iPod: Your Portable Corporate Hellraiser 679
MrAndrews writes "In an article on ZDNet UK, a Gartner says that "Companies should consider banning portable storage devices such as Apple's
iPod from corporate networks as they can be used to introduce malware or
steal corporate data" I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
Not so "absurd" (Score:5, Insightful)
Not to skirt the question, but is this really "absurd overkill?" I'm sure that USB pens/watches/etc have been a boon to corporate espionage. With a USB storage device, you don't have to worry about burning CDs or emailing your stolen information off-site.
Having said that, I do think that some companies need to quit treating their employees like potential criminals. But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space. (thin clients would have gone a long way towards solving this problem, but that's another discussion)
Re:Not so "absurd" (Score:5, Insightful)
Re:Not so "absurd" (Score:5, Insightful)
Also, what's the point of taking a watch? Unless they do a strip search, you'll always be able to get information out of the building.
Re:Not so "absurd" (Score:5, Insightful)
Re:Not so "absurd" (Score:5, Interesting)
I'm not yet sure if it's going to fall into the category of "absurd overkill," but at my workplace (a large FDA-regulated manufacturing and research facility), we've just disabled USB support entirely on the machines comprising our HVAC distributed control system. The reasons behind this are partly due to, first, questionable processes of vendor-support technicians using their USB thumb-drives to move system configuration files around from one network instance to another (which is perfectly reasonable and needed sometimes, it's just that they're doing it ad hoc without supervision and, under FDA regs, this raises the questions of 'how much control do we really have over our system?' and 'has the system's "validated" state been disturbed by this laxness?'), and second, as far as we've been able to tell, the anti-virus software we use doesn't automatically scan, say, thumb-drives when they mount (though it really seems that it should, and I still need to do some investigation there in my copious free time).
On the side of the argument calling it all "absurd overkill" - this clamp-down just makes it that much more inconvenient for people using the system to do their job, while not really tightening security up that much, since most people who have access to the system in the first place can figure out plenty of work-arounds. (Hell, part of my job is figuring out those work-arounds - it's why they pay me the Big Bucks(TM), (yeah, right).)
New "Briefcase" Threatens Industry Security (Score:5, Insightful)
I do think it makes sense for companies that already employ policies like searching employee belongings and metal detectors to add USB storage devices (and any data storage medium for that matter) to the list of things they check for. If you really needed to bring one in, you could have some sort of approval/checking process. As far as most companies go, I think it makes sense to judge based on whether they seem to be causing problems in the workplace, and if so, banning them or finding some other way to fix the problems. I think it would be a good idea to do virus-checking on insertion of any removeable media.
I thought this was a particularly interesting quote:
"Another potential danger is that the devices -- that typically make use of USB and FireWire -- could be used to steal large amounts of company data as they are faster to download to than CDs."
I think they've been watching too many movies. I highly doubt that most downloading of corporate data happens in a down-to-the-second race against corporate security. I think it's much more likely that most data is stolen by those with official access and all the time in the world. And I may be naive, but I think a corporate spy would be able to think of a better way to export data than an iPod.
Re:Not so "absurd" (Score:5, Interesting)
Where I work (a DOD contractor) we can carry just about anything (except a camera). We are, however, required to register it with the security manager. In order to register it, you must give them permission to read the contents on the way into or out of the building. That allows them to maintain their illusion of safety while allowing employees to carry their preferred gadgets.
I don't know of anyone actually being searched, however . .
Re:Not so "absurd" (Score:5, Insightful)
-Jesse
Re:Not so "absurd" (Score:5, Insightful)
This is just another example of a stupid law or policy that does nothing to prevent theft, but inconveniences the honest people.
Re:Not so "absurd" (Score:4, Insightful)
This is lawyers getting in the way of common sense again. While it's true that it inconveniences the innocent and doesn't affect the guilty, it does give the company legal weight behind prosecution/persecution if they can point at the policy and say "You broke the corporate policy so you're fired." In this way, they can attack people for breaking the policy instead of stealing data, cuz that's much harder to prove.
IMHO, a USB storage device is no different than a photocopier on every floor, except for the capacity. How many times is your briefcase searched at the door to ensure you haven't photocopied/printed sensitive info? A much better approach is to secure the data in the first place to ensure that untrustworthy people don't have access to it at all. Now all we need is a retina scanner that can differentiate between the untrustworthy and the everyday masses.
Re:Not so "absurd" (Score:3, Interesting)
Re:Not so "absurd" (Score:5, Interesting)
True story: a former supervisor took a Sony Mavica (uses a dos fmt floppy disk) onboard a ship with Soviet missles where he should not have and took pictures of them. When the rent-a-cop spotted this he asked that the pictures be deleted. My super handed me the disk and we did the old dos 'undelete' trick with Norton Utilitues and got the pictures back, no problem
Re:Not so "absurd" (Score:3, Insightful)
Re:Not so "absurd" (Score:5, Funny)
Honesty. Dislike of prison. Attachment to receiving a paycheck. Fear of John Ashcroft.
Any number of things.
Re:Not so "absurd" (Score:3, Insightful)
- % mv Project.X.Blueprints.zip Britney.Spears.bend.me.over.mp3
Right, like THAT will work.Re:Not so "absurd" (Score:3, Interesting)
Re:Not so "absurd" (Score:5, Insightful)
It's similar to those guys with automatic weapons at airports. Do you think they'd ever fire one off in a crowd? No. But it's a deterant to bombers and the like, because it's basically saying "we'll shoot you before you get to your mission". Ditto on the X-ray scans and other crazy security measures in place. Thiefs/criminals like to stay hidden, not be put in the spotlight.
Re:Not so "absurd" (Score:3, Informative)
The M-16 no longer uses a full burst. The modern M-16 has a switch that selects either single automatic fire (Which is what it is usually set to, because it is by far the most accurate) or tri-burst, which is a series of three shots.
The M-16 was designed to be something of a poor man's sniper rifle, so if a solider in an airport had to shoot someone from a distance, he could probably do it with striking accuracy.
Of cou
Re:Not so "absurd" (Score:4, Funny)
Gee, with a name like grassy knoll I would never have guessed...
Re:Not so "absurd" (Score:5, Insightful)
Re:Not so "absurd" (Score:5, Insightful)
I've got a big problem with this. For one, it's an overstepping of power...this may not be "my network," but it sure as shit isn't yours, either. Does the janitor own the toilets he cleans out? Do I own the spaghetti code I have to wade through? Hell no. They're all part of a bigger organization: the company. And if you're alienating the rest of the company on a regular basis, you're going to discover some hefty resistance to your policies -- which is asking for trouble.
Want the perfect network policy? "Only you can prevent forest fires." Keep your users happy, keep them informed, don't make a mountain out of a molehill, admit your mistakes, ask for help and make strong suggestions. People watching people of their own free will is a much better way to prevent viruses, spyware and espionage then indemnifying yourself while the rest of the company is smugglying MuVos in their underpants.
Re:Not so "absurd" (Score:3, Interesting)
The reason USB keys and other storage devices are frowned upon is that in use, someone can very easily put something FOUO, Secret, or just generally private on a key on accident. (We have CD Burners in our computer and this type of thing happens ALL the time w/ cd burners. let alone the easy of USB keys.)
Re:Not so "absurd" (Score:3, Funny)
Sincerely,
Tom Ridge
Homeland Security Chief and Microsoft beneficiary
Re:Not so "absurd" (Score:3, Insightful)
While I wouldn't be very comfortable sitting next to a guy with a gun on an airplane, I'd also observe that banning guns, knives and toenail clippers from airplanes has done little to discourage hijacking.
Re:you're in the US, yes? (Score:3, Insightful)
I said:
Re:you're in the US, yes? (Score:3, Interesting)
Charleton Heston is the President of the NRA, but the NRA is by no means the steadfast defender of guns and gun rights that the media tries to portray him as.
Check out www.nrawol.com for more info on this.
Re:you're in the US, yes? (Score:3, Insightful)
did you *actually* read the post before replying or did you just read what you wanted to hear?
