State Agency to Destroy Unauthorized USB Drives
Lucas123 writes "The State of Washington's Division of Child Support has forced hundreds of workers to turn in personal USB flash drives and has instead begun issuing corporate-style USB drives. The goal is to centrally monitor, configure and prevent unauthorized access to storage devices. So far about 150 common drives have been issued. The agency eventually plans to destroy all existing thumb drives collected as part of the security policy change."
RTFA (Score:5, Insightful)
Re:Accuracy of Story? (Score:5, Insightful)
My bad. It says "after recalling the thumb drives used by workers. Most of those had been purchased independently by the employees, causing myriad problems for security personnel, Main said. The new policy requires workers to use the drives supplied by the agency. Main said he eventually plans to destroy all existing thumb drives collected as part of the security policy change." Although, I think from this and following comments like "The general perception is no one will report a lost USB memory stick because they're so cheap" there is an implication (although it isn't explicit at all) that the drives were bought with public money and used for public work.
Once again, I don't think there is too much to complain about here. It shocks me how many employers (even in sensitive areas like government departments and law firms) have PCs that will even, by default, run software or an operating system from a USB drive. According to TFA, in this case "sensitive data transported by off-site workers include[d client's] tax documents, employer records, criminal histories and federal passport data" and commonly "the names, dates of birth and Social Security numbers of children".
Of course, in opposition to what the article says, I think education about data protection legislation and issues is more important than attempting to physically constrain employees (which is ultimately impossible), although both may have their place.
Waste (Score:3, Insightful)
Re:What a waste (Score:5, Insightful)
Two things to consider:
Re:Sensible policy (Score:5, Insightful)
1. What maybe started along the lines that you described, then has to go through controlling or purchasing or such, which in a lot of places have their job judged and measured by how much they saved. If they saved 10,000$ at the cost of making everyone else spend 1,000,000$ in workarounds and lost productivity, they're doing their job right. So someone will go "auugh, why should we pay a few bucks more on very secure drives, when we could get ordinary ones at a bulk discount? Look, there are these drives with fingerprint scanner for half the price. That's secure, right?" (See the vulnerability linked even on Slashdot recently.)
2. Someone else (or in some organizations the same) will have to make sure it's one of the approved suppliers. Ideally this would mean those who have a good track record of reliability, quality, etc. In practice, it'll mean one of (A) whoever pays more bribe, or (B) the boss's wife's or cousin's supplies company, created just to siphon some money off such purchases. If it's a state agency, stuff like pork barrel, political favours and lobbies have something to do with it too.
Since this _should_ be in conflict with #1 and is exactly the kind of thing that #1 is supposed to catch, sometimes they split the bribe, sometimes they trade favours, and sometimes inventive discounts are used. Like we'll price the USB sticks at $1000 each, give you a 50% discount, and let you show that you've done your job right by negotiating a whole $500 discount per drive.
3. Some IT department has been given thoroughly counter-productive goals, like only keeping the computers or the network running, but no mention of actually providing a service to the rest of the organization. So suddenly the users are their sworn enemies, the filthy pests that keep using and screwing their preciouss computers and network. They'll do their best to contain, thwart and plain old inconvenience those users at every step. So the "secure" setup for those drives will be just an exercise in making it as inconvenient to use as possible, to teach those pesky lusers a lesson.
And indeed the users do learn a lesson: that if you want to get your job done at all, you have to do your own unauthorized workarounds. There goes most of security out the window right there.
Alternately, the IT department has also been on the shit end of #1, and is underfunded and staffed with the cheapest monkeys who can sorta bang on a keyboard, and don't fling too much feces at the screen. So they'll configure something which they think is right, but is not.
Yet another alternative is that a lax PHB can't be bothered to actually organize IT, and some BOFH personality types feel free to override everything and do what _they_ please. I've seen it happen. Stuff like production servers configured without XA support for _years_, just because the relevant BOFH thought that's a buzzword and it runs just as well without it anyway, plus it saves him the bother of installing the relevant libraries on all servers. So he _lied_ to the team for years that they have a feature that they didn't actually have.
