January 4 Information

This is the situation: we made a system for pharmacies that only needs a username and a password to gain access to very sensitive data. National standards, etc, now require the system to have a "two-factor authentication". For real proof of identity, you'd also need for instance a chipcard or an SMS. Both have disadvantages which I'd like to avoid. Also, I think these rules were made thinking of a system that is available via Internet for which obviously just a username and password do not provide enough security.

However, to gain access to our system you do need 2 factors. The first being able to guess a username and password; the second being that you need physical access to a PC in a pharmacy because you cannot reach the system via Internet. Even if you give someone your username and password, he'd have a hard time finding out what medication Ms. X is using. (Also, as soon as someone has access to a PC in a pharmacy, there's not much need to access a computer anyway because he could just look in the bags to see what medication people are taking.)

To make the case that we don't need extra security measures besides a username and password because the people having access to the system also must have managed to unlock the door, switch of the alarm, etc, I need an "offical" standard that acknowledges "physical access" being a "second factor" needed to gain access to a system. Does anyone know such a standard? 94.210.106.121 ( talk) 02:11, 4 January 2014 (UTC) reply

When in doubt, I always consult the CFRs: the FDA has a CFR search engine. Title 21, Chapter II, 1311.100 through 1311.110 look relevant: it appears that there are actually very clear definitions for pharmacies (1300.03). "Two factor authentication" is required for certain activities, like servicing certain types of prescriptions. And, a security system only counts as "two factor authentication" (1311.105, for the purposes of these regulatory requirements) if it meets very specific standards defined in those regulations and their references. The CFR also references this National Institute of Standards and Technology publication: NIST SP 800-63-1 Electronic Authentication Guideline, so that also seems to be a relevant national standard (in the United States). Of course, I have no idea if you're subject to these or any other US regulations; interpreting that question is probably legal and medical advice... but it seems to me that a successful pharmacy business depends on very strict adherence to law and strict compliance with applicable regulations. Why don't you hire an attorney to help you navigate this issue? Nimur ( talk) 05:29, 4 January 2014 (UTC) reply

One of the reasons for the rise in popularity of two-factor authentication is that, these days, there's just about no such thing as "not reachable via the Internet". Most computers are accessible remotely, either deliberately or by accident, and those that aren't may find themselves accessible tomorrow. So insisting on a separate, physical authentication factor really can improve security. (But, yes, at a cost in money and inconvenience. It's a sad truth in security that convenience and security are often mutually exclusive.) — Steve Summit ( talk) 14:55, 4 January 2014 (UTC) reply

It's also worth remembering that looking in Ms. X's bag requires you to be present when Ms. X is picking up her medication. Beyond the possibility of breaking in when the store was closed which was mentioned, there's also the possibility of accessing the system at any time when staff are distracted to obtain the records not just of Ms. X, but Ms A, B, C, D, E, F, G,....

I presume any pharmacy who find someone repeatedly looking in customers bags is going to kick them out (not to mention I'm not sure how looking in their bags necessarily helps to obtain their home address, telephone number, medical conditions and what ever other private details are stored in the system).

If staff catch someone on the computer, they may call the police, but that's if they catch them (remembering you only need one successful attempt for all those details). And even then, the pharmacy staff probably can't detain them so you'd need to hope the police find them. And actually a little social engineering may mean people can easily get themselves out of such a situation without a call to the police, although they probably won't try it at the same pharmacy again.

There's also other risks like someone physically connecting something to the machine although these may still apply even with two factor and I assume there are additional requirements to reduce the risk from them.

All in all, although some may use physical access to a trusted computer as a form of 2 factor authentication, you may have less lucky convincing the regulators to accept that in a case where highly private information is involved.

P.S. Of course, all this assumes that the staff involved follow proper practice and don't do stupid stuff like leave their phone/smartcard/token/whatever next to the machine unattended. If they do, then there's little difference between the two in terms of physical access. (Remote access both that mentioned by scs and where they attached something to the system is still different.) But I don't know how much success you'll have in convincing the regulators that your system is just as good because people most behave poorly. You'll probably need a better system if you want to convince them of that.

