State Agency to Destroy Unauthorized USB Drives
Lucas123 writes "The State of Washington's Division of Child Support has forced hundreds of workers to turn in personal USB flash drives and has instead begun issuing corporate-style USB drives. The goal is to centrally monitor, configure and prevent unauthorized access to storage devices. So far about 150 common drives have been issued. The agency eventually plans to destroy all existing thumb drives collected as part of the security policy change."
I know... I apologize for reading the article.
If you post it, they will read.
I don't want government employees listening to MP3s while at work. They are slow enough as it is.
Although, it does say in the quote from the manager that they will "manage and back up the new drives using SanDisk's Central Management & Control server software...which relies on a Web connection to directly communicate with agents on the tiny flash drives [and can] remotely monitor and flush any lost drives" so they could read and delete files on the disks remotely.
It also says that they chose the disks for their MSW Vista compatibility which suggests that the "agents" really are (as previously quoted) on the disk rather than the PCs (one assumes so they can track what their employees do with the disks while not using their PCs, which really doesn't seem necessary to me). Hopefully they do have software on the PCs too to ensure that non-authorised disks are not used and to monitor activity if the "agents" are removed from the disk by intrepid employees.
Although, I suppose, in principle, the right to privacy of their clients (which could be breached by data being transferred out of the building) overrides the right to privacy the government employees have while in the office.
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
They're likely neither unauthorized nor personal.
If you post it, they will read.
Before people moan about "personal" these aren't things that people have paid for with their own cash (they got the cash paid back). The other point is that banning removable storage is a difficult, but sensible, policy when there is confidential or valuable information about. Hopefully these USB sticks will be encrypted and tied to only the departmental machines (i.e. no working at home on confidential information) in order to prevent misuse or sale.
This isn't a personal privacy issue for the users (after all it's just a USB key), it's a personal privacy issue for the people on whom the department stores information.
An Eye for an Eye will make the whole world blind - Gandhi
At the very least, they could /dev/zero them and give them away.
Je fume. Tu fumes. Nous fûmes!
Two things to consider:
Maybe not
It's like trying to stop people from bringing in cell phones or iPods or PDAs... or creating personal Yahoo mail accounts from company machines... or playing solitaire at work. They are just too ubiquitous and there are just too many of them. Unless you get draconian (make it cause for immediate termination, and frisk every employee at the door... and I mean every employee, including all the vice presidents and directors and department heads).
Even employees that mean to comply will forget, will be at work and need one, reach in their pocket, and find they've got one of their own instead of the corporate-issued one.
I don't know what the answer is, but banning ubiquitous technology is like Canute holding back the waves.
The most dramatic case of the utter failure of this sort of thing I've seen occurred at a company in the 1990s which didn't quite understand that personal computers were personal. This was in the days before antivirus software was standard on any business machine. The company became seriously infected with a boot-sector virus. They had the entire IT department, SQA department, and tech support departments literally stop all their work for about a week while they went throughout the company collecting diskettes and disinfecting them, then pronounced the company clean. Apparently it never occurred to anyone that there were diskettes that weren't in the building.
Even then there were laptops, and, without pointing fingers--OK, pointing fingers--laptops were expensive at the time, and it was mostly the high-income and high-ranking employees, and, of course, people with good reason to have them--salespeople typically--that had them.
The company was reinfected by the same boot virus within less than a month.
"How to Do Nothing," kids activities, back in print!
Government and private sector agencies destroy used disks every single day using methods from as simple as patterning 1's and 0's to smelting the platters. This happens so often that there are dedicated machines available to do it for you right up to dedicated companies that specialize in the destruction.
I think that they are actually being fairly reasonable about the whole issue. USB keys are a severe security risk as far as controlling access to data leaving a business. People leave with Excel sheets full of database information, confidential email, and sometimes text pads containing passwords to various systems. We've already begun the process of completely disabling all computers company wide from their ability to write to removable drives which essentially takes away the threat a USB key poses. Here we see that the state spent a reasonable amount of money (cost of the usb key itself + enterprise management software which probably has some sort of CAL) just so employees could still use USB keys. In my environment, employees just straight up would never have access to USB resources to begin with... Can you imagine the consequences of a disgruntled employee walking out of the office with a spreadsheet of 65k+ credit card records or other customer records? Hello Fidelity Insurance scandal...
Given the casual way in which UK government employees, both civil and military, have been treating confidential information, I am glad that a department with seriously confidential information is taking the security of portable storage media seriously. Obviously, if the media were personally purchased and used in good faith, the owners of the media must be compensated. But, as previously suggested, these were probably privately purchased and then refunded as expenses, so they belong to the employer already.
As to destroying them... Put this in proportion: 150 devices, at perhaps $30 apiece if they weren't bought yesterday: about $4500. On the other side, when the UK government lost 2 CDs with large amounts of personal information, the mailshot warning the people whose personal and banking information had been misplaced cost $6,000,000. With cost ratios of this magnitude, the precautionary principle applies. Yes, you could wipe them, and they probably wouldn't leak info. But the cost if they did is so high that the tiny loss involved in destruction is irrelevant.
So I applaud a government department for finally taking privacy seriously. The cost arises because they didn't do so before, and is small. The cost for all the other departments who have not yet got it is increasing every day.
Consciousness is an illusion caused by an excess of self consciousness.
Call me dumb, but I don't understand what they're using these thumb drives for that wouldn't be possible with a good network? Why not disable the ports (or at least access to them by anyone but IT and managers). If they have network shares, that should be sufficient enough to transfer data to a colleague. The article mentions PowerPoint presentations and the like...but if they're giving a presentation within the building, they should be able to access their shares for the PowerPoint files. If it's outside of the building, transfer it to the laptop before you go. But if you absolutely need the files on a thumb drive, get a monkey from IT to do it (that's what field techs are for). I dunno, I guess I'm just too used to how the two places I've worked at in IT did and do things. The million dollar question is why is the state so paranoid that their employees in the Division of Child Support are going to be stealing information? Maybe they should screen better.
Oh, I don't know, maybe erasing the drives makes sense because they contain case files and such?
The replacement drives might support encryption, which is a normal 'corporate' feature.
I don't read AC A human right
especially that due to wear protection flash drives are pretty hard to zero. Overwriting files is not guaranteed to delete the data because the 'overwrite' may (and likely will) happen elsewhere than original data was. You can still fill the whole drive with zeros (or better - random noise) but the science concerning recovery of overwritten data from flash memory is nonexistent - nobody knows whether it can or can't be done.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
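The remapping described in the comment above, as an added example that is not part of the original thread: a toy flash translation layer showing that an "overwrite" of a logical block lands on a different physical page. The `ToyFlash` class, its page counts, its garbage-collection policy and the sample data are constructed for illustration and model no real controller; it goes one step beyond the comment by also tracking what happens to the old page across full-drive fills in this model.

```python
class ToyFlash:
    """Constructed model: 8 physical pages back 6 logical ones (2 spare)."""

    def __init__(self, physical_pages=8, logical_pages=6):
        self.phys = [None] * physical_pages   # raw contents; None = erased
        self.wear = [0] * physical_pages      # program count per physical page
        self.map = {}                         # logical page -> physical page
        self.logical_pages = logical_pages

    def _free(self):
        return [i for i, d in enumerate(self.phys) if d is None]

    def _allocate(self):
        if not self._free():
            # Garbage collection runs only when no erased page is left:
            # every page that no logical block points at is erased.
            live = set(self.map.values())
            for i in range(len(self.phys)):
                if i not in live:
                    self.phys[i] = None
        # Wear levelling: program the least-worn erased page.
        return min(self._free(), key=lambda i: self.wear[i])

    def write(self, lba, data):
        self.map.pop(lba, None)     # old page becomes stale but keeps its data
        page = self._allocate()
        self.phys[page] = data
        self.wear[page] += 1
        self.map[lba] = page

    def read(self, lba):            # what the host sees through the USB interface
        return self.phys[self.map[lba]]

    def raw_contains(self, data):   # what reading the flash chip directly would show
        return data in self.phys


def demo():
    dev = ToyFlash()
    secret, zeros = b"case file #1", b"\x00" * 12   # constructed sample data
    dev.write(0, secret)
    dev.write(0, zeros)                       # "overwrite the file" in place
    still_there = [dev.raw_contains(secret)]  # after the in-place overwrite
    for _ in range(2):                        # two full passes over the logical drive
        for lba in range(dev.logical_pages):
            dev.write(lba, zeros)
        still_there.append(dev.raw_contains(secret))
    return dev.read(0), still_there


if __name__ == "__main__":
    print(demo())
```

In this model the host reads zeros from block 0 the whole time, while the old page survives the in-place overwrite and the first full fill and is erased only when garbage collection runs during the second pass; a real controller's spare area and collection policy will differ.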
Having spent quite a few years working for the US government, I assure you, they were either reimbursed for them if they were officially permitted, or warned against using them. It's not uncommon to sign a waiver giving them permission to confiscate storage media if you store sensitive stuff on it, and personally, I'm rather glad to see them being responsible with information that could pose a major privacy threat.
Support more choices in government-Vote 3rd party.
> The replacement drives might support encryption, which is a normal 'corporate' feature.
Your sarcasm is duly noted and definitely misdirected - my point is that the state has the right to do what they please with their hardware. If they decide to erase the drives because they have purchased better equipment, that is their prerogative. Unfortunately the summary leads one to believe that the state gov't is saying, "you used your personal thumbdrive for work, so bring it in and we'll erase it" when actually, what appears to have happened is that they (stupidly/cheaply) purchased non-enterprise drives for enterprise purposes, then figured it out sometime later and decided to "fix" the problem - not really a big story... but like I said.. this is slashdot, where too many people believe in the process of "ready, fire, aim" when it comes to commenting or responding... comprehension is not necessary.
The use of the word "personal" was obviously targeted at getting a rise out of the non-RTFA crowd, as the article itself never terms the drives - "personal drives". They called them "nonapproved thumb drives". We recently discussed "secure" thumb drives and I hope they aren't wasting their (taxpayers') money on the version of the Cruzer reviewed in the article.
> Who would buy a used 256 MB flash drive?
Depends on the price. If they were 1p I'd buy 100 of 'em. 256 Mb is still a useful amount of storage (plain text, html, mp3 etc. etc.).
Sky subscribers are morons. They pay to be advertised at !
RTFA. The reason the state is issuing these new fancy-schmancy thumb drives is that the new ones (claim to) have 256-bit AES encryption and (claim to) self-destruct after 10 consecutive wrong passwords. They're doing this whole switch because of privacy, because the thumb drives contain the private, personal case files of hundreds/thousands of citizens.
Range Voting: preference intensity matters
I remember reading an article from a security consultant awhile back. One of his clients, a bank, had hired him to try to break into their systems, and were quite cocky about how they'd sealed off external access.
So he took a bunch of thumb drives, put a Windows autorun backdoor installer on them, and scattered them around the entrances and outdoor smoking areas.
Hey, presto, instant access.
you would see that I did RTFA. If the state had purchased the correct type of thumb drives in the beginning this would not have been an issue. The headline says "State Agency to Destroy Unauthorized USB Drives", someone noted that the misguided headline and summary do not accurately reflect the content of the article. I followed that up by noting the tagging was questionable. The gist of the summary is that the privacy issue is in the erasing of the thumb drives, whereas the article's point is that personal data isn't being adequately protected - this upgrade should improve on that.
Back to my original statement (with clarification - seems necessary) - Erasing the drives has nothing to do with the privacy of those who used them, the headline and summary are still bad.
I am done with this discussion.
The auditor was furious, and demanded we give him the file, rather than just printouts. I said no, and he left, only to return the next day with his supervisor, who also demanded the same and said they'd get the file "legally" if needed.
I told them to give me the USB key, and we'll see. I plugged the key in and turned the monitor around so they could see 9 QuickBooks files from other companies. I asked them if they intended to share my data with the next 9 companies, like they just shared those files with me?
After much haranguing, and threat of legal action, we finally agreed on a full Excel file database dump, but with the critical fields (customer names, CC numbers, etc) wiped.
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
or did anyone else immediately think "They're not doing that because the fobs are insecure, they're looking for child porn."
They ARE out to get you simply because They are in it for themselves and they don't care about you.
All government agencies have information that needs to be protected. Like Washington, we (my nick will give you a clue who we are) are safeguarding portable information. Our facility has moved to encrypted USB drives to reduce inadvertent disclosure of information. There is a huge list of information managers may need and use that could violate confidentiality, provide the competition with strategic data, and damage all kinds of legal processes. With the potential costs, an agency would be stupid to not just gather up unsecure drives and destroy them. The real cost is tiny and the potential cost of not doing so is enormous.
Profanity - The sign of a small mind trying to express itself.