Recently I had an fMRI done as part of a research program at Northwestern and had to sign a bunch of paperwork where it was said that my data would be secured with a best effort.
Well, fast forward to last night where I was curious if their psych department had any webservers exposed to the internet, which it shouldn't. I found SIP servers, printers with admin rights, routers, personal computers, etc etc etc. HIPAA hell. And that was only on three subnets and only 80/443.
I sent their heads of technology an email to see if they could look into it, since I'd prefer that my data not be stolen by anyone who knows how to run wget. They closed the ticket with this:
bpchaps, I believe you do have good intentions. That being said, we are already performing regular scans of our systems. If you do stumble upon anything significant, please do contact us again.
:(
http://www.cyber.umd.edu/sites/default/files/documents/sympo...
Nothing to get a network admin to close a hole like an annoying undergrad stopping by your office every day, trying to get his extra credit before the semester is over.
I've been hesitant about reporting holes/vulnerabilities in the school's infrastructure until now, but it's reassuring to see that there are official channels for doing so.
I did take a Software Engineering course while I was there that directly interacted with real-world clients and had to ship customer ready software at the end of the semester. It was intense and a fantastic learning experience. I'm biased, but they do it right at UMD. Go Terps!
http://newmexico.jobing.com/lovelace-health-system/it-suppor...
Is there something I don't know or is it crazy for a hospital to be using MS Server 2000 in 2016?
Several of them lamented that every department had "slackers" who'd probably be fired from any real business, but basically couldn't get sacked if they tried due to Government policies.
It's not my thing, but there are reasons people choose these places.
Seems like the end result would be a really nasty dead sea effect.
This is a paraphrase of a good answer from Bugcrowd's CEO when asked about why people report bugs for thousands when they could sell them for hundreds of thousands. He answered "not everyone wants to be a drug dealer".
Light candle > curse the darkness
What happened to the first 7 years?
Add to that all of the rules that require you to be an expert in government proposals (Google "8a", "BPA", and "USG FAR") and you're virtually guaranteed anyone who's good and wants to be paid what they're worth will roll out.
The President just formed a commission to make Americans safe in cyberspace [1]
His Press Secretary says "Issues related to encryption will not be considered by the commission" [2]
[1] https://www.whitehouse.gov/blog/2016/04/13/announcing-presid...
Looking at some of the details, it seems some agencies are somewhat better than others; it would be interesting to see the whole report and see which agencies do better and which really suck (NASA seems to have done quite poorly).
Given that the security needs for the EPA may be quite different than those for the DoD, not to mention countless other agencies, it's easy to understand how standards and enforcement could quickly fragment. A lot of these agencies will hire contractors to do the work, they'll hire different contractors, who are themselves drawn from a limited pool of authorized contractors, and soon enough you have Healthcare.gov version 1 again.
Additionally, if FB or Google have a breach, there's a clear line of responsibility that ends up at the CEO. While in theory that's true in government, in practice you have both the executive branch and Congress that muck about in the operations of an agency, so although you may get security person X to resign, it's far less easy to get at the people who are actually responsible (Which congressperson? How do you vote them out of a gerrymandered district? Should the president fire his cabinet secretary? How does he get a new one past Congress?)
They need to streamline the hiring process and offer competitive pay.
Also, it's not as though the contractors themselves offer poor compensation. A lot of them actually offer at least market rate, and in some cases higher pay. It's not so easy to figure out how much something is going to cost over the lifetime of a contract. This, combined with the general opacity and bureaucratic hurdles of government contracting, makes it so the government doesn't get the best deal over the lifetime of the contract despite picking what may look to be a good idea at the onset. Of course this is all ignoring political considerations and lobbying issues.
The US Government is the largest corporation in the world; I think the US Defense Department alone is the largest corporation in the world. And none of it is subject to the free market (in many ways for good reason). It's very difficult to do things efficiently at that scale, and it's even harder to do it with external political influences of all sorts.
With the only serious motivator being to cut costs, most agencies will contract their project into the ground.
Add on to that the fact it's nearly impossible to hire because most tech people's heads are packed with dystopian scifi nonsense, and you have a perfect storm.
[0] http://money.cnn.com/2015/06/26/technology/microsoft-windows...
Info services and Technology seem like common sense answers, and maybe food includes fast food which has to defend against the underground's hunger for credit cards, but why does construction earn a top place?
Anyone have a theory?
The tech companies self-service.
Mike Dickerson gave a really good in-depth talk at Google about his work cleaning up the healthcare.gov project. The Time article lacks many of the technical details but is still pretty good. Sorry, all I can find is a link to the PDF. https://blog.newrelic.com/wp-content/uploads/80893.pdf
From talking to people who've worked in the USDS, the problem doesn't appear to be lack of capable people, or lack of funds. The problem seems to be in the structure of how projects are bid and executed. The bad news is the problem is universal. The good news is it's fixable ... it's just going to take a lot of work by a lot of smart and determined people.
Sign up and go fix it.
He's possibly handling more data, providing more services and doing it with what...10K engineers?
We are just going to see more and more Sony-type hacks, Manning/Snowden-type events. Just look at what happened with Bangladesh's Central Bank and Philippines voter records.
Going forward I just don't see Govt IT coping on their own. Things are just moving too fast and they have my sympathies.