Slashdot Mirror

← Back to Stories (view on slashdot.org)

Colleges Wrestle With Thumb Drives

Posted by kdawson on from the just-too-convenient dept.

Lucas123 writes "IT managers at colleges and universities are grappling with the problem of finding ways to better secure removable storage media in an environment that encourages information sharing. Draconian security mandates 'may be common in the corporate world, but "we don't have the flexibility to simply say all inbound traffic is locked down," said Jason Pufahl, information security team lead for IT services at the University of Connecticut.'"

9 of 127 comments (clear)

  1. What the hell is this about? by Opportunist · · Score: 5, Insightful

    Could anyone explain that? I don't see the point.

    You're worried about the university computers? Then use a secure system that doesn't allow a user to bring along any kind of software to infect it.

    You're worried about the student's data? Then teach them to use encryption and require them to use it.

    Both things neither require a lot of examination nor a lot of money. What's the big deal?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:What the hell is this about? by PopeRatzo · · Score: 5, Insightful

      There really should be more enlightened approaches to net security than filling the USB ports with superglue.

      Especially at a University, where you want people to take and share information. Seriously, deniable makes a great point. I taught a series of workshops at a small college that took the "no removable storage" approach to keeping themselves "secure". The IT Director eventually got fired and now they're being a little more reasonable.

      --
      You are welcome on my lawn.
    2. Re:What the hell is this about? by stevedcc · · Score: 5, Informative

      Universities really CAN'T lock systems down in the kind of way a workplace can. I'm doing a Master's degree in Information Technology (basically a one year conversion course Computing Science for those with different first degrees). We have to write software for our dissertations and this often involves making use of other people's software, sometimes libraries, sometimes compiled programs. We wouldn't be able to do our dissertations if we couldn't install more software. It's not practical to have to have to get permission for every peice of software every student needs. I'm sure many of the academic staff also need to do these things in order to do their own research.

      University networks are not like work networks. You can't enforce a standard set of tools and be sure that no one needs to run anything else

      --
      todo - The developer's equivalent of confession: "Forgive me Father, for I have sinned..."
    3. Re:What the hell is this about? by Anonymous Coward · · Score: 5, Insightful

      What's the big deal? Making user responsible in *any* way for their own security or for the computer they use is a no-no, it flies in the face of 15 years of learned helplessness regarding computers.

      Never mind that computers are a basic tool of the modern age, computers are magical black box administered by a priestly class, and only nerds should know anything about them. And encryption? That's for the government or terrorists, AND NO ONE ELSE!
    4. Re:What the hell is this about? by Anonymous Coward · · Score: 5, Funny

      I spent a good deal of my life in an university.

      lol

  2. Re:Deep Freeze by DHalcyon · · Score: 5, Insightful

    We restore the partitions on every boot, images are loaded from a central server, your profile is stored on a central server and loaded when you log in. Works very well.

  3. am I? by jon_joy_1999 · · Score: 5, Funny

    am I the only one who read the title and thought "One two three four, I declare a thumbdrive war."?

    --
    there are 10 types of people in this world; those who get this joke, and those who don't
  4. Portable storage blues by quarkie68 · · Score: 5, Insightful

    The portable storage blues is a mixture of incomplete policy decisions, technology adoption and resource planning . I shall explain my view. I am co-administering and directing on the technical side a 300 user R&D IT infrastructure (servers, desktops, network), which is part of a large University setup (20000 students plus) for 5 years now. Indeed, things in academia have to be open. And they can be as long as you focus on the problem.

    Desktop wise, a proven conbination of transparent bridging at network level, an antivirus/spyware on the desktop and another anti-virus/spyware on the mail server will filter out most of the traditional ways of infecting systems with malware. Scripts to enforce patching and lock out users that connect to the network might be a big headache, so if you can afford the overhead do that, or switch critical services to a more secure (and yes, I mean that) desktop such as a patched version of Linux.

    The issue of data migration to/from portable storage is a head-scratching one. So, where I work, we scratched our head a lot and came up with the following conclusions:
    - We can train users to understand the implications of relying on portable storage.
    - Encryption could protect the content. In rare cases, it was a big headache, when users lost encryption keys, or when users wanted us to face performance issues on large encrypted filesystems.
    - Portable storage will never be secure from the issue of data availability. Whether your data are encrypted or not does not matter if the device gets lost or broken and the user does not sync the data (for whatever reason). Scenarios where people had grant applications on USB keys and then they lost them or miscplaced them inside a warm cup of coffee or had their kids bike going over their laptop in the garden are common.

    This last point made us re-examine why people use portable devices in academic setups in the first place. Apart from the obvious reasons ( mobility convenience, etc, etc), we found that strong motives for users to use portable storage media in an academic setup exist due to two reasons:
    i)Network drive user quotas were extremely low, almost not usable. In fact, I know of faculties that still give a Gig of space per user and find it generous.
    ii)Lack of suitable VPN solutions, so people could authenticate and mount their drives securely from remote locations. VPNs are common place, but they were dog slow, especially for large user setups, so faculties tend to serve tenths of thousands of users with only three or four VPN gateways that can handle (together) far fewer sessions than the true average user load. The result, non existing or slow connections, users give up, buy a key or portable drive and hope for the best.

    I approached our Director, explained the problem and got funding to buy a storage solution able to a quota of 20 Gigs per user and also upgrade our campus connection and have our own separate VPN gateway, able to handle up to 80% of the average session load with strong crypto. It wasn't easy, and he heard the bill, he changed a few colours. However, if you explain with numbers the cost of loosing a grant, or the research work of the last two years (some experiments are quite expensive to repeat), they can be convinced to approve the budget.

    I don't know about the US, but in Europe, the broadband home market is good enough to sustain a good connection rate even with a 1Mbps/384Kbps ADSL setup for direct common file I/O (documents, spreadsheets, etc). Amongst academic networks things are even better. Storage is becoming cheaper, so making a policy decision to allow portable media and empowering your users with adequate amounts of centralized storage that is easily reachable is, in my humble opinion, the best way to combat the portable storage blues.

  5. Loss of SSN should not be a serious issue. by 140Mandak262Jamuna · · Score: 5, Interesting
    Why losing a drive containing SSN of some 199 old students become a serious issue? In this day and age of information storage, it is high time we view SSN as public information. The number of strangers who have legal access to my name, address and social security number is staggering. Doctor's office staff, university offices, payroll department of employers ...

    Why should I be held responsible if someone recites my name, rank and serial number correctly and obtains a loan based on that very simple trivial fact? The problem is in the credit industry that wants to lend money at a moments notice to people before their impulse to borrow fades away.

    All we need is a very simple change of law about default reporting. Let the companies lend without checks if they want to, it is after all their money. But they should not be able to report a loan as overdue or unpaid or in default without going through due diligence to verify that the person they are accusing of being a deadbeat is really the correct person.

    Let us change the burden of proof. Currently the victims of ID theft have to prove that ID theft occurred. Let us change it so that, it is the lender who should prove that ID theft did not take place.

    Then it wont matter if some department loses a hard disk containing million SSNs. Will it?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact