State Agency to Destroy Unauthorized USB Drives

Lucas123 writes "The State of Washington's Division of Child support has forced hundreds of workers to turn in personal USB flash drives and has instead begun issuing corporate-style USB drives. The goal is to centrally monitor, configure and prevent unauthorized access to storage devices. So far about 150 common drives have been issued. The agency eventually plans to destroy all existing thumb drives collected as part of the security policy change."

Misleading summary

[jlowery]

The article states that the previous drives were "independently purchased" by employees, which likely means they got permission to buy a drive, went to Staples to get it, and then were reimbursed by the state. That would mean that they are not "personal" USB drives.

I know... I apologize for reading the article.

Re:Misleading summary

[damsa]

They are "personal" drives as opposed to "enterprise" drives in the sense that the state issued drive has additional features not available to the regular Staples consumer.

Re:Misleading summary

[aurispector]

It really isn't clear at all exactly who purchased the drives and under what authority. Early in TFA they refer to "privately owned drives" which clearly indicates personal property, but in the same breath refer to state owned drives - and the difficulties in distinguishing between the two. The agency may well have a policy allowing them to confiscate personal items containing confidential information. Props to the agency for recognizing the problem.

The whole point of the exercise appears to be about safeguarding the data. The /. submission focusses on the confiscated drives being destroyed, which in TFA is a minor note at the end of the article. It appears that the state has to choose between paying someone to wipe all those drives or "destroying" them by some as yet undefined but presumably secure method and of the two, destruction would presumably be the most reliable.

A better title would have been "Washington's Division of Child Support takes important steps needed to safeguard confidental data" or "State agency moves to plug USB flash drive security gap". Oops, never mind, the second one was already used by *TFA*.

RTFA

[jlowery]

They're likely neither unauthorized or personal.

Sensible policy

[MosesJones]

Before people moan about "personal" these aren't things that people have paid for with their own cash (they got the cash paid back). The other point is that banning removable storage is a difficult, but sensible, policy when there is confidential or valuable information about. Hopefully these USB sticks will be encrypted and tied to only the departmental machines (i.e. no working at home on confidential information) in order to prevent misuse or sale.

This isn't a personal privacy issue for the users (after all its just a USB key) its a personal privacy issue for the people on whom the department stores information.

Re:Sensible policy

[Moraelin]

Call me a cynic, but based on the experience of some places I worked for, it might just end up something like this:

1. What maybe started along the lines that you described, then has to go through controlling or purchasing or such, which in a lot of places have their job judged and measured by how much they saved. If they saved 10,000$ at the cost of making everyone else spend 1,000,000$ in workarounds and lost productivity, they're doing their job right. So someone will go "auugh, why should we pay a few bucks more on very secure drives, when we could get ordinary ones at a bulk discount? Look, there are these drives with fingerprint scanner for half the price. That's secure, right?" (See the vulnerability linked even on Slashdot recently.)

2. Someone else (or in some organizations the same) will have to make sure it's one of the approved suppliers. Ideally this would mean those who have a good track record of reliability, quality, etc. In practice, it'll mean one of (A) whoever pays more bribe, or (B) the boss's wife's or cousin's supplies company, created just to siphon some money off such purchases. If it's a state agency, stuff like pork barrel, political favours and lobbies have something to do with it too.

Since this _should_ be in conflict with #1 and is exactly the kind of thing that #1 is supposed to catch, sometimes they split the bribe, sometimes they trade favours, and sometimes inventive discounts are used. Like we'll price the USB sticks at $1000 each, give you a 50% discount, and let you show that you've done your job right by negotiating a whole $500 discount per drive.

3. Some IT department has been given thoroughly counter-productive goals, like only keeping the computers or the network running, but no mention of actually providing a service to the rest of the organization. So suddenly the users are their sworn enemies, the filthy pests that keep using and screwing their preciouss computers and network. They'll do their best to contain, thwart and plain old inconvenience those users at every step. So the "secure" setup for those drives will be just an exercise in making it as inconvenient to use as possible, to teach those pesky lusers a lesson.

And indeed the users do learn a lesson: that if you want to get your job done at all, you have to do your own unauthorized workarounds. There goes most of security out the window right there.

Alternately, the IT department has also been on the shit end of #1, and is underfunded and staffed with the cheapest monkeys who can sorta bang on a keyboard, and don't fling too much feces at the screen. So they'll configure something which they think is right, but is not.

Yet another alternative is that a lax PHB can't be bothered to actually organize IT, and some BOFH personality types feel free to override everything and do what _they_ please. I've seen it happen. Stuff like production servers configured without XA support for _years_, just because the relevant BOFH thought that's a buzzword and it runs just as well without it anyway, plus it saves him the bother of installing the relevant libraries on all servers. So he _lied_ to the team for years that they have a feature that they didn't actually have.

And not only I can see all three happening with security too, I've _seen_ it happen with security features too.

4. Some PHB will figure out that it's not really an "enterprise" drive unless it has the organization's logo on it. In fact, that that's what makes anything properly enterprise.

Some frustrated users that have been on the shit end of #3 too often, will begin just printing and gluing makeshift logos to their own USB sticks, rather than put up with Mordac The Preventer Of IT Services again. Noone will be any wiser.

Etc.

Re:Accuracy of Story?

[sepluv]

My bad. It says "after recalling the thumb drives used by workers. Most of those had been purchased independently by the employees, causing myriad problems for security personnel, Main said. The new policy requires workers to use the drives supplied by the agency. Main said he eventually plans to destroy all existing thumb drives collected as part of the security policy change." Although, I think from this and following comments like "The general perception is no one will report a lost USB memory stick because they're so cheap" there is an implication (although it isn't explicit at all) that the drives were bought with public money and used for public work.

Once again, I don't think there is too much to complain about here. It shocks me how many employers (even in sensitive areas like government departments and law firms) have PCs that will even, by default, run software or an operating system from a USB drive. According to TFA, in this case "sensitive data transported by off-site workers include[d client's] tax documents, employer records, criminal histories and federal passport data" and commonly "the names, dates of birth and Social Security numbers of children".

Of course, in opposition to what the article says, I think education about data protection legislation and issues is more important than attempting to physically constrain employees (which is ultimately impossible), although both may have their place.

Re:What a waste

[jlarocco]

I'm also annoyed (as I always am with things like this) that they are going to destroy the drives as opposed to Zeroing them out and selling them second hand.

Two things to consider:

• By the time most government hardware gets destroyed, it's already obsolete. My guess is most of the drives they're destroying are well under a gig. Who would buy a used 256 MB flash drive?
• Destroying the drives is harder to fuck up. I don't know what information they're storing about people, but I'd rather it not be accidently released. It's pretty easy to see which drive hasn't been smashed to bits with a hammer, not so much which drive has been properly zeroed and formatted.

Somebody has woken up to to personal privacy

[AlecC]

Given the casual way in which UK goverement employees, both civil and military, have been treating confidential information, I am glad that a department with seriously confidential information is taking the security of portable storage media seriously. Obviously, if the media were personally ppurchased and used in good faith, the owners of the media must be compensated. But, as previously suggested, these were probably privately purchased and then refunded as expenses, to the belong to the emplyer already.

As to destroying them... Put this in proportion: 150 devices, at perhaps $30 apiece if they wern't bought yesterday: about $4500. On the otyher side, when the UK government lost 2 CDs with large amounts of personal information, the mailshot warning the people whose personal and banking information had been misplaced cost $6,000,000. With cost ratios of this magnitude, the precautionary principle applies. Yes, you could wipe them, and they probably wouldn't leak info. But the cost if they did is so high that the tiny loss involved in destruction is irrelevant.

So I applaud a government department for finally taking privacy seriously. The cost arises becasue they didn't do so before, and is small. The cost for all the other departments who have not yet got it is increasing every day.

Re:You can have my USB key

[Tyndmyr]

Having spent quite a few years working for the US government, I assure you, they were either reimbursed for them if they were officially permitted, or warned against using them. It's not uncommon to sign a waiver giving them permission to confiscate storage media if you store sensitive stuff on it, and personally, Im rather glad to see them being responsible with information that could pose a major privacy threat.

Re:Misleading Summary leads to Misleading Tags

[keirre23hu]

Oh, I don't know, maybe erasing the drives makes sense because they contain case files and such?

The replacement drives might support encryption, which is a normal 'corporate' feature. Your sarcasm is duly noted and definitely misdirected - my point is that the state has the right to do what they please with their hardware. If they decide to erase the drives because they have purchased better equipment, that is their prerogative. Unfortunately the summary leads one to believe that the state gov't is saying, "you used your personal thumbdrive for work, so bring it in and we'll erase it" when actually, what appears to have happened is that they (stupidly/cheaply) purchased non-enterprise drives for enterprise purposes, then figured it out sometime later and decided to "fix" the problem - not really a big story... but like I said.. this is slashdot, where too many people believe in the process of "ready, fire, aim"

when it comes to commenting or responding... comprehension is not necessary.

The use of the word "personal" was obviously targetted at getting a rise out of the non-RTFA crowd, as the article itself never terms the drives - "personal drives". They called them "nonapproved thumb drives". We recently discussed "secure" thumb drives and I hope they arent wasting their (taxpayers') money on the version of the Cruzer reviewed in the article.

Re:Misleading Summary leads to Misleading Tags

[CTachyon]

Now some geniuses have tagged it privacy - what does the state erasing a thumb drive it owns have to do with privacy?

RTFA. The reason the state is issuing these new fancy-schmancy thumb drives is that the new ones (claim to) have 256-bit AES encryption and (claim to) self-destruct after 10 consecutive wrong passwords. They're doing this whole switch because of privacy, because the thumb drives contain the private, personal case files of hundreds/thousands of citizens.