Re:Not so "absurd" (Score:5, Insightful)
The biggest change in air security since 9/11/01 hasn't come from the (sometimes asinine) so-called security rules. It's been from a change in passenger attitude. Passengers are now being responsible for the safety of their aircraft and crew. Before the Twin Tower Trashing, passengers considered stewardess bashing a spectator sport. When the hijackers slit the throats of the cabin crew, the passengers just ummed and awwwed all the way into the other side of the building. No more.
Nowadays, if somebody slaps a stewardess, he'll have half a dozen passengers on his back with another 20 standing by as backup. The shoe bomber was tackeled by fellow passengers not a sky marshall.
Speaking of sky marshalls: I wouldn't want to be one, because if anybody sitting near me pulled a gun in the middle of a fracas on an aircraft, I'd be looking for limbs to dislocate and break long before (s)he had much of a chance to identify him/her self.
As for smuggling weapons: I'd presumed, when I first heard of the Sept 11 hijackings, that they'd smuggled the weapons in as parts of a modified laptp or something similar. Something like that is still mind-numbingly easy to do. The only way you're going to prevent a determined hijacker from finding a way to smuggle a weapon onto an aircraft would be to force passengers to strip and wear those disposable paper suits on board -- even then, you'd need to do cavity searches.
But it really doesn't matter because, even if you did manage to pull a gun out of your ass, the passenger next to you would just as likely toss you out the emergency exit as sit by with big eyes watching things unfold.
Funny you think that way. (Score:4, Insightful)
No, its just a matter of scale. There are no real legitimate concerns, but every company will balance employee happiness vs the 1 in 10000 chance something will go horribly wrong with a USB watch, and just ban everything outright.
Pulp fiction: the USB pendrive. (Score:3, Funny)
written by Quentin Tarantino & Roger Avary
Captain Koons: Hello, little man. Boy, I sure heard a bunch about you. See, I was a good friend of your dad's. We were in that .com pit of hell together over five years. Hopefully...you'll never have to experience this yourself, but when two men are in a situation like me and your Dad were, for as long as we were, you take on certain responsibilities of the other. If it had been me who had not made it, Major Coolidge would be talkin' right n
A valid concern (Score:5, Insightful)
Common Policy (Score:5, Informative)
Is this overkill? Perhaps. But sometimes such heavyhanded policies make sense, especially when it comes to making war.
Re:Common Policy (Score:5, Interesting)
That day I wanted a tin foil hat lol.
Re:Common Policy (Score:4, Interesting)
MASINT was another really cool area if you are interested in exploring the uses of technology.
just the reverse here.. (Score:5, Interesting)
teaching a user about network storage or even using the IRDA file transfer was unsucessful... yet these dolts took to using the thumb drives like it was second nature.
so now usb storage devices are required and issued to users.
Mod this guy up ... (Score:5, Interesting)
That is interesting (that your users were confused by using a network file share, but found the thumb drives intuitive.)
Is it the fact that there is a physical artifact that makes the idea of "your files are going here" easier to map into their worldview? UI Designers Take Note. This might be on the test.
Re:Mod this guy up ... (Score:5, Interesting)
They would say things like, "This data isn't in this program." They thought of the data as being in a specific program. If all their programs stopped retreiving data at once they would tell me that all the programs were broken rather than the database was down. No amount of explanation could convince them the data was in the database. For their purposes their view of things was perfectly appropriate I suppose, but it didn't help troubleshooting.
Re:Mod this guy up ... (Score:4, Insightful)
It has several advantages...first, they don't have to remember to "disconnect" the flash drive. Less chance of losing data. Second, you still have that mental association between the data and the floppy. Third, the data is on a central server, where backups are made regularly. Fourth...the floppy could be formatted to only, say, 512 bytes of data. (I'm sure you can tweak superformat's settings to do that...) Nowhere near enough space to remove sensitive data from the premisis, let alone a normal filesystem.)
And if the user loses his floppy, issue him a new "key" and his old data. If you want, add some sort of CRC to the numerical key on the floppy, so that data corruption is less of a risk. Or put a backup of your only sector on the other side of the disk.
Re:just the reverse here.. (Score:3, Funny)
Wow...that's some dumb users. We tell ours to "put your files on your H: drive, or they won't be backed up." For 95% of our users, that seems to work pretty well. For the other 5%...even thumb drives would do nothing more than collect drool.
