State Agency to Destroy Unauthorized USB Drives

Lucas123 writes "The State of Washington's Division of Child support has forced hundreds of workers to turn in personal USB flash drives and has instead begun issuing corporate-style USB drives. The goal is to centrally monitor, configure and prevent unauthorized access to storage devices. So far about 150 common drives have been issued. The agency eventually plans to destroy all existing thumb drives collected as part of the security policy change."

Misleading summary

[jlowery]

The article states that the previous drives were "independently purchased" by employees, which likely means they got permission to buy a drive, went to Staples to get it, and then were reimbursed by the state. That would mean that they are not "personal" USB drives.

I know... I apologize for reading the article.

Re:

[jlowery]

Also... no mention of these drives being "unauthorized". Maybe the submitter needs to read the article as well.

Re:Misleading summary

[aurispector]

It really isn't clear at all exactly who purchased the drives and under what authority. Early in TFA they refer to "privately owned drives" which clearly indicates personal property, but in the same breath refer to state owned drives - and the difficulties in distinguishing between the two. The agency may well have a policy allowing them to confiscate personal items containing confidential information. Props to the agency for recognizing the problem.

The whole point of the exercise appears to be about safeguarding the data. The /. submission focusses on the confiscated drives being destroyed, which in TFA is a minor note at the end of the article. It appears that the state has to choose between paying someone to wipe all those drives or "destroying" them by some as yet undefined but presumably secure method and of the two, destruction would presumably be the most reliable.

A better title would have been "Washington's Division of Child Support takes important steps needed to safeguard confidental data" or "State agency moves to plug USB flash drive security gap". Oops, never mind, the second one was already used by *TFA*.

Re:

[mpe]

The /. submission focusses on the confiscated drives being destroyed, which in TFA is a minor note at the end of the article. It appears that the state has to choose between paying someone to wipe all those drives or "destroying" them by some as yet undefined but presumably secure method and of the two, destruction would presumably be the most reliable.

There are a couple of issues the first is can you trust a contractor not to copy any data before they erase the drives? The second is what does it actually

Re:

[phoenix321]

A squad of armed Marines guard the container at all times while it is being transported to, then burned in a high-temperature trash incinerator and inspected for leftovers afterwards?

You could also use a cadre of riot police guarding the container to an industrial mill, an ultra-fine high-powered shredder or a Blendtec blender. Be creative!

Some examples to give you ideas: http://www.stedman-machine.com/vslam-app.htm [stedman-machine.com]. Their slogan is hilarious and I can't explain why: "Your solution to size reduction(tm)". W

Re:

[bluefoxlucid]

Wear leveling and block remapping allow you to confidently know that if you overwrite the drive a bunch of times, some of the original data may still exist remapped elsewhere in inaccessible blocks. It could take thousands of overwrites to hit every block. Or just destroy the drive in a fire.

Re:Misleading summary

[damsa]

They are "personal" drives as opposed to "enterprise" drives in the sense that the state issued drive has additional features not available to the regular Staples consumer.

Re:

[Midnight Thunder]

They are "personal" drives as opposed to "enterprise" drives in the sense that the state issued drive has additional features not available to the regular Staples consumer.

Like secure finger print verification [slashdot.org]? ;)

Re:

[mpe]

They are "personal" drives as opposed to "enterprise" drives in the sense that the state issued drive has additional features not available to the regular Staples consumer.

If these additional features actually make the drive any more secure is likely to be another matter.

Re:

[Dan Farina]

Hope they are careful about what they're buying...

I suggest reading "A Security Market for Lemons" by Bruce Schneier. (aka the author of Blowfish)

http://www.schneier.com/blog/archives/2007/04/a_security_mark.html [schneier.com]

Re:

[warprin]

I agree, they probably got a supervisor's (at least one) ok on buying their own usb drive, it caught on, and then everyone started using them. Who knows if it was management that first decided to use non-approved drives. All we know is that the drives were not "coorrectly/officially" approved by the right department with the mandatory 100-page approval document.

Re:

[notaspunkymonkey]

"the mandatory 100-page approval document."

How the hell did you get access to my document - I store it on my personal USB drive, its the only copy... when they took it off me and gave me that new one I thought they destroyed my personal one..

Does that mean you have those pictures of my wife too???

Re:

[warprin]

I thought "independently purchased" in government terms meant "not properly approved"- a friend of mine who works for the Treasury Dept can't even bring in her own trackball instead of using a mouse. And the sub-department she works in won't order one, they say the pc mouse is just fine, thank you.

