Slashdot Mirror


Worm Attack Prompts DoD To Ban Use of External Media

An anonymous reader writes "The Pentagon has suffered from a cyber attack so alarming that it has taken the unprecedented step of banning the use of external hardware devices, such as flash drives and DVDs [...] The attack came in the form of a global virus or worm that is spreading rapidly throughout a number of military networks."

61 of 295 comments

  1. heh by Anonymous Coward · · Score: 2, Funny

    be careful where you stick in the USB stick.. :)

  2. This isn't alarming... by Hahnsoo · · Score: 4, Insightful

    This sounds like common sense. Seriously. Several years ago, a military bud of mine said that the worst threat to their security is the USB flash drive.

    1. Re:This isn't alarming... by ShieldW0lf · · Score: 2, Interesting

      That's all well and good, but it's not going to stop grunts from using them to look at porn in the field. If I was going to do a cyber attack on the DoD, I'd be leaving virus infected DVDs full of porn lying around in occupied areas. You're pretty much guaranteed that it'll get passed from person to person.

      --
      -1 Uncomfortable Truth
    2. Re:This isn't alarming... by Creepy+Crawler · · Score: 4, Informative

      It needs to be said:

      In Linux, one can remove exec permissions from a whole device via the noexec switch in /etc/fstab.

    3. Re:This isn't alarming... by mrjohnson · · Score: 3, Informative

      It is.

      But then the network is also so locked down that often times that's the only way to transfer large files. There are shared network drives in the States but they're paltry and always 100% used by some officer's powerpoint presentation and his 2 hour home video.

      When my unit was deploying to Iraq I gave all of my guys 2g thumb drives loaded with the data that the company needed. They attached it to their dog tag chain and I had them swear up and down to wear it at all times.

      There was simply no other way provided.

    4. Re:This isn't alarming... by Creepy+Crawler · · Score: 4, Informative

      ---There is no technological defense against PEBKAC.

      You are absolutely wrong. If a system is designed properly, or set up properly, the user cannot wreak havoc on a system or the network.

      In Windows, there are many ways to do X behavior that changes the system. Therefore, Windows is hard to secure properly. It is possible, only by globally applying over-secure regedits that disable even basic functionality. Instead, I propose Linux as a good starting point.

      PEBKAC, at least in the business setting can be effectively eliminated by the use of simply being unable to even execute the programs.
      Games? Not on the HD.
      Web browser? If you need it, you'll be in the webbrowser group.
      Some document program? Does your job require documents? If it does, you'll have that.
      Are you a developer for 3d stuff? If so, you get DRI rights. If not, no permission. Can Windows restrict access to the 3d device?

      My question is why do you grant rights to users when they do not justify those rights? We need to provide granular access so that the user is limited in what they do and act only in prescribed ways.

      As for that, the only way users can then screw things up is if they do not back up their user files, which you should already have thought of. A morning rsync of the /home (which should be mounted from the server) should take care of basic backup issues. Then it turns to your problem of access to the backups (which could be automated also). It really is a game of admin vs user, and you must outsmart stupidity. You do that by providing 1 way as the only way.

      ---Something about "internet license"

      Meh. You do that by providing a punishment via the lines of willful negligence. If one does not provide basic security to prevent infection/takeover or notices and takes no heed, one is guilty and owes a fine to the party harmed. In the course of a botnet, that would be the proportion of bandwidth they used (based upon the actions of the takeover tool).

      Simply put: use the laws we already have now, and not some new, easy-to-corrupt license.

    5. Re:This isn't alarming... by CaptainDefragged · · Score: 3, Informative

      You can with Windows as well.

      --
      Don't tailgate - the end is near!
    6. Re:This isn't alarming... by Creepy+Crawler · · Score: 5, Interesting

      Why is everything in Windows managed by tools that do not come with the default installation?

      I can perfectly manage a Linux installation without 3rd party or "optional" tools found on some website. Windows requires X tools that provide basic functionality on their site, and not default on the CD.

      I hate that.

    7. Re:This isn't alarming... by BoT_Bizarro · · Score: 2, Interesting

      Yeah, what's more alarming is that the military is several years behind on their operating systems, such as running Windows 2000. They are even severely behind on applying patches to these machines as well, because of the amount of testing they require to patch a machine. So the rule of thumb: To infect the military, use an outdated attack and it will probably succeed.

    8. Re:This isn't alarming... by PitaBred · · Score: 2, Insightful

      Which just goes to show you that Windows should never be let on the Internet, or use removable media of any sort.

    9. Re:This isn't alarming... by cheater512 · · Score: 2, Informative

      No, that's what the admins at my old school thought too.

      It only means explorer can't execute anything from there.
      Any other program can in fact still execute programs.

      For example a single line of vbscript in a word document works rather well. :)

      noexec on Linux prevents any execution at all.

    10. Re:This isn't alarming... by Hmmm2000 · · Score: 2, Informative

      That is not much protection at all .. you just need to copy the executable from the USB drive to a local drive and then execute it there.

    11. Re:This isn't alarming... by Anonymous Coward · · Score: 5, Funny

      Why is everything in Windows managed by tools that do not come with the default installation

      We prefer to be called administrators you insensitive clod.

    12. Re:This isn't alarming... by Wodin · · Score: 2, Informative

      PEBKAC, at least in the business setting can be effectively eliminated by the use of simply being unable to even execute the programs.

      You can make it harder to execute something, but even on filesystems that are mounted noexec, you can still run shell scripts with:

      $ sh /path/to/script

      or binaries with:

      $ /lib/ld-linux.so.2 /path/to/binary

      So while mounting filesystems noexec (and nodev etc.) is a good idea if they don't need to contain executables, it will not stop a determined idiot from running something on that filesystem :)

      --
      -- Wodin
    13. Re:This isn't alarming... by waffle+zero · · Score: 2, Informative

      You can still execute any binary by loading it with ld-linux.so, the dynamic loader.

      I.E.

      /lib/ld-linux.so.2 SOME_EVIL_BINARY
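
An added example, not part of any comment in this thread: a Python audit that reads a mount table in `/proc/mounts` format and reports removable-media mounts missing `noexec`, `nodev` or `nosuid`, the options discussed in the replies above. The mount-point prefixes and the sample table are assumptions constructed for the illustration.

```python
import os
import re

# Options the thread recommends for filesystems that need not hold executables.
REQUIRED = ("noexec", "nodev", "nosuid")

# Assumption for this example: removable media are mounted under these prefixes.
REMOVABLE_PREFIXES = ("/media/", "/mnt/", "/run/media/")

# Constructed sample in /proc/mounts format (device, mount point, type, options, dump, pass).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,noexec,uid=1000 0 0
/dev/sdc1 /media/usb1 vfat rw,relatime,uid=1000 0 0
/dev/sr0 /media/cdrom\\040drive iso9660 ro,nosuid,nodev 0 0
"""


def unescape(field):
    """Decode the octal escapes (\\040 for space, etc.) used in /proc/mounts fields."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return a list of (mount_point, set_of_options) from a /proc/mounts style table."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mount_point = unescape(fields[1])
        options = set(fields[3].split(","))
        entries.append((mount_point, options))
    return entries


def audit(text, prefixes=REMOVABLE_PREFIXES):
    """Return [(mount_point, [missing options])] for removable mounts lacking hardening."""
    findings = []
    for mount_point, options in parse_mounts(text):
        if not mount_point.startswith(prefixes):
            continue
        missing = [opt for opt in REQUIRED if opt not in options]
        if missing:
            findings.append((mount_point, missing))
    return findings


if __name__ == "__main__":
    # Use the live table when available, otherwise the constructed sample.
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as fh:
            table = fh.read()
    else:
        table = SAMPLE_MOUNTS
    for mount_point, missing in audit(table):
        print(f"{mount_point}: missing {','.join(missing)}")
```

As the replies above point out, `noexec` does not stop an interpreter from reading a script off the mount, so a clean report here covers one layer only.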

  3. In Soviet Russia... by markov_chain · · Score: 5, Funny
    --
    Tsunami -- You can't bring a good wave down!
  4. Auto-infect by robo_mojo · · Score: 4, Insightful

    Sounds like someone forgot to disable auto-run.

    1. Re:Auto-infect by Nerdfest · · Score: 3, Insightful

      It's quite sad that you need to with most (all?) versions of Windows. This should be the default state, especially with viruses coming right from the factories in digital picture frames, etc.

    2. Re:Auto-infect by supernova_hq · · Score: 2, Interesting

      While I agree with you (I disable it on ALL my systems), just imagine Joe Bob phoning Blizzard bitching that nothing happened when he put the CD in the drive!

      But then again, I also believe that banking sites should authenticate to YOUR private key, that credit cards should have rolling pins and that it should be illegal to run Windows on anything that handles security or financial information...

      While all these ideas seem sane, practical and necessary to me, the average person would become irate when they find out they can't just use the last 4 numbers of their phone number for their Windows machine, bank pin, corporate login system and the key to their child's soul!

    3. Re:Auto-infect by Dr_Barnowl · · Score: 4, Funny

      credit cards should have rolling pins

      For a moment I pictured a credit card making pastry.

  5. Re:They're just ignoring the real problem by idiotwithastick · · Score: 5, Insightful

    Do you honestly think that foreign intelligence agencies won't write Linux or Macintosh viruses if it would get them into the DoD network? The OS might be part of the problem, but users are the much bigger one.

  6. The obvious solution by DesScorp · · Score: 4, Insightful

    Chuck Windows, and adopt Unix. I realize there are some possible implications of using Linux because of the GPL, but then use BSD. There are bright Comp Sci guys in the military and DOD. Customize a military Unix, and use it throughout all the services. In fact, I think it's long past time DOD did this. With the computerization of everything from planes to ships, now's a smart time to do it. There's no way Windows should be running a ship of war.

    --
    Life is hard, and the world is cruel
    1. Re:The obvious solution by ZackZero · · Score: 2, Insightful

      Disclaimer: IAAS (I Am A Sailor)

      Windows does NOT run a ship of war; I cannot say exactly what operating systems are used on the critical components (i.e. NOT shipboard LAN) but can say that they are a derivative of Unix. They are always kept in secured spaces and cannot simply be infected with a worm or virus. They're not even connected to the Internet.

      The issue affects workstations kept on-land, and is likely covering those that are marked unclassified. Those are the ones running Windows - and I'll say it now, DoD should've gotten a contract with Apple.

    2. Re:The obvious solution by SubmersibleJester · · Score: 2, Informative

      Windows doesn't run a ship of war. Some flavor of Unix (Solaris, HP-UX) or Linux (custom or RedHat) are used for all Command and Control computers. Windows is just used for office work and such. So logistics and paperwork are suffering, but that's it.

    3. Re:The obvious solution by Naturalis+Philosopho · · Score: 2, Funny

      Oh, just logistics... I feel much better now. ;)

    4. Re:The obvious solution by link-error · · Score: 2, Insightful

      You mean like the version developed by the NSA? http://en.wikipedia.org/wiki/Selinux

      --
      -Unresolved symbol? Byte me!
    5. Re:The obvious solution by Bobb+Sledd · · Score: 2, Insightful

      You don't understand the scope of what you're suggesting.

      Let's take just one job -- a DoD web developer for example. You have an internally secure web site used for data collection that (we'll say) runs on IIS, PHP, MSSQL and is developed using an IDE such as DreamWeaver (and probably PS is involved too), and is developed specifically for the DoD version of Internet Explorer. It's already been run through testing and received certification for security and all.

      To move to a non-Windows based platform, you have to ditch your web server, ditch the MSSQL server, (and when moving to the new platform ensure that your PHP environment works the same), and run through all your PHP code to make sure it can connect to whatever SQL database you replace it with (No, MSSQL is not necessarily the same syntax). Then, if the site used any JavaScript (or anything else that is IE-only), you have to re-validate it for that new browser. THEN it can be submitted again for security testing and certification (which all this time, the site is brought down while you wait several months for them to get around to testing). And you may have to re-train your developer on new tools on a new platform for programming on yet another new platform.

      This is just ONE type of job to re-tool for. I'd say it's pretty infeasible.

      Now, original platform choice mistakes aside (that you had no control over), I know you're going to say, "well you should have programmed your pages so they could easily be switched to another platform!" or "well, who in their right mind would program for IE only?" But that's just the way the system was made by the guy before you. You can complain all you want, but it's still a lot of work you'd be imposing.

      Oh and by the way? Each system is usually owned by different department and has to be certified independently (expensive and time-consuming). Web server is owned by one tech group. DB server is owned by another. Web Developer is yet another department. And no one talks to each other well.

      --
      "They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
    6. Re:The obvious solution by ZackZero · · Score: 2, Insightful

      When I said "Windows does NOT run a ship of war", I referred to active ships. The USS Yorktown (CG 48) was decommissioned, and therefore is no longer an active ship of war. We evolved past using NT4.0.

  7. Better ban email too by Synn · · Score: 2, Insightful

    Because a virus can come from there as well. Along with web access, usenet access, ftp access.... might just as well unplug the network cable just to be safe.

    Or they could install an OS that wasn't insecure by design.

  8. Warfare without Clippy? by robinsonne · · Score: 5, Funny

    It looks like you're trying to blow up that building. Would you like to use:

    1)Grenade
    2)An RPG
    3)Airstrike

    1. Re:Warfare without Clippy? by haystor · · Score: 5, Funny

      4)Windows

      --
      t
    2. Re:Warfare without Clippy? by DarthJohn · · Score: 4, Funny

      5) Banana Bomb
      6) Super Sheep
      7) Holy Hand-Grenade

  9. commercial malware? by bl8n8r · · Score: 2, Funny

    ftfa: "Due to the presence of commercial malware.."
    So.. this was malware someone purchased?

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
    1. Re:commercial malware? by supernova_hq · · Score: 2, Funny

      Until Windows is free, yes it is commercial malware.

  10. An actual case where Linux solved this problem by TheModelEskimo · · Score: 5, Informative

    Dave Richards, the administrator of the Largo, Florida computer network, came up against this problem. He made the system mount USB disks as FTP shares, and made the file browser hide any executable files on the share so they couldn't be transferred. http://davelargo.blogspot.com/2008/02/hp-thin-clients-and-usb-access-for.html

    I'm not surprised the DoD just completely shut the door on these things, but I think that for most admins, a solution like Dave's would be a really good compromise.

  11. ./configure by robo_mojo · · Score: 5, Funny

    make war

    1. Re:./configure by supernova_hq · · Score: 2, Funny

      Loading deprecated library: Democracy Exporter

    2. Re:./configure by jmyers · · Score: 2, Funny

      # make clean
      # ./configure --force
      # make war
      # make install
      boom copied to /usr/local/bin
      please edit /usr/local/etc/war.conf and set COUNTRY
      #

    3. Re:./configure by svank · · Score: 2, Funny

      make war

      make[3]: *** [war] Error 1 make[3]: make love not war

      [sam@Hector ~]$ make love
      make: *** No rule to make target `love'. Falling back to 'war'.
      [sam@Hector ~]$

    4. Re:./configure by genner · · Score: 3, Funny

      # make clean
      # ./configure --force
      # make war
      # make install
      boom copied to /usr/local/bin
      please edit /usr/local/etc/war.conf and set COUNTRY
      #

      vi /usr/local/etc/war.conf
      COUNTRY="TERROR"
      :w
      :q
      /bin/war
      Starting war on TERROR...
      Error: TERROR is not a valid COUNTRY.

  12. The debilitating virus is Windows! by David+Gerard · · Score: 5, Funny

    Yesterday, a terrorist attack on the NHS brought three London hospitals to a halt.

    The terrorists, representing an organisation calling itself "Microsoft," apparently used insecure third-party contractors to put a virus-running platform called "Windows" into critical systems in the hospitals, in order to extort money from them on an annual basis.

    It is understood that a large percentage of all businesses are infected with the virus, wasting up to 25% of employees' working time and opening the companies to further attacks from related criminal organisations demanding to see all their licenses.

    The virus in question, W32.SHILL/ZDNET, takes over the host's IT systems, leading to aches, pains, nausea, vomiting, pumping out prodigious quantities of faeces and a terrible compulsion to spread the infection to others. The patient also walks with a shuddering stumble and asks for their hospital meal to include tasty, tasty brains. Recovery has commenced when they have an overwhelming urge to throw their computer out of the window. "Getting this stuff out of the system makes MRSA look like a walk in the park," said one cleaner, waving his shit-encrusted hands about for emphasis.

    When the infection became known, ambulances were diverted to other hospitals. "We have maintained a safe environment for our patients throughout the incident," said a spokesman for Barts NHS Trust, "keeping them in the Clostridium difficile culturing lab rather than risking exposing them to 'Windows.'"

    --
    http://rocknerd.co.uk
  13. We had this problem... by RulerOf · · Score: 3, Informative

    Only it was with people bringing in docx files and expecting to use them with OpenOffice and blaming the IT department when it wouldn't work. So I followed some guides and wrote a script, threw it up in a GPO and now only Admins can use USB storage.

    The procedure is a HUGE pain in the ass (you need to modify ACL's on registry keys and the whole 9 to cover all angles) but scripted it was as simple as "USBStorage.exe </enable|/disable>" in a logon script.

    I think it took all of two hours.

    --
    Boot Windows, Linux, and ESX over the network for free.
  14. Skynet by GottliebPins · · Score: 2, Funny

    Skynet became self-aware at 2:14am EDT. By the time Skynet became self-aware, it had spread into millions of computer servers across the planet. Ordinary computers in office buildings, dorm rooms, everywhere. It was software in cyberspace. There was no system core. It could not be shut down.

    1. Re:Skynet by psnyder · · Score: 3, Funny

      The pieces are finally starting to come together...

      • Skynet was first introduced in a film starring Arnold Schwarzenegger.
      • Arnold Schwarzenegger was born on July 30th.
      • On July 30th, 2007 (10 years after Skynet became aware), CrunchGear runs an article about MojoPac, a program that "Puts Your Desktop On A USB Drive". The very type of interface the DoD now sees as a threat. In the article they state that when you use MojoPac, "...the host computer is oblivious to anything going on."
      • Foxnews reported the DoD attack on November 20th, 2008. On the same day, the music news magazine, named "Mojo" (following suit with the "MojoPac" software name), ran a snippet saying, "Gun's and Roses are currently previewing all the tracks from Chinese Democracy via their MySpace page." MySpace is an obvious front for Skynet to keep tabs on the younger generations that may pose a threat in the future.
      • However, the Mojo article about "Chinese Democracy" was Skynet's way of mocking us in an ironic way that only Skynet finds funny. You see, Arnold Schwarzenegger visited China meeting with "700 Special Olympics athletes ... to focus world attention on the Special Olympics World Summer Games ... held in Shanghai in 2007." Here we see 2007 again, representing the 10 year anniversary of Skynet's sentience, along with Arnold, the celebrity that announced its existence.

      It's all so clear now.

  15. When you put something in a locked box by Ungrounded+Lightning · · Score: 3, Insightful

    Do you honestly think that foreign intelligence agencies won't write Linux or Macintosh viruses if it would get them into the DoD network?

    When you try to protect a secret by putting it in a locked box, do you put it in a steel box with a good combination lock? Or do you put it in a cheap transparent plastic box with a lock that can be picked by a safety pin and hundreds of holes and little doors that can be opened even more easily?

    Yes Linux, MacOS, and even OpenBSD aren't absolutely impregnable. But Windows has a decades long track record of holes (some unfixable) and a multibillion dollar malware industry built on exploiting them. The fewer holes you start with the easier it is to close them.

    Essentially ANY military function is a security issue. For a person with any level of IT expertise to put such functions on Windows platforms is, IMHO, either a level of incompetence suitable for dishonorable discharge or of malice meeting the definition of treason.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:When you put something in a locked box by Ungrounded+Lightning · · Score: 2, Insightful

      Do you actually think the DOD only uses windows?

      Of course not.

      But I think that the machines affected by THIS WORM use Windows.

      Do you know of any "commercial malware" worms that self-spread on any other OS?

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  16. Re:Windows.... by Jamie's+Nightmare · · Score: 3, Interesting

    Get real. Security all comes down to the person whose task it is to implement it. Running Unix (or any compatible rip off) only gives you an additional layer of security through obscurity. Sorry fanboys, it's true. It's not an end-all solution, and you would still need someone to take the time to plan for any possible security breach. Obviously, that includes any media (CDs, FlashDrives, Floppies) attached to the system. This isn't the first military fuckup, now you want to blame Microsoft instead of the brass simply because you think it's a chance to expand your following. Please.

    --
    "When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
  17. Re:Not News by Ungrounded+Lightning · · Score: 3, Interesting

    Intelligence agencies did it to eliminate data paths out of the agency. DoD is doing it to eliminate malware paths into and within the agency.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  18. The V.A. is ahead of DOD by 602 · · Score: 2, Interesting

    The V.A.--at least the healthcare part of it-- banned these months ago to prevent data from wandering away..

  19. Re:They're just ignoring the real problem by diegocgteleline.es · · Score: 4, Interesting

    There's no way you can automatically run code on a Linux computer by inserting a USB flash drive. It's just not possible. Those viruses happen only because of Yet Another Windows Design Mistake - autorun.inf files that run executables.

    This has been a problem for years. Make a program that deletes all the files in a system. Put it into a CD along with a autorun.inf file. Burn the CD, don't write anything on it, and leave it near the office of someone you hate. At some point the guy will insert the CD just to check what's there. Boom. The virus will run automatically as soon as the CD is inserted.

    And there're more possibilities, like making a virus executable have a carpet icon. Since Windows hides extensions by default, people will double click the virus because they will think it's a carpet.

    These things can't happen in Linux (well, not really true, they can happen thanks to the shitty .desktop files that get "interpreted" by file managers even if they don't have execution +x permissions)

  20. It's not intuitive how to disable AutoRun by WD · · Score: 5, Informative

    Forgot to disable AutoRun, perhaps. But actually, it's quite non-intuitive how to disable AutoRun in Microsoft Windows. There are several options, and none of them (and even all of them combined) will disable AutoRun and AutoPlay features in their entirety. In fact, up until recently, Windows Vista had the logic reversed for one of the AutoRun features! i.e., if you take the effort to disable the AutoRun feature, you actually put yourself at more risk. More details here:
    http://www.kb.cert.org/vuls/id/889747

    But luckily, there is a single registry value that can disable AutoRun at its core. Once this change is made, Windows will not interpret the Autorun.inf file on any device, effectively disabling AutoRun for all devices, including USB drives, network shares, and more. Get the scoop here:
    http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html

    1. Re:It's not intuitive how to disable AutoRun by whoever57 · · Score: 2, Interesting

      Forgot to disable AutoRun, perhaps. But actually, it's quite non-intuitive how to disable AutoRun in Microsoft Windows.

      And then, after disabling Autorun, iTunes whines at you about it.

      --
      The real "Libtards" are the Libertarians!
    2. Re:It's not intuitive how to disable AutoRun by mysidia · · Score: 2, Informative

      Last I checked if you disable the "Shell Hardware Detection" service, you're pretty good, and who in their right mind wants to run an extra service to support autorun, if autorun isn't being allowed in your environment?

      It also makes sense to turn off all autoplay and autorun options (to be thorough), and turn on the security option "Restrict CD-ROM access to locally logged on user."

      These are very simple precautions that the most basic of security planning would entail.

      Don't deploy platforms you don't understand.

  21. DoD needs a security nazi ( soup nazi style ) by unix_geek_512 · · Score: 2, Funny

    DoD needs a security nazi ( soup nazi style ).

    Since I am the 2nd most paranoid person on earth I hereby nominate myself.

    Semper Fi, carry on.

  22. Re:They're just ignoring the real problem by diegocgteleline.es · · Score: 4, Funny

    D'oh, where I wrote "carpet" I obviously wanted to say "folder". "Folder" is translated to Spanish as "carpeta", and I always confuse them.

  23. Insider perspective... by soulsteal · · Score: 2

    I work as an IT contractor for the USAF and what it boils down to is muddied interpretations and lack of discipline. They already have regulations stating what you can and cannot do with data coming in and out of the work place. No, you're not allowed to bring a floppy in from home. No, you're not allowed to take a government floppy home with you. The same regulations should, by default, extend to CD/DVD/USB/any and all media but since they're not specifically written that way, people could quote the AFI back and say it was allowed. This new ban is merely a clarification to close the loophole.

    Did they swat a fly with a nuclear bomb? Sure.
    Has it worked? So far.

    1. Re:Insider perspective... by jdoverholt · · Score: 2, Informative

      As an end user in the USAF I'd like to offer a bit more perspective on how exactly this filtered down.

      The official policy, as it has been preached to us for quite awhile, is that you're not allowed to use personally-owned removable media. If the government issues you a thumb drive, you're good to use it all over the place, so long as you scan it for viruses before accessing on a government PC. This latest policy change had a bit of wording that struck me as... well, dumb.

      Starting this week, upon logon we all get yet-another-popup informing us of the change. Basically it's stating that any flash-based media are explicitly forbidden, government-issued or otherwise, regardless of form factor; while portable hard drives are still okay under certain circumstances. Writable optical media must be virus-scanned once after burning before they can be used legally, hard drives must be scanned every time before use.

      This almost makes sense to me, except the odd bias against flash-based media. I can understand the caution with thumbdrives, uSD cards and the like, with all the careless data loss we've all read about, but the way it's worded makes it sound like they're blaming the underlying technology. My thumbdrive is no longer okay, but my iPod 5G is golden so long as I scan for viruses before accessing it. What? Seriously? What if I get a 3.5" SSD and stick it in a USB enclosure?

      Maybe I'm just disgruntled about the policies that come down without any kind of justification or rationale whatsoever. It feels to we lowly bottom-dwellers like they're written by a committee of people who don't understand any of what they're legislating.

      Also, to be fair, this move isn't entirely reactionary... I've heard rumblings for years about pending hard restrictions on USB devices. A few weeks ago we were briefed about some kind of automated encryption process that will be blanket applied to any USB mass storage device—to protect the data in case of loss. Couldn't squeeze any technical details out about that one though, it sounds like an exciting boondoggle coming down the pike.

      Disclaimer: My views are in no way aligned with those of the US Government, my employer, and should not be taken as an official statement. I'm just whining.

  24. Bingo! by snspdaarf · · Score: 2, Interesting

    Get real. Security all comes down to the person whose task it is to implement it.

    Years ago, I was on a DoD facility where scheduling was being done on a UNIX box. Everyone there used the console for their work, everyone used the root account to do their work, and the password was written in on the first page of the book marked "Procedures" that was beside the console.

    --
    Why, without your clothes, you're naked, Miss Dudley!
  25. Re:try this.. by Cajun+Hell · · Score: 5, Funny

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] "NoDriveTypeAutoRun"=dword:000000ff

    That's the whole problem with you Linux dorks! People shouldn't have to get down to that level and do such obscure things, just to be able to safely use their computer. And what you don't understand is that most people just plain won't do it! Your post is exactly why Linux will never be ready for the desktop!

    --
    "Believe me!" -- Donald Trump
  26. You CAN do it in Windows with the built in tools by Anonymous Coward · · Score: 2, Informative

    With the built in Windows tools you can disable the use of USB thumb drives while still allowing USB keyboards and etc. You just have to know how to use Group Policy and a small handful of Registry settings.

    In Windows XP you simply go into RegEdit and go to this registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control

    Next, make a new key called StorageDevicePolicies. In there make a DWORD called WriteProtect and give it a value of 1. Now you can allow people USB keys but they can't write to them. Want to disable reading as well? Just add the appropriate DWORD.

    For a non-built in method I hear good things from a friend that has used this in the past.

    Why do I have the feeling this could be easily Google'd?

  27. Re:You CAN do it in Windows with the built in tool by Chr0nik · · Score: 3, Informative

    It's actually quite a bit easier to do than that. Just disable usbstor.sys with GPO. Done. Keyboards still work. Mice still work. Just mass storage devices.

    And whoever said you can't prevent execute on Windows systems is ignorant. You've been able to deny "Read & Execute" via NTFS permissions since NT 3. Note: Read is a separate right. Since you have to be able to read it to execute it, it's just included in the permission description. Semantics.

    Here's something that may help you understand it. It's not that complicated. In reading the doc it will talk about share permissions and individual permissions, group permissions, and NTFS permissions all separately, and what wins in what scenario, and will talk about scenarios that no administrator that is worth his salt would ever implement. When done correctly it's actually very simple. However it does have the flexibility to be as complex as one needs it to be. http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html

    So there.

    --


    ... what did you expect, something profound?
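
An added example, not part of any comment in this thread: a Python check that reads a `.reg` export and reports the three Windows settings the comments above mention, `NoDriveTypeAutoRun`, `StorageDevicePolicies\WriteProtect` and the usbstor driver. The sample export is constructed; the `Services\USBSTOR` key and its `Start` value (4 means disabled) are not named in the thread and are the standard service-start setting for that driver.

```python
import re

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
# Either 0x01 or 0x80 covers drives of unknown type.
AUTORUN_BITS = [
    (0x81, "unknown"),
    (0x04, "removable"),
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "CD-ROM"),
    (0x40, "RAM disk"),
]

# Registry paths are case-insensitive, so they are compared in lower case.
EXPLORER = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
STORAGE = r"hkey_local_machine\system\currentcontrolset\control\storagedevicepolicies"
USBSTOR = r"hkey_local_machine\system\currentcontrolset\services\usbstor"

# Constructed sample export: AutoRun partly disabled, USB storage writable-off, driver enabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
"""


def parse_reg_dwords(text):
    """Return {(key, value_name): int} for every dword value in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1).lower()
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(text):
    """Summarise removable-media hardening found in a .reg export."""
    v = parse_reg_dwords(text)
    mask = v.get((EXPLORER, "nodrivetypeautorun"))
    if mask is None:
        still_enabled = None  # value absent: the OS default applies
    else:
        still_enabled = [name for bits, name in AUTORUN_BITS if not mask & bits]
    return {
        "autorun_enabled_for": still_enabled,
        "usb_write_protect": v.get((STORAGE, "writeprotect")) == 1,
        "usbstor_disabled": v.get((USBSTOR, "start")) == 4,
    }


if __name__ == "__main__":
    for setting, state in audit(SAMPLE_REG).items():
        print(f"{setting}: {state}")
```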