Not so new (Score:5, Interesting)
Come again? (Score:5, Insightful)
How is that overkill? Sounds like a common-sense move for a firm that wants to take steps so that sensitive information doesn't just walk out the door. It's not that much different than walking in with a USB CD burner under your arm.
Re:Come again? (Score:3, Insightful)
Its in your head, and it can't be checked at the door.
At least it *shouldn't* be checked at the door, but for those that put these types of policy in place which do more harm than good - well maybe it does.
Second step? (Score:5, Informative)
Re:Second step? (Score:4, Interesting)
Re:Second step? (Score:5, Insightful)
I've been subverting this type of network policy since second grade, and it's easy because it lulls you into a false sense of security. "I don't have to worry about X machine, I've locked it down!" Meanwhile, us grade school kids are running video games through the shell in WordPerfect.
Want a secure network? Stop with the locks and start with the spies. Befriend your users and make them your eyes and ears. Remind them not to trust anybody [dasmegabyte.org] and help them identify suspicious activities. Most of all, make them care. That's tough to do. But unlike being an asshole, it actually works.
Re:Second step? (Score:5, Funny)
Sounds like a good idea. This should keep those crum-bums from stealing data from my workstation with their USB dri- hey, why did my mouse stop working???
This isn't overreacting. (Score:5, Insightful)
I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day.
That's actually pretty generous if you're actually serious about the information the consultant handled being Top Secret. Even if it isn't, that's a much better alternative (for you) than being "let go" because you continued to wear a prohibited device after being told not to.
Legitimate complaint,obvious alternates (Score:4, Insightful)
Are Those Corporate Secrets in Your Pocket? (Score:5, Funny)
Seriously, the barn door's been open and the horse halfway to Topeka on this one for a while. Who needs an iPod? I've been carrying around virtually my entire business on one of these things [diskonkey.com] for over a year. Sure, take away my music player, phone, key chain, watch, whatever, I'm a big boy and you pay me enough to play along, but at what point short of a strip search and replacing the pink-haired receptionist with a Brinks guard to watch over the stash does this policy become a smidge unwieldy?
(However, I do throw my whole-hearted support behind any policy which confiscates iPods (or sunglasses, for that matter) from any too-cool-for-the-room tool who doesn't stow them shortly after he enters the building...)
Re:Are Those Corporate Secrets in Your Pocket? (Score:4, Funny)
Where've you been? I established that here years ago.
You self-absorbed kids need to pay better attention...
Not "absurd" (Score:5, Insightful)
German c't magazine showed how to disable USB... (Score:5, Informative)
Bring your own USB sticks? No problem. Can't use em anymore
Christian
Re:German c't magazine showed how to disable USB.. (Score:3, Interesting)
Even outside of that logistic nightmare, you'd have to remain vigilante for new/old machines.
But even if you do get a draconian policy in place, what stops a spy from cr
Re:German c't magazine showed how to disable USB.. (Score:3, Insightful)
Easy to bypass riduculous security precautions (Score:5, Funny)
Re:Easy to bypass riduculous security precautions (Score:3, Insightful)
Assume, for a moment, the information were truly worth classifying. And, for a moment, we'll assume that USB connectivity would be a requirement for other functions.
If I ban all USB keyfobs, pens, watches, and plush dolls, then having a USB keyfob, pen, watch, etc. would not be "normal." If I see a coworker pulling one out of his butt (literally, in your example), a red flag would be raised, and, as a good employee, I would contact the appropriate security officer. Its mere presence would be th
At the very large financial corporation I work at (Score:5, Funny)
At one point the corporate machine-support staff tried to set up the following:
The sneaky bastards kept trying to steal my laptop, my PDA and my Nomad Jukebox to do this. I kept catching them and throwing them out of my cube (at one point, literally, as he refused to leave until he had formatted my laptop's hard drive and I had to roll him out in my chair and overturn it in the corridor).
Finally, they stopped that after they did this to an senior VP and erased the powerpoint presentation he had on his laptop. Heads rolled for THAT little debacle. The funny part was that his machine was already work-provided, he just didn't work in our building, so they didn't know him...
Re:At the very large financial corporation I work (Score:3, Insightful)
There is no reason for the IT staff to be searching bags - in fact, going into my bag is a violation of corporate privacy rules. There's no rule against you having the laptop with
Depends on strictness (Score:5, Interesting)
But they do allow diskettes (friggin diskettes! Do you know how much customer data you can put on a diskette?). Then I also found out that the "internet-network" (which only internals have access to with a NT username/password) operates simply on DHCP, no MAC address checking: the only "security-check" is the NT-Domain login. Why did I find this out? Simple: these morons allow contractors to have laptops, so I once just plugged it in that network. Worked instantly. Now there is a security concern in my eyes! For crying out loud, I have a Mac, I don't even need a crosscable to pump over data from my work-PC to my Mac. Imagine what kind of data I could take away with that! Nobody evere stopped me at the entrance/exit with my laptop bag. Nobody.
You see, if you want security, you need to ban every device that can be networked somehow. It's that simple. Yes, this includes your iPod. So, I supect that this is only a great concern in governmental instituation (top-secret clearance), but in the "highly sensitive environment" of banking they don't get it at all.
Hey, I pointed out their flaws and I was told to shut up.
weighing the benefits (Score:5, Insightful)
Those in charge of company security should remember that these same employees bringing in iPods are the ones who were issued key cards to get into the building. Companies have no choice but to give their workers the benefit of the doubt.
Overkill (Score:3, Insightful)
I think it's unreasonable that someone like you is allowed near a facility containing "top secret" information.
Employee concerns... (Score:5, Funny)
I'll just burn the site licensed software to CD and take it home that way...
This is a legitimate concern (Score:5, Interesting)
Corporations are having to deal with this same problem as portable devices can now be used to store data or take pictures that could compromise sensitive data. However, this has always been an issue. A systems administrator could walk out of work with and 4mm or 8mm tape full of sensitive/classified data and no one would know. It boils down to a matter of trust and integrity; do you trust the people who use/administer your systems? Have they shown the integrity in other matters that would indicate they can be trusted with more sensitive matters?
Unfortunately, it only takes one person in a sensitive position to screw it up for everyone else.
iPod as theft/espionage device is well established (Score:4, Interesting)
That said, certainly the benign uses outnumber the malicious ones. The question is, if you have other data control policies, do you need to CYA by having this ban so you can respond to suspicious activities decisively? I also think comparisons to more easily concealed USB key devices isn't reasonable - I can't fit a large ACT! database of contacts on one of those but I can on a 40g devices.
Re:iPod as theft/espionage device is well establis (Score:3, Interesting)
It's true. The installation process for Office on a Mac consists of one step: "Drag this folder to your Applications folder."
As much as I hate to admit it, Microsoft's Mac team is pretty good.
What about other methods of stealing secrets? (Score:3, Interesting)
It's a realistic threat (Score:4, Interesting)
The malware aspect though, from my viewpoint though is FUD, because (as far as I know), iPods and flash memory sticks don't run software when you plug them in. I could be wrong though. But I know people who have had 200+ spyware apps, and it's never happened to them. 200 isn't that much compared to some, but I've known him a few years, and being the only Open source guy he knows should give me some influence. Just remember, the weakest link is always the people.
And, for the record, my friend now had dumped IE, and moved to Firefox. It's offtopic I know, but I spent an hour browsing Secunia tonight, and set up a couple of the exploits (IE is vulnerable to all the ones I tried), so I know how easy it is to bring Malware onto a windows box. In short, I'm scared shitless, and anyone who brings in data from a source which hasn't been checked is just asking for trouble. Perhaps if the networks moved to a platform that was less truoblesome
It's my opinion though, that you can either trust an employee, or you can't. If you trust someone with the data, you should not worry about their iPod, or not trust them in the first place.
Instead of banning the devices outright... (Score:5, Insightful)
Believe it or not, most professionals want to do a good job and take pride in their work. If you set reasonable policies and explain them clearly, most will want to follow them.
