Full Disclosure mailing list archives

Re: Undisclosed breach at major US facility


From: "Stack Smasher" <stacksmasher () gmail com>
Date: Wed, 5 Jul 2006 00:25:15 -0400

Like I said, shareholder value and profit play a huge role in people
getting off their ass and doing something to help the general public.
Seeing as how you have mostly worked at a university, you don't have an
executive board screaming at you that their intellectual property has
been sold to the highest bidder and the stock is dropping, so quit
wasting all of your time trying to stop students from using peer-to-peer
and get into the real workforce.

http://www.utdallas.edu/~pauls/plsresume.html
On 7/4/06, pauls () utdallas edu <pauls () utdallas edu> wrote:
--On July 4, 2006 6:22:18 PM -0400 Stack Smasher <stacksmasher () gmail com>
wrote:

> Hey Jackass, I know HIPAA has stiff penalties, but the fact is people
> are too fucking lazy to prosecute cases that don't involve terrorism or
> affect shareholder value, and let's face it, millions of people's
> information has been exposed in the last 5 years and NO ONE has done
> shit about it. Look at Ernst & Young for example; those fuckups
> should all be rotting in jail right now for the amount of customer
> data that has been exposed on multiple occasions. I can count 10
> incidents that I KNOW of; imagine how many have been kept quiet.
> HIPAA, Sarbanes-Oxley, GLBA, and the California breach act are paper
> tigers, and everyone that has a clue knows it. They are a bulldog with
> rubber teeth to give the general public a warm feeling about doing
> business with corporations that can't get their shit together. If you
> think I'm wrong then prove it!
>
If the effects of HIPAA, SOX, GLBA et al. could be measured in dollars, they
have cost corporations millions of dollars in software, hardware and
personnel expenses.  If they could be measured in time, they have already
cost corporations hundreds of thousands of man hours.  The regulations have
spawned uncountable numbers of seminars, speeches, papers and vendor visits
talking about what it all means and how one comes into compliance.
Unfortunately, the hype comes first, followed slowly by reasonably priced,
effective technology that actually addresses the problems that *can* be
addressed by technology.  The people problems are *much, much* harder to
address.

Furthermore, large organizations don't just change overnight.  Many
attitudes have to be changed before change takes place, not least the
realization that security really does matter.  Just because you don't *see*
the change doesn't mean the change isn't taking place, and just because
*you* know the solution to everyone else's problem doesn't mean everyone
will agree with you.

A perfect example of the dichotomy between what should be and what is is
the recent theft of a laptop with millions of VA records (including mine)
on it.  Full disk encryption has only recently become commercially
available in an easy to use *and* easy to recover methodology, and it's
still very expensive.  (If we were to encrypt every hard disk we have it
would cost us one-fifth of our entire existing IT budget and require
another half-employee just to keep up with recoveries from employees who
forget their passwords.)

Furthermore, I'm certain that the theft of the laptop never crossed the
mind of the employee who took the records home or of his (or her)
supervisors, who merely winked at the violation of policy (if indeed it
*was* a violation of policy!), because they were more concerned about
getting "extra" work out of the employee than they were about the potential
(and to them, theoretical) loss of data should the laptop be stolen.

In the real world problems don't get fixed overnight, especially ones that
are embedded into the culture like insecure thinking is.  When passwords
finally go away (and they will fairly soon), almost one-half of the
security problem will be solved, simply because humans will no longer be
making decisions about what constitutes a secure authentication methodology.

In order to understand the problem, you have to stop thinking in terms of
*your* computer(s) and start thinking in terms of thousands and thousands
of computers.  All of a sudden the reasons for a lot of things will become
crystal clear.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
"If you see me laughing, you better have backups"
