Can we really trust IT?


ML1
Volunteer tester
Joined: 25 Nov 01
Posts: 8574
Credit: 4,234,167
RAC: 808
United Kingdom
Message 1328436 - Posted: 17 Jan 2013, 22:56:45 UTC
Last modified: 17 Jan 2013, 22:59:51 UTC

This thread is inspired from "Can we really trust the software we use?" to be a little broader.


I'll kick off with an old one that has rebounded yet again:


Here we go again: New NHS patient database plan sets off alarm bells

Health Sec Hunt wants your [medical] records in the cloud by 2018



At least with the present paper-based system, access is nominally gate-keepered by your doctor and his records assistant, all hopefully with a little human intelligence and rate limited to one viewing at a time and physically at your health centre...


IT is what we make it...
Martin
____________
See new freedom: Mageia4
Linux Voice See & try out your OS Freedom!
The Future is what We make IT (GPLv3)

James Sotherden
Joined: 16 May 99
Posts: 9043
Credit: 36,978,914
RAC: 15,239
United States
Message 1328704 - Posted: 18 Jan 2013, 17:49:23 UTC - in response to Message 1328436.

This thread is inspired from "Can we really trust the software we use?" to be a little broader.


I'll kick off with an old one that has rebounded yet again:


Here we go again: New NHS patient database plan sets off alarm bells

Health Sec Hunt wants your [medical] records in the cloud by 2018



At least with the present paper-based system, access is nominally gate-keepered by your doctor and his records assistant, all hopefully with a little human intelligence and rate limited to one viewing at a time and physically at your health centre...


IT is what we make it...
Martin


My Dr. has had a paperless office for two years. At least it's not in the cloud yet.
The cloud! Another way for the Gov to know everything you do.

It seems to be a growing trend in the US for medical records to go digital.
____________

Old James

Ex
Volunteer moderator
Volunteer tester
Joined: 12 Mar 12
Posts: 2895
Credit: 1,797,699
RAC: 396
United States
Message 1328706 - Posted: 18 Jan 2013, 17:55:41 UTC

(I don't know when online storage started being called "the cloud" but it wasn't too long ago.)

And yes the major health systems in my area are all paperless now, I know that it wasn't easily implemented for either of the two big boys in town. I remember one day where all the meds in the hospital had to be ordered by paper because the pharmacy end of the system wasn't working.

You can't have those kinds of failures in a hospital. I'm ok with paperless if the tech is ready, but I think none of us are on board with a nationwide online database.

However, we all have all sorts of personal details already stored by many entities, in the "cloud".
____________
-Dave #2

3.2.0-33

Gary Charpentier (Project donor)
Volunteer tester
Joined: 25 Dec 00
Posts: 13000
Credit: 7,666,159
RAC: 6,190
United States
Message 1328781 - Posted: 18 Jan 2013, 20:22:52 UTC - in response to Message 1328706.

Interesting. Had a talk with my Doc the other day about paper/paperless. The Patient Protection and Affordable Care Act apparently contains provisions mandating paperless. PITA. But as the Doc put it, without even a VPN the Doc is presently able to log into some (unnamed intentionally) hospitals and have full access to records and prescribe. All I can say is how much of an idiot is designing this system?

____________

James Sotherden
Joined: 16 May 99
Posts: 9043
Credit: 36,978,914
RAC: 15,239
United States
Message 1329016 - Posted: 19 Jan 2013, 6:31:45 UTC

Now that is scary.

I know the VA is paperless. It makes sense that a vet can be admitted to any VA hospital and they can get access to your records. ( Well any patient I suppose from any hospital ) But just to be able to access any file on a whim?
____________

Old James

Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 11794
Credit: 1,787,786
RAC: 1,688
Syria
Message 1329048 - Posted: 19 Jan 2013, 10:02:48 UTC

Can we really trust IT? Not according to this report....

Chip & Pin had its day?

....with a nice highly debatable ending........

"You have no control over tech security."
____________

Gary Charpentier (Project donor)
Volunteer tester
Joined: 25 Dec 00
Posts: 13000
Credit: 7,666,159
RAC: 6,190
United States
Message 1330803 - Posted: 24 Jan 2013, 18:28:56 UTC

http://arstechnica.com/security/2013/01/secret-backdoors-found-in-firewall-vpn-gear-from-barracuda-networks/
no password backdoor in ROM.

____________

Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 11794
Credit: 1,787,786
RAC: 1,688
Syria
Message 1330967 - Posted: 24 Jan 2013, 23:27:07 UTC - in response to Message 1330803.

Good link with some highly interesting reports linked off it....

The Hunt for Red October

Red October loves Java

Red October goes dark....for now....

Are you sure your phone is secure?


____________

Gary Charpentier (Project donor)
Volunteer tester
Joined: 25 Dec 00
Posts: 13000
Credit: 7,666,159
RAC: 6,190
United States
Message 1330972 - Posted: 24 Jan 2013, 23:40:14 UTC - in response to Message 1330967.

Are you sure your phone is secure?

Cui's hack works by overwriting portions of the kernel space in the phone's memory. That allows him to gain root access to the phone's Unix-like firmware system and take control of the digital signal processor and other key functions.

Just wonder which Linux kernel the phone is running. And is the bug allowing the overwrite present in other flavors of that kernel running on other devices.

____________

Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 11794
Credit: 1,787,786
RAC: 1,688
Syria
Message 1330986 - Posted: 25 Jan 2013, 0:57:26 UTC - in response to Message 1330972.
Last modified: 25 Jan 2013, 0:59:39 UTC

Just wonder which Linux kernel the phone is running. And is the bug allowing the overwrite present in other flavors of that kernel running on other devices.


Well with all the 1000's of posts on this forum alone regarding O/S'es & their weaknesses, just wonder what happened to the peer review in this case!

Also, with the Red October issue - aren't many of those systems run by governments/corporations running Linux?
____________

Ex
Volunteer moderator
Volunteer tester
Joined: 12 Mar 12
Posts: 2895
Credit: 1,797,699
RAC: 396
United States
Message 1331020 - Posted: 25 Jan 2013, 3:38:34 UTC - in response to Message 1330972.
Last modified: 25 Jan 2013, 3:39:12 UTC

Are you sure your phone is secure?

Cui's hack works by overwriting portions of the kernel space in the phone's memory. That allows him to gain root access to the phone's Unix-like firmware system and take control of the digital signal processor and other key functions.

Just wonder which Linux kernel the phone is running. And is the bug allowing the overwrite present in other flavors of that kernel running on other devices.

Doesn't Cisco use a highly customized, almost proprietary version of a Unix/Linux family OS?

In other words, I doubt it's a kernel that's commonly used, or even resembles one. But I would be curious to know.
Wouldn't be surprised if it was 2.6 if it is a "normal" kernel they use.
____________
-Dave #2

3.2.0-33

ML1
Volunteer tester
Joined: 25 Nov 01
Posts: 8574
Credit: 4,234,167
RAC: 808
United Kingdom
Message 1331136 - Posted: 25 Jan 2013, 13:58:26 UTC - in response to Message 1331020.
Last modified: 25 Jan 2013, 14:01:31 UTC

Are you sure your phone is secure?

Cui's hack works by overwriting portions of the kernel space in the phone's memory. That allows him to gain root access to the phone's Unix-like firmware system and take control of the digital signal processor and other key functions.

Just wonder which Linux kernel the phone is running. And is the bug allowing the overwrite present in other flavors of that kernel running on other devices.

Doesn't Cisco use a highly customized, almost proprietary version of a Unix/Linux family OS?

In other words, I doubt it's a kernel that's commonly used, or even resembles one. But I would be curious to know.
Wouldn't be surprised if it was 2.6 if it is a "normal" kernel they use.

Indeed so: It's an 'embedded device' that is stripped down to the minimum... Those phones first came out quite a long time ago and so are likely based on whatever kernel version was in vogue at that time...

The actual flaw is: "due to a failure to properly validate input passed to kernel system calls from applications running in userspace". See: Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability

To exploit the vulnerability, you need to have physical access to the phone or a successful remote login. So, difficult to exploit unless you have a "James Bond" janitor wandering around reprogramming them!...


That vulnerability is very obviously not on mainstream Linux kernels!

No software is infallible to proprietary rush! And we become more vulnerable as we rush to ever more elaborate interconnected systems...


Aside: Should those researchers now be persecuted in a similar way to Aaron Swartz for exposing something so obviously highly illegal and world-shatteringly damaging?... They've very clearly and publicly executed a 'break-in'. The USA laws are there and vague enough for doing that, for the threat of 50+ years unto bankruptcy and death...


IT is what we make it,
Martin

Disclaimer: Merely my own personal opinion as ever...
____________
See new freedom: Mageia4
Linux Voice See & try out your OS Freedom!
The Future is what We make IT (GPLv3)
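The flaw class Martin quotes from the advisory above, a kernel system call that trusts a length handed to it from userspace, is easiest to see in a small model. The following C is an added example for this thread, not Cisco's code and not anything posted here: a fixed arena stands in for kernel memory, the first half is the syscall's copy buffer and the second half is unrelated kernel state sitting beside it. The unchecked handler copies whatever length the caller claims and so clobbers the adjacent state; the checked handler validates the length and the claimed user address range first (the range constants, error codes and sentinel pattern are all constructed for the model).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy kernel memory (constructed for this example): arena[0..31] is the
 * syscall's copy buffer, arena[32..63] is unrelated adjacent kernel state. */
#define KBUF_LEN   32
#define ARENA_LEN  64
#define SENTINEL   0xA5
#define EINVAL_TOY 22   /* stands in for -EINVAL */
#define EFAULT_TOY 14   /* stands in for -EFAULT */

/* Constructed "user address space" bounds; a real kernel checks the
 * caller's pointer against its user range (Linux does this in access_ok()). */
#define USER_BASE  0x1000
#define USER_LIMIT 0x2000

static uint8_t arena[ARENA_LEN];
int last_rc;  /* return code of the most recent simulated syscall */

struct user_req {
    const uint8_t *data;   /* bytes the application wants copied in */
    size_t         len;    /* length supplied by the application: untrusted */
    uintptr_t      uaddr;  /* address the application claims data lives at */
};

/* Unchecked handler: copies exactly what userspace asked for into the
 * fixed buffer. Any len > KBUF_LEN spills into the adjacent state. */
int syscall_copy_unchecked(const struct user_req *req) {
    memcpy(arena, req->data, req->len);
    return 0;
}

/* Hardened handler: every untrusted field is validated before kernel
 * memory is touched, and the call fails closed with an error code. */
int syscall_copy_checked(const struct user_req *req) {
    if (req->data == NULL || req->len == 0 || req->len > KBUF_LEN)
        return -EINVAL_TOY;
    if (req->uaddr < USER_BASE ||
        req->uaddr + req->len < req->uaddr ||        /* wrap-around guard */
        req->uaddr + req->len > USER_LIMIT)
        return -EFAULT_TOY;
    memcpy(arena, req->data, req->len);
    return 0;
}

/* Fill the adjacent state with a known sentinel so damage is measurable. */
static void reset_arena(void) {
    memset(arena, 0, KBUF_LEN);
    memset(arena + KBUF_LEN, SENTINEL, ARENA_LEN - KBUF_LEN);
}

/* Count adjacent-state bytes that no longer hold the sentinel. */
size_t corrupted_adjacent_bytes(void) {
    size_t n = 0;
    for (size_t i = KBUF_LEN; i < ARENA_LEN; i++)
        if (arena[i] != SENTINEL) n++;
    return n;
}

/* Run one request of the given claimed length/address through a handler;
 * the payload is constructed (0x41 bytes). Returns bytes corrupted beyond
 * the buffer and leaves the handler's return code in last_rc. */
size_t run_request(int (*handler)(const struct user_req *),
                   size_t len, uintptr_t uaddr) {
    uint8_t payload[ARENA_LEN];
    if (len > sizeof payload) len = sizeof payload;
    memset(payload, 0x41, sizeof payload);
    struct user_req req = { payload, len, uaddr };
    reset_arena();
    last_rc = handler(&req);
    return corrupted_adjacent_bytes();
}

int main(void) {
    size_t bad = run_request(syscall_copy_unchecked, 48, USER_BASE + 0x10);
    printf("unchecked, len 48: rc=%d, %zu adjacent bytes corrupted\n", last_rc, bad);
    bad = run_request(syscall_copy_checked, 48, USER_BASE + 0x10);
    printf("checked,   len 48: rc=%d, %zu adjacent bytes corrupted\n", last_rc, bad);
    bad = run_request(syscall_copy_checked, 16, USER_BASE + 0x10);
    printf("checked,   len 16: rc=%d, %zu adjacent bytes corrupted\n", last_rc, bad);
    return 0;
}
```

The point of the model is the shape of the fix rather than the numbers: the kernel side never has a reason to believe a length or pointer that came across the syscall boundary, so both are bounded against kernel-owned limits before any copy, and the overflow-safe ordering of the address check (testing for wrap-around before testing the upper limit) is what keeps a crafted large length from slipping past it.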

Gary Charpentier (Project donor)
Volunteer tester
Joined: 25 Dec 00
Posts: 13000
Credit: 7,666,159
RAC: 6,190
United States
Message 1331145 - Posted: 25 Jan 2013, 15:01:29 UTC - in response to Message 1331136.

That vulnerability is very obviously not on mainstream Linux kernels!
Disclaimer: Merely my own personal opinion as ever...

I smell an assumption of how you want the world to be.

____________

Gary Charpentier (Project donor)
Volunteer tester
Joined: 25 Dec 00
Posts: 13000
Credit: 7,666,159
RAC: 6,190
United States
Message 1331199 - Posted: 25 Jan 2013, 17:29:20 UTC

Excellent read:
NBS 500-75 Validation, Verification, and Testing of Computer Software
http://books.google.com/books?id=arNTsaD5FxEC&pg=PR2&lpg=PR2&dq=nbs+special+publication+500-75&source=bl&ots=L_sOiOQKHh&sig=Vy2D5SBaPCLYOxZ8N4LZeHSPCjA&hl=en&sa=X&ei=Ar0CUaWEFMTVigLW1YGQDw&ved=0CC4Q6AEwADgK

One of the main points it makes is that no matter how many sets of eyeballs look at code, unless you apply design discipline to those eyeballs, errors will be present.

A couple others you should look at are, if you care about software:
NBS 500-93 Software Validation, Verification, and Testing Technique and Tool Reference Guide
NBS 500-98 Planning for Software Validation, Verification, and Testing,
NBS 500-99 Structured Testing: A Software Testing Methodology Using the Cyclomatic Complexity Metric


____________

ML1
Volunteer tester
Joined: 25 Nov 01
Posts: 8574
Credit: 4,234,167
RAC: 808
United Kingdom
Message 1331258 - Posted: 25 Jan 2013, 20:05:14 UTC - in response to Message 1331145.

That vulnerability is very obviously not on mainstream Linux kernels!

I smell an assumption of how you want the world to be.

Well, for your disparaging assertion, please list the bug report or rather the world headlines for such a dire problem for the Linux kernel.

How does that compare to Microsoft Windows?

How does that compare to other proprietary systems?


Can we have some real comment and links rather than the lame mud slinging please?

IT is indeed what we make it...
Martin

____________
See new freedom: Mageia4
Linux Voice See & try out your OS Freedom!
The Future is what We make IT (GPLv3)

ML1
Volunteer tester
Joined: 25 Nov 01
Posts: 8574
Credit: 4,234,167
RAC: 808
United Kingdom
Message 1331259 - Posted: 25 Jan 2013, 20:08:58 UTC - in response to Message 1331199.

... One of the main points it makes is that no matter how many sets of eyeballs look at code, unless you apply design discipline to those eyeballs, errors will be present. ...

Indeed so.

Note also that open peer review ensures state of the art practice for suitably patronized projects.

Hence, is that why Linux is steadily taking over the computing world?...


We really do need a good worthy competitor system to Linux that similarly includes freedom for the users, lest we suffer the evil of there only being Linux...

IT is what we make it,
Martin

____________
See new freedom: Mageia4
Linux Voice See & try out your OS Freedom!
The Future is what We make IT (GPLv3)

Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 11794
Credit: 1,787,786
RAC: 1,688
Syria
Message 1331297 - Posted: 25 Jan 2013, 21:43:57 UTC - in response to Message 1331258.

Can we have some real comment and links rather than the lame mud slinging please?

IT is indeed what we make it...
Martin


Already have, to one of which you replied - Cisco Phones. However, no comment on the Red October issues......

... or are you arrogantly assuming that ALL the systems hacked were Windows?
____________

Gary Charpentier (Project donor)
Volunteer tester
Joined: 25 Dec 00
Posts: 13000
Credit: 7,666,159
RAC: 6,190
United States
Message 1331353 - Posted: 25 Jan 2013, 23:45:44 UTC - in response to Message 1331259.

Note also that open peer review ensures state of the art practice for suitably patronized projects.

suitably patronized is what, 0.1% of FOSS projects?

____________

ML1
Volunteer tester
Joined: 25 Nov 01
Posts: 8574
Credit: 4,234,167
RAC: 808
United Kingdom
Message 1331372 - Posted: 26 Jan 2013, 1:14:14 UTC - in response to Message 1331353.

Note also that open peer review ensures state of the art practice for suitably patronized projects.

suitably patronized is what, 0.1% of FOSS projects?

There goes your mud slinging again.

What matters are those projects of significance that make a difference. Just as in natural evolution, there is a lot of wastage as new ideas are tried out by new people. The best and/or most 'interesting' survive and prosper.

Perhaps that is why Linux systems have already 'taken over' for where it matters... Linux systems certainly have a far better record than certain other systems for thwarting malware...


IT is what we make it...
Martin

____________
See new freedom: Mageia4
Linux Voice See & try out your OS Freedom!
The Future is what We make IT (GPLv3)

ML1
Volunteer tester
Joined: 25 Nov 01
Posts: 8574
Credit: 4,234,167
RAC: 808
United Kingdom
Message 1331373 - Posted: 26 Jan 2013, 1:16:47 UTC - in response to Message 1331297.

Already have to which you replied to one - Cisco Phones. However, no comment on the Red October issues......

Wow!

Of all the widespread examples, and compared to the unmanageable blizzard of malware and exploits that Windows appears to suffer... You have just those *two* examples?...


I'll let you do the leg work on those! Choose your own expense and goodness or other...

IT is still what we make it...
Martin

____________
See new freedom: Mageia4
Linux Voice See & try out your OS Freedom!
The Future is what We make IT (GPLv3)


Copyright © 2014 University of California