Open Source and information security mailing list archives
Date: Tue, 06 Jul 2004 07:15:59 -0400
From: "Anything But Microsoft" <abm@...thingbutmicrosoft.org>
To: <bob@...is.net>, <BUGTRAQ@...urityfocus.com>, <alun@...is.com>,
	<jeremy.epstein@...methods.com>
Subject: RE: Microsoft technologies. By default, non-HIPAA compliant?


Out of all the replies, both on and off-list, I believe this quote is
the best to work with at this point. 

>>> "Alun Jones" <alun@...is.com> 7/4/2004 12:05:51 PM >>>
> Whenever you advocate a switch from Microsoft to another platform, whether
> it's an operating system platform, or merely a browser platform, you need to
> be providing technical reasons why the new platform is better than the
> other.  Wishy-washy arguments of the kind of "there are lots of bugs found
> in Microsoft products" /don't/ wash.  You have to make arguments of the kind
> of "this entire class of bugs have been made impossible in the system I'm
> proposing".

My decision making process as to what I interpret as HIPAA compliant
with my health care customers begins precisely by "providing technical
reasons" regarding an "entire class of bugs." (Please also note that I
understand even my strongest convictions and beliefs are interpreted
differently by others. I welcome all comments) But let's look at this
issue on a more micro level, the view most of us IT guys "in the
trenches" have of the problems we must face daily. 

Let's start with an analogy: Microsoft Office is to Macro Virus, as
Anything But Microsoft Office is to Immune To Macro Virus. I have
searched high and low, and have yet to see anything even resembling a
macro virus in any non-Microsoft document format. In fact, I have more
than once deliberately opened Microsoft Macro Virus infected documents
in Corel Word Perfect, Lotus SmartSuite, and OpenOffice without any harm
to the PC or spread of the virus. In most cases the document can be
modified and saved in MS format and the offending MS Macro Virus is no
longer present in the document. So by your own definition, an "entire
class of bugs" is eliminated by never using Microsoft Office. In my 15
years of providing IT services to health care professionals I have yet
to see one instance where a non-Microsoft Office solution does not fit
the needs of my clients both large and small. Therefore, my conclusion
is that installing Microsoft Office on a health care provider's PC under
the circumstances I face disqualifies that PC/Network from HIPAA
compliance regarding system security. The counter argument I look to you
for, is to define a situation where having Microsoft Office installed
instead of an alternative is required to provide health care services.

Are the non-MS alternatives immune to all security issues? No, I never
said that and never will. But as I stated above, we both share a similar
definition of what is HIPAA compliant. Now, please tell me where I went
wrong in the interpretation of our shared methodology using only the MS
Office example above. As much as I would love to now similarly discuss
LookOut and IE, let's move on...

> If you don't make those arguments, then the only argument you're making is
> to move to a system that the hackers aren't _yet_ as interested in.  That's
> a security by obscurity argument.  It may help you survive against
> broadcast, scattershot attacks, that don't care where they're aiming, but it
> won't help you against an attacker that has chosen to target your
> organisation.

This and other similar statements to the effect of "Microsoft is a big
target, that is why hackers find so many security holes" I not only find
amusing (off topic for here) but I interpret as all the more reason to
avoid MS products while striving for HIPAA compliance. I hate to sound
like my Mother, but "If everyone was jumping off a bridge, would you
jump too?" Think of it this way, does putting your customers in front of
that MS target when alternatives exist meet this criterion? (as quoted
from Adrian Marsden) "You have to be able to show that, within your
environment, you did the best you could to maintain the security and
privacy of the data you hold." In the IT environments I maintain my
actions are based on the meaning of that quote. With any client I first
investigate the feasibility of the client's app running in wine on
Linux. If that fails and the Windows OS is required, I will hide IE
icons and configure the LAN settings to proxy a non-addressable IP
address, preventing the use of IE. 

If everyone drops using IE in favor of Mozilla, and next year two other
people are having this same conversation about Mozilla's browser,
e-mail, etc. I'll be one of the first to argue that if Mozilla is the
target of choice, it is time to move on. The CCIA's CyberInsecurity
Report, for instance, points at the dangers of a lack of 'biodiversity'
in IT more than at MS itself being the problem. And if that happens, you
can address me as AnythingButMozilla.

Lastly: "But the cost of having that feature custom coded is beyond
what most small offices would even consider when MS's 'X' is built right
in..." What part of HIPAA states "But if it is too difficult or costs
too much, just forget the whole thing"?