Do you want to grant someone enough access to your data that they could copy it onto an iPod if you don't trust them to abide by your policies? If they have that kind of access to the data, copying it to an iPod is far from the only or best way to get it out, and you're just adding an inconvenience to your employees' lives without meaningfully increasing your own security. If you believe that banning these devices would help, your problems run much deeper and you should rethink the way you're doing business.
Re:Instead of banning the devices outright... (Score:4, Informative)
I'm certain all of them will gaze with a steady stare and nod gravely when you explain the corporate policy against data on personal devices.
And I'm convinced if you have a policy against bringing such devices to the workplace, you'll never ever see one carrying one.
The "solution" of banning the devices is the wrong one, I'll grant you, but the companies here probably just can't think of anything else to do that's as easy as the stroke of a pen in the rulebook. Hiring employees you can trust is done exactly how? How do you know you can trust them? How long does someone have to work for you before you -know- they're not going to burn you?
There were Soviet spies who lived as "normal" Americans for decades before becoming active. With all the money in corporate espionage at stake, I'm sure you could find a few poeple who would work to become trusted for years, until they could strike, possibly gaining access to more data the entire time.
Re:Instead of banning the devices outright... (Score:3, Interesting)
The Soviets were able to record almost every telephone call made over those lines for about 6-7 years!
Now while the Soviets are gone, plenty of other groups, including competing companies, poking their eyes and ears where the
More at the movies (Score:5, Interesting)
I think USB, IR, and now 802.11 devices and Bluetooth enabled cell phones could be a real concern for data centric firms.
As a side thought, companies may begin to ban cell phones as well. Late last year SlashDot had an article about a cell phone detection device made in Israel. People were leaving modified cell phone in planters. The modified phones would transmit the conversation of anyone in the room for about a week. Thus making a cheap spy toy.
Yay, another social problem "solved" by a ban! (Score:5, Interesting)
Man, they've sure got all their bases covered!
- A.P.
A company I'm working for... (Score:5, Insightful)
The result? Now everyone walks around with a USB drive to move files around, or they email them to and from gmail, etc. (OR they use their iPods/Dell Pods, SonyPods)
So the system, overall, is a LOT less secure because all the company's assets are kicking around in email and USB thumb drives. But the folks in IT can cluck their tounges and think they did something useful.
What is the new xxx processor mask worth (Score:3, Interesting)
Of course, hiding the devices in hilighter pens and the handle to your coffee mug isn't too hard.
What the ban does is make all possession of these devices improper in the workplace.
What is the maskwork for your new chip worth? What is it worth to a competitor? How do you move the data?
If the two idiots at AOL and Vegas had scammed the userbase this way they might not have been caught.
Nope, the advent of portable RAM drives means that these devices will be used improperly.
OH, on a personal note: only a genuine geek has a USB watch. It will (eventually) wind up in that dresser drawer reserved for the calculator watch, the last 7 cell phones, 5 PDAs, pen cams, dead MtBlanc pens, old swag and $200.00 in odd pocket change.
Ways your employer can keep you from stealing... (Score:5, Interesting)
We also worked with the US Mint [usmint.gov] (the folks who mint the coinage). They told a story about metal detectors tied to biometrics that were so sensitive that when a woman became pregnant, the changes in the metal chemistry of her blood (increased iron, etc...) were enough to have to retake the biometric scan. That one always seemed apocryphal to me (but a very cool concept nonetheless).
Completely backwards. (Score:3, Insightful)
Well Duh! Yeah it's obvious... (Score:3, Interesting)
- USB pen drives can quickly and easily store data without a trace and they are small enough to hide just about anywhere. A spammer was arrested in Ireland in a Internet cafe and the man tried to swallow the USB key drive. It contained all the spammer's software and mailing lists.
A PC in a corporate office could be booted up using a USB key drive and literally used to run hacker tools. (well same could be done with a CD-R but that's beside the point). It's faster and easier to slip a USB device into an office situation unless you are going to be frisked and metal detected or body cavity searched.
Hackers have been slipping XBoxes, Sega Dreamcast, etc. into an office and jacking it into the ethernet to perform network analysis and packet sniffing.
- Firewire devices like the iPod have tremendous storage abilities. It truly is a portable hard disk that masquerades as a personal music device. There was an article a while back where the author witnessed a kid waltz into CompUSA with an iPod and the kid jacked it into a PowerMac and stole a complete copy of Office X from the floor model!