And not only can I see all three happening with security too, I've _seen_ it happen with security features too.
4. Some PHB will figure out that it's not really an "enterprise" drive unless it has the organization's logo on it. In fact, that that's what makes anything properly enterprise.
Some frustrated users that have been on the shit end of #3 too often, will begin just printing and gluing makeshift logos to their own USB sticks, rather than put up with Mordac The Preventer Of IT Services again. No one will be any wiser.
Etc.
Somebody has woken up to personal privacy (Score:5, Insightful)
As to destroying them... Put this in proportion: 150 devices, at perhaps $30 apiece if they weren't bought yesterday: about $4500. On the other side, when the UK government lost 2 CDs with large amounts of personal information, the mailshot warning the people whose personal and banking information had been misplaced cost $6,000,000. With cost ratios of this magnitude, the precautionary principle applies. Yes, you could wipe them, and they probably wouldn't leak info. But the cost if they did is so high that the tiny loss involved in destruction is irrelevant.
So I applaud a government department for finally taking privacy seriously. The cost arises because they didn't do so before, and is small. The cost for all the other departments who have not yet got it is increasing every day.
Why not disable the USB ports? (Score:3, Insightful)
Misleading Summary leads to Misleading Tags (Score:2, Insightful)
But then again what does the content of the article have to do with analysis on Slashdot... yeah I know.. flamebait..
Re:Misleading Summary leads to Misleading Tags (Score:3, Insightful)
The replacement drives might support encryption, which is a normal 'corporate' feature.
Re:You can have my USB key (Score:5, Insightful)
Re:Good (Score:3, Insightful)
Re:Misleading Summary leads to Misleading Tags (Score:5, Insightful)
The replacement drives might support encryption, which is a normal 'corporate' feature.
when it comes to commenting or responding... comprehension is not necessary.
The use of the word "personal" was obviously targeted at getting a rise out of the non-RTFA crowd, as the article itself never terms the drives - "personal drives". They called them "nonapproved thumb drives". We recently discussed "secure" thumb drives [slashdot.org] and I hope they aren't wasting their (taxpayers') money on the version of the Cruzer reviewed in the article.
Re:What a waste (Score:3, Insightful)
Depends on the price. If they were 1p I'd buy 100 of 'em. 256 Mb is still a useful amount of storage (plain text, html, mp3 etc. etc.).
Re:Won't work, even with all the good faith... (Score:3, Insightful)
The second is that you can't do this stuff in a top-down way. You can create the illusion that you've done it, with a paper trail showing that every employee has signed a memo or whatever, but you need to get employee buy-in. The second is... and I hinted at this point in my original post... very often the set of people who are not in compliance includes people who are in upper management. The CEO may _say_ "you have my backing," but is he really going to fire the CFO for using a thumb drive?
The third is that if employees get the idea that you are, as Dilbert calls it, "the preventer of information services," you've already lost the battle. You can instill a corporate culture that says "as government professionals, we are proud of our ability to work effectively within a secure information framework." But you can't achieve this by putting superglue in the USB ports.
Re:Misleading summary (Score:5, Insightful)
The whole point of the exercise appears to be about safeguarding the data. The
A better title would have been "Washington's Division of Child Support takes important steps needed to safeguard confidential data" or "State agency moves to plug USB flash drive security gap". Oops, never mind, the second one was already used by *TFA*.
Re:Why not disable the USB ports? (Score:3, Insightful)
Re:Why not disable the USB ports? (Score:3, Insightful)
If you had read my response to the other post... (Score:3, Insightful)
Back to my original statement (with clarification - seems necessary) - Erasing the drives has nothing to do with the privacy of those who used them, the headline and summary are still bad.
I am done with this discussion.