State Agency to Destroy Unauthorized USB Drives
Lucas123 writes "The State of Washington's Division of Child Support has forced hundreds of workers to turn in personal USB flash drives and has instead begun issuing corporate-style USB drives. The goal is to centrally monitor, configure and prevent unauthorized access to storage devices. So far about 150 common drives have been issued. The agency eventually plans to destroy all existing thumb drives collected as part of the security policy change."
I know... I apologize for reading the article.
If you post it, they will read.
I don't want government employees listening to MP3s while at work. They are slow enough as it is.
when you pry it out of my dead cold fingers.
Seriously, how can they confiscate personal belongings? I can understand that they forbid the use, but how can they just take away something that belongs to me. Something that is mine.
What about cellphones? Or mp3 players? Those can be often used in the same way. Will those be confiscated as well?
It is good that they issue some sort of encryption, yet that does not mean they should be confiscating all the rest.
Don't fight for your country, if your country does not fight for you.
Although, it does say in the quote from the manager that they will "manage and back up the new drives using SanDisk's Central Management & Control server software...which relies on a Web connection to directly communicate with agents on the tiny flash drives [and can] remotely monitor and flush any lost drives" so they could read and delete files on the disks remotely.
It also says that they chose the disks for their MSW Vista compatibility which suggests that the "agents" really are (as previously quoted) on the disk rather than the PCs (one assumes so they can track what their employees do with the disks while not using their PCs, which really doesn't seem necessary to me). Hopefully they do have software on the PCs too to ensure that non-authorised disks are not used and to monitor activity if the "agents" are removed from the disk by intrepid employees.
Although, I suppose, in principle, the right to privacy of their clients (which could be breached by data being transferred out of the building) overrides the right to privacy the government employees have while in the office.
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
They're likely neither unauthorized nor personal.
If you post it, they will read.
Before people moan about "personal" these aren't things that people have paid for with their own cash (they got the cash paid back). The other point is that banning removable storage is a difficult, but sensible, policy when there is confidential or valuable information about. Hopefully these USB sticks will be encrypted and tied to only the departmental machines (i.e. no working at home on confidential information) in order to prevent misuse or sale.
This isn't a personal privacy issue for the users (after all it's just a USB key); it's a personal privacy issue for the people on whom the department stores information.
An Eye for an Eye will make the whole world blind - Gandhi
Are they using proprietary encryption software? Because I suppose that takes away all chance of accessing them on any computer not running windows (as in: "they chose the drives for their excellent support for windows vista"). I'm also annoyed (as I always am with things like this) that they are going to destroy the drives as opposed to Zeroing them out and selling them second hand.
At the very least, they could /dev/zero them and give them away.
Je fume. Tu fumes. Nous fûmes!
...USB Drives flash you.
Use your head, can't you, use your head,
You're on earth, there's no cure for that - S. Beckett
It's like trying to stop people from bringing in cell phones or iPods or PDAs... or creating personal Yahoo mail accounts from company machines... or playing solitaire at work. They are just too ubiquitous and there are just too many of them. Unless you get draconian (make it cause for immediate termination, and frisk every employee at the door... and I mean every employee, including all the vice presidents and directors and department heads).
Even employees that mean to comply will forget, will be at work and need one, reach in their pocket, and find they've got one of their own instead of the corporate-issued one.
I don't know what the answer is, but banning ubiquitous technology is like Canute holding back the waves.
The most dramatic case of the utter failure of this sort of thing I've seen occurred at a company in the 1990s which didn't quite understand that personal computers were personal. This was in the days before antivirus software was standard on any business machine. The company became seriously infected with a boot-sector virus. They had the entire IT department, SQA department, and tech support departments literally stop all their work for about a week while they went throughout the company collecting diskettes and disinfecting them, then pronounced the company clean. Apparently it never occurred to anyone that there were diskettes that weren't in the building.
Even then there were laptops, and, without pointing fingers--OK, pointing fingers--laptops were expensive at the time, and it was mostly the high-income and high-ranking employees, and, of course, people with good reason to have them--salespeople typically--that had them.
The company was reinfected by the same boot virus within less than a month.
"How to Do Nothing," kids activities, back in print!
Government and private sector agencies destroy used disks every single day using methods from as simple as patterning 1's and 0's to smelting the platters. This happens so often that there are dedicated machines available to do it for you right up to dedicated companies that specialize in the destruction.
I think that they are actually being fairly reasonable about the whole issue. USB keys are a severe security risk as far as controlling access to data leaving a business. People leave with Excel sheets full of database information, confidential email, and sometimes text pads containing passwords to various systems. We've already begun the process of completely disabling all computers company wide from their ability to write to removable drives which essentially takes away the threat a USB key poses. Here we see that the state spent a reasonable amount of money (cost of the usb key itself + enterprise management software which probably has some sort of CAL) just so employees could still use USB keys. In my environment, employees just straight up would never have access to USB resources to begin with... Can you imagine the consequences of a disgruntled employee walking out of the office with a spreadsheet of 65k+ credit card records or other customer records? Hello Fidelity Insurance scandal...
