Slashdot Mirror


Colleges Wrestle With Thumb Drives

Lucas123 writes "IT managers at colleges and universities are grappling with the problem of finding ways to better secure removable storage media in an environment that encourages information sharing. Draconian security mandates 'may be common in the corporate world, but "we don't have the flexibility to simply say all inbound traffic is locked down," said Jason Pufahl, information security team lead for IT services at the University of Connecticut.'"

  1. What the hell is this about? by Opportunist · · Score: 5, Insightful

    Could anyone explain that? I don't see the point.

    You're worried about the university computers? Then use a secure system that doesn't allow a user to bring along any kind of software to infect it.

    You're worried about the student's data? Then teach them to use encryption and require them to use it.

    Both things require neither a lot of examination nor a lot of money. What's the big deal?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:What the hell is this about? by deniable · · Score: 4, Informative

      This one seems to be about people being able to move data around on removable storage. Why does a college have a problem with this?

      We had a situation at work where we had to lock down the floppy drives on machines because people might steal stuff. The fact that they also had email and web access didn't make any difference to the people making the policy.

    2. Re:What the hell is this about? by KillerCow · · Score: 4, Insightful

      Yeah... I don't see the issue either. They weren't "banning" floppy discs 20 years ago. Or CDs 10 years ago.

      If they don't want viruses coming in, install virus scanners or don't allow executables to be run from user drives... and have the machines re-image on a regular basis.

      If they don't want sensitive data going out, banning media isn't going to stop some bonehead from using a floppy or emailing it to himself (or putting it on a "secret" part of his webpage).

    3. Re:What the hell is this about? by PopeRatzo · · Score: 5, Insightful

      There really should be more enlightened approaches to net security than filling the USB ports with superglue.

      Especially at a University, where you want people to take and share information. Seriously, deniable makes a great point. I taught a series of workshops at a small college that took the "no removable storage" approach to keeping themselves "secure". The IT Director eventually got fired and now they're being a little more reasonable.

      --
      You are welcome on my lawn.
    4. Re:What the hell is this about? by stevedcc · · Score: 5, Informative

      Universities really CAN'T lock systems down in the kind of way a workplace can. I'm doing a Master's degree in Information Technology (basically a one year conversion course in Computing Science for those with different first degrees). We have to write software for our dissertations and this often involves making use of other people's software, sometimes libraries, sometimes compiled programs. We wouldn't be able to do our dissertations if we couldn't install more software. It's not practical to have to get permission for every piece of software every student needs. I'm sure many of the academic staff also need to do these things in order to do their own research.

      University networks are not like work networks. You can't enforce a standard set of tools and be sure that no one needs to run anything else.

      --
      todo - The developer's equivalent of confession: "Forgive me Father, for I have sinned..."
    5. Re:What the hell is this about? by Anonymous Coward · · Score: 5, Insightful

      What's the big deal? Making users responsible in *any* way for their own security or for the computer they use is a no-no, it flies in the face of 15 years of learned helplessness regarding computers.

      Never mind that computers are a basic tool of the modern age, computers are a magical black box administered by a priestly class, and only nerds should know anything about them. And encryption? That's for the government or terrorists, AND NO ONE ELSE!
    6. Re:What the hell is this about? by Opportunist · · Score: 4, Insightful

      This was exactly my train of thought.

      I spent a good deal of my life in an university. As a student, a tutor, and finally I briefly also worked there. If anything, an university is a place where information is flowing. Yes, usually only after publishing (because, well... nobody wants to tempt a colleague to crib), but then whatever you want, whatever you need, it's there. Mostly because you DO need it.

      Try to write any kind of scientific report without quoting sources.

      Not to mention that it is virtually impossible to (re)create everything on your own. You have to build on the foundation laid down by someone else. I cannot start a math paper by proving that inverting a matrix is possible.

      I also cannot do all on my own because I do need the expertise of other people with different knowledge. It's humanly impossible to learn everything, especially at the depth and detail required today when you want to create something "new". I could not design the hardware layout for an integrated circuit that I need. I'm not a hardware developer. But I know someone who can. He can probably not create the microcode for it, but that's no problem because that's what I can do.

