dcontesti
Community Champion

No good deed goes unpunished

3 Replies
rslade
Influencer II

> dcontesti (Community Champion) posted a new topic in Tech Talk on 03-03-2020

> https://www.cbc.ca/news/canada/hamilton/jackson-square-dental-hacking-1.5471071?fbclid=IwAR0Y3tH_n-DosPr8EPIibVF5BdecrZY5YJTTqH_IEy-lB9AEswRIo4WMQCI
>
> So he says he was only trying to help....... Thoughts? d

Notes for those not wanting to be called hackers:

- don't wait for all staff to exit the room and then interact with the device without
permission

- if you find out where the password field is, just point it out to the staff and don't
ask them for the password

- if you *do* enter the password, don't do any searches, even for your own name

- best not to touch the device at all, just make some suggestions (if you've already
asked if the staff want help) (Actually, I've found this last to be a cardinal rule for
assisting people use their systems or training. It may take a while, but just doing it
yourself usually leaves out some important part of the process.)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Dance like nobody's watching. Love like you've never been hurt.
Develop software like the end user has your home address.
http://twitter.com/#!/RobertFischer/status/69117740622950400
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Caute_cautim
Community Champion

@dcontesti   The golden rule:  Never touch the keyboard unless you want to own the situation, keep a forensic log with date/time of actions and have been given formal permission to carry out the required tasks.

Plus make sure you ask the requestor whether they want to make a criminal investigation or charge, should the results of the review indicate there is sufficient evidence.  Make sure you get a written confirmation of their decision, do not depend on a verbal one, which can be rescinded.

If you are not a court-recognised forensic investigator, walk away, do not touch the keyboard and tell the requester to seek a recognised qualified forensic investigator, who can take the case to court, if they wish.

People get fed up with this attitude, but it saves one a whole heap of trouble.

 

Regards

 

Caute_cautim

denbesten
Community Champion

Kinda did it to himself.  By contacting the office, he created a formal record requiring a formal "management" response and a resultant change in demeanor from everyone in the office.

 

In the US, medical privacy laws by default prohibit my dentist from even confirming that my spouse or adult child is a patient, despite the fact that we often arrive together. Even allowing the patient to see search results for their last name risks a privacy violation.

 

Not surprised the office is separating themselves as far as possible from the situation.  After all, in addition to patient-privacy, there probably were also some disciplinary actions that can neither be confirmed nor denied.