You can take my U3 drive from my cold, dead fingers! Gonzor's payload comes in handy.
www.isoHunt.com
Given the casual way in which UK government employees, both civil and military, have been treating confidential information, I am glad that a department with seriously confidential information is taking the security of portable storage media seriously. Obviously, if the media were personally purchased and used in good faith, the owners of the media must be compensated. But, as previously suggested, these were probably privately purchased and then refunded as expenses, so they belong to the employer already.
As to destroying them... Put this in proportion: 150 devices, at perhaps $30 apiece if they weren't bought yesterday: about $4500. On the other side, when the UK government lost 2 CDs with large amounts of personal information, the mailshot warning the people whose personal and banking information had been misplaced cost $6,000,000. With cost ratios of this magnitude, the precautionary principle applies. Yes, you could wipe them, and they probably wouldn't leak info. But the cost if they did is so high that the tiny loss involved in destruction is irrelevant.
So I applaud a government department for finally taking privacy seriously. The cost arises because they didn't do so before, and is small. The cost for all the other departments who have not yet got it is increasing every day.
Consciousness is an illusion caused by an excess of self consciousness.
Why should we care? You want to AC... be a man and declare who you are
Call me dumb, but I don't understand what they're using these thumb drives for that wouldn't be possible with a good network? Why not disable the ports (or at least access to them by anyone but IT and managers). If they have network shares, that should be sufficient enough to transfer data to a colleague. The article mentions PowerPoint presentations and the like...but if they're giving a presentation within the building, they should be able to access their shares for the PowerPoint files. If it's outside of the building, transfer it to the laptop before you go. But if you absolutely need the files on a thumb drive, get a monkey from IT to do it (that's what field techs are for). I dunno, I guess I'm just too used to how the two places I've worked at in IT did and do things. The million dollar question is why is the state so paranoid that their employees in the Division of Child Support are going to be stealing information? Maybe they should screen better.
Now some geniuses have tagged it privacy - what does the state erasing a thumb drive it owns have to do with privacy?
But then again what does the content of the article have to do with analysis on Slashdot... yeah I know.. flamebait..
It is interesting to consider this move from the perspective of a decade ago, in which case they would be banning privately purchased floppy disks.
So you are worried about an account you didn't want in the first place being sniffed and hi-jacked by someone else ? If you are so paranoid about identity theft, that you think someone would steal your Slashdot account over say, your online Credit Card payments or online Banking Details, then maybe you'd be better not using the Internet at all.
from my cold dead fingers.
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
...I thought, "Oh. Halliburton must be branching out into storage media."
The Wolfpack Project: BitCoin + Crowdfunding = Political Accountability
Is it possible to bypass the protections and make a forensic copy of the drive before entering the passphrase, thereby making the "10 tries" meaningless?
If it's not possible to make a forensic copy, Al-Qaeda wants to place an order.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I remember reading an article from a security consultant awhile back. One of his clients, a bank, had hired him to try to break into their systems, and were quite cocky about how they'd sealed off external access.
So he took a bunch of thumb drives, put a Windows autorun backdoor installer on them, and scattered them around the entrances and outdoor smoking areas.
Hey, presto, instant access.
Why destroy them when you can just give them away to people that need them?
Lots of people would use those USB flash drives! And they don't care a sht about its current information.
For example these kids: http://www.epicchange.org/
Guh! Don't destroy them. There exists software that will securely erase data from any media, disk or ram. Use these programs and then give those memory sticks to some charitable cause or somethin'. Yeesh, what a waste of technology.
Bearded Dragon
If the drives were purchased by the employee, and the state ended up paying for it, then so be it. I'll give it to them (after I take my personal stuff off), but, if like me, they buy their own drive, because the one the state issued, or bought me isn't enough, they can't have it. Good luck prying it from my hands. I just will leave it in my glove box of my car. Since it is a metal casing, you can't have it. I just won't bring it into the office and will use the one you issue me for all work related business.
They should just erase them & air drop them over Cuba!
ON DELETE CASCADE
you would see that I did RTFA. If the state had purchased the correct type of thumb drives in the beginning this would not have been an issue. The headline says "State Agency to Destroy Unauthorized USB Drives", someone noted that the misguided headline and summary do not accurately reflect the content of the article. I followed that up by noting the tagging was questionable. The gist of the summary is that the privacy issue is in the erasing of the thumb drives, whereas the article's point is that personal data isn't being adequately protected - this upgrade should improve on that.
Back to my original statement (with clarification - seems necessary) - Erasing the drives has nothing to do with the privacy of those who used them, the headline and summary are still bad.
I am done with this discussion.
The state actually realized it did a bad thing and decided to improve the situation by pulling in the ropes on a data leakage vector. I can't see how comprehension can get lost in such a simple, and yet completely boring article. In other news, Pepsi is using blue cans for their soda products...
Is there any reason to think these don't use the Windows-based encryption that is trivially defeated?
If I had a usb thumb drive that I purchased for work and my company or government in this case confiscated it, would I be compensated for my property?
I can understand the need to destroy the drive for security purposes, but who is going to pay for them? Not the employees, I hope.
by now, the IT guys probably sorted through them and kept the hi-cap ones for themselves.