      Cooperation has always been (well, at least since the day when it became impossible to know everything that's necessary yourself) and will always be the cornerstone of research. If there is something college and university should teach, it's that only cooperation and not egoism leads to success and results.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:What the hell is this about? by Anonymous Coward · · Score: 5, Funny

      I spent a good deal of my life in an university.

      lol

  2. Universities shouldn't have to secure data by iamacat · · Score: 4, Insightful

    It's an environment of learning where even circumventing campus computer security should be just regarded as being smarter than most people and considered an acceptable way to impress a girl. The only thing that should be punished is including contents of other people's removable drives in your coursework without giving credit. We don't want to be raising a generation of corporate drones who can never take the initiative to bend the rules and achieve true greatness.

  3. Re:Deep Freeze by DHalcyon · · Score: 5, Insightful

    We restore the partitions on every boot, images are loaded from a central server, your profile is stored on a central server and loaded when you log in. Works very well.

  4. High Security leads to a false sense of security. by jellomizer · · Score: 4, Interesting

    Not just in colleges but in corporate work environments. Block this, stop that, don't allow those... But whatever they do, if we need a way around we could get one. Most computers have Bluetooth. So you have your cell phone right next to your computer and, unknown to the security guys, you use your Bluetooth as a PPP connection to the internet to check your mail, or worse, as a backdoor in or a way to send traffic out. Even if the computers don't give you the security to boot, there is always the Live CD option with a Linux distro with VMware running in full screen; most people won't know the difference. Whatever they come up with, there is normally some way around it. You are actually better off having a more open system, a good firewall to block outside traffic, allowing external emails to come in and, if you are silly enough to use Windows for your workstation, having your virus scanner up to date. Anything more makes people realize that you are anal on security and thus feel more pressure to find a way around it... Remember, a worker may not know how to click the Start menu to get to additional programs, but if you stop them from their email they will learn to set up a proxy server in no time...

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. am I? by jon_joy_1999 · · Score: 5, Funny

    am I the only one who read the title and thought "One two three four, I declare a thumbdrive war."?

    --
    there are 10 types of people in this world; those who get this joke, and those who don't
  6. Huh? by kalaf · · Score: 4, Interesting

    "In recent months, some universities have been hit by incidents of lost or stolen flash memory and storage devices.

    In June, for example, Grand Valley State University was forced to notify 3,000 students of a stolen Zip drive."

    The article is all over the map. They are worried about hackers getting into your system and stealing your data in one paragraph, viruses from iPods in the next, and then they have some idiot storing SSNs on an unencrypted flash drive...

    I don't know about most universities, but the one I went to didn't give everyone admin access. When you logged on it would clear the local temp directories (i.e. everywhere the previous student had write access). Simple, and it makes it very difficult for viruses to propagate or hackers to install a keylogger.

    What profs need your SSN/SIN for is beyond me. We had "student" numbers, which were posted everywhere and didn't hold huge potential for abuse. No doubt the university could translate those to a SIN, but that system was supposedly secure.

  7. Well, even that is false by WindBourne · · Score: 4, Interesting

    Corporations claim to lock down systems, but nearly ALL of their systems have a CD burner and/or USB ports. And almost ALL systems are capable of being opened, hard disk lifted out, taken home, copied, and then put back in the system. There really is no such thing as corporate lock-down if they run a Windows desktop env (which is 97% of them). But what amazes me is that they all tell the CEO that it is secure, and the CEO acts like it is. Weird.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:Well, even that is false by bhima · · Score: 4, Interesting

      This describes my office perfectly. The corporate IT policy bans everything: USB flash memory; Digital Music Players (like my iPod); Portable external drives; coming in or out of the building with *anything* that can store data; Any website that even faintly looks like you could upload something (Flickr, Gmail, Hotmail, photobucket, &tc); any program not available on the corporate NetInstall craplet; any encryption any time any where. Every person outside of R&D has this massive Windows XP install regardless of what they actually need or want.

      I've seen them fire people over it.

      However... all the managers have laptops and we go in and out every day with them. Each department has a fleet of burners and scanners. Every single member of R&D has at least 2 USB memory sticks. And I've been using my iPod every day for over 5 years.

