ProjectSend



  • @drewlander found ProjectSend

    Reminds me of something a bit like what I think OwnCloud is like (though I've never used/seen OwnCloud)



  • @scottalanmiller posted that ASO has automatic scripts for ProjectSend and ownCloud just a could hours ago...

    http://mangolassi.it/topic/6776/a-small-orange-softaculous-software


  • Service Provider

    Looks like the main goal, though, is for doing external file management to clients rather than owncloud that focuses on internal storage.



  • yeah, that is @drewlander purpose is. A replacement for secure mail of attachments. Instead of using something like Zix, use ProjectSend.



  • @Dashrender said:

    rpose is. A repl

    I need to see exactly what they are doing with that SWF, that aside I like this solution and discussed it with Dashrender but we agreed it probably requires a few modifications.

    1.) This app needs to log IP Addresses
    2.) A client should be able to target a file to system user if the system user has a targeted an active file to the client.
    3.) The new user email template should not include a plain text password. It should have a username and a link to the forgot password landing page so the user can request and reset their own account if their account is created by a system user.

    I have no experience with ownCloud but I am not interested in creating a central point of management for dropbox and sharepoint or whatever it is they are advertising. If the state requires a patient record I need a secure file exchange service to handle that transaction, and that is specifically what this app does.

    -d



  • @scottalanmiller , that is how I understood the ownCloud product when I read up on it.



  • @Dashrender said:

    @drewlander found ProjecSend

    I was reading Drew's responses and was a bit confused but I think, after reading it, that you mean he founded the project? He didn't just find it and want to talk about it, he's actually the founder?



  • @Reid-Cooper said:

    @Dashrender said:

    @drewlander found ProjecSend

    I was reading Drew's responses and was a bit confused but I think, after reading it, that you mean he founded the project? He didn't just find it and want to talk about it, he's actually the founder?

    That would not be correct. @drewlander was surfing the web for a solution, and discovered it. He then told me about it, and I posted here about it - but I posted second because Scott included it in a huge list of things ASO does yesterday.

    But this thread is much more useful to talk about this one project than his :)



  • ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

    You can share multiple folders like this to keep clients / government entities separated.



  • Oh okay, so he actually did find it. LOL. Thanks for clearly that up.



  • @dafyre said:

    ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

    You can share multiple folders like this to keep clients / government entities separated.

    I don't think OwnCloud can log IP addresses although I'm pretty sure you can do that at the webserver level.


  • Service Provider

    @coliver you can definitely do it at the web server level, but single page apps would not tell you everything that is going on.



  • @dafyre said:

    ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

    You can share multiple folders like this to keep clients / government entities separated.

    That is not good enough for HIPAA.


  • Service Provider

    For example, the web logs for MangoLassi would tell us almost nothing. It would show only one connection for each tab that you have open rather than info about each page that you go to. That's why we rely on the application itself for stats. Only the app knows when it has shown a page, for example.


  • Service Provider

    @Dashrender said:

    @dafyre said:

    ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

    You can share multiple folders like this to keep clients / government entities separated.

    That is not good enough for HIPAA.

    Are you sure? What is the HIPAA requirement?



  • @scottalanmiller said:

    @Dashrender said:

    @dafyre said:

    ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

    You can share multiple folders like this to keep clients / government entities separated.

    That is not good enough for HIPAA.

    Are you sure? What is the HIPAA requirement?

    You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

    @dafyre doesn't mention anything about usernames.



  • @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    @dafyre said:

    ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

    You can share multiple folders like this to keep clients / government entities separated.

    That is not good enough for HIPAA.

    Are you sure? What is the HIPAA requirement?

    You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

    @dafyre doesn't mention anything about usernames.

    You could easily setup username per client or whatever. Even send out links to reset/create a password. How does knowing the user's IP address give you info about who the user is? Even a username and password would be iffy in this scenario.



  • Getting rid of shared accounts was one of the first huge hurtles I had to get this company to overcome. Frankly I'm still battling it daily.

    People around here just don't give to flips about security. Does it make their life a bit more difficult - sure! but is it so burdensome that it causes workflow breakdowns? No. They are just lazy.


  • Service Provider

    @Dashrender said:

    You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

    @dafyre doesn't mention anything about usernames.

    A username and password does not track individuals anymore than just a password does. It's more secure, but only by virtue of being naturally longer. If you want you can put the username into the first part of the password field. Works the same. The idea that usernames/passwords does something that pure passwords does not is a human perception thing and matters not at all to the computer.

    Username/password can be shared identically to just passwords. So anything that is allowed by username/password would be covered by just password.


  • Service Provider

    @Dashrender said:

    Getting rid of shared accounts was one of the first huge hurtles I had to get this company to overcome. Frankly I'm still battling it daily.

    People around here just don't give to flips about security. Does it make their life a bit more difficult - sure! but is it so burdensome that it causes workflow breakdowns? No. They are just lazy.

    Using "just" a password might encourage people to use it incorrectly, but it doesn't change it at a technical level.



  • @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    @dafyre said:

    ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

    You can share multiple folders like this to keep clients / government entities separated.

    That is not good enough for HIPAA.

    Are you sure? What is the HIPAA requirement?