- Phones with mini-digital cameras can be used like a 007 James Bond mini camera. A police officer was fired for taking a photo of a naked body in the city morgue with his camera phone.
As technology gets better and better and the costs drop, the spy toys of yesteryear are now in the hands of joe blow.
True corporate espionage is going on every day. These tools make it easier an easier to steal data. Security folks who see the threat and take measures against it are enlightened. However, all security measures can be bypassed one way or another.
I am not even sure if there is a way to restrict USB/Firewire drives from working on a PC as long as it's running Windows. Seriously doubt many companies have thought about these issues.
I do know my company had the opportunity to give everyone a CD burner on their computers. This would have been ideal for user backups. But they sighted security as the reason why they did not.
Comment removed (Score:3, Insightful)
Just like I predicted in my novel (Score:3, Interesting)
He would go and swap some tapes, then run a psync from a server into the iPod. He did this a few times and did not get caught.
can't stop me (Score:5, Funny)
Its fair and often REQUIRED for business (Score:4, Informative)
I work in India in a major software park. The company in the oppposite quadrant is a typicall BPO company and they have a LARGE poster stuck outside the entrace - "Please get checked and declare all your belongings at security". Several friends too told of similar rules in their companies.
In short, for BPO firms, the data of their clients is of utmost importance. Even CEO of the company is required to go through the mandatory check! Internet access is locked down. No CDROM/CDRW/Floppy/USB/Firewire ! Even printer access is restricted and fully logged and accounted for!
You can get fired for trying to access an irrelevent site (eg Yahoo briefcase), forget about bringing in that 40GB iPod or your favorite USB key.
Oh yeah, did I tell you that even cameras are forbidden and you'd be handed over to police if you're seen taking a "group picture" with your team mates in the office! A camera phone can send you in for good.
Folks, its sometimes business *requirement* not to allow such kind of things. You want to listen to music ? Fine, bring along a vanilla walkman/discman/portable MP3 CD player whatever... just leave the fancy gadgets behind and you'll be fine.
Fortunately I work in a company that has fairly open policies and our data is our own, so the rules are less stringent... no CDRW/USB drive, but still very open policies.
Digicam company bans storage cards (Score:3, Interesting)
Every person's desk has at least one card reader and a drawer full of CompactFlash, SmartMedia and SD cards.
They bought another company that relies on storage cards & moved 'em to the main office so this violation of the employee manual is happening there too, giving the verbal amendment (Director-level people saying "don't worry") to the employment contract more teeth. It would be hard to fire someone for a violation with 20 other violators going free.
Another too little too late attempt... (Score:4, Insightful)
Now if you have already cleared someone to be viewing and working with such data, you have much bigger problems than fearing them stealing it with a USB device. It's like trusting your employees with your business in their day to day operations but keeping office supplies under lock and key. It just doesn't make sense. If someone is intent on ripping you off, they would't go for the small stuff. Similiarly, if your business depends on these people who have access to such "crown jewel" data you'd better hope that you have a good hiring process and that you are keeping your employees happy.
A side rant: so you're all concerned about people with USB devices; yet, you're fine with shipping your data off to some foreign land for outsourcing. Hmmm... If only the world were based on logic!
Storage and Security (Score:3, Insightful)
A organization can best deal with the issue by treating their workers with a sense of respect. It will not prevent the employees with criminal intent from stealing information but innoculate honest workers from feeling a sense of entitlement.
A possible technological fix is to ensure that copying data to/from a removable device is logged. This does not prevent the employee from taking work home but does allow for a system administrator to track where the data is going. However this means nothing unless the logs are reviewed. It is essentially a file-nanny.
It does require that a security policy that is appropiate for the organizational goals and for departmental specifica goals.
Let's see... 20 Gig iPod or 60+ Gig laptop... (Score:3, Insightful)
How about my cell phone? (Score:4, Informative)
How can your office stop someone from bringing in their cell phone? Or a USB key on their keychain? Or their PDA?
