|
RFC2324 posted: We slept a lot. Always someone active in case the place caught fire, but of the 3 of us one guy spent most of his shift MIA, one guy slept half his shift, and i mostly shitposted and played EVE.

My midnight helpdesk gig was typically 4 calls a night with 2 people on duty. Sleep. Everquest. Hour long smoke breaks. Pirated movies. As long as the phone got answered, nobody cared.
|
# ? Oct 28, 2020 18:02 |
|
|
# ? Apr 24, 2024 19:28 |
|
AlexDeGruven posted: My midnight helpdesk gig was typically 4 calls a night with 2 people on duty. Sleep. Everquest. Hour long smoke breaks. Pirated movies. As long as the phone got answered, nobody cared.

My gig was monitoring. My core duty was to watch a screen for an alert to pop up, and make sure I notice it within like 2 hours of firing. I had other poo poo to do, but no one cared if I did it. The only thing that mattered was looking at a screen at least once every couple hours.
|
# ? Oct 28, 2020 18:18 |
|
A ticket came in. User doesn't want to use our VPN because they're working with "real people's confidential data" and thinks we might have access to their screen activities.

OH BOY YOU HAVE NO IDEA... That we can't actually see your screen unless you let us.

E: The exchange was almost literally thus:

"I don't feel comfortable using the VPN because HIPPA laws and I am working with real patient data on contact tracing."

"What part of HIPAA regulations lead you to have concerns over using the $Org VPN on an $Org-owned device?"

"That you might have access to my screen activities and I am working with REAL PATIENT'S CONFIDENTIAL DATA."

Eyeroll, forwarded to InfoSec team to beat user with a clue-by-four.

dragonshardz fucked around with this message at 20:20 on Oct 28, 2020 |
# ? Oct 28, 2020 20:15 |
|
Disclaimer: IANAL

That's an insanely stupid take. My understanding is HIPAA has a provision where if witnessing PHI has to happen as part of your job, you're not violating anything as long as you and your organization make a best-effort to minimize the time of exposure, the people exposed to it, and the amount of information they're witnessing. Unless you're actively seeking to witness PHI for reasons not immediately related to the job you need to do or you're being negligent in how you go about it, it is usually kosher.

Sure IT has the power to enable screen sharing to a doctor without checking first or some other valid work reason, but they also have the power to rifle through PHI without cause. The violation in both contexts comes from negligent actions, not from (appropriately managed) power itself that exists to perform relevant job functions.
|
# ? Oct 28, 2020 21:04 |
|
Also not a lawyer, but I did sit through HIPAA training for work many years ago when I was the lead dev for our software supporting hospitals. The user is seemingly trying to get out of being required to do work and is taking a really dumb stand. Forwarding it on to the infosec team was the right move, and you may have wanted to include their boss as well.
|
# ? Oct 28, 2020 21:13 |
|
I have recently, as in this year, read through all of the applicable sections of HIPAA for my coursework in InfoSec and the user's claim is absolutely loving dumb. They backed it up by their contact tracing coordinator claiming that being connected to a VPN gives arbitrary access to "see literally everything you do, including your screens" which is just so much patent bullshit. That isn't how VPNs work, that isn't how our remote desktop management is set up, bullshit bullshit bullshit.

I privately commented to the infosec guys that yes, I know it's bullshit, but their saying the user is a loving idiot will go over better as how could I, a mere Service Desk grunt, possibly know?
|
# ? Oct 28, 2020 21:29 |
|
RFC2324 posted: i mostly shitposted and played EVE.

Late night helpdesk memories
|
# ? Oct 28, 2020 21:40 |
|
RFC2324 posted: We slept a lot. Always someone active in case the place caught fire, but of the 3 of us one guy spent most of his shift MIA, one guy slept half his shift, and i mostly shitposted and played EVE.
|
# ? Oct 28, 2020 23:11 |
|
dragonshardz posted: I have recently, as in this year, read through all of the applicable sections of HIPAA for my coursework in InfoSec and the user's claim is absolutely loving dumb.

Even if this person's claims were true, none of that is against hipaa.
|
# ? Oct 28, 2020 23:12 |
|
armchair lawyers in the office aaaaaaagghhh
|
# ? Oct 28, 2020 23:26 |
|
I don't have as much as the tiniest bit of hipaa training but lol at the idea that an unmanaged computer on an unsecured network is somehow more private for the customer. Ask her how she's planning to make copies of PII to save at home for personal use.
|
# ? Oct 28, 2020 23:38 |
|
I don't even see how the average employee needs to be aware of HIPAA requirements because it should all have been turned into policies enforced by IT or actual policies and processes enforced by the employer.
|
# ? Oct 29, 2020 00:14 |
|
Sickening posted: Even if this person's claims were true, none of that is against hipaa.

I'm well aware! Idiot user is basing all of this on poo poo her similarly uninformed contact tracing coordinator is saying.

Renegret posted: I don't have as much as the tiniest bit of hipaa training but lol at the idea that an unmanaged computer on an unsecured network is somehow more private for the customer.

Oh, probably a directly connected wireless printer that'll stop working after the VPN is set up on her machine.

Thanks Ants posted: I don't even see how the average employee needs to be aware of HIPAA requirements because it should all have been turned into policies enforced by IT or actual policies and processes enforced by the employer.

Uninformed staff being voluntold to help with COVID-19 contact tracing and knowing that HIPAA is vaguely related to IT somehow so they get all when we (FINALLY) implement a VPN.
|
# ? Oct 29, 2020 00:18 |
|
Thanks Ants posted: I don't even see how the average employee needs to be aware of HIPAA requirements because it should all have been turned into policies enforced by IT or actual policies and processes enforced by the employer.

This. The average user should only become aware of HIPAA when they butt up against it and get told that's why they can't do the thing. If a regular user is trying to leverage HIPAA to do things outside of normal policy, then they need to be smacked down hard and fast, and then sent for education.
|
# ? Oct 29, 2020 00:25 |
|
dragonshardz posted: Oh, probably a directly connected wireless printer that'll stop working after the VPN is set up on her machine.

This stumped me for a good fifteen minutes the other day. Absolutely mortifying when I realized.
|
# ? Oct 29, 2020 00:30 |
|
AlexDeGruven posted: The average user should only become aware of HIPAA when they butt up against it and get told that's why they can't do the thing.

I mean ideally yeah, but even if you design a system that's absolutely perfect at restricting only specifically relevant data to people immediately relevant to the situation, users can still "Hey I saw Alice check into our mental health clinic" and in practice users can almost certainly find a way to game the system if they were determined enough, and especially if they hadn't been actively told that making a copy of your buddy's SO's medical records for personal use is literally a crime.
|
# ? Oct 29, 2020 03:54 |
|
I love it when users don't understand that IT can see EVERYTHING if we decide we want to, and the only thing holding us back is ethics
|
# ? Oct 29, 2020 16:16 |
|
I am aware of one Head of Information Security who objected to Have I Been Pwned monitoring of company VIP email addresses "in case we learn things". Head of Information Security.
|
# ? Oct 29, 2020 16:37 |
|
One time we found out a user had been putting {encrypt} instead of [encrypt] in her email subjects so they weren't going to the magic email encryption machine.... She wasn't spelling encrypt right, either, so gently caress it. Per HIPAA we had to make sure that every email she sent in the last three months used SSL on the mail server side
|
# ? Oct 29, 2020 17:29 |
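Added example (not part of the thread): an audit of sent-mail subjects for tags that were meant to trigger a subject-keyword encryption gateway but would not have matched, such as the `{encrypt}` case in the post above. The accepted form `[encrypt]`, case-insensitive matching, the 0.7 similarity threshold and the sample subjects are assumptions.

```python
import re
from difflib import SequenceMatcher

KEYWORD = "encrypt"  # from the post; "[encrypt]" as the only accepted form is assumed
# A short word wrapped in any bracket-like pair, anywhere in the subject.
BRACKETED = re.compile(r"([\[{(<])\s*([A-Za-z]{4,12})\s*([\]})>])")


def classify(subject, threshold=0.7):
    """Return 'tagged', 'near-miss' or 'untagged' for one subject line."""
    verdict = "untagged"
    for opener, word, closer in BRACKETED.findall(subject):
        word = word.lower()  # assumption: the gateway ignores case
        if word == KEYWORD and (opener, closer) == ("[", "]"):
            return "tagged"  # the gateway would have picked this up
        # Right word in the wrong brackets, or a misspelling of the word.
        if SequenceMatcher(None, word, KEYWORD).ratio() >= threshold:
            verdict = "near-miss"
    return verdict


def audit(sent_items):
    """Return (message_id, subject) pairs that look like a failed tag."""
    return [(mid, subj) for mid, subj in sent_items
            if classify(subj) == "near-miss"]


# Constructed sample of (message id, subject) pairs, not real mail.
SAMPLE = [
    ("m1", "[encrypt] Lab results for review"),
    ("m2", "{encrypt} Lab results for review"),
    ("m3", "{encrpyt} referral paperwork"),
    ("m4", "[encypt] discharge summary"),
    ("m5", "Lunch order [Friday]"),
    ("m6", "Re: staff meeting"),
]

if __name__ == "__main__":
    for mid, subj in audit(SAMPLE):
        print(mid, subj)
```

Run on a schedule against the sent-items log, this surfaces the sender's intent to encrypt long before a three-month lookback is needed.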
|
RFC2324 posted: I love it when users don't understand that IT can see EVERYTHING if we decide we want to, and the only thing holding us back is ethics

Yeah, that's a fun concept to explain. Technically we have the ability to touch everything, but ethically we don't unless there's a specific business need or permission is given. It's especially fun when the person you're explaining it to can't fathom being able to nose around and not doing so.
|
# ? Oct 29, 2020 19:08 |
|
dragonshardz posted: Yeah, that's a fun concept to explain. Technically we have the ability to touch everything, but ethically we don't unless there's a specific business need or permission is given.

I admit, not doing so can be an exercise in willpower occasionally (because an incurious mind doesn't succeed in this industry), but I am also capable of overriding my urges, being an adult
|
# ? Oct 29, 2020 19:11 |
|
Yeah, users can't conceive of the fact that I don't need to know their password, and that I do not want to know their password, and it really is for the best that they change it to something that hasn't been sent to them electronically or put into an unsecure ticket.
|
# ? Oct 29, 2020 19:17 |
|
RFC2324 posted: I admit, not doing so can be an exercise in willpower occasionally (because an incurious mind doesn't succeed in this industry), but I am also capable of overriding my urges, being an adult

I guess you haven't run across enough browser history/save folders/etc to exceed the capacity of any eye bleach to ever unsee. That'll fix you right on up.
|
# ? Oct 29, 2020 19:21 |
|
Motronic posted: I guess you haven't run across enough browser history/save folders/etc to exceed the capacity of any eye bleach to ever unsee. That'll fix you right on up.

I've only run into that once, and it was when I was tasked with figuring out why one person was using 80% of the storage on the user share.
|
# ? Oct 29, 2020 19:28 |
|
Bob Morales posted: One time we found out a user had been putting {encrypt} instead of [encrypt] in her email subjects so they weren't going to the magic email encryption machine....

Ugh, you have more to look up than SSL I am afraid.
|
# ? Oct 29, 2020 19:32 |
|
Motronic posted: I guess you haven't run across enough browser history/save folders/etc to exceed the capacity of any eye bleach to ever unsee. That'll fix you right on up.

Fortunately, no. I haven't had to support desktops since before best buy had a geek squad and in all jobs, poking in a user's stuff like that was verboten, because of the risk of something confidential being saved there.
|
# ? Oct 29, 2020 20:09 |
|
Bob Morales posted: Per HIPAA we had to make sure that every email she sent in the last three months used SSL on the mail server side

SSL doesn't work like that.

The user needs a personal PKI encryption certificate installed in her email client or Outlook Web Access. The recipient of her email also needs a PKI encryption certificate as well, and they need to exchange public keys somehow, either through your organization's Global Address List, or a digitally signed email between the users with the public key attached. (Outlook defaults to this behavior, so the user doesn't need to do anything other than digitally sign the email in order to exchange keys).

Also, digitally signing an email =/= encrypting, they are unique functions, and should not be confused. You cannot encrypt an email without digitally signing it, but you can digitally sign it and not encrypt it.

Unless of course your "Magic email encryption machine" has some strange function that encrypts users' email but lets anyone who has access to the "Magic email encryption machine" read email not directly addressed to them. I've never heard of anything like that, only good old fashioned PKI encryption.

quote: OCR does not specify HIPAA email encryption requirements, but covered entities can find out more about electronic mail security from the National Institute of Standards and Technology (NIST) – See SP 800-45 Version 2. NIST recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.

Granted this creates the problem of you not being able to scan email in transit because S/MIME is designed for end-to-end encryption, and your mail server would be unable to scan the email for malware if it is encrypted within the email, but that's why you have antivirus/antimalware on your endpoints, right?

orange juche fucked around with this message at 01:37 on Oct 30, 2020 |
# ? Oct 29, 2020 20:43 |
|
RFC2324 posted: I admit, not doing so can be an exercise in willpower occasionally (because an incurious mind doesn't succeed in this industry), but I am also capable of overriding my urges, being an adult

Exactly.

Kurieg posted: Yeah, users can't conceive of the fact that I don't need to know their password, and that I do not want to know their password, and it really is for the best that they change it to something that hasn't been sent to them electronically or put into an unsecure ticket.

Oh my god, the number of times I've had to tell a user we don't need their current password in order to reset it, and please for the love of all that is holy don't send it to us by email.
|
# ? Oct 29, 2020 23:12 |
|
dragonshardz posted: Exactly.

At my last job I watched the SOC and a client go back and forth like 5 times. The client sent us a password to a thing, SOC saw it, stepped in, reset/expired the password, informed the customer, who immediately sent us what they changed the password to.
|
# ? Oct 29, 2020 23:41 |
|
I had a nurse who, for some reason, was completely incapable of remembering her password. Almost every night we would get a call that her "password stopped working again". At least 3-4x/week. So we set her a lovely easy password and put it on a post it note. Every time she called we would "reset it back" again. Which entailed nothing more than tapping on the keyboard for a moment while rolling our eyes.
|
# ? Oct 30, 2020 00:37 |
|
Is it like the beginning of RED where Bruce Willis keeps ripping up his checks just to speak to the hot help desk lady?
|
# ? Oct 30, 2020 01:11 |
|
AlexDeGruven posted: I had a nurse who, for some reason, was completely incapable of remembering her password.

I had a user who would submit a password reset request at least once a week, sometimes up to 3, depending on how she was feeling I guess. And she got very very mad that I insisted she change it away from the default bulk password I use for all "i am literally talking to the person and they can log in and change it as soon as I hit commit" users. Since "[my] password is so easy to remember." Eventually it stopped. I imagine because they changed it to their windows password.
|
# ? Oct 30, 2020 01:26 |
|
As an ISP network admin I have found my new mortal enemy

gamers

Complaining to executive management about your 70ms ping in counterstrike isn't going to make you suck any less, but it will waste a poo poo ton of my time.
|
# ? Oct 30, 2020 04:15 |
|
I mean turns out there actually is some suboptimal routing going on but shut up I'm more interested in saving bandwidth on my core than 30ms of latency.
|
# ? Oct 30, 2020 04:27 |
|
Renegret posted: As an ISP network admin I have found my new mortal enemy

lol who did this? fucks sake if you care about it get a business class plan with a service level agreement and pay that loving money. Other than that, gently caress you, best effort, bitch.
|
# ? Oct 30, 2020 04:36 |
|
to be totally fair, if it's like 70ms to the next state over that's utter bullshit and absolute insanity
|
# ? Oct 30, 2020 04:40 |
|
Renegret posted: As an ISP network admin I have found my new mortal enemy

Why does your network suck
|
# ? Oct 30, 2020 04:43 |
|
in all seriousness the csgo official server network can nearly guarantee sub-20 or 30 ms anywhere in the lower 48 (probably sub-5 to 10ms if you are in a major city like LA or Dallas) unless your network is literal dogshit, that includes even singlehomed cogent, so something seems horribly wrong. they are open peering on any IXP also. even I have a peering session with valve's AS32590 for my network of 4 people that play counterstrike

orange juche posted: lol who did this? fucks sake if you care about it get a business class plan with a service level agreement and pay that loving money. Other than that, gently caress you, best effort, bitch.

i can understand that this is mildly ridiculous but if you are 70ms to one of the most heavily connected open-peering-policy from any major market, something is really wrong. even starlink is under 70ms to sea.valve.net

Impotence fucked around with this message at 04:47 on Oct 30, 2020 |
# ? Oct 30, 2020 04:45 |
|
Methanar posted: Why does your network suck

money
|
# ? Oct 30, 2020 04:52 |
|
Renegret posted: As an ISP network admin I have found my new mortal enemy

I remember when having a ping that was in the double digits was an amazing thing that gave me a massively unfair advantage in Quake type games. Spoiled rear end kids.
|
# ? Oct 30, 2020 04:53 |