Slashdot Mirror


iPod: Your Portable Corporate Hellraiser

MrAndrews writes "In an article on ZDNet UK, a Gartner says that "Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data" I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"

34 of 679 comments (clear)

  1. Not so "absurd" by MoxCamel · · Score: 4, Insightful
    I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern?

    Not to skirt the question, but is this really "absurd overkill?" I'm sure that USB pens/watches/etc have been a boon to corporate espionage. With a USB storage device, you don't have to worry about burning CDs or emailing your stolen information off-site.

    Having said that, I do think that some companies need to quit treating their employees like potential criminals. But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space. (thin clients would have gone a long way towards solving this problem, but that's another discussion)

    1. Re:Not so "absurd" by therblig · · Score: 5, Insightful

      To use a tired cliche, a security policy is as "strong as its weakest link." If people have access to web mail, CD burners, or other simple means of transferring data, then the policy is absurd. However, if strong security measures have been taken elsewhere, then this is perfectly reasonable, too.

      --

      I struggled for days and days and all I got was this lousy sig.

    2. Re:Not so "absurd" by Enigma_Man · · Score: 4, Insightful

      And that's the perfect solution. In the name of security, your stuff can be looked through. In the name of convenience, we won't look through it every time, and you can still keep it.

      -Jesse

      --
      Nothing says "unprofessional job" like wrinkles in your duct tape.
    3. Re:Not so "absurd" by akaina · · Score: 5, Insightful

      That's all good and well, but there are these things that have been used for years to facilitate corporate espionage, they're called floppy disks.

      Also, what's the point of taking a watch? Unless they do a strip search, you'll always be able to get information out of the building.

      --
      Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
    4. Re:Not so "absurd" by SilentChris · · Score: 4, Insightful

      I think you're missing the point. It's a deterant. They're basically saying "You bring that in here, we'll be watching you." Coupled with security cameras throughout the building (which a company like this would likely have) the average thief would think twice.

      It's similar to those guys with automatic weapons at airports. Do you think they'd ever fire one off in a crowd? No. But it's a deterant to bombers and the like, because it's basically saying "we'll shoot you before you get to your mission". Ditto on the X-ray scans and other crazy security measures in place. Thiefs/criminals like to stay hidden, not be put in the spotlight.

    5. Re:Not so "absurd" by tfb · · Score: 5, Insightful

      It's not the saboteurs you should be worrying about (or rather, you should be worrying, but this won't stop them), it's the fools. The people who think it's fine to take something home and put it on their machine, which is sitting on a DSL line without much security. Your corporate firewall is now as weak as the security on this machine.

    6. Re:Not so "absurd" by ArbitraryConstant · · Score: 5, Insightful

      I could steal the source to all my company's software and related documentation on my USB key. Of course, I could upload it to my home computer or some other site with no USB key. Who could tell the difference with SSH? Instead, they trust me. I signed the NDA and I honor it.

      --
      I rarely criticize things I don't care about.
    7. Re:Not so "absurd" by dasmegabyte · · Score: 4, Insightful

      Word. I've noticed a lot of people seem to think that corporate IT policy is a chance to get everyone to comply to their extreme viewpoints or get out of dodge; basically, to create a set of rules everybody will have to circumvent to get their jobs done, all in the hopes of being able to wag a finger and punish when things don't work out perfectly.

      I've got a big problem with this. For one, it's an overstepping of power...this may not be "my network," but it sure as shit isn't yours, either. Does the janitor own the toilets he cleans out? Do I own the spaghetti code I have to wade through? Hell no. They're all part of a bigger organization: the company. And if you're alienating the rest of the company on a regular basis, you're going to discover some hefty resistance to your policies -- which is asking for trouble.

      Want the perfect network policy? "Only you can prevent forest fires." Keep your users happy, keep them informed, don't make a mountain out of a molehill, admit your mistakes, ask for help and make strong suggestions. People watching people of their own free will is a much better way to prevent viruses, spyware and espionage then indemnifying yourself while the rest of the company is smugglying MuVos in their underpants.

      --
      Hey freaks: now you're ju
    8. Re:Not so "absurd" by kelzer · · Score: 5, Insightful

      And in the mean time, the actual thieves simply carry in their USB storage device hidden away in their pocket, without registering it, and leave without any search.

      This is just another example of a stupid law or policy that does nothing to prevent theft, but inconveniences the honest people.

      --

      ---------------------------------------------
      SERENITY NOW!!!!!!!!!!!!!!!!
    9. Re:Not so "absurd" by Stephen+Samuel · · Score: 4, Insightful
      There have been no publically known hijackings since 9/11/01.

