Slashdot Mirror
Longhorn Will Have Ability to Ban External Storage Devices
slashdotbs writes "CNET is reporting that Microsoft will allow IT managers to block devices such as USB memory keys and - shockingly! - iPods. The article refers to 'the threat posed by digital storage devices'."
Of course, it doesn't prevent it from being plugged in...
Super-glue over the USB port would help with that.
In our hospital our computer people actually cut/disconnected the cables from all the usb ports and cd-roms to increase security.
Of course, the shmucks left IE installed... now they spend a zillion more hours removing spyware than they ever would by me booting to a CDR or USB key.
This is a good thing! Now companies that are tempted to ban iPods to keep their data in-house won't have to. I know I wouldn't enjoy work nearly as much if it weren't for my iPod.
It would help some, but unless they also ban using laptops and allowing people to bring them in and out of the office it's not going to stop someone from taking confidential and proprietary information out of the office.
Unusable.
See, microsoft (lower-casing/deprecation intentional/perpetual) cannot innovate, but they also don't want keychain Linux (or other) OS's piggybacking on the hardware without even having to install. I'll bet ms will eventually slip in the real trojan: BIOS INTERACTIVITY.
Once booted, the windows box will offer the option to lock the BIOS (maybe this already happens, since Linux can permit the knowledgable user to write stuff to the BIOS...)
Then, they'll try to claim a patent on it.
IT managers and savvy computer owners SHOULD be able to-- regardless of OS-- lock down their peripherals ports. Running an OS or being just booted, the ports are an all-too-easy way to pull or vacuum data.
It's just that mshaft is putting a spin on the issue, likely to lay patents over it. But, I think too much prior art in existence should foil any attempt on their part.
David Syes
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
I have an emergency OS X (10.3.5) boot partition on my iPod, so I can boot my machine over firewire in the event of a disk problem. Ta-Da! I think having the option to ban external storage devices is a great feature for an OS to have. But I'm sure there are ways to fool it into thinking it's an internal disk or something.
With the first link, the chain is forged.
As an aside, I wonder how long it will be before we see the first 'boot type virus' (or perhaps a FAT FS virus) on these things like the good old days of floppies?
The referenced item from Intego was about a theoretical Trojan horse that no one appears to have actually taken advantage of to do evil (symantec's take on it. Also a detailed look at the "security alert" can be found here.
Anyway yes any storage device could have a Trojan, etc. dropped onto it. Yet in the case of the iPod and other storage devices (at least under Mac OS X) just because such a beasts exists on the storage device doesn't mean that once connected it spreads (no auto-run of code on mounted devices is supported on Mac OS X without third-party tools).
Not much can protect one from a Trojan if the victim cannot recognize it for what it is (sure virus scanners may hit on it if it is a known trojan).
Anyway the real issue is mostly about users dropping company data onto their iPod, etc. (likely unencrypted) and then walking out the door and possibly losing it...
I believe the /etc/fstab entry would be something like this :
/dev/sda1 /mnt/usb1 auto noauto,user,ro 0 0
Seriously... did anyone else notice that the story was submitted by someone calling themselves slashdotbs?
:)
If it were April 1, I'd think Michael was playing a joke on us, but as it stands, I think someone pulled a pretty good joke on Michael.
I work in the IT dept. of a financial institution. Our info security team is damn good at what they do, and they'll likely recommend that USB keys be blocked when (if) we ever make it to Longhorn - we're still on Win2K for desktops. Still, for all the measures they put in place, I've got ways around them. Port 80 and 8080 will always be open outgoing. So I use 8080 to SSH home, and port-forward all kinds of nifty services on my home network, like SlimServer, PopFile, VNC, and Remote Desktop for my Windows box. If they close 8080, I'll just find a different port.
I work for a rather large firm and recently I was in a spot of trouble my assertion that we were not serious on security because we still us MSIE.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
I just bought a 1GB usb key with the ability to be 'bootable.'
:) )
So, no only do they have to prevent external storage, but they also have to turn off USB booting, and password the BIOS. I don't know if those are standard practices or not.
And, with this ability to turn of external drives, does that retain the ability to use other USB devices? Wouldn't there be some sort of 'spoofing' that could happen? (don't ask my what...I haven't figured that out yet.
--Welcome to the Realm of the Hawke--
At work, we use a program called DeviceLock http://www.devicelock.com/, which allows us to permit/deny access to all I/O on a machine from anywhere on the network, based on username or group. Very handy, since we are still running an NT4-based domain (it's not connected to the Internet, so quit salivating!).
Microsoft in the name of security has done alot more silly things... like the fact that you can't send word/excel docs as attachments using outlook anymore. Instead of fixing their security holes they just disable whatever might cause viruses to spread...
.exe files because that is the only way they can stop people from getting viruses.
Pretty soon MS will disable double clicking
Now if a sysadmin blocked these ports they better have an alternative to getting files off the machine (if files need to be copied somtimes...)
I agree that these USB devices make for an easy way to smuggle files out of an office, but what about an ssh tunnel (are you really going to block all outgoing connections to port 22)? Most offices large enough to have an IT department have a decent Internet connection. There are plenty of other ways to go about smuggling the files as well. The bottom line is that if you allow users access to files, and they really want to take them offsite, they can.
If you can't trust your employees, then you shouldn't be giving them so much access in the first place.
Maybe linux HAS had this since 1991, but linux users also have had control over the service. It won't be that easy with Longhorn. My guess is that you'll have to get a specific license from Microsoft to enable these devices to interact with the system, and even then, only with specific "approved" applications.
I see the business justification for having a system like this, but Microsoft most likely will not make it disabled by default - or even give us control over the use of such a "service."
*enter Media Player 9 with it's copyright controls.
No thank you, Microsoft. I'll stay away from Longhorn like the plague if you plan on playing by these kinds of rules.
So my Neuros player will still work right?
Didn't think so. The story just sounds more sinister when a trendy gadget is apparently singled out. The writer thought by giving it a MS Vs Apple twist more people would read it.
There is no security without physical security. Leave me alone with a working device long enough and I can get the data out of it. From a certain point of view, DRM software is a system administrator. This feature will be more effective for controlling what the lightweight user does than at preventing corporate theft by a computer professional.
I don't think the feature itself is at all controversial. It is a matter of security to be able to block external devices to unauthorized users on your machine. There are ways to do this today in current versions of Windows with third party products.
Two things come to mind however:
1. Who will actually implement this feature? We're talking about something that really digs into the hardware/firmware/low-level-OS hooks of a system. For all practical purposes MS could simply shove most of the hard work off to the hardware makers saying that it provides a standard configuration panel in Windows and an API to unify the diverse hardware standards for features like this. Of course, it'd be up to the headaches of the hardware makers to make sure that things like firmware upgrades / hard resets / external booting are available but respect the settings of this API.
2. Is this something that software programmers will encourage? Before it became popular to mount USB cameras as FAT partitions on your desktop, digital cameras had to use a serial cable and follow an elaborate, non-standard syncing APIs and mechanisms. The simplicity from the programmer perspective of having a simple data repository that acts like a file system device lets them spend their time on many other things rather than handshaking and querying acrobatics. Unless MS is also implementing an extensible sync architecture which will allow them to properly screen out the "true" hardware storage devices but allow things like cameras and PDA's to be read into the computer, then I forsee most users turning off this security feature as the first or second step in the instruction manuals of most devices (just as turning off the MS firewall appears to be the first step of many Internet enabled programs).
So what's to stop someone from making a USB disk key that pretends it's a printer and stores data as postscript? You could even have it masquerade as a regular Epson printer or anything else that appears benign to the system.
Enter Zip Linux - Linux on a 250mb zip disk. Just boot into it and mount the NTFS filesystem.
But I'd prefer to disable USB in the bios and lock the bios - but the IT guys never do that - it means they have to remember the password.
Save Pangaea!! Stop Continental Drift!!
I disagree. I used to manage the IT for a smallish (about 24 workstations) background-checking law firm and essentially I have to make sure their data is more secure than the average shop.
A nice mix of employment policies, system policies, and hardware policies keeps everything on the up and up.
Internet access is heavily restricted to make sure that even if malicious code was introduced into the environment sensitive data can't go out - HTTP file uploading, P2P applications, FTP, etc is restricted.
Fields POST'd to websites are recorded and run daily against the various databases to make sure that the employees are not mailing sensitive information to themselves or others via a webmail (most webmail apps are blocked via the content filter, however, with proxies and what not you never know) or other method (posted A.C. style to slashdot for example).
The most sensitive records - bank accounts, clients personal information, etc is stored in a database that, besides being physically secured, is on an encypted filesystem. Data is never displayed casually in any of their internal applications - you have to specifically take steps to get to the sensitive data - and every access is recorded and audited. The audit log is provided to the client. If an employee was fiddling around and access data inappropriately their client would know it.
The workstations do in fact each have CD burners because most users need to use them on a daily basis to distribute (encrypted) background check reports to the clients. The internal applications are the only ones with permission to write to these devices, and the contents of every CD are hashed, recorded, and audited. Any file that is on the CD but doesn't match by hash a file in the database is duplicated, stored securely and flagged for review. Every CD-R in the building is pre-embossed with a serial number, and every CD-R is doled out by a responsible party. A log is kept of who takes what serial numbered CDs, and each client must sign-off when he/she recieves their CD(s). Every CD is accounted for at the end of the week.
Every workstation is secured to the cement floor, and housed in a serious case (not plastic, but steel and/or annodized alum.) There is one floppy disk drive - an external USB model, kept onsite just in case.
External computers are not allowed on the network. Every machine on the network is allowed only by MAC, and IPSEC is required on every single device.
Print jobs are saved, recorded, and audited.
USB ports are, for now, phyiscally disabled. Every machine is setup with real-time logging of chasis intrusion systems. Intrusions are recorded and audited.
No users are permitted by software policy or by employment policy to login to a desktop with network administrator rights. Clearing any system or security logs requires a paper trail signed off on by a witness who is an officer of the company.
The security precautions went on and on. Backup tapes were encrypted, andd the entire backup device was hardened: the SCSI cable was spot welded to the back of the machine, and snaked through a stainless steel 1" pipe that was spot welded to back of the tape drive. The autoloader catridge mechanism was equipped with a key, which was replaced on purchase by a locksmith with a more robust tumbler. The cartridges were stored in the same safe that held the really valuable stuff we sometimes held in escrow. A random person from a pool of five had to change the tapes weekly accomponied by an officer of the company.
Basically, when I was running this place's IT, things were pretty tight. All the security steps were put in place because of a few dozen incidents in the late 1990's were the assets of the company were greatly abused by a few bad-actor employees. Clients including the FBI and CIA were furious beyond belief when they learned that various databases had been used to get dirt on ex-girlfriends, business foes, etc. One employee stole the identity of
OK, here's what I would do. Obtain a bad motherboard battery. Remove the system from the network, open the case, remove the motherboard battery for several minutes (or use the jumper to reset the BIOS) to clear the BIOS settings and password. Replace the battery and boot the computer from Knoppix after adjusting your now virgin BIOS settings. Steal all the data you want. Turn the computer off, remove the good battery again for several minutes to clear case intrusion detection. Replace the good battery with the bad battery, reassemble and reconnect to the network. Blame your anamalous BIOS setup on the bad battery.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.