Channel: Justin Shafer

Dexis Classic and the old Scan-X on Windows 10.

Just thought I would make a post that the Dexis 10 classic does work fine on Windows 10 32 bit, with UAC disabled. Those card readers are somewhere on my blog.

http://justinshafer.blogspot.com/2014/10/dexis-8-pcmcia-adapters.html



Old School Scan-X (USB) and Eaglesoft 14, with Windows 7, 64 bit.


For the Scan-X:
1. Upgrade the firmware for the Scan-X on a 32 bit machine. This allows the 64 bit drivers to work.
2. Install the Scan-X on a 64 bit machine using the new driver.
3. Install the Scan-X 2 software so you have the demo program and may test.
4. Replace the VistaScan.dll file that Eaglesoft uses for the Scan-X with the one from the Scan-X 2 demo folder.

Should work.
Looking for the OLD 32-bit drivers for the Scan-X? An archived copy of the Air Techniques driver page:
https://web.archive.org/web/20090207192025/http://airtechniques.com/library/drivers.aspx



I did a ton of work with the Still Pin this week

I decided I was bored.

I took a sample project called DXSnap and another one called Image Thumbnail Viewer C#  and combined them into 1.


This allows the Still Pin to work. I will try to explain more about the Still Pin. The top window is a live viewing of the cameras capture pin. The bottom picturebox is the Still Pin. The Still Pin only gets 1 frame at a time, hence the name Still Pin. When you hit the capture button on the camera, the camera outputs 1 frame to the Still Pin. Some cameras like the MD-740 or ImageMaster camera are designed to work this way. Image Master actually does both. They support a Still Pin OR you can use the capture button software with the Capture Pin.


I will say, after learning this much about a Still Pin... that I actually prefer the Capture Pin setup over a Still Pin. The main reason is the delay. When someone hits the button on a camera, you want the snapshot to be taken a couple of seconds later (1500 ms), which is what my capture button program does.

Anyways... I designed the Open Dental interface to allow for ALL setups. Not sure what I am going to do about it. I am trying to make an Open Dental plugin, but I don't think I will have that much success.. Running into a problem. But.. we'll see.

If anyone would like to play with this add on to Open Dental, let me know. You will need to be on 16.2 beta to play.

The graphs!
Capture Pin:

Still Pin:

Dentrix G4 ODBC Methods

People keep asking me about ODBC or extracting data from Dentrix 11 to G4.

So....
1. https://code.google.com/archive/p/driller/ This is a former Dentrix user's project. Feel free to contribute.

2. Using the Dentrix ODBC driver. This requires an ODBC client that can use SQLExecDirect.
An example would be like this:
2AW^WCT * FROM ADDRESS_DAT;

You will notice the first couple of characters have been mangled. To find the rest of the commands, enable ODBC tracing in Windows (ODBC Data Source Administrator, Tracing tab), run Dentrix for a while, then open the trace log and read the commands out of it.

3. Ask Open Dental for a copy of Trixi. It's what I use. =)
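Once tracing is on, the log is verbose: every ODBC call appears with its arguments, twice (on ENTER and again on EXIT). As an added example, not code from the original post, this Python script pulls the statement text out of the SQLExecDirect/SQLPrepare calls and lists the tables they touch, which is the part of the trace you actually want. The trace excerpt is constructed for this example: it follows the driver manager's layout, but the application name, handles and statements are made up.

```python
import re
from collections import Counter

# Constructed excerpt of a Windows ODBC Driver Manager trace (the file the
# Tracing tab writes, SQL.LOG by default). Layout follows the driver manager:
# "app  pid-tid  ENTER/EXIT <API>" then one indented line per argument.
# Application name, handles and statements are made up for this example.
SAMPLE_TRACE = """\
Dentrix         1a2c-1b3c   ENTER SQLExecDirect
        HSTMT               0x00A5B0E8
        UCHAR *             0x0012F5C4 [      -3] "SELECT * FROM ADDRESS_DAT"
        SDWORD                    -3

Dentrix         1a2c-1b3c   EXIT  SQLExecDirect  with return code 0 (SQL_SUCCESS)
        HSTMT               0x00A5B0E8
        UCHAR *             0x0012F5C4 [      -3] "SELECT * FROM ADDRESS_DAT"
        SDWORD                    -3

Dentrix         1a2c-2f00   ENTER SQLPrepare
        HSTMT               0x00A5B200
        UCHAR *             0x0012F600 [      -3] "SELECT PAT_ID, LAST_NAME FROM PATIENT_DAT WHERE PAT_ID = ?"
        SDWORD                    -3

Dentrix         1a2c-1b3c   ENTER SQLAllocHandle
        SQLSMALLINT                  3 <SQL_HANDLE_STMT>
        SQLHANDLE           0x00A5A000
        SQLHANDLE *         0x0012F800

Dentrix         1a2c-1b3c   ENTER SQLExecDirectW
        HSTMT               0x00A5B0E8
        WCHAR *             0x0012F700 [      -3] "SELECT * FROM ADDRESS_DAT"
        SDWORD                    -3
"""

CALL_RE = re.compile(r"\b(ENTER|EXIT)\s+(SQL\w+)")
# Calls whose text argument is the SQL statement itself.
STATEMENT_CALLS = {"SQLExecDirect", "SQLExecDirectW", "SQLPrepare", "SQLPrepareW"}
# Argument line carrying the statement: type, pointer, [length], "text".
STMT_RE = re.compile(r'(?:UCHAR|WCHAR)\s*\*\s+0x[0-9A-Fa-f]+\s+\[\s*-?\d+\s*\]\s+"(.*)"\s*$')


def extract_statements(trace_text: str) -> list:
    """Return (api_call, sql) pairs in the order the application issued them.

    Only ENTER records are read; the EXIT record repeats the same arguments
    and would double-count every statement.
    """
    found = []
    current = None  # statement-carrying call we are inside, else None
    for line in trace_text.splitlines():
        call = CALL_RE.search(line)
        if call:
            entering = call.group(1) == "ENTER"
            current = call.group(2) if entering and call.group(2) in STATEMENT_CALLS else None
            continue
        if current:
            stmt = STMT_RE.search(line)
            if stmt:
                found.append((current, stmt.group(1)))
                current = None  # one statement argument per call
    return found


def statement_counts(trace_text: str) -> Counter:
    """How often each distinct statement was issued (collapses chatty apps)."""
    return Counter(sql for _, sql in extract_statements(trace_text))


def tables_touched(trace_text: str) -> set:
    """Table names following FROM/JOIN/INTO/UPDATE: the schema you came for."""
    tables = set()
    for _, sql in extract_statements(trace_text):
        tables.update(
            t.upper()
            for t in re.findall(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][\w.]*)", sql, re.I)
        )
    return tables


if __name__ == "__main__":
    for sql, n in statement_counts(SAMPLE_TRACE).most_common():
        print(f"{n:4d}  {sql}")
    print("tables:", ", ".join(sorted(tables_touched(SAMPLE_TRACE))))
```

Point it at a real SQL.LOG by reading the file into `extract_statements`; the table list is usually short enough to hand you the schema in one pass, and the counts show which queries the application fires on every screen refresh.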

Upgrading the 3Shape Trios to support Insane Mode Scanning

Okay.. this ended up being more challenging than I thought it would be. I was asked to upgrade the 3Shape Trios video card to support "Insane Mode" scanning. This new mode of scanning is 3 times faster than the old mode, but requires a new 3Shape Trios that has an NVidia card.





The doc was told he could trade in his current scanner (black and white model) and get a new one (the model that is on the cart) for 13K. This would include the new color scanner that is also smaller, and of course the NVidia graphics card.

The doc instead had me figure it out.. which.. was pretty easy except that the Trios runs Windows Embedded. They have a group policy to prevent Windows Updates from being installed. I figure if they went that far to prevent windows updates from working, it is probably for a reason. It probably breaks stuff.

So I got the Trios apart. Went to the store. Grabbed an "NVidia graphics card".. I started with the NVidia 610 GT.. I got an error that I needed 2GB of RAM. So I got another card.. ATI.. I got an error that I needed Direct X 11.0

So I need DirectX 11 with 2GB of ram on the Video Card. Fine. I got one.

Now Trios the program would just crash... I bought an NVidia 980 GTX.. extra power supply to power it.. Same crash... I went into the programs log file and noticed an error about SlimDX.
http://stackoverflow.com/questions/18933591/slimdx-swapchain-resizebuffers-error

DXGI_ERROR_INVALID_CALL

Enough googling led me to the "Windows 7 Platform Update". Realizing Windows Update has been shut off on this computer, I installed this one update, and the problem was solved. I think this is because the 3Shape Trios version I am using is 2015-1, which means they would have already written a fix for this, especially since they allow people to buy their own laptop and use the 3Shape software and scanner on another computer that DOES get Windows Updates...

Pics:


The reset jumper is next to the cmos battery. Be sure to look at the manual from Fujitsu. Don't go off my word for it, look it up! It is in an odd place. You will also notice the power supply has a spot for extra wires.. Those are 24V. So replacing the power supply.. won't be fun.


We cut out a spot for the video card with a hand piece and a disc.

Will upload a video if the doc can email it to me.. The current plan is to use Drop Box... or drive back to the office. 

The video card we ended up going with is:
NVidia 750 GT (low profile) which worked perfectly!

Having Windows Update disabled without a Virus Scanner is a HIPAA violation? 3shape?



Security Research Continued!!

Thought I would make a quick blog post on some of my security research.


Dexis Imaging Suite 10:
https://www.kb.cert.org/vuls/id/282991
Not much to talk about. It is what it is. The service runs as the SYSTEM account, which means that if you CAN authenticate to the server, you can ALSO create user accounts and do almost anything else you would like.

Dentsply Sirona CDR DICOM (formerly Schicktech):
http://www.kb.cert.org/vuls/id/548399
This one runs as the Network account, so you can't take over the server the way you can when SYSTEM is used, but you CAN use this account to pull files off of file shares.

Open Dental:
https://www.kb.cert.org/vuls/id/619767
This was interesting. I mentioned to CERT that Open Dental uses a blank password for the majority of installations and few people change that password. I didn't think CERT could file it as hard-coded credentials, as most know that Open Dental allows the MySQL database password to be changed, and they have a website with documentation on how to change it. CERT instead classified it as the program using default credentials (root and a blank password for MySQL). This is true. Not sure what will happen, but I am glad that we get to discuss changing the password.

NEW Vulnerabilities I have submitted to CERT:
Planmeca ROMEXIS:
Installation Manuals
https://www.scribd.com/document/209880096/10014600-21-pdf
ftp://ftp.plandent.se/MANUALER/PLANMECA/ROMEXIS/TM_ROMEXIS_10037884_6.pdf

just google "pwr0mex!s" without quotes. Older installations appear to use "pwr0mex1s"

Not sure if they support changing the password.. I would try at an office, but few doctors want me messing with their passwords. I will keep trying; perhaps CERT should ask Planmeca.

Carestream Softdent:
http://www.carestreamdental.com/ImagesFileShare/.sitecore.media_library.Files.Practice_Management.SoftDent.v15.cs_softdent_practice_management_software_installation_guide_for_clientserver_configurations.pdf

That is the manual for setting up a client and server. Search it for the word "password" and you can see the username is ADMIN and the password is ADMIN.

They do not support changing the password.

FTP servers that stored patient data in public (anonymous authentication), which I downloaded, allegedly belonged to these offices (blowing a whistle on the "internet"?):
Timberlea Dental Clinic (Patterson Dental)
Massachusetts General Hospital (Patterson Dental)
Dr. M Stemalschuk (Patterson Dental)
Grand Street Medical
OakView
Doctor's Health Group of South Florida
George Prevas (less than 500, 7 SSN)
Bailey's Crossroads Dental Services
http://filemare.com/en-us/browse/wsip-184-191-212-74.dc.dc.cox.net/shares/Ezdental_backup/DATA/Rsc_dat.dat

POST-RAID
Dr. Ronald Schultz DDS:
https://www.databreaches.net/its-10-pm-somewhere-do-you-know-where-your-old-databases-are/

Total Family Dentistry\Dansville Dental:
54,218 Patients
The latest was from an FTP Server with Acronis Disk Image.
Each archive was 30GB:

Apteryx X-Ray Vision had 38 Patients.

Dentech PMS has 54,218 Patients

WHY DOES THIS SERVER HAVE X-RAY SOFTWARE REGISTERED TO AN OFFICE THAT IS NOT THIS OFFICE???


Random Thoughts about moving to the "CLOUD":
Oh... I have thought more about Cloud vs Traditional Software... and I would like to see the "Cloud" incorporate, at a minimum, two-factor authentication. And I would like to see the ability to encrypt the data on the cloud with a key that the doctor has control over. I don't know of anyone in Dentistry that offers this. So if you read this and think "I should just move to the cloud".. you could still be hacked if someone finds your credentials, and without two-factor it would be EASY for someone to just log in. If the cloud provider gets hacked, what does the Business Associate Agreement say about things like: Who pays the expense of notification? Who will assume the financial burden? On the other side of that coin: if someone breaks into your office, you don't have to worry NEARLY as much as you would with a physical server onsite, stuff like that. Then there is the hybrid cloud, where your server is on the cloud but fully accessible on your office network.

"And Stuff".


How to upgrade an iCAT to use a newer Video Card because the old one was failing


The problem as you can see was the image itself had many image "artifacts" I guess you could call them. The office was told by iCAT that it was a problem with the workstation, and they should buy a new one.  This is a problem because these artifacts are permanently saved into the scan?


I thought it could be something wrong with the iCAT unit\sensor, but my buddy called them and was assured replacing the computer would fix the problem. So.. I figured the N-Vidia graphics card could be failing, and maybe they are using stitching or something extremely graphics intensive.

I noticed there was an NVidia CUDA library file in the Imaging Sciences folder. My buddy was hoping to just throw in a new video card, but it gave an error that the computer did not meet specifications or something.

I read the application log for iCatVisionQ.exe and noticed it didn't like the GPU name and called it quits. The CUDA library is 3.1, which means it only works with NVidia driver 257.21, and that tops out at Geforce GTX 400. So I decided we were going to try CUDA 4.2 and see if we could then use driver 301.32, which supports the GTX 680 Video Card and Windows XP




You are not finished yet! The programmers hard coded the following to make iCat acquire an image:
Driver Version (inf and nv4_mini.sys)
The name of the Video card (you can change that again in the driver inf file)
the Library for CUDA filename and version name must match 3.1

SO!!!
I used Resource Hacker to change the File Version of the cuda library files to match the old version and renamed the filename itself to match the old version. You can see it thinks I have 6.14.11.3010 when I am actually using 6.14.11.4020. I obtained these from the NVidia Cuda GPU\SDK.

Next you have to modify the INF File for the driver:
Changed from 6.14.13.132 to 6.14.12.5712

Change the line to rename the Video Card to a GTX 280 instead of a GTX 680 in the INF File:



Next use Resource Hacker and change the File Version for nv4_mini.sys. You will have to use the expand command to decompress the nv4_mini.sy_ file to change it into nv4_mini.sys and remove nv4_mini.sy_
Changed from 6.14.13.132 to 6.14.12.5712:

Now you may use the new driver you have created to run the NVidia GeForce GTX 680 on the iCat 2012 model. (Note that this only works because 32-bit Windows XP does not enforce kernel-mode driver signing: editing nv4_mini.sys and its INF invalidates NVIDIA's signature, so the same trick will not load on 64-bit Windows Vista and later without disabling signature enforcement.) I tried to alter the XML files in the ICatVision folder, but every time they wouldn't stick, or it would claim my XML was corrupt when it wasn't. hmmmmm

AND YES! The problem with the lines was the VIDEO CARD! We could have found an older card; the application mentioned other cards that were supported, but they are ALL considered OLD, so I wanted something new from the store. And yes, we tested the GTX 280 with the newer CUDA library file and driver, and the same problem persisted with the image. We threw the GTX 680 back in and ALL was well. Reproduced and fixed. Combined with a new solid-state drive, this computer may have YEARS of service left. All the caps look GREAT! Heh.

Things to look for:

Alternative cards that were supported without modifying anything: (OLD)
NVIDIA GeForce GTX 470
NVIDIA GeForce GTX 285
NVIDIA GeForce GTX 280
NVIDIA GeForce 8800 Ultra
NVIDIA GeForce 8800 GTX

Dissecting Dentrix G6.2 Authentication


How does Dentrix G6.2 Authentication work?

I thought since Dentrix G6.2 has arrived I would check out how the Authentication works and more importantly, if there were any vulnerabilities. So let's check it out!



As you can see from the above, they now allow running Dentrix as a Standard User. This is GREAT! Also, they have moved away from a Database GUID to a Database User Password. GREAT!


Can we still read the database with Faircom ACE?

The first thing I did was to see if I could read the Database on another Faircom ACE Server. This was still possible even though the system tables have now been camouflaged and you need the same exact version of the Faircom ACE Server or HIGHER to read this database. So try out Faircom ACE 11.0 if you would like to just read your database files as an alternative method.

How does the new Database Passphrase authentication work?

Each client has to know the database passphrase to connect to the database. This is now saved locally in %ProgramFiles%\Dentrix\dtx.config. This file tells the client what the password is for ADMIN and DTXUSER. When you change the passphrase for the database it also changes the passwords for ADMIN and DTXUSER

How do other companies access the Dentrix Database?


Other companies have to use the Dentrix Developer Program to access the database. At some point of the installation you must run a DTXCreateUser type program that will add a user for the company to talk to the database. As far as I can tell the new USERNAME is RANDOMLY created and the password is hard-coded and added to the G6 database. This information is saved in the Apteryx Config folder in a file called DentrixG6_2_DRL_helper.DAT which is encrypted. So when a client wants to connect it reads this file and then connects.
Apteryx Credentials Example:
Username:AlUiAhPxGmotvvrpXcdDIJIWnfVzsVg
Password:dQaHHxEWO7JxYf4HdEKppyT5bJEswpJVaa0Vp2EWnAYvT2RUBB

I am *pretty* sure the usernames are randomly generated. If they are off of a list, then I think this could be vulnerable to anyone that has the list as the password is pretty easy to find.

So are there any vulnerabilities? Just one. Hard coded credentials for unknown users that can access patient data.


When you install Dentrix there are 4 database users. ADMIN and DTXUSER seem safe from hackers trying to steal patient data from Wifi or a server exposed to the internet. But 2 usernames stand out in this list. DDPUSER has a password that is "DvLprPgM" without quotes. I have seen this password before, I believe in G6.1

I logged in, and DDPUSER could access the patient table without a problem. I reinstalled Dentrix with a different servername and different serial number and different passphrase, and the password remained same. The DPDBACCESS  user has the same level of access and his password is: Xb9jH71t

With Dentrix G6 and G6.1 the hard-coded username and password that can access patient data is:
Username: NSFXNHWAABSZ Password: JH48t7xu


Is the social security number encrypted like Eaglesoft 18?

No. They are plain-text see the screenshot above. Although I did google the hard coded credential for DDPUSER and I never found anything on public ftp servers that stored patient data. So, that is a plus. At least I won't have to worry about the fuzz. (joke)

Are the ADMIN and DTXUSER passwords hard to find?

No. These are of course based off of a Database Passphrase that YOU decide, but let's say you want ODBC access. If your database passphrase is "TESTtest1." without quotes then your passwords are:

ADMIN: mu5MAa959n9w3SK2MnvP0OwbnO7CjmKdRh8Ajv92ZTtEm9c7Ny
DTXUSER: C0w3qb5Hcd3OTFGlzA75sKR6hRfzgyxvMugsBDQBQUSkdaqAS4

Enjoy! ;)


Stop calling everything a "hack"


Nevada state government's website was leaking thousands of social security numbers, and highly sensitive personal data. They said it was a hack. Spoiler alert: It wasn't.


Dentrix Document Center ZED Password Notes

Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life. - Terry Pratchett

The Dentrix "Document Center" stores documents as ZED files since Dentrix G3. The ZED files in Dentrix are AES Encrypted ZIP Files. You can rename the ZED file to ZIP and attempt to extract data, but it wants a password. What is it? How does this work?

Note: I don't mind AES-encrypted zip files, but I like having CONTROL over the password. Especially if the document filenames happen to CHANGE after something like CHKDSK. You could recover the zip files because they have a "magic number" (https://asecuritysite.com/forensics/magic), but without knowing the ORIGINAL filename it would be USELESS to attempt recovery, short of brute-forcing based on the information below. You could come up with the password for EACH document ID and then try them all... that would work.

Don't even get me started on "Faircom Camouflage"... and trying to recover that if all else fails. I did help a guy with a Dentrix Snapshot, and if you ever need the password to that, let me know.

Chalk this up to reasons NOT to encrypt the disk? It makes recovery easier if there aren't backups. Say what you want, but it is true. Now that Dentrix recommends BitLocker, we can fully grasp that perhaps they still rely on Faircom camouflage because..... I have no damn clue. All I know is it makes repairing data corruption MUCH harder if you REALLY had to edit a .dat file yourself, which I did once, and I did a better job than Dentrix did: they provided the office with a 14MB file and I provided the office with a 21MB notes.dat file, although it did take HOURS to fix that with WinHex. I think if the Dentrix developers had to actually work at an office instead of "big brother" corporate making all the decisions, life would be MUCH easier.

Also.. HIPAA?? Let's say I lost these document files, but I don't know the key or algorithm, so I argued it was "encrypted". Probably not a good idea. I wouldn't argue anything is encrypted until you know the algorithm and have a unique key.

First find the document id, then find the password to that document id.


How do you convert a Document Filename to a Document ID?

Example:
DC0000AAT.ZED Document ID is: 3989
AAT=3989

Formula (the post's arithmetic, using the map below):
A = 10 * 10 * 36 = 3600
A = 10 * 36 = 360
T = 29
3600 + 360 + 29 = 3989, so the Document ID is 3989

(Check before relying on this: read as a plain base-36 number with the same map, AAT would be 10*36*36 + 10*36 + 29 = 13349. Both IDs happen to produce the same password below, so this one example cannot tell the two readings apart; confirm the place values against a filename whose Document ID you already know.)

Map:
0=0
1=1
2=2
3=3
4=4
5=5
6=6
7=7
8=8
9=9
A=10
B=11
C=12
D=13
E=14
F=15
G=16
H=17
I=18
J=19
K=20
L=21
M=22
N=23
O=24
P=25
Q=26
R=27
S=28
T=29
U=30
V=31
W=32
X=33
Y=34
Z=35


How do I convert the Document ID to a Password?

Document ID 3989 has the password of: "to look arou9" without quotes.

using System;

namespace ConsoleApplication1
{
    class Program
    {
        // 24 fragments of a passage from Guards! Guards!; the password is one
        // fragment plus one digit. The entry lengths are uneven (e.g. "ompted them",
        // "he edges.") and must be kept exactly as they are: they are the key.
        static readonly string[] PASSWORD_KEYS = {
            "A trickling ", "noise and a ", "strong chemi", "cal smell pr", "ompted them", "to look arou", "nd.  Goodboy", " Bindle Feat", "herstone was", " squatting ", "with an air ", "of sheepish ", "innocence al", "ongside what", " was not so", "much a stain",
            " on the carp", "et as a hole", " in the floo", "r.  A few w", "isps of smok", "e were curli", "ng up from t", "he edges." };

        static void Main(string[] args)
        {
            Console.WriteLine("What is your Document ID?");
            int documentId = Convert.ToInt32(Console.ReadLine());

            // The last decimal digit of the ID becomes the password suffix.
            int num = documentId % 10;

            // The fragment is chosen by the ID modulo 24 (0x18 == PASSWORD_KEYS.Length).
            string str = PASSWORD_KEYS[Math.Abs(documentId % 0x18)];

            // e.g. 3989 -> "to look arou" + "9"
            Console.WriteLine(str + num.ToString());
        }
    }
}

You can compile this and use it yourself, or feel free to try:
http://rextester.com/CSD14604 and replace the documentId integer 1 with your document id number and it will output the password when you run the program online.

PASSWORD_KEYS are based off of Guards! Guards! by Terry Pratchett. Very witty. Please fix this.
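The same scheme in Python, as an added example that is not code from the original post: it decodes a ZED filename to a Document ID, derives the password, and enumerates the complete password dictionary, which is the brute-force space the note above alludes to for ZEDs carved off a disk with their filenames gone. The key table is copied from the post verbatim; the base-36 place values used by the filename decoder are an assumption (the post's own arithmetic for AAT uses a different weight for the third character), flagged in the code.

```python
# Added example, not code from the original post: Dentrix Document Center ZED
# password scheme in Python, plus a filename decoder and the full password
# dictionary for recovering ZEDs whose original filename has been lost.

# The post's key table, copied verbatim. The entries are deliberately uneven
# ("ompted them", "he edges.") and must not be "fixed": they are the key.
PASSWORD_KEYS = [
    "A trickling ", "noise and a ", "strong chemi", "cal smell pr",
    "ompted them", "to look arou", "nd.  Goodboy", " Bindle Feat",
    "herstone was", " squatting ", "with an air ", "of sheepish ",
    "innocence al", "ongside what", " was not so", "much a stain",
    " on the carp", "et as a hole", " in the floo", "r.  A few w",
    "isps of smok", "e were curli", "ng up from t", "he edges.",
]

# The post's filename map: 0-9 then A-Z, 36 symbols.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def password_for(doc_id: int) -> str:
    """Same arithmetic as the post's C#: fragment = id mod 24, suffix = id mod 10."""
    return PASSWORD_KEYS[doc_id % len(PASSWORD_KEYS)] + str(doc_id % 10)


def filename_to_id(filename: str, base: int = 36) -> int:
    """Decode DC0000xxx.ZED to a document ID as a positional base-36 number.

    ASSUMPTION: plain base-36 place values (1, 36, 1296, ... from the right).
    The post's worked example weights the third character by 360 instead and
    arrives at 3989 for AAT, where plain base 36 gives 13349. Both IDs yield
    the same password, so the post's example cannot settle which is right;
    confirm against a filename whose ID you already know before relying on it.
    """
    stem = filename.upper().rsplit(".", 1)[0]
    if not (stem.startswith("DC") and len(stem) == 9):
        raise ValueError(f"not a Document Center filename: {filename}")
    doc_id = 0
    for ch in stem[2:]:  # the seven characters after "DC"; leading zeros add nothing
        doc_id = doc_id * base + ALPHABET.index(ch)
    return doc_id


def password_for_filename(filename: str) -> str:
    """Filename straight to password (subject to the place-value assumption above)."""
    return password_for(filename_to_id(filename))


def all_possible_passwords() -> list:
    """Every password the scheme can ever produce.

    The password depends only on id mod 24 and id mod 10, i.e. on
    id mod lcm(24, 10) = 120, so every ZED in every Dentrix installation opens
    with one of 120 passwords. For a ZED carved out of a disk image with no
    filename, this list is the entire brute-force space.
    """
    return sorted({password_for(i) for i in range(120)})


if __name__ == "__main__":
    print(filename_to_id("DC0000AAT.ZED"), password_for(3989), password_for(13349))
    print(len(all_possible_passwords()), "distinct passwords")
```

Python's standard zipfile module cannot open AES-encrypted (WinZip AE) entries, so feed the password, or the 120-entry list, to 7-Zip or a library such as pyzipper rather than to zipfile.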



I give credit to Dr. William Starck for teaching me how to convert the Document Filename to an ID when he did his OWN conversion for a Dentrix and Vixwin bridged database to an OpenDental and Vixwin bridged database, back when nobody knew how!!! It is similar, except you add ! ^ after Z and it becomes base 41 instead of 36 to deal with the special characters in the filenames.

Shake it off, Why doesn't HHS do its job?



Proverbs 3:30



https://www.bleepingcomputer.com/news/security/fbi-alert-urges-companies-to-secure-ftp-servers/

https://www.databreaches.net/developing-justin-shafer-arrested-charging-with-cyberstalking-fbi-agents-family/

https://motherboard.vice.com/en_us/article/fbi-investigating-security-researcher-for-links-to-dark-overlord-hacking-gang Seems my phone call to the St. Louis FBI fell on deaf ears (I felt like she was an air head anyways), and me sending the Farmington Database to the Dallas FBI on July 1st 2016 had zero effect. TDO told me he is hacking everyone because the FBI "Butt Fisted" me.. his words. The only other insightful thing he told me is that he does security for a living.

https://assets.documentcloud.org/documents/3535241/Shafer-Complaint.pdf (they padded this complaint with TDOHack3r krud)

Accessing an anonymous (public) FTP SERVER is NOT a violation of the CFAA. =)

How about this:
Why does the Office of Civil Rights refuse to investigate GRAND STREET MEDICAL?
https://www.databreaches.net/ny-treasure-trove-of-grand-street-medical-associates-patient-data-exposed-and-indexed/

To add to the confusion the Dallas Office of Civil Rights is investigating Patient's Choice. They told me to keep it on the down low, but not after all this. They had a public FTP Server, I even recorded the IT guy. https://soundcloud.com/justin-shafer/tracks So why does one office refuse to investigate, but another office does investigate?

https://www.scribd.com/document/345133237/OCR001

When will I get my videos of my kids back? When will I get my property back? When will the FBI apologize for the way they have treated me? (NEVER). Maybe attorneys will learn to turn off tracking changes. heh.

I would LOVE to sue Patterson Dental. No, REALLY. Instead I am going to spend my money hiring a very good attorney named Tor Ekeland. It is what it is. 

Not allowed to get on Twitter or Facebook etc. (Anything to get out of jail, right?)  A judge said so. They also said I was a flight risk after turning myself in and then they had the audacity to say I was a threat to society. Riiiiiight. I even get to have 8 mental health evaluations because my Probation Officer said people were afraid I would kill myself! Ha!

Threats:
1. The VAN. A woman drove to my house and laid on the horn until I went outside.. I asked her what she wanted and she told me if I cared about my kids and drove away. (I had just submitted a breach to HHS regarding Williamsport but I used the doctors name and made up a patient count of 2600 (funny, because that was the number they used too, haha), because Dentrix had talked to the doctor and Dentrix told me they were "sure I wasn't the one who uploaded it"... I was too afraid to use my name for fear of retaliation. I thought the van was either Schein or the FBI. (It was the FBI)  http://justinshafer.blogspot.com/2016/01/williamsport-pa-databreach-update.html 

2. Phone call from Nathan Hopp during March 2013. After I went to WNEP about Williamsport, agent Hopp called me to ask me if I was a penetration tester and told me I don't want to get another phone call from the FBI. (I felt threatened by this, and told him I would tell ALL my friends on facebook.. not sure why I said that.. but... yeah)

3. The Patterson Dental RAID: Agent Hopp told me I should move. I gave him a look and he told me.. ."to colorado"...  He repeated this later.. I am pretty sure this is because I used to buy pot from a guy who had PTSD and he kept telling me he would kill me if I was late.. And finally I told him he should move... (after he told me he would meet me at my work, he had seen my website which means my house) I told him I was working with the "government" regarding the FTC and Dentrix and we would "both" be in a lot of trouble. Seemed to work too. =)

4. They beat the shit out of my car during the RAID. A fort worth cop was with me when they made all the racket and knocked over a metal trash can. Now I have dents on my car like they beat it with something and then opened my car door hard enough to put a dent in it, because there are kids toys next to my car, and they didn't bother to move them. 

5. That VAN was parked outside of Colleen's and Matt's (neighbors) house during the Patterson Raid.

Nathan Hopp laughed at me and told me "Man.. Schein really burned you" and I told him it was them who really burned me. This wasn't a threat but just more of his smart ass attitude. When they pulled me out of my house in my boxers the FIRST thing I said was "WOW, This is how you treat people who help protect the American People?" By my count I am up to 500,000 Social Security Numbers.

FBI is shady. Make NO mistake about it. 

Nathan does nothing but threaten people, in my opinion. 

Can't wait to test Dentrix G6.3, maybe they FINALLY got rid of the hard-coded credentials. Maybe one day US-CERT will update their VU#.

Patterson Dental's FTP Server Notes:
https://www.experts-exchange.com/questions/26983588/powershell-ftp-user-creation.html
Tony Elam worked on a PowerShell script that would create a directory for a new user and restrict that directory to just that user. Seems to have worked too.

He wrote it in 2011. That is when most files on the ftp server were created.
http://www.mmnt.net/db/0/0/ftp.eaglesoft.net/Trainers
You can see most of these folders were created in 2011.
So.. these users\folders are SUPPOSED to be Denied access for ALL users EXCEPT for the user that the folder is assigned to.
Except mmnt's older cache reports sometime in 2013 that it was able to cache Eaglesoft.
http://web.archive.org/web/20150412233208/http://www.mmnt.net/db/0/0/ftp.eaglesoft.net
  Server: ftp://ftp.eaglesoft.net
     Total files found: 294,387
     Total  dirs found: 42,297
     Total links found: 0
     Indexed at: Thu Aug  1 06:39:19 2013
Someone could argue that the server was ONLY configured for directory listing and NOT read access..
But the whole point of the powershell script is to prevent even Directory Listing, Let alone Read Access.
Tony Elam got promoted in 2013, and someone else (I bet) started to administer the ftp server at Patterson Dental, and HAD to have RESET the NTFS file permissions, and when they did that, it allowed the ENTIRE WORLD to READ the folders and files on the ENTIRE ftp server.
Case in point: http://www.pdfpump.com/patterson-test/ Pdf pump was able to read a pdf file in a trainer folder.
I attached the trainers.png for you to see otherwise it is still there. I have contacted pdfpump and asked to see if they have a file called MGH Evaluation Reports.pdf that was on the Trainers MGH Dental Group Folder.
I have connected to Tony Elam as well on linked in about 30 minutes ago explaining some of this.. And also commending him on doing a good job on the powershell script. And pdfpump.. and etc.
I see what went wrong. And I feel like I am being blamed. I am hoping maybe they would like to gracefully exit this situation. Also my personal dentist may have downloaded the dental.log file that has the MGH patient data inside.
HARD TO EXPLAIN????
I pray for the FBI, and all the good guys at the Mansfield Federal Holding Facility. They were SOOOOO NICE to me. Specifically a guy named X who helped me appreciate life more; he is a good example for any Christian. God bless you, and thanks for hooking me up with soups when I was hungry. He was right.. I am skinny. =) 6 of em.. and a cup and a bowl. All X did the entire time I was there was pray and read scriptures. He has a full back tattoo that says Crime Pays. Guys like him deserve a second chance.

A great read:

God help all the kids in Dallas County with face tattoos. 

John doesn't believe "Dope Smokers" are on the right path.. I think he may be onto something. You must pick up your cross daily. The narrow gate that few ever find. You have to deny yourself daily.

No comments allowed on this blog post, and blogger is NOT social media. It IS my first amendment right. You can take my facebook and twitter, but you will NOT take away my blog.

Happy Good Friday! When life gives you lemons... Make lemonade.

Hard-coded credentials placing dental offices at risk


Hard-coded credentials placing dental offices at risk

Full Disclosure: CERT has known about the issue in Dentrix for more than a year and has remained silent

Source: CSO



Williamsport PA Databreach Update

Williamsport PA Databreach Update
http://www.databreaches.net/ocr-closes-case-on-lanap-dental-implants-of-pennsylvania-patient-data-breach/

I heard OCR closed their investigation (Thanks Pogo!) into this easy to investigate databreach. I thought I would post my findings into who I think caused the breach, to clear up any final confusion.

I think it COULD have been a bartender down the road who found a USB flash drive in the middle of the road and uploaded it to The Pirate Bay, as someone seems to have previously uploaded their Point Of Sale (POS) software called Plexis. Yesterday I did some detective work of my own, leading me to THINK it may have been a bartender. OR.. it is possible someone dislikes the bartender and is posing as him.

All I did was try to help a town, and for this I was blamed for a breach, and it seems like the government NEVER actually investigated the databreach. Even better, I read that the OCR said the CE has improved their security by upgrading to a higher version of DENTRIX. They might as well just give that credit to me. I truly do not think a thorough investigation was performed, as I never even got a phone call from OCR.... kinda like my last VU# with Dentrix and CERT...

Personally, I want to know when a bar called RumRunnersPub purchased their Plexis software and from whom. I think it could have been around October 2006, though they opened in May of 2006 and purchased from POSGuys.com.

How would I be able to take a wild guess like this????? I have never been to Pennsylvania. I suppose it is possible I just called the bar one day and asked......... But I know I have never done that.........

 I think whoever uploaded the Plexis torrent, uploaded the Dentrix Torrent... maybe there is some correlation between the two uploads? Most of the time nobody has any geographic idea where torrents come from, but I know Dentrix came from Williamsport, PA. The person or piratebay user (zeusgodz) who uploaded the torrent, said around when and where they bought Plexis from.

Perhaps the answer lies in RumRunnersPub.. follow the trail.

In summary: If you are thinking of disclosing a breach, you may have second thoughts after reading this.

Maybe I should have listened to Bangerter\Dentrix:
=====================================================================
From: Bangerter, Howard [mailto:Howard.Bangerter@henryschein.com]
Sent: Monday, September 17, 2012 10:04 AM
To: Justin Shafer
Cc: Roberts, Steve (Utah)
Subject: RE: hmm

Nice catch! Wow.

Whatever you do,  please don’t out the Dr.   Hopefully, he’s already on G5. . .
=====================================================================

If you are unfamiliar with the breach, you can watch the video here:

1. I know that zeusgodz uploaded Dentrix and Plexis POS.
http://thepiratebay.org.ua/user/zeusgodz/
http://thepiratebay.org.ua/torrent/3530941/Plexis%20POS%20Restaurant%202.8.7.5%20Full%20Version%20w/%20Keygen
2. I know a YouTube user called zeusgodz lives near or in Williamsport.
I Googled "Williamsport Zeusgodz".
https://www.youtube.com/user/zeusgodz (read the comments) and he likes the RumRunnersPub.
3. According to JamBase there was a website called ZeusGodz.com in Williamsport
http://www.jambase.com/shows/event.aspx?EventID=1267194
4. ZeusGodz.com redirects to RumRunnersPub in 2011! 
https://web.archive.org/web/20110209085349/http://zeusgodz.com
https://web.archive.org/web/20110209085349/http://rumrunnerspub.com
5. Oh look, is that PLEXIS I SEE??? 
https://www.facebook.com/rumrunnerspub/photos/pb.45551319779.-2207520000.1448129719./332205204779/?type=3&theater
6. IT IS!
http://www.plexispos.com

7. https://whois.domaintools.com/zeusgodz.com
Oddly enough, the WHOIS information changed on 12/02/2013. Zeusgodz76@gmail.com and Jason Pfirman were removed. That is the same day Dave Bohman went around town to do interviews about the data breach. Odd coincidence?
Before that date, the record named him as registrant and as the administrative and technical contact.
8. Possibly attended Williamsport HS, graduating year 1994: 2 names stand out to me, ZeusGodz and Jason Pfirman. They were posted on different dates? Strange. Poser?
http://www.tree52.com/Groups_Class.php?csc=1994&csi=3295&csn=South%20Williamsport%20Area%20Jr.%2FSr.%20H.S
9. Rum Runners is in close proximity to LANAP


10. http://www.fixya.com/users/zeusgodz76 (works with POS and computers)
ZeusGodz76 posted a question about an Epson TM U325D matrix printer:

"This is a POS impact printer with a 25 pin serial connection on the back. I have connected..."

11. Another YouTube account relating to Williamsport and ZeusGodz
https://www.youtube.com/user/zeusgodz76/feed
https://www.youtube.com/user/zeusgodz76/about
"Just some random guy tryin' to survive on this dumb-ass planet, surrounded by a lot of stupid-ass people."
I have felt this way before.


12. Leader of "Team Heretic" Clan
13. At one time (2010) the rumrunnerspub.com WHOIS record used the zeusgodz email as its contact address.

14. Did RumRunnersPub purchase Plexis between 10-15-2006 and 10-21-2006, version 2.8.8.19, from POSGUYS.COM?
From the torrent:
http://thepiratebay.ee/torrent/3530941/Plexis_POS_Restaurant_2.8.7.5_Full_Version_w__Keygen
zeusgodz at 2006-10-21 11:46 CET:
Decided to purchase the software because the newer versions are worth the cost. POSGuys have it for a good price so I went with them. It's not the most perfect program out there, but in my opinion, it's worth it. I guess I'm selling out, but I believe in the software I guess.
https://web.archive.org/web/20061016101822/http://www.plexispos.com/release_notes.asp
RELEASE NOTES
Version 2.8.8.19 Released on 10/15/2006
15. According to Google, this may be Jason Pfirman.

The post about nothing.

Hard-coded credentials placing dental offices at risk

Full Disclosure: CERT has known about the issue in Dentrix for more than a year and has remained silent (CSO)



Dentrix G6.6.. is it secure?

Dentrix G6.6 is pretty dang secure, since I set out to secure Dentrix through the "squeaky wheel" method. It has database usernames called ADMIN and DTXUSER whose passwords are based on a database passphrase that the dentist creates, much like Dentrix G6.2, except these are the only 2 usernames in the database. The database passphrase itself is stored in a file on each workstation, making the passphrase unavailable to an attacker trying to gain access over the internet.

The only issue is the Dentrix Developer Program. Let's say you're Lighthouse 360 and you enrolled in the Dentrix Developer Program to gain database access...

You give Dentrix some $$ and Dentrix gives you an API and some executables. One of these is called DTXCreateUser, and it does what you might think: it creates a database username and password for your application to read and write to the Dentrix database, which is Faircom ACE 10.3.

Lighthouse has no control or say over this username and password. This password is the same for ALL installations that Lighthouse installs for ALL their customers. Let's say I as a dentist decide to leave Lighthouse 360. Guess what? That database username and password is still in the database.

Let's say a hacker who is familiar with dentistry finds a database server exposed to the internet. He could in theory have a list of usernames and passwords from different vendors enrolled in the Dentrix Developer Program, and could try to authenticate from that list. It isn't actually that hard to find an exposed server, since Dentrix uses unique ports for its database service.
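The two problems above, one vendor password baked into every installation and a vendor account that stays behind after the office drops the vendor, as an added audit illustration (my code, not Dentrix, Henry Schein or Lighthouse code). Offices, account names, secrets and the per-site derivation are all constructed for the example; the derivation only shows the shape of a per-installation alternative, not what any product does.

```python
import hashlib
import hmac
from collections import defaultdict

BUILTIN_ACCOUNTS = {"ADMIN", "DTXUSER"}   # the two accounts the post says G6.6 ships with


def fingerprint(secret: str) -> str:
    """Short SHA-256 fingerprint so the audit compares passwords without storing them."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


# Constructed sample data: hypothetical offices, a hypothetical vendor account
# "RECALLVENDOR", and made-up secrets. Every office got the same vendor password.
SHARED_SECRET = "vendor-fixed-secret-demo"
SITES = {
    "office_a": {"ADMIN": fingerprint("passphrase-a-admin"), "RECALLVENDOR": fingerprint(SHARED_SECRET)},
    "office_b": {"ADMIN": fingerprint("passphrase-b-admin"), "RECALLVENDOR": fingerprint(SHARED_SECRET)},
    "office_c": {"ADMIN": fingerprint("passphrase-c-admin"), "RECALLVENDOR": fingerprint(SHARED_SECRET)},
}
# Vendors each office currently contracts with; office_c has already left the vendor.
ACTIVE_VENDORS = {"office_a": {"RECALLVENDOR"}, "office_b": {"RECALLVENDOR"}, "office_c": set()}


def shared_credentials(sites):
    """Map each password fingerprint seen at more than one site to the
    (site, account) pairs using it: one exposed password opens all of them."""
    users = defaultdict(list)
    for site, accounts in sites.items():
        for account, fp in accounts.items():
            users[fp].append((site, account))
    return {fp: sorted(pairs) for fp, pairs in users.items()
            if len({site for site, _ in pairs}) > 1}


def stale_vendor_accounts(sites, active_vendors):
    """Accounts that are neither built-in nor tied to a current vendor:
    the credential left behind after an office drops the vendor."""
    stale = {}
    for site, accounts in sites.items():
        left_over = sorted(a for a in accounts
                           if a not in BUILTIN_ACCOUNTS and a not in active_vendors.get(site, set()))
        if left_over:
            stale[site] = left_over
    return stale


def derive_site_credential(site_passphrase: str, vendor_id: str, site_salt: bytes) -> str:
    """Per-installation alternative (constructed): stretch the office's own passphrase
    with a per-site salt and bind it to the vendor id, so no two offices share a
    secret and rotating the passphrase invalidates every derived vendor credential."""
    key = hashlib.pbkdf2_hmac("sha256", site_passphrase.encode(), site_salt, 100_000)
    return hmac.new(key, vendor_id.encode(), "sha256").hexdigest()


if __name__ == "__main__":
    print("shared across offices:", shared_credentials(SITES))
    print("left behind:", stale_vendor_accounts(SITES, ACTIVE_VENDORS))
    a = derive_site_credential("office a passphrase", "RECALLVENDOR", b"salt-a")
    b = derive_site_credential("office b passphrase", "RECALLVENDOR", b"salt-b")
    print("per-site vendor secrets differ:", a != b)
```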

I did find a server at a Dentrix G4 office that was exposed to the internet this weekend by searching the Shodan search engine. But what can you do about it? You could alert HHS or the FBI, but it is doubtful either agency will do anything about it. It's possible the shares themselves are password protected... I have contacted both agencies in the past about servers exposed to the internet, and have never heard anything back. I am currently not allowed to contact the FBI, but I guess I could try HHS. I have never understood why the government does not do more to protect citizens.


Searching for Dexis 10 databases on Shodan yields 18 databases:
18 databases could be a lot of patients... Feel free to email someone in the government about it. I emailed OCR\HHS and am waiting for a response. I posed a question: why can't the government get a court order to find out whose office each database belongs to, and then contact that dental office to get the database taken off the internet? I will update this blog post if they respond.

Anyways, I am sure the developers at Henry Schein Practice Solutions can think of something better than what is currently being used, so we shall wait and see. I reported this to US-CERT (VU#524021) and they asked me to work with Dentrix, but I explained to them about the FTC and how we have a poor working relationship, and technically I haven't heard anything from Henry Schein Practice Solutions since emailing them... so why not make a blog post about it? Plus my emails to the Schein mail server never arrive to whom I intend to send them. I tried emailing someone in tech support last month over a problem with printing treatment plans and had to use the dental office's email address because my Gmail address didn't go through. Someone at Schein put a filter on my email address a couple of years ago, since the FTC thing happened. Plus they aren't allowed to talk to me... I have a friend that works at Dentrix, so I talked to him about it.

Other people in the dental industry have their own problems, but I decided long ago to make Dentrix my project, and I ALWAYS see my projects to the finish.

I also have a beef with OCR\HHS for not investigating data breaches that I reported to them, but we will save that for another post! These were FTP servers... 1 is being investigated.


Someone had their hard drive stolen!!!

https://www.databreaches.net/nm-dr-zachary-e-adkins-dds-llc-notifies-patients-of-stolen-hard-drive/

The important part is: "The files in the Dentrix backup contained patient names, addresses, phone numbers, dates of birth, Social Security numbers, treatment information, and insurance information. The Dentrix backup is protected within the software through Dentrix's data-masking techniques that use cryptographic technology. It would be accessible only to someone who had the Dentrix software along with Dr. Adkins's unique software serial number and Dr. Adkins's Dentrix username and password."



I would like to say that you can read a Dentrix G6 database without a Dentrix username and password, the Dentrix software, or a Dentrix serial number. Not to be confused with trying to authenticate with a database server exposed on the internet, which I discussed in my last post. And I would wager $100.00 that Henry Schein Practice Solutions told the doctor this information, so I don't fault the doctor. Just like Dr. Meglia... https://www.databreaches.net/dentrix-claims-it-encrypts-their-data-but-does-it/

I won't publicly say how, but you can, and I would say it is pretty easy to do. I had a YouTube video up, but it has been private for almost 2 months. In the video I am able to read a Dentrix database with Faircom 9.0...

With Dentrix G6, I can still do the same method. That is all I will say about that.



If Dentrix told the doctor that more was required: I think the FTC had a stipulation about being fined over their security advertising or any misleading statements. I wonder if this scenario applies...
https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled

Dissent Doe from databreaches.net wrote a Federal Trade Commission complaint while I wrote a statement; you may read it here:
http://www.onsitedentalsystems.com/FTC_HenrySchein_JS.pdf

Henry Schein one of the world's most ethical companies in the world!

MELVILLE, N.Y., Feb. 12, 2018 /PRNewswire/ -- Henry Schein, Inc. (Nasdaq: HSIC) has been recognized by the Ethisphere Institute, a global leader in defining and advancing the standards of ethical business practices, as one of the 2018 World's Most Ethical Companies.

For all you Schein haters out there, take that!
========================================================================
This is the seventh consecutive year that Henry Schein has been recognized and it is the only honoree in the Healthcare Products industry, underscoring the company's commitment to leading with integrity and prioritizing ethical business practices.

In 2018, 135 honorees were recognized, spanning 23 countries and 57 industries. The twelfth class of honorees had record levels of involvement with their stakeholders and their communities around the world. Measuring and improving culture, leading authentically and committing to transparency, diversity and inclusion were all priorities for honorees.

"We at Henry Schein are honored to be named one of the World's Most Ethical Companies for a seventh time and this year's sole honoree in the Healthcare Products industry, as it reinforces our commitment to fulfilling our responsibilities as a corporate citizen by giving back to the professions and communities we serve," said Stanley M. Bergman, Chairman of the Board and Chief Executive Officer of Henry Schein. "Since our founding in 1932, we have pursued the ideal of 'doing well by doing good,' and we remain steadfast in our belief that great success can be achieved by serving the needs of society, holding ourselves to the highest ethical standards, and building our continued success on a foundation of trust and teamwork."

"While the discourse around the world changed profoundly in 2017, a stronger voice emerged. Global corporations operating with a common rule of law are now society's strongest force to improve the human condition. This year we saw companies increasingly finding their voice. The World's Most Ethical Companies in particular continued to show exemplary leadership," explained Ethisphere's CEO, Timothy Erblich. "Henry Schein, in particular, has been a powerful voice in expanding access to health care in underserved communities around the world, and I congratulate Team Schein for being recognized as one of the World's Most Ethical Companies."

Ethics & Performance
Once again, the 2018 World's Most Ethical Companies have proven that operating with integrity leads to greater financial performance. Research has found that, when indexed, listed World's Most Ethical Companies outperformed the U.S. Large Cap Index over five years by 10.72 percent and over three years by 4.88 percent. Ethisphere refers to this as the Ethics Premium.

Methodology & Scoring
The World's Most Ethical Companies assessment is based upon the Ethisphere Institute's Ethics Quotient® (EQ) framework, which offers a quantitative way to assess a company's performance in an objective, consistent and standardized manner. The information collected provides a comprehensive sampling of definitive criteria of core competencies rather than all aspects of corporate governance, risk, sustainability, compliance and ethics.

Scores are generated in five key categories: ethics and compliance program (35 percent), corporate citizenship and responsibility (20 percent), culture of ethics (20 percent), governance (15 percent) and leadership, innovation and reputation (10 percent). All companies that participate in the assessment process receive their scores, providing them with valuable insights into how they stack up against leading organizations.

To keep reading, click here.
https://www.prnewswire.com/news-releases/henry-schein-inc-named-one-of-the-2018-worlds-most-ethical-companies-by-the-ethisphere-institute-for-the-seventh-time-300597014.html

If Dentrix and Eaglesoft and Open Dental were the same price, which one would I get?

My answer is simple. If they were not the same price, Open Dental. If they were the same price... hard to say. The grass is always greener on the other side. I would probably still go with OD. Reasons:
1. Transparent Company
2. Great Tech Support
3. The software rarely needs tech support to fix a bug. (Stable)
4. Open Database Access to build your own reports! (WOOT WOOT!)
http://opendentalsoft.com:1942/ODQueryList/QueryList.aspx

5. More secure than Dentrix and Eaglesoft, but with backend database control
6. Less Expensive
7. No Exclusive Agreements to worry about.
8. Open Source so nobody can buy it and take it away, also you can make your own changes to the program.
http://opendentalsoft.com/forum/viewtopic.php?f=2&t=4892 


http://www.bigideasoft.com/ 

My Oral Surgeon wrote EASy. He was a Dentrix User. I showed him Open Dental.. THAT IS WHAT HE DID WITH IT!!!!!(Makes you wonder why even call me for help if you can write a damn program all by yourself!!!!) haha.. He did a great job on my wife’s exposure. This software records data from a vital sign monitor during surgery. I imagine this is what you would find in a hospital.
=================================================================================

That leaves functionality. I prefer to grow with a good program and watch functionality grow, and be a part of that. We have enough reporting power with OD, etc. Anyone who disagrees IS wrong and probably a bit BIASED. We can do our own queries. We can do anything.

I am a bit biased: After this encryption débâcle.. I personally would feel foolish to have purchased Dentrix!

Notes to get the Open Dental Middle Tier working on Linux

Rough draft notes; I will edit this more:

Setup Mono XSP4 and MySQL with Ubuntu 16.04 and Open Dental 17.4 (no Samba yet)
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
sudo apt-get update
sudo apt-get install mono-devel mono-complete ca-certificates-mono mono-xsp4 unzip
sudo apt-get install mysql-server
sudo ufw allow 3306
sudo ufw allow 9000
sudo service ufw restart
sudo pico /etc/mysql/mysql.conf.d/mysqld.cnf

#Edit the file (on Ubuntu 16.04 it is mysqld.cnf, not mysqld.conf):
#bind-address           = 127.0.0.1
max_allowed_packet      = 40M
sql_mode="NO_AUTO_CREATE_USER"
#Save the file and restart mysql
sudo service mysql restart

#Add mysql access from outside the host
#(test box only: 'root'@'%' with a placeholder password; restrict the host and set a real password before patient data goes on this server)
mysql -uroot -ppassword
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password';
quit

Use SSH and MySQL Workbench to upload the database and OpenDental.
Be SURE Interop.Word.dll and ODCrypt.dll are in the OpenDental bin folder AND you set up OpenDentalServerConfig.xml.

Setup VPN

Start XSP4 by going into the Open Dental directory and typing xsp4, then connect from a client on port 9000 after editing the Amazon EC2 security group to allow port 9000 incoming traffic:
http://<ip address>:9000/ServiceMain.asmx

How should we handle HIPAA? Need to make XSP4 boot automatically, deal with encryption at rest and maybe a VPN for encrypting the traffic.

Notes for a faster Open Dental client:

Line 500 of FormOpenDental.cs:
///<summary></summary>
public FormOpenDental(string[] cla){
//The default SecurityProtocol is "Ssl3|Tls". We must add Tls12 in order to support Tls1.2 web reference handshakes, 
//without breaking any web references using Ssl3 or Tls.
ServicePointManager.SecurityProtocol|=SecurityProtocolType.Tls12;

Added code below:
ServicePointManager.CheckCertificateRevocationList = false;
ServicePointManager.DefaultConnectionLimit = 100000;
ServicePointManager.UseNagleAlgorithm = false;
ServicePointManager.Expect100Continue = false;

I also used this to help tweak the mysql.cnf file:
https://tools.percona.com/wizard


I should have used cp ../ODCrypt.dll . instead of mv, but you get the idea. There is no patient data on this test server, so don't get any ideas.

Dentrix Query for production per zip code

Query to find production\collection per zip code, with a date range and patient status, for someone who wanted to know which zip codes he should advertise to:

SELECT address.zipcode, SUM("amt") AS Collection FROM admin.fullproclog
LEFT JOIN admin.patient ON patient.patid = fullproclog.patid
LEFT JOIN admin.address ON address.addrid = patient.addrid
WHERE "amt"> 0 AND "procdate">= Convert(DATE, '2018-03-10') AND "procdate"<= Convert(DATE, '2018-03-11') /* amt > 0 is Collection amt < 0 is Production */
AND patient.status IN (1,2,3) /* 1 = Active, 2 = Non-Patient, 3 = Inactive */
GROUP BY address.zipcode;