Re:

[lilmunkysguy]

The link didn't work for me, so here's another: http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9069038 [computerworld.com]

Re:Misleading summary

[martin-boundary]

I know... I apologize for reading the article.

Weeelll. Looks like we got ourselves a reader! [youtube.com]

Misleading Summary leads to Misleading Tags

[keirre23hu]

Now some geniuses have tagged it privacy - what does the state erasing a thumb drive it owns have to do with privacy?

But then again what does the content of the article have to do with analysis on Slashdot... yeah I know.. flamebait..

Re:

[Firethorn]

Oh, I don't know, maybe erasing the drives makes sense because they contain case files and such?

The replacement drives might support encryption, which is a normal 'corporate' feature.

Re:Misleading Summary leads to Misleading Tags

[keirre23hu]

Oh, I don't know, maybe erasing the drives makes sense because they contain case files and such?

The replacement drives might support encryption, which is a normal 'corporate' feature.

Your sarcasm is duly noted and definitely misdirected - my point is that the state has the right to do what they please with their hardware. If they decide to erase the drives because they have purchased better equipment, that is their prerogative. Unfortunately the summary leads one to believe that the state gov't is saying, "you used your personal thumbdrive for work, so bring it in and we'll erase it" when actually, what appears to have happened is that they (stupidly/cheaply) purchased non-enterprise drives for enterprise purposes, then figured it out sometime later and decided to "fix" the problem - not really a big story... but like I said.. this is slashdot, where too many people believe in the process of "ready, fire, aim"

when it comes to commenting or responding... comprehension is not necessary.

The use of the word "personal" was obviously targetted at getting a rise out of the non-RTFA crowd, as the article itself never terms the drives - "personal drives". They called them "nonapproved thumb drives". We recently discussed "secure" thumb drives [slashdot.org] and I hope they arent wasting their (taxpayers') money on the version of the Cruzer reviewed in the article.

Re:

[ColdWetDog]

And this is different from the Rest of Life in what particular way?

Just asking...

Re:Misleading Summary leads to Misleading Tags

[CTachyon]

Now some geniuses have tagged it privacy - what does the state erasing a thumb drive it owns have to do with privacy?

RTFA. The reason the state is issuing these new fancy-schmancy thumb drives is that the new ones (claim to) have 256-bit AES encryption and (claim to) self-destruct after 10 consecutive wrong passwords. They're doing this whole switch because of privacy, because the thumb drives contain the private, personal case files of hundreds/thousands of citizens.

If you had read my response to the other post...

[keirre23hu]

you would see that I did RTFA. If the state had purchased the correct type of thumb drives in the beginning this would not have been an issue. The headline says "State Agency to Destroy Unauthorized USB Drives", someone noted that the misguided headline and summary do not accurately reflect the content of the article. I followed that up by nothing the tagging was questionable. The gist of the summary is that the privacy issue is in the erasing of the thumb drives, whereas the article's point is that persona

Re:

[mpe]

The reason the state is issuing these new fancy-schmancy thumb drives is that the new ones (claim to) have 256-bit AES encryption and (claim to) self-destruct after 10 consecutive wrong passwords.

In which case they really should verify that this actually is the case before buying more than a sample. This is a business which sells quite a bit of "snake oil". It's also important to remember that any security system is only as secure as it's weakest component.

Re:

[ScrewMaster]

Now that leaves me with another questions: why on Earth would it be thought reasonable to put the private case files of thousands of citizens on thumb drives? It's bad enough when people copy confidential stuff onto their laptops and then sell the data or get their machines stolen ... but this is a case where we have a solution trying to find a problem.

Good

[BadAnalogyGuy]

I don't want government employees listening to MP3s while at work. They are slow enough as it is.

Re:

[William Robinson]

I don't want government employees listening to MP3s while at work. They are slow enough as it is.

Hell no...At least they used to be in their seat to listen music. Now I have to run around pantries, coffee shops and pubs. :P

Re:

[Skater]

I'm a government employee. My options are either (1) listening to MP3s and being slower or (2) being completely ineffective because I have to listen to my hyper coworker who has no inside voice screaming all day. She loudly, and randomly, says things like, "I'm not getting any work done guys!" to no one.

Re:

[Z00L00K]

Maybe it's time for some Good Earmuffs [peltor.com]

Accuracy of Story?

[sepluv]

It doesn't say in TFA that they have confiscated and destroyed existing drives (and, if they have, it may only be state-owned drives).