P.P.S. It's perhaps also worth remembering that in a case like yours where physical access to a machine is ideally needed anyway, it may be intended that there's actually effectively 3 factor authentication at play.

P.P.P.S. Of course I'm assuming that such systems are as bad as most system I see reported and lack any data limit protections. If they aren't then maybe adversaries won't get so many people in one go presuming they don't find a way around them, but still likely more than people are comfortable with or that are plausible from looking in bags.

Nil Einne ( talk) 18:24, 4 January 2014 (UTC) reply

I can think of some flaws:

1) A hacker may be able to spoof their location to make it look like they are using a pharmacy PC.

2) The hacker may well use a worker at the pharmacy to insert a program that will extract large quantities of patient data. Let's say it's the God Hates Fags "church" and they want to know everyone who is taking AIDS meds, so they can burn their houses down.

3) The hacker might be able to gain control of the pharmacy PC remotely, without inside help, using the internet, then use that PC to access the database. StuRat ( talk) 18:37, 4 January 2014 (UTC) reply

Maybe I misunderstood, but my assumption from the OPs comments is we were referring to a situation where the database is stored on a local PC or network which theoretically isn't supposed to be internet accessible, so spoofing the location or pretending to be the pharmacy PC doesn't help. As scs highlighted, assuming the PC or network is never internet accessible is likely a mistake. But when that does happen, I'm not sure if it was intended to suggest that the physical PC requirement offered any protection. Nil Einne ( talk) 19:04, 4 January 2014 (UTC) reply

As multi-factor authentication says in the lede, the factors are usually limited to "something you know", "something you have", and "something you are". Even if "somewhere you are" makes sense for authentication in your situation, it's not on that list, and you're unlikely to find a standard that includes it or lets you make up your own factors. But you may find a standard that doesn't require two-factor authentication for physically secure terminals. -- BenRG ( talk) 20:19, 4 January 2014 (UTC) reply

Also, "somewhere you are" only identifies you as one of the people with physical access to that terminal, unlike the standard factors, which all identify you personally. So it makes sense that it isn't on the list. -- BenRG ( talk) 21:05, 4 January 2014 (UTC) reply

The NIST publication I linked above had this to say: "The stipulation that every token contains a secret is specific to these E-authentication guidelines. As noted elsewhere authentication techniques where the token does not contain a secret may be applicable to authentication problems in other environments (e.g., physical access)." The way I read that, it sounds like NIST classified 'physical access' as a special case of weak token-based authentication. How can you prove you got physical access legitimately? Every part of the problem of authentication is about certifying legitimacy of a credential. Simply having a credential (or having physical access) is insufficient to authenticate. Authentication - whether it's implemented in software or any other mechanism - is entirely about proving you should have access. How do you prove (or at least, establish confidence) that physical access was actually protected? Nimur ( talk) 21:38, 4 January 2014 (UTC) reply

I'm looking for some suggestions on software to monitor and log what has been happening on our work computer running Windows XP. Once an hour we send out the weather by modem and it almost always goes OK. Sometimes though the computer will freeze up and a reboot is in order. So we are trying to identify the problem. It would need to log not only the keystrokes and mouse gestures but also other actions that the computer performed. I've been searching for software but all I can find is stuff that assumes I want to spy on the staff. Of course the cheapest solution would be best and keyloggers can be had for nothing but I had trouble finding anything that would show what buttons were clicked with the mouse. Software to record and automate mouse clicking is available but not really helpful. Thanks. CambridgeBayWeather ( talk) 02:39, 4 January 2014 (UTC) reply

If you haven't tried it, you might be able to get useful information from the event logger that runs automatically (I think). See http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/snap_event_viewer.mspx?mfr=true. Looie496 ( talk) 02:53, 4 January 2014 (UTC) reply

Sorry I should have mentioned that I did look through the event viewer. It gives some information but not enough. I was able to tell from it that the last claimed occurrence of the computer freezing up was actually the user forgetting to send the weather out. If the computer had shut down and been rebooted there should have been a "The Event log service was started." entry. The last claimed problem before that is no longer in the log. CambridgeBayWeather ( talk) 08:59, 4 January 2014 (UTC) reply

It seems to me that as long as you are dependent on somebody doing something every hour to send the weather report out, you are bound to have frequent failures. Can't this process be automated ? StuRat ( talk) 20:37, 4 January 2014 (UTC) reply

I am answering in the same line as StuRat, trying to understand and completely overhaul your procedures:

What about using a dedicated new computer for this?

