Slashdot Mirror


IBM Bans Staff From Using Removable Storage Devices (theregister.co.uk)

An anonymous reader shares a report: In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company "is expanding the practise of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive)." The advisory stated some pockets of IBM have had this policy for a while, but "over the next few weeks we are implementing this policy worldwide." Big Blue's doing this because "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised." IBMers are advised to use Big Blue's preferred sync 'n' share service to move data around.

167 comments

  1. Not to worry by Anonymous Coward · · Score: 1

    No one under 40 does anyway!

    1. Re:Not to worry by hey! · · Score: 4, Funny

      You're supposed to use IBM Cloud Services to leak data.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Lost Productivity by zmaragdus · · Score: 4, Interesting

    But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself? My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!

    --
    (((dB)))
    1. Re:Lost Productivity by PA23 · · Score: 4, Interesting

      My company does similar. When we insert a USB thumb drive the system will prompt you to encrypt the drive, the encryption locks it to your machine only. If you say "Don't encrypt" then you are limited to Read only on the device, this is so we can download data from a client.

      At least our company has a procedure for obtaining an exception to the encrypted usb drive rule if you can justify it.

    2. Re:Lost Productivity by HornWumpus · · Score: 0

      If they did _exactly_ the same thing, they just told you that you need a brand new spectrum analyzer, I'm sure they're cheap.

      You'll just have to 'sit ass', watch TV and scratch balls till the new instrument arrives.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    3. Re:Lost Productivity by HornWumpus · · Score: 1

      What happens when you insert a device that tells the system it's a keyboard?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re:Lost Productivity by Anonymous Coward · · Score: 2, Interesting

      Just use your phone as the USB drive. I work for a fortune 500 that uses the exact same technology and after asking one of the security analysts how it works, I quickly realized it would not recognize my phone as a removable storage device (it works based off the driver ID's used to interface with the device and thumb drives use a different driver than phones do.) I'm able to transfer files freely to my phone without issue.

    5. Re:Lost Productivity by Junta · · Score: 1

      Of course, that same distinction between usb mass storage devices and mtp/ptp protocol phone also means it can't generally be used as a boot device.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    6. Re:Lost Productivity by Mr+D+from+63 · · Score: 2

      It's becoming more common. The last company I worked for and the company I work for now are both moving in this direction. However, you can get 'approved' usb devices if you can show the need and establish required controls.

    7. Re:Lost Productivity by Anonymous Coward · · Score: 1

      I hope you posted this from the office so I can check the proxy logs and hunt you down

    8. Re:Lost Productivity by supremebob · · Score: 4, Insightful

      IBM is way too cheap for that... they would make him apply for a one off security exception to use a thumb drive explicitly with his old ass spectrum analyzer.

      He would still get to sit on his ass for two weeks while it got the necessary management approvals, though, and another week while IT figured out a way to circumvent their new security lockdown software without triggering nasty warning e-mails to his manager.

      But don't worry, those changes will magically disappear during the next software update, and he'll have to explain this to his NEW manager a few months down the road. Assuming that they don't just outsource the job to China first.

    9. Re:Lost Productivity by Anonymous Coward · · Score: 0

      When we insert a USB thumb drive the system will prompt you to encrypt the drive, the encryption locks it to your machine only.

      Wow. Marketing really will tell management anything they want to hear. (Emphasis added)

    10. Re:Lost Productivity by farble1670 · · Score: 0

      Just use your phone as the USB drive.

      I think the assumption is that employees aren't actively trying to thwart the company's efforts to improve security. If you can't follow basic and reasonable security procedures you shouldn't have a job. And I'm sure you won't in the not so distant future.

    11. Re:Lost Productivity by Joe_Dragon · · Score: 3, Informative

      windows GPO to force bit locker on usb mass storage

    12. Re:Lost Productivity by farble1670 · · Score: 1

      He would still get to sit on his ass for two weeks while it got the necessary management approvals

      He already said all he has to do is use his computer to transfer files. Great rant though.

    13. Re:Lost Productivity by gweihir · · Score: 1

      Anybody that wants to exfiltrate data can just take HD screenshots with a camera or use a frame-grabber modified to be undetectable (not hard to do on VGA). Anybody that does want to copy data for legitimate reasons is massively inconvenienced at the same time. A really stupid decision.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:Lost Productivity by kelemvor4 · · Score: 4, Insightful

      But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself? My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!

      We have had a similar policy to IBM's for a few years. A person who needs to use usb storage devices for things like you're talking about has to apply for security exceptions. Even if your employer grants a few thousand legitimate exceptions for stuff like this, they have still minimized risk by eliminating USB use by the other 200,000 employees. It does involve some overhead and time wasted when you first apply for your exception. In my opinion the benefit outweighs the drawback.

      It's a lot like changing a default security policy to DENY and only ALLOWing things you really want. Minor inconvenience in exchange for greatly improved security.

    15. Re:Lost Productivity by Darinbob · · Score: 1

      There are new-ass spectrum analyzers that know how to upload to IBM's cloud? We use external hard drives for a lot of things, since the network is amazingly slow, no way is the "cloud" going to be as convenient as "here, copy 4GB off this drive into /local directory". But maybe IBM is all office desk workers now and they don't really do technical work anymore?

    16. Re:Lost Productivity by kelemvor4 · · Score: 1

      What happens when you insert a device that tells the system it's a keyboard?

      Windows loads a keyboard driver instead of a USB mass storage driver and the device fails to function? Just guessing here.

    17. Re:Lost Productivity by zmaragdus · · Score: 2

      Tried it. Got denied. Forced to continue doing things that are textbook examples of security breaches waiting to happen.

      --
      (((dB)))
    18. Re:Lost Productivity by sexconker · · Score: 1

      That's not how any of this works.

      The hole here is that someone plugs in a "flash drive" that is actually a keyboard or flash drive + keyboard so people don't get suspicious.

    19. Re:Lost Productivity by MightyYar · · Score: 1

      There are new-ass spectrum analyzers that know how to upload to IBM's cloud?

      The oldest-ass spectrum analyzer we have still has GPIB-out. The newer ones have ethernet. Yeah, you can shuffle things with USB but that gets old really fast, depending on how repetitive the task is.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    20. Re:Lost Productivity by JackieBrown · · Score: 1

      When I worked at UHC, my company disabled read and write access to cell phones. In fact, the job I'm working at now does the same.

      I can charge my phone from the ports but can't access or write to my phone.

    21. Re:Lost Productivity by Baton+Rogue · · Score: 4, Informative

      Each USB device is identified independently of each other. If you plug in a USB keyboard that also has a USB port with a flash drive plugged in, the computer will see two different devices and only lock out the flash drive.

      If you are suggesting that someone can create a flash drive that the computer thinks is a keyboard, then the computer will not mount the drive to be written to since it knows that it cannot write data to a keyboard.

    22. Re:Lost Productivity by Anonymous Coward · · Score: 0

      " a spectrum analyzer (USB port only!)"

      It's probably not a spectrum analyzer then, maybe a toy from eBay?

      A spectrum analyzer has a GPIB and/or RS-232 ports, maybe a floppy drive.

      Does it have a N-type connector?

    23. Re:Lost Productivity by Bite+The+Pillow · · Score: 1

      I have a usb hard drive with its own encryption so it isn't locked to a device. It is the device. And if you plug in anything else, an alert goes to the appropriate people so you can be flogged.

      Your description sounds like it is intended for temporary backups, which is not the problem needing to be solved.

    24. Re:Lost Productivity by LinuxIsGarbage · · Score: 1

      But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself?

      My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!

      Our company blocks all USB flash drives except aegis secure key. These have a keypad on them so you have to enter a PIN to unlock the device at the hardware level before they can be used. Then they can be used in any OS or device. 10 wrong PIN entries and the drive is wiped. They are ludicrously expensive, but they don't get in the way too much, as you can unlock it, stick it in a client's laptop, then they can transfer files onto it, without them requiring special software.

    25. Re:Lost Productivity by tlhIngan · · Score: 1

      There are new-ass spectrum analyzers that know how to upload to IBM's cloud? We use external hard drives for a lot of things, since the network is amazingly slow, no way is the "cloud" going to be as convenient as "here, copy 4GB off this drive into /local directory". But maybe IBM is all office desk workers now and they don't really do technical work anymore?

      Depending on the spectrum analyzer, yes. A lot of higher end oscilloscopes, logic analyzers, spectrum analyzers, etc, run a version of Windows internally, and those should be able to run IBM's software.

      The lower end units won't, so either you use LXI and a network connection, or you do what everyone does and have security exceptions.

      It's like a firewall. you DENY by default, and ALLOW what you need. This policy is only a problem if security is so strict as to not allow exceptions.

      On the plus side, it also means no one at IBM can lose a hard drive full of personal information anymore.

    26. Re: Lost Productivity by Bing+Tsher+E · · Score: 1

      Maybe it only has a Zip drive. I am sure there was at least a short period of that kind of inanity at at least a few Instrument makers. I've seen Tektronix 'scopes that run in Windows 98.

    27. Re:Lost Productivity by rfengr · · Score: 1

      New ass spectrum analyzers have USB. Old ass spectrum analyzers have analog pen plotter outputs.

    28. Re:Lost Productivity by sexconker · · Score: 3, Informative

      This is a real attack vector that exists in the real world. Slashdot has covered this multiple times.

      Someone creates a device that looks like a flash drive.
      Internally, it is a keyboard, or a keyboard AND flash drive.
      When plugged in, even a "secured" system that blocks removable storage devices will typically allow other USB devices (such as keyboards).
      The OS will happily accept input from the thing as if it were a keyboard with keys pressed by a human, even though the key presses are all prerecorded payloads stored on the device.

      As such, the keyboard can go to town and do shit like:

      Windows Key
      cmd
      CTRL+SHIFT+Enter
      Left
      Enter
      del /f /s /q /*.*
      Enter

      Or just spit out and run any malware payload:
      Windows Key
      cmd
      CTRL+SHIFT+Enter
      Left
      Enter
      ECHO MalwarePayload > GetFukt.exe
      Enter
      GetFukt.exe
      Enter
      exit
      Enter
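
The device-class distinctions this thread argues about (mass storage versus an MTP/PTP phone versus a "flash drive" that enumerates as a keyboard) can be checked from the interface descriptors a device reports. The following is an added example, not part of any comment here or of any vendor's product; the device records, VID/PID values and the `evaluate` policy are constructed for illustration.

```python
from dataclasses import dataclass

# USB-IF base class codes as reported in bInterfaceClass.
CLASS_HID = 0x03
CLASS_STILL_IMAGE = 0x06      # PTP, and MTP on most phones
CLASS_MASS_STORAGE = 0x08
# (class, subclass, protocol) of a HID boot-protocol keyboard.
HID_BOOT_KEYBOARD = (0x03, 0x01, 0x01)

SEVERITY = {"allow": 0, "review": 1, "block": 2, "alert": 3}


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple  # of (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)


def evaluate(device, approved_keyboards):
    """Return (decision, reasons) for one newly attached device.

    Each interface is judged separately, since a single physical stick can
    expose several interfaces, and the worst finding becomes the decision.
    """
    classes = {iface[0] for iface in device.interfaces}
    has_storage = CLASS_MASS_STORAGE in classes
    has_mtp = CLASS_STILL_IMAGE in classes
    has_keyboard = HID_BOOT_KEYBOARD in device.interfaces

    reasons = []
    if has_storage:
        reasons.append(("block", "mass-storage interface"))
    if has_mtp:
        # A rule keyed only on the mass-storage driver never sees this path.
        reasons.append(("review", "PTP/MTP interface allows file transfer"))
    if has_keyboard and has_storage:
        reasons.append(("alert", "composite device: storage plus keyboard"))
    if has_keyboard and (device.vid, device.pid) not in approved_keyboards:
        # VID/PID are self-reported, so the allow list raises the bar but a
        # device can copy an approved keyboard's IDs.
        reasons.append(("alert", "keyboard not on the approved list"))

    decision = max((r[0] for r in reasons), key=SEVERITY.get, default="allow")
    return decision, reasons


# Constructed sample descriptors (not captured from real hardware).
APPROVED_KEYBOARDS = {(0x1234, 0x0001)}
THUMB_DRIVE = UsbDevice(0x1234, 0x0100, "USB DISK", ((0x08, 0x06, 0x50),))
PHONE = UsbDevice(0x1234, 0x0200, "Phone", ((0x06, 0x01, 0x01), (0xFF, 0x42, 0x01)))
DESK_KEYBOARD = UsbDevice(0x1234, 0x0001, "Keyboard", ((0x03, 0x01, 0x01),))
FAKE_DRIVE = UsbDevice(0x1234, 0x0300, "USB DISK",
                       ((0x08, 0x06, 0x50), (0x03, 0x01, 0x01)))
KEYBOARD_ONLY_STICK = UsbDevice(0x1234, 0x0400, "USB DISK", ((0x03, 0x01, 0x01),))


def report():
    """Decision per sample device, keyed by a short label."""
    samples = {
        "thumb_drive": THUMB_DRIVE,
        "phone": PHONE,
        "desk_keyboard": DESK_KEYBOARD,
        "fake_drive": FAKE_DRIVE,
        "keyboard_only_stick": KEYBOARD_ONLY_STICK,
    }
    return {name: evaluate(dev, APPROVED_KEYBOARDS)[0] for name, dev in samples.items()}


if __name__ == "__main__":
    for name, decision in report().items():
        print(f"{name:20s} {decision}")
```

Only boot-protocol keyboards are recognised here; a HID device that reports subclass and protocol 0 would need its report descriptor parsed to tell whether it can send keystrokes.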

    29. Re:Lost Productivity by ELCouz · · Score: 1

      These attacks will be severely limited under non-admin user accounts.

    30. Re:Lost Productivity by HornWumpus · · Score: 1

      That's not how a Rubber ducky works.

      Windows loads the keyboard driver, the device starts 'typing' commands from an attack script.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    31. Re:Lost Productivity by HornWumpus · · Score: 1

      You can reprogram a large number of flash drives to make a 'Rubber Ducky'. Don't pay the people $50, that's for chumps.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    32. Re:Lost Productivity by sexconker · · Score: 1

      Yes, but this is what HornWumpus was referring to, and Joe_Dragon and Baton Rogue didn't understand it at all, so I had to explain it. Twice.

    33. Re:Lost Productivity by ELCouz · · Score: 1

      But I agree with you.... Users having physical access can be a bitch to control.

    34. Re:Lost Productivity by Anonymous Coward · · Score: 0

      Since at least Windows 7, GPO's have had the ability to lock out specific classes of devices. Your mythical device would have to pretend to be a keyboard, rather than a storage device-- and while it might be able to deliver keystrokes, I'm not sure how you would convince Windows to copy a file to a keyboard.

      Not saying it can't be done-- if you can exfiltrate data via a blinking HDD light, you can do all sorts of things.

      But it isn't as trivial as you make it out to be.

    35. Re:Lost Productivity by laughing_badger · · Score: 1

      Get a USB thumb drive and have it physically chained to the wall, such that the chain only reaches the devices that you need to transfer between. No chance of the thumb drive being lost or stolen.

      --
      Help children born unable to swallow - www.tofs.org.uk
    36. Re:Lost Productivity by thegarbz · · Score: 1

      But how much productivity is lost

      Probably none. When you hear notices like this come out of Fortune 500 companies the news only gets trickle fed headline. In the backend there will be alternatives in place, or procedures for actual use of USB if no alternatives can be found.

      My company says it does the same thing too. None the less I have an authorised encrypted USB key to keep going about my work, and most of those other people who desperately needed USB? Well they discovered a world of networking that enabled them to increase their productivity rather than decrease it.

    37. Re:Lost Productivity by thegarbz · · Score: 1

      I'm going to go on a limb here and say that the USB key won't let you copy files to and from it. If you're talking about the can't trust foreign hardware aspect of USB here the key requirement for it is that it continues to act as the user expects in order to avoid suspicion. Sure it can be a keyboard in the background logging your strokes, but if it doesn't function as a USB drive as well the user will relegate it to the scrapheap.

    38. Re:Lost Productivity by thegarbz · · Score: 1

      The OS will happily accept input from the thing

      Yes but the user won't.

      *Plugs in USB drive.
      *USB drive starts doing evil things
      *Computer: "This device is not an authorised USB drive"
      *Unplugs USB drive and throws it into the bin.

      The attack vector relies on either inside knowledge and privilege or time to collect privileged information. The former is mitigated by policy, the latter by human nature.

    39. Re:Lost Productivity by AmiMoJo · · Score: 1

      Shhh! This is your excuse to require a nice new spectrum analyser with LAN port!

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    40. Re: Lost Productivity by Anonymous Coward · · Score: 0

      I have been working at IBM for over 20 years, and have not heard one iota about this new "policy". Slashdot confirms why I haven't been coming to this site in years. See you in another couple years.

    41. Re:Lost Productivity by Doke · · Score: 1

      Our otdr runs windows. I think it's XP. I suspect our security software would flag it for that, and block it off the network.

    42. Re:Lost Productivity by david_thornley · · Score: 1

      *Plugs in USB drive
      *Malicious USB drive tells computer "I'm a keyboard."
      *Computer accepts incoming characters from USB drive as if it were a keyboard
      *Computer finds no reason not to accept commands installing malware on local account
      *User doesn't notice a thing
      *Malware is installed.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    43. Re:Lost Productivity by zmaragdus · · Score: 1

      I specifically avoid windows-based scopes when I can. Viva la Tektronix DPO4000!

      --
      (((dB)))
    44. Re:Lost Productivity by david_thornley · · Score: 1

      Bad assumption. If users find that security measures are hindering their ability to do their job, they'll bypass the security. If only one user is doing that, the user can be fired. If everybody is, the business can't fire everyone.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    45. Re:Lost Productivity by zmaragdus · · Score: 1

      Nope. Still a spectrum analyzer. Rigol DSA1030. USB and ethernet ports. And for some reason this unit's ethernet port is malfunctioning. Now, I've been wanting a new spectrum analyzer anyways because...well...Rigol DSA1030. But now the USB policy means that I REALLY want a new spectrum analyzer.

      --
      (((dB)))
    46. Re:Lost Productivity by zmaragdus · · Score: 1

      Current one has broken LAN port, but your comment still stands. Current one is also kind of a shitty spectrum analyzer, so now I have multiple reasons for wanting a new one.

      --
      (((dB)))
    47. Re:Lost Productivity by farble1670 · · Score: 1

      If users find that security measures are hindering their ability to do their job, they'll bypass the security.

      My point is if employees are willing to do that, all bets are off. There's always going to be a way to bypass security. These policies assume employees want to do the right thing. They aren't intended as bullet proof measures to thwart malicious agents. If that was the case they'd strip search and body cavity search you at the door and modify the operating system and firmware of every computing device on the campus to ignore USB drives.

    48. Re:Lost Productivity by HornWumpus · · Score: 1

      'From it' is easy. There is an example upthread.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    49. Re:Lost Productivity by HornWumpus · · Score: 1

      First link after 'Ernie singing'...https://hakshop.com/products/usb-rubber-ducky-deluxe

      'Mythical', yeah right.

      Once the rubber ducky has rooted the computer you install a regular USB drive to exfiltrate data.

      BTW don't buy that rubber ducky. You can reprogram many old thumb drives into one. A further search will turn that up for you.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    50. Re:Lost Productivity by Anonymous Coward · · Score: 0

      IBM is not trying to prevent network compromises. That is a security issue. This policy is to prevent employees from copying data that is privileged to removable storage and then losing the device. Preventing them from stealing the data is a bonus.
      So this isn't a computer security protocol to protect their systems but an information security protocol to protect their privileged information; technical, proprietary and legal.

    51. Re:Lost Productivity by torkus · · Score: 1

      Because there are zero known escalation exploits?

      Being a logged-in, interactive user on a corporate network is already a huge advantage for exploiting a system/infrastructure. The admin escalation is pretty minor in comparison for any directed attack against a reasonably hardened target.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    52. Re:Lost Productivity by Anonymous Coward · · Score: 0

      It's only somewhat the employee theft risk, but more the accidental loss risk.

      Losing a flash drive full of customer data could be VERY bad if it's not encrypted.

      As a customer, I'm glad people are starting to take *MY* security seriously.

    53. Re:Lost Productivity by david_thornley · · Score: 1

      Employees usually want to do the right thing. On the other hand, if it's too difficult or dangerous, they won't. In many cases, the company preaches security, but the guy who bypasses it to get stuff done gets the good annual review and a raise. Most employees will not try to bypass security for things other than getting work done, or possibly getting confidential information on celebrities or people they know.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  3. I guess nobody told them by bobstreo · · Score: 3, Interesting

    about wi-fi enabled portable hard drives and NFS or Samba shares. or FUSE or SSHFS.

    1. Re:I guess nobody told them by acoustix · · Score: 1

      Yes, there's always a way around. But the point is to minimize the exposure. Depending on the environment rogue Wi-Fi devices wouldn't work, as well as other network file shares.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    2. Re:I guess nobody told them by Anonymous Coward · · Score: 0

      USB thumbdrives? Behind the times about 5 years aren't they?

    3. Re:I guess nobody told them by Anonymous Coward · · Score: 0

      SSSHHH don't tell THEM about my slick workaround.

    4. Re:I guess nobody told them by The-Ixian · · Score: 5, Insightful

      It's super trivial to export data for someone already on the inside.

      I was at a company that locked down USB ports as described in this article and also proxied all web traffic, blocked all cloud file sharing services and fiddled with session cookies to web sites.

      And yet they offered PuTTY in their user-allowed, self-service app portal....

      SSH tunnel to my home network (along with whatever TCP redirects I wanted)....

      Not saying I exported data, although I did test it to see if it would work (for science!)... I just used it to do personal web browsing from my own computer.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:I guess nobody told them by Anonymous Coward · · Score: 2, Funny

      Suddenly, a wild pedant appears...

    6. Re:I guess nobody told them by Anonymous Coward · · Score: 1

      Not many people know SSH tunnels exist, how to use them, and how they can thwart security controls.

      Does the security policy reduce the ability of general employees to exfiltrate data without authorization? If the answer is yes, the policy is justified.

    7. Re: I guess nobody told them by Bing+Tsher+E · · Score: 1

      The problem is, you can do those things, but the typical IT type will poop a lump if they find out about it, and they are ignorant yet ruthless enough to make life uncomfortable. Big stupid dogs can seem funny, but they can also have a nasty bite.

    8. Re:I guess nobody told them by Anonymous Coward · · Score: 0

      I guess nobody told them that laptops are portable storage devices, too.

      We've replaced so many laptops for staff over the years (usually it's sales people leaving them in airport lounges or taxis) that there's a process in place to deduct losses from salaries.

    9. Re:I guess nobody told them by david_thornley · · Score: 1

      Agreed. At some point, you have to figure what security measures are actually justified, and who you're just going to have to trust. The only way to keep data absolutely secure is to destroy it.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  4. Phone internal storage! by HornWumpus · · Score: 2

    Your phone's internal storage is good enough for all your industrial espionage needs anyhow.

    Has anybody written a 'Rubber Ducky' app for Android yet?

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    1. Re:Phone internal storage! by thegarbz · · Score: 1

      Your phone's internal storage is good enough for all your industrial espionage needs anyhow.

      I have never seen a company that denies USB Mass Storage but allows mobile phone transfers.

    2. Re:Phone internal storage! by HornWumpus · · Score: 1

      Per IBM's stated policy. Removable storage is the problem. Phone internal storage is still allowed at IBM as it's 'not removable'.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    3. Re:Phone internal storage! by thegarbz · · Score: 1

      Let me rephrase:

      I have never seen a sane company that denies USB Mass Storage but allows mobile phone transfers.

      Yeah yeah, no true IBM fallacy :-)

  5. Secured To Death by Anonymous Coward · · Score: 0

    Tighten that noose of security more tightly around your own neck, oh thrashing blue dinosaur.

  6. "reputational damage from misplaced, lost..." by JoeyRox · · Score: 2

    Have they considered device-level encryption?

    1. Re:"reputational damage from misplaced, lost..." by Anonymous Coward · · Score: 0

      Have they considered device-level encryption?

      At this point, I don't think they have any reputation left to damage, given their behavior in realigning the workforce.

    2. Re:"reputational damage from misplaced, lost..." by thegarbz · · Score: 1

      Probably not only considered but using too.

      What happens in the background and what little information is given to the media on a slow news day is usually a very different story.

  7. Better ban paper tape and punchcards by xack · · Score: 2

    Knowing IBM they still use these on a regular basis.

  8. Do this and I can't do my job... by Anonymous Coward · · Score: 0

    I'm in IT. If I'm blocked from using USB devices, getting files to/from new servers, new laptops, etc. that aren't yet on the network becomes extremely problematic. And what about systems that have problems and can't currently get on the network?

    What about setting up USB drives for Windows/Linux/etc. installation media?

    What about all the times I needed to copy data to/from a USB drive for legal discovery purposes? (E.g., we were sued)

    There are *MANY* completely legitimate reasons for using usb flash/hard drives to transfer/copy data.

    1. Re:Do this and I can't do my job... by Anonymous Coward · · Score: 4, Insightful

      If you were actually in IT, then you would know that these rules apply to sysadmins in the same way that saying "stay off the couch" affects your cat's behavior.

    2. Re:Do this and I can't do my job... by Anonymous Coward · · Score: 1

      all part of their grand (cunning) plan
      to piss their staff off even more so that they give up and quit.
      Saves on severance pay!

    3. Re:Do this and I can't do my job... by Anonymous Coward · · Score: 0

      Oh for crying out loud, there are normally ways to get approval if absolutely required. They just want to make sure you have eliminated all other options first.

    4. Re:Do this and I can't do my job... by Joe_Dragon · · Score: 1

      Or just let stuff fail do the Process

      https://thedailywtf.com/articl...

  9. I hope they have fast Internet access... by Anonymous Coward · · Score: 0

    at all of their locations. No way would this policy work for us since we still have several locations on dial-up.

  10. Maybe just put the phone down? by Anonymous Coward · · Score: 0

    What ever happened to leaving work at work? When did we even need to start using removable storage devices to take work with us out of the office?

  11. Idiocy versus deliberate espionage? by ctilsie242 · · Score: 1

    I wonder if this ban is to prevent casual idiocy from happening (someone losing an unencrypted USB flesh drive with their documents on it), or if it is a measure against people trying to slurp confidential documents.

    If this is intended to prevent deliberate intrusions, good luck. I've seen people get around this by shoveling data via iTunes or another sync program, or just plug in an Android device and use MTP (which presents itself differently than a mounted drive.) Worst case, there is popping photos of the screen and making QR codes of encoded binary files.

    If a company has to worry about deliberate espionage, they need to get with HR and start cleaning house. No amount of tech is going to stop someone determined to take info. Instead, there needs to be separation of duties and limits to what people can access... basic stuff, but with the idea of "running thin" so just a few employees can wind up with a lot of confidential stuff they really don't have a need for.

    If IBM is worried, perhaps they need to hire more employees and rely less on vendors/contractors, so they get more loyal people, not people who will bail when there is some job that offers better benefits out there.

    1. Re:Idiocy versus deliberate espionage? by Junta · · Score: 1

      I presume this is for casual idiocy (the kind that has gotten various companies in trouble about someone leaving an unencrypted storage device or laptop with customer data and it getting stolen).

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:Idiocy versus deliberate espionage? by HornWumpus · · Score: 1

      'flesh drive'...I don't even want to know what that is.

      IBM has spent the last 20+ years teaching their employees to be ready to jump at a moment's notice.

      Full-time/contractor isn't much of a distinction. Only fools are loyal to those that have no loyalty to them.

      If IBM wants data security, they better get to work epoxying up USB ports. Still won't work.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    3. Re:Idiocy versus deliberate espionage? by Anonymous Coward · · Score: 0

      There is a difference. FTE, IBM has to do an exit interview and a full process of separation.

      Contractor, they just disable the badge, where you find it out in the morning.

    4. Re:Idiocy versus deliberate espionage? by Anonymous Coward · · Score: 0

      Most likely they finally ran out of ways to get exemptions for them during their audits for SOX or whatever.

    5. Re:Idiocy versus deliberate espionage? by will_die · · Score: 1

      Probably because people don't use encrypted USB flash drives. If it is like other offices people are just using personal ones they had sitting around at home.

    6. Re: Idiocy versus deliberate espionage? by Anonymous Coward · · Score: 0

      What does IBM have that anyone wants to steal anymore?

    7. Re: Idiocy versus deliberate espionage? by Anonymous Coward · · Score: 0

      "unencrypted ... flesh drive".
      *Shivers*

    8. Re:Idiocy versus deliberate espionage? by JackieBrown · · Score: 2

      Weren't there a few stories about criminals leaving USB devices in parking lots with viruses and rootkits? People would pick them up and plug them into their work computer hoping for interesting photos or documents?

    9. Re: Idiocy versus deliberate espionage? by Bing+Tsher+E · · Score: 1

      When my dad worked at IBM (from the mid 50s until the mid 80s) IBM had a full employment policy. They could not lay off employees, and any time a location was closed they had to relocate and find a new position for all employees at said location. At some point in the 70s they started contracting out parking lot attendants at their offices because until that point IBM employee parking lot attendants were relocated at company expense when necessary. My father got out (retired at 55) right before the culture at IBM changed from the old ways.

    10. Re: Idiocy versus deliberate espionage? by Anonymous Coward · · Score: 0

      All dealings I have with them nowadays is because they seem to have become primarily a hosting company in India for a shitload of customers, and *those* may have something to steal.

  12. DVD drives? by sremick · · Score: 1

    So what do external USB DVD/CD writer drives look like? Are they included?

    Extremely common especially considering most laptops don't include them any more, despite being widely needed.

    1. Re:DVD drives? by EvilSS · · Score: 1

      Extremely common

      Extremely common? Compared to what, USB floppy drives? I'd be willing to bet 98% of laptop owners who don't have a built in optical drive do not have an external one. And that's probably being conservative.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:DVD drives? by flink · · Score: 1

      Extremely common

      Extremely common? Compared to what, USB floppy drives? I'd be willing to bet 98% of laptop owners who don't have a built in optical drive do not have an external one. And that's probably being conservative.

      I need mine all the time when I need to bring data into areas where outside electronics (i.e. my laptop) aren't allowed, or I can bring in my laptop, but can't connect to the customer network.

      I also burn discs when mailing data or software to contractors or customers. It's cheaper and more likely to pass muster with IT security on their end if I send them read-only media vs a thumb drive.

    3. Re:DVD drives? by Darinbob · · Score: 1

      But there's often a USB CD/DVD reader floating around for when it's needed.

    4. Re:DVD drives? by EvilSS · · Score: 1

      YOU need YOURS. I don't doubt there's a higher than average use of them with /. users, but I stand by my statement. The vast majority of laptop users don't own one. They are far from "Extremely common"

      --
      I browse on +1 so AC's need not respond, I won't see it.
    5. Re:DVD drives? by drinkypoo · · Score: 1

      So what do external USB DVD/CD writer drives look like? Are they included?
      Extremely common especially considering most laptops don't include them any more, despite being widely needed.

      When was the last time you had to use an optical disc in a corporate context? IT slots it once and copies its contents to the network and it is never, ever used again. Unless, of course, it's an OS install disc; that's used hopefully only once per system model, at which point an image is generated.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:DVD drives? by bruce_the_loon · · Score: 1

      Only for very rare operating systems. For the regular suspects, we just pull the ISO direct from MS licensing, Redhat.com, Ubuntu.org and so forth. No risk of getting bits swapped because of a scratch on the disk.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    7. Re: DVD drives? by Anonymous Coward · · Score: 0

      You can PXE boot an ISO. Example for Ubuntu and probably most bootable ISOs: http://www.vercot.com/~serva/an/UbuntuPXE1.html

  13. What when portable media is REQUIRED ? by mysidia · · Score: 1

    For example: I sometimes deal with Raspberry Pis being used for organizational purposes, and in order to set them up I need to format and image an SD card. I have a number of environmental controllers whose only network interface is a serial port, and the procedure to kick off a firmware update is to load the new .BIN file onto an SD card, and then boot up the controller with the card containing a new firmware file. Also, system logfiles and some test equipment's log data are written to SD.

    There are plenty such use cases where "Portable media" is the only viable option to accomplish vital tasks.

    1. Re:What when portable media is REQUIRED ? by halivar · · Score: 1

      You ask information security to white-list the device, and it never leaves the building.

    2. Re:What when portable media is REQUIRED ? by mysidia · · Score: 1

      OK... I have 1000 of these for you to get Whitelisted before this afternoon, and I'll have another 1000 tomorrow morning.

    3. Re:What when portable media is REQUIRED ? by tomhath · · Score: 1

      No problem. Bring all of them to IT Services asap, we'll get right on it...tomorrow at the latest.

    4. Re:What when portable media is REQUIRED ? by mysidia · · Score: 1

      No problem. Bring all of them to IT Services asap, we'll get right on it...tomorrow at the latest.

      No... it HAS to be done to roll out a critical update to the IP cameras by lunch today, otherwise any resulting damage and repair costs resulting from still running unpatched firmware will be deducted from IT's budget. ^_^

    5. Re:What when portable media is REQUIRED ? by halivar · · Score: 2

      Our IT department has a sign that says, "Failure to plan on your part does not constitute an emergency on mine." They'll fill out a PO for new devices (the one you should have done weeks ago) that they will service themselves, and tell you to go pound sand until then. Anything that proceeds from there is on your head.

    6. Re: What when portable media is REQUIRED ? by Anonymous Coward · · Score: 0

      An RPI is 100 times more secure than ANY machine running Windows. Even if the RPI has no virus scanner and firewall.

      Also, the hardware is very reliable, not hot, generally rock solid.

      What was your argument?

    7. Re:What when portable media is REQUIRED ? by farble1670 · · Score: 1

      Easy. You're fired.

    8. Re:What when portable media is REQUIRED ? by Anonymous Coward · · Score: 0

      Because every situation can be planned for...

    9. Re:What when portable media is REQUIRED ? by Darinbob · · Score: 1

      Yes, when it comes to clueless IT policies, you just need to be creative. Don't call them micro-SD cards, call them high tech blood glucose test strips.

    10. Re:What when portable media is REQUIRED ? by drinkypoo · · Score: 2

      IBM does not fiddle with toy computers, or if they do, they make their own toy computers and fiddle with those. No doubt there are some IBMers using Pis and the like for research projects here and there, and no doubt they will either work around the rules or get some kind of exception. But your [downstream] example of 1,000 R-Pis doesn't wash at IBM. As a rule, they don't build clusters out of hobbyist computers; they build them out of POWER processor-based systems and show up all over the Top500.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:What when portable media is REQUIRED ? by drinkypoo · · Score: 2

      Because every situation can be planned for...

      It feasibly can if you bother to bring IT into the conversation in a timely fashion, so that they can make plans.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  14. Suppliers by Thelasko · · Score: 2

    Part of my job is managing suppliers. The corporate IT departments of all of the companies all have different policies regarding how data is to be moved. Oftentimes, it's just easiest to have a liaison engineer come over with a flash drive to move the data. Email can't handle large enough files, getting IT to set up an FTP server takes weeks, and is still clunky. I have had some success using box.com for one project.

    I realize there has to be a trade off between getting work done, and security. I'm not sure this is worth the cost.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Suppliers by EvilSS · · Score: 2

      They use file transfer services like ShareFile, Box Enterprise, DropBox for business, or other Enterprise File Sync and Share (EFSS) products. These give the company more control and are easier to deal with than FTP sites these days since they are more user friendly and use HTTPS to do the transfer. Many can even be hosted on-prem so no cloud storage is required.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re: Suppliers by Anonymous Coward · · Score: 0

      You have more control when you outsource your data storage? That makes no sense, also, how do they give you more control than running your own ftp server?

    3. Re: Suppliers by Anonymous Coward · · Score: 0

      Many can even be hosted on-prem so no cloud storage is required.

      There's your answer.

    4. Re:Suppliers by Darinbob · · Score: 1

      But those systems are SLOW. I don't know of any network that beats the bandwidth of driving over a portable hard drive. Seriously, cloud services are atrocious, especially when your company has a puny outgoing pipe all trying to handle the data from 500 people going to the outsourced backoffice servers in rural India.

    5. Re:Suppliers by EvilSS · · Score: 1

      No, your particular scenario is slow. For the vast majority of users they are way faster and more convenient than driving a USB drive to someone who-knows-where.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    6. Re:Suppliers by Anonymous Coward · · Score: 0

      Part of my job is managing suppliers. The corporate IT departments of all of the companies all have different policies regarding how data is to be moved. Oftentimes, it's just easiest to have a liaison engineer come over with a flash drive to move the data. Email can't handle large enough files, getting IT to set up an FTP server takes weeks, and is still clunky. I have had some success using box.com for one project.

      I realize there has to be a trade off between getting work done, and security. I'm not sure this is worth the cost.

      Instead of requiring every employer make your job easier, consider making their job easier. Set up a single web-based FTP system for them to upload to, give them credentials or eliminate read access, and you are done for every supplier forever. An hour long project.

    7. Re:Suppliers by LinuxIsGarbage · · Score: 1

      But those systems are SLOW. I don't know of any network that beats the bandwidth of driving over a portable hard drive. Seriously, cloud services are atrocious, especially when your company has a puny outgoing pipe all trying to handle the data from 500 people going to the outsourced backoffice servers in rural India.

      Our facility's Internet connection is so slow, when I'm downloading updated installers (4GB downloads), I'll do it at home at night and bring it in so I won't cripple the site's network.

    8. Re:Suppliers by david_thornley · · Score: 1

      The old saying about a station wagon and mag tape has been changed to "Never underestimate the bandwidth of an SUV filled with micro-SD cards barreling down the highway."

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  15. Like every other Fortune 500 by MobyDisk · · Score: 1

    News Flash: IBM's IT department does what every other IT department does! Film at 11!
    (Except I can't seem to copy it to my flash drive... lemme try DropBox... blocked, ummmm... how about my old university FTP sit... oh that's down... )

  16. In other news, IBM enters the 21st century... by gosand · · Score: 3, Interesting

    I've worked for a couple of very large financial institutions, and they disabled USB drives 5+ years ago. It not only curtails the threat of pilfering information, but shuts down a hole in security. "hey, I found this thumb drive in the parking lot, I'll just plug it in and see what's on it"

    It was a pain at first, but you quickly learn that for MOST work, it's not necessary. If it is, you can usually get an exemption.

    I am surprised this made the "news" though.

    --

    My beliefs do not require that you agree with them.

    1. Re:In other news, IBM enters the 21st century... by Darinbob · · Score: 1

      We will use them a bit. No one's bringing them from outside, but it's one of the fastest ways to transfer large files around. I.e., trying to get a reasonable cross development environment set up on newer OSX systems is painful and takes many hours, but dragging off of a plugged in hard drive gets it done in a few minutes. Plus all the lab equipment that doesn't understand how to send to the cloud, and which can't be upgraded because real world companies use things called "budgets".

    2. Re:In other news, IBM enters the 21st century... by magzteel · · Score: 1

      I've worked for a couple of very large financial institutions, and they disabled USB drives 5+ years ago. It not only curtails the threat of pilfering information, but shuts down a hole in security. "hey, I found this thumb drive in the parking lot, I'll just plug it in and see what's on it"

      It was a pain at first, but you quickly learn that for MOST work, it's not necessary. If it is, you can usually get an exemption.

      I am surprised this made the "news" though.

      I'm amazed IBM hasn't blocked this years ago. It's a huge security risk.

      I'm also at large financial institutions. They all have or are moving to thin clients with no access for USB drives or anything else. They don't allow file transfers of any kind. If you get caught they could have you arrested, like Sergey Aleynikov.

  17. Better idea by Anonymous Coward · · Score: 0

    Ban there staff from being pakistani's.

  18. Hey, IBM, by RobertNotBob · · Score: 1

    Hey, IBM.... Welcome to 2009!

    --
    ___ I don't respond to Anonymous Cowards, and I Never Mod them UP.
  19. IBM better prepare to pay cell carriers by tepples · · Score: 1

    From the featured article:

    IBMers are advised to use Big Blue’s preferred sync ‘n’ share service to move data around.

    I guess those who work in the field will end up seeing a lot more cellular data bills attributable to use of "Big Blue’s preferred sync ‘n’ share service".

    1. Re:IBM better prepare to pay cell carriers by fluffernutter · · Score: 1

      Why would you assume a sync site would need a cellular connection? There is this thing called a website that works on wifi.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:IBM better prepare to pay cell carriers by flink · · Score: 2

      Because when you are in the field you often can't connect to the customer's WIFI, or you can connect to their "guest" network, but it is so locked down and/or slow that you are better off using a WiFi cellular data puck.

    3. Re:IBM better prepare to pay cell carriers by fluffernutter · · Score: 1

      Well then I'd be pissed if my company didn't pay for my cellphone connection. If it became a problem I would refuse to use my personal connection and ask the upper-ups what the accepted solution is for that situation.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    4. Re:IBM better prepare to pay cell carriers by drinkypoo · · Score: 1

      Well then I'd be pissed if my company didn't pay for my cellphone connection. If it became a problem I would refuse to use my personal connection and ask the upper-ups what the accepted solution is for that situation.

      IBM is not shy about spending money. If you need a cellphone to get work done, they will probably just buy you a cellphone. When I worked for Tivoli just post-acquisition I was on the 24/7 team and they put ISDN into my house... straight into the 9 net. But I could also use it to make long distance calls, and so long as they weren't international, they didn't give half a shit who I called on it. A cellphone is penny-ante by comparison.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  20. The Forecast by Anonymous Coward · · Score: 0

    Things are looking CLOUDY.

    1. Re:The Forecast by Locke2005 · · Score: 1

      Seems like the firewalls would be able to trace transfers of company data to the web.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  21. Late to the party by MonteCarloMethod · · Score: 2

    My employer has done this for years. If you want to use external storage you can get one approved for use in an office environment by demonstrating a need. As far as the lab environment goes, you can *borrow* one of the lab's own specially approved, encrypted, and regularly inspected and cleaned drives for pulling data off of lab computers and equipment. Why any large IP-handling company would allow any old employee to tote around their own personal attack/leak vector is beyond me.

    1. Re:Late to the party by fluffernutter · · Score: 2

      At my workplace we got IronKeys for this a long time ago. They sat in a cabinet. One person checked one out once but then didn't need it. They are still there to this day. It turns out people who are good with technology don't absolutely need a USB key.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  22. Common at Banks by Anonymous Coward · · Score: 0

    I worked as a software dev at a bank, and they had this policy as well. It's painful, and I'm glad I don't work there anymore :)

  23. Small world by Anonymous Coward · · Score: 0

    The HPIC (Head Pajeet In Charge) here at my company has mandated the same thing. We are supposed to get access to some Microsoft tool ("OneDrive," I think it is?) to allow short-lived file sharing, since we cannot open up shares on our PCs due to lack of local admin rights. I cannot wait to try it!

  24. Neither by Comboman · · Score: 1

    I suspect this is not about security at all, but rather about forcing employees (and suppliers and customers) to use IBM's cloud services. If IBM made flash drives, I guarantee the policy would be exactly the opposite.

    --
    Support Right To Repair Legislation.
  25. aha by Anonymous Coward · · Score: 0

    So you're saying carrying a USB drive is the same as carrying $40000 cash -- they can't track it!

  26. Late to this party, they are by rickb928 · · Score: 1

    This has been enforced policy where I work for more than a year. If I plug in a removable device alerts are generated, messages on my workstation pop up, and it doesn't work.

    I haven't tried to get past this, since group policies on my work machine are mostly impenetrable. It's OK, we have a very good file sharing system to do the needful.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  27. Security by disability by Anonymous Coward · · Score: 0

    If it works, it isn't secure enough, and conversely it isn't secure until it doesn't work anymore.

    Equilibrium is a barely working, barely secure organisation.

  28. PS/2 by Anonymous Coward · · Score: 0

    IBM's announcement is not out of the ordinary. Years ago (late 90s/early 2000s) I worked for a company that offered an automated hardware/software inventory solution for PCs. When we sold to Goldman Sachs we were surprised to discover that they had disabled all USB ports on their PCs so as to prevent removable storage devices from being attached to any machine. They used PS/2 mice and keyboards.

    1. Re: PS/2 by Bing+Tsher+E · · Score: 1

      I bought a new motherboard last year (an MSI 'gaming' motherboard) that still has PS/2 ports. Also headers for a serial and parallel port.

  29. Apple supports USB devices? by Samurai+Nigel · · Score: 1

    Pretty sure switching to Mac already accomplished this for them.

    https://www.cio.com/article/31...

    Maybe there's a dongle for that?

    1. Re: Apple supports USB devices? by Bing+Tsher+E · · Score: 1

      Have the IT goons fill the USB-C ports with epoxy. One-use disposable Macbooks, with the benefit that the keyboard won't jam before the battery fully discharges.

  30. No Tapes! by Anonymous Coward · · Score: 0

    And no tape backups. Can't have those travelling off site!!!

  31. Hahaha that's sweet of you to think.... by Anonymous Coward · · Score: 0

    ...that your silly "encryption" will be effective.

  32. Isn't this standard practise? by viperidaenz · · Score: 2

    I'm not allowed USB drives at work. If I plug one in, it's blocked.
    If I really need one to do my job, I get given an encrypted usb drive that requires a pin code.

    The news here should be IBM is late to the party and has been lax about information security.

    1. Re:Isn't this standard practise? by Anonymous Coward · · Score: 0

      Disks weren't blocked where I worked (the user had to "verify" they checked it for viruses, and I guess the centrifugal force flung them off or something, I dunno).
      So I used floppies, Jaz drives, and CDRWs.

  33. Not a new idea by Locke2005 · · Score: 1

    I worked for a company that disabled the USB ports in all computers _after_ multiple instances of their employees downloading their customer lists and starting their own competing companies.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Not a new idea by Locke2005 · · Score: 2

      And here's the stupid thing about that policy: their routers didn't do MAC address filtering, so anybody could have brought in a WiFi Access Point, plugged it into the network, and accessed all the company files from outside the building! I didn't feel like telling them about that flaw in their security, since they had already made my job hard enough to do.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:Not a new idea by Anonymous Coward · · Score: 0

      What would MAC filtering do? You realize that MACs are trivial to spoof right?

    3. Re:Not a new idea by Locke2005 · · Score: 1

      You'd have to turn off the computer whose MAC address you were copying. I'm not aware of any WiFi routers that feature MAC spoofing, but since they all run Linux, it shouldn't be too hard to do. My point was, if you don't trust your employees, technical measures don't help against someone who has physical access to the hardware. You can get admin privileges on most computers just by booting them off a different disk.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    4. Re:Not a new idea by david_thornley · · Score: 1

      I'm going to guess that there's a very small intersection between the set of people who want to grab the customer lists and start their own business, and the set of people who can, or would even think of, bring in a router jiggered for MAC spoofing. If the company can keep IT loyal, they're unlikely to have that particular problem.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  34. Oh jolly dear me by Hognoxious · · Score: 1

    How will they be able to do the needfuls if they R having one doubt and wish 2 revert the same?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  35. Wrong Nitpick by Anonymous Coward · · Score: 0

    All this nitpicking about device transfer and no one raised the important question:

    What does IBM have to lose in reputation and financial standing at this point?

  36. IBM doesn't make things anymore by rsilvergun · · Score: 1

    except for a few vanity projects like Big Blue. They're mostly a consultancy company now (and most of that is Indians). They everybody in the states who wasn't a salesperson back in the mid 2000s. It made /. when they announced it. End of an era and all that rot.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  37. This isn't meant to stop insiders by rsilvergun · · Score: 1

    this is meant to stop morons who find a USB drive in the parking lot and plug it into their work computer. And yes, there have been several data breaches traced back to this rather lame method...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  38. Long overdue by aklinux · · Score: 1

    USB, and other external storage media, have long been recognized as security risks. This may not be a cure-all, but it is a needed 1st step.

  39. USB and policy causing big hassles by Anonymous Coward · · Score: 0

    I work at VBC (aerospace). We recently had a policy imposed on us where our office computers are prevented from writing to USB memory sticks. When I have time to read company bulletin boards, there are daily posts asking how to get around this. It's clearly causing problems throughout the company.

    There have been suggestions of obscure FTP sites, sharepoints (whatever that is), etc. but they all require both sender and recipient creating new "accounts" (like we don't have enough usernames and passwords to keep track of already), and probably haven't been maintained for years. Also some of our projects, while not secret, are for customers who are working on top secret projects, and are export restricted. My understanding is we shouldn't put anything regarding those projects on the network (company or Internet) because we have to assume servers, data centers, etc. have been outsourced. It's far better to just use USB memory sticks, if we can get away with it.

    There are annoying procedures to request temporary exemptions to the USB policy. I think my boss has managed to get our whole department an indefinite exemption (yay!).

    I used to work for VBC(commercial electronics). There, it was known that all our computers had tons of corporate spyware which among other things would alert our boss about access to USB memory sticks. We did it all the time though, damn the consequences, especially when dealing with lab test equipment. Much of that lab equipment ran Windows XP or Windows 2000, and their ethernet ports were often physically plugged due to {donotfix} security holes, leaving USB memory sticks as the only way to get data off.

    {getoffmylawn}I'm still shocked at most test equipment running Windows.{/getoffmylawn}

  40. Why not use phone in drive mode? by Anonymous Coward · · Score: 0

    Lots of apps and some phones have this built in..

  41. Who is IBM ? by micahraleigh · · Score: 1

    I think I might have heard of them in a history elective.

    Did they get started by Franklin or Edison?

    An innovative thing here might be writing a good eulogy for that sad, pathetic company.