notes from an admin for himself. you can read it if you want.

Entries Comments

Custom Search

HITECH BAA scramble of 2013

18 February, 2013 (16:59) | security | 3 comments

I decided to document the scramble for BAAs here at my company. In short anyone outside of an ISP has to give you a BAA if they handle your PHI. Today we will start with Mozy because I know they will do a BAA. Keep in mind we have until about Sept to be done. I’ll note the time spent on the phone so far with each.

Latisys – Done, BAA in hand

Latisys provides me with two Tier three datacenters and services from unmanaged to managed. They are very easy to work with on a BAA.

Mozy- contacted, 20m

2/18/2013 Chat to support today reveals a need to talk to an account manager at 877-669-9776. After 2*5 minute phone calls, some tacky foreign hold music and a voicemail prompt, I still don’t know anything. I suggested that they automate the BAA process on the support forum and documented the idea that they will be responsible for BAA/HIPAA/HITECH. If you need it, there is a post from last night. Google it.

Google Apps for Business – Assertively Denied BAA and any allusion to HIPAA compliance- 35m

2/18/2013 877-355-5787. You will need to have your customer pin ready on the Google apps console under support. I talked to a nice support guy, explained that my company requires a BAA by Sept 2013. On hold, better hold music than Mozy. After 30ish minutes on hold, the tech support guy explained that it took a while to track down the correct answer.

My paid google apps support rep said google has not ever provided a BAA, guarantee of HIPAA compliance, intent or representation of service to HIPAA compliant materials. It was funny that he kept spelling out H I P P A, H I P A, H I P A A. The guy was very nice about it, sounded like he was reading from the notes he just took for the last 30 minutes. I repeated the idea that we will have to move away from Google apps if they cannot provide a BAA. He said sorry about that but I was correct, we will need to move by the deadline. He repeated a few ideas, google has not ever claimed to be HIPAA compliant, and they will not issue a BAA.

There is a lot of misinformation out there about what google will do for  you. Notice that it does not come from Google. Mostly fanbois. My attorney and I suspected this would be the case.

Logmein –


Q9 – Done, documentation in hand for Canadian PHIPA

Q9 is a bear to negotiate with, they are incredibly expensive as well. But they get the job done.

A few nifty security tools for home

17 February, 2013 (18:29) | antivirus/spyware, security | No comments This site will look your email address up and compare it to a list of known hacked accounts. You can ask it to keep on scanning for free on a personal account. This company teamed up with lastpass to do nightly scans.

Lastpass for passwords! Nobody should remember or write down passwords these days.

Separate email accounts – Build an email account for “account management” No spam, no personal email, etc. Just resetting passwords. make sure that password is darn strong on your email account.  I recommend MS or Google with the google authenticator.

WordPress- Bulletproof Security, WP Security – Both have similar approaches. If you run wordpress, you should spend a weekend getting to know each.

Don’t forget your hosts file from when you install windows 8. This currently blocks commercials in hulu, most ads etc.


Free windows 8 ISOs straight from microsoft

8 July, 2012 (19:58) | OS, software | No comments

Or google it yourself, “windows 8 consumer preview ISO” and go grab it. You need to start getting ready for the upgrade now if you are like me. I’m just adding the link because people keep asking me.

How to find credit card numbers and social security numbers on an employee workstation

8 July, 2012 (18:49) | How to, Monitoring, security, software | No comments

Cornell developed their spider program a while ago. You can search for anything on a machine using regular expressions with this tool. It takes a bloody long time to search an entire hard drive so hopefully you have the user locked down to write access in My docs or the equal on linux/osx. This tool has to run as administrator or a service on newer versions of windows so plan accordingly when automating.

I use this to search for HIPAA data and credit cards. Works pretty well, I write the log file out to a server over an IPsec encrypted tunnel. Download and enjoy:

Wooohooo I made my first $100 from google ads

30 June, 2012 (16:08) | blogging | No comments

They deposited it straight into my bank account. Well it is nice to get something back, it won’t cover the costs of running this page for years but it helps.

Why Macs are not designed for business use

30 June, 2012 (16:01) | linux, mac, security | No comments

Macs are great machines if you are a rich trendy person who was so brilliantly targeted by Steve Jobs. Not so good for normal people trying to keep up with the Joneses. Also not good for business at all.  This list is just a reminder for myself  when people are complaining as to why we protect HIPAA/PHIPA data with a capable OS’ like Windows and Red Hat. I know they all want bling and brainless packages to install. We tend to either install on windows with our own customizations and compile our own packages and automate with RHEL. We use exciting security technologies with certificates, ipsec, dnssec, selinux etc. We do our best to comply with fips-140-2, FISMA, USGCB and other standards that require tools that aren’t available or mature on apple products.


capable of: dell/win dell/rhel macbook pro
dock yes yes no
built in aircard yes yes no
lojack yes yes no
intel AMT yes yes no
gps tracking yes yes no
antitheft 3.0 yes yes no
remote wipe yes yes no
4 monitor support yes yes no
intel vPro yes yes no
FIPS-140-2 encryption yes yes few
FIPS-140-2 authentication yes yes no
Timely security patches yes yes no


That’s a few minutes of thought, I’ll add more as time goes on. Mac is a lot more expensive for quite a few reasons. Up front cost is very expensive. You need a developer to do all the custom security and networking work in a business setting.

Refresh on a Mac is a lot faster than a PC especially now that the hardware is soldered on to the motherboard of a Mac. Good luck upgrading the RAM on a fleet of macbook pros, you will have to buy new ones before your renewal and replacement cycle is done. Or you will have workers without the resources they need to do their job.

Enterprise tools just aren’t out there for mac. Typical users think they know computers because they get along with their home machine just fine. Automation and centralized tools are the name of the game in business. Mature products don’t exist hence the need for a full time developer. At my old job most of the mac staff were developers. We worked closely with Michael Bartosh and had him in house for long periods of time to build the tools that came with windows or were easy to deploy in red hat.

Apple’s HIPAA email address goes to a black hole. Nobody on my team has gotten a response from them on any email we have sent. At my last job we did, but they called Mike down the hall who was already in our building and he laughed about Apple not having any HIPAA support or intention to build it.

Apple is downright horrible when it comes to security. They buried their heads in the sand as a defense against malware and finally last week corrected some statements on their web page about threats against mac. Java patches come out in a few weeks for windows and linux, they take 6 months for mac.

Apple is driven by rabid fanboys like a wacky fringe religion on a recruiting spree. They troll all forums and magazine comments to offer wisdom like OSX doesn’t get spyware. Then the goalposts move to trojan horses aren’t viruses. Now the goalposts move again to Apple people are richer and better targets and other wacky explanations as to why they get attacked like every other OS. The defensive tone is always flooding public forums. The ratio of fanboy posts to market share is way off. If people actually read my webpage I’m sure I’d get comments here.

The main lessons in security are finally being realized by apple. They decided to start checking for updates every day vs every week and automatically install now. I constantly find apple machines who haven’t patched lately if ever. They hate the popup. They did come up with the brilliant idea that if a component like java hasn’t been used in X amount of time it will disable itself. I do like that one a lot.

Apple makes an idiot proof anti multitasking environment perfect for home users. It does a great job in this audience. It is absolutely not built for business use and is not cost effective. I suppose if a company has money to burn or make money with a hip image it makes sense in certain public facing areas. But it is a tool with a very limited job.

I do like apple products the design is brilliant and I would use one at home for basic surfing if given one free. The walled garden ecosystem is very nice for novice users and consumers who aren’t interested in learning what a computer does. I can’t say I’m a mac hater at all. I just hate users forcing their will on business by abusing positions of power vs using logic to make sound decisions.




Finally! Spiceworks adds a client Agent

28 June, 2012 (15:20) | Monitoring | No comments

Many people came here to flame me for citing a lack of agent on Spiceworks. Apparently they saw the light 4 years later. It has finally matured into a really good little product. Still not quite enterprise material but if you have a small business full of mac/win machines it is THE best free tool for the job. Check out their new video.

Mac users – I told you so, John Dvorak did too

16 April, 2012 (20:14) | antivirus/spyware, prediction, security | No comments

Nice to see some predictions come true. From my own blog here in 2009-

With today’s news of Snow Leopard including some sort of anti-spyware/malware (i doubt antivirus.) I decided I should compile a list of my favorite mac holes for the macholes that seem to say there aren’t any. The culture will shift once AV/ASW is installed on all Macs, so the fun of prodding them will go away. So to all the macholes who say there is no such thing as a security threat to Mac, grow up. Your time is coming. When you play with the big kids, you get more 3rd party hardware, software vendors, and lots of problems. Muhahahah. spoiled brats.




Well to add to the list for famous mac munching software –

apple defender/Antivirus scam



I have plenty of saved up forum posts about how Macs are invincible.  It is sad to see macs getting attacked, but in a way it is nice to be able to say “I told you so. ” and be 100% correct on all fronts. Macs aren’t invincible. No platform is. The market share argument is valid. Virus is like Kleenex unless you really say things like “please hand me a Scott Tissue to wipe my Apple Macbook Pro keyboard.”

I think the moral of the story is that people are sheep. If  a strong shepherd like Mac tells the sheep they are safe, they will believe them. It isn’t really their fault, they are stupid. We need to go after the assholes that tell the sheep they are safe.



Use your old remote with an XBMC machine

16 April, 2012 (10:17) | How to, Remote Management, Stupid windows tricks | No comments

Need a remote? Just buy this usb dongle and use one of the 20 you have.

OSX Flashback shows apple innovating something in security. wait what? Apple and security in the same sentence?

15 April, 2012 (10:12) | mac, security | No comments

Apple did something brilliant. They might not be good at security, in fact they pretty much always suck at it. This forced them to create something new and just brilliant. If a user doesn’t use Java for X time, it SHUTS OFF! How incredibly obvious but new is that? How cool would it be if telnet got disabled after not being used for a few months on a windows box?

This new process of disabling after a service is not in use needs to become the standard for all platforms.

« Older entries

 Newer entries »