Slashdot Mirror
iPod: Your Portable Corporate Hellraiser
MrAndrews writes "In an article on ZDNet UK, a Gartner says that "Companies should consider banning portable storage devices such as Apple's
iPod from corporate networks as they can be used to introduce malware or
steal corporate data" I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
Not to skirt the question, but is this really "absurd overkill?" I'm sure that USB pens/watches/etc have been a boon to corporate espionage. With a USB storage device, you don't have to worry about burning CDs or emailing your stolen information off-site.
Having said that, I do think that some companies need to quit treating their employees like potential criminals. But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space. (thin clients would have gone a long way towards solving this problem, but that's another discussion)
In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
No, its just a matter of scale. There are no real legitimate concerns, but every company will balance employee happiness vs the 1 in 10000 chance something will go horribly wrong with a USB watch, and just ban everything outright.
I work for a casino, and we don't allow our employees to bring in such devices either. I'm sure it still happens, but such policies are important when your customer database is vital to your income.
DeviantArt Page
NSFWMy father works in the Aerospace industry. He is required to leave his iPAQ at the front door every day.
Is this overkill? Perhaps. But sometimes such heavyhanded policies make sense, especially when it comes to making war.
(I was only an egg, but then I cracked)
corperate just recently issued 1GB thumb drives to all employees. we find it's easier for the users to back up their own crap and transfer it that way.
teaching a user about network storage or even using the IRDA file transfer was unsucessful... yet these dolts took to using the thumb drives like it was second nature.
so now usb storage devices are required and issued to users.
Do not look at laser with remaining good eye.
I used to work at a government defense contractor and this type of policy was standard there. No CD players, no radios, nothing with any type electronics could be brought in just in case they could somehow be used as a transmitter or to steal data or something. Oddly enough, floppies could be used. Go figure.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ...
How is that overkill? Sounds like a common-sense move for a firm that wants to take steps so that sensitive information doesn't just walk out the door. It's not that much different than walking in with a USB CD burner under your arm.
Stop by my site where I write about ERP systems & more
Seems to me the first step should be to disable USB on machines which do not need it in the BIOS then lock the BIOS....
Dude,
if you don't understand or agree with this policy, you probably don't belong in the job you are doing, and don't 'get it'.
scary...
-ac
I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day.
That's actually pretty generous if you're actually serious about the information the consultant handled being Top Secret. Even if it isn't, that's a much better alternative (for you) than being "let go" because you continued to wear a prohibited device after being told not to.
!#@%*)anks for hanging up the phone, dear.
Cute.
Makes me thankful for my original iPod with it's Firewire connectivity only, there's no firewire ports in this office.
Yes, like you're going to win that arguement at the security door/HR rep/etc. "But my ipod only has a firewire interface, unable to connect to the computers here!"
To them, that sounds like technical nonsense that makes you even more suspecious. "He mentioned fire!"
Well, that's a pretty legitimate complaint, especially if you work in a secure building. You can't just be coming in and out with a portable hard drive and copying mechanism every day if you have secret clearance and work on DOD stuff, so it makes sense that other companies would follow suit. Besides, it's not like CD players, tape players, mp3 cd players, radios, live365.com, etc. don't exist! Just like checking your guns before entering a saloon makes sense, so does this. Sure, you might not use it, but if you did, people would sue.
stuff |
...or are you just glad to see me?
Seriously, the barn door's been open and the horse halfway to Topeka on this one for a while. Who needs an iPod? I've been carrying around virtually my entire business on one of these things for over a year. Sure, take away my music player, phone, key chain, watch, whatever, I'm a big boy and you pay me enough to play along, but at what point short of a strip search and replacing the pink-haired receptionist with a Brinks guard to watch over the stash does this policy become a smidge unwieldy?
(However, I do throw my whole-hearted support behind any policy which confiscates iPods (or sunglasses, for that matter) from any too-cool-for-the-room tool who doesn't stow them shortly after he enters the building...)
Banning personal portable storage devices (iPods, USB, powerful calculators w/ a computer connection, etc) is pretty much standard (and smart!) pratice when either government or industry classified/proprietary information is available. The risks are simply too great... the chance of soldiers dying due to a security violation or a company going under due to industrial espionage greatly trumps your desire to have a silly USB watch on your wrist all the time. If you don't like that reality, then don't take jobs that put you in contact with that sort of information in the first place.
_sig_ is away
Is really there for you to stash your usb memory device.
Jon Bardin
The German c't magazine recently had a short article about disabling the USB storage driver for non-administrator users on Windows 2000 and XP - effectively eliminating the security risk. This policy could be enforced by any system administrator on all desktops. Similar things could be done for Firewire ports and storage devices that attach to it. Basically it works by making the driver non-readable and non-executable for the average Joe Schmoe user logging into the system.
;)
Bring your own USB sticks? No problem. Can't use em anymore
Christian
--- Eat my sig.
That is interesting (that your users were confused by using a network file share, but found the thumb drives intuitive.)
Is it the fact that there is a physical artifact that makes the idea of "your files are going here" easier to map into their worldview? UI Designers Take Note. This might be on the test.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
You know, I could bypass such security precautions very easily with a USB keyfob and tightly squeezed buttocks....
At one point the corporate machine-support staff tried to set up the following:
The sneaky bastards kept trying to steal my laptop, my PDA and my Nomad Jukebox to do this. I kept catching them and throwing them out of my cube (at one point, literally, as he refused to leave until he had formatted my laptop's hard drive and I had to roll him out in my chair and overturn it in the corridor).
Finally, they stopped that after they did this to an senior VP and erased the powerpoint presentation he had on his laptop. Heads rolled for THAT little debacle. The funny part was that his machine was already work-provided, he just didn't work in our building, so they didn't know him...
Brazil has decided you're cute.
But they do allow diskettes (friggin diskettes! Do you know how much customer data you can put on a diskette?). Then I also found out that the "internet-network" (which only internals have access to with a NT username/password) operates simply on DHCP, no MAC address checking: the only "security-check" is the NT-Domain login. Why did I find this out? Simple: these morons allow contractors to have laptops, so I once just plugged it in that network. Worked instantly. Now there is a security concern in my eyes! For crying out loud, I have a Mac, I don't even need a crosscable to pump over data from my work-PC to my Mac. Imagine what kind of data I could take away with that! Nobody evere stopped me at the entrance/exit with my laptop bag. Nobody.
You see, if you want security, you need to ban every device that can be networked somehow. It's that simple. Yes, this includes your iPod. So, I supect that this is only a great concern in governmental instituation (top-secret clearance), but in the "highly sensitive environment" of banking they don't get it at all.
Hey, I pointed out their flaws and I was told to shut up.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Those in charge of company security should remember that these same employees bringing in iPods are the ones who were issued key cards to get into the building. Companies have no choice but to give their workers the benefit of the doubt.
Si la vida me da palo, yo la voy a soportar Si la vida me da palo, yo la voy a espabilar
But for a regular corporate setting the above action seems more appropriate and pro-active as someone can always sneak a usb device in.
I think it's unreasonable that someone like you is allowed near a facility containing "top secret" information.
You know, if your employees actually CARE about hooking up their iPods or other MP3 players at work, you should be more concerned about what your employees are actually DOING, as opposed to what data could be stolen. My iPod's Library is managed by my home machine, not my work machine, and the only reason I bring it inside is to keep it out of my hot car during the day. I don't even bring a cable that would be compatible.
I'll just burn the site licensed software to CD and take it home that way...
nonsense... I run a pretty secure net here (secondary school, HUGE threat from any teenager who just happen to think he is a XaxooR)... we got everything so locked down that we didnt have a single major incident for the last year =) And still, yes, portable USB devices are a threat... can't telnet from the school due to policies? just bring Putty on a memory stick... et voila! Therefore, it is not so much about network security, but what you allow people to do on the network... with the saaumption that any memory stick can contain software you DONT WANT inside your net.
http://www.automatiq.se
Most military bases have banned PDAs, USB Flash drives, iPods (and variants), cell phones, and any other device that can be connected to a computer and can store data. Some have even gone as far as removing diskette drives and banning CD-RW and DVD-RW drives on new systems. I have seen incidents where people decided to put classified military data on a flash drive or floppy to take it home to work on it. This happened even after people sign an agreement and go through repeated training sessions where they spell out what will happen if they do something like this.
Corporations are having to deal with this same problem as portable devices can now be used to store data or take pictures that could compromise sensitive data. However, this has always been an issue. A systems administrator could walk out of work with and 4mm or 8mm tape full of sensitive/classified data and no one would know. It boils down to a matter of trust and integrity; do you trust the people who use/administer your systems? Have they shown the integrity in other matters that would indicate they can be trusted with more sensitive matters?
Unfortunately, it only takes one person in a sensitive position to screw it up for everyone else.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
Oh yes I remember this! A supposedly high security installation and there are USB ports on the keyboard! Puhhhlease! In high security environments where it matters, there aren't supposed to be disk drives and USB ports, or a easily accesible means to get data off the network.
Please explain how to secure a network so that hte users dont have access to data but can still do their job.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Not in some movie - Cringley wrote about seeing a man walk into CompUSA, plug his 1st gen iPod into a mac there and drag the MS Office folders onto it. The article claimed (I have no idea how true it is/was) that Office will re-establish the system folder items necessary so this amounted to a perfect and complete copy of the software.
That said, certainly the benign uses outnumber the malicious ones. The question is, if you have other data control policies, do you need to CYA by having this ban so you can respond to suspicious activities decisively? I also think comparisons to more easily concealed USB key devices isn't reasonable - I can't fit a large ACT! database of contacts on one of those but I can on a 40g devices.
Bad management trumps ideology - Show the world you want better leadership. http://www.timefornewmanagement.com
I have a friend that works for the Department of Defense and though he wanted an iPod however, employees aren't allowed to bring in any device that data could be written to, so he couldn't use it at the main place he'd wanted to.
