State Agency to Destroy Unauthorized USB Drives

Lucas123 writes "The State of Washington's Division of Child support has forced hundreds of workers to turn in personal USB flash drives and has instead begun issuing corporate-style USB drives. The goal is to centrally monitor, configure and prevent unauthorized access to storage devices. So far about 150 common drives have been issued. The agency eventually plans to destroy all existing thumb drives collected as part of the security policy change."

RTFA

[jlowery]

They're likely neither unauthorized or personal.

Re:Accuracy of Story?

[sepluv]

My bad. It says "after recalling the thumb drives used by workers. Most of those had been purchased independently by the employees, causing myriad problems for security personnel, Main said. The new policy requires workers to use the drives supplied by the agency. Main said he eventually plans to destroy all existing thumb drives collected as part of the security policy change." Although, I think from this and following comments like "The general perception is no one will report a lost USB memory stick because they're so cheap" there is an implication (although it isn't explicit at all) that the drives were bought with public money and used for public work.

Once again, I don't think there is too much to complain about here. It shocks me how many employers (even in sensitive areas like government departments and law firms) have PCs that will even, by default, run software or an operating system from a USB drive. According to TFA, in this case "sensitive data transported by off-site workers include[d client's] tax documents, employer records, criminal histories and federal passport data" and commonly "the names, dates of birth and Social Security numbers of children".

Of course, in opposition to what the article says, I think education about data protection legislation and issues is more important than attempting to physically constrain employees (which is ultimately impossible), although both may have their place.

Waste

[ajs318]

At the very least, they could /dev/zero them and give them away.

Re:What a waste

[jlarocco]

I'm also annoyed (as I always am with things like this) that they are going to destroy the drives as opposed to Zeroing them out and selling them second hand.

Two things to consider:

• By the time most government hardware gets destroyed, it's already obsolete. My guess is most of the drives they're destroying are well under a gig. Who would buy a used 256 MB flash drive?
• Destroying the drives is harder to fuck up. I don't know what information they're storing about people, but I'd rather it not be accidently released. It's pretty easy to see which drive hasn't been smashed to bits with a hammer, not so much which drive has been properly zeroed and formatted.

Re:Sensible policy

[Moraelin]

Call me a cynic, but based on the experience of some places I worked for, it might just end up something like this:

1. What maybe started along the lines that you described, then has to go through controlling or purchasing or such, which in a lot of places have their job judged and measured by how much they saved. If they saved 10,000$ at the cost of making everyone else spend 1,000,000$ in workarounds and lost productivity, they're doing their job right. So someone will go "auugh, why should we pay a few bucks more on very secure drives, when we could get ordinary ones at a bulk discount? Look, there are these drives with fingerprint scanner for half the price. That's secure, right?" (See the vulnerability linked even on Slashdot recently.)

2. Someone else (or in some organizations the same) will have to make sure it's one of the approved suppliers. Ideally this would mean those who have a good track record of reliability, quality, etc. In practice, it'll mean one of (A) whoever pays more bribe, or (B) the boss's wife's or cousin's supplies company, created just to siphon some money off such purchases. If it's a state agency, stuff like pork barrel, political favours and lobbies have something to do with it too.

Since this _should_ be in conflict with #1 and is exactly the kind of thing that #1 is supposed to catch, sometimes they split the bribe, sometimes they trade favours, and sometimes inventive discounts are used. Like we'll price the USB sticks at $1000 each, give you a 50% discount, and let you show that you've done your job right by negotiating a whole $500 discount per drive.

3. Some IT department has been given thoroughly counter-productive goals, like only keeping the computers or the network running, but no mention of actually providing a service to the rest of the organization. So suddenly the users are their sworn enemies, the filthy pests that keep using and screwing their preciouss computers and network. They'll do their best to contain, thwart and plain old inconvenience those users at every step. So the "secure" setup for those drives will be just an exercise in making it as inconvenient to use as possible, to teach those pesky lusers a lesson.

And indeed the users do learn a lesson: that if you want to get your job done at all, you have to do your own unauthorized workarounds. There goes most of security out the window right there.

Alternately, the IT department has also been on the shit end of #1, and is underfunded and staffed with the cheapest monkeys who can sorta bang on a keyboard, and don't fling too much feces at the screen. So they'll configure something which they think is right, but is not.

