WannaCry Worm
    #16
    Thanks for being here guys, everything is quiet again here and business as usual. Frank even brought our 2 customer entertainment stations back in after lunch. I took a late lunch so he could get them up and running. We host games, internet access, and general apps on them for the people in the waiting room. Parents can sign their children in and lock out aspects (such as internet) to keep the little ones safe. As I am typing, both terminals are occupied by two boys I know are brothers of the patient being treated by Frank. The funny thing to watch is their mother prying them out of our waiting room.



      #17
      Simon, I assume you use a cloud-based EMR? Otherwise there's not much to choose from for Linux, unless maybe you can code MUMPS.



        #18
        Originally posted by wartnose View Post
        Simon, I assume you use a cloud-based EMR? Otherwise there's not much to choose from for Linux, unless maybe you can code MUMPS.
        How many choices do you need?

        http://oscar-emr.com/

        http://openmrs.org/

        http://wiki.gnumed.de/bin/view/Gnumed

        http://www.open-emr.org/

        https://github.com/freemed/freemed/wiki

        and there are others, some very specialized.
        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
        – John F. Kennedy, February 26, 1962.



          #19
          Originally posted by GreyGeek View Post
          Yeah, I've looked at all those. They have to be ONC certified by 2018 for MIPS/MACRA for Medicare. Open-EMR might make it. The rest can be used in more sane countries. You left out VistA, which is the VA system that is free for download (based on MUMPS... whose idea was that). I heard recently the VA system is going to a commercial EMR, which means they might be plagued with WannaCry soon. Cloud-based may be the way to go. Then you can run all Linux workstations... but you better hope the cloud has good connectivity and security.
          Last edited by wartnose; May 18, 2017, 06:31 AM.



            #20
            Originally posted by wartnose View Post
            ....
            I heard recently the VA system is going to a commercial EMR, which means they might be plagued with WannaCry soon. Cloud-based may be the way to go.
            I've seen others go the commercial route, either at the start or after pressure is applied through hidden alliances. The excuse is always "but they have paid support", implying that FOSS project support, being free, isn't equal to the quality of paid support. The reverse is almost always the case. Paid support ends up being wasted money because the folks in the trenches need good answers ASAP, not during "business hours", so they end up on free support sites with other disenchanted app users.


            Originally posted by wartnose View Post
            Then you can run all Linux workstations... but you better hope the cloud has good connectivity and security.
            "Good connectivity and security" is almost an oxymoron in today's IT climate. ALL versions of Windows except Win10 are susceptible to WannaCry, and only MS management knows how long they knew about the EternalBlue security hole before they released the patch. Long enough to make Win10 secure. If past performance is any indication of future behavior, MS probably knows about several other security holes it is sitting on. WannaCry is now "motivation" (I would call it extortion) to force upgrades to Win10. Sure, MS released a patch for WannaCry, but how many non-W10 installations will patch their OS before they get the ransom window? Probably hundreds of thousands, if not millions. Many corporate IT depts have policies about not allowing patch installations until they have been run through test procedures to determine if the patch will break their corporate IT structures. That adds months or more to the exposure.

            Internet servers can be as vulnerable to malware and blackhats as local servers, even more so if the local servers are not facing the Internet. Then there are the corporations which promise to "do no evil" and, after they get a good market share, "evil" becomes their middle name as they strive to extend their influence and market share.

            Outsourcing databases to the Internet as a cost saving measure may save the corporation lots of money short term, but like outsourced factories the data ends up sliding down the commodity curve to the bottom of the barrel: to servers housed on the cheapest sites around the world, sites that are controlled by not so savory countries and their leaderships.

            Taking the long-term view, IMO, it is better for people and corporations to maintain their own "clouds". They can be configured for local access and remote access via ssh through VPNs. Running Linux for both workstations and servers eliminates essentially all malware threats and the vast majority of remote access threats. Most vulnerabilities are via local hosts. Unscrupulous employees are a different kind of threat that IPSec and ssh won't protect against. While Windows vulnerabilities reach into the tens and hundreds of thousands, if not more, the CVE count for Ubuntu is currently at 89, and that list goes back to 1996 for packages that were included in Ubuntu.

            For "distinct vulnerabilities" among the top vendors the CVSS score distribution is:

            CVSS Score Distribution For Top 50 Vendors By Total Number Of "Distinct" Vulnerabilities

            Columns: rank, vendor, total distinct vulnerabilities, number of vulnerabilities in each CVSS score band (0-1 through 9-10), weighted average CVSS score, and the same ten bands as a percentage of that vendor's total. Empty (zero-count) cells were dropped when the table was pasted; they are shown here as "-" and were put back by matching the counts against the percentage columns.

             #  Vendor      Total   0-1  1-2  2-3  3-4   4-5   5-6   6-7   7-8   8-9  9-10  WAvg   %0-1 %1-2 %2-3 %3-4 %4-5 %5-6 %6-7 %7-8 %8-9 %9-10
             1  Microsoft    4916     2   17  224   35   618   706   250  1127    23  1914  7.80      0    0    5    1   13   14    5   23    0    39
             2  Oracle       4356     2   87  192  367  1234   972   509   407    21   565  6.20      0    2    4    8   28   22   12    9    0    13
             3  Apple        3776     1   53  231   41   610   487   910   617    15   811  7.00      0    1    6    1   16   13   24   16    0    21
             4  IBM          3308     2   54  181  408   887   565   340   478    28   365  6.10      0    2    5   12   27   17   10   14    1    11
             5  Cisco        2926     1    3   30   41   540   669   419   883    36   304  7.00      0    0    1    1   18   23   14   30    1    10
             6  Google       2453    3†    -   30    7   383   310   324   731     8   657  7.60      0    0    1    0   16   13   13   30    0    27
             7  Adobe        2284     -    -   18    3   156   137    70   122     1  1777  9.20      0    0    1    0    7    6    3    5    0    78
             8  Linux        1854     1   87  273   43   571   134   151   472     4   118  5.90      0    5   15    2   31    7    8   25    0     6
             9  Mozilla      1715    5†    -   72    8   332   299   212   242     1   544  7.30      0    0    4    0   19   17   12   14    0    32
            10  SUN          1630     3   26  105   45   312   283   119   422     4   311  6.80      0    2    6    3   19   17    7   26    0    19
            11  Redhat       1549     -   44  145   77   331   281   200   314     6   151  6.20      0    3    9    5   21   18   13   20    0    10
            12  Novell       1512     1   24   63   57   335   338   198   279     2   215  6.60      0    2    4    4   22   22   13   18    0    14
            13  HP           1410     1   10   53   26   261   204   122   359    22   352  7.30      0    1    4    2   19   14    9   25    2    25
            14  Debian       1128     -   15   68   42   247   233   182   255     4    82  6.40      0    1    6    4   22   21   16   23    0     7
            15  Canonical     850     -   22   42   26   219   174   131   166     3    67  6.30      0    3    5    3   26   20   15   20    0     8
            16  Apache        777     -    5   35   18   207   254    86   128     1    43  6.20      0    1    5    2   27   33   11   16    0     6
            17  PHP           560     -    -   21    6    62   163    75   191     1    41  6.90      0    0    4    1   11   29   13   34    0     7
            18  GNU           470     1    9   38   26    77   132    55   102     -    30  6.20      0    2    8    6   16   28   12   22    0     6

            † The empty cell next to this count was also dropped, and both bands round to 0%, so this count belongs to either the 0-1 or the 1-2 band; the pasted text does not say which.



              #21
              Here is a video that describes WannaCry very well and also discusses recent changes to the malware:



                #22
                Originally posted by dibl View Post
                The longer I use Linux, the lower my remaining respect for Microsoft. Today I discovered this goofy situation on the only Windows computer in my house (Win 7): Microsoft Security Essentials is fully up to date, has done a full system scan today, and finds no issues. Windows update shows 48 "Important" and 2 optional updates. Running updates, it will sit there claiming "Downloading Updates" for an hour with zero actual files downloaded. Grabbed their "Update Repair Tool" or whatever it is called, ran it as administrator, and watched it sit there claiming "Recovering Files" or some such lie, with nothing actually happening. What a pile of crap!
                I have the same issue on Win7, I think because I ignored the upgrade-to-Win10 popup. Updates suddenly stopped working. I managed to install some using a 3rd-party tool. Though recently I read the issue could be MsMpEng needing to do a full scan before updates can proceed. Never mind the fact that the same "anti-malware" enabled a trojan to run on Windows: you just had to receive the infected email, it would scan it, and while doing so run the malware.

                A bit more on topic: the malware can infect Linux if one uses Wine. I guess you would need to use an email client or browser in it. Anyway, it encrypts Wine and home, but the system stays intact.

                Just thought it is worth remembering that Wine, while it enables some Windows apps to run, is also an attack vector, though limited in scope, and you might need some work in many cases (just like with other apps) to get the malware running in Wine.



                  #23
                  Originally posted by mastablasta View Post
                  Just thought it is worth remembering that Wine, while it enables some Windows apps to run, is also an attack vector, though limited in scope, and you might need some work in many cases (just like with other apps) to get the malware running in Wine.
                  Unfortunately, if you want Windows applications to run under Linux it appears you must mirror Windows' vulnerabilities.
                  Lenovo T460s



                    #24
                    Originally posted by mastablasta View Post
                    ....

                    A bit more on topic: the malware can infect Linux if one uses Wine. I guess you would need to use an email client or browser in it. Anyway, it encrypts Wine and home, but the system stays intact.

                    Just thought it is worth remembering that Wine, while it enables some Windows apps to run, is also an attack vector, though limited in scope, and you might need some work in many cases (just like with other apps) to get the malware running in Wine.
                    Limited indeed. A few years ago I did extensive testing of malware on WINE to determine just how much danger my Linux installation was in. My conclusion: none. While lots of damage was done, on occasions, to the WINE files I merely purged the WINE installation and reinstalled it to test other malware. I found that all the infections work through only eight different attack vectors, regardless of the names of the malware.

                    The biggest danger to Linux is not the malware, regardless of its source or attack mode, it is the USER. Programs don't run themselves on Linux by virtue of an extension type or some "activeX" control. On Linux there are three steps to running a program.
                    1) Save it as a file (ALL objects in Linux are and have to be files)
                    2) add the execute permission to the saved file
                    3) run the saved file

                    Only the user can do those three steps. It is ALWAYS done by installing software from sources other than the repository. If you are going to go outside the vetted repository then the onus is on you to see that you are not infecting your computer.

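The three steps in the post above, reproduced as an added example (this is not code from the thread or from any of the projects it mentions). It saves a constructed, harmless script the way a mail client would, shows that the kernel refuses to execute it until the user adds the execute bit, and also shows the caveat a practitioner should keep in mind: handing the same file to an interpreter (`sh file`) skips step 2 entirely, which is why the advice not to run downloaded attachments at all matters more than the permission bit. Assumes a POSIX system with /bin/sh; the file name and directory are arbitrary.

```python
"""Added example: the save / chmod +x / run sequence on Linux, observed
from Python so each step's effect can be checked. Not from the forum post.

Assumes a POSIX host with /bin/sh. Everything happens in a throwaway
directory; the "attachment" is a constructed, harmless shell script.
"""
import os
import stat
import subprocess
import tempfile

# Constructed sample "attachment" standing in for whatever a mail client
# or browser saved to disk.
SAMPLE_SCRIPT = "#!/bin/sh\necho payload-ran\n"


def try_direct_exec(path):
    """Step 3 (run the saved file directly). Returns the script's stdout,
    or None when execve() refuses with EACCES because the x bit is missing."""
    try:
        out = subprocess.run([path], capture_output=True, text=True, check=True)
        return out.stdout.strip()
    except PermissionError:
        return None


def try_interpreter_exec(path):
    """The route the three-step model does not cover: passing the file to an
    interpreter. sh only needs read access, so the x bit is irrelevant."""
    out = subprocess.run(["/bin/sh", path], capture_output=True, text=True)
    return out.stdout.strip()


def demo():
    """Walk the three steps and report what happened at each one."""
    # Prefer the working directory in case the system temp dir is mounted noexec.
    base = os.getcwd() if os.access(os.getcwd(), os.W_OK) else None
    with tempfile.TemporaryDirectory(dir=base) as tmp:
        path = os.path.join(tmp, "attachment.sh")

        # Step 1: save it as a file (mode 0644: readable, not executable).
        with open(path, "w") as fh:
            fh.write(SAMPLE_SCRIPT)
        os.chmod(path, 0o644)
        before = try_direct_exec(path)       # None: kernel refuses

        # Caveat: an interpreter runs it anyway, x bit or not.
        via_sh = try_interpreter_exec(path)  # "payload-ran"

        # Step 2: the user adds the execute permission.
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
        has_x = bool(os.stat(path).st_mode & stat.S_IXUSR)

        # Step 3: the same direct invocation now succeeds.
        after = try_direct_exec(path)        # "payload-ran"

    return {
        "direct_before_chmod": before,
        "via_interpreter": via_sh,
        "exec_bit_set": has_x,
        "direct_after_chmod": after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first and last values are the post's point: without the execute bit the kernel returns EACCES and nothing runs; after `chmod +x` it does. The middle value is the caveat: `sh attachment.sh` never consults the bit, so a user who is told to "just run it with sh" has done steps 1 and 3 and skipped 2.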


                      #25
                      Looks like Win10 didn't get a free ride

                      https://www.bleepingcomputer.com/new...urity-company/


                      "Athena is an implant — a CIA technical term for "malware" — that can target and infect any Windows system, from Windows XP to Windows 10, Microsoft's latest OS version.

                      Documents leaked today are dated between September 2015 and February 2016, showing that the CIA had the ability to hack Windows 10 months after its launch, despite Microsoft boasting about how hard it would be to hack its new OS."



                        #26
                        Originally posted by GreyGeek View Post
                        On Linux there are three steps to running a program.
                        It is likely similar on Mac (just guessing here, as I have never used or had one). There was recently a hack on the HandBrake site. Someone planted a malicious version on their website. The user downloaded it. "The infection" was also phishing-based, as it asked for a password. The user thought it was safe so they entered it, never thinking about why it needed the password. This could easily happen to new users as well; they would assume the program needs access to the OS. The password was then sent to the attackers, who got full access. You could say use what is in the repos, but often what is in the repos is not the latest version, and sometimes you need the latest to complete the task or to avoid certain bugs.

                        Anyway, malware that abuses trust is still possible. Not sure about snap packages; are they contained?



                          #27
                          The weakest component of any computer system, whether it be Windows, Mac, Unix/Linux, or "other", is the user sitting at the keyboard. The user must have or acquire at least a basic understanding of how the system works; period. If a user can't or won't acquire that understanding, they have no one to blame but themselves when something goes wrong; period. That may sound harsh, but it's the reality one must accept when choosing to use a computer.

                          ca·ve·at emp·tor
                          ˌkavēˌät ˈem(p)ˌtôr/
                          noun
                          • the principle that the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made.

                          Windows no longer obstructs my view.
                          Using Kubuntu Linux since March 23, 2007.
                          "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                            #28
                            Originally posted by Snowhog View Post
                            The weakest component of any computer system, whether it be Windows, Mac, Unix/Linux, or "other", is the user sitting at the keyboard. The user must have or acquire at least a basic understanding of how the system works; period. If a user can't or won't acquire that understanding, they have no one to blame but themselves when something goes wrong; period. That may sound harsh, but it's the reality one must accept when choosing to use a computer.

                            ca·ve·at emp·tor
                            ˌkavēˌät ˈem(p)ˌtôr/
                            noun
                            • the principle that the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made.
                            +1000000



                              #29
                              Originally posted by mastablasta View Post
                              It is likely similar on Mac (just guessing here, as I have never used or had one). There was recently a hack on the HandBrake site. Someone planted a malicious version on their website. The user downloaded it. "The infection" was also phishing-based, as it asked for a password. The user thought it was safe so they entered it, never thinking about why it needed the password. This could easily happen to new users as well; they would assume the program needs access to the OS. The password was then sent to the attackers, who got full access. You could say use what is in the repos, but often what is in the repos is not the latest version, and sometimes you need the latest to complete the task or to avoid certain bugs.

                              Anyway, malware that abuses trust is still possible. Not sure about snap packages; are they contained?
                              There have been some notable hacks of repositories in the past: the Linux Kernel and Linux Mint, for example. Proprietary interests and bomb throwers try to inflame the public for profit or fame, like Sophos, which then offered Linux AV products at the end of that "story". Kaspersky Labs ran annual Linux virus scare stories for half a dozen years, trying to push their Linux AV products, before they gave up. As PC-World explained, while a black hat may have compromised a developer's email login and gained passwords, trying for 17 days to infect something without being detected, there was no way he or she could have infected any of the 40K+ files in the kernel repository without raising alarms.

                              Sending out a Trojan or virus as an attachment in a mass mailing to millions of users will work to get Windows infected, even if the user doesn't click on the attachment, but on Linux an email attachment just sits in the inbox until the user decides to do something. Even clicking on the attachment won't run it, because as an attachment it is not a file, and Linux only executes special files (script & ELF) that have the execute permission set, and that at the user's request. A file in and of itself cannot execute automatically. For that to happen an entry in cron is required, or some process previously executed by the user has to do the honors.

                              The number one security hole in Linux is the user, and the developers can't program him/her out of the loop, which is what Microsoft tried to do with Windows and it only made their security a bigger problem.

                              So, noobs, do NOT go outside the Kubuntu/Ubuntu/Neon repository to install apps. Do NOT save an email attachment, add execute permissions to it and then run it, regardless of who it claims it is from. Activate your ufw (firewall) and install its GUI to make it easier to use.
                              Go to Gibson's "Shields Up!" website and test your first 1,024 ports for security. Make sure they are all green. If you allow yourself to be pinged you'll fail the test even if all your ports are green, but that doesn't matter. ICMP acks don't hurt you.

                              If you have a router that you can or have installed DD-WRT on, then turn on its firewall as well. (But, holes you make in your ufw firewall you'll have to make in the router SPI firewall as well.)
                              Last edited by GreyGeek; May 20, 2017, 12:34 PM.

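The post above recommends testing your first 1,024 ports with an external service. As an added example (not code from the thread), here is the same check done with plain TCP connect probes so you can run it yourself: pointed at 127.0.0.1 it lists what the host is listening on; run from a second machine against your public address it shows what the firewall actually lets through, which is what Shields Up measures. The port labels and the thread pool size are my own choices; the listener helper at the end exists only so the scanner can be exercised offline.

```python
"""Added example: scan the first 1,024 TCP ports with connect() probes.
Not from the forum post; the labels and defaults below are assumptions.

A closed port answers with RST (ConnectionRefusedError) and a filtered one
times out; both are reported as "not open". Only open ports are returned.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Labels for a few well-known ports a workstation should rarely expose to
# the Internet. Constructed list, not a complete catalogue; 139 and 445
# are the SMB ports WannaCry spread over.
RISKY = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
         111: "rpcbind", 139: "netbios-ssn", 445: "smb", 631: "ipp"}


def port_is_open(host, port, timeout=0.3):
    """True when a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (ConnectionRefusedError, socket.timeout, OSError):
        return False


def scan(host, ports, workers=64):
    """Probe each port in `ports` concurrently; return the sorted open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def report(open_ports):
    """Pair each open port with a label from RISKY, or 'other'."""
    return [(p, RISKY.get(p, "other")) for p in open_ports]


def open_listener(host="127.0.0.1"):
    """Bind a throwaway listening socket on an ephemeral port so the scanner
    can be checked without root or a real service. Caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    found = scan("127.0.0.1", range(1, 1025))
    for port, label in report(found):
        print(f"open: {port}/tcp ({label})")
    if not found:
        print("nothing listening on 1-1024")
```

Anything this prints when run from outside your network is a hole in both the host firewall (ufw) and the router's SPI firewall, which matches the post's remark that a hole opened in one has to be matched in the other. Loopback results are broader than what the Internet sees, because ufw does not filter traffic to 127.0.0.1.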