Although, it does say in the quote from the manager that they will "manage and back up the new drives using SanDisk's Central Management & Control server software...which relies on a Web connection to directly communicate with agents on the tiny flash drives [and can] remotely monitor and flush any lost drives" so they could read and delete files on the disks remotely.

It also says that they chose the disks for their MSW Vista compatibility which suggests that the "agents" really are (as previously quoted) on the disk rather than the PCs (one assumes so they can track what their employees do with the disks while not using their PCs, which really doesn't seem necessary to me). Hopefully they do have software on the PCs too to ensure that non-authorised disks are not used and to monitor activity if the "agents" are removed from the disk by intrepid employees.

Although, I suppose, in principal, the right to privacy of their clients (which could be breached by data being transferred out of the building) overrides the right to privacy the government employees have while in the office.

Re:Accuracy of Story?

[sepluv]

My bad. It says "after recalling the thumb drives used by workers. Most of those had been purchased independently by the employees, causing myriad problems for security personnel, Main said. The new policy requires workers to use the drives supplied by the agency. Main said he eventually plans to destroy all existing thumb drives collected as part of the security policy change." Although, I think from this and following comments like "The general perception is no one will report a lost USB memory stick because they're so cheap" there is an implication (although it isn't explicit at all) that the drives were bought with public money and used for public work.

Once again, I don't think there is too much to complain about here. It shocks me how many employers (even in sensitive areas like government departments and law firms) have PCs that will even, by default, run software or an operating system from a USB drive. According to TFA, in this case "sensitive data transported by off-site workers include[d client's] tax documents, employer records, criminal histories and federal passport data" and commonly "the names, dates of birth and Social Security numbers of children".

Of course, in opposition to what the article says, I think education about data protection legislation and issues is more important than attempting to physically constrain employees (which is ultimately impossible), although both may have their place.

Sensible policy

[MosesJones]

Before people moan about "personal" these aren't things that people have paid for with their own cash (they got the cash paid back). The other point is that banning removable storage is a difficult, but sensible, policy when there is confidential or valuable information about. Hopefully these USB sticks will be encrypted and tied to only the departmental machines (i.e. no working at home on confidential information) in order to prevent misuse or sale.

This isn't a personal privacy issue for the users (after all its just a USB key) its a personal privacy issue for the people on whom the department stores information.

Re:

[CastrTroy]

Do they even need to be taking information off premises? If the drives aren't encrypted they aren't secure. What computers are they hooking them up to? Are those computers secure? If you're only going to use the data on departmental machines, a network storage solution would work a lot better, and be a lot more secure.

Re:

[AlecC]

The whole point of the article is that they are replacing dives of unknown source and capabilities with encryptes drives which self-wipe on to many access failures. They are, correctly, replacing insecure devices with secure ones and destroying insecure ones with confidential data.

Re:

[CastrTroy]

The point is, where are they taking these drives? If it's just for between computers within the organization, a network storage solution would work better. It would be more secure, and the files would never leave the premises (ideally). The only need for USB drives is to transfer data between computers not on the network. If the information they are transporting is really all that important and confidential, it's probably best that they never give access to it from unknown computers. Once you enter the

Re:

[AlecC]

Very true. I was assuming that the need thus to transport the data is proven. For example, a case worker might need to look up notes at a client residence while interviewing the client, or to update notes immediately after a client visit because they will be stale by the time s/he returns to the office after several, possibly ewearing, client visits. These are legitimate reasons to take the data off site. Obviously, they are reasons with a security cost, and the cost/benefit must be positively evaluated rat

Re:

[CastrTroy]

If they need to type up notes about cases, without being at the office, then get them a laptop and secure that. Sure they could still hook that up to another home computer, or to a USB drive, and data could get in the open, but there will be a lot less reason for them to do so. Giving them a USB drive gives them the ability, and actually encourages them to put the data on insecure systems. For the extra cost of these fancy USB drives, you could probably provide them with a laptop (over the cost of a deskt

Re:

[mpe]

The whole point of the article is that they are replacing dives of unknown source and capabilities with encryptes drives which self-wipe on to many access failures.

The supplier of the devices claims that this will happen. There have been similar devices where any protection could be trivially defeated. There's also the issue of how long it would take for the device to "self-wipe" since it would need to carry an onboard power source which would last at least that long.

Re:

[DerekLyons]

Do they even need to be taking information off premises?

To some degree, yes. To lawyer's offices to discuss a case or cases. To doctor's offices or the hospital to discuss a case or cases. To civil or criminal court... To other state agencies... Etc... Etc...
 
