(Ars Technica) What United is to customer security and Uber is to gender and IP ethics, this company is to security practices. They had one job (arstechnica.com)
More: Facepalm, El Camino Hospital, Computer security, Security, Santa Clara County, California, Tanium, security company Tanium, venture capital-funded newcomers, Demonstration

3099 clicks; posted to Geek on 20 Apr 2017 at 1:01 AM



28 Comments

2017-04-19 09:30:58 PM  
You had one job, Subby - to write a coherent headline.
 
2017-04-20 12:37:29 AM  
It's hard to create meaningful demo data.  Why not use your customers, except for the fact that it's, you know, your customer's data.

/hippa
 
2017-04-20 01:25:09 AM  
As someone with 20+ years in IT systems administration, and who has worked for law firms, doctors' offices, medical schools, and FDIC-backed institutions...

Holy shiat. These morons violated ALL the rules. Seriously. All of them. There will be law firms consuming each other just to be closer to the front of the line to collect from the lawsuits.
 
2017-04-20 01:27:42 AM  
That's a hell of a HIPAA violation. Yikes!
 
2017-04-20 02:20:54 AM  

lycanth: You had one job, Subby - to write a coherent headline.


Well, to be frankly honest, I had long since given up on getting a green light. It's been nearly 13 years. I figured someone else would see the link, tweak it, churn up a headline and it would go. All I cared about is that this got out there.

As xaks said, "ALL the rules"; that sort of thing leaves you a little gobsmacked. HIPAA for sure, PCI is possible. Not sure what else they may have violated beyond client guarantees and contracts, but as a security firm they are dead, and the company corpse needs to be gibbeted as a warning to others.

/huh, I got a green?  Didn't see that coming.
 
2017-04-20 02:34:10 AM  

xaks: As someone with 20+ years in IT systems administration, and who has worked for law firms, doctors' offices, medical schools, and FDIC-backed institutions...


As someone with 20+ years developing and testing various IT systems and tools, this part from TFA made me ROFL.

"well-established "next-generation" cybersecurity vendor that was founded 10 years ago"
 
2017-04-20 03:42:03 AM  

MusicMakeMyHeadPound: That's a hell of a HIPAA violation. Yikes!


Nope. HIPAA doesn't apply to them, only to the hospital. And if no patient records were involved then even if they were culpable under HIPAA there was no protected information involved.

They are still subject to the federal hacking law, this was an unauthorized access of a system not their own. 20 years in federal prison for the guys doing the demos.
 
2017-04-20 05:36:48 AM  
Thank you, subby. Seriously--this is something I will be forwarding all over in the morning, and not for chuckles.

On Tanium itself, I wish it didn't have to be watched like a hawk during implementation to bring back up the servers it crushes. It doesn't take down every server, either--just enough to make it untrustworthy.
 
2017-04-20 05:50:00 AM  

LadyShiva: Thank you, subby. Seriously--this is something I will be forwarding all over in the morning, and not for chuckles.

On Tanium itself, I wish it didn't have to be watched like a hawk during implementation to bring back up the servers it crushes. It doesn't take down every server, either--just enough to make it untrustworthy.


As in the service they install is such a pig it'll impede the stuff it's supposed to be monitoring? Oh, that's bawls. I'm facing a somewhat similar scenario with a bunch of ESX hosts vs Nagios. I think the root cause is how Dell's hardware monitoring is apparently pretty flaky to interface with, but the net result is lots of false positives about how host 'X' is down when in fact it's just that the watcher daemon has become too slow to respond to the queries. My HPE servers are fine (well, apart from being HPE), just the Dell ones, which are newer to boot.
 
2017-04-20 06:05:41 AM  
I just work for ordinary commercial customers, but farked if I would EVER use the logged in portion of a customer's system to demo without their permission. Ever.

So very very stupid.
 
2017-04-20 06:26:58 AM  
WOW!  That's....wow!!!  how monumentally stupid do you have to be to think tapping into your customer's network to show off your IT Security packages WITHOUT THEIR PERMISSION is somehow a good idea??
 
2017-04-20 06:30:09 AM  

fst_creeper: As xaks said, "ALL the rules"; that sort of thing leaves you a little gobsmacked. HIPAA for sure, PCI is possible. Not sure what else they may have violated beyond client guarantees and contracts, but as a security firm they are dead, and the company corpse needs to be gibbeted as a warning to others.


Wow, thank you for introducing me to a new word.
 
2017-04-20 07:22:58 AM  
I don't always test my code, but when I do, I test it in production.
 
2017-04-20 07:47:14 AM  
Wholly carp!
 
2017-04-20 07:48:15 AM  

MusicMakeMyHeadPound: That's a hell of a HIPAA violation. Yikes!


No patient data was accessed.
 
2017-04-20 08:00:17 AM  
Tanium is also the company that fires people right before their stock options vest.
 
2017-04-20 08:03:53 AM  

BarkingUnicorn: MusicMakeMyHeadPound: That's a hell of a HIPAA violation. Yikes!

No patient data was accessed.


Still, hospitals are prime targets for ransomware, you don't just tap into their networks and show off their shiat without their permission.
 
2017-04-20 08:19:36 AM  

justinguarini4ever: Tanium is also the company that fires people right before their stock options vest.


Yup. That story alone was enough to tank their reputation. It sounds like the older generation was decent enough, but the kid running the show now is a tool.

Ambivalence: Wow, thank you for introducing me to a new word


Shame it wasn't a nicer one, even if it was a good time to use it.

/I read a lot of history articles and historical fiction.
 
2017-04-20 08:51:56 AM  

Marcus Aurelius: It's hard to create meaningful demo data.  Why not use your customers, except for the fact that it's, you know, your customer's data.

/hippa


You know how I can tell you really don't know much about HIPAA?
 
2017-04-20 08:55:19 AM  
I wonder if they hid something in the BAA to allow them to be used for demos?

It wouldn't surprise me.
 
2017-04-20 09:03:17 AM  
I thought this was going to be about The Company, as in CIA.
/DRTFA
 
2017-04-20 09:18:46 AM  

BolloxReader: Nope. HIPAA doesn't apply to them, only to the hospital. And if no patient records were involved then even if they were culpable under HIPAA there was no protected information involved.



I think you are probably wrong on two levels. One, I've never once been in a scenario where as a contractor I didn't have to agree to all the regulatory requirements of the client, especially HIPAA. Two, with the HITECH additions to HIPAA I think they fall squarely into the rules, as they were providing administration services for PHI-containing systems. I'm not a lawyer, but I have been lectured to on the topic several times, and every piece of HIPAA training I've had sure took that view.

/I'm not sure which audit is worse, HIPAA or PCI.
//In both cases, lawyers are going to lecture, no matter how good the audit goes.
 
2017-04-20 09:28:10 AM  

BolloxReader: MusicMakeMyHeadPound: That's a hell of a HIPAA violation. Yikes!

Nope. HIPAA doesn't apply to them, only to the hospital. And if no patient records were involved then even if they were culpable under HIPAA there was no protected information involved.

They are still subject to the federal hacking law, this was an unauthorized access of a system not their own. 20 years in federal prison for the guys doing the demos.


At worst they'll get probation.
 
2017-04-20 09:29:21 AM  

xaks: As someone with 20+ years in IT systems administration, and who has worked for law firms, doctors' offices, medical schools, and FDIC-backed institutions...

Holy shiat. These morons violated ALL the rules. Seriously. All of them. There will be law firms consuming each other just to be closer to the front of the line to collect from the lawsuits.


Came here for this, leaving happily. This company should be used as an example of what not to do, ever, when it comes to someone else's data.
 
2017-04-20 09:34:09 AM  

Ambivalence: WOW!  That's....wow!!!  how monumentally stupid do you have to be to think tapping into your customer's network to show off your IT Security packages WITHOUT THEIR PERMISSION is somehow a good idea??


Huge savings. No, really - it costs money to maintain a demo network that can simulate a production environment. I've helped design them, so I know exactly what they were thinking: "We've got live data, with free access, on a real production system - screw setting up anything else! Get this out there!"

The horrible part is how this seems, at least to me, to characterize the last couple of startups at which I've worked. Ethics are driven not by principles, but profit - if they can get away with it, they will do it, even if it's potentially actionable later, because they need to drive profit or stock price now. It costs money to create an anonymized data set that's useful for demonstrating a domain. It costs money to create an environment that can simulate production usage. They thought that they had a clever way to avoid spending that money while pitching their product.
 
2017-04-20 09:43:07 AM  

fst_creeper: BolloxReader: Nope. HIPAA doesn't apply to them, only to the hospital. And if no patient records were involved then even if they were culpable under HIPAA there was no protected information involved.


I think you are probably wrong on two levels. One, I've never once been in a scenario where as a contractor I didn't have to agree to all the regulatory requirements of the client, especially HIPAA. Two, with the HITECH additions to HIPAA I think they fall squarely into the rules, as they were providing administration services for PHI-containing systems. I'm not a lawyer, but I have been lectured to on the topic several times, and every piece of HIPAA training I've had sure took that view.

/I'm not sure which audit is worse, HIPAA or PCI.
//In both cases, lawyers are going to lecture, no matter how good the audit goes.


Huh. Granted, my tiny independent insurance agency didn't need much in the way of data management and protection. I had a single encrypted laptop that I used and an encrypted backup drive; my assistant managed all the paper records and stuff but didn't have her own computer in the office. So despite being subject to HIPAA, I have never used or seen contracts like that.

For me HITECH just meant don't let anyone else access your stuff, keep it encrypted, use best practices to keep the system clean. The state regulator emphasized in training classes on HITECH that there were safe havens as long as we could demonstrate documented best practices that met their standards and not to get too scared by it. If someone breaks into your office, jimmies your locked filing cabinet and takes your records and you can show where they broke into a secure area and the jimmied filing cabinet, you did your part to keep records safe. Same with HITECH.

Back then there were no cases I'd heard of involving patient data breaches. No formal charges, no case law to guide what was reasonable and what is not. But there were a ton of people trying to scare everyone into buying expensive proprietary systems. Maybe big health care systems need them, but it was overkill for what was basically a one person operation. And until there is a body of case law we don't know what is required.

Now I guess I'll go look up whether there have been any judicial rulings involving this stuff. There was nothing when I was subject to HIPAA.
 
2017-04-20 11:24:45 AM  

BolloxReader: I have never used or seen contracts like that.


That is probably the major difference. I was an employee of a contracted service provider, in this case providing development services and some infrastructure build-out. So in many ways I would expect a very similar contract to what I would expect Tanium signed.

A somewhat similar comparison to this scenario would be you having a contract with a document disposal company where they are not supposed to see the data but might accidentally, and are covered by rules, and yet hold repeated after-hours walkthroughs of your office without your consent.
 
2017-04-20 08:40:13 PM  

fst_creeper: justinguarini4ever: Tanium is also the company that fires people right before their stock options vest.

Yup. That story alone was enough to tank their reputation. It sounds like the older generation was decent enough, but the kid running the show now is a tool.

Ambivalence: Wow, thank you for introducing me to a new word

Shame it wasn't a nicer one, even if it was a good time to use it.

/I read a lot of history articles and historical fiction.


Reading the statement from Tanium is laughable about it too. "We did an investigation and found there was no targeted terminations of employees. Which is totes legit. I mean, I looked into my own behavior. That works, right?"
 