Slashdot Mirror

← Back to Stories (view on slashdot.org)

Colleges Wrestle With Thumb Drives

Posted by kdawson on from the just-too-convenient dept.

Lucas123 writes "IT managers at colleges and universities are grappling with the problem of finding ways to better secure removable storage media in an environment that encourages information sharing. Draconian security mandates 'may be common in the corporate world, but "we don't have the flexibility to simply say all inbound traffic is locked down," said Jason Pufahl, information security team lead for IT services at the University of Connecticut.'"

9 of 127 comments (clear)

  1. What the hell is this about? by Opportunist · · Score: 5, Insightful

    Could anyone explain that? I don't see the point.

    You're worried about the university computers? Then use a secure system that doesn't allow a user to bring along any kind of software to infect it.

    You're worried about the student's data? Then teach them to use encryption and require them to use it.

    Both things neither require a lot of examination nor a lot of money. What's the big deal?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:What the hell is this about? by KillerCow · · Score: 4, Insightful

      Yeah... I don't see the issue either. They weren't "banning" floppy discs 20 years ago. Or CDs 10 years ago.

      If they don't want viruses coming in, install virus scanners or don't allow executables to be run from user drives... and have the machines re-image on a regular basis.

      If they don't want sensitive data going out, banning media isn't going to stop some bonehead from using a floppy or emailing it to himself (or putting it on a "secret" part of his webpage).

    2. Re:What the hell is this about? by PopeRatzo · · Score: 5, Insightful

      There really should be more enlightened approaches to net security than filling the USB ports with superglue.

      Especially at a University, where you want people to take and share information. Seriously, deniable makes a great point. I taught a series of workshops at a small college that took the "no removable storage" approach to keeping themselves "secure". The IT Director eventually got fired and now they're being a little more reasonable.

      --
      You are welcome on my lawn.
    3. Re:What the hell is this about? by Anonymous Coward · · Score: 5, Insightful

      What's the big deal? Making user responsible in *any* way for their own security or for the computer they use is a no-no, it flies in the face of 15 years of learned helplessness regarding computers.

      Never mind that computers are a basic tool of the modern age, computers are magical black box administered by a priestly class, and only nerds should know anything about them. And encryption? That's for the government or terrorists, AND NO ONE ELSE!
    4. Re:What the hell is this about? by Opportunist · · Score: 4, Insightful

      This was exactly my train of thought.

      I spent a good deal of my life in an university. As a student, a tutor, and finally I briefly also worked there. If anything, an university is a place where information is flowing. Yes, usually only after publishing (because, well... nobody wants to tempt a colleague to crib), but then whatever you want, whatever you need, it's there. Mostly because you DO need it.

      Try to write any kind of scientific report without quoting sources.

      Not to mention that it is virtually impossible to (re)create everything on your own. You have to build on the foundation laid down by someone else. I cannot start a math paper by proving that inverting a matrix is possible.

      I also cannot do all on my own because I do need the expertise of other people with different knowledge. It's humanly impossible to learn everything, especially at the depth and detail required today when you want to create something "new". I could not design the hardware layout for an integrated circuit that I need. I'm not a hardware developer. But I know someone who can. He can probably not create the microcode for it, but that's no problem because that's what I can do.

      Cooperation has always (well, at least since the day when it became impossible to know everything that's necessary yourself) and will always be the corner stone of research. If there is something college and university should teach, it's the only cooperation and not egoism leads to success and results.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Universities shouldn't have to secure data by iamacat · · Score: 4, Insightful

    It's an environment of learning where even circumventing campus computer security should be just regarded as being smarter than most people and considered an acceptable way to impress a girl. The only thing that should be punished is including contents of other people's removable drives in your coursework without giving credit. We don't want to be raising a generation of corporate drones who can never take the initiative to bend the rules and achieve true greatness.

  3. Re:Deep Freeze by DHalcyon · · Score: 5, Insightful

    We restore the partitions on every boot, images are loaded from a central server, your profile is stored on a central server and loaded when you log in. Works very well.

  4. Portable storage blues by quarkie68 · · Score: 5, Insightful

    The portable storage blues is a mixture of incomplete policy decisions, technology adoption and resource planning . I shall explain my view. I am co-administering and directing on the technical side a 300 user R&D IT infrastructure (servers, desktops, network), which is part of a large University setup (20000 students plus) for 5 years now. Indeed, things in academia have to be open. And they can be as long as you focus on the problem.

    Desktop wise, a proven conbination of transparent bridging at network level, an antivirus/spyware on the desktop and another anti-virus/spyware on the mail server will filter out most of the traditional ways of infecting systems with malware. Scripts to enforce patching and lock out users that connect to the network might be a big headache, so if you can afford the overhead do that, or switch critical services to a more secure (and yes, I mean that) desktop such as a patched version of Linux.

    The issue of data migration to/from portable storage is a head-scratching one. So, where I work, we scratched our head a lot and came up with the following conclusions:
    - We can train users to understand the implications of relying on portable storage.
    - Encryption could protect the content. In rare cases, it was a big headache, when users lost encryption keys, or when users wanted us to face performance issues on large encrypted filesystems.
    - Portable storage will never be secure from the issue of data availability. Whether your data are encrypted or not does not matter if the device gets lost or broken and the user does not sync the data (for whatever reason). Scenarios where people had grant applications on USB keys and then they lost them or miscplaced them inside a warm cup of coffee or had their kids bike going over their laptop in the garden are common.

    This last point made us re-examine why people use portable devices in academic setups in the first place. Apart from the obvious reasons ( mobility convenience, etc, etc), we found that strong motives for users to use portable storage media in an academic setup exist due to two reasons:
    i)Network drive user quotas were extremely low, almost not usable. In fact, I know of faculties that still give a Gig of space per user and find it generous.
    ii)Lack of suitable VPN solutions, so people could authenticate and mount their drives securely from remote locations. VPNs are common place, but they were dog slow, especially for large user setups, so faculties tend to serve tenths of thousands of users with only three or four VPN gateways that can handle (together) far fewer sessions than the true average user load. The result, non existing or slow connections, users give up, buy a key or portable drive and hope for the best.

    I approached our Director, explained the problem and got funding to buy a storage solution able to a quota of 20 Gigs per user and also upgrade our campus connection and have our own separate VPN gateway, able to handle up to 80% of the average session load with strong crypto. It wasn't easy, and he heard the bill, he changed a few colours. However, if you explain with numbers the cost of loosing a grant, or the research work of the last two years (some experiments are quite expensive to repeat), they can be convinced to approve the budget.

    I don't know about the US, but in Europe, the broadband home market is good enough to sustain a good connection rate even with a 1Mbps/384Kbps ADSL setup for direct common file I/O (documents, spreadsheets, etc). Amongst academic networks things are even better. Storage is becoming cheaper, so making a policy decision to allow portable media and empowering your users with adequate amounts of centralized storage that is easily reachable is, in my humble opinion, the best way to combat the portable storage blues.

  5. Re:Well, even that is false by Anonymous Coward · · Score: 1, Insightful

    Because you can tell *nix to not mount a USB drive, cd burner, etc. unless it is root? OTH, you can not lock down windows. Of course, even if you lock down all these items, then you still have the issue of having physical access to the hard drive (game over).