Question everything
Do corporations outlaw email because someone could smuggle an important corporate document through a simple email attachment? You can put a heck of a lot of info on a single freemail attachment in a text file, and / or use a corporate POP3 mailserver too. Do corporations also outlaw CD-Rs because they could be used to copy important data? Do corporations outlaw floppy discs? And, above all, do corporations give their employees a darned internet connection to begin with? What about the internet itself? If someone is truly paranoid about security, it'd be more effective to plug already existing giant holes in security, and completely strip their employees of all the fundamental tools of the information age. It's hard to prevent the exchange of information on the computer: after all, a computer is a device specifically designed for just that purpose, anyways. If someone goes through all the trouble to smuggle files on an iPod when he could simply PGP encrypt them over email, it would be an act of stupidity anyways. Conclusively, it's a bad idea banning the iPods from offices. -Foo
Because you can't always just assume that a hacker is stealing information every time, it's realistic to assume that someone in your organisation would give away information for the right price.
;)
The malware aspect though, from my viewpoint though is FUD, because (as far as I know), iPods and flash memory sticks don't run software when you plug them in. I could be wrong though. But I know people who have had 200+ spyware apps, and it's never happened to them. 200 isn't that much compared to some, but I've known him a few years, and being the only Open source guy he knows should give me some influence. Just remember, the weakest link is always the people.
And, for the record, my friend now had dumped IE, and moved to Firefox. It's offtopic I know, but I spent an hour browsing Secunia tonight, and set up a couple of the exploits (IE is vulnerable to all the ones I tried), so I know how easy it is to bring Malware onto a windows box. In short, I'm scared shitless, and anyone who brings in data from a source which hasn't been checked is just asking for trouble. Perhaps if the networks moved to a platform that was less truoblesome
It's my opinion though, that you can either trust an employee, or you can't. If you trust someone with the data, you should not worry about their iPod, or not trust them in the first place.
Companies should consider hiring trusted professionals. If you hire quality, professional employees and explain the policy against putting corporate data on personal devices, this should not be a problem.
Believe it or not, most professionals want to do a good job and take pride in their work. If you set reasonable policies and explain them clearly, most will want to follow them.
Do you want to grant someone enough access to your data that they could copy it onto an iPod if you don't trust them to abide by your policies? If they have that kind of access to the data, copying it to an iPod is far from the only or best way to get it out, and you're just adding an inconvenience to your employees' lives without meaningfully increasing your own security. If you believe that banning these devices would help, your problems run much deeper and you should rethink the way you're doing business.
.sig: file not found
Remember last year, the movie 'The Recruit'? One of its big premises was that a CIA agent was smuggling out data; but they couldn't figure out who was stealing the information, and how. The smuggling device turned out to a common USB flash drive hidden under a coffee thermos's seal. The USB drive didn't come up in the CIA scans because the drive wasn't active; the inactive drive wasn't giving off any EM for them to detect.
I think USB, IR, and now 802.11 devices and Bluetooth enabled cell phones could be a real concern for data centric firms.
As a side thought, companies may begin to ban cell phones as well. Late last year SlashDot had an article about a cell phone detection device made in Israel. People were leaving modified cell phone in planters. The modified phones would transmit the conversation of anyone in the room for about a week. Thus making a cheap spy toy.
You say things that offend me and I can deal with it. Can you?
This USB Drive was in your Daddy's pocket when he was shot down outside the office. He was captured and put in a Boeing prison camp. Now he knew if the suits ever saw the drive it'd be confiscated. The way your Daddy looked at it, that drive was your birthright. And he'd be damned if and dopeheads were gonna put their greasy corporate hands on his boy's birthright. So he hid it in the one place he knew he could hide somethin'. His ass. Five long years, he wore this drive up his ass. Then when he died of disentary, he gave me the drive. I hid with uncomfortable hunk of plastic up my ass for two years. Then, after seven years, I was sent home to my family. And now, little man, I give the drive to you.
For a start one should have half decent virus checkers etc OR (a far better solution) is to make sure your users are well informed about these things. I run a firewall and no anti-virus software and have had 1 virus in 10 years. Prevention is better than cure.
Secondly - My USB Key is a god send. It may 'only' be 128Meg but I can take work home and work on it directly on the key. I always have the most up to date docs/code with me. If I couldn't take stuff home it'd take me much longer to do. When one is working in R&D you never quite know when inspiration and a solution will hit you.
Yes - there are hazards but (for me) the benefits massively outweigh them.
Time flies like an arrow. Fruit flies like a banana.
In much the same way as the demise of Napster brought about the end of filesharing, banning iPods from work will wipe out corporate secret stealing. Nobody will ever think to tunnel data through SSH, copy data onto floppies, USB keychain storage devices, portable laptops, or magnetic tape. Surely, nobody will upload information to their Palm or Windows CE handheld devices; nobody will print out data and take it home; nobody will call someone on the telephone and read them data over the phone.
Man, they've sure got all their bases covered!
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
The result? Now everyone walks around with a USB drive to move files around, or they email them to and from gmail, etc. (OR they use their iPods/Dell Pods, SonyPods)
So the system, overall, is a LOT less secure because all the company's assets are kicking around in email and USB thumb drives. But the folks in IT can cluck their tounges and think they did something useful.
Best Buy can have you arrested
The employees at companies using this policy likey have access to confidential information. Copying that to the usb storage device and walking out the door is very possible, and the only way to secure the network against this is to actually ban the devices from entry. It's absurd to just declare that a company enforcing this policy does not "run a secure network", because banning people from read access to information necessary for their job is not going to work.
can't telnet from the school due to policies? just bring Putty on a memory stick ... I'm confused, wouldn't this be better addressed with a packet filter instead of removing the telnet binary? What happens if a kid brings a laptop in?
--
lds
I had a similar problem. Boss was curious why I was switching out Compact Flash cards in a reader I brought. I told him I was copying parts of a small ISO of a linux distro I was going to try out at home.
I was asked by corporate security to remove it or have it removed. I turned right around and asked them "Do you give access to the internet in any way, shape or form?" of course they do. I then sited numerious free email sites and plenty of "X: drive" sites that let you store info central on their systems, also tossed in a bit of AIM/FTP/IRC file transfering for example. The execs were dumbfounded and had to call a few "heads of IT" and "techies" to confirm what I said.
Of course I was right and anyone in the company with internet access could easily upload any file and they would never see it. I was allowed to keep my CF reader/writer and they left me alone.
If a ban on static memory / portable drives is in place at your company then you have no business with one.
Of course, hiding the devices in hilighter pens and the handle to your coffee mug isn't too hard.
What the ban does is make all possession of these devices improper in the workplace.
What is the maskwork for your new chip worth? What is it worth to a competitor? How do you move the data?
If the two idiots at AOL and Vegas had scammed the userbase this way they might not have been caught.
Nope, the advent of portable RAM drives means that these devices will be used improperly.
OH, on a personal note: only a genuine geek has a USB watch. It will (eventually) wind up in that dresser drawer reserved for the calculator watch, the last 7 cell phones, 5 PDAs, pen cams, dead MtBlanc pens, old swag and $200.00 in odd pocket change.
Yeah, right.
Just one more. What about printers? Oh yeah, pens and paper?
My company works with the Bureau of Engraving and Printing (the folks who print the bills). The Bureau issues transparent vinyl purses and packs for employees to carry their lunch and belongings. This makes it easier to see whether somebody is walking off with sheets of un-cut currency.
We also worked with the US Mint (the folks who mint the coinage). They told a story about metal detectors tied to biometrics that were so sensitive that when a woman became pregnant, the changes in the metal chemistry of her blood (increased iron, etc...) were enough to have to retake the biometric scan. That one always seemed apocryphal to me (but a very cool concept nonetheless).
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
For better or worse, personal storage is going to increase. Cellphones, watches, ipods, all these things are becomming increasingly necessary to remain competativly productive in the modern world. Companies that dont figure out how to allow employees to use PDAs or cellphones or USB thumbdrives are going to find themselves at a disadvantage relative to companies that allow their employees to discover new ways to increase their productivity.
USB / Firewire Devices / Cell Phones with Cameras / etc. etc.
- USB pen drives can quickly and easily store data without a trace and they are small enough to hide just about anywhere. A spammer was arrested in Ireland in a Internet cafe and the man tried to swallow the USB key drive. It contained all the spammer's software and mailing lists.
A PC in a corporate office could be booted up using a USB key drive and literally used to run hacker tools. (well same could be done with a CD-R but that's beside the point). It's faster and easier to slip a USB device into an office situation unless you are going to be frisked and metal detected or body cavity searched.
Hackers have been slipping XBoxes, Sega Dreamcast, etc. into an office and jacking it into the ethernet to perform network analysis and packet sniffing.
- Firewire devices like the iPod have tremendous storage abilities. It truly is a portable hard disk that masquerades as a personal music device. There was an article a while back where the author witnessed a kid waltz into CompUSA with an iPod and the kid jacked it into a PowerMac and stole a complete copy of Office X from the floor model!
- Phones with mini-digital cameras can be used like a 007 James Bond mini camera. A police officer was fired for taking a photo of a naked body in the city morgue with his camera phone.
As technology gets better and better and the costs drop, the spy toys of yesteryear are now in the hands of joe blow.
True corporate espionage is going on every day. These tools make it easier an easier to steal data. Security folks who see the threat and take measures against it are enlightened. However, all security measures can be bypassed one way or another.
I am not even sure if there is a way to restrict USB/Firewire drives from working on a PC as long as it's running Windows. Seriously doubt many companies have thought about these issues.
I do know my company had the opportunity to give everyone a CD burner on their computers. This would have been ideal for user backups. But they sighted security as the reason why they did not.
Wow. Whoever marked this as "insightful" needs to take off their Bondi Blue glasses.
You guys do know that the minute an employee enters a "secure" network, they're pretty much clear to do whatever they want, right? The security is on the perimeter: getting in is the hard part. If employees needed to type a password for every keystroke, they're be a mass-exodus of white-collar workers.
I'm not saying conditions like that don't exist. I'm sure the computers that run missles and the like have multiple passwords that have to be entered all the time, but the average worker isn't going to be subjected to something like this.
Now, disable USB drives from being connected hardware-wise: that's an idea. Not sure if there's a way to do that in software, but I'm sure there's a way in the BIOS.
Just look at all the bad stuff you can do with an iPod... people really shouldn't be let out of the house with one of these things!
Have iPod, Will Secretly Bootleg
Not everybody is a criminal or has criminal intentions. If you don't trust an employee with an iPod, please explain why you would trust them to have access to the data in order to do their job?
A policy against iPods and other USB or other portable devices applied blindly is illusionary security at best. There are countless ways for a dishonest employee to steal data - the only mitigating factor is going to be how secure the network is - that should be the primary focus of any system administrator.
Storage devices are security threats that should be taken seriously. The best way is not to refuse employees listening to music but rather
* hide computers away or lock them up so they can't be physically accessed. This should be combined with tight firewalls for outgoing traffic.
or
* make limitations in the software so USB storage devices or firefire disks simply won't work. Of course users can't have administrative rights.
or
* disallow sensitive information from reaching employees computers. Store things on secure servers.
I'm right now sitting at work on one of the largest corporations in the telecom business and we sure as hell don't have enough security.
Ciryon
A friend of a friend mentioned that when the iPod first came out he saw a student "jammin'" to some tunes while checking out the new Macintosh computers at the University Bookstore.
A closer look revealed that the student had the firewire cable attached to the demo mac and was busily downloading all of the applications on the mac.
Pretty clever though I would never condone such behavior.
Waltz, nymph, for quick jigs vex Bud.
Geez...if you let people install hardware or software on your computer then the computer really isn't yours.
Most corporate policies prohibit non-admins from installing hardware and software for STABILITY reasons. That alone should dictate policy on iPods and other such devices.
-ted
In my first novel, "Shining Star," (released under a Creative Commons license, free download at http://pedrovera.com/media/shiningstar.pdf ) a soon-to-be defector carried a bunch of classified material out of a NOC by using his iPod as a firewire drive. He was one of the NOC techs, so he was expected to be in the equipment rooms messing with hardware.
He would go and swap some tapes, then run a psync from a server into the iPod. He did this a few times and did not get caught.
Pedro
----
The Insomniac Coder
That's why I got the subdermal implant with 16mb flash and bluetooth. Just copy data to my stomach and walk out, search all you want.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Hey
I work in India in a major software park. The company in the oppposite quadrant is a typicall BPO company and they have a LARGE poster stuck outside the entrace - "Please get checked and declare all your belongings at security". Several friends too told of similar rules in their companies.
In short, for BPO firms, the data of their clients is of utmost importance. Even CEO of the company is required to go through the mandatory check! Internet access is locked down. No CDROM/CDRW/Floppy/USB/Firewire ! Even printer access is restricted and fully logged and accounted for!
You can get fired for trying to access an irrelevent site (eg Yahoo briefcase), forget about bringing in that 40GB iPod or your favorite USB key.
Oh yeah, did I tell you that even cameras are forbidden and you'd be handed over to police if you're seen taking a "group picture" with your team mates in the office! A camera phone can send you in for good.
Folks, its sometimes business *requirement* not to allow such kind of things. You want to listen to music ? Fine, bring along a vanilla walkman/discman/portable MP3 CD player whatever... just leave the fancy gadgets behind and you'll be fine.
Fortunately I work in a company that has fairly open policies and our data is our own, so the rules are less stringent... no CDRW/USB drive, but still very open policies.
- mritunjai
I said:
Conformity is the jailer of freedom and enemy of growth. -JFK
written by Quentin Tarantino & Roger Avary
Captain Koons: Hello, little man. Boy, I sure heard a bunch about you. See, I was a good friend of your dad's. We were in that .com pit of hell together over five years. Hopefully...you'll never have to experience this yourself, but when two men are in a situation like me and your Dad were, for as long as we were, you take on certain responsibilities of the other. If it had been me who had not made it, Major Coolidge would be talkin' right now to my son Jim. But the way it turned out is I'm talkin' to you, Butch. I got somethin' for you. .com boom. It was bought in a little general store in Knoxville, Tennessee. Made by the first company to ever make USB drives. Up till then people just carried loads of floppies. It was bought by private Doughboy Erine Coolidge on the day he set sail for Paris. It was your great-grandfather's job drive and he wore it everyday he was in that job. When he had done his duty, he went home to your great-grandmother, took the pendrive off, put it an old coffee can, and in that can it stayed 'til your granddad Dane Coolidge was called upon by his country to go overseas and fight Microsoft once again. This time they called it Browser War II. Your great-grandfather gave this pendrive to your granddad for good luck. Unfortunately, Dane's luck wasn't as good as his old man's. Dane was a Java programmer and he was fired -- along with the other programmers at the battle of .NET. Your granddad was facing death, he knew it. None of those boys had any illusions about ever leavin' that job alive. So three days before Microsoft took the market, your granddad asked an Unix sysadmin of Winocki, a man he had never met before in his life, to deliver to his infant son, who he'd never seen in the flesh, his USB pendrive. Three days later, your granddad was dead. But Winocki kept his word. After the war was over, he paid a visit to your grandmother, delivering to your infant father, his Dad's pendrive. This pendrive. (holds it up, long pause) This drive was on your Daddy's pocket when he was caught near Redmond. He was captured, put in a Microsoft campus. He knew if the gooks ever saw the pendrive it'd be confiscated, taken away. The way your Dad looked at it, that pendrive was your birthright. He'd be damned if any slopes were gonna put their greasy yella hands on his boy's birthright. So he hid it in the one place he knew he could hide something. His ass. Five long years, he wore this pendrive up his ass. Then he died of dysentery, he gave me the drive. I hid this uncomfortable hunk of silicon up my ass two years. Then, after seven years, I was sent home to my family. And now, little man, I give the pendrive to you.
(The Captain sits down and pulls a USB flash drive from his pocket)
This pendrive I got here was first purchased by your great-grandfather during the first
Signatures are for stupids.
Plenty of corporations are having a hard enough time rolling out security patches out to the machines on their network using a remote console (ie, can hit all those machines from one location). How likely would it be that they'd *physically* get to *each* machine, change the BIOS to ensure that it disables the USB ports and lock the BIOS?
Even outside of that logistic nightmare, you'd have to remain vigilante for new/old machines.
But even if you do get a draconian policy in place, what stops a spy from cracking open one of the cases and using the little jumper to "reset" the BIOS?
Maybe for ultra-small organizations this would make sense to try and do. But if you're in that small an organization, you have other easier methods of protecting your data.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
My company does digital camera chips and firmware. We were bought by a company that had a "no personal storage devices" policy.
Every person's desk has at least one card reader and a drawer full of CompactFlash, SmartMedia and SD cards.
They bought another company that relies on storage cards & moved 'em to the main office so this violation of the employee manual is happening there too, giving the verbal amendment (Director-level people saying "don't worry") to the employment contract more teeth. It would be hard to fire someone for a violation with 20 other violators going free.
Corporate espionage is something that is feared; however, all this really does in inconvenience those who are using these devices legitimately. I would trust that in an organization who has a real security concern, that they would have appropriate ACLs in place so that data theft would be limited to what the user that already has security clearance.
Now if you have already cleared someone to be viewing and working with such data, you have much bigger problems than fearing them stealing it with a USB device. It's like trusting your employees with your business in their day to day operations but keeping office supplies under lock and key. It just doesn't make sense. If someone is intent on ripping you off, they would't go for the small stuff. Similiarly, if your business depends on these people who have access to such "crown jewel" data you'd better hope that you have a good hiring process and that you are keeping your employees happy.
A side rant: so you're all concerned about people with USB devices; yet, you're fine with shipping your data off to some foreign land for outsourcing. Hmmm... If only the world were based on logic!
Or if you are one of the few Linux desktop shops, you could:
/sbin command, and your users aren't running as root, are they?
1) Not build usb-storage into the kernel.
2) Compile the module (for admin use, if need be). But not load it at boot. Modprobe _is_ an
This will allow USB devices other than those requiring the usb-storage module to be used. Repeat as necessary for other USB devices . . .
Does not prevent someone from booting up with a Knoppix CD and accessing the network and a USB key.
Alert! A new device, known as a "Briefcase" has been increasing in popularity in the workplace. While useful for ordinary business it brings with it some sinister baggage. This nefarious device serves to conceal a large amount of objects, such as sensitive data and staplers, in a small space, enabling employee theft and espionage. While it's true that file folders have been commonplace in corporate environments for years, this new product threatens to bring unforeseen and catastrophic results. Ban it before your company falls apart and you have to spend the rest of your life living in the street trying to support your starving family.
I do think it makes sense for companies that already employ policies like searching employee belongings and metal detectors to add USB storage devices (and any data storage medium for that matter) to the list of things they check for. If you really needed to bring one in, you could have some sort of approval/checking process. As far as most companies go, I think it makes sense to judge based on whether they seem to be causing problems in the workplace, and if so, banning them or finding some other way to fix the problems. I think it would be a good idea to do virus-checking on insertion of any removeable media.
I thought this was a particularly interesting quote:
"Another potential danger is that the devices -- that typically make use of USB and FireWire -- could be used to steal large amounts of company data as they are faster to download to than CDs."
I think they've been watching too many movies. I highly doubt that most downloading of corporate data happens in a down-to-the-second race against corporate security. I think it's much more likely that most data is stolen by those with official access and all the time in the world. And I may be naive, but I think a corporate spy would be able to think of a better way to export data than an iPod.
The same Charleton Heston that said he didn't like AK-47s? That guns like that made him "nervous"?
Charleton Heston is the President of the NRA, but the NRA is by no means the steadfast defender of guns and gun rights that the media tries to portray him as.
Check out www.nrawol.com for more info on this.
The sea changes color, but the sea does not change.
If my personal laptop and my personal PDA are in my personal bag, not connected to anything, not even turned on, where do they get off playing with my crap? I don't drive to work, and it's exceedingly inconvenient to go to a LAN party uptown by way of northern NJ, as that means going from NYC to home to NYC again - inefficient.
There is no reason for the IT staff to be searching bags - in fact, going into my bag is a violation of corporate privacy rules. There's no rule against you having the laptop with you, as long as it's not turned on in the office.
Where I am now in Lower Manhattan, I can take it outside and connect to a public hotspot with the wifi card, and no one says anything about it.
And just as a note? The machines were running Windows NT4. You know, the OS that DOESN'T support USB in any configuration? But they gave out floppies if you asked.
The sheer magnificent idiocy of this staggered me.
Brazil has decided you're cute.
anyways, do they check digital cameras? that little SD card can hold more than photos...
One should not forget that cameras also can be used to photograph screenfuls of hexdumps.
Data can also be converted to strobes of light and pulsed out through the Caps Lock-led, into a receiver cunningly hidden in the fabric of ones clothing.
A full body search, including a cavity search should be mandatory at every workplace, at any time an employee enters the premises (including returning from lunch breaks).
Don't forget to check that those eyeballs aren't in fact high-tech camera implants still photographing hexdumps, after the employee left the camera (presumably recovered from a cavity search) at the security checkpoint.
did you *actually* read the post before replying or did you just read what you wanted to hear?
It's true. The installation process for Office on a Mac consists of one step: "Drag this folder to your Applications folder."
As much as I hate to admit it, Microsoft's Mac team is pretty good.
irb(main):001:0>
The barn door has always been open. Same old problem just a different set of devices. What has changed is the ease, speed and volume of information that can be copied. Think of the fear that was generated in paranoid organizations after the wholesale adoption of photocopiers.
A organization can best deal with the issue by treating their workers with a sense of respect. It will not prevent the employees with criminal intent from stealing information but innoculate honest workers from feeling a sense of entitlement.
A possible technological fix is to ensure that copying data to/from a removable device is logged. This does not prevent the employee from taking work home but does allow for a system administrator to track where the data is going. However this means nothing unless the logs are reviewed. It is essentially a file-nanny.
It does require that a security policy that is appropiate for the organizational goals and for departmental specifica goals.
Research is what I doing when I don't know what I am doing - Werner von Braun
Until the company outlaws laptops that people take home, calling an iPod or other portable data device a security risk is absurd.
My office has recently instituted a new policy: employees are no longer allowed to bring paper or pens to work. Unfortunately allowing people to bring these instruments is just too much of a security risk, and the data we work with is extremely sensitive. You can get around the ban by getting approval from a manager and then checking the equipment in with security, but you also have to consent to being searched at any time.
What more can I add?
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
Yes I read the post.
... he is not. He is, like the NRA, weak and ready to compromise rights away at a moments notice.
"even Charleton Heston would balk at this"
That implies that Mr Heston is the "peachiest pie in the sky" when it comes to defending RKBA
The sea changes color, but the sea does not change.
Security must always be judged on a scale. How sensitive is you information against what your are willing to pay to keep it secret. Even naked people working in a plexiglass room could figure out a way to work the system.
Another solution for smuggling a thumb drive into a secure area. Slip a thumb drive into a pocket in a steel toed boot. The steel should block any x-ray detection of the device. Kick your shoes off while you work and deftly slip the device into the back of the PC with your toes (not visible on most security cameras). Spray on a little extra 'foot funk' in you think that they are on to you and wanting to check your shoes.
Another thought, most new machines (with unlocked BIOSs) can boot a USB device. Now rather than trying to sneak your HackMaster 7000 past security, your can load all your apps on your USB key, boot up and hack away on your employer's machine.
SD
âoeWho knew something as harmless as willful ignorance could end up having real consequences?â
Our $OUTSOURCED developers are all but strip-searched each day. Also, we don't allow them to see any code. Sure, they can't do any work, but oh boy are they cheap.
If you haven't worked in Dilbert land, you may think I am joking. Oh, how I wish that I was. It's laughable; if they really want to swipe things, they could stick a flash reader in their sock. We can't stop them. But what's important is that we've shown that we don't trust them. That's the kind of lesson that really sinks in.
If you were blocking sigs, you wouldn't have to read this.
I have a photographic memory. When working on military projects, I have to leave it at home.
If you can't bring in your USB watch, how about my bluetooth cell phone? Okay, bluetooth technology isn't as common as USB, but my phone can hold a gigabyte of data. Plus, it has a camera, so I can take pictures of secured areas.
.01 percent that will destroy you.
How can your office stop someone from bringing in their cell phone? Or a USB key on their keychain? Or their PDA?
I'd hate to be responsible for corporate data security now with all of these devices floating around. Someone could discretely download a lot of data onto their key chain. Heck, it is even easier with my bluetooth phone. I don't even need a wired connection, just be with in 15 feet of my PC. I don't even have to be near my PC in order to download data.
A few years ago, I worked for a large financial corporation when someone stole the HR database and sold it to idenity thieves. Hundreds of us "highly compensated" employees suddently discovered that someone was using our identity to buy electronic hardware, get bank loans, etc.
It took me five months to clean up the mess, and I was lucky. I found out about it the very day it happened because one of the stores that gave this guy instant credit called me to verify if I had just applied for credit.
Still, in a twelve hour period, that person went to over 3 dozen different stores from Atlantic City to Philidelphia getting instant credit and buying over $200,000 of goodies. I could literally figure out which roads he took by looking at the various times he hit the stores and applied for credit.
Other people weren't so lucky because they didn't find out about it until either a collection agent called, or they were denied credit because of this attack.
And who was the person who gave the information to the thief? Heck, it could have been almost any lowly paid clerk in HR. If you're only making $30,000 per year, someone offers you $100K or so for this kind of information, and you know the likelyhood of you getting caught is almost nill, what would you do?
Millions of employees with access to valuable data, and hundreds of ways to get around corporate security. Maybe 99.99% of your employees are dedicated, hardworking, and honest, but it's the other
This is probably expected at any sort of secure military or defense contracting site.
I remember helping my father burn a CD full of MP3s once so he'd have something to listen to in the secure section where he worked. No portable radios or music players were allowed, no PDAs, no portable storage devices, nothing. The systems didn't have floppy drives or recordable CD drives and (obviously) weren't on the internet. I think that's just standard operating procedure.
