iPod: Your Portable Corporate Hellraiser
MrAndrews writes "In an article on ZDNet UK, a Gartner analyst says that "Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data." I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
Not to skirt the question, but is this really "absurd overkill?" I'm sure that USB pens/watches/etc have been a boon to corporate espionage. With a USB storage device, you don't have to worry about burning CDs or emailing your stolen information off-site.
Having said that, I do think that some companies need to quit treating their employees like potential criminals. But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space. (thin clients would have gone a long way towards solving this problem, but that's another discussion)
Makes me thankful for my original iPod with its FireWire connectivity only; there are no FireWire ports in this office.
I don't need a compass to tell me which way the wind shines.
Or you could just run a secure network and not have to worry about banning every luxury in the world.
"No coffee near those computers! You might kill the keyboard if you spill it!"
Think nothing is impossible? Try slamming a revolving door.
In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
No, it's just a matter of scale. There are no real legitimate concerns, but every company will balance employee happiness vs. the 1 in 10000 chance something will go horribly wrong with a USB watch, and just ban everything outright.
I work for a casino, and we don't allow our employees to bring in such devices either. I'm sure it still happens, but such policies are important when your customer database is vital to your income.
DeviantArt Page (NSFW)
My father works in the Aerospace industry. He is required to leave his iPAQ at the front door every day.
Is this overkill? Perhaps. But sometimes such heavy-handed policies make sense, especially when it comes to making war.
(I was only an egg, but then I cracked)
Corporate just recently issued 1GB thumb drives to all employees. We find it's easier for the users to back up their own crap and transfer it that way.
Teaching a user about network storage or even using the IrDA file transfer was unsuccessful... yet these dolts took to using the thumb drives like it was second nature.
So now USB storage devices are required and issued to users.
Do not look at laser with remaining good eye.
I used to work at a government defense contractor and this type of policy was standard there. No CD players, no radios, nothing with any type of electronics could be brought in just in case it could somehow be used as a transmitter or to steal data or something. Oddly enough, floppies could be used. Go figure.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
Um, wasn't this the plot of some movie?
Why yes, yes it was.
"If you think you have things under control, you're not going fast enough." --Mario Andretti
I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ...
How is that overkill? Sounds like a common-sense move for a firm that wants to take steps so that sensitive information doesn't just walk out the door. It's not that much different than walking in with a USB CD burner under your arm.
Stop by my site where I write about ERP systems & more
Seems to me the first step should be to disable USB in the BIOS on machines which do not need it, then lock the BIOS....
You mean...the iPod software spreads virii!!! OH MY GOD!
Blar.
Dude,
if you don't understand or agree with this policy, you probably don't belong in the job you are doing, and don't 'get it'.
scary...
-ac
I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day.
That's actually pretty generous if you're actually serious about the information the consultant handled being Top Secret. Even if it isn't, that's a much better alternative (for you) than being "let go" because you continued to wear a prohibited device after being told not to.
!#@%*)anks for hanging up the phone, dear.
Good thing the information of most of the US population isn't on any handheld devices.
Vote for new mod!!! Score:-2,Imbecile
What about other portable drives?
:)
What about USB keychain storage thingies?
What about FLOPPIES?!?
Of course, the whole "malware" argument is only a concern if you're running in an insecure Windows environment... am I being redundant?
Come to the University of Mars! Classes starting soon!
Well, that's a pretty legitimate complaint, especially if you work in a secure building. You can't just be coming in and out with a portable hard drive and copying mechanism every day if you have secret clearance and work on DOD stuff, so it makes sense that other companies would follow suit. Besides, it's not like CD players, tape players, mp3 cd players, radios, live365.com, etc. don't exist! Just like checking your guns before entering a saloon makes sense, so does this. Sure, you might not use it, but if you did, people would sue.
...or are you just glad to see me?
Seriously, the barn door's been open and the horse halfway to Topeka on this one for a while. Who needs an iPod? I've been carrying around virtually my entire business on one of these things for over a year. Sure, take away my music player, phone, key chain, watch, whatever, I'm a big boy and you pay me enough to play along, but at what point short of a strip search and replacing the pink-haired receptionist with a Brinks guard to watch over the stash does this policy become a smidge unwieldy?
(However, I do throw my whole-hearted support behind any policy which confiscates iPods (or sunglasses, for that matter) from any too-cool-for-the-room tool who doesn't stow them shortly after he enters the building...)
Banning personal portable storage devices (iPods, USB, powerful calculators w/ a computer connection, etc.) is pretty much standard (and smart!) practice when either government or industry classified/proprietary information is available. The risks are simply too great... the chance of soldiers dying due to a security violation or a company going under due to industrial espionage greatly trumps your desire to have a silly USB watch on your wrist all the time. If you don't like that reality, then don't take jobs that put you in contact with that sort of information in the first place.
_sig_ is away
>In that case, I know it was absurd overkill ...
:-)
Why do you say that? If they really deal with sensitive (Top Secret - as you put it) information, it sounds justified...
Of course, they should also have disabled USB ports on machines on their network, but keeping the devices out is a good idea also.
A watch is much less conspicuous than a Furby on your wrist.
Is really there for you to stash your usb memory device.
Jon Bardin
*Spoiler on old movie* In The Recruit, http://www.imdb.com/title/tt0292506/, a double agent uses a USB storage device to steal secret plans.
The German c't magazine recently had a short article about disabling the USB storage driver for non-administrator users on Windows 2000 and XP - effectively eliminating the security risk. This policy could be enforced by any system administrator on all desktops. Similar things could be done for Firewire ports and storage devices that attach to it. Basically it works by making the driver non-readable and non-executable for the average Joe Schmoe user logging into the system.
;)
Bring your own USB sticks? No problem. Can't use 'em anymore.
Christian
--- Eat my sig.
That is interesting (that your users were confused by using a network file share, but found the thumb drives intuitive.)
Is it the fact that there is a physical artifact that makes the idea of "your files are going here" easier to map into their worldview? UI Designers Take Note. This might be on the test.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
I was recently stopped when taking an old PII home to do some work. I pointed out that if they were worried about this little PII with a 4Gb hard disk, they should be really worried about the P4 laptop with the 60Gb HDD that I carry back and forth every day.
All kinds of devices, many covert, have ways of storing data. The best way to prevent this is know your employees, get them to sign they won't steal data, and if they do sue them. It's that simple. This is one of those things you can try and fight and never win.
Silly. If they have to ban iPods, they have to ban all other electronic devices too.
You know, I could bypass such security precautions very easily with a USB keyfob and tightly squeezed buttocks....
At one point the corporate machine-support staff tried to set up the following:
The sneaky bastards kept trying to steal my laptop, my PDA and my Nomad Jukebox to do this. I kept catching them and throwing them out of my cube (at one point, literally, as he refused to leave until he had formatted my laptop's hard drive and I had to roll him out in my chair and overturn it in the corridor).
Finally, they stopped that after they did this to a senior VP and erased the PowerPoint presentation he had on his laptop. Heads rolled for THAT little debacle. The funny part was that his machine was already work-provided; he just didn't work in our building, so they didn't know him...
Brazil has decided you're cute.
But they do allow diskettes (friggin' diskettes! Do you know how much customer data you can put on a diskette?). Then I also found out that the "internet-network" (which only internals have access to with an NT username/password) operates simply on DHCP, no MAC address checking: the only "security check" is the NT domain login. Why did I find this out? Simple: these morons allow contractors to have laptops, so I once just plugged it in that network. Worked instantly. Now there is a security concern in my eyes! For crying out loud, I have a Mac; I don't even need a crossover cable to pump over data from my work PC to my Mac. Imagine what kind of data I could take away with that! Nobody ever stopped me at the entrance/exit with my laptop bag. Nobody.
You see, if you want security, you need to ban every device that can be networked somehow. It's that simple. Yes, this includes your iPod. So, I suspect that this is only a great concern in governmental institutions (top-secret clearance), but in the "highly sensitive environment" of banking they don't get it at all.
Hey, I pointed out their flaws and I was told to shut up.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
I carry 40GB in and out of my company every day - no need for USB drives!!
Those in charge of company security should remember that these same employees bringing in iPods are the ones who were issued key cards to get into the building. Companies have no choice but to give their workers the benefit of the doubt.
Si la vida me da palo, yo la voy a soportar Si la vida me da palo, yo la voy a espabilar
But for a regular corporate setting the above action seems more appropriate and pro-active as someone can always sneak a usb device in.
I think it's unreasonable that someone like you is allowed near a facility containing "top secret" information.
You know, if your employees actually CARE about hooking up their iPods or other MP3 players at work, you should be more concerned about what your employees are actually DOING, as opposed to what data could be stolen. My iPod's Library is managed by my home machine, not my work machine, and the only reason I bring it inside is to keep it out of my hot car during the day. I don't even bring a cable that would be compatible.
I'll just burn the site licensed software to CD and take it home that way...
The concern is a real one. Consider someone who's irritated at their job at a weapons design facility, feels they deserve "the best" (but may actually not... You know the type). With these kinds of devices, how can you keep them from taking sensitive documents to countries with more money than research labs.
I just don't know what can be done about it, honestly. When you have USB devices that are shorter, narrower, and thinner than a stick of gum, what can you do? Here's hoping they have some way to block USB storage devices.
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
Most military bases have banned PDAs, USB Flash drives, iPods (and variants), cell phones, and any other device that can be connected to a computer and can store data. Some have even gone as far as removing diskette drives and banning CD-RW and DVD-RW drives on new systems. I have seen incidents where people decided to put classified military data on a flash drive or floppy to take it home to work on it. This happened even after people sign an agreement and go through repeated training sessions where they spell out what will happen if they do something like this.
Corporations are having to deal with this same problem as portable devices can now be used to store data or take pictures that could compromise sensitive data. However, this has always been an issue. A systems administrator could walk out of work with and 4mm or 8mm tape full of sensitive/classified data and no one would know. It boils down to a matter of trust and integrity; do you trust the people who use/administer your systems? Have they shown the integrity in other matters that would indicate they can be trusted with more sensitive matters?
Unfortunately, it only takes one person in a sensitive position to screw it up for everyone else.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
If there is an internet gateway sensitive information can always easily, securely and anonymously escape through there.
Not in some movie - Cringely wrote about seeing a man walk into CompUSA, plug his 1st gen iPod into a Mac there and drag the MS Office folders onto it. The article claimed (I have no idea how true it is/was) that Office will re-establish the system folder items necessary, so this amounted to a perfect and complete copy of the software.
That said, certainly the benign uses outnumber the malicious ones. The question is, if you have other data control policies, do you need to CYA by having this ban so you can respond to suspicious activities decisively? I also think comparisons to more easily concealed USB key devices aren't reasonable - I can't fit a large ACT! database of contacts on one of those, but I can on a 40GB device.
Bad management trumps ideology - Show the world you want better leadership. http://www.timefornewmanagement.com
you know the insider threat is the most likely
Mod Me, Bee-yotch!!!
I have a friend that works for the Department of Defense, and though he wanted an iPod, employees aren't allowed to bring in any device that data could be written to, so he couldn't use it at the main place he'd wanted to.
Question everything
Do corporations outlaw email because someone could smuggle an important corporate document through a simple email attachment? You can put a heck of a lot of info on a single freemail attachment in a text file, and / or use a corporate POP3 mailserver too. Do corporations also outlaw CD-Rs because they could be used to copy important data? Do corporations outlaw floppy discs? And, above all, do corporations give their employees a darned internet connection to begin with? What about the internet itself? If someone is truly paranoid about security, it'd be more effective to plug already existing giant holes in security, and completely strip their employees of all the fundamental tools of the information age. It's hard to prevent the exchange of information on the computer: after all, a computer is a device specifically designed for just that purpose, anyways. If someone goes through all the trouble to smuggle files on an iPod when he could simply PGP encrypt them over email, it would be an act of stupidity anyways. Conclusively, it's a bad idea banning the iPods from offices. -Foo
Because you can't always just assume that a hacker is stealing information every time, it's realistic to assume that someone in your organisation would give away information for the right price.
;)
The malware aspect, though, from my viewpoint is FUD, because (as far as I know) iPods and flash memory sticks don't run software when you plug them in. I could be wrong though. But I know people who have had 200+ spyware apps, and it's never happened to them. 200 isn't that much compared to some, but I've known him a few years, and being the only open source guy he knows should give me some influence. Just remember, the weakest link is always the people.
And, for the record, my friend has now dumped IE and moved to Firefox. It's offtopic I know, but I spent an hour browsing Secunia tonight, and set up a couple of the exploits (IE is vulnerable to all the ones I tried), so I know how easy it is to bring malware onto a Windows box. In short, I'm scared shitless, and anyone who brings in data from a source which hasn't been checked is just asking for trouble. Perhaps if the networks moved to a platform that was less troublesome
It's my opinion though, that you can either trust an employee, or you can't. If you trust someone with the data, you should not worry about their iPod, or not trust them in the first place.
Any device that can store data on it could be the corporate secrets walking out the door. USB watch/keychain, iPod, CD-R... Nobody should be bringing those in or out of a "secure area" without authorization; otherwise those secrets could be headed to the outside world and not so secret anymore.
If I genuinely wanted to steal corporate data from an office computer, I can think of a hundred ways to do it right now from an office of average levels of security, many of them either untraceable or hard to trace. Some involve things like portable storage devices, and some don't. (The simplest simply involves carrying laptop computers in and out of the office). I have three such portable storage devices with me now - digital camera, MP3 player and cell phone.
In most environments, stopping this kind of thing without also shutting down virtually your entire business seems pretty much impossible. (There are some environments where it is clearly necessary, such as the casino and defence situations mentioned by earlier people) but these are situations where every aspect of the business has a higher level of security. In a fairly normal office setting, give me a break.
Just remember, the anus is nature's USB pen storage pocket.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
It seems like a whole lot of extra time & resources to stay on top of portable storage devices people may or may not try to bring in.
If they are so concerned, why don't they simply disable external storage devices in the domain policy ?
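The two administrative fixes proposed in this thread, the c't approach of making the USB storage driver unusable by ordinary users and the "just disable it in the domain policy" suggestion above, can be expressed as a short script. The following is an added example written for this discussion; it is not code from the ZDNet article, from c't, or from Microsoft. It assumes an elevated PowerShell session on a Windows host, the standard USBSTOR service key (HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR) and the standard %SystemRoot%\Inf\usbstor.inf and usbstor.pnf installation files, and it uses the built-in Users group as the identity to restrict (a placeholder choice; substitute your own group). The function names are this example's own.

```powershell
# Added example (not from the article, c't, or Microsoft): audit and restrict
# the USB mass-storage class driver on a Windows host.
#
# Two independent controls are combined, because each alone has a hole:
#   - Service Start = 4 disables usbstor.sys for devices this machine has
#     already installed, but the first plug-in of an unknown device goes
#     through driver installation, which reads usbstor.inf/.pnf.
#   - A Deny ACE on those INF/PNF files blocks that first-time install for
#     non-administrators, but does nothing for devices already known.
# Assumptions: elevated session; standard key and file locations; the group
# 'Users' is a placeholder for the identity you actually want to restrict.

$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbStorFiles = @(
    (Join-Path $env:SystemRoot 'Inf\usbstor.inf'),
    (Join-Path $env:SystemRoot 'Inf\usbstor.pnf')
)

function Get-UsbStorState {
    # Start = 3 (demand start): the driver loads when a device is plugged in.
    # Start = 4 (disabled): Plug and Play gets no driver for the device.
    $start  = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    $denied = foreach ($f in $UsbStorFiles) {
        if (Test-Path $f) {
            (Get-Acl -Path $f).Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { "$f -> $($_.IdentityReference)" }
        }
    }
    [pscustomobject]@{
        StartValue     = $start
        DriverDisabled = ($start -eq 4)
        InfDenyEntries = @($denied)
    }
}

function Disable-UsbStor {
    param([string]$Identity = 'Users')   # placeholder group, see assumptions
    # 1. Stop the class driver from starting for already-installed devices.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    # 2. Deny Read/Execute on the INF/PNF files so an ordinary user cannot
    #    trigger a first-time install; administrators keep their access.
    foreach ($f in $UsbStorFiles) {
        if (-not (Test-Path $f)) { continue }
        $acl  = Get-Acl -Path $f
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'ReadAndExecute', 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $f -AclObject $acl
    }
}

function Enable-UsbStor {
    param([string]$Identity = 'Users')
    # Reverse both steps: demand-start the driver and drop our Deny entries.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
    foreach ($f in $UsbStorFiles) {
        if (-not (Test-Path $f)) { continue }
        $acl = Get-Acl -Path $f
        # .Access returns a snapshot, so removing from $acl while iterating is safe.
        $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and
                           $_.IdentityReference.Value -like "*$Identity" } |
            ForEach-Object { [void]$acl.RemoveAccessRule($_) }
        Set-Acl -Path $f -AclObject $acl
    }
}

# Audit before changing anything; run Disable-UsbStor / Enable-UsbStor explicitly.
Get-UsbStorState
```

Run Get-UsbStorState first to see whether a host is already locked down, then Disable-UsbStor on the machines that should not accept removable storage. Two caveats a practitioner should keep in mind: the registry value alone is enough only for devices the machine has already seen, which is why the ACL step is there, and on Windows Vista and later the same effect is available centrally through Group Policy under Computer Configuration > Administrative Templates > System > Removable Storage Access, which is the "domain policy" route the comment above is asking about. Neither control affects FireWire, network shares, e-mail or the other channels listed elsewhere in this thread, so it closes one door rather than all of them.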
Companies should consider hiring trusted professionals. If you hire quality, professional employees and explain the policy against putting corporate data on personal devices, this should not be a problem.
Believe it or not, most professionals want to do a good job and take pride in their work. If you set reasonable policies and explain them clearly, most will want to follow them.
Do you want to grant someone enough access to your data that they could copy it onto an iPod if you don't trust them to abide by your policies? If they have that kind of access to the data, copying it to an iPod is far from the only or best way to get it out, and you're just adding an inconvenience to your employees' lives without meaningfully increasing your own security. If you believe that banning these devices would help, your problems run much deeper and you should rethink the way you're doing business.
.sig: file not found
its there for small bags of weed
Because any of the software from their Macintoshes won't run on the office Windows network, this isn't a big problem.
Best Buy can have you arrested
How is a USB storage device any different from a floppy? how often does security ask you to leave those at the door? They have just as much of a risk as any other storage device, regardless of whether or not it looks like a pen.
Dephyler
iPods are security risk, warns analyst
Just looking at the title of this article one could assume that the iPod has become such a recognizable personal device that it is reaching commodity level... way to go Apple.
Remember last year, the movie 'The Recruit'? One of its big premises was that a CIA agent was smuggling out data; but they couldn't figure out who was stealing the information, and how. The smuggling device turned out to be a common USB flash drive hidden under a coffee thermos's seal. The USB drive didn't come up in the CIA scans because the drive wasn't active; the inactive drive wasn't giving off any EM for them to detect.
I think USB, IR, and now 802.11 devices and Bluetooth enabled cell phones could be a real concern for data centric firms.
As a side thought, companies may begin to ban cell phones as well. Late last year Slashdot had an article about a cell phone detection device made in Israel. People were leaving modified cell phones in planters. The modified phones would transmit the conversation of anyone in the room for about a week, thus making a cheap spy toy.
You say things that offend me and I can deal with it. Can you?
For some reason yet unknown to me, the instant I finished reading this story, I pictured a company's network administrator hugging his file servers while morphing into Gollum..... *Caresses the file server* ......My precious.......
If you're a consultant, they want your help, so they should let you do what you need to. Even as a security consultant, with the intention to break or steal, you can get a way with a lot.
If they are not letting you in with your watch, I'd say they are security concious enough. But then again, if they give you web access, you can just as easily upload to a webpage. (But at least they'll have a log of that)
I liken this to removing cars from the road and forcing people to take trains because they're safer.
There's a reason there are so many types of media...because people have a need to quickly get data between locations. Let's address the two issues one at a time:
Data theft: If you don't trust the people you hire to be loyal to your company, then either:
a. You shouldn't hire these people
b. You are already aware of the fact that you mistreat your employees and worry about them taking recourse.
Virus/Malware: With a little education and proper software protection, I think any admin will agree that the malware/virus issue can be negated as well.
I think I would be more worried about the RIAA busting me for having "illegally" downloaded music on my network!
This USB drive was in your Daddy's pocket when he was shot down outside the office. He was captured and put in a Boeing prison camp. Now he knew if the suits ever saw the drive it'd be confiscated. The way your Daddy looked at it, that drive was your birthright. And he'd be damned if any dopeheads were gonna put their greasy corporate hands on his boy's birthright. So he hid it in the one place he knew he could hide somethin'. His ass. Five long years, he wore this drive up his ass. Then when he died of dysentery, he gave me the drive. I hid this uncomfortable hunk of plastic up my ass for two years. Then, after seven years, I was sent home to my family. And now, little man, I give the drive to you.
Nokia cellphones [and I'm sure those from other manufacturers] have flash media slots in them that can accept memory at least up to 1GB in size. And with bluetooth connectivity, you could easily transfer data from your machine to cellphone, without even having to have the device in plain view.
Of course, there was nothing stopping you from walking out the door with a laptop, with a 30GB hard drive.
For a start one should have half-decent virus checkers etc., or (a far better solution) make sure your users are well informed about these things. I run a firewall and no anti-virus software and have had 1 virus in 10 years. Prevention is better than cure.
Secondly - My USB key is a godsend. It may 'only' be 128Meg but I can take work home and work on it directly on the key. I always have the most up-to-date docs/code with me. If I couldn't take stuff home it'd take me much longer to do. When one is working in R&D you never quite know when inspiration and a solution will hit you.
Yes - there are hazards but (for me) the benefits massively outweigh them.
Time flies like an arrow. Fruit flies like a banana.
I really don't understand the paranoia about stealing company secrets in relation to USB based devices.
If you have access to a printer, print it and take it with you.
If you have access to pen and paper, write it down and take it with you.
If you have access to email, email somewhere else.
If someone wants to steal secrets, they're going to do so. Yes, I know, it's about minimization of risk, just like there is no such thing as secure, only minimization of risk. But sometimes the paranoia can go too far and frustrate workers.
The first person to hack a believable cig lighter, or ballpoint pen that has a USB drive, will blow their security to hell?
In much the same way as the demise of Napster brought about the end of filesharing, banning iPods from work will wipe out corporate secret stealing. Nobody will ever think to tunnel data through SSH, copy data onto floppies, USB keychain storage devices, portable laptops, or magnetic tape. Surely, nobody will upload information to their Palm or Windows CE handheld devices; nobody will print out data and take it home; nobody will call someone on the telephone and read them data over the phone.
Man, they've sure got all their bases covered!
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
The result? Now everyone walks around with a USB drive to move files around, or they email them to and from gmail, etc. (OR they use their iPods/Dell Pods, SonyPods)
So the system, overall, is a LOT less secure because all the company's assets are kicking around in email and USB thumb drives. But the folks in IT can cluck their tongues and think they did something useful.
Best Buy can have you arrested
I had a similar problem. Boss was curious why I was switching out Compact Flash cards in a reader I brought. I told him I was copying parts of a small ISO of a linux distro I was going to try out at home.
I was asked by corporate security to remove it or have it removed. I turned right around and asked them "Do you give access to the internet in any way, shape or form?" Of course they do. I then cited numerous free email sites and plenty of "X: drive" sites that let you store info centrally on their systems, and also tossed in a bit of AIM/FTP/IRC file transferring as examples. The execs were dumbfounded and had to call a few "heads of IT" and "techies" to confirm what I said.
Of course I was right and anyone in the company with internet access could easily upload any file and they would never see it. I was allowed to keep my CF reader/writer and they left me alone.
If a ban on static memory / portable drives is in place at your company then you have no business with one.
Of course, hiding the devices in highlighter pens and the handle of your coffee mug isn't too hard.
What the ban does is make all possession of these devices improper in the workplace.
What is the maskwork for your new chip worth? What is it worth to a competitor? How do you move the data?
If the two idiots at AOL and Vegas had scammed the userbase this way they might not have been caught.
Nope, the advent of portable RAM drives means that these devices will be used improperly.
OH, on a personal note: only a genuine geek has a USB watch. It will (eventually) wind up in that dresser drawer reserved for the calculator watch, the last 7 cell phones, 5 PDAs, pen cams, dead Montblanc pens, old swag and $200.00 in odd pocket change.
As a consultant I've been asked on many occasions not to bring my iPod into the client's offices while I work on their servers and network systems. I have no problem with it either. The iPod is not alone though. I've been asked to leave my camera phone at the main desk as well, which is frankly annoying, but if that's what the client wants...
Why do overlook and oversee mean opposite things?
the people with photographic memory.
Imagine if someone had a brain memory-enhancing implant (probably not too unlikely in the future).
At GM, they have banned camera phones. They must be left at the security desk. (Hence why Pa1m0ne just released a cameraless Treo 600.)
At Ford, all new workstations will have no floppy drive. All Ford employees with a PC will be issued a USB thumb drive.
If you work for the government or any organisation that does, you already know this. No one is allowed to take any type of transmitting electronics or storage media into or out of secure areas. Even for just "secret" clearances. Gartner has simply stated the obvious (as they often do).
This is a concern though, because it does happen. People can take/steal all sorts of things home with 20Gb of space on an iPod. From proprietary software to maps, purchased software and confidential/customer/business data. If it belongs to the company, that doesn't mean it belongs to you. Employees can also dump all kinds of crap onto company computers. That is how CodeRed got onto our system. Some moron brought his laptop in from home and plugged it in. 20 minutes later 400 computers were infected. Luckily I run Linux and had a good laugh, although it cost our company 400 man days of work.
If you don't like it, switch companies or ask for an exemption. It is the company's right to ban personal items that can cause damage to the company. I sure as hell don't want to lose my job because some numbnuts sold customer data to a competitor and caused my company to fold.
Are you intolerant of intolerant people?
Ok, I can understand the policy on an iPod or any other mass storage device for that matter. Leave it at the front desk; it won't kill you. However, if someone was really hell bent on stealing some files it wouldn't be too hard to conceal a small USB storage device from a casual search or pat down. The only real way to secure the data is on a server in a locked room, giving the users nothing more than a keyboard, mouse and monitor. Ok, if you're feeling generous I guess they can have a CD-ROM.
These people blow my mind...
Hard reset the PDA? Sure! Go ahead...
Then I'll pop the CF card back in and restore the image I made 30 minutes before you did that.
All you need is ONE weak link and all your security goes to hell...
If your PDA will use SD cards it's even better. You can hide those little things anywhere.
Anyways, do they check digital cameras? That little SD card can hold more than photos...
Half assed security is the worst of all worlds, it does nothing and only serves to piss everyone off.
Do not look at laser with remaining good eye.
My company works with the Bureau of Engraving and Printing (the folks who print the bills). The Bureau issues transparent vinyl purses and packs for employees to carry their lunch and belongings. This makes it easier to see whether somebody is walking off with sheets of un-cut currency.
We also worked with the US Mint (the folks who mint the coinage). They told a story about metal detectors tied to biometrics that were so sensitive that when a woman became pregnant, the changes in the metal chemistry of her blood (increased iron, etc...) were enough to have to retake the biometric scan. That one always seemed apocryphal to me (but a very cool concept nonetheless).
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
For better or worse, personal storage is going to increase. Cellphones, watches, iPods, all these things are becoming increasingly necessary to remain competitively productive in the modern world. Companies that don't figure out how to allow employees to use PDAs or cellphones or USB thumbdrives are going to find themselves at a disadvantage relative to companies that allow their employees to discover new ways to increase their productivity.
this first came to mind with laptops. think about how much corporate data is held on them, with the reasoning that whoever owns the laptop will take care of it, even though they aren't as security minded as an IT department would be. this is a great application for the OSX encryption scheme. yes, you can do the same in Linux, but how many corp workers are using either OS?
iPods, usb drives, any of these are also suspect, but I'd worry more about laptops first.
oh, and as I type this I have an ssh-tunnel to my home network that allows me unfettered access to my boxes from home, all outside of any VPN. not the ideal setup, but our IT isn't working with allowing me to access our network with Linux (which is what we run at home), so this is the way for now. plus, I know how to keep it secure, so I'm not the typical example, but again, it should be considered for companies that NEED to keep things secure. DISCLAIMER: my company SHOULD be much better at this, but most of my complaints fall on deaf ears. oh well, at least I know I'm doing (more than) my part.
CBV
free ipod and free gmail!
Ever heard of the thing called a floppy?
In God we trust, all others require data.
You make it out to seem like your corporate security people were in the wrong here. What were YOU doing bringing those items in when it's obviously against your corporate security policy? Remember, you're at work to work, not to screw around with your personal stuff. Leave them at home or in your car until you leave the premises. Security policies exist for a reason, and believe it or not, nowhere in there is "To fuck with M-2's head" written as a reason for it being put into place.
USB / Firewire Devices / Cell Phones with Cameras / etc. etc.
- USB pen drives can quickly and easily store data without a trace and they are small enough to hide just about anywhere. A spammer was arrested in Ireland in an Internet cafe and the man tried to swallow the USB key drive. It contained all the spammer's software and mailing lists.
A PC in a corporate office could be booted up using a USB key drive and literally used to run hacker tools. (well same could be done with a CD-R but that's beside the point). It's faster and easier to slip a USB device into an office situation unless you are going to be frisked and metal detected or body cavity searched.
Hackers have been slipping XBoxes, Sega Dreamcast, etc. into an office and jacking it into the ethernet to perform network analysis and packet sniffing.
- Firewire devices like the iPod have tremendous storage abilities. It truly is a portable hard disk that masquerades as a personal music device. There was an article a while back where the author witnessed a kid waltz into CompUSA with an iPod and the kid jacked it into a PowerMac and stole a complete copy of Office X from the floor model!
- Phones with mini-digital cameras can be used like a 007 James Bond mini camera. A police officer was fired for taking a photo of a naked body in the city morgue with his camera phone.
As technology gets better and better and the costs drop, the spy toys of yesteryear are now in the hands of joe blow.
True corporate espionage is going on every day. These tools make it easier and easier to steal data. Security folks who see the threat and take measures against it are enlightened. However, all security measures can be bypassed one way or another.
I am not even sure if there is a way to restrict USB/Firewire drives from working on a PC as long as it's running Windows. Seriously doubt many companies have thought about these issues.
I do know my company had the opportunity to give everyone a CD burner on their computers. This would have been ideal for user backups. But they cited security as the reason why they did not.
How about companies hire good people they trust.
"No more music on the way into the office?" Buy/Burn CD's :P
Yes, it's not the first time that an Apple device spreads vir*.*...
Trolling using another account since 2005.
Just look at all the bad stuff you can do with an iPod... people really shouldn't be let out of the house with one of these things!
Have iPod, Will Secretly Bootleg
The person that thinks companies and institutions are being paranoid and unrealistic not allowing iPods and USB watches would never think about using these devices to take something not his or that he was not entitled to take/copy.
The person who is responsible for the security of the data is not taking his responsibilities seriously if he makes it easy for the person who would copy the important data to copy and leave with it.
People always seem paranoid and even unreasonable when they are trying to protect something you would never even think of hurting, stealing or destroying. But that does not mean there are not people who would do those things.
In other news... cassette tapes go unnoticed. Evil spies get away with top secret brain research says Robin Cook, smuggled in Fleetwood Mac - Rumours cassette case. The cassette drive was acquired from a retired XT somewhere in the basement.
Or are you just happy to see me?
Oh, for the good olde days of yore of centralized computing with terminals when there wasn't any way to get data into the computer without requesting a tape mount from computing services and the worst thing that happened when users turned their TTYs off in the middle of an operation was someone had to reset the hard copy to the top of the next page of fanfold... yes, those were the days.
$#!^ happens, but why does it always have to happen to me???
If a secure facility is running Windows XP on a Dell box, there isn't a damn thing they can do to keep someone from hooking up a storage device. That's the downside to "helpful" device configuration. For bulletproof security, ditch Microsoft, ditch Dell, make custom builds of everything to eliminate known security holes.
All the machines here have LCD screens and the actual computers locked under the desk so they are inaccessible -except- the management computers (which have CRT screens and the computer is above the desk.) So if anyone is going to be doing corporate espionage, it's going to be those with responsibility of preventing the business from going under. Though fortunately, most everything is run through a thin client or the web browser, so only by downloading through the thin client to the network drive and then from the network drive to your Intentional Portable Office Damage [IPOD] device would you be able to do so.
Though again, the CRM software itself doesn't have much in the way of exporting mass quantities of data without you copy and pasting a bunch of stuff.
are you *seriously* saying guns should be permitted on aircraft? even charlton heston would balk at that, surely?
What ever happened to Jon Katz?
second society
About 6 years ago a software manager I worked with recounted a visit to GCHQ. After the meeting they even took his notes away so they could check on what he had written. Now that's security.
Many of the places I visited whilst working in the defence industry you had to leave your mobile phone etc at the door. A friend of mine had to get permission before he was allowed to bring his MiniDisc player into the building where he worked (info sec classified it as a recording device).
At a previous job, most of the virus infections on the company network were via managers' PDAs. As long as the policy is applied properly, there should not be a problem.
You don't need a lab to make mud.
Storage devices are security threats that should be taken seriously. The best way is not to forbid employees from listening to music but rather
* hide computers away or lock them up so they can't be physically accessed. This should be combined with tight firewalls for outgoing traffic.
or
* make limitations in the software so USB storage devices or FireWire disks simply won't work. Of course users can't have administrative rights.
or
* disallow sensitive information from reaching employees computers. Store things on secure servers.
I'm right now sitting at work at one of the largest corporations in the telecom business and we sure as hell don't have enough security.
Ciryon
A friend of a friend mentioned that when the iPod first came out he saw a student "jammin'" to some tunes while checking out the new Macintosh computers at the University Bookstore.
A closer look revealed that the student had the firewire cable attached to the demo mac and was busily downloading all of the applications on the mac.
Pretty clever though I would never condone such behavior.
Waltz, nymph, for quick jigs vex Bud.
On a more serious note, it comes down to how the corporation treats its employees. Study after study has shown that well-paid, fairly-treated employees protect their employer's interest. Abused employees who work for companies that regard their employees as "resources" to be exploited tend to hate their employer and feel no loyalty at all. Disgruntled employees tend to feel that stealing from their employer or sabotaging them is a form of justice or payback. When your employees feel this way, there is little that can stop them (after all, who can you trust if you can't trust your own people?).
So the lesson here for employers is "Take Care of Your Soldiers and Your Soldiers will take Care of You". Unfortunately, PHBs up at the executive suite never seem to be able to figure that out.
Geez...if you let people install hardware or software on your computer then the computer really isn't yours.
Most corporate policies prohibit non-admins from installing hardware and software for STABILITY reasons. That alone should dictate policy on iPods and other such devices.
-ted
In my first novel, "Shining Star," (released under a Creative Commons license, free download at http://pedrovera.com/media/shiningstar.pdf ) a soon-to-be defector carried a bunch of classified material out of a NOC by using his iPod as a firewire drive. He was one of the NOC techs, so he was expected to be in the equipment rooms messing with hardware.
He would go and swap some tapes, then run a psync from a server into the iPod. He did this a few times and did not get caught.
Pedro
----
The Insomniac Coder
That's why I got the subdermal implant with 16mb flash and bluetooth. Just copy data to my stomach and walk out, search all you want.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I did a security audit for a company that thought it had a problem in one area that video cameras weren't catching. The company was pretty good about restricting boot devices in the BIOS settings. To cut a long story short, found one machine that was otherwise identical to all the others except it had a somewhat newer BIOS revision. That machine also didn't had the wrong BIOS password. Then we noticed the security wire had a second wire taped tightly to it. One end went to the USB header block inside the machine, the other went to the space inside the desk but behind the bottom drawer. I thought that perhaps reflashing the BIOS from floppy had reset the password which then let the user boot from another device for some reason, and he had gone on from there, presumably adding a MSD to the USB cable from time to time. The company didn't want to go any further but was very happy with the result. I don't know what the outcome was other than I got paid, and I don't know why the guy wasn't caught on video, but it shows that there's always someone ready to try something.
I can understand.
It is like banning camera phones from restricted areas.
I have even seen an individual walk in off the street and plug his iPod into a Mac that was on display in a store. A few short minutes later he walked out. I only assume that he quickly copied the entire hard drive over to his iPod. But he could have easily infected it with a worm or spy program.
Another poster got it right: disable USB support in the BIOS and lock each one with a password. If the motherboards don't support that, get some that do (if they're that worried about security). End of discussion.
A company I interned for had a strict no-use of CD-ROM policy (for music or otherwise). To that end, they yanked the IDE cables, pulled the power on the drives. They locked the case, enabled intrusion-detection on it and then locked the BIOS with a password. If they needed to use a workstation's CD-ROM, IT would come over with an IDE cable and set things up. Otherwise, only the daft would bring in their own IDE cables, attempt to pry open the case's lock, foil the intrusion-detection and erase all evidence that they were there. Policy worked extremely well.
And what did this company produce? Kitchen supplies. The hardware/systems administrator was overzealous, but brilliant.
There's a product that lets you set policies about what devices can be attached to computers in your domain. You can lock down all non-necessary ports on your PCs. We turn off USB and firewire ports and only turn them on for specific people on specific PCs. Works like a charm. Sometimes too well!
Securewave Secure NT and Secure EXE
Why is an iPod a tool of theft? Isn't that what CD and DVD burners are for? This reminds me of an asinine policy set forth by one of the departments I support:
"We insist that our staff carry USB hard disks no larger than 32MB. Anything larger will permit unauthorized software to be installed".
WTF? What does the size of the device have to do with anything? Of course, 32MB drives are getting harder to find, and are getting to be more expensive than their 128MB counterparts. Imagine arguing with a distributor that you in fact need 32MB drives, even though it makes way more sense to buy 128MB drives.
Data theft breaks down to this: all data can be stolen. Most businesses have the tools available to walk off with gigs of company data. An employee who wants to take data home can take it, regardless of banning certain devices.
There is no reasonable defense against an idiot with an agenda
:wq
If they were also not connected to the internet AND had a decent security plan then there might be a point.
Could the loss of a few k of data hurt them then, could you bring in a pen and paper? Or did they inspect your note pads on the way out? Were you strip searched on the way out?
Security is a funny thing, if you implement only one aspect then you are harassing for no good reason. If you implement an entire system of good security policy then you are totally harassing everyone but at least you can prove your plan as valid.
heh, heh heh heh, heh
Beavis
I guess we'll have to ban iPods from the stores that sell 'em too.
Assuming they were disabled, I would think in a secure environment you would still want to ban such devices.
http://www.hawknest.com/
And yet all I ever hear is the only secure network is the one that has nothing attached to it.
Regardless, corporate policy is there to protect the corporation from accusations of mismanagement and resulting lawsuits. Of course it can be violated or even flouted, that's not the point.
Say there are two companies where someone walks out of the building with confidential data on their MP3 player. Company A had a policy banning MP3 players and routinely enforced it within their power to do so (but of course they can't frisk everyone!) Company B did not. Say it results in identity theft. The affected customers of both companies sue. Which company has a better defense? Which one is at higher risk of a damage payout? That's what this is all about folks.
In all classified installations I have been to, unless you work there (as opposed to visiting), you have to relinquish all laptops, cameras of any type, PDAs, Blackberries, USB keys and cell phones. (Unfortunately most of the security staff are not trained enough to ask for, recognize and take USB keys, though I wouldn't risk chancing it).
Processing Top Secret (again a classification of information) information, you should have damn near nothing electrical on you.
I work with some guys here who have been around this stuff a while and they say to take it very seriously because there can be VERY big repercussions if something is transferred to the wrong place. You can easily get fired on the spot for security violations. They can also imprison you. More common is accidentally getting secret information on your unclassified computer and having IO take your hard drive for weeks while they check it for classified material.
While I understand the corporate world's concern about data security, banning iPods is overkill. I use my iPod at the office for listening to music while I code. In order to do this, I don't have to have it connected to my office PCs (and, in fact, I don't), so I can't be a threat to corporate data security.
Of course, even if I did connect it, we have anti-virus software deployed throughout our network; one would hope that if I did have a virus on my iPod, our anti-virus software would catch it and kill it.
Also, since I use MacOS X at home and Windows XP here at work, I'm not sure what kind of virus I would be expected to spread between the two environments (Word macro viruses excluded - do they still exist?)...
Don't underestimate the power of The Source
When 1GB thumb drives can be purchased and hidden, this is a policy that basically says "Hey stupid thieves, don't steal our stuff".
Which is great for stupid people, but let's face it, this is a CYA for upper management. It does nothing to address the problem, but it gives these guys a legal figleaf when data does get stolen.
It's a symptom of what's wrong with businesses; everybody's worried about the liability, and not the actual problem.
That one made me smirk. I have a friend who is another computer geek who works for [unnamed government agency with high security clearance]
:-)
He runs a double-proxied ssh tunnel with a command line aim client
Hmmm, I can't decide if it's good or bad that they single out the iPod. At first I was peeved, since unless you rtfa you might think the iPod is evil. But then I thought, has the iPod become the Kleenex of mp3 players?
Almost 97million sold at the iTMS, start buying now to win whatever prize there is when it dings....then start the not so long wait to 98mil...
Of course, when I got my iPod, my first thought was, "Now I can get a bunch of data from companies!" Seriously, folks, most people aren't that desperate to screw you that they would sacrifice precious MP3 space to do it. That said, if you treat people like they're out to get you, they will be. It's all a matter of perspective. Businesses need to realise that their philosophy of screwing the other guy quicker and harder than he can screw you isn't exactly the best business model out there.
This is bullshit. Furthermore, I am of the opinion that Carthage must be destroyed.
what's wrong with point one? you try and connect a laptop that's not 0wned by us and we'll can you: *nothing* connects to our LAN that we haven't built. it could have *anything* on it! c'mon, this is standard practice, for crying out loud!
OK I have gone through this and on a decently set up network that doesn't use USB or FireWire attached storage we disabled the drivers for them. Not too hard; there is an easy technical fix for this without getting draconian looking for data leaving on USB sticks.
Funny they had us do this then allowed all the CD-R drives you wanted because sometimes you just need to give somebody a CD. They also allowed outgoing encrypted SSH sessions and the like, so it's not like you couldn't scp the data out.
No sir I don't like it.
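The "disable the drivers" fix that this post and the earlier list of options (software limitations, no local admin rights) describe, written out as an added example that is not the poster's own configuration. It assumes a Windows host with PowerShell and an elevated session; USBSTOR is the documented service name for the USB mass-storage class driver, while the FireWire storage driver name sbp2port and the helper function names are assumptions.

```powershell
# Added example (not from the thread): disable the Windows USB mass-storage
# class driver by setting its service Start value to 4 (Disabled), then audit
# the state. Assumes Windows, PowerShell and an elevated session.
# USBSTOR is the documented service name (Microsoft KB 823732);
# 'sbp2port' for FireWire SBP-2 storage is an assumption.

$RegBase = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$StorageDrivers = @{
    'USBSTOR'  = 'USB mass-storage class driver'
    'sbp2port' = 'IEEE 1394 (FireWire) SBP-2 storage driver (name assumed)'
}

# Service Start value meaning "Disabled" in the service control manager.
$StartDisabled = 4

function Get-RemovableStorageDriverState {
    # Hypothetical helper: report whether each storage driver is disabled.
    foreach ($name in $StorageDrivers.Keys) {
        $path = "$RegBase\$name"
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Service = $name; Start = $null; Disabled = $null; Note = 'service key not present' }
            continue
        }
        $start = (Get-ItemProperty -Path $path -Name Start -ErrorAction Stop).Start
        [pscustomobject]@{
            Service  = $name
            Start    = $start
            Disabled = ($start -eq $StartDisabled)
            Note     = $StorageDrivers[$name]
        }
    }
}

function Disable-RemovableStorageDriver {
    # Hypothetical helper: Start=4 stops the driver loading for any newly
    # attached device. A device already mounted keeps working until it is
    # removed, so reboot if the state must be unambiguous immediately.
    param([string[]]$Names = @($StorageDrivers.Keys))
    foreach ($name in $Names) {
        $path = "$RegBase\$name"
        if (-not (Test-Path $path)) { Write-Warning "$name : service key not found"; continue }
        Set-ItemProperty -Path $path -Name Start -Value $StartDisabled -Type DWord
    }
}

# Audit, change, audit again. Only administrators can write under
# HKLM\...\Services, which is why this only holds when ordinary users are
# not local admins, as the earlier list of options already requires.
Get-RemovableStorageDriverState | Format-Table -AutoSize
Disable-RemovableStorageDriver
Get-RemovableStorageDriverState | Format-Table -AutoSize
```

On Windows Vista and later the same restriction can be pushed centrally with the "Removable Storage Access" Group Policy settings instead of editing each machine's service keys.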
Hey
I work in India in a major software park. The company in the opposite quadrant is a typical BPO company and they have a LARGE poster stuck outside the entrance - "Please get checked and declare all your belongings at security". Several friends too told of similar rules in their companies.
In short, for BPO firms, the data of their clients is of utmost importance. Even the CEO of the company is required to go through the mandatory check! Internet access is locked down. No CDROM/CDRW/Floppy/USB/Firewire! Even printer access is restricted and fully logged and accounted for!
You can get fired for trying to access an irrelevant site (eg Yahoo briefcase), forget about bringing in that 40GB iPod or your favorite USB key.
Oh yeah, did I tell you that even cameras are forbidden and you'd be handed over to police if you're seen taking a "group picture" with your team mates in the office! A camera phone can send you in for good.
Folks, it's sometimes a business *requirement* not to allow such kind of things. You want to listen to music? Fine, bring along a vanilla walkman/discman/portable MP3 CD player whatever... just leave the fancy gadgets behind and you'll be fine.
Fortunately I work in a company that has fairly open policies and our data is our own, so the rules are less stringent... no CDRW/USB drive, but still very open policies.
- mritunjai
"banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware"
You know what I'm going to say, don't you?
If they are so concerned about malware are they going to ban IE too?
http://www.popularculturegaming.com -- my blog about the culture of videogame players
A portable data storage device.... iPod, USB watch, USB drives, oh and LAPTOPS.
Buster of an idea. Really great.
The next remark is false. The previous remark is true.
At what price security?
It is probably the case that USB devices have been used to bring bad things into corporate networks, and/or sneak confidential things out.
It is certain that telephones, fax machines, photocopiers, portable recordable media and Internet access have been used to achieve similar ends in the past.
The best way to secure a computer is to power it off, encase it in a couple of cubic meters of concrete, and bury it 10 feet underground in an undisclosed location. The best way to secure a network is to power it down and destroy the routers. The best way to secure an office is to not permit anyone in or out.
Since those are not realistic options if we actually want to achieve anything, the best security practices are a series of compromises between theory and practice.
Security practices that are excessively annoying without any corresponding benefits will be subverted as soon as possible.
For example, in the corporation I work for, the people who create security policies do not have any operational experience. In their finite wisdom, they have decided that any telnet/ssh session must automatically expire after 300 seconds (5 minutes) of inactivity. We are the SysAdmins of 100+ UNIX servers, and within a couple of hours, we discovered a couple of ways to subvert this "vital" security measure without actually modifying the configuration files.
They knew about your watch, and made you leave it with security. What about all of the devices that they did not know about?
*** Where are we going? And what's with this handbasket?
My company runs NT4 (= no USB), has disabled webmail and locks / removes floppy drives. However access to /. is unrestricted.
The rest of this message is, erm, for testing purposes:
umop apisdn aw pow f,uop aseald
You have so much training, and know so much that people can't get *anything* past you.
You're so knowledgable that people like me couldn't bypass your entire security and ability to monitor trivially.
My sysadmin is not nearly so self-assured and thus I must watch myself a bit. But with you, my job would be much easier. You could find me so easily that I couldn't possibly get to hotmail and download as much data as I pleased.
You're too powerful for mere users such as myself.
Spend millions of dollars buying new hardware, developing a new OS (or modifying an existing one to meet your needs, basically a new OS), then spend more millions on porting or re-writing all of the software you need to your custom written OS that a dozen or so people in the world can support and work, change the workflow and re-train your thousand or so employees, just so people won't use USB devices.
Spend NO money on a policy saying that you can no longer bring USB devices into work which only affects three employees out of a thousand.
I wonder which one 99.99999% of biz will do?
I follow the SDK and GDN principles.. Spelling Dont Kount, Grammer Dont Neither
written by Quentin Tarantino & Roger Avary
Captain Koons: Hello, little man. Boy, I sure heard a bunch about you. See, I was a good friend of your dad's. We were in that .com pit of hell together over five years. Hopefully...you'll never have to experience this yourself, but when two men are in a situation like me and your Dad were, for as long as we were, you take on certain responsibilities of the other. If it had been me who had not made it, Major Coolidge would be talkin' right now to my son Jim. But the way it turned out is I'm talkin' to you, Butch. I got somethin' for you. .com boom. It was bought in a little general store in Knoxville, Tennessee. Made by the first company to ever make USB drives. Up till then people just carried loads of floppies. It was bought by private Doughboy Erine Coolidge on the day he set sail for Paris. It was your great-grandfather's job drive and he wore it everyday he was in that job. When he had done his duty, he went home to your great-grandmother, took the pendrive off, put it an old coffee can, and in that can it stayed 'til your granddad Dane Coolidge was called upon by his country to go overseas and fight Microsoft once again. This time they called it Browser War II. Your great-grandfather gave this pendrive to your granddad for good luck. Unfortunately, Dane's luck wasn't as good as his old man's. Dane was a Java programmer and he was fired -- along with the other programmers at the battle of .NET. Your granddad was facing death, he knew it. None of those boys had any illusions about ever leavin' that job alive. So three days before Microsoft took the market, your granddad asked an Unix sysadmin of Winocki, a man he had never met before in his life, to deliver to his infant son, who he'd never seen in the flesh, his USB pendrive. Three days later, your granddad was dead. But Winocki kept his word. After the war was over, he paid a visit to your grandmother, delivering to your infant father, his Dad's pendrive. This pendrive. 
(holds it up, long pause) This drive was on your Daddy's pocket when he was caught near Redmond. He was captured, put in a Microsoft campus. He knew if the gooks ever saw the pendrive it'd be confiscated, taken away. The way your Dad looked at it, that pendrive was your birthright. He'd be damned if any slopes were gonna put their greasy yella hands on his boy's birthright. So he hid it in the one place he knew he could hide something. His ass. Five long years, he wore this pendrive up his ass. Then he died of dysentery, he gave me the drive. I hid this uncomfortable hunk of silicon up my ass two years. Then, after seven years, I was sent home to my family. And now, little man, I give the pendrive to you.
(The Captain sits down and pulls a USB flash drive from his pocket)
This pendrive I got here was first purchased by your great-grandfather during the first
Signatures are for stupids.
doesn't always work when the company in question gives users admin rights on their local machine, or does it? I mean, I'm a temp right now, and I've got a desktop with admin privileges on it. My dad works for the same company, and same thing: he has admin rights on his laptop. It allows people to install and choose the software they want to be productive, as long as the format they save to is compatible with other things. And it makes me happier to use Firefox instead of IE on win2k. So as mentioned earlier, it'd have to be disabled in the bios, and lock the bios. But they don't. They trust their employees I guess. Of course, that's one company. Just trying to point out that there is a balance to be found of trust and security policy. Think of someone taking data home to work with, and at home the computer's full of spywares: you end up with a passive information transmission. Not to mention that spywares infest the work environment anyways, the biggest one being in the windows registry at installation! So, for real big security issues, businesses don't use windows, and it won't matter whether you let in ipods or not.
---- I am certain of only one thing : I know nothing else.
Plenty of corporations are having a hard enough time rolling out security patches to the machines on their network using a remote console (ie, can hit all those machines from one location). How likely would it be that they'd *physically* get to *each* machine, change the BIOS to ensure that it disables the USB ports and lock the BIOS?
Even outside of that logistic nightmare, you'd have to remain vigilant for new/old machines.
But even if you do get a draconian policy in place, what stops a spy from cracking open one of the cases and using the little jumper to "reset" the BIOS?
Maybe for ultra-small organizations this would make sense to try and do. But if you're in that small an organization, you have other easier methods of protecting your data.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
What I find amusing, though, is my own employer's sudden discovery of camera-equipped cell phones. Now, every facility has a sign posted at the door saying no cameras are allowed on premises, and my work group, which generates documentation among other things, can't bring in a camera to use for creating illustrations of equipment. (No one has the intestinal fortitude to seek an exemption for this purpose.) Meanwhile, the employees are allowed to come and go with their cell phones, and no one checks the phones, or their bags, or anything else.
Of course, we all underwent background investigations before we were hired, so one might think maybe we could be trusted not to take pictures of sensitive documents, etc. After all, this office has copiers which are unmonitored, where it would be far simpler and less obtrusive to make bootleg copies.
As Bruce Schneier says, some security countermeasures are simply there to provide the illusion of security.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
My company does digital camera chips and firmware. We were bought by a company that had a "no personal storage devices" policy.
Every person's desk has at least one card reader and a drawer full of CompactFlash, SmartMedia and SD cards.
They bought another company that relies on storage cards & moved 'em to the main office so this violation of the employee manual is happening there too, giving the verbal amendment (Director-level people saying "don't worry") to the employment contract more teeth. It would be hard to fire someone for a violation with 20 other violators going free.
Corporate espionage is something that is feared; however, all this really does is inconvenience those who are using these devices legitimately. I would trust that in an organization that has a real security concern, they would have appropriate ACLs in place so that data theft would be limited to what the user already has clearance for.
Now if you have already cleared someone to be viewing and working with such data, you have much bigger problems than fearing them stealing it with a USB device. It's like trusting your employees with your business in their day to day operations but keeping office supplies under lock and key. It just doesn't make sense. If someone is intent on ripping you off, they wouldn't go for the small stuff. Similarly, if your business depends on these people who have access to such "crown jewel" data you'd better hope that you have a good hiring process and that you are keeping your employees happy.
A side rant: so you're all concerned about people with USB devices; yet, you're fine with shipping your data off to some foreign land for outsourcing. Hmmm... If only the world were based on logic!
Or if you are one of the few Linux desktop shops, you could:
1) Not build usb-storage into the kernel.
2) Compile the module (for admin use, if need be). But not load it at boot. Modprobe _is_ an /sbin command, and your users aren't running as root, are they?
This will allow USB devices other than those requiring the usb-storage module to be used. Repeat as necessary for other USB devices . . .
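As an added example (not code from the post above), here is a small POSIX shell script that audits how a kernel build provides usb-storage and writes the modprobe.d fragment that keeps the module available to admins while denying automatic loading. The config file paths and the sample kernel config lines are constructed for illustration; the `install` and `blacklist` directives and `modprobe --ignore-install` are real modprobe features.

```shell
#!/bin/sh
# Added example, not from the original post: audit the usb-storage driver
# in a kernel build and generate the modprobe.d policy the post describes
# (module present for admin use, never loaded automatically).

# usb_storage_mode CONFIG_FILE
# Prints "builtin" if CONFIG_USB_STORAGE=y (step 1 of the post is violated:
# a built-in driver can never be unloaded), "module" if =m, "absent" otherwise.
usb_storage_mode() {
    config="$1"
    if grep -q '^CONFIG_USB_STORAGE=y' "$config"; then
        echo builtin
    elif grep -q '^CONFIG_USB_STORAGE=m' "$config"; then
        echo module
    else
        echo absent
    fi
}

# usb_storage_policy OUTFILE
# Writes a modprobe.d fragment (normally /etc/modprobe.d/usb-storage.conf,
# an assumed path). "install usb-storage /bin/false" makes modprobe run
# /bin/false instead of inserting the module, which also covers the kernel's
# automatic hotplug request when a flash drive is plugged in. "blacklist"
# stops alias-based autoloading. An admin can still load it deliberately:
#   modprobe --ignore-install usb-storage
# Caveat: this governs modprobe only; root can still insmod the .ko
# directly, and a built-in driver (=y) is unaffected by any of it.
usb_storage_policy() {
    cat > "$1" <<'EOF'
# Deny automatic loading of USB mass storage; admins use --ignore-install.
install usb-storage /bin/false
blacklist usb-storage
EOF
}

# usb_storage_loaded: returns 0 if the module is resident right now
# (/proc/modules spells the name with an underscore).
usb_storage_loaded() {
    grep -q '^usb_storage ' /proc/modules 2>/dev/null
}

# Stand-alone use: report on the running kernel if its config is readable.
if [ -r "/boot/config-$(uname -r)" ]; then
    echo "usb-storage in this kernel: $(usb_storage_mode "/boot/config-$(uname -r)")"
    usb_storage_loaded && echo "usb_storage is currently loaded"
fi
```

Run the audit on every kernel you ship; a "builtin" result means the policy fragment is decorative and the kernel itself has to be rebuilt.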
If he is entrusted with the data, he can get it out, no matter how much a security monkey tries to stop him.
When corporate policy is stupid, you ignore it. Otherwise you can't do your job. The people who follow company rules no matter what are usually drones who care more about their retirement than actually doing something.
Where do you fit, I wonder?
If you can read this, you're probably:
So, worrying about data loss through physical media is pretty much a moot point, isn't it??
Weaselmancer
ridiculous.
So did she become pregnant at home or on company property? She could be smuggling data out in the baby's DNA.
Listen up, this is the BIG BOSS typing here.. Listening to your Ipod, playing with your gameboy or connecting your nuts up to the cyber-sucker3Ghotlipsmobiletelephone is NOT, I repeat, NOT part of your job description! Leave the toys at home if you can't bear to let Lenny at the Security Desk check 'em in!
I pay you to work so get on with it, Pronto!
(mindlessly surfing on the Internet, is of course still permitted, so long as you are a senior manager and if you find any good pr0n you email the url to me)
My girlfriend worked at GEMS in Paris. They were not allowed to use any disks in the office, and all internet traffic was monitored (for attachments, mostly).
However, 70% or so of the employees had notebooks they took home on a day to day basis.
Anytime I hear a "this and this equipment is banned" story, I can't help but wonder if the people making that rule are just as clueless.
If they are so scared, they should ban e-mail as well... Attach confidential data and mail it little by little to your home address... No devices needed.. Oh, and remove the fax and telephone too by the way: you could fax or tell secrets to others...
Does not prevent someone from booting up with a Knoppix CD and accessing the network and a USB key.
Alert! A new device, known as a "Briefcase" has been increasing in popularity in the workplace. While useful for ordinary business it brings with it some sinister baggage. This nefarious device serves to conceal a large amount of objects, such as sensitive data and staplers, in a small space, enabling employee theft and espionage. While it's true that file folders have been commonplace in corporate environments for years, this new product threatens to bring unforeseen and catastrophic results. Ban it before your company falls apart and you have to spend the rest of your life living in the street trying to support your starving family.
I do think it makes sense for companies that already employ policies like searching employee belongings and metal detectors to add USB storage devices (and any data storage medium for that matter) to the list of things they check for. If you really needed to bring one in, you could have some sort of approval/checking process. As far as most companies go, I think it makes sense to judge based on whether they seem to be causing problems in the workplace, and if so, banning them or finding some other way to fix the problems. I think it would be a good idea to do virus-checking on insertion of any removable media.
I thought this was a particularly interesting quote:
"Another potential danger is that the devices -- that typically make use of USB and FireWire -- could be used to steal large amounts of company data as they are faster to download to than CDs."
I think they've been watching too many movies. I highly doubt that most downloading of corporate data happens in a down-to-the-second race against corporate security. I think it's much more likely that most data is stolen by those with official access and all the time in the world. And I may be naive, but I think a corporate spy would be able to think of a better way to export data than an iPod.
that's a question, but if you can't trust your employee, how can you perform any work, at all?
Oh yeah, sure, just look for that "Secure NT" button, it's up there next to the "Don't get any virus" and "Never Crash" buttons.
Migrate to Linux
The only way to secure Windows is to switch the power supply to 110v and plug it into 220v. The loud popping noise and flash of light are your confirmation that your Windows system is now secure. (Warning to Windows users and MCSEs, this is sarcasm)
No more music on the way into the office? Don't bring the iPod into the office, or use that radio thing that comes with most cars, unless your place of business confiscates that as well.
You are boasting about your USB watch, so they are scared. It's logical.
When visiting corporate offices, I keep my pda (linux, of course) in my pocket, switched on with proper bluetooth and wifi surveillance tools running.
I have no watch, either. Eh, should I add ", you insensitive clod!" maybe.
If the policies were consistent. For instance, the network was isolated and all programs were run through a proxy to get to the Internet, if allowed at all, no attachments on email, real security on all the data all the way around. It is their data after all.
Only as long as there is no other way to escape the LAN will it make a difference. If someone wants to steal data, they will. In the meantime such a policy serves to alienate the employees, which in turn breeds contempt. They should think of it as a subtle accusation that the employees cannot be trusted, for that is how the employees will see it.
I think you underestimate just how much I just don't care.
If my personal laptop and my personal PDA are in my personal bag, not connected to anything, not even turned on, where do they get off playing with my crap? I don't drive to work, and it's exceedingly inconvenient to go to a LAN party uptown by way of northern NJ, as that means going from NYC to home to NYC again - inefficient.
There is no reason for the IT staff to be searching bags - in fact, going into my bag is a violation of corporate privacy rules. There's no rule against you having the laptop with you, as long as it's not turned on in the office.
Where I am now in Lower Manhattan, I can take it outside and connect to a public hotspot with the wifi card, and no one says anything about it.
And just as a note? The machines were running Windows NT4. You know, the OS that DOESN'T support USB in any configuration? But they gave out floppies if you asked.
The sheer magnificent idiocy of this staggered me.
Brazil has decided you're cute.
anyways, do they check digital cameras? that little SD card can hold more than photos...
One should not forget that cameras also can be used to photograph screenfuls of hexdumps.
Data can also be converted to strobes of light and pulsed out through the Caps Lock LED, into a receiver cunningly hidden in the fabric of one's clothing.
A full body search, including a cavity search should be mandatory at every workplace, at any time an employee enters the premises (including returning from lunch breaks).
Don't forget to check that those eyeballs aren't in fact high-tech camera implants still photographing hexdumps, after the employee left the camera (presumably recovered from a cavity search) at the security checkpoint.
With NT or W2k domain security, it certainly does.
Oh, and just as a note:
Most people brought expensive electronic devices in from their cars. Security was not the best in the area and we had on average two car break-ins a month. Even if I did drive, I wouldn't leave my machine in the car, or it might not be there when I got back.
Brazil has decided you're cute.
Nobody with a perfect photographic memory can ever be anything but the janitor, if that?
Stupid is as stupid does.
During the Sasser outbreak, a few of us IT types in a building full of sales people went desk to desk with patches and virus list updates on our personal USB thumb drives. If our company had an anti-user-data-device policy, they would've lost some serious money that day.
the point is they ALLOW exceptions. and you can't.
if you allow me to bring my PDA, but you will be wiping it before I leave?? what bonehead thought that up? great! give me a way to transfer data, and give me a way of legitimately having it there.
if it's top secret, then NOTHING is allowed in or out, no outside devices connected for ANY reason.
simple. nothing electronic in or out, and your arse is x-rayed/metal detector swept on entry and exit.
if you are going to take security seriously, then you have to do it right.
cripes, companies trying a 1/2 ass attempt need to learn from real high security places and do what they do.
Oh, no second set of rules for the VP's or divisional staff... anal probe them too if you anal probe the janitor.
Usually you're not supposed to be listening to music while working anyway so there's no need to carry your iPod around the office. Just use it on your way to the office and back and put it in your briefcase or backpack while you're at work. That way, you have your music with you (in case you decide to take care of something during lunch) but won't get in trouble.
And, by the way, I have had a USB watch for way over a year now (the old 32MB model) and I've never ever been approached about it. Granted, people know me at my place of employment and generally don't question what I'm doing. However, these watches look so generic that most people would never notice there's a USB connector on it (the silvery part is hidden anyway).
It's true. The installation process for Office on a Mac consists of one step: "Drag this folder to your Applications folder."
As much as I hate to admit it, Microsoft's Mac team is pretty good.
what is it, you can only use some machine to hold thousands of songs that runs firewire underwater with a towed sonar array of wifi blue/green/black tooth command and control interface reverse satellite uplink functionality, OR WHAT? Just in order to hear what is currently passing as music? Phooie. I got a couple combo cassette players with built in radios, small form factor, hang off your belt jobbies,stick an earbud in, the original "portable personal music players". They all still work *fine*..run on these advanced things called "batteries" you can snag at any drugstore or quickstore. Between the two "formats", you can have "music on the way to the office", or in the office for that matter. Work in trains, planes and automobiles due to their exquisite ergonomic design and other folderah.. Carrying a few cassettes is not that hard to do, and you can still make your own copies of cassettes with the tunes/noise racket *you* want to listen to, even mix AND match, or find a station that is "close enough" to your tastes you can struggle by with it. Cassettes make it a lot harder to either steal data or introduce malware, so it's a viable option to satisfy those companies requirements. Remember, the primary reason to be going wherever you are going is "work" not "to be entertained and get paid for it".
This reminds me of the "back in the day" subthread funnies we get all the time, except in this case it's *absolutely* TRUE, BOTH WAYS UPHILL IN A BLIZZARD, WITH BADGERS GNAWING ON US. AND WE LIKED IT!
Kids these days, BAH! Spoiled rotten. They all need to spend a few years working outside doing grunt work for near minimum wage pay, or inside some place like a chicken processing plant or foundry, then MAYBE they will get a better appreciation of high paid cushy jobs, especially the "high paid" and the "cushy" parts of those "jobs".
%^)
The company I work at had all their engineering files stored on the shared server with no security. Anyone could download the files (which would have given them detailed specs for the product we manufactured, not quite enough to generate CAM instructions, but close) and driven a mile down river drive to our biggest competitor's factory and tried to sell them the plans.
I think it might be better now, but I dunno. I work in a different area of the company now.
I worked on a HIPAA compliance project where we had to build the computers so that they had no ability to move information off them onto transportable media. No floppy, CD-RW, USB, serial ports, etc...nothing. My boss was laughing because we basically reinvented the terminal.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
This is one of the good things about working in academia. At my office, we've got no trade secrets, no heinous NDAs, and heck, we don't even have a real firewall (at CMU, the students are more dangerous than any outsiders). As far as appropriate workplace behavior goes, nobody bats an eye if my office is blasting out "Joe's Garage" during business hours.
Yeah, it's less money than when I worked out in industry, by maybe 20% or so. But between the benefits and the environment, well, damn. You ain't gettin' me back out into "the real world" again.
I do agree with you. If data is the primary concern of the company then this is an issue they must be wary of. Of course I suspect before too long we'll see more and more dummy terminals being given to people that cannot burn CDs and have no accessible accessory ports.
Camera phones are a problem too, where images could be taken and sent or saved for later on the phone. Just one of many reasons why I do not want a camera phone. I'd like to be able to take mine with me. It's also the reason that many people I know do not want a camera on their PDA, if it takes photos they can't use it at work to take notes, schedule and do other things.
Presently here, but not there.
The barn door has always been open. Same old problem just a different set of devices. What has changed is the ease, speed and volume of information that can be copied. Think of the fear that was generated in paranoid organizations after the wholesale adoption of photocopiers.
An organization can best deal with the issue by treating their workers with a sense of respect. It will not prevent the employees with criminal intent from stealing information but will inoculate honest workers from feeling a sense of entitlement.
A possible technological fix is to ensure that copying data to/from a removable device is logged. This does not prevent the employee from taking work home but does allow for a system administrator to track where the data is going. However this means nothing unless the logs are reviewed. It is essentially a file-nanny.
It does require a security policy that is appropriate for the organizational goals and for specific departmental goals.
Research is what I am doing when I don't know what I am doing - Werner von Braun
If you start worrying about those kinds of issues, then you've got far worse problems to consider: What about cell phones with cameras? While it's rather easy to prevent all your PCs from accessing USB mass storage devices through the installation of filtering drivers, it's far more effective to make sure that the sensitive data is not accessible in the first place.
technology is the LAST tactic of the bad guys.
it's far easier to just 'hire' away a competitor's expertise with a promotion and a raise.
also, a firm's 'top secret' method usually involves some little known method that has not been litigated; yet.
I'm sitting here in my current contract with my MP3 player/USB filestorage thingamajig next to me. If I was told I couldn't bring it in the building I'd be out of the door too. It's as simple as that.
Bottom line, if you don't like the rules, move elsewhere. If you don't mind taking it up that ass every time you walk into work, then that's OK too.
Bob
Listen to my latest album here
He's not working at a "top secret" installation. He's just not.
Really, the company has all rights to be worried and ban ANYTHING personal at the door.
While you may not be an agent for another company trying to steal secrets, what about the guy behind you in line? Are you sure?
In today's marketplace it's a serious and legit concern. Even to be offered enough $$ to quit your job and take your data with you to the new place...
Back to the music question: Instead of your iPod, why not just bring in CDs?
Many places forbid personal music of any kind anyway.. Even radios.. Be happy if they allow anything...
---- Booth was a patriot ----
It can be absurd overkill. Security is about risk management, and it may be difficult to track every way data can leak out of the corporate network.
Let me give you a number of examples:
1) Uploading files to a number of web sites via https.
2) SSH
3) encrypted, renamed email attachments
4) Get competitive agent hired as janitor. Have them steal the docs in the shredding bins, and say have other agents copy files to floppy disks and, you guessed it, throw them in their personal waste baskets.
Now, theoretically it is possible to go and trace a leak once it has happened via these methods, but is it really? I am not so sure. You see, you have a problem where you are gathering all information about all network traffic in that you have a larger haystack to look through.
Also, number 4 is a real tough one. And I remember Oracle pulling something like this off against Microsoft, so.....
LedgerSMB: Open source Accounting/ERP
The reason? Apparently there was a risk that the CD would shatter in the drive, sending deadly shards of metal/plastic in all directions :-)
:-)
:D
LOL!
Wow you must have been using one of the new 1000x speed CD drives. I wish I could have one
The memo went on to advise us that if we absolutely had to use a CD, we should turn our computers to face the wall (presumably because walls don't sue for workplace injury).
So was there no danger of ricochets then?
Actually, that reminds me of a very old April Fool's computer article describing a new high capacity, high speed hard disk. It had a big diameter and very high RPM. By the end of the article it pointed out that it achieved the phenomenal data transfer rate because the outer rim was exceeding the speed of light.
- connected to the network or not
If my machine is not hooked to their network they have no RIGHT to touch it. You know, employees are not 'property' of the company.
- All PDAs had to be hard-reset before leaving the building unless your manager approved it
This reminds me of the tendency of high school math teachers requiring graphing calculators to be COMPLETELY WIPED before a test, never mind what OTHER programs you might have on there. I elected to just not use my calculator on one test, because I had a program I'd spent quite a while on, and I didn't want to lose it.
Until the company outlaws laptops that people take home, calling an iPod or other portable data device a security risk is absurd.
What more can I add?
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
About 8 years ago I got about a dozen institutions to really thrive on file and print sharing, but that was Novell Netware 3.11/3.12 On the technical side, being rock solid stable and predictable helped. The rest was setting up a good design: I interviewed a handful of experienced but non-technical users about who they work with and how and worked out a good selection of folder names, groups and permissions plus a relevant directory hierarchy. After a short pilot, it took off like wildfire.
Similar experiences with AFS.
The opposite experience was at a place my colleagues consulted for. Even the tech dept. could not transfer an ISO image for me from one workstation to another a lot of the time. I spent a few hours one day talking with the non-IT staff, informally, and found that no one could transfer files or reliably save or retrieve them on the server. After checking many factors, it seemed that their choice of file servers (MS-Windows) just wasn't up to snuff. Most of their file transfers actually occurred via sneakernet.
The majority there feared for their jobs (it was in the middle of a multi-year downsizing and management turf war) too much to complain about anything.
Yes, there might be some of that, but don't discount the importance of having a reliable and easy to use technology with a clearly organized directory structure, groups and sharing permissions.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
The policy described is sane, but dated. While I will be willing to bet that prohibiting iPods might address a specific concern, it's likely that there exist dozens of other avenues to obtain and then store or transmit "sensitive" information. After all, as an employee, you are likely privy to all sorts of information that could be valuable and captured in some fashion (even if it's by jotting some access keys onto post-it notes).
The problem is that we are asymptotically approaching the point where information stored is information public. Devices for storing and transmitting information are becoming more powerful, cheaper, easier to use, and less intrusive (think an optical microphone where you can listen to a conversation in a building from across the street).
What would we do if we suddenly all became telepathic and read each other's thoughts? What would we do if all the world's data was on the Internet, available to anyone that knew where to look for it? The latter is rapidly evolving into the truth -- think where we were only 10 years ago.
A security procedure that depends on stopping the importation of information gathering devices is one that's woefully incomplete (and basically useless if you want to stop someone malicious). It may reduce the amount of "stupidity-based" data dispersion, but that's all.
The key is to not keep secrets. If you have to keep secrets, don't rely on machines to do it -- if a machine can transmit or display it, someone else can receive it or see it. If you keep secrets, you better not let anyone see them or touch them. One person with an eidetic memory is a greater liability than any mechanical recording device.
Security must always be judged on a scale. How sensitive is your information against what you are willing to pay to keep it secret. Even naked people working in a plexiglass room could figure out a way to work the system.
Another solution for smuggling a thumb drive into a secure area. Slip a thumb drive into a pocket in a steel toed boot. The steel should block any x-ray detection of the device. Kick your shoes off while you work and deftly slip the device into the back of the PC with your toes (not visible on most security cameras). Spray on a little extra 'foot funk' if you think that they are on to you and wanting to check your shoes.
Another thought, most new machines (with unlocked BIOSes) can boot a USB device. Now rather than trying to sneak your HackMaster 7000 past security, you can load all your apps on your USB key, boot up and hack away on your employer's machine.
SD
"Who knew something as harmless as willful ignorance could end up having real consequences?"
Our $OUTSOURCED developers are all but strip-searched each day. Also, we don't allow them to see any code. Sure, they can't do any work, but oh boy are they cheap.
If you haven't worked in Dilbert land, you may think I am joking. Oh, how I wish that I was. It's laughable; if they really want to swipe things, they could stick a flash reader in their sock. We can't stop them. But what's important is that we've shown that we don't trust them. That's the kind of lesson that really sinks in.
If you were blocking sigs, you wouldn't have to read this.
Really? With physical access to the hardware I don't see how having any flavour of NT installed would make much difference. If you can press reset or unplug and replug the power cable, (you'll need to be able to do this anyway if you're running Windows ;) you can get back to the BIOS. You'd need to have a BIOS password on each machine to prevent boot-from-cd. Nothing to do with NT domain security.
"Pokey, are you drunk on love?" "Yes. Also whiskey. But mostly love... and whiskey."
Let's put the iPod into perspective: one of the researchers (the name escapes me), who was working on the human genome project, used an iPod to carry around the genome. He found the iPod data transfer was faster than using the network to download the data. If it can carry the human genome, it certainly could carry out a huge amount of corporate (or government) data.
Your list should include:
The ideal uniform for employees would look like this.
Sanitation presents special problems because janitors must carry large amounts of material around. The trash should be searched daily by trained and trusted ninja weasels.
Or, you could determine what information is important and make safeguarding it a specific responsibility of a specific person who is trained in how to protect the information. That training used to say that the information should be kept under lock and key. Today, that training should include keeping that information off networked M$ PCs and keeping PCs with sensitive information on them under lock and key. If other people have to work on those PCs, they should be supervised by a person with a clue. That way, anyone can bring anything into your building and you don't have to perform strip searches and the like.
Friends don't help friends install M$ junk.
I have a photographic memory. When working on military projects, I have to leave it at home.
In my office it is much more likely that bad things enter through usb cards, floppy discs, cd-roms, or even my laptop that I take home every night.
They banned USB drives, but made it impossible to transfer files without them. They banned visiting external webmail because IE was filled with security glitches, but they refused to consider using anything but IE. I began to view them as kind of stupid. It was so unpleasant to work there that I went to another job. And I'm getting paid more too!
The cup is scanned at one point in the movie. Nothing shows up on the scanners. I think you need to rewatch it.
Celebrate the finer things in life
If you can't bring in your USB watch, how about my bluetooth cell phone? Okay, bluetooth technology isn't as common as USB, but my phone can hold a gigabyte of data. Plus, it has a camera, so I can take pictures of secured areas.
How can your office stop someone from bringing in their cell phone? Or a USB key on their keychain? Or their PDA?
I'd hate to be responsible for corporate data security now with all of these devices floating around. Someone could discreetly download a lot of data onto their key chain. Heck, it is even easier with my bluetooth phone. I don't even need a wired connection, just be within 15 feet of my PC. I don't even have to be near my PC in order to download data.
A few years ago, I worked for a large financial corporation when someone stole the HR database and sold it to identity thieves. Hundreds of us "highly compensated" employees suddenly discovered that someone was using our identity to buy electronic hardware, get bank loans, etc.
It took me five months to clean up the mess, and I was lucky. I found out about it the very day it happened because one of the stores that gave this guy instant credit called me to verify if I had just applied for credit.
Still, in a twelve hour period, that person went to over 3 dozen different stores from Atlantic City to Philadelphia getting instant credit and buying over $200,000 of goodies. I could literally figure out which roads he took by looking at the various times he hit the stores and applied for credit.
Other people weren't so lucky because they didn't find out about it until either a collection agent called, or they were denied credit because of this attack.
And who was the person who gave the information to the thief? Heck, it could have been almost any lowly paid clerk in HR. If you're only making $30,000 per year, someone offers you $100K or so for this kind of information, and you know the likelihood of you getting caught is almost nil, what would you do?
Millions of employees with access to valuable data, and hundreds of ways to get around corporate security. Maybe 99.99% of your employees are dedicated, hardworking, and honest, but it's the other .01 percent that will destroy you.
Or you could just use a product designed for enterprise scale management of floppy drives, USB, or whatever.. like Securewave. It makes life so so easy and you never have to worry about what devices the users are bringing in because they won't be able to use them unless you say it's ok :)
You're exactly right, in that most businesses will take the easy route and ban USB devices because what they are going for is an illusion of security. What happens when an employee breaks the rule? Sure, you can fire him, but the damage will have been done already. Having a good policy is important, but when you rely on the honesty of dishonest people as your security policy, what you have is an illusion of security. In reality, you are wide open.
"So Bill, why did your top two engineers miss the meeting this morning with our most important client?"
"They forgot all about the meeting, said they put it in their PDA last week before the ban on them. Then they wrote it on their calendar but it just slipped. That's been happening a lot lately..."
I do not understand why you should not be able to carry USB or firewire devices to the office. All the IT department needs to do is disable ordinary user access for installing these devices.
e.g. for Windows XP and USB flash media:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
Without a doubt, there is a similar solution for unix-flavours.
That also eliminates the need to harass your employees about their personal belongings.
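The two controls that KB 823732 describes, as an added example that is not part of the original post: it audits a Windows client and, with -Enforce, applies the settings. It assumes an elevated PowerShell session and that ordinary users are members of the local Users group (both assumptions, not from the page).

```powershell
# Added example (not from the original post): audit and, with -Enforce, apply the
# two controls from Microsoft KB 823732 for blocking USB mass storage on a
# Windows client. Assumes it is run from an elevated (Administrator) PowerShell.
param(
    [switch]$Enforce,
    [string]$DenyGroup = 'Users'   # assumption: ordinary users are in the local Users group
)

$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$infFiles   = @("$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf")

# Control 1: the USB storage driver service. Start = 4 means "disabled", so a
# device that has already been installed on this machine will no longer mount.
$start = (Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction SilentlyContinue).Start
if ($null -eq $start) {
    Write-Output "USBSTOR service key not present (driver never installed)"
} elseif ($start -eq 4) {
    Write-Output "USBSTOR service: disabled (Start=4)"
} else {
    Write-Output "USBSTOR service: enabled (Start=$start)"
    if ($Enforce) {
        Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
        Write-Output "  -> set Start=4"
    }
}

# Control 2: deny ordinary users access to the driver's setup files, so a USB
# storage device this machine has not seen before cannot be installed by them.
foreach ($f in $infFiles) {
    if (-not (Test-Path $f)) { Write-Output "$f not found"; continue }
    $acl = Get-Acl -Path $f
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like "*\$DenyGroup"
    }
    if ($denied) {
        Write-Output "$f : Deny ACE for $DenyGroup present"
    } else {
        Write-Output "$f : no Deny ACE for $DenyGroup"
        if ($Enforce) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $DenyGroup, 'FullControl', 'Deny')
            $acl.AddAccessRule($rule)
            Set-Acl -Path $f -AclObject $acl
            Write-Output "  -> Deny ACE added"
        }
    }
}
```

Neither control binds a user who holds local administrator rights or who can boot the machine from other media, which is why the thread's other posts pair it with BIOS and physical measures.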
correct me if I'm wrong
I work for a rather large corporation as a contractor and received a rather pointed email from someone else in the department to the effect of "I have a pen drive here for you to keep you from using personal equipment for "Company" purposes," accompanied by the person (who is not my supervisor) walking in and telling me "you know you can't copy anything and take it home, right?" This is after 14 months on the job. This is even after I saved corporate data on users' desktops with a utility stored on same. The long and the short of it is this. The only thing that gets copied to and from my personal pen drive and company property is my favorites as they represent a technical resource that I utilize at work. In this case, it works as the synchronization middleman for a technical resource. No different than bringing a reference book to work, which I also have done. On extremely rare occasion I bring no-footprint-no-install tools from home to get jobs done for which no corporate authorized tool is available. On even more rare occasions I have hacked out a quick note or spreadsheet and dumped it to the drive. There are corporate policies about not using resources for personal use but virtually everyone does it in some manner - it is better to drop it on the drive than my corporately owned property. Give us what we need to do our jobs and we won't be having to walk in with our toolkits or devices that arouse suspicion.
If a company has not identified, segregated and locked up what it considers sensitive data, none of the other steps will work. If they have, none of the other steps are needed. This is the first step to be taken in real security.
Most of the stories I'm reading here sound like big dumb company M$ hell. Network storage that does not work and networks designed around M$ flaws by idiots. There are so many superior alternatives available with free software. When you are root, not MickeySoft, you can secure your desktops and your networks and not have to worry about people doing things they should not.
Friends don't help friends install M$ junk.
I fail to see how this guy's insertion of the ever-quippy "M$" thing has anything to do with the topic at hand. Please mod him down.
or modify the USB storage module to require the root password before mounting a USB drive.
Snowden and Manning are heroes.
This is probably expected at any sort of secure military or defense contracting site.
I remember helping my father burn a CD full of MP3s once so he'd have something to listen to in the secure section where he worked. No portable radios or music players were allowed, no PDAs, no portable storage devices, nothing. The systems didn't have floppy drives or recordable CD drives and (obviously) weren't on the internet. I think that's just standard operating procedure.
For the private sector, depends on the paranoia level I guess. You could fit a lot of data on a 40GB iPod... =)
You just rip out or damage the USB-ports, like you do with the floppy-drives. Glue or drill can be used.
All research centers that I know have this done somehow. Carrying a camera means you are fired immediately.
I fail to see how this guy's insertion of the ever-quippy "M$" thing has anything to do with the topic at hand.
M$'s idiotic networking and desktop security models make "stealing" data easy. You don't even have to walk into a building to get data from a company that uses IE and Outlook. Other problems, such as network storage being unreliable, force people to use floppies and pen drives to do their job. Companies that use software like that are usually too stupid to have determined what data is important and what is not. What a nightmare. All of their security precautions are nothing more than an inconvenience to legitimate users.
You can actually do some of the proper work even if you are encumbered by M$. It is possible to keep real sensitive information on non networked PCs that are locked up and guarded by specific people. It's sort of in between paper systems and reasonable digital systems, but it can work. Thin clients with terminal services can help too, but you still have to worry about your servers working and not being rooted by the latest "I Love You" auto root.
Friends don't help friends install M$ junk.
If your stuff is that secure, then why do you not implement some sort of key system that will only let you into a file (even a local file) if you're connected to the company network? I mean, yeah, with time, that file could be decrypted, but it would take time.
Banning things like USB drives and PDAs and MP3 players just piss your employees off. If you really want to be secure, just have everything open (now let me explain). Usually when things are wide open, people don't try to cover their tracks as much and then WHAM. You got them. Passive monitoring of the data and looking for people that look like they are trying to hide something in an open environment will usually clue you in on the one who is the leak. Also, don't just hire warm bodies. Make sure that the people you hire are good people. One place I applied for had me take the Myers-Briggs for a RETAIL job. They were looking for personality types that may be more likely for thieving. Do background checks (credit checks don't tell you much...unless they have horrendously BAD credit as in they have had 2 or 3 bankruptcies.)
Gorkman
I don't think the restrictions are off base if your business really does depend on keeping information secret. But, realistically, a determined spy is still likely to get the info, so depending on how policy is implemented, it could turn loyal employees into disgruntled workers who will no longer care about keeping company secrets.
The underlying truth is that information is universal. If you thought of something, then there is no reason that someone else couldn't have thought of the same thing, or won't think of it in the future. That being the case, it would pay to plan for that day when your secrets are no longer secret. In the financial information game in particular, the money is made in that little gap of time before the rest of world learns what you already know. When that happens, it's time to learn/create something new. If companies don't plan for this, they'll die.
To the making of books there is no end, so let's get started
...as Israel has trouble with suicide bombers in public, in areas that the military is guarding. We have the same problem in Iraq right now.
The person committed to a mission, for whatever reason, will have figured out what they're willing to risk to complete that mission. Frequently people will actually risk more than initially reasoned, if they see the goal. So while there are cameras, and while there are people monitoring devices brought in and out on an "official" basis, it's not hard to get stuff in and out of otherwise "secure" areas unless they are willing to literally strip search and body cavity search someone. As for espionage, if another company is paying someone enough, I doubt that the person being paid would balk at a "sign this form" or a "routine inspection" when they could hide the device in a shoe, or behind a belt, or in underwear, or any other number of places.
That being said, if a company has a policy to allow any of these memory devices then people are used to seeing them in cubicles and accept them as legitimate. If a company doesn't accept them, then if someone is seen with one at all they're subject to search. Period. End of discussion. This would help to catch a perpetrator, as there is no real deterrent.
Do not look into laser with remaining eye.
Are they going to also ban all wi-fi capable devices in case someone sets up a mobile access point right outside your facility?
EMPLOYEES. You know, those sneaky stealing bastards may remember something and simply re-type it at home if they want. I personally know a couple of folks who can memorize 3-4 pages of text (not just plain text, but with formulas, diagrams, etc.) by simply reading them once.
"this may not be "my network," but it sure as shit isn't yours, either"
yes it is. I'm responsible for it, so I will assume it is mine until I leave. You think the CEO gives a shit about the network? Hell no. So as long as I'm responsible for it, it's mine.
"Keep your users happy, keep them informed"
Users don't give a shit about being informed. Most of them don't even read emails you send out. How many times do you get phone calls in the middle of planned downtime asking to get access to the network.
get real. Users are like cattle. Dumb, but easy to trick
>users were confused by using a network file share, but found the thumb drives intuitive.
I have noticed this around here. Most workstations have one network share mapped as g:\. It maps a different share for different people in different departments. For most users, it is impossible to explain the reality of that share. They can't understand that it is physically located in another building as a directory on a drive in another machine. If you remapped it as Q:\, they would twitch for days. Thumb drives are instantly understandable as "really big floppy disks" or, as I think of them, really effective virus vectors.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
I have never seen operational USB ports in a corporate environment.
This isn't going to prevent anybody who actually wants to steal data from doing so. It just insults most workers with iPod, and the like. Just like gun control; when they finally ban guns, the only people who will have them are criminals.
Confused User: Hello, is that support? I'd like to have a file restored from backup.
Support: Could you give us the name, date and size of the file?
Confused User: Yes, it's called "customeraccounts.dat" and is around 20 Gigabytes in size.
It seems to have disappeared overnight.
Support: Oh that file? Yes, it was breaking our backup process, so we deleted it.
You do have it on backup, don't you?
Confused user: That was our backup copy.
The .223 has been gaining popularity with LE over the years due to the development of frangible bullets - they still pack enough kinetic energy to slice through body armor, which is one of the primary reasons for choosing a 5.56 instead of a 9mm, but once the bullet hits a 'resistant' material like flesh or a wall, it disintegrates into small, harmless pieces. Anecdotal evidence from tactical entry situations that even NATO M855 ball ammo (62gr steel-core) doesn't tend to overpenetrate - the bullet is traveling so fast and is so hydrodynamically unstable that it tumbles and snaps in two after about 10cm of travel through flesh.
Now, in Europe (or at least Geneva), where the army d00dz have H&K 7.62mm battle rifles, the overpenetration issue is legitimate - a 168gr 308 bullet will blow right through a man like a hot knife through butter.
Facts do not cease to exist because they are ignored. - Aldous Huxley
You can hide a lot of information between in your music.
In Soviet Washington the swamp drains you.
and be done with it.
The real issue is does the system environment match the requirements to the job in hand?
E.g. In a bank, do employees really need to be using commodity PCs with all the bells and whistles of a commodity OS.
Are the systems people really up to the job of securing the data with foolproof access restrictions and policies?
Are the applications from vendors truly matched to the necessary security requirements, i.e. think of apps that only work properly over network shares exposing data which should really be using a client/server model or terminal/server model.
This all costs time and money and too many companies are cutting corners.
A login name and password to do the task in hand and nothing more should be all that is required.
Security costs but no security costs even more.
As people learn to augment their abilities using computational devices of increasingly greater power and smaller size, corporations will have the choice of either having full powered employees or having their abilities and knowledge toned down to attempt to satisfy company paranoia. What no one seems to get yet is that we are fast approaching a time when it must be assumed that everyone has the equivalent of an eidetic memory in full fidelity for everything they are ever present to. I think we need to work with this instead of attempting to fight it.
For years floppies have been used, what's so different about iPods? If they're worrying about stuff getting on their network they'll need to also ban: floppies, CDs, the internet, windows (or at least IE)
Some of those are much more practical than an iPod or a watch.
For stealing data, e-mail always works, it may be scanned but encrypt it and the scanner won't be able to see what it is. Floppies, CDs, they can both be used, and they aren't much harder or easier. Data is never secure and never will be, that's the nature of anything that can change state so easily.
Also, if you really don't trust employees that much, don't hire them.
You can of course direct us to some place that shows it has had no effect?
(That planes occasionally get hijacked is not proof)
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
what stops a spy from cracking open one of the cases and using the little jumper to "reset" the BIOS?
THIS DOES:
http://www.fmjpadlock.com/products.html#uni
You mean they haven't been already doing that?!?
[Now, I'm off to lift my le... Um, visit... at another place.]
Why would you let non-admins boot from anything other than the hard drive?
[quote]If your stuff is that secure, then why do you not implement some sort of key system that will only let you into a file (even a local file) if you're connected to the company network?[/quote]
What is this? I'm aware of author protected files. What's this about network located files? Anyone have an example? I would hazard a guess it acts like software registration. Is this a file or application security?
It's easy enough to take a file in a low or minimum security situation. This sounds like a casual policy. Like some companies have dress policies that are moderately enforced. And some companies require a, aack, tie.
Too much hassle and no fun. I am having fun at a really small company.
I once applied at a company that ran a bulk eraser all over your body before you left the building. It was supposed to wipe diskettes and it would mess up any USB device. I did not go to work for them. There are levels of paranoia that we cannot dream of, thank goodness.
Setting rules and security on the network is only part of the task. The social aspects of data theft or mis-use have to be handled with as much attention. Now...enforcing the security becomes moot if they allow devices that can carry data outside, inside the building...
(paper can carry data too, and is a known source of data theft, just as the dumpster divers...)
karma, hah...
You could always get XM and drive your car right into the office, through the lobby, into and up the elevator and park right by your desk, and then pop out your XM receiver and plug it in to the base unit on your desk.
i work in R&D. we have cute little picture id badges with embedded RFID which we need to have on us at all times, on campus, and must use to pass between areas, &c. on the back of the badges are little endorsements such as: laptop, diskettes, camera, packages, &c. if you try to take any of the officially proscribed items past security -- in, or out -- and you don't have the proper endorsement on your badge, you must have the proper paperwork for a 1-time exemption to the security policy, or you don't get past (and security does a write-up, possibly leading to nasty results).
Moderators: don't mod this up, because I'm agreeing with the parent.
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
This is indeed a security flaw. But sysadmins wishing to prevent data loss in a corporation would do better to restrict the means to EXPORT the data from the network, which is fully under their control, rather than try to play cat-and-mouse with technologies to IMPORT data to portable storage devices. E.g., keep secure data on machines without disks, ports, or network connections. You can do whatever you want to such a machine, but short of disassembling it or transcribing info from the screen to paper, it cannot be used to steal corp data no matter how many USB devices you have.
Currently hooked on AMP
...and then when the filesystem gets mounted under a different drive letter, they're totally lost.
I just started my first job in an interactive agency. I could see a policy like this being put in place (if your creative shop is owned by a larger corporate entity) to prevent folks from swiping applications or fonts from Macs or, to a lesser degree, PCs. I mean, if I really wanted to, I could get a sh*tload of rather expensive Adobe fonts from the collection of Macs in my office. If you're a contract designer that walks into a shop that has a nice collection of expensive Adobe fonts that you can't find online for free (pre-bootlegged), it would be very tempting to grab a few fonts and drop them onto a keychain drive or iPod. If the company never knows about the fonts getting out -- probably not an issue. But if the company were aware that fonts (or small Mac apps that can be installed by copying folders from an installation CD-ROM) are getting swiped, then maybe such an anti-iPod policy would find a place in a creative environment. IronChefMorimoto
I copied all contents of the corporate servers at my last two jobs (financial consulting) before leaving. I keep an encrypted copy just in case I need something, but I have no intention of harming either company in any way. Meanwhile, another guy managed to blackmail the company using only the data in his head. The problem of USB drives is blown out of proportion, IMNSHO.
>> I remember my counter-intel classes going over that stuff.
Wow, the FBI really does surf Slashdot!
Smile, you can't tell if it's funny.
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
A contributor to 2600 had a neat idea.. creating an auto-running batch file that copies the contents of my documents to your thumb drive. Plug and play indeed!
I think he meant that you couldn't get network resources directly to an outside device. You are correct that with physical access, non-OS steps would need to be taken to secure the machine.
However, file encryption is also available on NT based machines, so even if you could boot to another OS, you could be locked out of sensitive data stored locally.
Learn to love Alaska
I would not be worried about the person who is going to steal some information via their USB device. I would be worried about the person who would just send it out over the web. How many office networks have at least port 80 access? That is all you really need to send whatever data you want outside of the company. Most people aren't going to bother transferring stuff on to their mini-drives. They will just send it over the connection you are reading this with.
Won't solve a thing.
I know they want to believe I can't hold information in my head...but I could reproduce every experiment I have done from memory. I know all the results, the implications, and the next steps. I know where the reagents came from. I am the device they need to keep out to protect their information.
I can't take my notebook [paper pad that accepts data from a stream of graphite or pigmented fluids for the kids here] home . . . but I do get a company laptop, ssh access to the data, and well... if I really wanted too, I can print to an IP address half way across the country. My iPod is the least of their concerns, and if they ban iPods, so also must be banned the pen, printer, paper, pencil, and humans.
go ahead, treat me like a criminal, but don't be surprised if I live up to the expectations.
If a secure facility is running Windows XP on a Dell box, there isn't a damn thing they can do to keep someone from hooking up a storage device.
With a security policy that disabled the USB ports, how would you hook something up via USB? Will Dell not allow you to disable boot from floppy and CD and lock the BIOS with a password (and then lock the case with a little padlock)? I've done it with Dells, so unless there is some security hole, it should be relatively secure.
Learn to love Alaska
Huh? Did CD-R stop functioning on this plane of existence?
Your primitive culture doesn't do this already?
but only in situations where it would present the only way to move data out of the company without getting caught.
Most companies have wide open internet connections, and it's trivial to just upload stuff elsewhere. OR email it.
OR stick it on a CDR/DVDR
Or stick it on a bigass portable firewire hard drive.
If you are in a sensitive, secure environment, where all the above are disabled and/or forbidden.. and you work in isolation, then of COURSE you don't allow your staff to pack in an iPod.
This is a simple situation; they write the cheques, they make the rules. If you don't like it that much, then look for employment elsewhere. Very straightforward arrangement.
..don't panic
Of course it is overkill, especially since any 11 year old that has ever picked up a copy of 2600 can breach a firewall and grab whatever "secrets" the company tries to protect. Maybe we should all go back to pen and paper and vacuum tube radios. What a useless thread.
The article isn't about how companies are actually doing this, but rather it is the Gartner Group *recommending* that companies do this.
This isn't about security, it's about Apple (as always). Apple is doing well, efforts at negative press backfire, the iPod is breaking sales records, along with the iTMS -- so, what can people like Gartner do to try to drag down Apple again?
"Let's see, let's claim it's a security risk, that will spread plenty of FUD with execs and IT experts that are clueless..."
It was just a matter of time for this to happen.
Harry
There are many other legitimate reasons for using https.
And shopping becomes a legitimate activity if the alternative is people sneaking out of the office in order to get to a shop before it closes.
IANAL but write like a drunk one.
I've seen 2GB USB keys. Do you have a >2GB ACT! database? (I have a 1GB USB 2.0 one of these. Yes, it's tiny. And it looks cool. :-) )
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
One major problem with having handguns on aircraft is that a stray shot could depressurize the cabin, no matter who makes it. Additionally, in a confined space such as an airplane, a gun may not be the most useful weapon, anyway.
This post written under Gentoo-linux with an SCO IP license.
You've obviously never had to use Windows Media Player or MSN Messenger for OS X. Awful software.
Boot machine using USB device/CD ROM/floppy or even network using Linux.
Using Samba authenticate yourself in the Windows network, mount your local and network drives, copy to your USB device that has now been recognized.
When you are finished reboot in your "secure" machine.
The only sane way to avoid foreign devices is to put a physical barrier on the computer ports (thinking about all-in-one critters) or remove the ports when possible. Anything else is just pretending you are doing something.
IANAL but write like a drunk one.
Information just wants to be free, right? ;)
And what guarantees somebody is not threatening you in order to steal data?
Or that you lost money in Vegas and need to make up for it?
IANAL but write like a drunk one.
Dude,
At this juncture, I'm more concerned that you even own a USB watch. No matter how functional you may believe it to be, there's nothing a USB watch can do for you that can't be canceled out tenfold by the fashion statement you, intentionally, or unintentionally, put forth by wearing a storage device.
It's quite elementary (which is the grade you should've picked up on this lesson): What you wear says a lot about you. Wearing a USB watch says nothing good. Sell the USB watch (preferably to the geek friend who's hitting on that cutie pie in the steno pool you've got the hots for), buy an analog watch for your wrist and a USB drive for your key chain.
End of discussion!
-=- cpopin
-=- Many seek good nights and lose good days.
So, I'm curious: how did they KNOW that you had a USB watch in the first place?
...and you don't necessarily have the right to bring that machine in to your place of work. depends on the TOCs you signed...
The case of AOL aside, I think most companies have more to fear from non-employees than employees. Additionally, and equally dangerous, I suspect most companies are not aware of information thefts from outside sources, and when they are, are not as willing to report it.
No, it doesn't. I can't tell, however, if that's due to the fact that my primitive culture hasn't (yet) been directly exposed to the horribly high level of terrorist threats that others have been these recent years, or if we, even without being threatened, eventually will start implementing such privacy-eroding measures as we evolve and turn less primitive. :^)
and lobbied for registration/restriction laws for guns after the Kennedy assassinations. Sometime in the late 70's he changed his stance as his career was on the decline.
One of my brother's friends got fired for bringing a phone with a camera into highly secured military location - near Vegas where they just had a nuke test. He had just forgotten that his cell had a built in camera. My brother switched cell phones with me shortly after since he has secret level clearance and needed to work in some secured areas.
You can get 80 GB on this: http://www.thinkgeek.com/computing/drives/5ad4/
It's a 3" x 5" x 0.5" USB hard drive, not much bigger than a thumb drive.
You'll need it to use some of the things a quick Googling reveals.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Yeah, it's legit. My friend jacked Photoshop from his school using his first gen iPod...
Now, we both enjoy high powered graphics editing thanks to the University of Washington and Apple's consumer hardware division.
The kind of high security policy I can live with
Not a fool-proof policy (nothing is, as we all know ever is or seems to be), but some thing that seems to be a "respect of others" type policy.
You can bring it in, but since you brought it in we must be able to look through it in case of whatever.
This was brought to you by the Department of Redundancy Department
" It's just a AudioPlayer ! " - No ! it is a means to summon us ! " Who are you ?" - Explorers in the further regions of annoyingness, Lawyers to some, Judges to others! " It was a mistake, I didn't mean to open it! argh go to jail!" - we can't, none of us can, you go to jail! sorry, couldn't resist.
Greetings from the Limburgian People's front ! and no we are not the Peoples front of Limburg!!!
well... I should say my solution is simple compared to what the powers that be WANTED to do (i.e. put GLUE in all the usb ports). All workstations have their usb, parallel, and serial ports disabled in bios. All mice and keyboards have to be ps2. Non-admin workstations have no disk drives or cd-roms, any installs are done through a shared cd-rom restricted to admins, and any reformats get taken down to the work room and have a cd-rom plugged in for the duration of the reformat/reinstall.
I personally think it's a little overboard, but it does work. And the workstations get no net access either.
The company I'm working at at present is still on NT 4 for their desktop systems. As NT 4 doesn't support USB or Firewire natively, my USB key is essentially useless for transferring files from box to box.
They're looking at migrating to XP on the desktop now, and one of their requirements is to be able to disable USB access on their desktops for security reasons. I've got no idea how this requirement is progressing, but it seems appropriate for a locked-down desktop environment.
Just watch the movie Terminal Error.
I guess that a company that didn't trust it's employees would be very concerned that basically everything can go home on an iPod. But I don't work in one of those places.
.. the problem is the people who have it.
In the old days technology like USB watches/keys/etc was the province of the geek. The technology may have been nerdy, but overall the people who used it were people who had a good chance of knowing the consequences if it was abused.
These days USB storage devices are falling into the same category as iPods - the people who carry them are not geeks, but they're not necessarily technically savvy or competent to see through the technology and respect the larger issues of security and intellectual property. Now few organisations have the balls to actually discipline employees who screw up in ignorance (especially when those who screw up are the pointy haired bosses who want to look tech savvy).
So, the result is broad policies where the technology is banned to everyone, and the geeks run a higher risk of being busted and sacked.
USB drives are a REAL security problem. Real CIOs disable their use on the network. They even install "GOOD" viruses that disable the USB storage capability on any computer attached to the corporate network. Anything less just can not be considered security. The programs I am familiar with even sound an alarm when someone tries to attach a USB storage device of any kind. The more aggressive ones disable network access at the router for the offending MAC device. These precautions are not perfect but they prevent >99% of the casual removal of data that is not transported by e-mail. There is even a standards group that is trying to get all USB devices to provide the owner's information each time they are "Connected" so that records can be maintained of what data was moved to and from the device.
There are so many places to store significant amounts of data these days that unless you're military contractor level paranoid, there's no point about being concerned about any particular technology above another. Case in point. I now have Bluetooth running on my work laptop, my home PC and my mobile phone with a 128MB MMC card. I don't even need to take my phone out of my pocket to copy something off the network and take it home. Now, did you spot the hidden message in there? I have a laptop for work! I can take home Gig upon Gig of stuff in the normal course of business. The company wants me to work from home on occasion -- fixing problems remotely and such like. Note the implications of that -- we have VPN access to our network! I could go on like this for ages. Ultimately there are two points. You're either trusted or you don't work here and our data, while valuable, is not enough to setup an entity that can successfully compete with us.
Just like the Linux study, of course, MS wants extraneous USB/firewire devices banned.
Okay, just kidding. 80% of this report is that every once in a while, these analysts need to stir the hornets' nest to get PR and on TV. Local news will be doing the NY Post/London Sun all over this.
Sure, portable devices are a danger; so is having employees. Hell, the internet is about the most dangerous thing there is next to having employees.
Ideally, what analysts recommend are no employees and having your typewriter in a concrete block with one way and one key - and of course, to pay $20k for their quarterly reports.
Then you need to ask your workplace to offer a secure storage area for your personal belongings during the day, perhaps in a manager's locked office, then you could pick it up at the end of the day. I can't carry my gun to work or even have it in my car (work on federal land) if I want to hit the range at the end of the day, but you don't see me complaining. I accept that there are limits we must work within, not just blatantly thumb our noses at.
Sod that, I'll just walk past your cube farm with my new phone and leech all your s3kr3tz onto my phone and use its camera to take pictures.
I know of defense establishments where staff surrender ALL personal electronics at reception when they arrive at work in the morning. It's a question of how sensitive the data is.
Xix.
"Everything is adjustable, provided you have the right tools"
What about those nifty little USB "pen drive" flash memory sticks that can hold 256 MB for about $50?
The drivers are already built into Win2000 and WinXP, so it's very quick and easy to use them.
You can easily keep one well hidden in your pocket while you walk out the door with corporate data.
Companies now often issue laptops so that employees can more easily work at home but at the same time want to ban iPods and flash drives. This is the absurdity that lurks just below the surface.
Hell, a strip search isn't even too likely to stop those that are determined to smuggle out corporate data. These days, simply by giving someone access to use a web browser on a PC at work, you've given them the ability to take your data. Plenty of online services (such as Yahoo) offer "briefcases" where you can upload files for storage to your personal account.
How many of these places banning USB flash drives from coming in are also preventing users from going anyplace on the Internet except specific web sites designated as "safe"?
Ultimately, it comes down to the same old thing. Treat your employees fairly and keep morale up, and you have a much more effective theft deterrent than any security measures you could ever put in place. Happy employees don't want to see their employer hurt and lose money. (Furthermore, if exceptions do exist in such a workplace, their co-workers are going to rat them out if they see them screwing over the business.)
what bs. i can't even speculate regarding what job a gig of flash is "essential" for. furthermore, if it was essential, it would have been issued. and why you need to be transporting shitloads of data by hand to other workstations. your employer dropped a pile of cash a while back to build a network so that you wouldn't have to do that.
if you're going to argue that you need to take it home, guess what; you don't. it's the company's property and it doesn't belong on your personal machine. if you can't get your work done at the office, try spending less time in the break room or downloading cool desktop wallpapers.
and what's this crap about turning users into narcs? wtf? my experience is that users are mostly suspicious of the it dept. they seem to think that we just sit in our offices and monitor what they do all day. when they figure out that they can get around the hotmail block by going to the co.uk site, they think it's great and share it with each other and try to find other ways to beat the man. you, oh so casually mentioning that you've been doing this for years, just demonstrates my point. they try to one-up each other by doing some other thing that they're not supposed to do.
it seems to me more likely that the it staff would be resented for planting spies among the workers. "they took away my yahoo flash games, now they have the mailboy looking over my shoulder!" could be different somewhere else, but i'm running a network for 350 users, and all of the above behaviour spans into other districts of my corporation (as told by my colleagues). all told we have over 3500 users.
[rant] if people would just do their jobs instead of fucking around like this we'd be a lot less likely to lock things down hard. when we see you wasting company time and doing things that you know (and that policy states) you are not to be doing, on a regular basis, it makes us assume the worst. btw, it's called work for a reason.[/rant].
this was supposed to be short, but now it's not, so i'm done.
i guess that it guy must've been telepathic, what with his being able to divine the contents of your bag from his desk. if you didn't have your toys out, how the hell did he know that you had them? i doubt that there was a task force searching through all bags until they happened upon yours? if, in fact, that is what happened, then i agree with you, that's fucked.
i won't comment on the nt4 foolishness; some people are indeed idiots, and i've met more of them than is good for a person.
you need to realize that it's not your employer's responsibility to make it convenient for you to play video games after work. if i'm gonna go jam after work, i don't get to leave my rig in the reception area because i don't feel like going home to get it later (please don't argue against this by saying that your laptop fits in your bag. you know what i'm getting at).
In other news... Gartner group determined today that employees' brains can be used to store and take company data off site; recommends employees check their brains at the door.
I decline to work at places which treat people like this.
It's NOT because I think they're not entitled to protect their data -- they ARE entitled.
But their implementation is just plain stupid: a miscreant could simply encode some sensitive data with PGP, walk out with a hard-copy, and then read it elsewhere with a scanner.
So why do they insult their workers and associates, if they're not really serious about having air-tight data security?
The most effective method would be to force all employees to undergo full cavity body searches coming and going. Shoes should be x-rayed. Bags, boxes, briefcases and purses should be checked at the door.