I'd hate to be responsible for corporate data security now with all of these devices floating around. Someone could discretely download a lot of data onto their key chain. Heck, it is even easier with my bluetooth phone. I don't even need a wired connection, just be with in 15 feet of my PC. I don't even have to be near my PC in order to download data.
A few years ago, I worked for a large financial corporation when someone stole the HR database and sold it to idenity thieves. Hundreds of us "highly compensated" employees suddently discovered that someone was using our identity to buy electronic hardware, get bank loans, etc.
It took me five months to clean up the mess, and I was lucky. I found out about it the very day it happened because one of the stores that gave this guy instant credit called me to verify if I had just applied for credit.
Still, in a twelve hour period, that person went to over 3 dozen different stores from Atlantic City to Philidelphia getting instant credit and buying over $200,000 of goodies. I could literally figure out which roads he took by looking at the various times he hit the stores and applied for credit.
Other people weren't so lucky because they didn't find out about it until either a collection agent called, or they were denied credit because of this attack.
And who was the person who gave the information to the thief? Heck, it could have been almost any lowly paid clerk in HR. If you're only making $30,000 per year, someone offers you $100K or so for this kind of information, and you know the likelyhood of you getting caught is almost nill, what would you do?
Millions of employees with access to valuable data, and hundreds of ways to get around corporate security. Maybe 99.99% of your employees are dedicated, hardworking, and honest, but it's the other
Depends on the Employer (Score:4, Informative)
I remember helping my father burn a CD full of MP3s once so he'd have something to listen to in the secure section where he worked. No portable radios or music players were allowed, no PDAs, no portable storage devices, nothing. The systems didn't have floppy drives or recordable CD drives and (obviously) weren't on the internet. I think that's just standard operating procedure.
For the private sector, depends on the paranoia level I guess. You could fit a lot of data on a 40GB iPod... =)
Re:Old fashioned iPod... (Score:5, Insightful)
Makes me thankful for my original iPod with it's Firewire connectivity only, there's no firewire ports in this office.
Yes, like you're going to win that arguement at the security door/HR rep/etc. "But my ipod only has a firewire interface, unable to connect to the computers here!"
To them, that sounds like technical nonsense that makes you even more suspecious. "He mentioned fire!"
Friend of a friend story... (Score:3, Funny)
A closer look revealed that the student had the firewire cable attached to the demo mac and was busily downloading all of the applications on the mac.
Pretty clever though I would never condone such behavior.
Re:From the Fascist Department (Score:3, Interesting)
Re:From the Fascist Department (Score:3, Insightful)
--
lds
Re:From the Fascist Department (Score:4, Insightful)
Re:From the Fascist Department (Score:3, Funny)
Re:From the Fascist Department (Score:5, Insightful)
A policy against iPods and other USB or other portable devices applied blindly is illusionary security at best. There are countless ways for a dishonest employee to steal data - the only mitigating factor is going to be how secure the network is - that should be the primary focus of any system administrator.
Re:From the Fascist Department (Score:3, Funny)
Re:From the Fascist Department (Score:3, Insightful)
Re:From the Fascist Department (Score:4, Interesting)
You guys do know that the minute an employee enters a "secure" network, they're pretty much clear to do whatever they want, right? The security is on the perimeter: getting in is the hard part. If employees needed to type a password for every keystroke, they're be a mass-exodus of white-collar workers.
I'm not saying conditions like that don't exist. I'm sure the computers that run missles and the like have multiple passwords that have to be entered all the time, but the average worker isn't going to be subjected to something like this.
Now, disable USB drives from being connected hardware-wise: that's an idea. Not sure if there's a way to do that in software, but I'm sure there's a way in the BIOS.
some solutions (Score:5, Insightful)
* hide computers away or lock them up so they can't be physically accessed. This should be combined with tight firewalls for outgoing traffic.
or
* make limitations in the software so USB storage devices or firefire disks simply won't work. Of course users can't have administrative rights.
or
* disallow sensitive information from reaching employees computers. Store things on secure servers.
I'm right now sitting at work on one of the largest corporations in the telecom business and we sure as hell don't have enough security.
Ciryon
Re:Hollywood (Score:3, Informative)
Re:Just to get this out of the way... (Score:4, Insightful)