      So what's the point? Surely I am not about to steal corporate secrets, and the mechanisms preventing me if I was inclined to do so have nothing to do with site or IT security. A disgruntled employee who didn't understand the difficulty in marketing such things is in no way going to be able to figure out what to take and how to do so (or even be able to get to the part of the building where he could have access to the data). The segmentation of the network encourages the use of external memory to transfer data from the segment containing the devices that create the data to the workstations of the people that analyze data.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  8. Portable storage blues by quarkie68 · · Score: 5, Insightful

    The portable storage blues is a mixture of incomplete policy decisions, technology adoption and resource planning. I shall explain my view. I am co-administering and directing on the technical side a 300 user R&D IT infrastructure (servers, desktops, network), which is part of a large University setup (20000 students plus) for 5 years now. Indeed, things in academia have to be open. And they can be as long as you focus on the problem.

    Desktop wise, a proven combination of transparent bridging at network level, an antivirus/spyware on the desktop and another anti-virus/spyware on the mail server will filter out most of the traditional ways of infecting systems with malware. Scripts to enforce patching and lock out users that connect to the network might be a big headache, so if you can afford the overhead do that, or switch critical services to a more secure (and yes, I mean that) desktop such as a patched version of Linux.

    The issue of data migration to/from portable storage is a head-scratching one. So, where I work, we scratched our head a lot and came up with the following conclusions:
    - We can train users to understand the implications of relying on portable storage.
    - Encryption could protect the content. In rare cases, it was a big headache, when users lost encryption keys, or when users wanted us to face performance issues on large encrypted filesystems.
    - Portable storage will never be secure from the issue of data availability. Whether your data are encrypted or not does not matter if the device gets lost or broken and the user does not sync the data (for whatever reason). Scenarios where people had grant applications on USB keys and then they lost them or misplaced them inside a warm cup of coffee or had their kid's bike going over their laptop in the garden are common.

    This last point made us re-examine why people use portable devices in academic setups in the first place. Apart from the obvious reasons (mobility convenience, etc, etc), we found that strong motives for users to use portable storage media in an academic setup exist due to two reasons:
    i) Network drive user quotas were extremely low, almost not usable. In fact, I know of faculties that still give a Gig of space per user and find it generous.
    ii) Lack of suitable VPN solutions, so people could authenticate and mount their drives securely from remote locations. VPNs are commonplace, but they were dog slow, especially for large user setups, so faculties tend to serve tenths of thousands of users with only three or four VPN gateways that can handle (together) far fewer sessions than the true average user load. The result: non-existent or slow connections, users give up, buy a key or portable drive and hope for the best.

    I approached our Director, explained the problem and got funding to buy a storage solution able to provide a quota of 20 Gigs per user and also upgrade our campus connection and have our own separate VPN gateway, able to handle up to 80% of the average session load with strong crypto. It wasn't easy, and when he heard the bill, he changed a few colours. However, if you explain with numbers the cost of losing a grant, or the research work of the last two years (some experiments are quite expensive to repeat), they can be convinced to approve the budget.

    I don't know about the US, but in Europe, the broadband home market is good enough to sustain a good connection rate even with a 1Mbps/384Kbps ADSL setup for direct common file I/O (documents, spreadsheets, etc). Amongst academic networks things are even better. Storage is becoming cheaper, so making a policy decision to allow portable media and empowering your users with adequate amounts of centralized storage that is easily reachable is, in my humble opinion, the best way to combat the portable storage blues.

  9. Loss of SSN should not be a serious issue. by 140Mandak262Jamuna · · Score: 5, Interesting

    Why does losing a drive containing the SSNs of some 199 old students become a serious issue? In this day and age of information storage, it is high time we view SSN as public information. The number of strangers who have legal access to my name, address and social security number is staggering. Doctor's office staff, university offices, payroll department of employers ...

    Why should I be held responsible if someone recites my name, rank and serial number correctly and obtains a loan based on that very simple trivial fact? The problem is in the credit industry that wants to lend money at a moment's notice to people before their impulse to borrow fades away.

    All we need is a very simple change of law about default reporting. Let the companies lend without checks if they want to, it is after all their money. But they should not be able to report a loan as overdue or unpaid or in default without going through due diligence to verify that the person they are accusing of being a deadbeat is really the correct person.

    Let us change the burden of proof. Currently the victims of ID theft have to prove that ID theft occurred. Let us change it so that, it is the lender who should prove that ID theft did not take place.

    Then it won't matter if some department loses a hard disk containing a million SSNs. Will it?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact