The recent breach of “Jude Medical Center in Fullerton and Mission Hospital facilities in Laguna Beach and Mission Viejo” offers some examples of communication made after discovery.

First, the article gives a statement regarding obfuscation of the data:

But the data would have been difficult to access without using “a complex combination of terms” or be doing an “extensive search,” said Dr. Clyde Wesp, chief medical-information officer for the St. Joseph Health System.

Complex according to what? Compliance regulations tend not to use “complex” or “extensive” to describe controls required for privacy because computers are very good at turning both complex and extensive into easy and fast operations.

The University of Miami tried to make this argument when they lost their backup tapes. It did not fly then. It won’t fly now. Doctors, of all people, should know better than to say that complexity will be the main impediment to success.

So the question they really should answer is related to the “strength” of the control that protects data, not the complexity.

Second, the article says they are unaware of anyone obtaining the data improperly:

St. Joseph discovered the security breach within the past week after receiving a phone call from a patient’s attorney, said hospital officials, adding they do not know how the patient learned about the problem. Personnel at the two hospitals have not heard of any of the information being improperly obtained, Wesp said. The information could have been accessed from Google and Yahoo; the hospital worked with the search engines to delete the information from the Internet.

They may be trying to emphasise that it is hard to prove a negative. Yet the article also gives at least two positive examples of improper access.

The first is by the search engines. They have evidence that the data was accessed by Google, Yahoo!, and so forth. Did they authorise search engine access? No.

The second is by the patient’s attorney. Clearly the patient’s attorney obtained something akin to improper access, which is why they contacted the entity.

This also undermines their “difficult to access” communication in the first point. It is easy to use a search engine. It must have been easy enough for the patient and/or their attorney to find the data and access it, so how complex is it really?

Third, they try to give some of the usual disclaimers:

It would not have included Social Security numbers, addresses or financial data, the doctor said. “I think that the most important thing is that our response was rapid,” Wesp said. “As a health system, we have secured the sites, and this information is not available any longer.”

These no longer carry any weight. Regulators, as well as patients, have expanded the scope of concern beyond basic financial information. Email addresses, birth dates, intellectual property, even zip codes are increasingly considered privacy-related information. And if they want us to believe the data was not privacy-related, why would they report the breach at all?

It’s nice to see that they had a “rapid” response but I don’t know anyone who would characterise that as “the most important thing”. Everyone, I think, would agree it is more important to prevent a breach or to detect a breach internally than to respond rapidly. That certainly has been the perspective taken by regulators who have fined entities for failure to prevent breaches. Rapid response just lessens the penalties, it does not take them away.

I’ve been fiddling around the file system of the Nokia N9 lately. It’s not hard to do and actually quite fun to have shell on a linux device that fits in the palm of your hand.

First enable developer mode:

Settings > Security > Developer Mode

The phone will install an SSH server and also a Terminal to the home screen. Open the Terminal and you will be in BusyBox v1.19.0 shell.

Second, change the root password. Enter the following command to su to root:

devel-su

It will prompt for a password. The default is “rootme”. The prompt should change from “~ $” to “~ #”. Enter the following command to change the root password:

passwd

You will have to enter it twice. Then type “exit” to return to the user prompt.

If you type “gconftool-2 –help” at the prompt you should see a long list including a “s” option to set and sync a value and a “t” option with the values “int|bool|float|string|list|pair”

For example, use the following to install an image to the screen_lock screen.

gconftool-2 -t string -s /desktop/meego/screen_lock/low_power_mode/operator_logo /home/user/MyDocs/Pictures/filename.png

The image (filename.png) should be no more than 120×120 pixels and 1-bit (black and white). Space invaders comes to mind…

Or a flyingpenguin:

Maybe white is a little bright. The screen lock color can be modified by editing the following file:

/usr/share/themes/base/meegotouch/libsysuid-screenlock-nokia/style/libsysuid-screenlock-nokia.css

Easiest way to modify it is remotely over ssh. Open the SDK Connection app on the home screen. Select WLAN from the two buttons. It will show you the IP of the N9 and the password.

Once you’ve made a backup of the file, change the hex setting just below the line that reads LockScreen MLabelStyle#LockScreenLowPowerModeClockLabel. Red is #FF0000.

Chris Colotti has written detailed instructions on vCloud Director Disaster Recovery

Creating DR solutions for vCloud Director poses multiple challenges. These challenges all have a common theme. That is the automatic creation of objects by VMware vCloud Director such as resource pools, virtual machines, folders, and portgroups. vCloud Director and vCenter Server both heavily rely on management object reference identifiers (MoRef ID’s) for these objects. Any unplanned changes to these identifiers could, and often will, result in loss of functionality. vSphere Site Recovery Manager currently does not support protection of virtual machines managed by vCloud Director.