iPod: Your Portable Corporate Hellraiser
MrAndrews writes "In an article on ZDNet UK, a Gartner says that "Companies should consider banning portable storage devices such as Apple's
iPod from corporate networks as they can be used to introduce malware or
steal corporate data" I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
corperate just recently issued 1GB thumb drives to all employees. we find it's easier for the users to back up their own crap and transfer it that way.
teaching a user about network storage or even using the IRDA file transfer was unsucessful... yet these dolts took to using the thumb drives like it was second nature.
so now usb storage devices are required and issued to users.
Do not look at laser with remaining good eye.
I used to work at a government defense contractor and this type of policy was standard there. No CD players, no radios, nothing with any type electronics could be brought in just in case they could somehow be used as a transmitter or to steal data or something. Oddly enough, floppies could be used. Go figure.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
That is interesting (that your users were confused by using a network file share, but found the thumb drives intuitive.)
Is it the fact that there is a physical artifact that makes the idea of "your files are going here" easier to map into their worldview? UI Designers Take Note. This might be on the test.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
But they do allow diskettes (friggin diskettes! Do you know how much customer data you can put on a diskette?). Then I also found out that the "internet-network" (which only internals have access to with a NT username/password) operates simply on DHCP, no MAC address checking: the only "security-check" is the NT-Domain login. Why did I find this out? Simple: these morons allow contractors to have laptops, so I once just plugged it in that network. Worked instantly. Now there is a security concern in my eyes! For crying out loud, I have a Mac, I don't even need a crosscable to pump over data from my work-PC to my Mac. Imagine what kind of data I could take away with that! Nobody evere stopped me at the entrance/exit with my laptop bag. Nobody.
You see, if you want security, you need to ban every device that can be networked somehow. It's that simple. Yes, this includes your iPod. So, I supect that this is only a great concern in governmental instituation (top-secret clearance), but in the "highly sensitive environment" of banking they don't get it at all.
Hey, I pointed out their flaws and I was told to shut up.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Most military bases have banned PDAs, USB Flash drives, iPods (and variants), cell phones, and any other device that can be connected to a computer and can store data. Some have even gone as far as removing diskette drives and banning CD-RW and DVD-RW drives on new systems. I have seen incidents where people decided to put classified military data on a flash drive or floppy to take it home to work on it. This happened even after people sign an agreement and go through repeated training sessions where they spell out what will happen if they do something like this.
Corporations are having to deal with this same problem as portable devices can now be used to store data or take pictures that could compromise sensitive data. However, this has always been an issue. A systems administrator could walk out of work with and 4mm or 8mm tape full of sensitive/classified data and no one would know. It boils down to a matter of trust and integrity; do you trust the people who use/administer your systems? Have they shown the integrity in other matters that would indicate they can be trusted with more sensitive matters?
Unfortunately, it only takes one person in a sensitive position to screw it up for everyone else.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
Not in some movie - Cringley wrote about seeing a man walk into CompUSA, plug his 1st gen iPod into a mac there and drag the MS Office folders onto it. The article claimed (I have no idea how true it is/was) that Office will re-establish the system folder items necessary so this amounted to a perfect and complete copy of the software.
That said, certainly the benign uses outnumber the malicious ones. The question is, if you have other data control policies, do you need to CYA by having this ban so you can respond to suspicious activities decisively? I also think comparisons to more easily concealed USB key devices isn't reasonable - I can't fit a large ACT! database of contacts on one of those but I can on a 40g devices.
Bad management trumps ideology - Show the world you want better leadership. http://www.timefornewmanagement.com
True, but that's not the entire purpose.
.
Where I work (a DOD contractor) we can carry just about anything (except a camera). We are, however, required to register it with the security manager. In order to register it, you must give them permission to read the contents on the way into or out of the building. That allows them to maintain their illusion of safety while allowing employees to carry their preferred gadgets.
I don't know of anyone actually being searched, however . .
'I ain't a liar, baby, and I ain't proud I just want what I'm not allowed.' -- Violent Femmes, 36-24-36
Remember last year, the movie 'The Recruit'? One of its big premises was that a CIA agent was smuggling out data; but they couldn't figure out who was stealing the information, and how. The smuggling device turned out to a common USB flash drive hidden under a coffee thermos's seal. The USB drive didn't come up in the CIA scans because the drive wasn't active; the inactive drive wasn't giving off any EM for them to detect.
I think USB, IR, and now 802.11 devices and Bluetooth enabled cell phones could be a real concern for data centric firms.
As a side thought, companies may begin to ban cell phones as well. Late last year SlashDot had an article about a cell phone detection device made in Israel. People were leaving modified cell phone in planters. The modified phones would transmit the conversation of anyone in the room for about a week. Thus making a cheap spy toy.
You say things that offend me and I can deal with it. Can you?
In much the same way as the demise of Napster brought about the end of filesharing, banning iPods from work will wipe out corporate secret stealing. Nobody will ever think to tunnel data through SSH, copy data onto floppies, USB keychain storage devices, portable laptops, or magnetic tape. Surely, nobody will upload information to their Palm or Windows CE handheld devices; nobody will print out data and take it home; nobody will call someone on the telephone and read them data over the phone.
Man, they've sure got all their bases covered!
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
That day I wanted a tin foil hat lol.
My company works with the Bureau of Engraving and Printing (the folks who print the bills). The Bureau issues transparent vinyl purses and packs for employees to carry their lunch and belongings. This makes it easier to see whether somebody is walking off with sheets of un-cut currency.
We also worked with the US Mint (the folks who mint the coinage). They told a story about metal detectors tied to biometrics that were so sensitive that when a woman became pregnant, the changes in the metal chemistry of her blood (increased iron, etc...) were enough to have to retake the biometric scan. That one always seemed apocryphal to me (but a very cool concept nonetheless).
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
(except a camera)
;) This was after '96.
True story: a former supervisor took a Sony Mavica (uses a dos fmt floppy disk) onboard a ship with Soviet missles where he should not have and took pictures of them. When the rent-a-cop spotted this he asked that the pictures be deleted. My super handed me the disk and we did the old dos 'undelete' trick with Norton Utilitues and got the pictures back, no problem
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I'm not yet sure if it's going to fall into the category of "absurd overkill," but at my workplace (a large FDA-regulated manufacturing and research facility), we've just disabled USB support entirely on the machines comprising our HVAC distributed control system. The reasons behind this are partly due to, first, questionable processes of vendor-support technicians using their USB thumb-drives to move system configuration files around from one network instance to another (which is perfectly reasonable and needed sometimes, it's just that they're doing it ad hoc without supervision and, under FDA regs, this raises the questions of 'how much control do we really have over our system?' and 'has the system's "validated" state been disturbed by this laxness?'), and second, as far as we've been able to tell, the anti-virus software we use doesn't automatically scan, say, thumb-drives when they mount (though it really seems that it should, and I still need to do some investigation there in my copious free time).
On the side of the argument calling it all "absurd overkill" - this clamp-down just makes it that much more inconvenient for people using the system to do their job, while not really tightening security up that much, since most people who have access to the system in the first place can figure out plenty of work-arounds. (Hell, part of my job is figuring out those work-arounds - it's why they pay me the Big Bucks(TM), (yeah, right).)