
Comment: Re:Just Lie (Score 1) 317

by Eosi (#48554287) Attached to: Ask Slashdot: Are Any Certifications Worth Going For?
Yeah, very bad advice. If you get yourself into a security audit / compliance review position, where you have to be a CISSP, CISA or CISM (as an example), and the company is breached, you can be sued in some cases. Granted, the company should ask for proof, and two I have been at have asked; others take you at your word (CISSP has an ethics policy, for instance). Easier to just take the test.

Comment: Re:... Everything? (Score 1) 528

by Eosi (#48531353) Attached to: The Sony Pictures Hack Was Even Worse Than Everyone Thought
Sorta, there are some other parts that get ignored. But I have heard this before.

So HIPAA *SHOULD* apply to you *IF* you have to keep the medical record of the people you treat or transport. Likely you do not keep the record but provide it to the hospital, so you would be fine (that, or shred it when returning to the barn / fire house). In that case, the "mini security rule" part of the Privacy Rule would be all that applies to you.

At least that was the case when I was doing HIPAA (I've moved on to other things; while I still know it, I focus on ISO, RFM, PCI, SOX, etc. now).

Comment: Re:... Everything? (Score 1) 528

by Eosi (#48531305) Attached to: The Sony Pictures Hack Was Even Worse Than Everyone Thought
Oh, I agree, if you touch one card a year, and are a business, you need to ensure you are PCI compliant.

My comment was in reference to PWC trying to tell a company that did not touch cards at all that they needed to be PCI and HIPAA compliant "due to HR potentially having medical data in employees' files"...

I have worked with QSAs from 5 different organizations, including one that became an ISA for the company I worked at. None of them could agree on what the PCI rules meant, much less how to meet them. Only one of them I would trust to do my review, but even then, my company told us to "only answer what he asks, with short phrases, so he does not find issues"..... HELLO, they are there to help you prevent issues or protect you in the case of a breach (Hello, how was Target compliant with AV that was from 2007 and had been EOL for over three years?).

Sorry, I digress..... Compliance is important, but only when applied correctly. Security is even more important than compliance... but compliance is NOT security..... Never will be.

Comment: Re:... Everything? (Score 2) 528

by Eosi (#48529537) Attached to: The Sony Pictures Hack Was Even Worse Than Everyone Thought
Sigh, wrong... HIPAA is for "Covered Entities".... So unless you work for a medical profession, insurance processor, etc., your work is not covered by HIPAA. For everyone else that data is called PII. Now, laws protect PII, but HIPAA is not one of them for non-covered entities.

Working in security, and being a former HIPAA security officer, I hear that "excuse" all the time from people, especially outside auditors like PWC (they should know this shit, right?). They also try to push PCI on companies that do not process credit cards.

Sony could have that information, as part of FMLA requires you to have that data; also some states (though mostly a company issue to cover their bases) require medical notes if you miss three or more days of work, as "proof" you were sick. While for the doctor it's HIPAA, for work it's PII. This is to protect the company if you were to sue.

Potentially they would have it due to work-related accidents, limited work requirements (such as someone with lifting restrictions), actor/actress requests, etc.

Just my two cents

Comment: Re:Dumbass. (Score 1) 246

by Eosi (#48505297) Attached to: 10-Year-Old iTunes DRM Lawsuit Heading To Trial
Dude, take your Adderall.

First off, that breakdown is what YOU AND I would pay for the parts, not what Apple paid. Second, not everything in the iPod was developed by Apple, more so in the original iPods. In the iPod touches, they used the iPhone chips for years, which did not require more engineering (as it was 90% of an iPhone). Over time, your cost goes down when you're not making 100% new things, just making updates or swapping out chips.

My point, which people forget, is that Apple has a lower cost margin than others do, and therefore makes more money per device.

That money does pay for costs in the devices, the OS they designed, etc. Regardless, they are making more than 30% on the iPod. The first rev of the hardware and software cost more than the next generations. Or do you assume that the iPod classic they sold for almost 10 years never made them more money on the "updated versions"... How often did that OS get updates? The hard drive cost to Apple would have gone down over that time period, but those reductions were not passed on to the consumer. The Zune sure did not have a 30% profit minimum for Microsoft.

My statement was about the music. Apple has NEVER disclosed their contract with BMG, not once. (If you can prove otherwise, I will retract my statement.) From my working in the music industry for many years, I can tell you that BMG does not get 70 cents per dollar on songs. Radio stations paid a flat fee to BMG for a year, normally around 25k for country music (this was in 2000). They made money (on paper) back from RCA and others to play Garth Brooks more per hour than other artists. RCA would do that to sell more CDs and get more tours for Garth. That is where they made their money.

Their statement was for independent artists, without a dedicated contract, that the profit was 30% per song.

Only an Apple fanboy would not wonder how Apple showed more than 30% profit many years in a row to Wall Street, and believe that they only made that little per device... 'Course, at the risk of causing negative comments and statements, if Microsoft had not given Apple money in the 90's and offered Office on Macs, Apple would not be where it is today.... But as normal on Slashdot, facts are optional.......

Carry on with the "Media" facts now....

Comment: Re:Sweeeet (Score 1) 246

by Eosi (#48505221) Attached to: 10-Year-Old iTunes DRM Lawsuit Heading To Trial
Interesting. So you're saying that Apple has made all of their contracts public, so that anyone can search them whenever they want.... Who is the moron now....

Apple has not done so for the music labels. What they charge the independent people who sell music, without a written contract, is what you *know* about.

When Apple increased the cost to allow for DRM-free music, they said they would not disclose what the agreement between them and BMG was to allow for that.

If you have said contract, please share it. You would find that your numbers are way off.

Comment: Re:Sweeeet (Score 2, Insightful) 246

by Eosi (#48500409) Attached to: 10-Year-Old iTunes DRM Lawsuit Heading To Trial
Please, this is Apple we are talking about. I recall the first iPod touch was broken down; it cost Apple $142 but they sold it for $500. That is a much larger markup than the 30 cents you listed. That $1 song likely cost them 15 cents to the artist, 25 cents to the labels and 10 cents to BMG. If that.

Comment: Re: Out of band patch.. (Score 4, Insightful) 167

by Eosi (#48418051) Attached to: Microsoft Azure Outage Across the Globe
Interesting... What about all the OpenSSL or SSH issues that happened this year, which in many cases were default as part of Linux servers???
Regardless of OS, poor testing of third-party apps / services or poor security as part of your deployment can cause you to be violated. I have seen many Linux servers still using Telnet or VNC for management, and allowing ROOT to log in directly to them....
Secure your environment regardless of what you run......
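The two management weaknesses the comment above names (direct root SSH login, and Telnet/VNC listening on the network) are easy to check for mechanically. The following is an added example, not code from the original thread or from any project mentioned in it; it parses a constructed sshd_config and a constructed `ss -ltn`-style listener table. The checks and thresholds (which settings count as weak, which ports count as Telnet/VNC) are assumptions a reviewer would tune to local policy.

```python
"""Audit sshd_config and listening sockets for the management weaknesses
named above. Added example; sample inputs are constructed, not captured."""
import re

# Assumption: these are the sshd settings a reviewer checks first and the
# values considered acceptable. Keys are lower-cased (sshd is case-insensitive).
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},  # no direct root logins
    "passwordauthentication": {"no"},                 # key-based auth only
    "permitemptypasswords": {"no"},                   # compiled default is no
}
# Settings whose compiled-in default is weak, so a missing line is itself a finding.
WEAK_IF_UNSET = {"permitrootlogin", "passwordauthentication"}

# Assumption: ports treated as clear-text / weakly authenticated management.
RISKY_PORTS = {23: "telnet"}
VNC_RANGE = range(5900, 6000)
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_sshd_config(text):
    """Return {keyword: value} as sshd would read it: comments stripped,
    FIRST occurrence of a keyword wins, and parsing stops at the first
    'Match' block (settings inside it are conditional and not audited here)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # later duplicates are ignored by sshd
    return settings


def audit_sshd(settings):
    """Return a list of human-readable findings for weak or missing settings."""
    findings = []
    for key, allowed in EXPECTED.items():
        value = settings.get(key)
        if value is None:
            if key in WEAK_IF_UNSET:
                findings.append(f"{key} not set; compiled default may permit it")
        elif value.lower() not in allowed:
            findings.append(f"{key}={value} (want one of {sorted(allowed)})")
    return findings


def flag_listeners(ss_output):
    """Flag Telnet/VNC listeners bound to anything other than loopback.
    Input is the text of `ss -ltn` (State Recv-Q Send-Q Local:Port Peer:Port)."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        local = fields[3]
        addr, _, port = local.rpartition(":")
        port = int(port)
        service = RISKY_PORTS.get(port) or ("vnc" if port in VNC_RANGE else None)
        if service and addr not in LOOPBACK:
            findings.append(f"{service} listening on {local}")
    return findings


# Constructed sample inputs (not from any real host).
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no          # ignored by sshd: first occurrence above wins
Match User backup
    PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

SAMPLE_SS_OUTPUT = """
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
LISTEN 0      128    [::]:5900           [::]:*
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd(parse_sshd_config(cfg)))
    print("listeners", flag_listeners(SAMPLE_SS_OUTPUT))
```

The parser deliberately mimics sshd's first-occurrence rule: the second `PermitRootLogin no` in the weak sample is ignored, which is exactly the kind of "we fixed it" line that looks fine in a diff and changes nothing on the host. The listener check keeps loopback-bound VNC (e.g. behind an SSH tunnel) out of the findings and flags only what is reachable from the network.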

Comment: Re:FISMA Security huh (Score 0) 54

by Eosi (#48401639) Attached to: State Department Joins NOAA, USPS In Club of Hacked Federal Agencies
I'm sorry, but are you saying that you do not want people to have Wisdom, when running this country? Experience makes you wiser. Reading a book only gives you the writer's opinion. Reading a wood working magazine may show you the 10 steps to build a cabinet, but that does not mean you can tell a master cabinet maker that they are doing it wrong because you read a book.... That's what we have by Congress telling Security personnel how to secure the network and data with all the regs like FISMA and such. Thanks for the input, but allow the people with the Wisdom to do their job....

Comment: Re:USPS is not a Federal Agency (Score 0) 54

by Eosi (#48401595) Attached to: State Department Joins NOAA, USPS In Club of Hacked Federal Agencies
Sorta correct. They have to abide by many federal standards, though, including federal holidays and things such as FISMA. I believe that they are also classified as government workers, or at least they were back in the 90's when my family worked for them. (They used to hire Marines and Army people as they left service, and they got their government pension.)