    You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

    @dafyre doesn't mention anything about usernames.

    No, I didn't. I thought we were talking simple file sharing. ownCloud does allow you to share files among users as well though. it can run using its own stand-alone user database or run using LDAP / AD for the User database.



  • Of course you're right @scottalanmiller, as long as you can show that a specific password was used to access said files. If you can't, well then you haven't identified the user.



  • @coliver said:

    @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    @dafyre said:

    ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

    You can share multiple folders like this to keep clients / government entities separated.

    That is not good enough for HIPAA.

    Are you sure? What is the HIPAA requirement?

    You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

    @dafyre doesn't mention anything about usernames.

    You could easily setup username per client or whatever. Even send out links to reset/create a password. How does knowing the user's IP address give you info about who the user is? Even a username and password would be iffy in this scenario.

    While tracking IPs isn't specifically required, it's generally used as part of the verification that a user accessing a system is not accessing it from someplace they shouldn't be accessing it. For example, If a user is in Texas, and the IP they are logging in from is from Japan, someone should be looking into why that user's account was used from a Japanese IP.

    Users under the law are able to be held accountable for things accessed with their credentials. I'm sure this is to incentivize the user to maintain control over their account.



  • @Dashrender said:

    @coliver said:

    @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    @dafyre said:

    ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

    You can share multiple folders like this to keep clients / government entities separated.

    That is not good enough for HIPAA.

    Are you sure? What is the HIPAA requirement?

    You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

    @dafyre doesn't mention anything about usernames.

    You could easily setup username per client or whatever. Even send out links to reset/create a password. How does knowing the user's IP address give you info about who the user is? Even a username and password would be iffy in this scenario.

    While tracking IPs isn't specifically required, it's generally used as part of the verification that a user accessing a system is not accessing it from someplace they shouldn't be accessing it. For example, If a user is in Texas, and the IP they are logging in from is from Japan, someone should be looking into why that user's account was used from a Japanese IP.

    Users under the law are able to be held accountable for things accessed with their credentials. I'm sure this is to incentivize the user to maintain control over their account.

    So if the user is liable for their own account why are you tracking IP addresses? You just said after you give them the information you are no longer responsible for how they access it.


  • Service Provider

    @Dashrender said:

    Of course you're right @scottalanmiller, as long as you can show that a specific password was used to access said files. If you can't, well then you haven't identified the user.

    If there is only one password, then you know for sure. If not, then you are in the same boat as with usernames needing to track which one was used.


  • Service Provider

    @Dashrender said:

    @coliver said:

    @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    @dafyre said:

    ownCloud can be used to securely transfer files as well. You can share a folder with a password and Link... and whoever has the password and link can view / upload / download the files in that folder.

    You can share multiple folders like this to keep clients / government entities separated.

    That is not good enough for HIPAA.

    Are you sure? What is the HIPAA requirement?

    You have to be able to track it to a specific individual. I suppose as long as no one is sharing the password, i.e. it's only used by one person, then you kinda have that... but I don't consider it really the goal.

    @dafyre doesn't mention anything about usernames.

    You could easily setup username per client or whatever. Even send out links to reset/create a password. How does knowing the user's IP address give you info about who the user is? Even a username and password would be iffy in this scenario.

    While tracking IPs isn't specifically required, it's generally used as part of the verification that a user accessing a system is not accessing it from someplace they shouldn't be accessing it. For example, If a user is in Texas, and the IP they are logging in from is from Japan, someone should be looking into why that user's account was used from a Japanese IP.

    Users under the law are able to be held accountable for things accessed with their credentials. I'm sure this is to incentivize the user to maintain control over their account.

    how would IP tracking help that? As we've seen this morning IP geotracking doesn't work and often gets the country wrong (@Carnival-Boy reported as in France rather than the UK, me in Germany rather than the UK, etc.) And even when it works, how do you know where the other person is "supposed to be?"

    There is no reliable IP Geolocation system so using that with HIPAA seems like a bad idea.


  • Service Provider

    @coliver said:

    So if the user is liable for their own account why are you tracking IP addresses? You just said after you give them the information you are no longer responsible for how they access it.

    I'd say tracking IPs is bad because there is nothing good that could come from storing that information.



  • @scottalanmiller I'd agree with @Dashrender here. If something happens and a user's account is being used from Japan when the live in Texas... that would be information nice to have.



  • @coliver said:

    So if the user is liable for their own account why are you tracking IP addresses? You just said after you give them the information you are no longer responsible for how they access it.

    Hmm.. I'll have to think on that. Not talking about the law specifically, but why would I want to? To help ensure that only proper access is being used. If there is no reason for someone in Japan to be accessing my systems, yet I see an IP in Japan accessing it, I need to know that.



  • @Dashrender said:

    @coliver said:

    So if the user is liable for their own account why are you tracking IP addresses? You just said after you give them the information you are no longer responsible for how they access it.

    Hmm.. I'll have to think on that. Not talking about the law specifically, but why would I want to? To help ensure that only proper access is being used. If there is no reason for someone in Japan to be accessing my systems, yet I see an IP in Japan accessing it, I need to know that.

    At that point you would want to look into a intrusion detection system rather then doing it at the application level.


Log in to reply
 

Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.