Yet another alternative is that a lax PHB can't be bothered to actually organize IT, and some BOFH personality types feel free to override everything and do what _they_ please. I've seen it happen. Stuff like production servers configured without XA support for _years_, just because the relevant BOFH thought that's a buzzword and it runs just as well without it anyway, plus it saves him the bother of installing the relevant libraries on all servers. So he _lied_ to the team for years that they have a feature that they didn't actually have.

And not only I can see all three happening with security too, I've _seen_ it happen with security features too.

4. Some PHB will figure out that it's not really an "enterprise" drive unless it has the organization's logo on it. In fact, that that's what makes anything properly enterprise.

Some frustrated users that have been on the shit end of #3 too often, will begin just printing and gluing makeshift logos to their own USB sticks, rather than put up with Mordac The Preventer Of IT Services again. Noone will be any wiser.

Etc.

Somebody has woken up to to personal privacy

[AlecC]

Given the casual way in which UK goverement employees, both civil and military, have been treating confidential information, I am glad that a department with seriously confidential information is taking the security of portable storage media seriously. Obviously, if the media were personally ppurchased and used in good faith, the owners of the media must be compensated. But, as previously suggested, these were probably privately purchased and then refunded as expenses, to the belong to the emplyer already.

As to destroying them... Put this in proportion: 150 devices, at perhaps $30 apiece if they wern't bought yesterday: about $4500. On the otyher side, when the UK government lost 2 CDs with large amounts of personal information, the mailshot warning the people whose personal and banking information had been misplaced cost $6,000,000. With cost ratios of this magnitude, the precautionary principle applies. Yes, you could wipe them, and they probably wouldn't leak info. But the cost if they did is so high that the tiny loss involved in destruction is irrelevant.

So I applaud a government department for finally taking privacy seriously. The cost arises becasue they didn't do so before, and is small. The cost for all the other departments who have not yet got it is increasing every day.

Why not disable the USB ports?

[Ahrel]

Call me dumb, but I don't understand what they're using these thumb drives for that wouldn't be possible with a good network? Why not disable the ports (or at least access to them by anyone but IT and managers). If they have network shares, that should be sufficient enough to transfer data to a colleague. The article mentions PowerPoint presentations and the like...but if they're giving a presentation within the building, they should be able to access their shares for the power point files. If it's outside of the building, transfer it to the laptop before you go. But if you absolutely need the files on a thumb drive, get a monkey from IT to do it (that's what field tech's are for). I dunno, I guess I'm just too used to how the two places I've worked at in IT did and do things. The million dollar question is why is the state so paranoid that their employees in the Division of Child Support are going to be stealing information? Maybe they should screen better.

Misleading Summary leads to Misleading Tags

[keirre23hu]

Now some geniuses have tagged it privacy - what does the state erasing a thumb drive it owns have to do with privacy?

But then again what does the content of the article have to do with analysis on Slashdot... yeah I know.. flamebait..

Re:Misleading Summary leads to Misleading Tags

[Firethorn]

Oh, I don't know, maybe erasing the drives makes sense because they contain case files and such?

The replacement drives might support encryption, which is a normal 'corporate' feature.

Re:You can have my USB key

[Tyndmyr]

Having spent quite a few years working for the US government, I assure you, they were either reimbursed for them if they were officially permitted, or warned against using them. It's not uncommon to sign a waiver giving them permission to confiscate storage media if you store sensitive stuff on it, and personally, Im rather glad to see them being responsible with information that could pose a major privacy threat.

Re:Good

[Skater]

I'm a government employee. My options are either (1) listening to MP3s and being slower or (2) being completely ineffective because I have to listen to my hyper coworker who has no inside voice screaming all day. She loudly, and randomly, says things like, "I'm not getting any work done guys!" to no one.

Re:Misleading Summary leads to Misleading Tags

[keirre23hu]

Oh, I don't know, maybe erasing the drives makes sense because they contain case files and such?

The replacement drives might support encryption, which is a normal 'corporate' feature.