Wouldn't a script/macro be more effective than a user doing anything?

You still use modem? Don't you have 4G or DSL in Cambridge? OsmanRF34 ( talk) 16:03, 5 January 2014 (UTC) reply

A modem as in over the phone line. A 1-800 number. We are not permitted to send weather by the Internet. It's some sort of weird countrywide standard. The problem isn't that people forget to send the weather. It's that the computer freezes and needs to be rebooted.

We manually type in the weather and then hit send on the hour. We produce a minimum of 8,760 weather observations a year (at least one observation an hour) and a total of 9 or 24 (depends on if people were telling the truth) were sent late because someone forgot. That's 0.1% or 0.27% and not really a problem. Yes I could set a program to record the mouse pushing send on the hour but there are possible problems with that. If the software stops working or it works and the computer freezes then the observer may not notice.

I did discover earlier in my shift that one problem that causes the weather software to freeze is caused by PowerDesk Pro. If it has been run and then shutdown it does not always do so. I had to Ctrl+Alt+Del and kill the process in Task Manager.

DSl is available here but not at work. Officially we only use it for email and a once a day retrieval of NOTAMs. Of course once you have run through the 20 GB it's $18 a GB after that. At home we would probably use the 20 in under a week (a combination of NetFlix and the Roku) and in one case a friend of mine spent over $1000 the first month. There is a another company but after you use up their allowance it reverts to dial up. I go with another company that doesn't give so fast a speed but has no monthly cap. Of course we are all waiting until 2016 when we are supposed to get fibre optic from Arctic Fibre.

As far as I know we are supposed to get 4G sometime this year but until then we will have to make do with our CDMA phones. Which is the reason BlackBerry phones are popular here because it's the only company that makes a CDMA smart phone. CambridgeBayWeather ( talk) 13:57, 6 January 2014 (UTC) reply

Sorry I missed your other comment about a dedicated computer provided by the federal goverment. It pretty much is that already. Weather, NOTAM retrieval, email and some spreadsheets. There is a backup that we use for everything else including playing on the Internet and a couple of us, like me, bring our own laptops. Oh yes, Environment Canada don't provide the Internet, it comes from the employer. CambridgeBayWeather ( talk) 14:03, 6 January 2014 (UTC) reply

ProcMon is my go-to for diagnosing this sort of problem, but it works best when you can reproduce the issue. If you set it logging just before clicking the button that sends the data (or whatever actually locks up and makes you have to reboot) and then stop it immediately after the issue happens, it will have a log of every file and registry access by every process on the system. Of course, this assumes that just your weather software locks up, not the whole system - if you can't click the button to stop and save the log then it won't do much for you. The amount of data logged can be overwhelming, but there are tons of filters you can apply afterwards, and by running it for as short as possible around the problem you eliminate a lot of noise. Hopefully this will help you figure out what exactly the process is trying to do when it locks up, and what other things on the system could have interfered with it. Katie R ( talk) 14:49, 7 January 2014 (UTC) reply

Thanks. I'll give that a try. I think most lock ups are only partial as we can usually shut down properly and rarely resort to plug pulling. CambridgeBayWeather ( talk) 15:30, 7 January 2014 (UTC) reply

With respect to Talk:Transmission_Control_Protocol#Choice_of_diagrams: Does anybody here know if there is an ACK expected on the transition from "Closing" to "Time Wait" when a TCP connection is being actively terminated? -- Stephan Schulz ( talk) 11:35, 4 January 2014 (UTC) reply