They're using their grammar skills there.
And here comes the waaaaaahmbulance.
Suck it up. AC's have posted at -1 as long as I've had an account, thanks to setting them to -6 (and I am not the only one).
If you want anyone to care what you have to say, work it out.
Gee, I used to have to buy my own USB drive to steal software and data files from work. Now, they're providing me with one for free!!
The auditor was furious, and demanded we give him the file, rather than just printouts. I said no, and he left, only to return the next day with his supervisor, who also demanded the same and said they'd get the file "legally" if needed.
I told them to give me the USB key, and we'll see. I plugged the key in and turned the monitor around so they could see 9 QuickBooks files from other companies. I asked them if they intended to share my data with the next 9 companies, like they just shared those files with me?
After much haranguing, and threat of legal action, we finally agreed on a full Excel file database dump, but with the critical fields (customer names, CC numbers, etc) wiped.
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
and memory cards. Users of the last generation of industrial control equipment come to mind immediately. I maintain a couple of industrial touchscreen interface panels that store configuration setups on CF cards, but cannot support CF cards larger than 128 MB due to firmware limitations.
This is industrial strength hardware that would take serious $$$ to replace, a lot of time to migrate the software and debug the interface for, and it is perfectly functional. The only problem is that the mass-market applications for flash memory (digital cameras and music players) have long since outgrown the 16 or 32 MB cards that are used to store machine setups. So memory card manufacturers no longer manufacture the smaller sizes, because the market is so limited. So users either have the choice of paying $$$ for obsolete memory cards from automation suppliers, or buying them (often for less than the shipping cost) on eBay.
Remember "News for Nerds, Stuff that Matters"? Help make it a reality again! http://soylentnews.org
How do we rein in our state government? It is way out of control.
or did anyone else immediately think "They're not doing that because the fobs are insecure, they're looking for child porn."
They ARE out to get you simply because They are in it for themselves and they don't care about you.
Washington's usual practices are not to destroy materials, but to sell them at GSA Surplus sales. That's where the pointy objects the TSA took from travellers wind up, as well as where monitors and filing cabinets and so forth from government offices get liquidated. I would imagine they'd do secure wipes on the sticks before tossing in the barrel.
I will keep an eye out for USB sticks at the Auburn office near the Supermall. They'd be a welcome change from the elementary school scissors and grubby pocketknives clogging the $1/item bins.
Laughter is the Spackle of the Soul.
The case worker, who may have to do three or four emotionally draining interviews in one day, cannot be expected to remember all the facts accurately enough for (for example) legal proceedings to remove a child from parents. The alternative to USB keys is probably printout, pen and paper. And how secure is that? At least USB keys can be encrypted.
So they're sticking these thumb drives in computers owned by the people they are investigating?
Or they have no way to securely store information on their own laptops?
What exactly is the scenario you're envisioning here?
All government agencies have information that needs to be protected. Like Washington, we (my nick will give you a clue who we are) are safeguarding portable information. Our facility has moved to encrypted usb drives to reduce inadvertent disclosure of information. There is a huge list of information managers may need and use that could violate confidentiality, provide the competition with strategic data, and damage all kinds of legal processes. With the potential costs, an agency would be stupid to not just gather up unsecure drives and destroy them. The real cost is tiny and the potential cost of not doing so is enormous.
Profanity - The sign of a small mind trying to express itself.
>> The reason the state is issuing these new fancy-schmancy thumb drives is that the new ones (claim to) have 256-bit AES encryption and (claim to) self-destruct after 10 consecutive wrong passwords.
> In which case they really should verify that this actually is the case before buying more than a sample.
Very true, but let's go a little deeper... A prudent test would be applicable only to
one model of hardware, one revision of the firmware, and the cost of testing would only
be supportable if one makes a bulk purchase. Because a retail outlet, or even
a wholesaler, cannot identify the firmware from the packaging, you have to contract with
a manufacturer directly to do that.
Inescapable conclusion: consumers buying thumb drives cannot expect any
comparable security for their data. We can only trust some manufacturer's
claims printed on the retail package.
Now, we hear of a government agency that's going to certify one kind of drive, BUT only
for their own use. We should, as citizens, ask our elected government to provide
some support for our needs in this regard. Maybe Washington state can market an
"approved for security" logo and offset this hardware purchase cost?
Government acting for the public good: it's an idea.
The only "situation" as I see it is your overblown ego believing that everything you have to say should instantly be seen by the masses.
... if it's so easy to sniff an end node, then it's just as unsecured as anything else ... therefore seek an alternative if you are concerned about privacy.
... well, goatse, grit, russia, profit, myminicities to you sir. There's plenty of rubbish ALREADY here ... ergo the original point that AC start at -1.
I thought TOR was supposed to be the ultimate in "anonymous" browsing
And as for posting rubbish on Slashdot
The fact you choose to end your diatribe with an expletive for no other reason than you are devoid of sufficient vocabulary to manage anything better reinforces even more why AC should be -1.
Thankfully, as I have an account, I can reciprocate by telling you sir, to fuck off (The difference being everyone will see what I wrote).
Thank you and good night