Longhorn Will Have Ability to Ban External Storage Devices
slashdotbs writes "CNET is reporting that Microsoft will allow IT managers to block devices such as USB memory keys and - shockingly! - iPods. The article refers to 'the threat posed by digital storage devices'."
Block access to USB keys?
Hell, we can do that now!
Remember that SP2 has several new longhorn "features" that were rushed into the service pack in the name of security.
Davak
and - shockingly! - iPods.
Shockingly, michael, people use iPods to backup data! Companies don't want their employees leaving the premises with this data and checking through tens of thousands of bags is time consuming and expensive. Perhaps this would be different if iPods weren't easily able to be used for backing up data but that's just not the case.
According to the article this feature is available in XP SP2. See here for more information.
No, it's not some Microsoft conspiracy to end iTMS and the iPod.
They need to give IT people the ability to block IE, it's more dangerous than any removable storage device.
Companies struggle with protecting their confidential and proprietary information. Being able to do this at a policy level will be a big help to a lot of security folks.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
vi /etc/fstab
"Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
The device you've attached to your computer is not Microsoft Certified and is therefore potentially dangerous. Please visit microsoft.com to purchase an approved device.
iPod acts just like any other USB storage device on Windows. It is still a security issue.
Longhorn to put squeeze on gadgets
By Ina Fried
CNET News.com
September 9, 2004, 4:00 AM PT
SAN FRANCISCO--Windows makes it easy to quickly download files to iPods and other portable storage devices--a little too easy in the minds of many IT managers.
In the next version of Windows, Microsoft will give big companies an easy way to block use of such devices, while making it easier for consumers to connect their home systems to them, a company representative told CNET News.com.
Much has been made of the security risks posed by portable storage devices known as USB keys, or flash drives, music players like the iPod, and other small gadgets that can store vast amounts of data. Some fear that such tiny devices can be used to quickly copy sensitive data off business PC hard drives, or to introduce malicious software onto corporate networks.
"It's a real problem," said Padmanand Warrier, a developer in Microsoft's Windows unit. "That's the feedback we've gotten from IT folks."
To put the new features in place, Microsoft is hoping to move to a common model for how wired and wireless devices connect to a PC in 2006, around the time that it releases the next version of Windows, code-named Longhorn. For consumers, that means that wireless printers, networked music players and other wireless devices should be able to connect to a PC as easily as the USB drives today.
Microsoft did include a workaround in Windows XP Service Pack 2 that lets users change an internal Windows setting to prevent data from being written to USB devices. But the features planned for Longhorn will be more comprehensive.
Microsoft showed that technology, known as "Plug and Play Extensions," at this week's Intel Developer Forum.
For businesses, it means regaining some control over portable devices. "It's not just USB keys," Warrier said, noting that devices can just as easily link to PCs through Bluetooth short-range wireless or another connection.
By including tools to prevent workers from connecting portable storage devices to corporate PCs, Microsoft is offering big companies another option in addition to the outright banning of such devices, as some government agencies and other high-security installations have done.
"USB keys have become ubiquitous," said Alan Brill, a senior managing director at Kroll OnTrack, a technology services firm that does security consulting. "You can pop them into any computer after Windows 95 and all the software that's needed is already in there. It's a tool that can be both used and abused very easily."
Companies have been slow to react to the threat posed by digital storage devices in general, Brill said.
"It's one that companies have turned a blind eye to for a very long time," Brill said. "If you think back, it used to be that stealing significant secrets was difficult because it was hard to get away with that much paper."
Intel, for example, used to check the bags of employees, but eventually such searches became impractical. With roughly 80,000 employees, the company found it didn't have the resources to prevent someone from putting files onto a flash drive or iPod, a representative said.
"You take a better approach--you make sure people understand the need to protect company information and you hold them accountable," the representative said.
Market research firm Gartner has advised big companies to disable certain "plug and play" functions in Windows as a security precaution.
IT managers do have access to tools that would allow them to block USB ports, but such tools are little-known, and little-used. "There are tools that are available to...manage USB ports, but 99.9 percent of all machines in corporations don't have anything like that," Brill said.
Longhorn in the headlights
Of course, Microsoft's changes aren't coming until Longhorn, which isn't scheduled to arrive until 2006, and it is likely to take more time before the new operating system is widely adopted by co
That might actually be a smart thing to do.
you merely need to remove the module for the relevant driver.
For many people, it's currently easier to walk out with a USB device full of files than it is to connect to yahoo mail and send them as attachments. (Proxies, transfer size limitations, etc.) This is a logical step, like removing floppy drives in the 1990s and then limiting their use with software with Microsoft security policies.
I was talking to the CIO of a major health organization who had commissioned his engineers to find a solution to the problem of people bringing in their USB flash drives. Since he's worried about patient privacy, there's the fear that somebody would be inside, stick in a USB drive, copy data and walk out.
I know - "but what if they use a notepad, dummy". Yes, there is that problem - but last time I checked, you can steal a ton more data via a USB drive than a piece of paper.
The engineers' answer? Epoxy glue in the USB slots. Not the best choice.
So for places that have to deal with security, this is good for two reasons. First, it prevents people from taking data through alternate methods (USB/Firewire drives). Second, it lets people with those devices bring them into the lab.
Take the iPod example. If you're working in one of my secure labs, I might tell you "sorry - leave it outside". But with this technology, I can say "Sure - bring it in and listen to your tunes" with a reasonable level of surety that they're not going to copy data they shouldn't.
So from my mind, this is a Good Thing, and I'd like to see it on my OS X/Linux machines as well.
52 Weeks, 52 Religions with John Hummel
Seriously,
Just because you give IT administrators the power to lock down the computer doesn't mean that Aunt Sallie isn't going to be able to use her iPod.
Imagine you administer a huge corporate network and you've standardized on Longhorn. Now imagine that the single biggest threats your network has seen in the past have originated from customer service reps bringing files from home on their iPods and thumb drives. If I were an administrator, I would have no problem locking down those machines to eliminate that threat.
Oh no! You mean people can stop me from attaching devices to computers they own and administrate?? Will Microsoft's villainy never end?!?
"The price good men pay for indifference to public affairs is to be ruled by evil men." -Plato
Worst. Idea. Ever.
It's going to be awesome when someone comes up with a virus that locks down all the USB ports and then starts doing things like uninstalling the CD-ROM.
-B
Just boot to Knoppix and do what you please. Or zip [whatever] up, tunnel through port 53 and email or scp it to yourself. If you're determined, this isn't a big deal. Of course, this is obviously designed to stop Sales Drones and Marketroids from wasting time on the clock. And based on what I see here at my company...FINALLY!
Send your friends messages of love at fuck-you.org
Microsoft since 2000 has always had Group Policy definitions to restrict CD burning and floppy use on certain PCs. Why is this such a big deal? Because it has the word "iPod" in the article?
It's not like every IT department is going to start locking down USB keys.. it takes one employee complaining to their manager they can't take their uber-important files home to work on at night to get things like this reversed anyway.
Nail biters don't bother.. it's just a slow news day for Slashdot
There is a rage in me to defy the order of the stars, despite their pretty patterns.
Windows XP SP2 already has this. The referenced article describes a larger new feature that would include this as a subset, but "the future is today" regarding IT admins being able to lock out USB storage devices.
This will also be useful at trade shows and at computer stores. Keep sneaky people from plugging in devices and pulling stuff off the computer while no one is looking! Or loading stuff onto it as well..
substitute iPod with samsung, sony, dell..
And the point is that MS is not the one who makes the decision about what devices to ban. It is the office manager. Who knows if the office manager himself might have an iPod?
While I personally believe this is a good thing, often these things can be circumvented easily by... booting a Knoppix CD. Of course a modern BIOS will allow you to restrict booting from a floppy (yes I know... I am the only person who still uses these), or a CD-ROM, but all can be undone with 30 seconds and enough balls to open your case. Even then, I'm sure there is some trick to purge the CMOS without ever cracking the case.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Part of being able to manage corporate computers is being able to secure them. Before everyone panics, note that this is a feature that they will make available to administrators, not something that will be enabled by default.
If I were a network admin, I'd definitely want this power. There are situations where this type of inconvenience is definitely warranted. Take a look at what happened at Sandia labs, for example; they documented plenty of examples of various workers transferring data between secured and unsecured systems. Everyone focused on the witch hunt regarding the scientist of Chinese descent, but the problem was widespread and an audit in any modern lab could expose the same thing.
If anything, I'd be surprised that this isn't already available in the policy editor for 2K and XP.
Doesn't Linux recognize 50% of the plug-and-play shit incorrectly and not have drivers for the other half?
I don't own an iPod, but I imagine it's just a plain ol' USB storage device when plugged in. As such, it's as much of a security risk as any other, similar device.
We've all been slagging off MS for years now for their attitude to security; no point in whining now when they get it right, just cos you can't play music through your desktop speakers.
BTW: cool link on that page. Well, not cool, but I like the headline: Allchin: Don't call it 'Shorthorn'
microsoft's implementation of this feature will be so buggy, it has already been cracked
vodka, straight up, thank you!
Microsoft will allow IT managers to block devices such as USB memory keys and - shockingly! - iPods
Well duh! Last time I checked, the iPod was indeed an external storage device. Not so shocking really - I should bloody well hope that the system could block such a popular and spacious device which could be passed off as a mere walkman to a security guard or somesuch
Then again, what better should I expect with a username like slashdotbs?
Uhm...
If users didn't have rights to do "bad" things, then USB keys and iPods wouldn't be a concern.
Isn't this exactly what they are doing? Giving admins the ability to take away unnecessary rights from the user?
Our IT folks have locked down our Unix workstations from mounting most media. These devices, especially MP3 players that act like drives, cause our semi-technical security to freak.
It will help windows make inroads into classified environments.
(Some feel that store-bought "music" media should be labeled to its security level, except CD burners can't burn store-bought music CDs.)
That the only thing blocked by default will be the iPod?
Someday a real rain is gonna come...
Why is this a bad thing? It just gives more choices for security. Now if a sysadmin blocked these ports they'd better have an alternative for getting files off the machine (if files need to be copied sometimes...). Also, anyone know how the blocking is done? Can it be on a per-device basis, or just all external storage devices?
-You're only as clean as your towel.
and deliver this "super" OS. I'm tired of reading about how great the future is, but every time we get close to it, it runs away. It's like a giant punch-the-monkey banner ad or something.
AF-Design, web development.
you beat me to it.......
OMG! There's this tech company with whom I correspond, and ALL of their emails come from Outlook! They're in bed with Microsoft! OMG!!!
All of those people who we see here wishing that the 3.5" floppy would finally die will now be bemoaning the fact that there is no easy/convenient way to transport data between work and home.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
I worked on a project where we had to remove every USB, firewire, CDROM, and floppy drive along with sheathing all the plugs and sealing all the connections on hundreds of computers to satisfy some of the more stringent controls required in HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996) that no unauthorised persons be able to access restricted documents. It was cheaper than using control software (trusted computing platforms and certification is wicked expensive).
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Trust is good until it's broken. You can never have absolute certainty that someone won't betray you.
http://ipod.fresh27.net/
and - shockingly! - it was a joke.
The venomous tone of this article posting sucks. They're not talking about specifically banning iPods .. just blocking the USB port .. whoopdee doo .. if they didn't have this feature it would be a SECURITY RISK. Although I think it's better to lock down permissions and have a secure OS that can't have stuff written to it .. but some paranoid orgs won't want to take chances.
Anything microsoft does .. good or bad .. is ALWAYS viewed with a negative light around here.
I'm all for open source and all that .. but let's not behave like a bunch of partisan politicians OK? It's whacko.
The bigger question is WHY is microsoft (lower-casing/deprecation intentional/perpetual) being allowed to take the lead on this. ANY OS (or even BIOS) should be capable of banning or blocking undesirable external devices, the operative phrase being "undesirable external devices".
At home, it should be possible, too, for it offers privacy from snooping friends, landlords (if you live in an apartment), and others.
This, to me, is not a "revolutionary" or patentable idea. It is common sense. Cars have locks, homes have them, and any security perimeters have granular restrictions: Sensitive stores and business or government operations (courts, military or nuclear labs), and even hospitals restrict whether or not a person can bring in any kind of electronic device capable of recording or causing disruptions.
Metaphorically and in actuality, a computer, once owned, is an extension of its primary or other users, all of whom should have complete or granular control over what is granted communications access across peripherals ports.
All that said, the REALLY scary part to worry about is: will microsoft "escrow" the "keys" to turn on and turn off your ports for government "investigations"? "Sneak and peek" could be disrupted if machine owners left ports onboard, but simply encrypted or disrupted the access. This could play minor havoc with passive snoops who are accustomed to microwave, but landlords and other (persons who would dare to be) snoops with physical access to a computer pose a risk, regardless of what role they play.
David Syes
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
How many admins have gotten everything secured and free of viruses only to have some yahoo plug in a USB device with infected files? This is not a conspiracy, but an attempt for MS to get real. This is a valid option. Stop with the ravings.
As a desktop admin, you bet your ass that I would turn this on in a second. There is no business reason that I would want someone hooking up an iPod (and potentially downloading HIPAA sensitive info) to listen to music at work (potentially (!) bringing productivity down), and downloading music at work (why else would you hook the iPod to the PC, wasting bandwidth and definitely torpedoing productivity)
It annoys me enough that someone can install and launch spyware at the User permission level, but this is just unconscionable.
Case in point. A company has proprietary and confidential information that you, as their employee, have access to (without having admin privs). The company wishes to restrict your ability to make copies and potentially misuse (i.e., steal) that information.
I fail to see what administrator privileges have to do with this.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
You can train a horse to stay in the barn, but it's far more effective to close the doors as well.
Some companies work with "trade secrets."
Some companies work with YOUR "private information."
Some companies work with your country's "military profile."
I think it's perfectly appropriate to empower the IT department to set forth a flexible and strategic policy of which devices are interoperable, and which devices are not.
You can do it in linux too by not letting users mount such devices.
Hell, by default linux sort of prevents users from using CDs or floppies too.
Of course, knee-jerk conspiracy theory, Free as in Freedom!
I don't need no instructions to know how to rock!!!!
Uhmmm... Even if you trust your employees completely, there are plenty of reasons you might not want important data being taken off site. Greatly increased risk of accidental loss/disclosure or theft, for example.
I feel much safer knowing MS is looking out for us, can't you just feel that invigorating "innovation" starting to pulsate through your O/S?
Excuse me - I'm getting woozy . . .
Yes, but this is /. where everything that restricts is viewed in the worst possible light, and any technology is viewed in the best possible light, unless it's technology that disables rather than enables, unless it disables something that disables ... and so on and so forth, ad infinitum.
Don't try to analyze it. We're all candidates for tin-foil hattery. Even you.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
We are getting a Windows 2003 server for work soon, so I wondered if anyone has tried this already?
-- ladies and gentlemen we are floating in space!
:P
Don't create a (user-accessible) mountpoint for it, don't use an automounter, or simply restrict access to the mountpoint. I'm not as familiar with the automount system OS X uses, so I don't know if you could allow access to the CD-ROM and deny access to other removables, but I suspect it's possible.
The problem with employee trust and removable media is not necessarily with the employees. Even if they have the best intentions with the data and you trust that they're going to do right by you, what if someone steals the hard drive, or it gets left in an airport bathroom, or whatever? Do we trust the thief too?
There's not much of a reason for the average employee to haul a ton of documents home every day. Why grant the access to do so in the first place? Giving people the access they require to do their job and nothing more is a sound security principle.
1. Stop users bringing in undesirable content that you can't filter, including viruses and spyware
2. Stop users taking out corporate data that you can't check
If you want to run a secure company network, then these are essential aspects to stopping getting owned. Centralised backed-up storage for all users, no CD-RW drives, etc, will be other aspects.
Want to work from home? Tough titties. Maybe via a work built laptop with fixed specification that connects via a VPN to access data.
Sure, there will always be ways to get past these types of restriction. But they exist for a reason. It is the company's computer. You've got an iPod? Listen to it then. No possibly illegal MP3s on company computers to get them in trouble.
One reason Microsoft is popular is that they deliver what the Pointy Haired Bosses want, even if it is a half-baked idea.
Open source people scoff at this feature, but Microsoft adds it to their marketing material.
PHB's can either go with the doom and gloom crowd, or with the ignorant optimist crowd. I predict they go with the latter.
A mainframe or large server with a bunch of thin clients with no ports (except the network connection) or floppies. This has been used 'forever' by large companies and is basically as secure as it gets.
Trying to make standard desktops secure has to involve a serious kludge no matter what the operating system.
Doesn't Linux already have a similar feature in that said USB devices already don't work?:) Just kidding, as an IT administrator I see how this can be beneficial to a company guarding both corporate secrets from being spirited away and for IT within said company protecting the machines end users work with from being infected with personal files and/or viruses.
This has nothing to do with a bad OS. If a user has read access to files at work, then they can copy them to other things, no? Sometimes a company will want to control their data. Is that a bad thing? Maybe MS is reacting to user or sysadmin demands. Is that a bad thing?
The only bad thing is that this is "news worthy".
$ mount /dev/sda1 /mnt
mount: only root can do that
***Quis custodiet ipsos custodes***
Since this is an option, and can be turned on or off at the discretion of those in charge of the computer (and, in a corporate environment, charged with implementing corporate information security policy), I don't see why this would be controversial.
Obviously some people have no sense of humor here... and wear colors similar to the scheme here.
Sure sounds like such a futuristic technology that it's mind-boggling the good people at MS need 3 more years to get this prime example of complexity up and running.
I mean just the fact that they thought this totally outlandish great idea up so we can hear about it now is amazing.
Jippy just 3 more years.
(I bet it's going to be a USB lock with a (not so) one-of-a-kind key. Remember the disk drive locks!)
-- forget
As for "copying large amounts of company data", what ever happened to employee trust?
Now THAT is a security strategy to be proud of!
Seriously, how would you feel if you read an interview with the CIO of your bank, and he made such a comment? If you had half a brain (which is apparently an open question), you'd get your $$$ out of there ASAP.
Stop by my site where I write about ERP systems & more
Jeez...
You'd think Microsoft would have issued some kind of patch for this years ago. I mean, Linux has had this ability for years.
But Windows is so much more advanced and feature rich than Linux.
My lack of God, it's Trotsky!
As usual, Microsoft continues to push the blame elsewhere instead of fixing their damn OS!
Linux works the same way, why don't the kernel folks fix their damn OS?
What's this kernel automounter permissions shit? Users should be able to mount what they want, and if it has the ability to do bad things to the system, it's the OS's fault!
I don't need no instructions to know how to rock!!!!
What happens if you try to boot from a machine that has USB copying disabled, but USB legacy turned on?
I see a lot of comments talking about "anal sysadmins" and such. In a commercial environment that may be true. But there's an area where it is even MORE important to be able to lock these devices out: the government / sensitive info computers of the world. Think about all of the work that goes on in these places and the number of computers, many of which are on Solaris and Windows (some Linux is approved, but not much). They have to implement these features to keep national-security type information from walking out on someone's keychain. (Course those items cannot be in secured areas anyway, but I digress.)
storing military profiles on Windows machines!? that should be considered treason.
2) The iPod, like all other storage devices, can carry a trojan or virus.
You've got to be kidding me? That beat-up of a story from Intego in an attempt to sell anti-virus software for Mac?
In another newsflash, applications can have whatever damn icon they want, they might even look like a document. Wow, that's revolutionary, I bet you haven't been able to do that since the first GUI let you have custom icons for applications.
Get a life.
If they can read them, then they can upload them somewhere else. They don't NEED an iPod or USB key. Kapesh?
Javascript + Nintendo DSi = DSiCade
Unusable.
See, microsoft (lower-casing/deprecation intentional/perpetual) cannot innovate, but they also don't want keychain Linux (or other) OS's piggybacking on the hardware without even having to install. I'll bet ms will eventually slip in the real trojan: BIOS INTERACTIVITY.
Once booted, the Windows box will offer the option to lock the BIOS (maybe this already happens, since Linux can permit the knowledgeable user to write stuff to the BIOS...)
Then, they'll try to claim a patent on it.
IT managers and savvy computer owners SHOULD be able to-- regardless of OS-- lock down their peripherals ports. Running an OS or being just booted, the ports are an all-too-easy way to pull or vacuum data.
It's just that mshaft is putting a spin on the issue, likely to lay patents over it. But, I think too much prior art in existence should foil any attempt on their part.
David Syes
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
As usual, Microsoft continues to push the blame elsewhere instead of fixing their damn OS! If users didn't have rights to do "bad" things, then USB keys and iPods wouldn't be a concern. Yet Windows continues to insist on letting users run with privileges that only administrators should have.
As usual, if you badmouth MS in your post you get modded up regardless of content. Example as to why your post is erroneous... Nuclear researchers at Los Alamos have access to nuclear research... this is a good thing; it helps them to earn their hefty salaries. Had they not been able to write to the A: drive, the last several security breaches would not have occurred. Microsoft is not 'passing blame'; they are acknowledging that the ability to use these devices may not always be right. If it upsets you that you can not sync your iPod to your office PC... Boo Hoo. Get a different job.
As an aside, I wonder how long it will be before we see the first 'boot type virus' (or perhaps a FAT FS virus) on these things like the good old days of floppies?
Having physical access to a computer is a security issue? Is this Slashdot? Then will you people talk about "Microsoft security to open the CD-RW tray"?
Think for a while...
Machines alone can't give security; in the end it is the human beings behind them.
The referenced item from Intego was about a theoretical Trojan horse that no one appears to have actually taken advantage of to do evil (Symantec's take on it). Also, a detailed look at the "security alert" can be found here.
Anyway, yes, any storage device could have a Trojan, etc. dropped onto it. Yet in the case of the iPod and other storage devices (at least under Mac OS X), just because such a beast exists on the storage device doesn't mean that once connected it spreads (no auto-run of code on mounted devices is supported on Mac OS X without third-party tools).
Not much can protect one from a Trojan if the victim cannot recognize it for what it is (sure virus scanners may hit on it if it is a known trojan).
Anyway the real issue is mostly about users dropping company data onto their iPod, etc. (likely unencrypted) and then walking out the door and possibly losing it...
Everyone seems to agree that the ability to disable USB is a good idea, but this has been around for quite a while........not just WinXP. Most BIOS's have the ability to disable USB. Just set this, add a password, and physically lock it down.
Actually, I was referring to running "insecure" programs and such. :-)
The copying data part is at the end.
Javascript + Nintendo DSi = DSiCade
Check out my sci-fi/humor trilogy at PatriotsBooks.
It's pretty easy to just throw in a Knoppix disk, reboot, mount a drive, and copy things away at your leisure. They'd probably be better off filling the USB connectors with cement than relying on software.
(Score:-1, Wrong)
Just blob it into the USB ports on the motherboard and be done with it. It stops "boot Knoppix and save it to your USB key" approaches, too.
I believe the /etc/fstab entry would be something like this :
/dev/sda1 /mnt/usb1 auto noauto,user,ro 0 0
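An added example, not code from the thread: a POSIX sh/awk audit of fstab-style text in the spirit of the entry above. It is run over a constructed sample fstab embedded inline (not from any real host) and lists which entries an ordinary user may mount, whether each is read-only, and whether a later `exec` option re-enabled execution after `user` (which by itself implies noexec,nosuid,nodev).

```shell
#!/bin/sh
# Audit /etc/fstab-style text for removable media that non-root users may mount.
# Constructed sample fstab (not from any real system) so the script runs offline;
# on a real host you would feed it the real file: audit_fstab < /etc/fstab
SAMPLE_FSTAB='# <device>   <mountpoint>   <type>   <options>          <dump> <pass>
/dev/hda1    /              ext3     defaults           1 1
/dev/sda1    /mnt/usb1      auto     noauto,user,ro     0 0
/dev/sdb1    /mnt/usb2      auto     noauto,user,rw     0 0
/dev/sdd1    /mnt/usb3      vfat     noauto,user,exec   0 0
/dev/cdrom   /mnt/cdrom     iso9660  noauto,user,ro     0 0
/dev/fd0     /mnt/floppy    auto     noauto,owner       0 0
/dev/sdc1    /mnt/backup    ext3     noauto             0 0'

# audit_fstab: reads fstab text on stdin and prints one line per entry that an
# ordinary user may mount (user, users or owner option), in the form
#   <WRITABLE|READONLY> <device> <mountpoint> <exec-allowed|noexec>
# "user"/"users"/"owner" imply noexec,nosuid,nodev unless a LATER option such
# as "exec" re-enables it (mount(8) semantics), so options are walked in order.
audit_fstab() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }      # comments, blank or short lines
        {
            n = split($4, opt, ",")
            usermount = 0; ro = 0; ex = 1       # plain mounts allow exec by default
            for (i = 1; i <= n; i++) {
                if (opt[i] == "user" || opt[i] == "users" || opt[i] == "owner") {
                    usermount = 1; ex = 0       # user mounts become noexec here
                } else if (opt[i] == "exec") {
                    ex = 1
                } else if (opt[i] == "noexec") {
                    ex = 0
                } else if (opt[i] == "ro") {
                    ro = 1
                } else if (opt[i] == "rw") {
                    ro = 0
                }
            }
            if (!usermount) next                # root-only entry: not a user exposure
            printf "%s %s %s %s\n", (ro ? "READONLY" : "WRITABLE"), $1, $2,
                   (ex ? "exec-allowed" : "noexec")
        }
    '
}

# writable_user_mount_count: number of user-mountable entries a user could copy
# files onto (the data-walks-out-the-door case the thread is about).
writable_user_mount_count() {
    audit_fstab | awk '$1 == "WRITABLE" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
printf 'user-mountable entries writable by users: %s\n' \
    "$(printf '%s\n' "$SAMPLE_FSTAB" | writable_user_mount_count)"
```

On the sample, only /dev/sda1 and the CD-ROM come out READONLY; /dev/sdd1 is flagged exec-allowed because `exec` follows `user` in its option list.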
A workaround for longhorn's external device blocker was found. By simply coloring your device black with a marker and holding it, you will be able to mount your drives.
...spike
Ewwwwww, coconut...
This is not a big deal folks. My spouse works for a financial institution and they block access to Internet based email (e.g. GMail, Yahoo, etc). My current employer blocks ftp access to the outside world. My last employer didn't allow us to bring our cell phones or pagers into the secure computer labs. The computer you use at work is not yours and you can't do with it as you wish. This may be frustrating for us techies but it is the truth. Remember folks that this is intended to be used by corporate users and NOT for home users. This is just a natural progression of companies wanting to make sure that employees don't run off with data that they are not supposed to. Anyone else remember this fiasco?
OS X, Linux, Tivo, Amiga, my fascination with cult-like technologies would intrigue any psychiatrist.
Don't they mean the threat of _third party_ storage devices? :-)
- Kevin
The less confident you are, the more serious you have to act.
Unfortunately, trust is trust. If someone has access to your data, you are implicitly trusting that they will not misuse that data. If faced with a situation where I wanted to steal data, I could find a few hundred more effective methods than using a USB key or iPod.
Javascript + Nintendo DSi = DSiCade
Don't you need to be root or sudo to mount a drive in Linux? It's been so long since I've done it manually I'd really like to know!
Boomer Sooner
Wasn't trying to imply that the link wasn't informative, merely that the article already made mention of what was presented as new info.
I'm mostly frustrated at people not making an effort to read non-slashdotted articles & then half the comments are useless because they don't understand the situation. Case in point is the UTD WiFi article earlier today.
Linux has had this since 1991.
Seriously, it's called fstab.
It's also a handy way of keeping confidential information from leaking.
Just put chewing gum in the USB/Firewire Port
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Now... if only I could figure out _how_ to get my users classified as a storage device...
Well, I for one think companies should stop issuing laptops if they're that concerned, but the trend is to issue only laptops nowadays. I walk out the front door with corporate information every day -- can't seem to avoid it.
Linux already supports this. You just compile the kernel with those modules turned off ;-)
Previous articles on /. have discussed the potential problems with data security caused by the use of large capacity compact storage devices. This makes sense... as long as MS writes the OS securely. If the controls are written badly, then they will become a hindrance to those who do want to do useful work and a loophole for people who would actually copy confidential data. Paraphrasing Gavin DeBecker, bad security fools everyone but the bad guys.
The question I have is:
If you run a network that you want secured, and you know about these devices, why not either set permissions on the devices or yank support for USB beyond keyboards, mice, and other harmless devices? Why add anything? Removing support and/or restricting access using the existing permissions settings seems to be a better plan.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
What's the big deal if you are using a free iPod to back up your hard drive, to take work home, or if you're using your mini cruzer?
There are a lot of times that I need to bring work home to complete a time sensitive project. Sure, bringing work home sucks, but still, it's better than using a floppy.
Seriously... did anyone else notice that the story was submitted by someone calling themselves slashdotbs?
:)
If it were April 1, I'd think Michael was playing a joke on us, but as it stands, I think someone pulled a pretty good joke on Michael.
.....that will only disable iPods"
By reading these responses, that's what one would think the article said. haha!
-Randy
What MS is doing is making it harder to steal, not impossible. One continues to raise the bar of difficulty until one attains a level of acceptable risk. This makes it easier to raise the bar.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I work in the IT dept. of a financial institution. Our info security team is damn good at what they do, and they'll likely recommend that USB keys be blocked when (if) we ever make it to Longhorn - we're still on Win2K for desktops. Still, for all the measures they put in place, I've got ways around them. Port 80 and 8080 will always be open outgoing. So I use 8080 to SSH home, and port-forward all kinds of nifty services on my home network, like SlimServer, PopFile, VNC, and Remote Desktop for my Windows box. If they close 8080, I'll just find a different port.
I see this being a potential useful feature. Granted it could be cracked, or virus-enforced and lock a home user out of their external drives, but for a network admin this has got to be a dream come true.
This would be great for a school environment taking the load off the sysadmins to find third party software to lock down the desktops. Being able to control what devices enter an environment like a school network can save time and money, neither of which sysadmins have in abundance.
- Dan
I just bought a 1GB usb key with the ability to be 'bootable.'
:) )
So, not only do they have to prevent external storage, but they also have to turn off USB booting, and password the BIOS. I don't know if those are standard practices or not.
And, with this ability to turn off external drives, does that retain the ability to use other USB devices? Wouldn't there be some sort of 'spoofing' that could happen? (Don't ask me what... I haven't figured that out yet.)
--Welcome to the Realm of the Hawke--
Long live the floppy!
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Because I'll be uploading that 20 GB Database to my offsite server without IT Noticing, or whistling the entire thing to my accomplice over the phone with my Captain Crunch whistle.
Fucking idiot.
There have been a few other OSes that disabled the ability to use USB drives... Win98 (first edition), Win95, Win3.1, DOS...
Security through obscurity?
Longhorn is going to be "progressive" by disabling the latest technology?
-iCoach
"Never upset a goalie, getting hit with a blocker is an unpleasant experience - facemask or not." -Me
What this *is* about is just one more "feature" that M$ is putting into their offering that UNIX/Linux/Et. AL. have had forever.
When you start diluting the issue talking about the conspiracy mumbo-jumbo, and fascist *admins, and what have you, you really are helping M$ along...
The only rational answer to an announcement like this is:
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
What happened to trust? It's an uncertainty. Even if you can trust me now, I promise you that when Your Competitor comes by and shows me a paycheck with my name on it that's about $5000 over what you're paying me, and all I have to do is give them a folder of files off my laptop, fuck trust, I'm getting MONEY.
If they can read them, then they can upload them somewhere else. They don't NEED an iPod or USB key. Capisce?
if you are working in such a place that doesn't want you taking files out on USB devices, what makes you think you have access to upload them outside of their network, or access to email them out into the wild?
The dedicated can always do something to circumvent. This "solution" by MS is either a small part of a larger set of security checks or for deterring the quick steal. I don't see it as a "hack" to fix a broken OS at all.
We can see what Microsoft has become: a corporate tool for closing the barn door after the horse has fled. These latest announcements engage in futile rear guards against people with physical access to the machine running the Microsoft OS. It won't really work, it will make everything more complicated for users and administrators, and it detracts from actual innovation. Computers, at their best, barely work - we've just started on a long course of brain augmentation devices. Rather than help make them do more for us, Microsoft is working to make them, and us, do less.
--
make install -not war
At work, we use a program called DeviceLock http://www.devicelock.com/, which allows us to permit/deny access to all I/O on a machine from anywhere on the network, based on username or group. Very handy, since we are still running an NT4-based domain (it's not connected to the Internet, so quit salivating!).
While I have 256MB USB2.0 device in my pocket at this moment, I view this as a good thing. In many environments it is highly undesirable to allow copying of data from a computer to removable storage. I'm personally horrified by how easy it has gotten where I work. When I came here (from an even more restrictive environment), things such as Zip Disks, and CD burners were forbidden. Now everyone carries a laptop with big HD's containing who knows what home every night, and most of those laptops have CD burners.
Personally I really hope that Longhorn includes the ability to block access to CD/DVD burners built into systems as well as removable storage devices!
In environments where data security is VITAL, these devices are a HUGE threat!
Microsoft in the name of security has done a lot more silly things... like the fact that you can't send word/excel docs as attachments using outlook anymore. Instead of fixing their security holes they just disable whatever might cause viruses to spread...
.exe files because that is the only way they can stop people from getting viruses.
Pretty soon MS will disable double clicking
... I've figured it out all by myself! (sounding like the skinny guy in WarGames) You save the data onto the machine's harddrive, then you open the box and grab the harddrive. Voila... data gets out of the building.
This is probably an overture to the military as much as to anyone else, as the DoD takes a lot of steps already to ensure that their data stays secure (whether or not it works is another question).
This is to prevent casual copying of data without authorization ONLY. This will do nothing to prevent actual corporate espionage.
After all, real corporate spies can clone local drives and load them as data disks outside the network, they can take photographs of any file or document they can read and display onscreen, and they can always do manual transcription.
Rather than a solution in search of a problem, this is a non-solution to a very real but non-computer-related problem.
I just can't wait for the first virus whose payload is to enable this policy so that suddenly everybody who uses a thumbdrive to transfer/store files can't get work done because the key won't mount.
Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
Who says you need a network? Perhaps you simply crack the case and add a hard drive. Or plug in a new PCI card. Or transfer it out a floppy disk at a time (embezzle information). Or perhaps use the CD Writer that came equipped on the system.
There's lots of ways to steal data, not just the network and USB devices. It comes down to the fact that access == trust.
Javascript + Nintendo DSi = DSiCade
As an MCSE who knows how to do his job right (yes there are some of us who exist). I would like to say that through Group Policy, an IT administrator has been able to limit this ever since Windows 2000. We don't need new features (like this anyway), we just need better trained Windows Admins.
Step 1) Go to:
https://www.uploadmyfile.com (no this link doesn't work, but you could create any web page to do this from)
Step 2) Copy information (highlight desired info, then press CTRL+c)
Step 3) Paste info into text area of secure web page (CTRL+v)
Step 4) Press "Submit" button.
Bye-bye data!
(Yes, I know that this could be stopped at the network level
OR
If your IT dept isn't THAT good, use one of the hundreds of windows exploits (for extra credit, make your own exploit), become the administrator, enable USB keys, steal the data, profit!, then return the settings back to the "secure" setting.
Let's face it, if you want to steal data, have no morals, have no loyalty, if you hate your job (or boss), and if you have ANY technical know-how, the data is as good as gone!
Silly MicroSofties!!!
HallmarkOrnaments.Com
Not really into Linux, are you?
On Linux, you turn off the automounting daemon, then you grant sudo privileges to certain users for the mount command. Then you can set up group access for the /mnt directory and for the device files (like sda4) in /dev that are used for external storage devices. Piece of cake. This effectively blocks ALL storage devices, even ones that haven't been invented yet, because they would ALL have to be mounted to be used.
Note that this even stops someone from using their own copy of mount to mount a filesystem in their home directory. It could probably be made tighter, but you get the idea.
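A small audit script, added here as an example and not code posted by anyone in the thread, that checks the two controls the Linux posts above lean on: that fstab entries for removable media let ordinary users mount them only read-only (the noauto,user,ro entry quoted earlier), and that raw block device nodes are not world-readable, since a readable /dev node can be copied with dd or tar without ever being mounted. The fstab contents and device names are constructed for the demo; the script needs only POSIX sh, ls and mktemp.

```shell
#!/bin/sh
# Added example (not from the thread): audit an fstab and device nodes for
# the removable-media controls described above. POSIX sh only.

# make_sample_fstab -> path of a temp file holding a CONSTRUCTED fstab.
make_sample_fstab() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
# constructed sample, not a real host's fstab
/dev/sda1   /            ext3  defaults         1 1
/dev/sdb1   /mnt/usb1    auto  noauto,user,ro   0 0
/dev/sdc1   /mnt/usb2    auto  noauto,users     0 0
/dev/fd0    /mnt/floppy  auto  noauto,owner,rw  0 0
/dev/sdd1   /mnt/backup  auto  noauto           0 0
EOF
  printf '%s\n' "$f"
}

# has_opt OPTIONS NAME -> 0 if NAME is one of the comma-separated options.
has_opt() {
  case ",$1," in *,"$2",*) return 0 ;; *) return 1 ;; esac
}

# user_mountable OPTIONS -> 0 if a non-root user may mount this entry.
# mount(8) grants that through the user, users or owner options; note that
# "user" also implies noexec,nosuid,nodev unless overridden.
user_mountable() {
  has_opt "$1" user || has_opt "$1" users || has_opt "$1" owner
}

# audit_fstab FILE -> one line per user-mountable entry:
#   "<mountpoint> user-mount read-only" or "<mountpoint> user-mount WRITABLE"
# Writable user mounts are the ones that let data walk out on a key.
audit_fstab() {
  while read -r dev mnt type opts rest; do
    case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
    user_mountable "$opts" || continue
    if has_opt "$opts" ro; then
      printf '%s user-mount read-only\n' "$mnt"
    else
      printf '%s user-mount WRITABLE\n' "$mnt"
    fi
  done <"$1"
}

# count_writable_user_mounts FILE -> number of writable user mounts (0 is
# the target); grep -c prints 0 but exits 1 on no match, hence the || true.
count_writable_user_mounts() {
  audit_fstab "$1" | grep -c WRITABLE || true
}

# world_accessible PATH -> 0 if "other" has read or write permission.
# Applied to /dev/sd* nodes: a world-readable block device can be copied
# with dd regardless of what the mount table allows, so keep such nodes
# group-only (root:disk or a dedicated group).
world_accessible() {
  other=$(ls -ld "$1" | cut -c8-10)
  case "$other" in *r*|*w*) return 0 ;; *) return 1 ;; esac
}

# Demo run on the constructed sample.
sample=$(make_sample_fstab)
audit_fstab "$sample"
rm -f "$sample"
```

On the constructed sample the demo reports /mnt/usb1 as read-only and flags /mnt/usb2 and /mnt/floppy as writable user mounts; /mnt/backup is not listed because only root can mount it. On a real host, run world_accessible over the /dev nodes named in the fstab as well, since the mount table is irrelevant if the device itself is readable.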
With a savvy sysadmin, you can make Linux do ANYTHING. It's a much cooler OS than Windows.
You'd think they'd start out with the threat posed by sloppy coding.
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
I'll just have to use ye olde LapLink via parallel or serial ports.
As for "copying large amounts of company data", what ever happened to employee trust? i.e. You should only hire someone you can trust to do job you put them in, because there's no getting around giving them access to sensitive information. It's like telling the company accountant that they can't have access to the financial records, because they might embezzle money!
Unfortunately, in real life people have the amazing ability to turn on a dime, especially when they feel violated in some way or another. You can do all the background and personality and polygraph tests in the world but there's no way to know how someone will react if they perceive a slight -- especially at a large and impersonal corporation, where layoffs and passed-over promotions are common. It only makes sense for a company to do its best to prevent trade secrets and other confidential information from walking out their doors... It's one thing to have a disgruntled employee with knowledge, since human memory is faulty and hard to prove. It's another to let them download the whole database to use against them later.
Actually, all the admin has to do now (in Win 2k or Win XP) is change the setting for "Allow users to manage devices" and the users can't add devices, even USB devices, without admin privileges. This sounds like a more pointed approach, so you can add/remove other things, but not USB keys.
In the USA, we like stuff watered down, like beer, television, and freedom.
...at least on the part of Microsoft. Microsoft isn't trying to keep you from using USB drives or iPods, silly. You'll be able to use them by default. It simply gives the system administrator the ability to control the computer by giving them the *option* to disable these features.
There are a lot of organizations that don't want people plugging in USB storage devices and walking off with their critical, sensitive data. This gives them the ability to make their computers more secure, so less scrupulous people won't walk away with data.
I would think that on a site full of Linux people, there would actually be celebration about having more control over your computer. I think Microsoft should be commended on this one.
So now they can't just mail the stuff to themselves anymore? If you are worried to be detected, you can always PGP the information, or hide it in a word document or something. You could obviously ban both, but that would seriously hamper the ability of the person to communicate.
Information management normally can not be done digitally, unless the person is unable to get the information on his computer in any other way.
Obviously MS is right to make sure that you need sufficient privileges to attach a communication or data storage device to a system. I can see this to be particularly helpful for servers (with credit card information for example). It's easy to plug in a USB memory key in a system, but breaking it open to reset the BIOS is quite another thing.
In the case of Intel (mentioned in the article), I wonder if the employees have personal laptops..... Up to 80 GB walking right out of the door, unharmed....
Can't you just disable the built in USB Hub in the device manager? Might not work with 9x, but with 2k and XP you need to be admin to change hardware. Is this really a new feature, or just new to their marketing drones?
I may not be able to keep someone from cutting a hole in the side of my house, but that doesn't keep me from locking my doors when I'm out.
It will block USB mass storage devices if IT admin wants to. Ipod is USB mass storage compliant, but so are dozens other MP3 players.
This paranoia over USB flash drives and iPods just shows how uninformed, uneducated and like lemmings general IT personnel are.
How is an iPod or a USB flash drive any different than a floppy disk? Or a ZIP disk? or CD-RW?
In the past, most CPUs have had some form of writable removable media drive such as a floppy, zip disk, ls120, etc. USB is the new form of that. So why the panic?
Job security? After all, network security is the new black. Or is it paranoia over USB flash drives and iPods that are the new black?
All locking out these devices does is make it inconvenient for people to do their job. No more storing that Powerpoint presentation on a USB drive and plugging it into the meeting room projector, you'll have to bring the whole computer.
And if someone REALLY wanted to steal corporate data, they'd remove the hard drive, take it home, copy it, and bring it back.
Amen, brotha. What the hell is the point of having a (relatively) secure OS running on your user desktops if any dingus can plug in a thumb drive and snag data?
What does it mean to wake out of a dream
and be wearing someone else's shorts?
BNL, Born on a Pirate Ship (1998)
Good point! But now there is a way of limiting their access to the sensitive information. So now less trust is required to do the same job which makes it easier to find someone to do it.
It sounds like you're against it but from your post I can only figure why this is a good thing.
As usual, Microsoft continues to push the blame elsewhere instead of fixing their damn OS!
I thought this was a change to their OS? You wouldn't call this a fix then?
Ask yourself this then: How likely is it that the lack of USB devices is going to stop you?
Javascript + Nintendo DSi = DSiCade
Those things are DANGEROUS!
Didn't anybody see The Recruit?
(obligatory smily omitted)
Oh, you're not stuck, you're just unable to let go of the onion rings.
This is functionality that wouldn't make sense for the company I work for -- and I would wager many others as well -- since they hand each employee a laptop with a CD burner built in. Ahhhh... Nevermind. They'd do it anyway just to be pains in the ass.
I give men fish.
Now if a sysadmin blocked these ports they better have an alternative to getting files off the machine (if files need to be copied sometimes...)
I agree that these USB devices make for an easy way to smuggle files out of an office, but what about an ssh tunnel (are you really going to block all outgoing connections to port 22)? Most offices large enough to have an IT department have a decent Internet connection. There are plenty of other ways to go about smuggling the files as well. The bottom line is that if you allow users access to files, and they really want to take them offsite, they can.
If you can't trust your employees, then you shouldn't be giving them so much access in the first place.
Incidentally, maybe they should also look into disabling command-line FTP. I got into a heap of trouble once because I was able to get a contraband file via FTP without anyone knowing.
That contraband file? Firefox.exe.
I'm in the hole of the broadband donut.
Just use group policies in active directory to set permissions on %systemroot%\inf\usbstor.inf and usbstor.pnf to deny everyone access. No one in the domain will be able to connect a usb storage device of any kind. I've been doing it this way for years.
If you give me physical access to a PC, I CAN get ALL of the data off of it.
The only way to be safe is to remove ALL avenues of data removal.
1. Remove all USB ports
2. Remove all floppy drives
3. Remove all CDRoms
4. Lock down the bios
5. Physically lock the case shut!!!
6. Don't connect your network to the outside world
7. Keep a physical distance between secure and non secure networks.
8. Keep the secure network and all of its machines in an electromagnetically shielded room.
Can you think of any others?
I live the greatest adventure anyone could want. - Tosk the Hunted.
- I live the greatest adventure anyone could possibly desire. - Tosk the Hunted
I'm no data thief, but in 30 seconds of pondering it's really clear that there are a whole bunch of ways to steal data. The IT dept only has to miss one and game over:
* boot from the USB drive itself (small linux partition)
* boot from CD-rom (knoppix)
* email the data to a throwaway account
* stay late and print out a bunch of stuff in small font on duplex laser printer
* plug in a cheapo wifi router then park 3 miles away with a directional antenna
* open the case and just take the hard drive
* or clone it, bring your own IDE cable
* bring up a few interesting screens of data and take pictures with mini camera
* install a backdoor via the floppy or cd-rom
* wait for the business function to be outsourced and then offer some nice foreign person a $20000 bribe.
* glued up USB/firewire ports...open the case and use a fresh cable
* network share then plug in your laptop somewhere else in the building and it's probably accessible
* a long time employee can just write down a few numbers on a notepad each day or just memorize 80 bytes of data until he gets out of the parking lot
* speaker output probably still available...find suitable codec and just "play" the data to a recorder
If you can get 15 minutes alone with a machine, you can get whatever data you want. At best, turning off external devices in windows just prevents casual data theft by amateurs and I have to think that amateurs are probably more interested in the value of the hardware (steal a laptop) than they are in a customer list.
Why is this news? It is a good thing, because I will be able to use USB devices on my work desktop now. Right now USB is disabled on my desktop because network security is scared about information leaking out via these storage devices. I know this isn't a norm for everybody, but there is enough of a demand out there that Microsoft has decided to add it to their product.
At least in the world of Microsoft they implement features that enough of their user base is calling for. I have personally found in the Linux world it is a crap shoot to get a feature that is useful to me and most of my peers.
By the way don't tell me to go implement it, I hate that comment, because it doesn't provide anything useful to the conversation. Also using a device, or in this case not using one, doesn't require me to know the specification of the device down to the SDK.
Oh that's just too funny. "We won't let those pesky iPods create all these problems with OUR computers! No way. It's a big security risk too."
"So security is a big issue with you now? You've figured out how to keep worms, viruses, and the three-times-a-week security vulnerabilities at bay?"
"Well, um, no, but um, we won't let that scourge of society iPod connect. Ha!"
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
With proper management of GPO policy you can disable such external beasts today..
You can even disable things such as floppy drives...
Could even do that with NT 4...
---- Booth was a patriot ----
By the time Longhorn ships, we'll have pocket-sized multi-gigabyte network storage appliances. Who cares if your machine will let you plug in a thumb drive if you can just plug a 10GB keychain samba share into the hub?
There have been third party products that allowed you to lock out external media (cd-rom, floppy, etc) for quite some time. Unless you were logged in as domain administrator of course. Also you need a password to boot from a floppy and flash the BIOS on most secured networks.
The idea that an IT admin is given tools necessary to prevent outside data from getting into the network and to prevent data from getting out of the network is neither new nor is it a bad idea.
Of course one can still just zip up a bunch of secret documents and mail them to an anonymous account like gmail. That does leave a pretty nasty paper trail though.
“Common sense is not so common.” — Voltaire
Ok, either the sysadmins here are *VERY* smart (it's doubtful) or this feature has been around since 2k, they're just making it EASIER to block external drives.
I suppose just turning off the usb ports that aren't being used is too easy of a solution for people. Or setting it up so that only the admin can add drives....
Is out the window in this day and age.
Once upon a time you could trust your co-workers.. Today you can't.. Who is that person in the cube beside you, is he a terrorist? Is he out to sell out to the competition?
Is he just bored and has destructive tendencies...
Trust doesn't apply today, it's not worth the risk..
---- Booth was a patriot ----
Sure, we ban access to USB devices via a policy in Win2k as well, and it's a good thing.
But since the arrival of Google's 1 GB Gmail there's a way bigger load that can be heaved out of the system than via a 128-USB stick. We're always chasing to get any form of leaking blocked.
[Still chasing, still chasing.....]
what do those "ONE"s mean?
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
Copy the data to the hdd "C:\Windows\Printers\Spool" to get past software that deletes naughty files from the hdd. Or if it's hardware copy it to a scratch disk. SHUTDOWN the pc, boot up knoppix and copy.
If you have nothing useful to say post as AC.
Damn, now I know I'm alienated; I really had to stop there for a couple of seconds before realizing you were not talking about notepad.exe.
Perhaps not the most stylish, but what about circumventing OS security with a boot disk of choice? If the machines have cdroms... Epoxy doesn't sound that bad after all. If an employee is really willing to fuck you and retrieve undue information, perhaps physical backup enforcement like this is just what you should look into.
O make me a mask
But now there is a way of limiting their access to the sensitive information. So now less trust is required to do the same job which makes it easier to find someone to do it.
They still have access to the data, right? So how are you trusting them any less? They could email the data, upload it to an FTP server, burn it to a CDRW, attach a serial hard drive, add a PCI card, post it to a website, copy it over an SSH connection, attach a laptop, etc.
I thought this was a change to their OS? You wouldn't call this a fix then?
Nope. I have to trust the user of the system. But why should an email attachment manage to breech all the trust I've given him? Or an RPC client? Or a bug in Internet Explorer? Making use of authentication tokens would prevent chunks of code from being exploited in these fashions. e.g. It would be impossible for any part of the Internet Explorer code to access the hard disk, except for the "Save", "Open", and "cache" areas. Each of those would be restricted to only the disk areas they should have access to. (e.g. Cache can only read/write the cache area of disk.)
THAT is a fix. Stuff like no USB keys is a workaround.
Javascript + Nintendo DSi = DSiCade
What about PDAs? Are they going to be locked out too? What would this do to the executives? Now they wouldn't be able to transfer information to and from them also. This isn't just limited to drives and iPods. It expands to PDAs, cameras, and other mass storage devices.
Maybe if there was a way to explicitly allow only for certain approved devices and then not allow any new?
wdd
This applies as a group policy... Circumvention? As easy as:
Copy the data you want to the local HDD.
Unplug the network cable.
Reboot.
Log on to the local machine rather than the domain.
Make your copies.
Plug the network cable back in.
Reboot.
Resume work as normal.
Now, if your admins actually went around and locked down each machine individually, you might need to get a little more "personal" with the machine (taking the HDD home for the night works well - Let's call that Circumvention Method #28).
Yet another "great" idea that annoys honest people and doesn't even slow down those intent on doing damage. Who comes up with this crap?
I think Michael was just being an objective and unbiased journalist who's taking a good stand against censorship. Are you suggesting he should discriminate against people because of their names?
Quite a bit, actually. Last place I worked, the only way you could get files off the computers was either a USB or parallel port drive. Everything else was transferred across the network, and was backed up to removable media only in the back room closet by the guy who owned the shop.
How about not hiring untrustworthy people?
If you can't trust your employees, your company is fooked
So my Neuros player will still work right?
Didn't think so. The story just sounds more sinister when a trendy gadget is apparently singled out. The writer thought by giving it a MS Vs Apple twist more people would read it.
then how did you get into trouble. ;+)
Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!
Again, it shouldn't be needed, but hey if you are paranoid already, go for it.
Security is standard practice almost everywhere. Rarely do you see everyone have administrative rights for everything, heck, where I work I ask that my account be specifically non-admin (so I can get a little bit of protection from shoot-self-in-foot-itus).
If you think you have to trust your employees entirely, you should visit your company's accounting department and discuss "checks and balances," and why cashiers have to count their drawer at the beginning of each shift.
of the hypocrisy laid forth by anti-MS shills. You blast MS for not having a feature that it should, but the moment it does, 'Oh well this is just MS copying nix!'
Give it a rest.
I'm going to assume that you had a closed network. (If it was open to the internet in ANY way, you'd have the ability to SSH, FTP, or HTTP POST it to yourself.) So, in your situation, what procedures were in place to stop someone from temporarily adding another hard drive, connecting a laptop via the Ethernet port, or simply adding another mass storage device to the network?
Javascript + Nintendo DSi = DSiCade
If you let them bring USB devices in, make sure you lock down the BIOS too to prevent USB booting.
As far as Unix (OSX/Linux) all you have to do is to disable user mounting of filesystems, as it was and should be, and lock down the permissions on the appropriate devices (to prevent using it as a character device with tar).
If you want to steal a file this is no more difficult than doing an https POST to a web server. Pretty hard to block and pretty hard to detect.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
http://www.powerpage.org/cgi-bin/WebObjects/pow
http://slashdot.org
Microsoft already has documentation on disabling USB, and you do not need to wait for SP2 to implement this. http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
As for the quote,
"IT managers do have access to tools that would allow them to block USB ports, but such tools are little-known, and little-used. "There are tools that are available to...manage USB ports, but 99.9 percent of all machines in corporations don't have anything like that," Brill said."
I guess Mr. Brill is not aware of the obscure concept of Microsoft Group Policies, file permissions and google.
Can Windows also prevent me from booting a Knoppix CD to copy files to my USB device?
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
At places where the security section really does take things seriously, doing something like that would have an "IT security" guy and a couple of "escort-you-out-of-the-building" security guys at your desk pretty soon.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Michael taking a stand against censorship. BWAHAHAHAHA
But you're missing the fact that these schemes don't work for folks that know what they're doing, which is who you are trying to control.
Everyone else, i.e. the people that are just trying to get their work done, are the ones impacted by these efforts.
USB storage devices may be a closeable hole. Are you going to close these too:
1. The Internet. Companies try. But if you can make a web request, send an email, etc. you can send data out of the company, very efficiently. Even the most byzantine "Great Firewall of Company X" leaves this door wide open. They may put a proxy, etc. That doesn't close the hole.
In fact, anyone worth their salt can create an encrypted VPN over any two way channel you give them.
2. The serial port, say connected to a cell phone, or a laptop.
3. The Parallel port. Laplink cable and a laptop, or maybe a parallel connected MP3 player (old models available for $5-$30 on ebay).
5. The ethernet port. Seriously, have you seen a computer that didn't allow connections to other machines on unprivileged sockets? The Rio Karma comes to mind as something you could hook up there.
5. Floppy disk drive
6. CD-ROM burner. Typically easily available on every corporate network I've seen.
7. USB port on other protocols than "Storage," like say the simple USB peer-to-peer network cables.
8. Photons emitted by the monitors convey information which may be written down, relayed over a telephone or photographed with a camera.
9. Directly connected, and network printers. If you really want to, you can just print it out, and likely you could print a heck of a lot of info reduced down so small that you could shove the piece of paper in your nose and blow it up later to a readable size.
Given all of this, I'd say it is pointless to try to close all the holes without a ground up redesign of how operating system security works, and even then, there are ways around it. Neither Microsoft nor industry is going there any time soon, so why get in the way of folks just trying to get their work done if the problem isn't really solved?
-- John.
All this talk about keeping "company data secure"... better disable those network cards too so employees can't upload a "secret" company file or send an email that has a *gasp* file attachment. Besides, one can do the same exact thing with a floppy as they can with a USB drive... just on a smaller scale.
heh heh heh...
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
What about USB printers? What if I just walk in and print out the client list or something?
Get your Unix fortune now!
that for a long time in os x...
There is a setting in the local security policy that stops people from adding hardware.... This includes USB drives and iPods. Been there for a long time too, Win2K without the SPs and later. I find it hard to believe that MS would put that into Local Security Policy and not have it at the Domain Security Policy. I don't feel the need to upgrade my system to a domain controller to verify that though.
Stop signs are only Suggestions
Do you think this will have any effect on their monopoly DOJ case thing?
Remember that SP2 has several new longhorn "features" that were rushed into the service pack in the name of security.
Speaking of rushed security features, I was using a friend's SP2 laptop recently (using SP2 for the first time). It sucked. I figured I'd show her how cool iTunes music sharing is on a campus network. I needed to perform about 5 extra steps! Yes, I really want to download the .zip or whatever from Apple. Yes, I really want to open the .zip I just downloaded. Yes, I really want to open the executable installation program that the .zip produced. Yes, I really want to run iTunes now! Christ. I understand that this is to protect idiots (or ignorant users, these two groups are often said to be one group), but this makes everything inconvenient! It's just a sorry state that in order to protect users you must make potentially unsafe operations (that might even be routine) inconvenient as hell.
Yes, I realize I could probably turn off all those precautions, but this was her brand new SP2 machine.
"I've got to stop masturbating! It makes me too lazy! Stop it, Albert. Stop it." -- Albert Einstein
yay for anal sysadmins
Please FOAD. Corporate policy where I work says no USB drives. I didn't make the policy but I have to enforce it. Tell people not to use USB drives and they do anyways and when they do I get pulled into an office and bitched at because some Jr CIO claims he saw suzie secretary with a USB thumbdrive plugged into her computer.
None of the software solutions we've tried have worked. Right now our only option is having a bunch of techs go from box to box, open up the case, and disconnect the USB internally so that if someone plugs a USB device in nothing happens. This is a good thing. Microsoft should have done this from the outset when USB support was first introduced.
Just take away everyone's PCs, Macs or what have you and replace them with the best alternative: an abacus and an Etch-a-Sketch. Then when everyone leaves for the night, shake the Etch-a-Sketch so no data is removed from the office.
-DrMyke
"mmmmmmmmm, doughnuts" - H.J.Simpson; super genius
There is no security without physical security. Leave me alone with a working device long enough and I can get the data out of it. From a certain point of view, DRM software is a system administrator. This feature will be more effective for controlling what the lightweight user does than at preventing corporate theft by a computer professional.
So because any security can be penetrated there should be no security, since there is no point in making penetrating security harder? Hope you don't have my credit card number on file where you work....
The average user does not have the skill to set up an SSH tunnel. Most users do have the skills needed to plug in a USB device and copy some files over to it. It sounds like you are arguing that since there is always a way around security we might as well have none at all.
Sure blocking the use of USB devices is certainly not the be all end all of security but every little bit helps.
The server is under his desk, behind the trash can, underneath the old copies of Windows magazine!
Yeah, right.
No, I think that if you are going to solve a problem you need to make a serious, comprehensive attempt to solve it.
This is just one facet of the problem. Patching this hole is just to give the unknowledgeable a false sense of security. And that is more dangerous than leaving them worried, which might prompt more serious consideration.
Credit card information can be pretty well locked down. It is normally restricted to one machine, and that machine is restricted to a certain set of users. It should be stored encrypted, and only some folks should have the keys.
Disabling USB storage devices on such a machine won't help if you don't trust the employee that has access. In fact that is probably the real issue; trying to let technology replace taking real responsibility for knowing and monitoring your employees. People steal data, and you need to know that your people aren't going to steal it. It's more of a human problem than a technical one.
We did have a closed network. At the time, broadband in my area was horridly expensive, and most small businesses were squeezing through a 56k modem, which meant one, maybe two computers had internet access. As for the rest of your questions:
Plugging a laptop into the ethernet port: Couldn't add stuff to the network like that. It wasn't just closed, but it was also annoying to work with, since if you plugged something new in, it wouldn't be recognized unless the manager (who, oddly enough for a manager, was actually quite skilled in the matter) did something which he wouldn't explain to the rest of us. Same would apply to a network printer or storage device.
Adding extra hard drives: Small office, no partitions. Everybody was in clear view of at least three other people and probably the customers coming in too, so you couldn't just crack your case open over coffee break.
Of course, what we did at this place was take other people's computers apart and fix/upgrade/etc. them, so I imagine it would be easy to take apart one of the office computers and just say, "Yeah, this is that one the guy dropped off yesterday. Gotta get it finished quick, he's coming in for it at 3." But then, this wasn't exactly a cutting edge R&D sorta place. There was nothing in the computers worth stealing. Which, of course, brings us to the question of WHY they locked down the network so much. I can't even begin to guess.
Do not order computers with external device access.
Alternatively:
1) Remove USB ports at the motherboard.
2) Do not install floppy or zip drives.
3) Do not install CDR/DVRs.
4) Remove all legacy serial and parallel ports.
Now just how you will get any work done is another matter.
"Rocky Rococo, at your cervix!"
I don't think the feature itself is at all controversial. It is a matter of security to be able to block external devices to unauthorized users on your machine. There are ways to do this today in current versions of Windows with third party products.
Two things come to mind however:
1. Who will actually implement this feature? We're talking about something that really digs into the hardware/firmware/low-level-OS hooks of a system. For all practical purposes MS could simply shove most of the hard work off to the hardware makers saying that it provides a standard configuration panel in Windows and an API to unify the diverse hardware standards for features like this. Of course, it'd be up to the headaches of the hardware makers to make sure that things like firmware upgrades / hard resets / external booting are available but respect the settings of this API.
2. Is this something that software programmers will encourage? Before it became popular to mount USB cameras as FAT partitions on your desktop, digital cameras had to use a serial cable and follow elaborate, non-standard syncing APIs and mechanisms. The simplicity from the programmer perspective of having a simple data repository that acts like a file system device lets them spend their time on many other things rather than handshaking and querying acrobatics. Unless MS is also implementing an extensible sync architecture which will allow them to properly screen out the "true" hardware storage devices but allow things like cameras and PDAs to be read into the computer, then I foresee most users turning off this security feature as the first or second step in the instruction manuals of most devices (just as turning off the MS firewall appears to be the first step of many Internet enabled programs).
Remember that Microsoft Security is like a papier-mache lock painted with gray #12 - looks real enough, but fragile when tested
Yeah, right.
Barring the obvious morons that do not, most domains are going to have local admin restricted.
And I am sure the majority of slashdotters know the old 'unplug lan to bypass GP' trick.
And if the local admins did lock down the computers, I sincerely doubt the taking home of the HDD. Speaking of which, what are you talking about, the hard drive itself, or referring to the entire computer like half of the blissfully ignorant that go to Best Buy for computer repair?
Tech: 'Just bring in the computer'
Customer: 'I have to bring in the entire computer and mouse and keyboard too?'
Tech: 'No, just the box'
Customer: 'Oh, just bring in the (interchangeable) CPU/HardDrive?'
Tech: (sighs) 'Yes, just bring in the CPU/HardDrive'
That will be exceedingly difficult to get permission to do.
I dont recommend 'borrowing' a computer at a place of work without permission.
So, having said that, do you have anything of value to add to the thread?
It in fact is a good idea since it will make potentially insecure devices easier to manage. The feature has been available before but sometimes making the feature more easily found is good.
Boredom's not a burden anyone should bear.
If you want your tunes....Why not just connect the iPod mini-stereo out to the input of the soundcard? I don't see why a corporation would allow you to connect the iPod...Reeegardless
Squidward: "Spongebob, If I had a dollar for every brain you don't have, I'd have 1 dollar."
Plugging a laptop into the ethernet port: Couldn't add stuff to the network like that.
:-(
But I'm willing to bet that taking the machine off the network for a few minutes and plugging it into the same hub as your laptop or portable storage device, would allow you to upload anything you wanted from the target computer.
As you said, popping a hard drive in and out shouldn't cause too much concern. And if you were a bigger company, everyone wouldn't always be in view. Thus the company does have to trust the employee.
Javascript + Nintendo DSi = DSiCade
I've worked with OS X Server since it first came out, and it has always had control over 3 types of media: HD, CD, External; for each you can set it to either deny access totally, make read only, or require authentication to access. Microsoft is just slow on the uptake.
It's too bad the article doesn't specify whether the 'security' features will allow IT to distinguish between devices on that USB port.
Is this a read/write thing that only affects mass storage devices, or will it support a higher level of granularity to select tools like PDAs and blackberries?
If your company wants honest employees, they won't be hiring iPod-owning, music-stealing anarchists.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
How about they do a better job of maintaining vigilance on keeping things like malware, and crapware from being installed by using their integrated browser.
On the list of things to tout, that should rate higher than the ability to keep someone's keychain or iPod from being plugged in.
There are 01 types of people in this world. Those that understand binary, and me.
alias usb_storage off
Linux is way ahead, again. Because on your normal Linux desktop installation, only root can mount USB devices. That's safety!
(In the past, the administrator could delegate the authority to mount certain devices by placing "user" entries in the fstab list. But modern distributions, like Red Hat, automatically overwrite fstab each time hardware is inserted, ensuring that ONLY root can use thumbdrives)
It seems to me that Micro$oft's primary plans for the near future are to invent and patent the wheel.
igor
And CD/RW?
And DVD RW?
And USB keys that masquerade as a different device now?
And a drive that sits on the network connection rather than the USB connection?
And devices on your wireless link?
And Firewire[tm]?
My guess....
When the current generation of devices gets restricted, manufacturers will create devices to spoof Windows, bypass the blocks, and keep sales healthy. Isn't that always the way?
Besides, even when security is provided, shockingly few companies actively implement it properly.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
In /etc/modules.conf:
alias usb_storage off
In the movie "The Recruit" the agent snuck out data using an external storage devices. That kept me awake for days.
Mr or Mrs Coward:
Can I call you Anon? What you're missing, Anon, is that this isn't a feature, it's something that should just happen as a result of competent system design. The fact that Microsoft had to add it as a new "feature" rather than having it be something that any admin could implement by following a simple configuration formula... THAT is the problem. Why is that a problem? Because:
1. If Microsoft hasn't "invented" a particular feature yet, you're stuck... you either have to wait, or hope that someone with a lot more time than you can reverse-engineer Microsoft's undocumented kernel interfaces or otherwise figure out a way to wedge an application in between Win32 and the kernel.
2. Each feature adds complexity, which means the system as a whole is less reliable than it would otherwise be.
3. Since each of these addons is narrowly targeted to solve one problem, one instance of a security hole, there are entire classes of exploits similar to the ones that are already known that are waiting to be discovered. Also, they tend to be "thin" protection... once through the one hole, you're in.
4. Because of the complexity and the lack of overlapping layers of protection, it actually becomes possible for an exploit to use a security feature to its advantage... such as those viruses that can't be removed unless you disable system file restore.
The point is, Microsoft's piecemeal approach to security is dangerous, and it must be embarrassing because NT itself has a rather complete security model that *could* be used to better effect. The only problem is that Win32 would have to become a compatibility subsystem for old code, rather than the native API, because fixing some of the problems at the kernel level would break Win32 and many Win32 applications. Internet Explorer, for one, and any other application that uses the MS HTML control... including the desktop.
I wouldn't worry, they can't even secure their own OS ;)
Bottom line: There is absolutely no point in banning removable media access if I have a dedicated internet access already! A person who really wants to steal company data, will always find a way. So why prevent use of a beneficial technology?
rwx
Coderz 4 Life
Doors are useless. You're missing the fact that these don't work for folks that know what they're doing, which is who you're trying to control. Everyone else, i.e. the people that are just trying to get in and out of their house are the ones impacted by these doors.
Doorways may be a closeable hole. Are you going to close these too:
1. The windows. People try. But if you can throw a rock, brick, or wield a baseball bat, you can get through a window. You may use double-plated glass, etc. That doesn't close the "hole".
In fact, anyone worth their salt can break a window and go through it.
2. The chimney, say accessed via a ladder or grappling hook.
3. The skylight. Roof access is attainable via ladder or nearby trees if so inclined.
4. The crawl space. You could cut holes up through the bottom all day and nobody would see you.
Given all of this, I'd say it's pointless to try to close all the holes without a ground up redesign of how houses work, and even then, there are ways around it.
In conclusion, I think doors are pointless. They don't keep anyone out that really wants in. For that matter, windows and walls should also be done away with. I see no point in closing off what access we can. It's better just to let those who want access have as easy and fast a go at it as possible.
3/4 of the posts I've read are blasting MS for this. Why? Did you people even RTF extract?
MS is not banning you from using these devices. It is setting up a way to ban them. You decide to set it up or not. This is a way for companies to lock down their networks a little more. This isn't an abuse against you. We're talking about machines you don't own here...property of the corporation you work for...
Geez. Plus, doesn't Linux already let you do this? So, why doesn't Linux get flack for this?
Let's be fair people. Just cuz MS is doing it, doesn't mean it is evil.
-Mark
Dovie'andi se tovya sagain.
USB devices Will Have Ability to Ban Longhorn from accessing and exploiting their content.
Doesn't iTunes launch if you plug in an iPod to your Mac? How about if I craft an iTunes/iPod database that causes exploits in iTunes due to buffer over-runs?
Seems like you're mostly there then.
(I could be wrong, but I do remember iTunes popping up annoyingly when plugging my iPod in.)
How exactly do you turn off all the output devices on your computer without making it into an expensive paperweight? This isn't security. This is marketing.
Saw this at OSNews with the summary of "Windows makes it easy to quickly download files to iPods and other portable storage devices--a little too easy in the minds of many IT managers.".
;)
The article is a calm, rational article about how IT admins expressed security concerns over the fact that it's so easy to copy files to portable storage devices like iPods and USB drives. Because of this feedback, Microsoft is allowing sysadmins to block access to those devices if they wish.
Fast forward a few hours and I come to Slashdot, and suddenly the summary makes it out like it's a cyber-rights issue. They're even blocking iPods!!! A quick reference to an out-of-context phrase like "the threat posed by digital storage devices," a little bit of twisting so that this sounds like a censoring issue, in addition to a submitter named "slashdotbs" who obviously knows what's going on--and it was a shoo-in that Michael would seize upon this oh-so-important cyber-rights article where Windows actually allows sysadmins to block access to portable storage devices! Gasp!
10. The speaker/headphone outputs. Admittedly dumping info from the computer in Morse code does have a few problems with data rate.
One line blog. I hear that they're called Twitters now.
Wouldn't it just be enough to mount the fucking USB or FW-device with the NT-equivalent of noexec, nosuid, nodev ?
I mean, floppy drives are shit, yes, but sometimes these USB-keys are useful.
But I agree that there are situations where nobody will ever need this and being able to just deny it by software is a useful option.
But why do they try to lump all use-cases together ?
Rainer
Windows 2000 - from the guys who brought us edlin
I'm probably jumping on the wagon late here, but here it goes.
;)
Microsoft will allow IT managers to block devices such as USB memory keys and - shockingly! - iPods.
Believe it or not, this cannot be construed to be an anti-iPod move. Giving people the option to not allow iPods does not an iPod ban make.
Slashdot, blahblah, kneejerk, blahblah, Microsoft, blahblah.... You get the point.
And congratulations to me for my 101st post!
Karma: Bad (mostly due to all those "In Soviet Russia" jokes)
This isn't so bad - it might mean companies don't have to ban these devices outright if they have a way of preventing them from interfacing with their network. Implementation issues aside, I'd rather listen to music at work with my DAP, even if I can't hook it up to my workstation, than have to sit all day listening to the hum of fans blowing, the beeps from detected bit errors, inane colleague conversation and random cellphone activity.
No, but your sysadmin would just set a password on BIOS startup, preventing you from unauthorized rebooting. Who's to say they'd even allow booting from CD? I don't allow it on my network.
You are obviously a pro-MS whore who hates Macs because you can't afford one and it's a better computer and does graphics better and an iPod is the best mp3 player because it has a scroll wheel which no one else has. I will mod you down as flamebait because you're an obvious Mac hater loser.
A more simple alternative? Disable it in BIOS.
"On a scale from 1 to 10, people are stupid"
... as of... today? (with pretty gfx too!) Just go to a user or group entry and select managed preferences... you can disable access to optical media (be it recordable or not) and external or internal HD... welcome to the preset Longhorn. (Note... I'm not an Apple shill... I'm a Linux guy, but I happen to own a TiBook just for the sake of running OS X, which is UNIX bliss). And BTW, this stuff is a rather trivial application of group/device-file membership tuning, you could do it yourself on a simple /etc/groups file. Yawn.
I wonder who is the instigator of all the bullshit I do - Altan
> 5. Floppy disk drive
Nope, can't. That's dead.
I've worked for many companies who would lock down or remove floppy drives, unused connectors, lock down BIOS passwords with hardware intrusion detection, and even diskless network workstations.
It's not a new idea to disable write access to devices, but I thought one company had an even more effective approach. They encrypted all floppy writes. If you tried to use the disk on a machine that didn't have the corporate image, it was junk.
Don't forget that when you're dealing with corporate desktops, the users don't have "rights". They are employees, there to do a job, not to install gadgets on company hardware in violation of security policies.
I do not fail; I succeed at finding out what does not work.
"...prevent data from being written to USB devices...." This means you could still READ from such a device, including an iPod, without the risk of writing sensitive information to the device. Sure...good job Microsoft.
Heh. "realistic"
Doug
http://www.powerpage.org/cgi-bin/WebObjects/powerpage.woa/wa/story?newsID=9993 /articles/02/09/26/0058238.shtml?tid=107
http://slashdot.org
It sounds like you are arguing that since there is always a way around security we might as well have none at all.
No, I'm saying that because this tactic does little to combat this particular security hole, that security would be better attained through other methods. For instance, doing a better job of limiting a user's access to the files they really should have access to. Another much better method would be using a file system that keeps a log of file access. That way there is some accountability for copying files (people would be less likely to steal data if they know that action is monitored and recorded).
In other words, this is like having a room you want secured with 3 doors, and just locking one of the doors with the naive hope that no one will try the other doors before giving up. Either find a way to lock all the doors, or don't lock any of the doors, and instead put a nice surveillance system up to deter people from trying to open the doors in the first place.
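Since the post above asks for accountability (a log of who copied what) rather than just one locked door, here is an added example of the logging side on Linux. It is my own code, not from the thread: it parses kernel messages for USB mass-storage attaches, pulls out vendor, product and serial, ties each to the block device the kernel assigned, and flags any stick whose serial is not on an allow list. The dmesg lines and the allow list are constructed; the message formats are the kernel's usual ones, and the sd-to-port pairing assumes the "Attached SCSI removable disk" line follows its usb-storage line, which is how the kernel orders them.

```python
import re
from dataclasses import dataclass

# Constructed kernel log lines in dmesg format (not captured from a real
# host): an approved stick on port 1-2, an unapproved one on 1-3, and a
# non-storage device (a wireless receiver) on 1-4.
SAMPLE_DMESG = """\
[  201.101] usb 1-2: new high-speed USB device number 4 using xhci_hcd
[  201.230] usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  201.231] usb 1-2: Product: Ultra Fit
[  201.231] usb 1-2: Manufacturer: SanDisk
[  201.231] usb 1-2: SerialNumber: 4C530001AAAA
[  201.300] usb-storage 1-2:1.0: USB Mass Storage device detected
[  202.450] sd 2:0:0:0: [sdb] Attached SCSI removable disk
[  340.010] usb 1-3: new high-speed USB device number 5 using xhci_hcd
[  340.150] usb 1-3: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[  340.151] usb 1-3: Product: USB DISK
[  340.151] usb 1-3: SerialNumber: DEADBEEF0001
[  340.220] usb-storage 1-3:1.0: USB Mass Storage device detected
[  341.400] sd 3:0:0:0: [sdc] Attached SCSI removable disk
[  400.000] usb 1-4: new full-speed USB device number 6 using xhci_hcd
[  400.100] usb 1-4: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03
[  400.101] usb 1-4: Product: USB Receiver
"""

# Constructed allow list: serial numbers of sticks the company issued.
ALLOWED_SERIALS = {"4C530001AAAA"}

USB_RE = re.compile(r"^\[\s*[\d.]+\]\s+usb\s+(\d+-[\d.]+):\s+(.*)$")
STORAGE_RE = re.compile(
    r"^\[\s*[\d.]+\]\s+usb-storage\s+(\d+-[\d.]+):[\d.]+:\s+USB Mass Storage device detected")
SD_RE = re.compile(r"^\[\s*[\d.]+\]\s+sd\s+\S+:\s+\[(sd\w+)\]\s+Attached SCSI removable disk")
IDS_RE = re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")


@dataclass
class UsbDevice:
    port: str
    vendor: str = ""
    product_id: str = ""
    manufacturer: str = ""
    product: str = ""
    serial: str = ""
    mass_storage: bool = False
    block_device: str = ""


def parse_dmesg(text):
    """Return the USB devices seen in the log, in order of first appearance."""
    devices = {}
    order = []
    pending = None  # mass-storage device still waiting for its sdX line
    for line in text.splitlines():
        m = USB_RE.match(line)
        if m:
            port, msg = m.groups()
            if port not in devices:
                devices[port] = UsbDevice(port=port)
                order.append(port)
            dev = devices[port]
            ids = IDS_RE.search(msg)
            if ids:
                dev.vendor, dev.product_id = ids.groups()
            elif msg.startswith("Product: "):
                dev.product = msg[len("Product: "):]
            elif msg.startswith("Manufacturer: "):
                dev.manufacturer = msg[len("Manufacturer: "):]
            elif msg.startswith("SerialNumber: "):
                dev.serial = msg[len("SerialNumber: "):]
            continue
        m = STORAGE_RE.match(line)
        if m:
            port = m.group(1)
            if port not in devices:
                devices[port] = UsbDevice(port=port)
                order.append(port)
            devices[port].mass_storage = True
            pending = devices[port]
            continue
        m = SD_RE.match(line)
        if m and pending is not None:
            pending.block_device = m.group(1)
            pending = None
    return [devices[p] for p in order]


def classify(devices, allowed=ALLOWED_SERIALS):
    """(port, serial, block device, verdict) for every mass-storage attach.
    Non-storage devices (keyboards, receivers) are not reported."""
    verdicts = []
    for d in devices:
        if not d.mass_storage:
            continue
        verdict = "allowed" if d.serial in allowed else "alert: unapproved mass storage"
        verdicts.append((d.port, d.serial, d.block_device, verdict))
    return verdicts


if __name__ == "__main__":
    for row in classify(parse_dmesg(SAMPLE_DMESG)):
        print(*row)
```

On a real box you would feed this `dmesg` output or the journal and forward the alerts; a serial can be cloned, so treat the allow list as attribution for the audit trail, not as the lock itself.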
Do the headers really say "Mail.app running on free, bribe laptop?" Wow, who says Apple doesn't let you customize things?
That's way more complex than it needs to be.
Try making your fstab like this:
Now only root can read or write the floppy and first USB drive, and any additional USB drives won't work. You might also want to not install a CD-ROM drive, and make sure "Boot from USB" is disabled in the BIOS.
(minus the space in dmask=0700, slashdot line length formatting...)
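Added example (mine, not from the thread), covering both the noexec/nosuid/nodev question raised earlier and the root-only fstab in the post above: a Python audit over /proc/mounts-style lines that flags removable mounts missing those three flags, plus a helper that emits the restrictive fstab entry. The mount lines and the set of devices treated as removable are constructed assumptions for the sample.

```python
# Constructed /proc/mounts-style lines (not from a real host).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/usb0 vfat rw,relatime,uid=1000,gid=1000,fmask=0022,dmask=0022 0 0
/dev/sdc1 /media/usb1 vfat rw,nosuid,nodev,noexec,relatime,uid=1000 0 0
/dev/fd0 /mnt/floppy vfat rw,relatime 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev,relatime 0 0
"""

# Which devices count as removable is host-specific; this tuple is an
# assumption for the constructed sample (sdb/sdc are USB sticks here).
REMOVABLE_PREFIXES = ("/dev/sdb", "/dev/sdc", "/dev/fd", "/dev/sr")
REQUIRED = ("nodev", "nosuid", "noexec")


def parse_mounts(text):
    """Split /proc/mounts (or fstab) lines into (device, mountpoint, fstype, [options])."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        dev, mnt, fstype, opts = parts[:4]
        rows.append((dev, mnt, fstype, opts.split(",")))
    return rows


def audit_mounts(text, prefixes=REMOVABLE_PREFIXES):
    """Return {mountpoint: [missing options]} for removable mounts lacking
    any of nodev/nosuid/noexec; mounts that carry all three are not reported."""
    findings = {}
    for dev, mnt, fstype, opts in parse_mounts(text):
        if not dev.startswith(prefixes):
            continue
        missing = [o for o in REQUIRED if o not in opts]
        if missing:
            findings[mnt] = missing
    return findings


def hardened_fstab_line(dev, mnt, fstype, root_only=True):
    """Build an fstab entry with the three restrictive flags. With root_only
    no 'user' option is given, so only root may mount it, and for FAT media
    umask=077 keeps the files readable and writable by root alone; otherwise
    'user' lets ordinary users mount it, still with nodev,nosuid,noexec."""
    opts = ["noauto", "nodev", "nosuid", "noexec"]
    if root_only:
        if fstype == "vfat":
            opts.append("umask=077")
    else:
        opts.append("user")
    return "%s\t%s\t%s\t%s\t0\t0" % (dev, mnt, fstype, ",".join(opts))


if __name__ == "__main__":
    for mnt, missing in sorted(audit_mounts(SAMPLE_MOUNTS).items()):
        print("%s: missing %s" % (mnt, ",".join(missing)))
        print("  suggested:", hardened_fstab_line(*[r[:3] for r in parse_mounts(SAMPLE_MOUNTS) if r[1] == mnt][0]))
```

Note on fstab semantics: the `user` option already implies noexec, nosuid and nodev unless you override them, so the non-root variant keeps the restrictions; dropping `user` means only root can mount, which is what the post above is after with its mask. None of this helps against booting something else, hence the BIOS lockdown advice in the same post.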
So what's to stop someone from making a USB disk key that pretends it's a printer and stores data as postscript? You could even have it masquerade as a regular Epson printer or anything else that appears benign to the system.
Enter Zip Linux - Linux on a 250mb zip disk. Just boot into it and mount the NTFS filesystem.
But I'd prefer to disable USB in the bios and lock the bios - but the IT guys never do that - it means they have to remember the password.
Save Pangaea!! Stop Continental Drift!!
Removable storage devices can be a security risk, I don't think anyone can seriously disagree with that.
Obviously Microsoft has received many requests for better control over how these devices are used. So, they listen and go ahead adding mechanisms that administrators can use.
Now, how can this be a bad thing? What's wrong with adding new tools to the administrator's security toolbox? Sure, there are pitfalls and there are other methods, but why not just welcome this change, bolt down this door and move on to the next?
AC
Oh, so what you're saying is that you've got no idea what GPO's are, and you're just karma whoring. Very well. Carry on.
Set NTFS encryption on all sensitive files and directories.
Boot away, all those files and directories are now gibberish.
Would I trust this enough to put the firing codes for the US nuclear arsenal on a publicly accessible PC? Of course not. This scenario is still pretty dicey, especially if people choose crummy passwords.
But while information needed to diddle the SAM database so you can get access to an NT system is widespread, so far as I know nobody has found a way to crack the NTFS encryption for a well chosen password.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
There's a way to fix this too. Set your firewall to ONLY allow outbound HTTP traffic from your web proxy.
How about crappy stuff coming IN?
As in trojans, etc getting onto the network because some doofus thought it would be cute to use his ipod as a storage device between home and work...
Given all of this, I'd say it is pointless to try to close all the holes without a ground up redesign of how operating system security works, and even then, there are ways around it. Neither Microsoft nor industry is going there any time soon, so why get in the way of folks just trying to get their work done if the problem isn't really solved?
Like the Trusted Computing/Palladium thing?
Why wouldn't you just open the box and disconnect the interfaces you didn't want used? Hell, why not REMOVE them?
"But we use USB keyboards waa waa waa"
"and I can hook up a hard drive to the parallel port the printer uses, so cry me a new one"
You don't depend on software made by microsoft to protect your data. The software "disabling" of specific hardware devices hooked up to USB seems like mental masturbation. It's what MS is good at I guess.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
The way it blocks usb devices is it reformats the drive with the winfs, which longhorn cannot read. heh
Does the MCSE require people to know undocumented (or "not present by default") registry settings or just click on dialogs that have simple options? ;-)
OS X Server + LDAP + Workgroup Manager + OS X Clients = been there, done that.
I can lock users out using any optical drive or any external drive. Per user account, not machine.
Some users can burn CDs, others can't. In the drag and drop install world of OS X this makes a lot of sense. Machines I administer belong to the enterprise not the user, the company owns them and dictates how they are used. End of story.
In a word: Bullshit.
I plugged in a USB key that had no problems with 2k/xp, but once I plugged it into a fully updated 98se box and it asks for a driver disk on floppy.
Considering 95/a had no usb support, 95b had "dos mode" usb if you were lucky, 95c was slightly less of a joke, 98 was so-so and NT4 was a not-a-chance-in hell without a 3rd party and still a "maybe works".
Remember the "Death Of The Floppy" article yesterday (IIRC)...some installs *INSIST* on a floppy.
I honestly don't think the guy ever had to deal with USB on anything other than 2k/xp, because most devices had "support", but almost always device specific drivers were needed.
(Oh, yeah, I neglected WinME because it only took my boss 1.5 weeks before deciding it was a PoS and going back to 98se for a VOIP phone's software)
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Just because you wish that employees be treated as automatons with no ability to make intelligent choices doesn't mean you should.
A USB drive is not a gun. And I don't think guns have much utility in the typical workplace...
If you want employees to be effective and efficient they need to be empowered to do their work. Putting in artificial roadblocks is just red tape. You need to justify that policies will do what you want them to do. Otherwise, they just get in the way of good people trying to do their work.
If they are the small percentage with bad intent, actually looking to do damage, you're fighting a lost cause. Managers need to know, monitor, and demand that policy be followed. An important aspect of that is not making pointless policies that don't solve a real problem.
A friend of mine knows a guy that took with him military secrets using a USB pen. Why he took them? He had no clue. He just thought of it as "cool". (stupid fuck).
Anyways, it's so easy to steal data now, that I no longer trust any firewall. We need settings like this.
Or you can just lock up the computers like my college does. As I said in another thread, to stop people from plugging in extra drives (which wouldn't get automatically scanned on open by the half-assed antivirus software), they basically screw on a bracket that only lets you access the headphone jack.
Better yet, you can go the litigious bastard route and just sue the employee when they pull stupid shit. But even so, if they pull stupid shit that it is entirely within your power to prevent, the fault lies with you, trust or no.
If current versions of Windows didn't have this ability from Day 1, my opinion of Windows just slipped another notch.
Daniel
Hurry up and jump on the individualist bandwagon!
This actually makes a lot of sense. A friend of mine worked at AOL a while back and you weren't allowed to bring any electrical equipment in with you because of the sensitive information you had access to.
Now of course, this wouldn't stop everyone just think, our very own Think Geek has usb WATCHES, not something you'd look for. So, having this sort of feature is not really a bad idea after all. It'll probably be selective too so you could decide what sort of devices to all, some people use external Hard drives all the time for extra storage.
It only makes sense to lock out any use of a computer other than the job at hand. After all, we are only extensions of our tools, not sentient individuals. It's just like prohibiting seamstresses from talking or looking out the window. Granted, they don't use the sewing machine to communicate or gain a view to the outside, but still...
-Rich
This is an insight none of us should ever forget.
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
"Talk minus action equals
I understand what you're getting at, but it's faulty reasoning. You either grant access to the data or you don't. If you have access to the data, then preventing one means of access isn't going to do anything to stop the other means of access. The person could always resort to printing out screenshots or writing the information down.
This is a "feature" in Longhorn? *yawn*. Sorry, but I'm not impressed when an OPTION in my BIOS settings is now considered a feature in some M$ product...
At the Home Depot, they just disable the USB ports in the BIOS, force a boot off the hard drive, password protect the BIOS, and have no floppies or CDROMs on the boxes...
Everything is a custom Web-enabled app - there is no web access, and you go where they want you to.
Ummm, gee, they don't really have too many security issues... Yes, you could put a sniffer on a network line and capture stuff, but everything they have are switches, so you don't see too much unless you're in the computer room - and that's right by the Mgr's office so...
Physical security is possible - you just have to design it from the get-go...
Now as for being able to enable/disable USB ports for admins/non-admins - that might be useful, but if I really didn't want the stuff going out the door, I'd go with the BIOS option rather than the swiss-cheese OS made by M$... Chances are someone's not going to hack out the BIOS pw, but they'll definitely figure out some fuckup in M$'s junk eventually...
And yes, they could just take the box - but that's always an option...
I guess your view of security is a little different depending on your requirements. If you deal with sensitive information then it's quite normal that you already have a third party tool installed which manages access to all these devices across the enterprise. I know we have. And it's centrally manageable per user/machine/group/whatever. So if someone gets permission to use a cdrom, we can enable usage of that particular CD, for a preset time if we like.
The product is called SecureNT and used in conjunction with SecureEXE it's just lovely.
I guess the co that makes these products will go out of business though if MS can make it just as easy and powerful to use/manage.
This feature will not be turned on by default. I probably won't enable it in my office. If I were the administrator of a bank, hospital, or defense contractor, however, it would be turned on in a heartbeat. As for your other options, I happen to know that hospitals have designated machines with e-mail and net access, and those are not on the same network as the other machines, nor are those networks connected to each other.
You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
-- Colonel Adolphus Busch
Yes, corporations must comply with the law. Employees must comply with the law. That means teaching them what they must do to comply, making it easy to comply, and monitoring that they comply. Nowhere did I argue that sensitive data should not be protected; passwords, access controls/rights, and encryption can give you those things.
Keep in mind that somebody has the keys to the data. There's no way to enforce proper behavior short of assigning someone to monitor him 24/7. And there are always holes.
For anyone that doesn't have the keys to the data, banning storage devices does no good; they theoretically can't get to the data anyway.
Your best bet is to restrict data access to those few who need it (the gatekeeper), and then get to know/monitor/know you can trust the guy.
Neuron-R media could store sensitive information which could be transmitted through the Mouth port or Hand printer.
Your security team is apparently *NOT* good at what they do. Blocking outgoing SSH via http-proxy is dead simple. It takes a couple of minutes to set up squid as a transparent proxy, which will very simply thwart your attempts.
I've got a Knoppix CD that says they're wrong...
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
OK, I may be reaching with this assumption, but in thinking over different companies and positions I was entertaining a sysadmin position at, this actually came up.
;)
Thinking, well, working at company A, I have total flexibility, lack of control for anything IT related, I can do what I want and nobody would be the wiser. Then it hit me, company B has tight security, they'd be the type to implement this USB drive thing, and I thought, wait a second, I'D be the guy implementing it.
I'm posting this only to offer another point of view to when you say "But you're missing the fact that these schemes don't work for folks that know what they're doing, which is who you are trying to control."
In my opinion, the people who it would affect, the people you're trying to control, are the sales people bringing in pictures of their latest fishing trip or the receptionist with pictures of her kid. The people who 'know what they're doing' are going to be your programmers who need access to more than the avg joe from the start, or the admins who will have administrative access and the ability to make exceptions for themselves anyway. I do realize the risks of taking things AWAY from work, too, plans, specs, code, whatever, and yes, the determined person will find another way out just as you demonstrated with your list of alternatives. They can use things such as ftp or floppies or printers or something, but does that mean that closing this hole is a bad thing? Sure it doesn't solve all of your security needs, but you cannot deny that it's a step in the right direction.
I'm normally as critical of MS as anyone else here, but recently I've been more and more impressed with them, and this is just one reason.
Again, I may be off base and missing something, but in my decaffeinated state, that was the raw opinion that jumped into my head.
-matt
NT
I remember rolling out PCs in the 80's at a bank. Those damn floppies were going to let workers STEAL all of the mainframe data! And yes, I have always considered a floppy to be an external storage device.
My wife doesn't listen to me either...
Isn't that one of the obvious security risks businesses face these days? Ex-employees walking off with sensitive data?
Good idea, methinks. I like this one.
Ok, troll away...
Warning: May contain nuts
There's one more output left - i.e. through the VGA port. I predict that in 10 days or so someone will come up with a USB-VGA portadisk. Of course MS, in all its wisdom, will then shut off all reads and writes to the VGA port, and all sysadmins will be excited that they have stopped the data from leaking out the VGA port, by cutting off the wire to the VGA port.
Note to MS and Admins - don't fight a losing battle. As long as there's at least ONE output port involved, data can and WILL leak.
Maybe we should go back to punch cards so that the stupid fucks in suits can feel better. I come across admins who shut off other people's USB ports but happily have their own USB ports enabled for burning CDs. OK dork, if your USB port is useful to you, why isn't mine useful to me ???
dumbasses. I've actually walked up to one admin's cube and shown my CEO how I can abuse the admin's cube, copy data and leave a trail TO the admin. Then I asked the CEO in front of the admin, "of course, you're going to fire him now, aren't you ?". CEO chuckled, and said admin hasn't troubled anyone since.
Sig Heil: Scumerica - Land of the Free* (* 18+, valid papers, health insurance, some restrictions apply)
What I think the parent post meant is that in Windows you have very little control of what people can and can not access in terms of devices. For *nix you can specifically change who has access to what and even add special permissions so that maybe they can access the floppy but not the CD-ROM or anything you do or do not want them to do (take out HPFS+ support to get rid of the iPod). I consider having no control of what people are allowed to access a flaw for an OS, but that's just me. On a side note, people here always complain about Linux zealots... but it seems that many people on Slashdot don't know the first thing about it. With basic knowledge of automounter, sudo, devfs, or chmod one would know that *nix systems slaughter Windows in terms of privilege control...
This is certainly a useful feature for sysadmins, but could be painful for home users. Home PCs are notorious for a lack of current anti-virus protection. The first virus that infects them and enables the setting that prohibits removable media/drives (and monitors that setting so if it's changed it gets changed back automatically) will mean users are forced to re-install Windows, which 90%+ of home users cannot manage by themselves.
We all know that Slashdot is in bed with Apple for free laptops (correspond by email with any of them and look at their headers... OS X/Mail.app all over the place)
Maybe they just like using an operating system with the stability of a *nix, without all the configuration issues of one?
Nahhhhh, why would someone want that?
You can protect all the data on the machine by removing the keyboard and monitor ports, and all the I/O ports, and welding the case shut, and bolting it to the floor.
But that machine won't be good for much anymore. The correct place to control is not the I/O ports (with the special exception of networking ports that connect to the outside world... and even then you don't control the ports, you do in/outbound firewall and proxy at the software level).
Placing sales peoples pictures on a machine with sensitive data isn't a problem. Copying sensitive data off the machine is. Protect the data (access rights, encryption, etc.), monitor the employee.
Short of crap like Trusted Computing, copying is not controllable, because machines are designed to efficiently process and share data. That is their purpose and they are not useful if you can't do those things. If you want to protect the data, encrypt it, access control it, firewall it, and only share the keys with those you have good reason to trust.
jhoger, why do you keep arguing your point? Your original post about "why get in the way of folks just trying to get their work done if the problem isn't really solved?" read like a sad emotional plea from a kid threatened with losing his play time. Eravau's analogy (parent post) of a door (=USB port) on a house (=computer/data) showed just how flawed your logic is, and I can't think of a better or more obvious counterexample than that one.
I've worked with guys like you before, and they were truly a menace to the welfare of the overall state of IT. The world is a bit more complex than you make it out to be. At the same time, if you understood some basic principles of security, you would realize that predicting and preventing specific attacks is the foundation of a good defense. The more you can prevent, the better defended you are.
So until there IS a more holistic way to protect data (e.g. hardware-implemented DRM, of which I'm sure the idea gives you nightmares), security will be done by making theft hardER for would-be thieves. And if that costs Samir-Nayeenanajar-random-programmer 10 minutes a month where he has to fill out a "backup authorization form" or some such nonsense, then that's the price you pay for knowing your data is (that much more) secure.
If *I* really wanted to steal something, the only way you could stop me is to disable access to ***ALL*** i/o -- including sealing the serial / parallel / audio ports, AND hard-wiring the mouse, keyboard, ethernet, and monitor connections -- at BOTH ends. Leave ANY of those open, and I'll be able to write to magnetic media, UNDETECTABLY to anyone who isn't standing next to me at the moment when I'm connecting my evil capture device.
And even after you do all that, I can STILL transmit data -- encoded (e.g., barcode) in high frame-rate video -- from one tiny innocent-looking window, to a button-hole video lens in my shirt.
Then there's EM emissions recording.
IOW, if you don't strip-search me, your data is "gone in 60 seconds".
You're right. They should leave the ability to disable USB devices until every other door can be closed at the same time.
"Derp de derp."
... just use windows 98, which doesn't support usb drives to start with...
"I think it would be a good idea" Gandhi, on Western Civilisation
What's to keep someone from saving the info in another file? Nothing, at least nothing on M$.
This is just a band-aid for Microsoft's crummy networking. A competent system would all operate on a remote server in such a way that the "sensitive" data is never on the user's machine except as display windows that don't contain more than a few kB at a time. This significantly reduces the number of machines you have to worry about. Microsoft can't handle tasks like that because their software usually requires a local copy of the information to work.
Those most likely to use this will really have the least amount of information that's useful to others in the first place. Ignorance goes hand in hand with such worries.
Friends don't help friends install M$ junk.
A lot of drivers in Linux can be built to access stuff read-only. Everything from particular partition types to USB and floppy.
Now why is it even news? At long last Microsoft does basic system protection? OK, where is the noexec flag for the mount point as well, so people have a hard time running programs because it does not let them? Note allowing mounting read-only is another option in Linux. I.e. the user can mount anything, but anything they mount is read-only.
Managers don't believe users can send confidential information outside the company by uploading it to external web sites using HTTPS. Why not? Because they look at their silly "windows explorer" and all the drives they see are on local machines and company servers - so they "assume" that files can only be copied to those places - local disk, company server, cd-rw, usb drive.
Security will never evolve without the really bad things happening once in a while. Sadly, the largest percentage of people - including most managers - is still without technical knowledge, without any kind of common-sense, and without the required amount of humbleness to realise that they don't know anything about it and they should ask a professional.
free the mallocs!
floppy drives and CDRW too...
Personally, I wait for the first virus/worm that disables USB devices.
Well, better not upgrade too soon then eh...
Photographing screens makes getting through this impenetrable security...a snap. For less effort, putting monitor video through a recorder would get everything that you could display on a screen. Better hire screening would provide much better security than all this folderol. All of this might keep the honest employee free of the temptation to casual snoop, but it wouldn't impede a determined thief.
Yes you've worked with guys like me before. We're called Engineers.
I've worked with guys like you before. You're called... to fix my email or because I can't print...
Do you seriously think Office Space is an example of how corporate IT should work? It was a frigging SATIRE for chrissake!
Access controls and permissions should be properties of the user and the file. Not the I/O port. That's just my opinion, so sorry if that offends you.
In a large corporation tight security makes a lot of sense; the more employees, the greater number of potential thieves, and the less chance of real intimate knowledge of co-workers. For most companies, however, draconian security measures really don't prevent theft, but encourage it. Good developers know way more than most sysadmins about ways to smuggle data off a system. Treating intelligent people like irresponsible children is just a good way to piss them off. Bad idea, in general.
"administrate". Sort of like "administer" and "castrate" combined.
:)
I'm going to have to use this word more often...
(If I may add):
10. Pen and paper.
11. Voice to digital recorder.
Authority questions you. Return the favor.
Our Dells have the BIOS locked down via password, and they store that and other bios settings in non-volatile flash memory.
-ted
Most employees do not need access to the server room. Therefore the policy on access to the server room is "Access denied unless required". Show a valid reason to require access to the server room and access will be granted.
Most employees do not need access to the payroll system. Access denied unless required. Show a valid reason to require access to the payroll database, and access will be granted.
It's the same thing with USB storage devices. Most employees don't need it to perform their duties and it is now trivial to block access - Access denied unless required. Show a valid reason to require access to your USB storage device, and access will be granted.
It's really not that draconian folks, get over it.
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
It's a very new technology from the company everyone loves to hate, but the new Information Rights Management (IRM) capability in Office 2003 looks like a potential solution to this problem.
I work on the principle that a user, if motivated enough, will get a copy of the file off site. USB key, CD-R, email, laptop, take out hard drive, print out a hex dump of file then fax and OCR it, carrier pigeon
With IRM, my understanding (untested at this time) is that you can flag certain document types so that they have to be verified against the rights management server, which would be a box on your internal network.
So - good for you - you've snuck the file off-site. So when you go to open it up, the file (only openable using Office 2003) recognises that it has to be verified against the central rights server - and if that can't be contacted, then you don't get to open it up. This means that the data on your CD-Rs / USB keys / whatever are no use when off-site. It's the document itself that becomes protected, rather than stopping users from taking advantage of any number of methods to get a file off-site.
Of course, perhaps the technology doesn't work that way in practice, but it's on my to-do list of technologies to evaluate for precisely this purpose.
Aegilops
They are.
The ability to block USB keys?
How about installing NT4. That will lock it down good!
But seriously. W2K has that ability as well. Just take out the users right to connect USB devices in the policy. Presto. I don't see the diff.
It's really hard, but not impossible, to stop experts from stealing/destroying/modifying data.
But in most cases, the people who are actually doing these things are *not* superhackers, or even mediocre hackers, or even doing it on purpose.
Thus, most people can be stopped by relatively simple stuff.
Removing easy access to external storage is one of these.
And sometimes one has to accept that your employer might find it unacceptable for you to take sensitive data home over the weekend, onto your possibly insecure, internet-connected home computer, just because it's convenient for you.
/.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
this is the most inane post i've seen in a while, particularly as it obviously took you so long to tap it out with the stick attached to your forehead.
they're giving you the option of locking something down: this is a boon for sysadmins. you can stand in the corner with a dunce's hat on explaining how all this is irrelevant as you could take pictures of sensitive data on the screen and post them to people all you like, but you'll still be being stupid.
if you can show the business you have a legit need for USB pendrives, they put you in the OU container that allows the use of them. if you can't, they put you in the one labelled "smartarse: delete their homedrive at random intervals".
If they design firewall rules correctly, you won't find an open port.
53 tcp/udp - use local dns or selected list of servers
80 tcp - local proxy (transparent proxy works too) no socks4/5
110 tcp - only to selected list of servers.
25 tcp - only to select list of servers.
Done.
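The port list above, rendered as an actual ruleset. This is an added example and not code from the thread: a shell function that prints an nftables egress allowlist for a workstation's output hook (DNS only to named resolvers, HTTP only via the local proxy, SMTP/POP3 only to named mail servers, everything else dropped and logged), plus the Squid ACL that restricts CONNECT tunnels to port 443, which is what makes the "block outgoing SSH via the http proxy" point from earlier in the thread hold. All addresses and the proxy port are constructed values; review the output before loading it with `nft -f`.

```shell
#!/bin/sh
# Added example, not from the thread. Renders an egress allowlist matching the
# posted port list; addresses and proxy port below are constructed values.

# $1: comma-separated DNS resolvers, $2: comma-separated mail servers,
# $3: proxy address, $4: proxy port (default 3128). Prints an nft ruleset for
# the local output hook with a default-drop policy.
gen_egress_ruleset() {
    dns_servers="$1"
    mail_servers="$2"
    proxy="$3"
    proxy_port="${4:-3128}"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet egress {
    set dns_servers  { type ipv4_addr; elements = { $dns_servers } }
    set mail_servers { type ipv4_addr; elements = { $mail_servers } }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr @dns_servers  udp dport 53 accept
        ip daddr @dns_servers  tcp dport 53 accept
        ip daddr $proxy tcp dport $proxy_port accept
        ip daddr @mail_servers tcp dport { 25, 110 } accept
        log prefix "egress-drop: " drop
    }
}
EOF
}

# Squid side: only tunnel CONNECT to 443, so a CONNECT to port 22 (or any
# other non-TLS port) is refused at the proxy. No SOCKS is offered at all.
gen_squid_connect_acl() {
    cat <<'EOF'
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
EOF
}

# Sanity check on a rendered ruleset: the output chain must default to drop
# and end with the logging catch-all, otherwise the allowlist is not one.
ruleset_is_default_drop() {
    printf '%s\n' "$1" | grep -q 'hook output priority 0; policy drop;' &&
    printf '%s\n' "$1" | grep -q 'log prefix "egress-drop: " drop'
}
```

The `established,related` rule is what lets replies to the allowed flows back in without opening anything else; the final `log ... drop` line is the detection half, since every blocked outbound attempt then shows up in the kernel log with the `egress-drop:` prefix.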
the network is isolated from the internet and ports and secured through mac and 802.1x security. computers cannot be just plugged in.
computers should only be able to log in using smart cards.
the computer is now the weakest link, especially the usb devices. we wouldn't want to disable the usb for other devices such as mouse, printers, etc. but we would want to disable the use of usb for mass storage devices.
Live your life each day as if it was your last.
Disable USB, make the hard drive the first boot device, disable booting from other devices, password protect the BIOS, lock the case.
Then use whatever security features are available in the OS to restrict access to things like fdisk, use good virus protection, and limit access (via DNS or group policies for IE) to only trusted/necessary sites.
It's not that hard.
I've used this product, they actually changed the name to Securewave. It's an awesome product, much better than any of the alternatives I investigated.
Cheap storage VM.
I think this is one of those instances in which the PR impact is the true goal, with actual security benefits being a secondary concern. It's somewhat analogous to many of the security measures that government agencies took after 9/11. Just as keeping underground BART (the San Francisco equivalent of the subway) bathrooms closed will not thwart the designs of terrorists, neither will crippling the use of USB storage devices thwart someone determined to steal information. However, both of these measures send a very clear message to the public: "hey, look, we're doing something about your security concerns." Making people feel like their data is secure is the aim here; effectiveness is totally irrelevant.
It's disabled as standard in Debian. I had to add myself to the appropriate groups to access the various types of devices - even audio to listen to my mp3s! Sensible though - wouldn't want a remote user (OK, none on this system) opening the microphone device and listening in.
You could neglect to install the USB mass storage drivers. It becomes harder then, even with root access, to do anything about it. Capabilities can prevent module loading in the kernel so even a root user with a copy of the driver can't use it.
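The two Linux-side suggestions in this thread (read-only/noexec mounts for removable media, and refusing the usb-storage driver even to root) put together as one script. This is an added example, not code from any poster: `lockdown_removable` writes the three layers under a root prefix so you can dry-run it into a scratch directory and diff the result before running it against `/`, and `check_lockdown` audits that they are in place. The device name `/dev/sdb1`, the mount point and the file names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Device, mount point and file names are
# assumptions; ROOT is a prefix ("/" for the real system).

FSTAB_LINE='/dev/sdb1 /media/usb auto ro,noexec,nosuid,nodev,user,noauto 0 0'

lockdown_removable() {
    root="${1:-/}"
    mkdir -p "$root/etc/modprobe.d" "$root/etc/sysctl.d" "$root/media/usb"
    touch "$root/etc/fstab"
    # Layer 1: users may mount the stick, but read-only, with no executables
    # and no setuid binaries or device nodes. Appended only once (idempotent).
    grep -qF -- "$FSTAB_LINE" "$root/etc/fstab" ||
        printf '%s\n' "$FSTAB_LINE" >> "$root/etc/fstab"
    # Layer 2: "install ... /bin/false" makes modprobe run /bin/false instead
    # of loading the driver, so hotplug cannot pull it in; "blacklist" stops
    # alias-based autoload. Neither stops a manual insmod of a copied .ko.
    cat > "$root/etc/modprobe.d/block-usb-storage.conf" <<'EOF'
install usb-storage /bin/false
blacklist usb-storage
EOF
    # Layer 3: once kernel.modules_disabled is 1 it cannot be cleared until
    # reboot, so even root cannot insmod a driver. sysctl.d is applied early
    # in boot, so confirm every module the hardware needs is already loaded
    # (or built in) before shipping this file.
    printf 'kernel.modules_disabled = 1\n' \
        > "$root/etc/sysctl.d/99-modules-disabled.conf"
}

# Audit the three layers on disk; returns non-zero and names the first gap.
check_lockdown() {
    root="${1:-/}"
    grep -qF -- "$FSTAB_LINE" "$root/etc/fstab" 2>/dev/null ||
        { echo "missing read-only fstab entry" >&2; return 1; }
    grep -q '^install usb-storage /bin/false$' \
        "$root/etc/modprobe.d/block-usb-storage.conf" 2>/dev/null ||
        { echo "usb-storage not blocked in modprobe.d" >&2; return 1; }
    grep -q '^kernel.modules_disabled = 1$' \
        "$root/etc/sysctl.d/99-modules-disabled.conf" 2>/dev/null ||
        { echo "module loading still enabled after boot" >&2; return 1; }
    return 0
}
```

The layering matters because each one has a known hole on its own: the fstab entry only governs that device node, the modprobe rules only govern automatic loading, and only the sysctl closes the "root with a copy of the driver" case the post above describes. The price of the third layer is that any module not loaded by the time it fires stays unloaded until the next reboot.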
If you're running a netboot system with X Windows and thin clients - then of course your users aren't actually using the machine they're sitting at - so the USB devices sitting in front of them are not actually present on the machine they're using.
Controlling access to data also involves controlling what may be done with that data, how it may be displayed, where it may be moved. This is just another tool to do just that.
Yes, a skilled attacker can steal from us regardless, but that doesn't mean I should make it easy for anyone with the slightest temptation to walk off with the company database, okay? It's called reducing risk.
Sometimes people need limited access to information.. this is a tool to help limit access.
This isn't something you give to a fairly trusted employee who needs to do lots of varied things with a computer. It's something you give to someone who specifically does NOT need to be, in fact is not allowed to be, copying things on and off their computer.