spent with AI when they started finding new drugs.

If AI can help scientists create new drugs, it seems very unlikely to me that it can't help them to create bioweapons as well. This story comes across as criticism-deflecting feel-good propaganda.

If it is true that Chat GPT wouldn't be used, I suspect that it is because there are much better AIs to use for drug development than ChatGPT.