For the private sector, depends on the paranoia level I guess. You could fit a lot of data on a 40GB iPod... =)
...as Israel has trouble with suicide bombers in public, in areas that the military is guarding. We have the same problem in Iraq right now.
The person committed to a mission, for whatever reason, will have figured out what they're willing to risk to complete that mission. Frequently people will actually risk more that initially reasoned, if they see the goal. So while there are cameras, and while there are people monitoring devices brought in and out on an "official" basis, it's not hard to get stuff in and out of otherwise "secure" areas unless they are willing to literally strip search and body cavity search someone. As for espionage, If another company is paying someone enough, I doubt that the person being paid would balk at a "sign this form" or a "routine inspection" when they could hide the device in a shoe, or behind a belt, or in underwear, or any other number of places.
That being said, if a company has a policy to allow any of these memory devices then people are used to seeing them in cubicles and accept them as legitimate. If a company doesn't accept them, then if someone is seen with one at all they're subject to search. Period. End of discussion. This would help to catch a perpetrator, as there is no real deterrent.
Do not look into laser with remaining eye.
EMPLOYEES. You know, those sneaky stealing bastards may remember something and simply re-type it at home if they want. I personally know a couple of folks who can memorize 3-4 pages of text (not just plain text, but with formulas, diagrams, etc.) by simply reading them once.
As people learn to augment their abilities using computational devices of increasingly greater power and smaller size, corporations will have the choice of either having full powered employees or having their abilities and knowledge toned down to attempt to satisfy company paranoia. What no one seems to get yet is that we are fast approaching a time when it must be assumed that everyone has the equivalent of an eidetic memory in full fidelity for everything they are ever present to. I think we need to work with this instead of attempting to fight it.
I said "applied blindly". Do you think any data is more secure if a company banned iPods? An iPod could allow somebody to transport data more easily than without, but it does nothing to secure the data itself.
Oh, and FYI, not all companies ban listening to personal music for all job types. Having happy employees can often lead to enhanced productivity. Not treating employees like potential criminals would be a good place to start in my book.
As an earlier poster said, there are jobs/situations that require high degress of security - that do have secure networks and do want to make wholesale copying of data less convenient. For those situations, and people working in them, a ban on mass USB/Firewire devices is probably already in place.
To them, that sounds like technical nonsense that makes you even more suspecious. "He mentioned fire!"
Someone told me this story:
In the late 1890's, while the Ottoman empire was still around, a machine was being imported into Turkey. The customs inspector asked what it said on the side of the box. The importer translated, "This machine makes eight hundred revolutions every minute." The inspector said, "Well, you can't bring it in here. Revolutions are forbidden."
Boot machine using USB device/CD ROM/floppy or even network using Linux.
Using Samaba authenticate yourself in the Windows network, mount your loacal and network drives, copy to your USB device that has now bee recognized.
When you are finished reboot in your "secure" machine.
The only sane way to avoid foreing devices is to put a physical barrier on the computer ports (thinking about all-in-one critters) or remove the ports when possible. Anything else is just pretending you are doing something.
IANAL but write like a drunk one.
You, sir, have watched Goldfinger one too many times... A single errant shot is not near big enough to depressurize a cabin. See here or here or here or... you get the point. Thanks for playing, try again.
Be careful! Bears shouldn't consume large furry dogs.
A 500mm round? Have fun getting that BATTLESHIP through security.
But then again, if you do, there's other problems besides that...
I guess that a company that didn't trust it's employees would be very concerned that basically everything can go home on an iPod. But I don't work in one of those places.
In your opinion. But, what matters to the company is their opinion. Where I work you have to get manager approval for Internet access, it goes through a web proxy, and traffic is scanned both coming and going. Oh, and the web sites you can access are limited from the get go, and so far I have been unable to download anything of interest ( .zip files, .exe, .msi ) as I get "requestor terminated request" page evertime I go to download something. Truthfully, I haven't tried ssh'ing out of the Intranet, and I have heard you can ftp via an ftp proxy if you get permission ( mgr approved, again ), but have not tried that either.
.
Web mail is blocked, ESPN is blocked, and I am certain the "allowed" list is pretty small. One thing I have done is bring in my USB keychain drive with my code/etc on it so I wouldn't have to redo all of the functions I have already written before ( job is turnkey solution developmemt )
Oh, and I was haggled a bit about my bluetooth headset I use with my cell phone, but they let that slide, lol.
I can't afford a sig!
Hell, a strip search isn't even too likely to stop those that are determined to smuggle out corporate data. These days, simply by giving someone access to use a web browser on a PC at work, you've given them the ability to take your data. Plenty of online services (such as Yahoo) offer "briefcases" where you can upload files for storage to your personal account.
How many of these places banning USB flash drives from coming in are also preventing users from going anyplace on the Internet except specific web sites designated as "safe"?
Ultimately, it comes down to the same old thing. Treat your employees fairly and keep morale up, and you have a much more effective theft deterrent than any security measures you could ever put in place. Happy employees don't want to see their employer hurt and lose money. (Furthermore, if exceptions do exist in such a workplace, their co-workers are going to rat them out if they see them screwing over the business.)