Slashdot Mirror


iPod: Your Portable Corporate Hellraiser

MrAndrews writes "In an article on ZDNet UK, a Gartner analyst says that "Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data." I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"

24 of 679 comments

  1. just the reverse here.. by Lumpy · · Score: 5, Interesting

    corporate just recently issued 1GB thumb drives to all employees. we find it's easier for the users to back up their own crap and transfer it that way.

    teaching a user about network storage or even using the IRDA file transfer was unsuccessful... yet these dolts took to using the thumb drives like it was second nature.

    so now usb storage devices are required and issued to users.

    --
    Do not look at laser with remaining good eye.
  2. Second step? by Anonymous Coward · · Score: 5, Informative

    Seems to me the first step should be to disable USB on machines which do not need it in the BIOS then lock the BIOS....

    1. Re:Second step? by dasmegabyte · · Score: 5, Insightful

      Typical heavy-handed IT lunacy. You're making it harder to use a possibly essential device on a machine you didn't know might need it, creating more work for yourself while gaining little to no security, as potential thieves would just go to a machine that didn't have USB disabled.

      I've been subverting this type of network policy since second grade, and it's easy because it lulls you into a false sense of security. "I don't have to worry about X machine, I've locked it down!" Meanwhile, us grade school kids are running video games through the shell in WordPerfect.

      Want a secure network? Stop with the locks and start with the spies. Befriend your users and make them your eyes and ears. Remind them not to trust anybody and help them identify suspicious activities. Most of all, make them care. That's tough to do. But unlike being an asshole, it actually works.

      --
      Hey freaks: now you're ju
  3. Re:Old fashioned iPod... by Gannoc · · Score: 5, Insightful

    Cute.

    Makes me thankful for my original iPod with its FireWire connectivity only; there are no FireWire ports in this office.


    Yes, like you're going to win that argument at the security door/HR rep/etc. "But my iPod only has a FireWire interface, unable to connect to the computers here!"

    To them, that sounds like technical nonsense that makes you even more suspicious. "He mentioned fire!"

  4. German c't magazine showed how to disable USB... by flowerp · · Score: 5, Informative

    The German c't magazine recently had a short article about disabling the USB storage driver for non-administrator users on Windows 2000 and XP - effectively eliminating the security risk. This policy could be enforced by any system administrator on all desktops. Similar things could be done for Firewire ports and storage devices that attach to it. Basically it works by making the driver non-readable and non-executable for the average Joe Schmoe user logging into the system.

    Bring your own USB sticks? No problem. Can't use em anymore ;)

    Christian

    --
    --- Eat my sig.
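    The mechanism flowerp describes (make the storage driver unusable for ordinary users, enforceable centrally by an admin) can be scripted. The following PowerShell is an added example, not code from the post or from the c't article; it assumes an elevated session on a Windows host whose in-box USB mass-storage driver lives at the stock `%SystemRoot%\inf\usbstor.inf`/`.pnf` paths and is registered as the `UsbStor` service, and it pairs the file-ACL approach with disabling the service so devices that were already installed do not keep working.

    ```powershell
    # Added example (not from the post or the c't article): apply and audit a
    # "USB storage is off for non-administrators" policy on Windows.
    # Assumes an elevated PowerShell session and the stock driver file locations.
    $UsbStorInf = Join-Path $env:SystemRoot 'inf\usbstor.inf'
    $UsbStorPnf = Join-Path $env:SystemRoot 'inf\usbstor.pnf'
    $UsbStorSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $Group      = 'BUILTIN\Users'   # every interactive user who is not an admin
    $ReadExec   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

    function Deny-UsbStorForUsers {
        # Step 1: deny Users read/execute on the driver's INF/PNF so that a
        # non-admin plugging in a new USB disk cannot get the driver installed.
        foreach ($file in @($UsbStorInf, $UsbStorPnf)) {
            if (-not (Test-Path $file)) { continue }   # .pnf may not exist yet
            $acl  = Get-Acl -Path $file
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Group, $ReadExec, 'Deny')
            $acl.AddAccessRule($rule)
            Set-Acl -Path $file -AclObject $acl
        }
        # Step 2: devices installed earlier already have the driver bound, so
        # also keep the service from starting (Start = 4 means "disabled").
        Set-ItemProperty -Path $UsbStorSvc -Name Start -Value 4 -Type DWord
    }

    function Test-UsbStorLockdown {
        # Audit helper for a compliance sweep: $true only when both measures hold.
        $startDisabled = (Get-ItemProperty -Path $UsbStorSvc -Name Start).Start -eq 4
        $denyPresent = $false
        if (Test-Path $UsbStorInf) {
            $denyRules = (Get-Acl -Path $UsbStorInf).Access | Where-Object {
                $_.IdentityReference.Value -eq $Group -and
                $_.AccessControlType -eq 'Deny' -and
                (($_.FileSystemRights -band $ReadExec) -eq $ReadExec)
            }
            $denyPresent = [bool]$denyRules
        }
        return ($startDisabled -and $denyPresent)
    }

    Deny-UsbStorForUsers
    "USB storage locked down for non-admins: $(Test-UsbStorLockdown)"
    ```

    Run the audit function on its own across the desktop fleet to find machines where the policy has drifted; administrators still bypass the ACL, which is the limit of this approach that the post itself notes.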
  5. Mod this guy up ... by YankeeInExile · · Score: 5, Interesting

    That is interesting (that your users were confused by using a network file share, but found the thumb drives intuitive.)

    Is it the fact that there is a physical artifact that makes the idea of "your files are going here" easier to map into their worldview? UI Designers Take Note. This might be on the test.

    --
    How does the Slashdot Effect happen given that no slashdotters ever RTFA?
    1. Re:Mod this guy up ... by haystor · · Score: 5, Interesting

      That would be my guess. After supporting a customer service system as a programmer and trying to pull troubleshooting information out of them for a while I learned that they think in terms of location.

      They would say things like, "This data isn't in this program." They thought of the data as being in a specific program. If all their programs stopped retrieving data at once they would tell me that all the programs were broken rather than the database was down. No amount of explanation could convince them the data was in the database. For their purposes their view of things was perfectly appropriate I suppose, but it didn't help troubleshooting.

      --
      t
  6. At the very large financial corporation I work at by M-2 · · Score: 5, Funny

    At one point the corporate machine-support staff tried to set up the following:

    • All laptops in the building must be formatted to the corporate image (personal or not, connected to the network or not)
    • All PDAs had to be hard-reset before leaving the building unless your manager approved it
    • Any other device with a USB port had to be opened and checked by the desktop support group

    The sneaky bastards kept trying to steal my laptop, my PDA and my Nomad Jukebox to do this. I kept catching them and throwing them out of my cube (at one point, literally, as he refused to leave until he had formatted my laptop's hard drive and I had to roll him out in my chair and overturn it in the corridor).

    Finally, they stopped that after they did this to a senior VP and erased the PowerPoint presentation he had on his laptop. Heads rolled for THAT little debacle. The funny part was that his machine was already work-provided, he just didn't work in our building, so they didn't know him...

  7. Depends on strictness by jawtheshark · · Score: 5, Interesting
    I work as a contractor at a bank. Now, they are extremely paranoid about data being carried out of the bank. The only thing is: they aren't consistent. Yeah, they locked down the internet. Nobody can access it unless you go on a second network that has internet access. No PC here has a CD drive (so no importing of your favourite games, screensavers and other crap and warez).

    But they do allow diskettes (friggin diskettes! Do you know how much customer data you can put on a diskette?). Then I also found out that the "internet-network" (which only internals have access to with a NT username/password) operates simply on DHCP, no MAC address checking: the only "security-check" is the NT-Domain login. Why did I find this out? Simple: these morons allow contractors to have laptops, so I once just plugged it in that network. Worked instantly. Now there is a security concern in my eyes! For crying out loud, I have a Mac, I don't even need a crosscable to pump over data from my work-PC to my Mac. Imagine what kind of data I could take away with that! Nobody ever stopped me at the entrance/exit with my laptop bag. Nobody.

    You see, if you want security, you need to ban every device that can be networked somehow. It's that simple. Yes, this includes your iPod. So, I suspect that this is only a great concern in governmental institutions (top-secret clearance), but in the "highly sensitive environment" of banking they don't get it at all.

    Hey, I pointed out their flaws and I was told to shut up.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  8. weighing the benefits by bodrell · · Score: 5, Insightful
    Yes, iPods and USB watches are security concerns for many companies. But if an employee wants to do their employer damage, an iPod is not required. I think it's more dangerous to treat employees with distrust, because it makes them much more likely to scheme of more malicious ways to cause trouble.

    Those in charge of company security should remember that these same employees bringing in iPods are the ones who were issued key cards to get into the building. Companies have no choice but to give their workers the benefit of the doubt.

    --
    Si la vida me da palo, yo la voy a soportar Si la vida me da palo, yo la voy a espabilar
  9. Employee concerns... by Luckboy · · Score: 5, Funny

    You know, if your employees actually CARE about hooking up their iPods or other MP3 players at work, you should be more concerned about what your employees are actually DOING, as opposed to what data could be stolen. My iPod's Library is managed by my home machine, not my work machine, and the only reason I bring it inside is to keep it out of my hot car during the day. I don't even bring a cable that would be compatible.

    I'll just burn the site licensed software to CD and take it home that way...

  10. Re:Not so "absurd" by therblig · · Score: 5, Insightful

    To use a tired cliché, a security policy is "as strong as its weakest link." If people have access to web mail, CD burners, or other simple means of transferring data, then the policy is absurd. However, if strong security measures have been taken elsewhere, then this is perfectly reasonable, too.

    --

    I struggled for days and days and all I got was this lousy sig.

  11. More at the movies by randomErr · · Score: 5, Interesting

    Remember last year, the movie 'The Recruit'? One of its big premises was that a CIA agent was smuggling out data; but they couldn't figure out who was stealing the information, and how. The smuggling device turned out to be a common USB flash drive hidden under a coffee thermos's seal. The USB drive didn't come up in the CIA scans because the drive wasn't active; the inactive drive wasn't giving off any EM for them to detect.

    I think USB, IR, and now 802.11 devices and Bluetooth enabled cell phones could be a real concern for data centric firms.

    As a side thought, companies may begin to ban cell phones as well. Late last year Slashdot had an article about a cell phone detection device made in Israel. People were leaving modified cell phones in planters. The modified phones would transmit the conversation of anyone in the room for about a week, thus making a cheap spy toy.

    --
    You say things that offend me and I can deal with it. Can you?
  12. Re:Not so "absurd" by akaina · · Score: 5, Insightful

    That's all good and well, but there are these things that have been used for years to facilitate corporate espionage, they're called floppy disks.

    Also, what's the point of taking a watch? Unless they do a strip search, you'll always be able to get information out of the building.

    --
    Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
  13. Re:Common Policy by halowolf · · Score: 5, Interesting
    In my former full time job, I got to visit a company that specialised in tempest shielding and the like. After I finished the job I was doing there, they showed me around, showing how they could read a remote monitor, tv, cable, all sorts of things. They even jammed my mobile phone for me, so I could see how such things worked in action.

    That day I wanted a tin foil hat lol.

  14. Re:Not so "absurd" by ch-chuck · · Score: 5, Interesting

    (except a camera)

    True story: a former supervisor took a Sony Mavica (uses a DOS-formatted floppy disk) onboard a ship with Soviet missiles where he should not have and took pictures of them. When the rent-a-cop spotted this he asked that the pictures be deleted. My super handed me the disk and we did the old DOS 'undelete' trick with Norton Utilities and got the pictures back, no problem ;) This was after '96.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  15. Re:Not so "absurd" by tfb · · Score: 5, Insightful

    It's not the saboteurs you should be worrying about (or rather, you should be worrying, but this won't stop them), it's the fools. The people who think it's fine to take something home and put it on their machine, which is sitting on a DSL line without much security. Your corporate firewall is now as weak as the security on this machine.

  16. Re:From the Fascist Department by joebok · · Score: 5, Insightful

    Not everybody is a criminal or has criminal intentions. If you don't trust an employee with an iPod, please explain why you would trust them to have access to the data in order to do their job?

    A policy against iPods and other USB or other portable devices applied blindly is illusionary security at best. There are countless ways for a dishonest employee to steal data - the only mitigating factor is going to be how secure the network is - that should be the primary focus of any system administrator.

  17. Re:Not so "absurd" by ArbitraryConstant · · Score: 5, Insightful

    I could steal the source to all my company's software and related documentation on my USB key. Of course, I could upload it to my home computer or some other site with no USB key. Who could tell the difference with SSH? Instead, they trust me. I signed the NDA and I honor it.

    --
    I rarely criticize things I don't care about.
  18. can't stop me by ch-chuck · · Score: 5, Funny

    That's why I got the subdermal implant with 16mb flash and bluetooth. Just copy data to my stomach and walk out, search all you want.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  19. Re:Not so "absurd" by Yewbert · · Score: 5, Interesting
    Not to skirt the question, but is this really "absurd overkill?" I'm sure that USB pens/watches/etc have been a boon to corporate espionage.

    I'm not yet sure if it's going to fall into the category of "absurd overkill," but at my workplace (a large FDA-regulated manufacturing and research facility), we've just disabled USB support entirely on the machines comprising our HVAC distributed control system. The reasons behind this are partly due to, first, questionable processes of vendor-support technicians using their USB thumb-drives to move system configuration files around from one network instance to another (which is perfectly reasonable and needed sometimes, it's just that they're doing it ad hoc without supervision and, under FDA regs, this raises the questions of 'how much control do we really have over our system?' and 'has the system's "validated" state been disturbed by this laxness?'), and second, as far as we've been able to tell, the anti-virus software we use doesn't automatically scan, say, thumb-drives when they mount (though it really seems that it should, and I still need to do some investigation there in my copious free time).

    On the side of the argument calling it all "absurd overkill" - this clamp-down just makes it that much more inconvenient for people using the system to do their job, while not really tightening security up that much, since most people who have access to the system in the first place can figure out plenty of work-arounds. (Hell, part of my job is figuring out those work-arounds - it's why they pay me the Big Bucks(TM), (yeah, right).)

  20. New "Briefcase" Threatens Industry Security by jackrd · · Score: 5, Insightful

    Alert! A new device, known as a "Briefcase" has been increasing in popularity in the workplace. While useful for ordinary business it brings with it some sinister baggage. This nefarious device serves to conceal a large amount of objects, such as sensitive data and staplers, in a small space, enabling employee theft and espionage. While it's true that file folders have been commonplace in corporate environments for years, this new product threatens to bring unforeseen and catastrophic results. Ban it before your company falls apart and you have to spend the rest of your life living in the street trying to support your starving family.

    I do think it makes sense for companies that already employ policies like searching employee belongings and metal detectors to add USB storage devices (and any data storage medium for that matter) to the list of things they check for. If you really needed to bring one in, you could have some sort of approval/checking process. As far as most companies go, I think it makes sense to judge based on whether they seem to be causing problems in the workplace, and if so, banning them or finding some other way to fix the problems. I think it would be a good idea to do virus-checking on insertion of any removable media.

    I thought this was a particularly interesting quote:
    "Another potential danger is that the devices -- that typically make use of USB and FireWire -- could be used to steal large amounts of company data as they are faster to download to than CDs."
    I think they've been watching too many movies. I highly doubt that most downloading of corporate data happens in a down-to-the-second race against corporate security. I think it's much more likely that most data is stolen by those with official access and all the time in the world. And I may be naive, but I think a corporate spy would be able to think of a better way to export data than an iPod.

  21. Re:Not so "absurd" by Octagon+Most · · Score: 5, Funny

    "What's to stop you simply encrypting the data, then wrapping it up or tagging it on the end of valid MP3 songs?"

    Honesty. Dislike of prison. Attachment to receiving a paycheck. Fear of John Ashcroft.

    Any number of things.

  22. Re:Not so "absurd" by kelzer · · Score: 5, Insightful

    And in the meantime, the actual thieves simply carry in their USB storage device hidden away in their pocket, without registering it, and leave without any search.

    This is just another example of a stupid law or policy that does nothing to prevent theft, but inconveniences the honest people.

    --

    ---------------------------------------------
    SERENITY NOW!!!!!!!!!!!!!!!!