
Re: [LUG] off topic :but what Linux distro could read and write to a mac computer's external back up?

 

On 11/09/16 20:53, Joseph Bennie wrote:

Hi Joseph, thanks for your reply!

> boom! you're seriously paranoid. 

Yep, that's 100% established around here :]

Post-Snowden however it has also been established that I am right to be,
which is partly why I make such a good sysadmin. You guys do read the
news right? You are aware that multiple European countries are mandating
that sensitive data remains balkanized within the country of origin
precisely to prevent American private companies hoovering it all up?
Which is completely pointless as via 5-eyes data-sharing agreements GCHQ
in this country hoovers up UK data and analyses it on behalf of the
American agencies to sidestep these restrictions with dubious legality?
This isn't exactly the stuff of tinfoil hat UFO believers: it's well
understood, well documented and there have been countless articles about
it even in the mainstream press, let alone the technical press.

Similarly encrypting your data *before* transferring it to a regular
commercial cloud service is literally security 101. Simply reading the
TOS for Dropbox/GDrive/etc informs one that they can and will decrypt
the contents for the security services as required - not that they would
ever bother as they simply fibre tap the companies without asking
instead, which is why Google et al rapidly and indignantly moved to
encrypt cross-data-centre comms recently (2013-ish). Research
MUSCULAR/INCENSOR/XKEYSCORE for fun and profit.

> ps time vault is a custom implementation of zfs. 

Umm, what? No, it's HFS+ with custom hardlinking. A 2-second Google will
tell you this, as will actually mounting a TimeMachine/Capsule and
checking mtab. What you're probably thinking of is a while back when
everyone (me included) was really excited by rumours that Apple were
going to fully integrate ZFS as a first-class FS for MacOS and there
were even some developer builds with it included. Sadly this petered out
quickly - my guess is this would have been down to Oracle being their
usual idiotic selves over licensing/money - and with the upcoming
'Sierra' MacOS release Apple have instead finally rolled their own new
attempt at a modern CoW filesystem, APFS.

https://developer.apple.com/library/prerelease/content/documentation/FileManagement/Conceptual/APFS_Guide/Introduction/Introduction.html

Promising start but it *really* needs some work yet, it's not even
bootable. Still, anything's better than HFS I guess.

All is not lost however:

https://openzfsonosx.org/

Warning: performance is pretty terrible as yet, and it lags
significantly behind the reference implementation from the Illumos guys.

> if her files are that sensitive, sure as fuck she'll be accessing them via an 
> encrypted thin client. they sure as hell won't be on her metal. if they are ...fail.

Ok, picking my way through this: yes, the files she will *categorically
need to do her studies* just like *every other medical student in this
country* are THAT sensitive. As in, some of it will be live, partially
or even completely un-anonymized patient records and cohort data
increasingly related to their specialisations as they progress through
their early career from student to junior doctor to registrar and
beyond. They will have hands on experience with real, live patients
frequently just as they will have access to real, live patient data
accordingly which can and WILL be copied to their computers as required,
following very strict DPA guidelines that they will be relentlessly and
repeatedly drilled on. Keeping any of this sensitive data on
non-encrypted USB media, laptops or any other device is strictly
forbidden and students and medical staff know this.

As for "...accessing them via an encrypted thin client" you're only
saying that because you're a sensible man and think that's how it SHOULD
be done! You're probably right and I pretty much agree, but sadly, the
NHS isn't quite that organized... Here's the thing: even world-leading
hospitals and "learning centres" like Kings in London, where I cut my
teeth, don't use encrypted thin clients *even within the hospital
itself*. You'd imagine all staff desks to have Sunrays, smartcard
authentication and full encryption right? Trust me on this, this is NOT
the case. The NHS have a multi-million (billion?) pound contract with
Dell so you will find simple bog standard Optiplexes on every desk from
reception to the morgue and even on the movable carts we shuttle around
speciality wards between beds to access everything from PALS to the
patient record system. "Security" is often limited to the smartcard
reader on the attached Dell keyboard and it's not uncommon to see
harassed clinicians and even surgeons and consultants wangle a temporary
"blank" access card (supposed to be stand in replacements for the
inevitable lost/forgotten tokens) which is left permanently in situ - or
at least until the compliance guy or someone from IT notices and dobs
them in. For which you will be frozen out by the offender and
potentially most of their entire department because although it's a
clear breach of hospital policy and in direct contravention of common
sense and the DPA, hyper-stressed medics on 100+ hour weeks will take
shortcuts sometimes. Just like sometimes the drug cabinets will be left
subtly unlocked to speed up the end-run around formally requesting
supplies from the pharmacy dept who are also biblically overworked,
stressed and late. This is all obviously seriously NOT GOOD and
definitely disciplinary, if not sackable, violations of policy but man,
if you guys actually knew just how much of a pressure cooker the modern
NHS is from inside you'd probably be a bit scared of ever going to a
hospital again.

"they sure as hell wont be on her metal" - yes they will, see above.
Students and staff are rarely issued hospital laptops (students: never)
and EVERY SINGLE ONE OF THEM will have medical data under the DPA on
their private equipment. EVERY. SINGLE. ONE. They can't do their job or
their studies without this, it's well understood, they're trained and
drilled in the rules and encryption is enforced. I have seen people
fired for screwing this up. In practice of course, compliance is well
short of 100% and during my time in the NHS I sweated, slaved and put as
much effort as I possibly could into helping staff and students
understand the tech and toe the line so they could get on with their day
to day business. I was there during the initial transition to mandated
encryption and it was a bit of a mess - contacts still there tell me
it's still a bit of a mess (surprise!) but has got better over time.

> in the real world, a device is disposable, files and data are centrally and 
> securely stored. 

Now this is something we can whole-heartedly agree on :] BUT - and it's
another big but* - rightly or wrongly the NHS can't handle becoming the
Domain Admin for every single student and staff computing device for
obvious reasons (cost, complexity, liability, etc). Individuals have to
be responsible for their own BYOD security and backups, which at least
they are specifically trained on. I could lock down all my department's
issued desktops and gear no problem, but as for every single person's
phone, tablet, laptop, etc? Just think about how that would actually go
down in real life...

"Got a nice new Macbook Air, fresh out of the box? Sweet, I'll have that
thanks. Now I'm just locking you out of admin, encrypting the storage,
enforcing policies and making sure you can only transfer any data in and
out of my NHS approved SAN, which is of course massively underfunded,
over-provisioned, slow and not available over VPN. Ok, here's your £1000
doorstop back, have fun! What do you mean you can't install or update
anything? Of course not, that might violate NHS policy! Screw iTunes and
Netflix sunshine, you're only allowed to read NHS documents on it from
now on and at 10% screen brightness in case someone tries to
shoulder-surf you on the 37 bus to Wandsworth! You're welcome Professor!"

Yes, this was/is quite a mess frankly, and far from ideal but it is what
it is. Mercifully, by definition most medical staff/students are pretty
smart and will try to do the best they can and we IT bods did our level
best to support them to that end. It helps that some things are so
clearly defined it's almost impossible to get them wrong, and here I'm
directly addressing the "just back it up to iCloud/Dropbox" replies from
both of you. I will be as clear as I can why that was profoundly bad advice:

Storing DPA-d medical data unencrypted on a third party cloud service IS
FLAT-OUT *ILLEGAL*. YOU *CAN* BE FIRED. YOU *COULD* BE PROSECUTED.

If you encrypt first, you're fine. Hence a local encrypted
TimeMachine copy - then synced to a cloud service, which would be
absolutely fine - is preferable in every way.

Ok, I've accidentally written another wall of text, apologies to anyone
still following along. I hope this has at least clarified a few things
along the way. The NHS have rather different and rather stricter rules
than most organisations, second only to the military in my experience,
but that's a wall of text for another day I guess. Bet you all can't wait.

Cheers

* teehee again :]
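
Added example of the "encrypt first, then sync" workflow argued for above. This is my own illustration, not code from the original post or from anyone on the list: a POSIX shell script that tars a local backup tree, encrypts it with openssl enc (AES-256-CBC, PBKDF2-derived key) *before* it lands in the folder a cloud client uploads, audits that folder so any plaintext file is flagged, and proves the encrypted blob actually restores. The directory names, the passphrase file location and the sample "cohort" file are assumptions/constructed for the demo; openssl 1.1.1 or later is assumed for the -pbkdf2 flag.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a backup locally before it
# ever touches a cloud-synced folder, and refuse to sync anything that is not an
# encrypted blob. All paths and the passphrase file are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # scratch area standing in for the laptop
BACKUP_SRC="$WORK/TimeMachineCopy"      # the local backup tree to protect
SYNC_DIR="$WORK/Dropbox"                # the folder the cloud client uploads
PASSFILE="$WORK/backup.pass"            # passphrase kept OUTSIDE the sync dir

# Constructed sample data standing in for a patient-data export (hypothetical).
setup_sample() {
    mkdir -p "$BACKUP_SRC/notes" "$SYNC_DIR"
    printf 'cohort 3 export, NOT for unencrypted cloud storage\n' \
        > "$BACKUP_SRC/notes/cohort.txt"
    # 256 random bits, base64, written 0600 via umask in a subshell
    (umask 077; head -c 32 /dev/urandom | base64 > "$PASSFILE")
}

# Pack and encrypt: tar the tree, AES-256-CBC with a PBKDF2-derived key.
# The encrypted blob is the ONLY thing written into the sync folder.
# Caveat: openssl enc is not authenticated encryption; it hides the content
# but will not detect deliberate tampering with the ciphertext.
encrypt_backup() {
    out="$SYNC_DIR/backup-$(date +%Y%m%d).tar.enc"
    tar -C "$BACKUP_SRC" -cf - . | \
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$PASSFILE" -out "$out"
    printf '%s\n' "$out"
}

# Guard: is this file an "openssl enc -salt" blob? Its first 8 bytes are the
# literal "Salted__"; anything else in the sync folder is a plaintext leak.
is_encrypted_blob() {
    [ "$(head -c 8 "$1" 2>/dev/null)" = "Salted__" ]
}

# Scan the sync folder; return 1 (and list offenders) if any plaintext is there.
audit_sync_dir() {
    rc=0
    for f in "$SYNC_DIR"/*; do
        [ -f "$f" ] || continue
        if ! is_encrypted_blob "$f"; then
            printf 'PLAINTEXT IN SYNC DIR: %s\n' "$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Round trip: decrypt the blob and compare with the source to prove it restores.
verify_restore() {
    restore="$WORK/restore"
    mkdir -p "$restore"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$PASSFILE" -in "$1" | tar -C "$restore" -xf -
    cmp -s "$BACKUP_SRC/notes/cohort.txt" "$restore/notes/cohort.txt"
}

setup_sample
ENC_FILE=$(encrypt_backup)
audit_sync_dir && echo "sync dir clean: only encrypted blobs present"
verify_restore "$ENC_FILE" && echo "restore verified from $ENC_FILE"
```

The audit step is the part worth keeping around: run it from cron or a folder watcher against whatever directory your cloud client syncs, and it will shout the moment a plaintext file is dropped in by mistake. The passphrase file must never live inside that directory, or the whole exercise is pointless. For anything beyond a demo, prefer a backup tool with authenticated encryption (or gpg), since openssl enc alone cannot tell you the ciphertext was modified.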

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq