Beware the iPod 'slurping' Employee
Zoner12 writes "CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port."
Nothing for you to see here. Please move along. Sorry, my iPod slurped the story.
503 Sig Unavailable
The Signature could not be accessed. Please try again later or contact the administrator
Most of the time, as an IT employee with ties to the management/accounts/administration side of things I have always had full access to company data and know exactly where to look to find what I want. The only real restrictions have been my contract/confidentiality/non-disclosure agreement.
What I would consider much more useful is an application that can hunt .avi, .mpg and .mp3 files across the network and 'slurp' them back to my iPod...
..., if I used an iPod.
Optimist: The thumb drive is half empty! Pessimist: The thumb drive is half full...
There's nothing you could do with the iPod that you couldn't do with your normal computer and any random external hard drive. And your access will be logged (or not logged) just the same as if you'd just run some normal program. What's the big deal that an iPod can do it?
Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with hard disks before. Treat your employees well and they won't feel the need to screw you.
"An insider threat would only need to plug the iPod into a computer's USB port."
Bet the good guys never saw that coming
We can all give Abe Usher the bird for offering management a reason to prohibit iPods at work. Thanks Abe--you're off my Christmas Card list.
iSpy
Now the kajillions of non-corporate data stealing types of iPod users will probably be shut down because you had a point to prove.
with carrying a USB key around? It's not that tough to search the network for files containing "Confidential" or whatever keyword and copying them onto your key. If you don't trust your employees, their network access shouldn't allow getting at sensitive documents anyways.
Despite what the article says, a special program isn't needed. All that is needed is for someone to mount the iPod as a disk drive and run a batch file. It could be as simple as one line calling xcopy for each file type (pdf, doc, etc.) running a loop from A to Z for the drives.
An insider threat would only need to plug the iPod into a computer's USB port. ...not only that, the threat would have to have access to said files. Granted, it's an insider threat, but I fail to see the significance here.
Isn't this just:
1. Search for files containing "Confidential" or "sensitive" or "budget" or "payroll"
2. Copy to iPod
? Because I can do that pretty easily and more accurately than software.
Also, why the hell does everything have to have "pod" in the name? Now it's cool? Why can't people coin cool terms anymore??
What's the deal with iPod? Any form of mass storage media applies, USB drives, CD-Rs? What's the deal with singling out the iPod?
What business needs to allow its employees access to a USB port?
I'm not saying none do... but I work in a b2b company and we don't need it.
--- Grow a pair, liberals... stop letting the Republicans bully you!
Reminds me of a job I used to work at. It was a call center where nearly every computer on the production floor was configured (by the phone peons like me) as a file server. People would rip DVDs and download on the idle machines, then burn stuff and take it home. It was sweet; I just wish 4GB ThumbDrives and USB iPods were available at the time! As for the app, seems like it was a good idea used for the wrong purpose. Surely this would have been better employed somewhere like SourceForge, where people could contribute their opinions and ideas?
Slackmaster K Proprietor, DamnedNice Blog
iSuck
Thank you, I'll be here all week!
Jds
/. the download site!!! If we crush the site and burnup the download bandwidth, I'll be able to keep using my iPod at work! Oh wait....
Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
There's nothing you could do with the iPod that you couldn't do with your normal computer and any random external hard drive [...] What's the big deal that an iPod can do it?
Because an iPod is a hard drive disguised as a music player, which may help you get past less-than-competent physical security in ways that you couldn't with a pure hard drive.
I work in a ... large... company (one of the top Fortune ones) and there was a global mandate last year to lock all USB access for data storage devices unless users can make a special case.
That means that USB keys, iPods, plug-in hard drives and so on not only fail to work here, but they generate a little message to the IT department.
Some users, like our media guys, need this access for their work (in this case, digital camera images), and they have an exemption.
This lockdown removes the possibility for portable storage device-based data copying.
Of course, I can always stay late, take the PC apart, remove the hard drive, take it home and copy it, come in early the next day and re-install it. But that's just naughty.
My point is that IT security policies can easily stop this sort of issue, and most large companies are already doing this.
This is nothing new whatsoever.
Back in high school, I used a floppy and a couple batch files to grab .pwl files off the Windows 98 boxes for cracking at home.
Man, I wish I knew it was called "pod-slurping" back then, I would have been WAYYYY cooler.
Equally "dangerous" could be any other USB device including flash drives, so why all the attention to ipods specifically?
CNET: "Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data."
Actual article: "I've created an application (slurp.exe) that demonstrates this concept. When the program is run from an iPod, it can very quickly copy data files off of a PC and on to an iPod."
Am I reading it correctly that CNet doesn't understand the difference between launching an executable stored on an external media device, and somehow running it "on" the media device? Am I the only one who thinks Mr. Usher could have been clearer, but intentionally wasn't? Or that both are playing it as "plug an iPod in, instantly hack a machine", like in the movies where magical devices "hack" systems?
It's sensationalist bullshit- all admins would need to do is set up Windows to not permit mounting removable media drives/USB mass storage devices. Or control what executables are permitted to be launched. I'm sure an expert Windows sysadmin could name half a dozen MORE system/domain level ways to stop this dead in its tracks. It strikes me as a distinct non-issue for any company with a properly managed/secured Windows network. But hey, that doesn't stop CNet from crying "the sky is falling, the sky is falling!"
"Security consultant releases overblown vulnerability with a confusing and/or misleading description to generate hits to his website, more at 11"...
I have a 1GB Sandisk Cruzer I use to run Firefox, AbiWord, Thunderbird, etc... http://portableapps.com/. I don't think this "exploit" is limited to an iPod. Probably better driver support for USB thumbdrives anyway.
Also, doesn't this depend on user privileges? Don't ban iPods, lower privileges :P
-kcbanner
Obligatory blog plug: http://www.caseybanner.ca/
It's cheaper to ban the iPod from the workplace than to epoxy the USB ports shut or implement a sensible data access policy, therefore that is what management will do. Thanks a bunch, for making the workplace that much less bearable.
Don't tell me this thing doesn't run on thumbdrive. Enuf of iPod being a threat.
Why are stories like this always linked to the iPod? A USB key or portable hard drive could do the same thing. All this will do is keep people from using iPods at work. If you're that paranoid and don't trust your employees (a bad sign to begin with), lock down the USB ports on their computers, or prevent additional drives from mounting. But don't pin crap like this on the iPod.
I don't know what kind of crack I was on, but I suspect it was decaf.
The REAL story here is that he has created an APPLICATION for the iPod, according to the FA. How did he do that? Apple closely guards the iPod SDKs and as far as I know have never released them to third party developers.
Maybe he went into Apple and "slurped" the SDKs using his application.... oh wait.
Then a friend went to his local bank branch to get a personal loan. His salary records were all on his USB memory device (he works for an ISP who really try to avoid paper if they can) and he was allowed to plug his memory card in to the loan officer's PC and run Acrobat to show her the documents.
Yep, on a bank PC, inside the firewall, with a USB stick of completely unknown provenance.
I bet their IT security guys would've had a fit, if they'd known!
Eyeballs and a brain work too.
Sooner you're going to have to trust your employees with your sensitive or confidential information, otherwise they're not going to be able to do their jobs. So maybe employers should...oh I don't know...hire employees that are trustworthy? Oh and quit treating them like felons...that way they won't be tempted to live up to your expectations!
I worry more about users losing their damn USB drives than using them to steal.
You're using her as bait, Master!
It's just that simple right Larry?
I can use more disk space so I can watch Ashlee Simpson videos while I slurp data off the corporate network.
MY iAudio X5 can steal corporate secrets *AND* play Ogg/Flac formats!
Religion is a gateway psychosis. -- Dave Foley
Watch, we're going to find out that Abe Usher works for Creative.
Watch out! Those creepy employees with floppy! You never know what they are going to steal onto that floppy! Oh yeah, and those RJ-45 Jacks are just pouring out corporate secrets to those spies! And SCREEN! OMFG! Screens are the worst! They SHOW stuff to the eyes of SPIES! THEY ARE EVERYWHERE!!!
[background voice]
"Hey, IT guy, did you finish setting up that wireless access?"
Oh, ok, I gotta go. I had to set up the wireless 802.11g network with ultra secure MAC filtering enabled around our office. Yeah... somebody gotta look out for those absent minded people who have absolutely no idea about security. Heh!
[Update]
DAMN SPIES! I lost my job! Those DAMN SPIES!
"Don't let fools fool you. They are the clever ones."
... who didn't already realize that people could plug in a USB device to an open USB port and potentially copy files to it with or without the aid of a program to automatically search for files really should read this story... preferably prior to hitting Dice looking for a new job.
...from work...But *I* have created an application that prevents sensationalist articles by CNET and applications written by Abe Usher from being run or seen on my employers network! SO THERE!
"Love is like pi - natural, irrational, and very important." (Lisa Hoffman)
don't worry the TCPA will take care of those dirty whistle blowers
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
hand cranked gramophones? =]
stealing 100 megabytes
It's not stealing because when you copy someone else's data, you do not take that data away from them. They still have the data after you have copied it.
I'll probably be modded down for this...
USB and Firewire allow devices to peek/poke through (physical) memory at will. With the iPod, we have a device that:
1. Can be attached to a computer without being suspect
2. Can run Linux with programs of your choice
3. Has a built-in mass storage system
Any open USB/Firewire port is a potentially huge threat to your whole system's security. If you look here: http://www.cansecwest.com/resources.html, you'll find a pretty detailed presentation on using iPodLinux to hack a computer (kill an X Window screensaver, here) through firewire, and another less detailed one on other DMA-attack vectors (PCMCIA and USB, mostly, iirc). So while it looks like this attack only uses characteristics 1 and 3 of the iPod, the second one is where the money's at (and requires a much larger investment).
Fill those ports with cement!
Try Corewar @ www.koth.org - rec.games.corewar
Dual proc machine, with vast amounts of storage and an innocent ubiquity is used as a corporate weapon. Next they'll be telling me that personal laptops can be used to sniff corporate networks, or that viruses can be transferred on floppy disk, and that restricted documents have been printed out, and 'sneaked' through the front door.
Any company with a decent security model will be able to recognise a user whose file browsing habits are irregular, and classified documents shouldn't be kept in a public repository on a LAN anyway.
Scared of flying, pointy things since 1979!
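The post above says a decent security model recognises a user whose file browsing habits are irregular, and a later comment notes that Windows 2003 can log which accounts opened which shares and files. The following is an added example, not code from the story or from any poster, of what that recognition can look like: a sliding-window detector run over constructed file-share read events. The record layout (timestamp, account, UNC path, bytes) and the thresholds are assumptions chosen for the demonstration; the point is that a bulk copy of many distinct documents in a few minutes stands out from normal work even when every single read was authorised.

```python
"""Flag accounts whose file-share reads look like a bulk copy rather than normal work.

Constructed example: the audit lines below are made up for this demonstration, and
the field layout (timestamp, account, UNC path, bytes read) is an assumption, not
the format of any real product's log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one account reading a few files across the morning, and a
# second account reading 25 distinct documents within 25 seconds (a "slurp").
SAMPLE_LOG = "\n".join(
    [
        "2006-02-15T09:00:05 DOMAIN\\alice \\\\fs1\\finance\\budget2006.xls 40960",
        "2006-02-15T09:41:10 DOMAIN\\alice \\\\fs1\\finance\\forecast.doc 81920",
        "2006-02-15T11:15:00 DOMAIN\\alice \\\\fs1\\hr\\handbook.pdf 204800",
    ]
    + [
        "2006-02-15T12:30:%02d DOMAIN\\mallory \\\\fs1\\finance\\report%02d.doc 1048576" % (s, s)
        for s in range(25)
    ]
)


def parse_events(text):
    """Parse one audit record per line into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate junk lines rather than abort the whole scan
        ts, user, path, size = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "path": path,
            "bytes": int(size),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bursts(events, window=timedelta(minutes=5), max_files=20, max_bytes=50 * 2**20):
    """Return one alert per account whose reads inside any `window` exceed
    `max_files` distinct files or `max_bytes` total bytes (sliding window)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # advance `start` so that evs[start..end] all fall inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            files = {e["path"] for e in span}
            total = sum(e["bytes"] for e in span)
            if len(files) > max_files or total > max_bytes:
                alerts.append({
                    "user": user,
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                    "files": len(files),
                    "bytes": total,
                })
                break  # one alert per account is enough to trigger a review
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_events(SAMPLE_LOG)):
        print("%s: %d files / %d bytes between %s and %s"
              % (a["user"], a["files"], a["bytes"], a["first"], a["last"]))
```

Alice's three reads never trip either threshold; mallory is flagged as soon as the 21st distinct file is read within the window. Real deployments would tune the thresholds per share and exempt backup accounts, which is exactly where the media-team exemption mentioned earlier in the thread belongs.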
"iPod to scan corporate networks"
We can guess more or less what he means, but it's simply not correct.
The iPod has no network hardware on board. It has a USB port (or FireWire, dependent on model) and so the iPod has no way at all to "scan" any network whatsoever.
i can't believe i never thought of this!
1. slurp information from company onto ipod
2.
3. profit $$$
anyway, to all the people who wonder why this is a big deal, the reason is that connecting your iPod is very innocent looking. obviously there are other ways of hiding what you're doing, but it is perfectly normal to see a teenager, an old lady, or anyone in between hooking their iPod up to a computer to charge / sync.
-- lol pwned
In communist East Germany your whole network sold on ipod.
ipod the new floppy?
http://en.wikipedia.org/wiki/Hagbard_(Karl_Koch)
Domestic spying is now "Benign Information Gathering"
Two employers ago, the company's president walked by my desk and noticed I was listening to an iPod. The song playing at that moment was "Cake and Sodomy" by Marilyn Manson, which was unfortunate because the gentleman picked up my iPod to look at it before I had a chance to change to a song with a less offensive title. As he picked it up he said "I just bought one of these for my son for Christmas" and then I noticed the shock in his eyes when he saw the words on the LCD screen... then he said "Hmmm" and sat the iPod back on my desk and walked away without saying another word.
A few weeks later, after the Christmas holiday, I saw the president and asked if his son liked his iPod. He said "I decided to return it and got him something else." At first I felt like a heel because I probably caused him to go home and dig through his children's CD collections, confiscate those not meeting his approval and give them a stern lecture. But then it occurred to me that his kids are rich brats and I might have caused them some grief! Buwah hahaha! I felt so happy when I chose to Think Different.
Thanks Apple, your iPod filled me with holiday cheer.
Run and catch, run and catch, the lamb is caught in the blackberry patch.
CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port.
Who gives a fuck? Oh wait... I know this one... people who don't know crap about security.
If your network services are secure, then it's secure. If it's not, then deal with !that!.
If you're worried about people (employees) carrying off data, then deal with !that!.
If you're worried about iPods, then you have about 20 years of misinformation. Your data has always been insecure. Deal with !that!.
I for one think it rather nifty that this guy Usher was able to build the Evil application to work on an iPod. As good as he seems to be on this basis alone, he obviously doesn't have way too much work on his hands. Maybe one day he will deal with !that!. Or maybe this is his way of fixing it.
(I normally don't use "!" aggressively, it just seemed funnier this way. To me that is.)
--dant
I think you underestimate just how much I just dont care.
Actually, you can install linux on an iPod and run all kinds of apps. I was able to play Doom on my Nano as well as video.
If your network is so insecure, you ought to fix that. It isn't the applications (or hardware) that we should be upset about, but the flaws which they highlight.
-Tim Louden
http://www.sharp-ideas.net.nyud.net:8080/download/slurp.zip
^- The Coralized version of the software.
Hm. So now iPods will be forbidden in corporate environments. Bet iTunes is too, just for good measure.
*snif snif* is that MSFUD I smell...?
Let the data be stolen, it should be public anyway. Yay Socialism
The article on CNet is fine, the problem is that /. is a poor audience for such an article. Yes, there are LOTS of ways to stop an "attack" like this, yes it's primarily an insider threat and one of MANY other ways to accomplish such things. It's the automation of the task and the fact that it can be done in large volumes at high speeds onto a device that non-sysadmins wouldn't think twice about. I don't see why /.ers can't just ignore a story that doesn't apply to them (or better yet, editors reject stupid stories).
MacroHard - Boning you in a big way! (TM)
as has already been pointed out, any flash drive or external hard drive could be used.
Or a thieving employee could burn a CD or DVD.
Or use a cellphone to store sensitive info, transferred from a PC via the Bluetooth connection used to support a wireless mouse.
The only real defense against employee theft is restricting access to sensitive data and minimizing the number of untrustworthy employees. That's the best that can be done.
Exactly. I could very easily backup hundreds of complete databases right off the SQL servers (and other sources, XML, etc) - including tons of sensitive data, the source for every app we've made, our entire intranet's contents, and burn it to DVDs or copy to a portable HD anytime I would want to (or copy on a corporate laptop's HD), right in direct view. No one would even question, comment or bother me in any way (it would be ridiculously easy to try to conceal things too).
I have total access to dozens and dozens of servers. Thing is, it's a question of ethics. I'm not a dirty thief scumbag that wants to sell personal information. No need to treat me like one. As far as non-admins are concerned, their access to sensitive data is extremely limited anyways, they can't do much damage really. My employer pays me decently and treats me well, no reasons to be disgruntled either.
I'm confused. Is this about a program that's on an iPod, executed by the computer into which the iPod has been plugged (which is what I think) or is it a way for an iPod to actually be executing its own code and somehow access the network through the USB port? (which seems REALLY clever and dangerous but extremely unlikely).
Both the article and the summary are poorly written in any event.
then I hope information security is already filtering outgoing email and stopping binary attachments.
Then send it out as a ternary attachment ;-) Seriously, for every filter there is a tunnel, even if it consists of pasting some uuencode variant into the body text instead of using MIME.
"Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive business data and download them,"
I couldn't be bothered to see such a movie. Harrison Ford playing the righteous man who just isn't going to take anymore and singlehandedly wipes out untold numbers of bad guys is too old in and of itself, but to have Hollywood throw out a buzz word like 'firewall' and use it as a lame premise for a lame movie is way too much. Someone somewhere in Hollywood is laughing at /.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
No wireless slurping. Steals less data than a Nomad. Lame.
My other account has mod points.
You can't have it both ways; it isn't always secure, convenient or practicable to transfer files via email.
Unless your employees who telecommute set up a Trusted Computing partition on their hard drives so that everything at work stays private. They use Trusted e-mail over a Trusted VPN to communicate with work, and (to satisfy Alsee et al.) they use traditional e-mail to communicate personally. Nothing crosses the barrier; programs running in the traditional zone can't see the Trusted zone nor vice versa.
Devices that plug into a USB port and contain storage are potential vectors for stealing corporate data.
even if you were able to copy the physical documents onto an iPod, they'd be completely useless to you outside the organization
Unless your iPod is connected to a spy camera inside your glasses. Ye cannae stop the analog hole!
and only by talking to the RMS server (located internally) can they be unlocked.
Speaking of RMS, he wrote an article and a story about this very issue.
In other news, a carefully conducted study has revealed that the majority of retail stores are COMPLETELY INSECURE as the majority of employees have full access to the stockrooms, and many are able to access the cash contained in cash registers!
Seriously though, in a corporate environment, USB ports, autoconfiguration, etc *should* be disabled (yes yes, we live in reality, not fairyland where that would be feasible).
Another case for DRM? If the iPod owner doesn't have the PC's (secure, in-built) private key, he can't read the company data... he'd have to steal the entire PC.
Alternatively encryption such as that included with Win2k (tied to the user account) could work perhaps?
This sort of problem is only going to get worse with plug and play + bluetooth and insecure users...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
"potentially stealing 100 megabytes in a few minutes."
Wouldn't it be more stealthy if this tool copied the data rather than deleting the original? Or was "steal" the wrong word to use here?
TFA on CNET must be poorly worded.
Could somebody please explain to me how a program running on the iPod is suddenly going to become a USB host and then communicate with the (previously) host computer (which could be a Mac, PC clone, or anything with a USB port) to search for files even locally, let alone figure out which network protocols are installed so it can enumerate file servers on the network and the files which they contain.
Most likely this "program" is just an .exe or its equivalent living on the iPod's filesystem which gets run by the host computer to do all the hard work - in other words, this is no different to using any old USB key.
It may be that their computers don't have any special access in particular. I work for a university and, of course, we have detailed financial and personal information on employees and students. Most people don't have access to it (including me) but of course people like our finance people need it. So you get at their computer, you get the info right? No, it's all stored on a mainframe over in the computer centre. They access it via a very archaic text interface over an encrypted link. Their computers aren't special for this access, you just need the right software, username, and password.
I don't know how banks work, I'd bet they are all different, but just because a computer is on their network doesn't necessarily mean it has any special kind of access. All the important data may be stored on another system to which they have to log in. If they then lack admin access on their desktop, there's no real way to put a keylogger or anything on there. I would be more worried about someone getting a password via social engineering than getting anything useful off the computers themselves.
Many corporate geared computers have little sensors to report on when the cases have been opened. So, really, to be really paranoid, you'd have to find the sensor on your particular PC, then figure out how to get at the hard drive without triggering it.
Email/http/ftp/ssh/vpn are also options, but that's rather easy to monitor for abnormally large amounts of data.
Take for example the little bluetooth dongle I have sitting in the back of my PC, I use it with my palm Lifedrive, and a VNC client to remote into my desktop from nearly anywhere in the house, or in reasonable range outside.
with a hop, skip and a jump... at home I have Palm VNC over TCP/IP over Bluetooth to the Windows box, network connection shared to the Linux box, which is running DVArchive (a ReplayTV emulator) in a Java VM, which uses HTTP/UPnP to connect to my ReplayTV DVR, and I can change TV channels from my handheld.
Just slip a self-installing, invisible VNC server onto the bank computer (hopefully not easy), along with a tiny bluetooth dongle, and have your way with their network remotely, and continuously
The USB dongle was quasi-free; $15, with a $15 rebate (which I have never received, just like the last 4 rebates I submitted from things bought at Fry's...) so if I never got it back, no huge loss.
I guarantee you get at least a couple bites.
When you buy it form over function a PC really isn't your best choice. Either convince your wife that "cute" isn't the only thing a computer has to be or just buy that Mac.
Though the alternative spellings in that post really sound like someone trolling... Meh, who cares?
Justice is the sheep getting arrested while an impartial judge declares the vote void.
Is it good, or is it whack?
+++ATH0
Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with harddisks before.
The problem is that given the iPod's popularity it does not draw any attention. Even if someone notices that it is plugged in the thief may be able to dodge suspicion with a simple "I need to charge it".
Treat your employees well and they won't feel the need to screw you.
That is naive. Industrial / Commercial espionage happens. Greedy, self-centered, immoral people exist at all levels of companies. "Good" companies get screwed just like "good" employees.
Way to ruin a good joke dude. Who brought you along?
That's no iPod, that's iPwn3d.
w00t
...just watched the movie Firewall.
get whipped (you know you like it)
I am used to listening to Audible books on my iPod at work....
Once our admins see this, they would definitely clamp down on this tool, without RTFA.
"Doing what i can, with what i have." ~ Burt Gummer
Since the iPod uses a proprietary connection to interface with the computer, wouldn't it be smarter (and less hassling to employees) to just ban bringing the Pod-to-USB (firewire) cord? If you want to keep your kid from playing video games, why lug out the entire system when all you have to do is take the power cord?
Sorry to point to Hollywood as the rightful owner of the 'warning shot' but this type of access and data theft was pretty much central to the plot of 'The Recruit' starring Al Pacino , Colin Farrell, and Bridget Moynahan. Moynahan's character uses a USB Flashdrive to steal the source code for some dreamy virus from within the CIA headquarters at Langley... and the moral of the story is... the best hacks are always personell hacks, get someone from inside the organization to transport the sensitive info off campus.
Smart employers have policies in place controlling access to sensitive documents, keeps logs of all attempted access to such documents, and have binding agreements defining the civil and criminal ramifications of purposely violating those policies.
Not-so-smart employers serve as reminders to the rest of us when they demonstrate that Darwinian principles apply to many facets of life besides goldfish and DIY backyard balloon enthusiasts.
Thanks
I didn't use any program, just browsed the windows network shares and copied a few gigabytes of "sensitive" data from my school network for me to look at when I got home.
If anyone asked I was just charging it up.
The key thing is to ensure that employees have access to appropriate data, with the most trusted data being with as few people as possible.
Oh, SLURPing!
I thought the story was about LARPing. That would have been much more terrifying.
The ______ Agenda
...is king!
It's quite simple: Make sure that people cannot get to hardware they're not administrators of! - If someone can touch the hardware, they can get at the information inside with some tools, so make that impossible.
Own PCs? - Shouldn't be a problem provided they're properly configured, preferably with USB ports locked out unless in use for keyboard/mouse, and with P&P disabled so new hardware added to these ports won't be installed.
Servers? - Should be in locked racks/rooms, not dumped in corners of common rooms.
Restricted physical access will also make it impossible to 'borrow' a harddrive home for copying or whatever.
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
My father is head of security for our local police force, and has put up rules against the use of things such as iPods and USB data sticks to avoid leaking critical data.
Run an operating system developed in a hostile multiuser environment instead of one developed for standalone PCs?
At Berkeley, we had professors and CS students using the same computers. There were hardly any "personal computers" back then: tests, assignments, and exams were sitting on the same machine as student accounts. The students were intelligent and highly motivated, and yet the security worked.
So, today, you have a choice of running your business on the descendants of that OS, or the OS that turned the science fantasy idea of an automatically executing 'worm' from "if you can even get someone else's computer to run untrusted code, that's a bug... nobody would be dumb enough to treat it as a feature" to the most common and disruptive network security problem in the world.
Pick your poison.
Visit the homepage of your new Apple consortium. http://firstpost.gnaa.us/ DOWNLOADABLE APPLE OS for XP/Lunix and your mother.
Surely it is just as possible for a malicious worker to use netbios and find these documents in the same way the iPod would (perhaps even recreate the "business" algorithm that selects the files for Windows)
So really, this is something of a sideline...
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
This article is about as insightful as "Knives Can Stab People!"
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
And what happens when analysis shows that those files appeared there only hours before the person was "snitched out"? And all at once? The police hate child porno freaks but they are not stupid.
Freedom: "I won't!"
Better than that, get a nondescript one and say that it's a power supply for your computer.
There are external HDs now that are smaller than the AC power supply that came with my first laptop, and they look about the same -- big fat cord goes into plug in wall, smaller cord connects into computer.
I'm sure an enterprising hardware hacker could actually put a hard drive inside the plastic shell from one of those old brick-type AC adaptors, too.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
On the network that I run they wouldn't be able to get to the important files because you need to be an admin and unless you sneak into my office or the director or assoc directors office you won't be able to get documents. Those are the only people who can get the important docs, admins or the people who created them. Second, Windows 2003 can log what accounts logged into what share or files on that server if it's a 2003 server. Also here at the library we have extra security in the way of security cameras focused directly at the computers. I can see what everybody is doing plus we have some programs that you would have to hack in order to be able to even access the required stuff to be able to do this. Any secure network this would not work on. If it does then the network admin needs to be fired.
I'd like to talk to you after class, I wonder if you could make a presentation of your idea that copying data from one place to another is not a crime. For your reference points, here is Steve Jobs' (please mod me up for that topical example) bank account number, and here is mine. Copy the contents of one to the other.
I'm not after the money (tis Karma I crave) so feel free to copy in either direction.
Just like in Transporter 2 when he totally hacked the Gibson with his iPod!
Are you trying to make my workplace ban my iPod? Cut it the hell out.
Why in the hell do people do shit like this and PUBLICIZE it? All it does is give geeks a bad name and make a 'threat' out of anyone who carries an iPod or other digital music player.
I'm all for the freedom to write software like this but shit, you have to be smart about it.
Whoosh! [nt]
Is it possible to put these bits back into the computers once they've been stolen by iPods? Will the computers still work without those bits?
Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
The show didn't get much of an audience, but I liked it.
Just two years ago, when it was being filmed, the idea of a small device that connects to a network and hacks it for you was considered the stuff of high-tech fiction.
And now, here we are.
I'm ready to go to Gamma now.
Last post!
I have a laptop with a VPN connection to work's network. I can copy files from work's network to a home network drive in Windows Explorer while sitting comfortably on my couch at home.
That is naive. Industrial / Commercial espionage happens. Greedy, self-centered, immoral people exist at all levels of companies. "Good" companies get screwed just like "good" employees.
This is just a little cynical, isn't it? Obviously there are certain kinds of trade secrets or valuable personal data (banking, financial, etc) that are vulnerable to theft and this information is supposedly protected for that reason.
But the idea that employees who are treated with fairness and dignity are less likely to do damage to the workplace seems to be common sense. Rejecting this notion outright just seems like a crude justification to treat employees poorly since "some people are bad".
It seems to me that, and this is just my opinion, if the employee with the iPod (with the data gathering application installed) does not have access to read sensitive files, then they aren't able to steal them. If they do have access to sensitive files, then they are in a position of trust which means that they can steal files using multiple methods.
To me, this just means that if you haven't already worked out a corporate system of assigning, monitoring, and removing privileges it's just another reason to do so.
David
that supposed sensitive material really isn't that important because it only matters to that company...
Everyone has this feeling that their personal data is soooo important, when in reality it isn't. First off, most "trade secrets" could only be figured out by the company. Have you read a corporate document lately? No one can figure that junk out.
Unless you are grabbing a list of credit card numbers (which are actually quite useless) you will get a bunch of documents that are worthless.
The phrase "more better" is acceptable English. suck it grammar Nazis
As has always been the case, in IT security, physical access to a system is everything. I'd state with relative certainty that any security control is heavily mitigated if a malicious user has physical access to the system.
I think the sensational part of this story is that lots of people use iPods at work and that they've typically been viewed as innocuous devices. Clearly, similar threats are presented by portable USB drives, cell phones with built-in cameras, Bluetooth devices, Web cameras, etc.
I work for a large telco supplier (another word for luminous, we have a famous lab). The company is shifting to all laptops, with open USB ports, DVD/CDR drives in every one, plus all wireless in an effort to standardize platforms and support costs.
Seems like not all "large companies are already doing this".
People who are computer savvy and malicious are always going to try to either attach some device or use a CD burner to steal information. This is where corporate culture comes into play by first, not allowing people to bring in and hook up any electronic devices to their computers and second, by locking down a machine enough where the OS will require a password to access ports such as USB. Unix can already do this and the next version of Windows, I believe, will have this capability as well.
Two words: Morris Worm. Sorry, but I just felt the need to remind you that all has not always been so secure in BSD land. Mail to pipe seemed like a useful thing when it was designed.
That said, BSD fixed those holes quickly, in contrast to the track record of that other OS to which you allude. And I'm certainly a happy FreeBSD user.
What a moronic post. I have already had dumb IT people (thank God they are not all dumb) trying to prevent the use of an iPod because of the "dangers of using iTunes".
Now they will just have one more excuse to prevent otherwise hardworking folk from listening to some relaxing/stimulating music while at work.
Get a life and find something useful to spend your idle time posting about. The fact that we have been able to do this with numerous other devices for years didn't cross your mind I guess... (along with a lot of other things).
There are loads of MP3/MP4 players out there. Mine is some unbranded 40G unit that's just as capable of sucking files.
Can't they just say MP3 player?
Any open USB/Firewire port is a potentially huge threat to your whole system's security.
Superglue
(You'd think I'd be joking but there are places that do this)
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Where I work, most of the IT guys (myself included) run around with USB sticks attached to themselves (hanging around the neck, attached to a belt loop, etc.). Our main support guy has a Linux distro on one of them, and can boot desktop machines off the silly thing; it comes in real handy when someone has REALLY hosed up their WinXP machine and he has to try to rebuild it without completely wiping their drive and losing their data. Each of us has a "personal" one which has .mp3s, etc. on it. In my case it's an old 128 MB SanDisk Cruzer. I got it free when we ordered a bunch of hardware from someplace. It's getting harder to buy something that small these days. Even that little thing can easily haul 100 MB of files around.
Quite a few employees have iPods or other small, personal media players, with capacities that dwarf my Cruzer.
If we wanted to, I'm sure we could slurp a large amount of data and walk off with it. More than a few people have pointed out, though, that it would be unethical. For most people, that's enough of a reason not to do it. Probability of getting burned for doing so isn't really the motivating factor. Most people are ethical enough, without needing any kind of threats hanging over their heads.
On the other hand, my wife applied, at one point, for a position with a defense contractor. She wasn't allowed to bring any kind of personal media player, CD's, etc. into the premises. If she had a camera cellphone, she wouldn't be allowed to bring it in, either. A regular cellphone was allowed, but she couldn't turn it on or take/make calls inside the building; she'd have to be outside on break. She couldn't even bring a personal CD player into the place (no recording capability, at all). She had to go through a metal detector any time she entered the building; good luck sneaking an electronic device past that thing.
It all depends on the environment. Obviously, some places are "locked down" more than others.
... by the Dew of Mountains the thoughts acquire speed, the hands acquire shakes, the shakes become a warning
I tried to copy all your money to Steve Jobs, but his bank refused to, "fiddle with small change". Bastards. :(
Show me on the doll where his noodly appendage touched you.
There are always going to be stealthy removable-drive-type devices out there that someone can sneak in and out of a company easily and copy files onto. The iPod is just a popular target because millions have been sold and most people are aware of them.
The *real* question is, why would employees have access to file shares on servers containing important documents they weren't supposed to have? If your business throws everything on shares that all users have read (or read/write) access to, they deserve what they get for not implementing some sort of security policy for the shares.
If you're an I.T. person who has full access anyway due to the nature of your job, again - so what? You're already able to burn the stuff off to DVDs at night and sneak them home or download them remotely over your corporate VPN or ??? The point is, companies have to place trust in their people to various extents. If they hired you as a sysadmin, they should have already done the background checking and everything else before hiring you - and believe you can be trusted. If you violate that trust - you screwed them, plain and simple. Implementing some sort of "no Ipod allowed!" policy won't prevent that.
Obviously there are certain kinds of trade secrets or valuable personal data (banking, financial, etc) that are vulnerable to theft and this information is supposedly protected for that reason.
But, look a little deeper into who does this kind of stuff.
OK, are they bright or dumb?
Probably on the brighter side, right? Dumb people risk their lives ripping off a convenience store for $50.
OK, are they wealthy or "underpaid"?
I would say more on the underpaid part. Wealthy people do whatever they want anyway, there is basically nothing that can be done preemptively or after the fact with these guys most of the time.
So, what kind of person is underpaid and bright? Your unconfident typical slashdot geek. So, yeah, I would bet that treating this kind of guy pretty well would reduce your risk of getting burned by this guy.
I wonder if the person that wrote the program just finished watching The Transporter 2
The problem that I'm beginning to see here is this:
- most large companies have an IT department and thus know how to secure USB ports, etc.
- most small companies know their employees really well and have nothing to worry about
- medium-sized companies (say between 50 - 150 employees) are big enough to not know all their employees that well but small enough not to have an IT department in house.
It's easy to say "hire trustworthy employees" but eventually someone will slip through. The biggest difference between this and target disk mode is that someone could plug in their iPod to "charge" and walk away, as opposed to sitting in front of a computer screen where their boss could walk in and see what they were doing. Stupid people writing stupid things may have ruined charging an iPod without a charger for the rest of us. Grrrrr
... or are you still living in a cave? Who is not aware of Apple's marketing slogan? Oh, I'm sorry, you've never heard of Apple, the company that produces computers and consumer items? Wow, a lot must be confusing to you. I bet you've been trying to figure out how people listen to music on a piece of fruit. You poor thing.
How many times have you admins been told to use a non-administrator account for your day-to-day operations and to give users the least privileges possible? Don't make users local administrators on their machines. Don't give all of your users domain admin access on a Windows network. Don't give sensitive network shares full access to Everyone. So many people focus on boundary security and leave their internal network absolutely open. Like others have said, it doesn't take software to do this. It also doesn't take an idiot with some clue about permissions to stop this sort of thing from happening in the first place.
There's a great, and easy solution to this, when a new computer comes into the company, while you're removing the CD drive (don't laugh, they do with us), go to the motherboard with a pair of wire-cutters, and after disconnecting the USB hubs, cut the pins. Voila, a PC that you can't hook an iPod (or anything else) to.
Why are people bringing iPods to work anyway? Aren't they supposed to be, y'know, working? Then we complain about being outsourced.......
The gun is good - Zardoz
I'm sorry, but the threat has existed ever since the USB drive/device... or anything that is "hotpluggable". In theory I can come into almost any office with a USB drive with some malicious software to steal secrets or whatnot and just plug it in to the back of someone's computer. I guarantee the average luser wouldn't be aware of the device's existence.
Oops, how did this get here?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Good joke... where?
You are all a bunch of idots.
Or you could just use trusted computing to secure your data from people on-site with iPods and other portable storage device. Oh wait. I guess that's evil, never mind.
Vote for Pedro
"The most obvious glaring problem with your analogy is that data can be copied and the originals are still there."
...
... I wonder if you could make a presentation of your idea that copying data from one place to another is not a crime ...
...For your reference points, here is Steve Jobs' (please mod me up for that topical example) bank account number, and here is mine. Copy the contents of one to the other.
I'd like to talk to you after class,
I have office hours after class and I'll be happy to alleviate your confusion.
Why would I do so? You did not misunderstand things and believe that was what I wrote? When data is copied the original is still there, how does the owner know it was stolen, as opposed to physical inventory.
Financial transactions don't involve making "copies" of money; they involve transferring it from one place to another. What do you mean by "copy the contents"? Surely you realize that this is fundamentally different than copying a private data file from a server to an iPod?
I'm not after the money (tis Karma I crave) so feel free to copy in either direction.
Well fools get mod points too so perhaps your foolishness will get you something. Good luck.
But the idea that employees who are treated with fairness and dignity are less likely to do damage to the workplace seems to be common sense. Rejecting this notion outright just seems like a crude justification to treat employees poorly since "some people are bad".
The statement I responded to: "Treat your employees well and they won't feel the need to screw you." That is quite different from your "less likely" point; I agree with "less likely".
ok, so I didn't actually deprive the owner of second base.
Vote for Pedro
To be able to show our presentations in case the network is not available, or something like that, almost everyone has a USB key of at least 256MB. Provided by the company! And if you see how much effort they put in for security, I wonder how long we can keep our USB keys.
Guns don't shoot people - Vice-Presidents shoot people!
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery?" - Patrick Henry
I suppose they can protect against this problem the same way they protect against similar IT theft here: Fill all the USB ports with hot glue, except one (for the mouse).
Yes, I'm serious.
Please, shoot me.
Yeah, that's exactly what I suggested :) It's an effective, cheap, low-tech solution. It might even be patent unencumbered! What's not to love?
Try Corewar @ www.koth.org - rec.games.corewar
Ten thousand songs, ten thousand names. It can't tell the difference.
Tell me something...it's still "We, the people"... right?
In other news, a carefully conducted study has revealed that the majority of retail stores are COMPLETELY UNSECURE as the majority of employees have full access to the stockrooms, and many are able to access the cash contained in cash registers!
... We have millennia of experience handling inventory and cash; security is not perfect but it is far more evolved than the handling of data, which is in its infancy by comparison.
"COMPLETELY UNSECURE"? With such a poor analogy the attempted joke falls flat. The most obvious glaring problem with your analogy is that data can be copied and the originals are still there, nothing to notice. Not so with the physical objects from the stockroom; they must simply be stolen and their absence noticed. Secondly, stockrooms, cash registers, etc. often have cameras trained on them.
I've worked in a warehouse that stocked department stores. We had a caged jewelry section, a caged firearms section, and a general caged section for other high price / small size items. Access required that keys be logged out.
Friends have worked cash registers and there is quite a bit of individual accounting taking place. Starting and ending balances are individualized, no sharing of a register, and these must balance with transactions.
In contrast data is often far less secure. Commands like "copy" are not logged at most companies, storage devices connecting are not logged at most companies,
Yes, familiar huh. I'm curious to see if mods react differently when one doesn't insult an AC.
Along the same lines, if you don't trust an employee having access to certain data, that employee should never have read access to that data. If you can't read it, you can't copy it to an iPod. If you can read it, you can steal it... via iPod, floppy disk, e-mail, or even by printing it. This software is just a tool, and the biggest lesson here is that corporate networks are often not secured properly.
LordBodak's journal.
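The two comments above make the defender's point: copies and device connections are rarely logged, and read access is the gate. As an added example that is not from the article or any poster, here is the kind of correlation a log pipeline can do once both are logged: a removable disk attaching on a workstation, followed within minutes by a bulk read from a sensitive share. The kernel lines follow the real usb-storage/sd message format; the share-access audit format and all hosts, users, paths and times are constructed.

```python
"""Flag a 'slurp': removable disk attached, then a bulk read of a share from that host."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed kernel log (syslog-style: time, host, message). Only the
# "Attached SCSI removable disk" line marks a usable removable volume.
KERNEL_LOG = """\
2005-10-21 09:02:11 ws-17 usb 1-2: new high-speed USB device number 4 using ehci_hcd
2005-10-21 09:02:12 ws-17 usb-storage 1-2:1.0: USB Mass Storage device detected
2005-10-21 09:02:14 ws-17 sd 4:0:0:0: [sdb] Attached SCSI removable disk
2005-10-21 09:40:00 ws-03 usb 1-1: new low-speed USB device number 3 using uhci_hcd
""".splitlines()

# Constructed share-access audit: time|user|client host|share|op|bytes|path
AUDIT_LOG = """\
2005-10-21 09:03:01|jdoe|ws-17|finance|read|24000000|/2005/Q3/forecast.xls
2005-10-21 09:03:09|jdoe|ws-17|finance|read|18000000|/2005/Q3/payroll.xls
2005-10-21 09:03:40|jdoe|ws-17|finance|read|31000000|/2005/Q3/board-deck.ppt
2005-10-21 09:04:02|jdoe|ws-17|finance|read|9000000|/2005/Q3/contracts.doc
2005-10-21 09:04:55|jdoe|ws-17|finance|read|15000000|/2005/Q3/customers.mdb
2005-10-21 09:05:30|jdoe|ws-17|finance|read|7500000|/2005/Q3/pricing.xls
2005-10-21 09:41:00|asmith|ws-03|finance|read|900000|/2005/Q3/budget.doc
""".splitlines()

ATTACH_RE = re.compile(r"^(\S+ \S+) (\S+) sd \S+: \[\w+\] Attached SCSI removable disk$")


def removable_attaches(lines):
    """Return (host, time) for every removable SCSI disk the kernel attached."""
    return [(m.group(2), datetime.fromisoformat(m.group(1)))
            for m in map(ATTACH_RE.match, lines) if m]


def read_bursts(lines, window=timedelta(minutes=5), min_files=5, min_bytes=100_000_000):
    """Per (user, host): the first window in which many distinct files or many bytes were read."""
    by_key = defaultdict(list)
    for line in lines:
        ts, user, host, _share, op, nbytes, path = line.split("|")
        if op == "read":
            by_key[(user, host)].append((datetime.fromisoformat(ts), int(nbytes), path))
    bursts = []
    for (user, host), reads in by_key.items():
        reads.sort()
        for i, (start, _, _) in enumerate(reads):
            in_win = [r for r in reads[i:] if r[0] - start <= window]
            files = {r[2] for r in in_win}
            total = sum(r[1] for r in in_win)
            if len(files) >= min_files or total >= min_bytes:
                bursts.append((user, host, start, len(files), total))
                break  # one alert per user/host is enough; analysts pull the rest
    return bursts


def slurp_alerts(kernel_lines, audit_lines, grace=timedelta(minutes=15)):
    """Bursts on a host that attached a removable disk shortly before the burst began."""
    attaches = removable_attaches(kernel_lines)
    alerts = []
    for user, host, start, nfiles, total in read_bursts(audit_lines):
        for ahost, at in attaches:
            if ahost == host and timedelta(0) <= start - at <= grace:
                alerts.append({"user": user, "host": host, "attached": at,
                               "burst_start": start, "files": nfiles, "bytes": total})
    return alerts


if __name__ == "__main__":
    for a in slurp_alerts(KERNEL_LOG, AUDIT_LOG):
        print(f"{a['user']}@{a['host']}: {a['files']} files, {a['bytes']} bytes, "
              f"{(a['burst_start'] - a['attached']).seconds}s after removable disk attached")
```

Neither signal alone is conclusive (a backup job reads in bulk, a mouse is a USB device), which is why the correlation keys on the "Attached SCSI removable disk" line and on the same host.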
How does an iPod access the network through the USB connection? That strikes me as really, really scary.
However, this strikes me as just bad reporting. I'll bet it's PC software that dumps the data to an iPod instead of software on the iPod itself. That means it's just using the iPod as a standard external USB drive.
plus-good, double-plus-good
- highlight data with mouse
- ctrl + c
- open gmail
- ctrl + v
Or does it just cryptographically protect the document file/format itself?
Carthago delenda est!
This is a custom app?
Can someone tell me how you write code for the iPod?
I thought it was a closed system...
There's plenty of places where running around with an external hard drive would seem very suspicious (or an outright violation), but a music player is, well, just a music player, right?
Wrong. I've worked for large corporations, and all of them subjected me to bag checks at the door (entering and leaving), and all of them strictly prohibited any type of electronic or magnetic storage devices. I had a pocket organizer that had no data ports of any kind, and I couldn't take it in the building, even though it was essentially as functional as a pad of paper.
There was one instance when a manager jumped my case when I had a floppy disk that was given to me by HR when I needed to transfer some files when I moved from one workstation to another.
If there's a big network and an even partially competent IT or building supervisor, storage devices like that are right out.
"Sometimes you have fun, and sometimes the fun has you"
It was bogus hype when consultants first started copying it from each other (to give them some credit, most of them saw an initial article written by some newsie and reinvented the scaremongering detail themselves, because it's simply not that hard.) By 1999, almost every techie sales person had a Palm Pilot with inadequate amounts of memory, by 2000, WinCE PocketPCs had USB, and by about 2002, most WinCE machines let you use standard-format flash cards, typically CF, so you could get enough memory to copy something useful. But the bogus hype didn't really heat up until the iPod caught on, though the scaremongers had kept busy with digital cameras for a couple of years, even before everybody's phone had one.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks