Slashdot Mirror


State Agency to Destroy Unauthorized USB Drives

Lucas123 writes "The State of Washington's Division of Child Support has forced hundreds of workers to turn in personal USB flash drives and has instead begun issuing corporate-style USB drives. The goal is to centrally monitor, configure and prevent unauthorized access to storage devices. So far about 150 common drives have been issued. The agency eventually plans to destroy all existing thumb drives collected as part of the security policy change."

7 of 179 comments

  1. Won't work, even with all the good faith... by dpbsmith · · Score: 2, Interesting

    It's like trying to stop people from bringing in cell phones or iPods or PDAs... or creating personal Yahoo mail accounts from company machines... or playing solitaire at work. They are just too ubiquitous and there are just too many of them. Unless you get draconian (make it cause for immediate termination, and frisk every employee at the door... and I mean every employee, including all the vice presidents and directors and department heads).

    Even employees that mean to comply will forget, will be at work and need one, reach in their pocket, and find they've got one of their own instead of the corporate-issued one.

    I don't know what the answer is, but banning ubiquitous technology is like Canute holding back the waves.

    The most dramatic case of the utter failure of this sort of thing I've seen occurred at a company in the 1990s which didn't quite understand that personal computers were personal. This was in the days before antivirus software was standard on any business machine. The company became seriously infected with a boot-sector virus. They had the entire IT department, SQA department, and tech support departments literally stop all their work for about a week while they went throughout the company collecting diskettes and disinfecting them, then pronounced the company clean. Apparently it never occurred to anyone that there were diskettes that weren't in the building.

    Even then there were laptops, and, without pointing fingers--OK, pointing fingers--laptops were expensive at the time, and it was mostly the high-income and high-ranking employees, and, of course, people with good reason to have them--salespeople typically--that had them.

    The company was reinfected by the same boot virus within less than a month.

  2. Re:Sensible policy by CastrTroy · · Score: 2, Interesting

    Do they even need to be taking information off premises? If the drives aren't encrypted they aren't secure. What computers are they hooking them up to? Are those computers secure? If you're only going to use the data on departmental machines, a network storage solution would work a lot better, and be a lot more secure.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  3. Re:Sensible policy by AlecC · · Score: 2, Interesting

    The whole point of the article is that they are replacing drives of unknown source and capabilities with encrypted drives which self-wipe on too many access failures. They are, correctly, replacing insecure devices with secure ones and destroying insecure ones with confidential data.

    --
    Consciousness is an illusion caused by an excess of self consciousness.
  4. Re:Sensible policy by CastrTroy · · Score: 2, Interesting

    The point is, where are they taking these drives? If it's just for between computers within the organization, a network storage solution would work better. It would be more secure, and the files would never leave the premises (ideally). The only need for USB drives is to transfer data between computers not on the network. If the information they are transporting is really all that important and confidential, it's probably best that they never give access to it from unknown computers. Once you enter the passphrase, the computer it's hooked to can do just about anything with the data.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  5. Re:Sensible policy by CastrTroy · · Score: 2, Interesting

    If they need to type up notes about cases, without being at the office, then get them a laptop and secure that. Sure they could still hook that up to another home computer, or to a USB drive, and data could get in the open, but there will be a lot less reason for them to do so. Giving them a USB drive gives them the ability, and actually encourages them to put the data on insecure systems. For the extra cost of these fancy USB drives, you could probably provide them with a laptop (over the cost of a desktop), and just install TrueCrypt on it.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  6. Now if only all the other agencies would.... by LynnwoodRooster · · Score: 2, Interesting

    consider privacy, too. Two years ago, I had the "pleasure" of a WA State DOR audit. The auditor wanted me to copy our company's QuickBooks file to his USB so he could work on it at his office. Knowing the law, I said I'd run reports and print out anything he wanted, but would not give him the file because it contained delicate information (like SSNs, health information, credit card numbers, etc).

    The auditor was furious, and demanded we give him the file, rather than just printouts. I said no, and he left, only to return the next day with his supervisor, who also demanded the same and said they'd get the file "legally" if needed.

    I told them to give me the USB key, and we'll see. I plugged the key in and turned the monitor around so they could see 9 QuickBooks files from other companies. I asked them if they intended to share my data with the next 9 companies, like they just shared those files with me?

    After much haranguing, and threat of legal action, we finally agreed on a full Excel file database dump, but with the critical fields (customer names, CC numbers, etc) wiped.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  7. Is it just me, by IdeaMan · · Score: 2, Interesting

    or did anyone else immediately think "They're not doing that because the fobs are insecure, they're looking for child porn."

    --
    They ARE out to get you simply because They are in it for themselves and they don't care about you.