Looking at RFC 793, page 23, Figure 6 "TCP Connection State Diagram", seems to me like the ACKs are expected (there is a second ACK between LAST-ACK and CLOSED). Seems to me that the picture in the RFC is the source for the .svg image, so reliable-source-wise there are grounds for having the ACKs. 88.112.50.121 ( talk) 16:45, 4 January 2014 (UTC) reply

Agree. That seems like an impeccable source to me. Thanks! -- Stephan Schulz ( talk) 19:47, 4 January 2014 (UTC) reply

Okay, this is I am sure the dumbest n00best question ever, but here goes - I'm going to try to be very clear : Recently I decided to have my own blog - an actual non-blogger blog, with hosting, so that I could keep the files on my computer and mess with the code etc. But I am sort of busy and lazy and not the best coder, so I decided on a hosting package from GoDaddy that was bundled with Wordpress. (Yes, I hate the elephant poaching, but I also want something that is not going ot disappear and that is cheap, and I, like alot of people, don't really know much about these things). So I made my little test-stage blog honeyrococo.com and am using a "responsive theme" from Wordpress, meaning that it is supposed to automatically resize depending on the device on which it is being viewed - laptop, montior, ipad, various phones, etc.

Now my first question then is - why did I need to activate the Dudamobile mobile site? There was a button I was require to push in order to make my mobile site "go live". I thought the Internet was just the Internet and that things would be available to phones if they were available on the Internet proper, no matter what. I assumed that some things would look crappy on the phone because the formatting was iffy, but I thought that anything that was on the Internet was also available to mobile devices. Are there whole areas of the Internet (Flash issues aside) that are just not available? (So that's Q1)

Q2 is - when I finally made my mobile site "go live" it looked great online. Even my friend in London (I'm in California) who saw it on his different phone said so. It looked just like the actual online version of the site. But then there was this tool I was subsequently supposed to use from Dudamobile and I thought I had to use it - it asked me all sort of stuff about my color scheme and layout and changed everything so now the layout doesn't even seem to work if you turn the phone. This despite the fact that the original theme was "responsive". Add to this that the new color scheme is problematic because you can only have one background color on the phone, and so I have to choose something light enough for text and dark enough not to be plain white. The mobile site also looks kind of ... empty.

Q3 : When the site first went "live" and my boyfriend could see it in London, it looked great on his phone and on mine here in Oakland, because it was just honeyrococo.com, but then I guess something somewhere in the system "updated" to now always refer it to something like mobile.honeyrococo.com which is where all the ugliness transpires. Is it not somehow possible to just have the honeyrococo.com responsive site load as honeyrococo.com on phones? Why do I need to have this intermediary "mobile" version? Is Dudamobile actually providing me a needed service? Or is it some kind of gatekeeper? Or worse, a parasite? Is it only there to make sites that aren't "responsive" look good? Is there anyway to get back to that Edenic moment of having just my normal site display on phones?

Thank you in advance for any help. I am sure that I am asking the dumbest most obvious question(s) of all. Saudade7 13:42, 4 January 2014 (UTC) reply

Ugh. I can't tell you how to turn the gunky, mobile-"optimized" rendering off, but I can tell you that, yes, you're right, you shouldn't need it. (And don't worry, these are not dumb questions; IMO the only dumb thing here is the situation you've been put in, by experts who ought to know better.)

What you're up against is one of the great, eternal divides in web programming (and, for that matter, computing at large): generality versus specificity. One faction would argue that if HTML has no inherent screen size or resolution baked into it (which of course it doesn't), and if it has lots of mechanisms to support tailoring of a page's rendering based on the capabilities of the browser (which of course it does), then the obviously Right thing to do is to have one general-purpose version of your page that loads and works great on any browser, from the largest desktop to the tiniest smartphone screen. And your first experience proves that this is indeed possible.

BUT, there's this other faction that's just constitutionally incapable of accepting this situation. They come up with one little thing that looks bad on the biggest or the littlest screens, or that they want to do differently on the biggest or the littlest screens. (They might even be right; you obviously do want significantly different interaction styles on little touchscreens versus big screens with mice and keyboards.) But instead of rolling up their sleeves and figuring out a way of achieving their goal within the generic framework, they declare that for the "best possible", "optimized" user experience, we're all going to have to go with two wholly separate schemes, ponderously maintained in parallel. And you've seen the result.