      The biggest change in air security since 9/11/01 hasn't come from the (sometimes asinine) so-called security rules. It's been from a change in passenger attitude. Passengers are now being responsible for the safety of their aircraft and crew. Before the Twin Tower Trashing, passengers considered stewardess bashing a spectator sport. When the hijackers slit the throats of the cabin crew, the passengers just ummed and awwwed all the way into the other side of the building. No more.

      Nowadays, if somebody slaps a stewardess, he'll have half a dozen passengers on his back with another 20 standing by as backup. The shoe bomber was tackeled by fellow passengers not a sky marshall.

      Speaking of sky marshalls: I wouldn't want to be one, because if anybody sitting near me pulled a gun in the middle of a fracas on an aircraft, I'd be looking for limbs to dislocate and break long before (s)he had much of a chance to identify him/her self.

      As for smuggling weapons: I'd presumed, when I first heard of the Sept 11 hijackings, that they'd smuggled the weapons in as parts of a modified laptp or something similar. Something like that is still mind-numbingly easy to do. The only way you're going to prevent a determined hijacker from finding a way to smuggle a weapon onto an aircraft would be to force passengers to strip and wear those disposable paper suits on board -- even then, you'd need to do cavity searches.

      But it really doesn't matter because, even if you did manage to pull a gun out of your ass, the passenger next to you would just as likely toss you out the emergency exit as sit by with big eyes watching things unfold.

      --
      Free Software: Like love, it grows best when given away.
    10. Re:Not so "absurd" by peg0cjs · · Score: 3, Insightful

      This is lawyers getting in the way of common sense again. While it's true that it inconveniences the innocent and doesn't affect the guilty, it does give the company legal weight behind prosecution/persecution if they can point at the policy and say "You broke the corporate policy so you're fired." In this way, they can attack people for breaking the policy instead of stealing data, cuz that's much harder to prove.

      IMHO, a USB storage device is no different than a photocopier on every floor, except for the capacity. How many times is your briefcase searched at the door to ensure you haven't photocopied/printed sensitive info? A much better approach is to secure the data in the first place to ensure that untrustworthy people don't have access to it at all. Now all we need is a retina scanner that can differentiate between the untrustworthy and the everyday masses.

      --
      Karma: Excellent (Mainly due to Bill & Ted's Karma Adventure)
  2. Funny you think that way. by Gannoc · · Score: 3, Insightful

    In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"

    No, its just a matter of scale. There are no real legitimate concerns, but every company will balance employee happiness vs the 1 in 10000 chance something will go horribly wrong with a USB watch, and just ban everything outright.

  3. A valid concern by slusich · · Score: 4, Insightful

    I work for a casino, and we don't allow our employees to bring in such devices either. I'm sure it still happens, but such policies are important when your customer database is vital to your income.

  4. Come again? by TopShelf · · Score: 4, Insightful

    I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ...

    How is that overkill? Sounds like a common-sense move for a firm that wants to take steps so that sensitive information doesn't just walk out the door. It's not that much different than walking in with a USB CD burner under your arm.

    --
    Stop by my site where I write about ERP systems & more
  5. This isn't overreacting. by PhxBlue · · Score: 4, Insightful

    I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day.

    That's actually pretty generous if you're actually serious about the information the consultant handled being Top Secret. Even if it isn't, that's a much better alternative (for you) than being "let go" because you continued to wear a prohibited device after being told not to.

    --
    !#@%*)anks for hanging up the phone, dear.
  6. Re:Old fashioned iPod... by Gannoc · · Score: 5, Insightful

    Cute.

    Makes me thankful for my original iPod with it's Firewire connectivity only, there's no firewire ports in this office.


    Yes, like you're going to win that arguement at the security door/HR rep/etc. "But my ipod only has a firewire interface, unable to connect to the computers here!"

    To them, that sounds like technical nonsense that makes you even more suspecious. "He mentioned fire!"

  7. Legitimate complaint,obvious alternates by 192939495969798999 · · Score: 3, Insightful

    Well, that's a pretty legitimate complaint, especially if you work in a secure building. You can't just be coming in and out with a portable hard drive and copying mechanism every day if you have secret clearance and work on DOD stuff, so it makes sense that other companies would follow suit. Besides, it's not like CD players, tape players, mp3 cd players, radios, live365.com, etc. don't exist! Just like checking your guns before entering a saloon makes sense, so does this. Sure, you might not use it, but if you did, people would sue.

    --
    stuff |
  8. Not "absurd" by Eagle7 · · Score: 4, Insightful

    Banning personal portable storage devices (iPods, USB, powerful calculators w/ a computer connection, etc) is pretty much standard (and smart!) pratice when either government or industry classified/proprietary information is available. The risks are simply too great... the chance of soldiers dying due to a security violation or a company going under due to industrial espionage greatly trumps your desire to have a silly USB watch on your wrist all the time. If you don't like that reality, then don't take jobs that put you in contact with that sort of information in the first place.

    --
    _sig_ is away
  9. weighing the benefits by bodrell · · Score: 5, Insightful
    Yes, iPods and USB watches are security concerns for many companies. But if an employee wants to do their employer damage, an iPod is not required. I think it's more dangerous to treat employees with distrust, because it makes them much more likely to scheme of more malicious ways to cause trouble.

    Those in charge of company security should remember that these same employees bringing in iPods are the ones who were issued key cards to get into the building. Companies have no choice but to give their workers the benefit of the doubt.

    --
    Si la vida me da palo, yo la voy a soportar Si la vida me da palo, yo la voy a espabilar
  10. Re:From the Fascist Department by Kenja · · Score: 3, Insightful

    Please explain how to secure a network so that hte users dont have access to data but can still do their job.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  11. Instead of banning the devices outright... by petard · · Score: 4, Insightful

    Companies should consider hiring trusted professionals. If you hire quality, professional employees and explain the policy against putting corporate data on personal devices, this should not be a problem.

    Believe it or not, most professionals want to do a good job and take pride in their work. If you set reasonable policies and explain them clearly, most will want to follow them.

    Do you want to grant someone enough access to your data that they could copy it onto an iPod if you don't trust them to abide by your policies? If they have that kind of access to the data, copying it to an iPod is far from the only or best way to get it out, and you're just adding an inconvenience to your employees' lives without meaningfully increasing your own security. If you believe that banning these devices would help, your problems run much deeper and you should rethink the way you're doing business.

    --
    .sig: file not found
  12. A company I'm working for... by callipygian-showsyst · · Score: 4, Insightful
    ...has "tighented" security by, among other things, setting the Windows policy so that shares can't be created.

    The result? Now everyone walks around with a USB drive to move files around, or they email them to and from gmail, etc. (OR they use their iPods/Dell Pods, SonyPods)

    So the system, overall, is a LOT less secure because all the company's assets are kicking around in email and USB thumb drives. But the folks in IT can cluck their tounges and think they did something useful.

  13. Re:From the Fascist Department by eraser.cpp · · Score: 3, Insightful

    The employees at companies using this policy likey have access to confidential information. Copying that to the usb storage device and walking out the door is very possible, and the only way to secure the network against this is to actually ban the devices from entry. It's absurd to just declare that a company enforcing this policy does not "run a secure network", because banning people from read access to information necessary for their job is not going to work.

  14. Re:From the Fascist Department by ldspartan · · Score: 3, Insightful

    can't telnet from the school due to policies? just bring Putty on a memory stick ... I'm confused, wouldn't this be better addressed with a packet filter instead of removing the telnet binary? What happens if a kid brings a laptop in?

    --
    lds

  15. Re:Just to get this out of the way... by ThatDamnMurphyGuy · · Score: 3, Insightful

    Just one more. What about printers? Oh yeah, pens and paper?

  16. Completely backwards. by baadfood · · Score: 3, Insightful

    For better or worse, personal storage is going to increase. Cellphones, watches, ipods, all these things are becomming increasingly necessary to remain competativly productive in the modern world. Companies that dont figure out how to allow employees to use PDAs or cellphones or USB thumbdrives are going to find themselves at a disadvantage relative to companies that allow their employees to discover new ways to increase their productivity.

  17. Re:From the Fascist Department by joebok · · Score: 5, Insightful

    Not everybody is a criminal or has criminal intentions. If you don't trust an employee with an iPod, please explain why you would trust them to have access to the data in order to do their job?

    A policy against iPods and other USB or other portable devices applied blindly is illusionary security at best. There are countless ways for a dishonest employee to steal data - the only mitigating factor is going to be how secure the network is - that should be the primary focus of any system administrator.

  18. some solutions by ciryon · · Score: 4, Insightful

    Storage devices are security threats that should be taken seriously. The best way is not to refuse employees listening to music but rather

    * hide computers away or lock them up so they can't be physically accessed. This should be combined with tight firewalls for outgoing traffic.

    or

    * make limitations in the software so USB storage devices or firefire disks simply won't work. Of course users can't have administrative rights.

    or

    * disallow sensitive information from reaching employees computers. Store things on secure servers.

    I'm right now sitting at work on one of the largest corporations in the telecom business and we sure as hell don't have enough security.

    Ciryon

  19. Re:Mod this guy up ... by Short+Circuit · · Score: 4, Insightful

    A cheaper, and more secure, alternative would be to use a floppy disk as an ID device. They put it in, their network map shows up, they copy the data. They remove the device, their network map disappears, and they go home.

    It has several advantages...first, they don't have to remember to "disconnect" the flash drive. Less chance of losing data. Second, you still have that mental association between the data and the floppy. Third, the data is on a central server, where backups are made regularly. Fourth...the floppy could be formatted to only, say, 512 bytes of data. (I'm sure you can tweak superformat's settings to do that...) Nowhere near enough space to remove sensitive data from the premisis, let alone a normal filesystem.)

    And if the user loses his floppy, issue him a new "key" and his old data. If you want, add some sort of CRC to the numerical key on the floppy, so that data corruption is less of a risk. Or put a backup of your only sector on the other side of the disk.

  20. Another too little too late attempt... by derfla8 · · Score: 4, Insightful

    Corporate espionage is something that is feared; however, all this really does in inconvenience those who are using these devices legitimately. I would trust that in an organization who has a real security concern, that they would have appropriate ACLs in place so that data theft would be limited to what the user that already has security clearance.

    Now if you have already cleared someone to be viewing and working with such data, you have much bigger problems than fearing them stealing it with a USB device. It's like trusting your employees with your business in their day to day operations but keeping office supplies under lock and key. It just doesn't make sense. If someone is intent on ripping you off, they would't go for the small stuff. Similiarly, if your business depends on these people who have access to such "crown jewel" data you'd better hope that you have a good hiring process and that you are keeping your employees happy.

    A side rant: so you're all concerned about people with USB devices; yet, you're fine with shipping your data off to some foreign land for outsourcing. Hmmm... If only the world were based on logic!

  21. Re:Second step? by dasmegabyte · · Score: 5, Insightful

    Typical heavy handed IT lunacy. You're making it harder to use a possibly essential device on a machine you didn't know might need it, creating more work for yourself while gaining little to no security, as potential theives would just go to a machine that didn't have USB disabled.

    I've been subverting this type of network policy since second grade, and it's easy because it lulls you into a false sense of security. "I don't have to worry about X machine, I've locked it down!" Meanwhile, us grade school kids are running video games through the shell in WordPerfect.

    Want a secure network? Stop with the locks and start with the spies. Befriend your users and make them your eyes and ears. Remind them not to trust anybody and help them identify suspicious activities. Most of all, make them care. That's tough to do. But unlike being an asshole, it actually works.

    --
    Hey freaks: now you're ju
  22. Re:German c't magazine showed how to disable USB.. by data64 · · Score: 3, Insightful

    Does not prevent someone from booting up with a Knoppix CD and accessing the network and a USB key.

  23. New "Briefcase" Threatens Industry Security by jackrd · · Score: 5, Insightful

    Alert! A new device, known as a "Briefcase" has been increasing in popularity in the workplace. While useful for ordinary business it brings with it some sinister baggage. This nefarious device serves to conceal a large amount of objects, such as sensitive data and staplers, in a small space, enabling employee theft and espionage. While it's true that file folders have been commonplace in corporate environments for years, this new product threatens to bring unforeseen and catastrophic results. Ban it before your company falls apart and you have to spend the rest of your life living in the street trying to support your starving family.

    I do think it makes sense for companies that already employ policies like searching employee belongings and metal detectors to add USB storage devices (and any data storage medium for that matter) to the list of things they check for. If you really needed to bring one in, you could have some sort of approval/checking process. As far as most companies go, I think it makes sense to judge based on whether they seem to be causing problems in the workplace, and if so, banning them or finding some other way to fix the problems. I think it would be a good idea to do virus-checking on insertion of any removeable media.

    I thought this was a particularly interesting quote:
    "Another potential danger is that the devices -- that typically make use of USB and FireWire -- could be used to steal large amounts of company data as they are faster to download to than CDs."
    I think they've been watching too many movies. I highly doubt that most downloading of corporate data happens in a down-to-the-second race against corporate security. I think it's much more likely that most data is stolen by those with official access and all the time in the world. And I may be naive, but I think a corporate spy would be able to think of a better way to export data than an iPod.

  24. Storage and Security by BStorm · · Score: 3, Insightful

    The barn door has always been open. Same old problem just a different set of devices. What has changed is the ease, speed and volume of information that can be copied. Think of the fear that was generated in paranoid organizations after the wholesale adoption of photocopiers.

    A organization can best deal with the issue by treating their workers with a sense of respect. It will not prevent the employees with criminal intent from stealing information but innoculate honest workers from feeling a sense of entitlement.

    A possible technological fix is to ensure that copying data to/from a removable device is logged. This does not prevent the employee from taking work home but does allow for a system administrator to track where the data is going. However this means nothing unless the logs are reviewed. It is essentially a file-nanny.

    It does require that a security policy that is appropiate for the organizational goals and for departmental specifica goals.

    --
    Research is what I doing when I don't know what I am doing - Werner von Braun