Your sarcasm is duly noted and definitely misdirected - my point is that the state has the right to do what they please with their hardware. If they decide to erase the drives because they have purchased better equipment, that is their prerogative. Unfortunately the summary leads one to believe that the state gov't is saying, "you used your personal thumbdrive for work, so bring it in and we'll erase it" when actually, what appears to have happened is that they (stupidly/cheaply) purchased non-enterprise drives for enterprise purposes, then figured it out sometime later and decided to "fix" the problem - not really a big story... but like I said.. this is slashdot, where too many people believe in the process of "ready, fire, aim"

when it comes to commenting or responding... comprehension is not necessary.

The use of the word "personal" was obviously targetted at getting a rise out of the non-RTFA crowd, as the article itself never terms the drives - "personal drives". They called them "nonapproved thumb drives". We recently discussed "secure" thumb drives [slashdot.org] and I hope they arent wasting their (taxpayers') money on the version of the Cruzer reviewed in the article.

Re:What a waste

[TractorBarry]

> Who would buy a used 256 MB flash drive?

Depends on the price. If they were 1p I'd buy 100 of 'em. 256 Mb is still a useful amount of storage (plain text, html, mp3 etc. etc.).

Re:Won't work, even with all the good faith...

[dpbsmith]

There are three problems with this. The first is that you're framing the problem too narrowly. It's not "denying use of USB thumb drives," it's "creating a culture for proper handling of data." If they can use USB drives, they'll email attachments to themselves. Or use a WebDAV account. Or use a Bluetooth-enabled portable hard drive. Or whatever. The problem that needs to be addressed is "why are people taking data with them? If it's for a legitimate reason, how do we facilitate their doing it properly? If it's not legitimate, how do we convince them not to do it?"

The second is that you can't do this stuff in a top-down way. You can create the illusion that you've done it, with a paper trail showing that every employee has signed a memo or whatever, but you need to get employee buy-in. The second is... and I hinted at this point in my original post... very often the set of people who are not in compliance includes people who are in upper management. The CEO may _say_ "you have my backing," but is he really going to fire the CFO for using a thumb drive?

  The third is that if employees get the idea that you are, as Dilbert calls it, "the preventer of information services," you've already lost the battle. You can instill a corporate culture that says "as government professionals, we are proud of our ability to work effectively within a secure information framework." But you can't achieve this by putting superglue in the USB ports.

Re:Misleading summary

[aurispector]

It really isn't clear at all exactly who purchased the drives and under what authority. Early in TFA they refer to "privately owned drives" which clearly indicates personal property, but in the same breath refer to state owned drives - and the difficulties in distinguishing between the two. The agency may well have a policy allowing them to confiscate personal items containing confidential information. Props to the agency for recognizing the problem.

The whole point of the exercise appears to be about safeguarding the data. The /. submission focusses on the confiscated drives being destroyed, which in TFA is a minor note at the end of the article. It appears that the state has to choose between paying someone to wipe all those drives or "destroying" them by some as yet undefined but presumably secure method and of the two, destruction would presumably be the most reliable.

A better title would have been "Washington's Division of Child Support takes important steps needed to safeguard confidental data" or "State agency moves to plug USB flash drive security gap". Oops, never mind, the second one was already used by *TFA*.

Re:Why not disable the USB ports?

[JoeD]

Because USB ports are used for other things besides thumb drives. Notably, mice, keyboards, and printers.

Re:Why not disable the USB ports?

[AlecC]

This is a child care agency. They need to visit the child and/or parents in their home, and have access to the child's records, both to read them (e.g. to find if any allegations are repeat cases) and to update them to record new allegations. You cannot get parents and childern to come into a secure environment for interview. The case worker, who may have to do three or four emotionally draining interviews in one day, cannot be expected to remember all the facts accurately enough for (for example) legal proceedings to remove a child from parents. Tha alternative to USB keys is probably printout, pen and paper. And how secure is t that? At least USB keys can be encrypted.

If you had read my response to the other post...

[keirre23hu]

you would see that I did RTFA. If the state had purchased the correct type of thumb drives in the beginning this would not have been an issue. The headline says "State Agency to Destroy Unauthorized USB Drives", someone noted that the misguided headline and summary do not accurately reflect the content of the article. I followed that up by nothing the tagging was questionable. The gist of the summary is that the privacy issue is in the erasing of the thumb drives, whereas the article's point is that personal data isn't being adequately protected - this upgrade should improve on that.

Back to my original statement (with clarification - seems necessary) - Erasing the drives has nothing to do with the privacy of those who used them, the headline and summary are still bad.

I am done with this discussion.