Until you can figure out a way to turn the alternate gunk off, there might be a workaround: many "mobile optimized" schemes contain a little link somewhere to get back to the "desktop" version, for those die-hards who want to do it that way. See if you can find one of those lurking at the top or bottom of the page. (Or see if you can find a way to enable the mode-switching links, if they're available but off by default.) — Steve Summit ( talk) 14:38, 4 January 2014 (UTC) reply

P.S. Even Wikipedia has a separate, mobile-optimized version, and I have to say it's not bad. Thankfully, it's not "ponderously maintained in parallel", at least not on the content side.

P.P.S. It's not just in computing, either; this tension between generality and specificity is pretty much universal. But as some evolutionary biologist said, "change favors the generalist". But the inverse is also true: in times of stability, the specialists are gonna win. 14:47, 4 January 2014 (UTC)

Thanks Steve Summit for the sympathy and the link suggestions. I was trying to just put the http://honeyrococo.com/?no_redirect=true thing somewhere and see if that worked, but I will look into these other things that you suggest. I'm really sort of clueless so I will go google about and see what I come up with. :-) Saudade7 16:17, 4 January 2014 (UTC) reply

I seem to have fixed it - rather unbelievably - by simply "turning off mobile site" - before I guess there was a redirect to the mobile site, but not there isn't? Actually not sure what I did but happier. Wouldn't have discovered that without your help and encouragement to go fight the power and sniff around some more. Thanks Again Steve. Saudade7 16:41, 4 January 2014 (UTC) reply

Well, it is the time again for me to ask stupid questions :-) This is what happened. I reinstalled my old Windows Server 2008, ran all updates, etc and now I want to download Hyper V and quite possibly other software. I found a microsoft website that offers the downloads and ran into a small problem: I have to download first Microsoft Download manager. I actually has done it many times before but in other OS. Now my Firewall blocks the download "Security Alert: Your current security settings do not allow this file to be downloaded. " - this is what I get in a small pop-up. I am kind of afraid to turn the firewall off even for a single download so I tried to set up an exception. In "Windows Firewall" I clicked on "Change Settings." A window "Windows Firewall Settings" comes up. I added TCP port 25, called it "Inbound Port 25." and nothing happened. The download is stil blocked. What is wrong? What would be the other way to run safe downloads? Thanks, -- AboutFace 22 ( talk) 18:57, 4 January 2014 (UTC) reply

Rather than not allowing any downloads, you can set it to prompt you each time. StuRat ( talk) 20:25, 4 January 2014 (UTC) reply

You don't need Microsoft Download Manager. They may recommend it, but you can download their files without it.

Why do you think the message came from Windows Firewall? A quick web search suggests that the "Your current security settings..." message is from Internet Explorer and you need to change the settings there. And why do you want to unblock port 25? That's the SMTP port. It seems like you're trying things completely at random... -- BenRG ( talk) 20:31, 4 January 2014 (UTC) reply

Port 25 is SMTP port for some, inbound port for others. Well, anyhow I could not find so far how to prompt for the download every time (answering StuRat's suggestion). WinSer is a peculiar environment. Microsoft Download manager is NEEDED for downloading large files whereas it can download portions of a single file piecemeal and also it keeps track of all downloads which is very convenient. Thanks for contributions. I suggest to BenRG you either abstain from your inappropriate comments ("doing things at random") or stay clear off my posts. It is a WARNING!!! And it is the last one. -- AboutFace 22 ( talk) 20:47, 4 January 2014 (UTC) reply

The problem has been completely resolved. Much maligned :-) BenRG was correct. I had to allow file downloads in Internet Options. Now it is done. Thanks -- AboutFace 22 ( talk) 21:22, 4 January 2014 (UTC) reply

Resolved

StuRat ( talk) 19:01, 5 January 2014 (UTC) reply