It's either carry a thumb drive or equally vulnerable heaps o' paper.

Re:Sensible policy

[Moraelin]

Call me a cynic, but based on the experience of some places I worked for, it might just end up something like this:

1. What maybe started along the lines that you described, then has to go through controlling or purchasing or such, which in a lot of places have their job judged and measured by how much they saved. If they saved 10,000$ at the cost of making everyone else spend 1,000,000$ in workarounds and lost productivity, they're doing their job right. So someone will go "auugh, why should we pay a few bucks more on very secure drives, when we could get ordinary ones at a bulk discount? Look, there are these drives with fingerprint scanner for half the price. That's secure, right?" (See the vulnerability linked even on Slashdot recently.)

2. Someone else (or in some organizations the same) will have to make sure it's one of the approved suppliers. Ideally this would mean those who have a good track record of reliability, quality, etc. In practice, it'll mean one of (A) whoever pays more bribe, or (B) the boss's wife's or cousin's supplies company, created just to siphon some money off such purchases. If it's a state agency, stuff like pork barrel, political favours and lobbies have something to do with it too.

Since this _should_ be in conflict with #1 and is exactly the kind of thing that #1 is supposed to catch, sometimes they split the bribe, sometimes they trade favours, and sometimes inventive discounts are used. Like we'll price the USB sticks at $1000 each, give you a 50% discount, and let you show that you've done your job right by negotiating a whole $500 discount per drive.

3. Some IT department has been given thoroughly counter-productive goals, like only keeping the computers or the network running, but no mention of actually providing a service to the rest of the organization. So suddenly the users are their sworn enemies, the filthy pests that keep using and screwing their preciouss computers and network. They'll do their best to contain, thwart and plain old inconvenience those users at every step. So the "secure" setup for those drives will be just an exercise in making it as inconvenient to use as possible, to teach those pesky lusers a lesson.

And indeed the users do learn a lesson: that if you want to get your job done at all, you have to do your own unauthorized workarounds. There goes most of security out the window right there.

Alternately, the IT department has also been on the shit end of #1, and is underfunded and staffed with the cheapest monkeys who can sorta bang on a keyboard, and don't fling too much feces at the screen. So they'll configure something which they think is right, but is not.

Yet another alternative is that a lax PHB can't be bothered to actually organize IT, and some BOFH personality types feel free to override everything and do what _they_ please. I've seen it happen. Stuff like production servers configured without XA support for _years_, just because the relevant BOFH thought that's a buzzword and it runs just as well without it anyway, plus it saves him the bother of installing the relevant libraries on all servers. So he _lied_ to the team for years that they have a feature that they didn't actually have.

And not only I can see all three happening with security too, I've _seen_ it happen with security features too.

4. Some PHB will figure out that it's not really an "enterprise" drive unless it has the organization's logo on it. In fact, that that's what makes anything properly enterprise.

Some frustrated users that have been on the shit end of #3 too often, will begin just printing and gluing makeshift logos to their own USB sticks, rather than put up with Mordac The Preventer Of IT Services again. Noone will be any wiser.

Etc.

Re:

[Belial6]

A very good description of corporate security.

Re:

[Threni]

Not very green though, is it - destroying stuff like that. Isn't there a requirement to dispose of it in an environmentally friendly way? Do they like the competence to delete data beforehand?

Same thing happens in the UK - your car can be seized under certain circumstances and crushed. Why? Why not just sell them to someone else? It doesn't make any sense.

Re:

[yuna49]

I've discussed such a route with a health center I consult to. We're considering replacing most of the Windows machines with a system based on the Linux terminal server project, so that all machines share a common OS image. In Linux, it's possible to disable USB mass storage support [slashdot.org] in the kernel. You could also accomplish the same thing without using LTSP by rolling out a common image to all workstations with USB storage disabled.

I also came across this rather simple, yet elegant solution for Windows us

What a waste

[King_Dude]

Are they using proprietary encryption software? Because I suppose that takes away all chance of accessing them on any computer not running windows (as in: "they chose the drives for their excellent support for windows vista). I'm also annoyed (as I always am with things like this) that they are going to destroy the drives as opposed to Zeroing them out and selling them second hand.

Re:What a waste

[jlarocco]

I'm also annoyed (as I always am with things like this) that they are going to destroy the drives as opposed to Zeroing them out and selling them second hand.

Two things to consider:

• By the time most government hardware gets destroyed, it's already obsolete. My guess is most of the drives they're destroying are well under a gig. Who would buy a used 256 MB flash drive?
• Destroying the drives is harder to fuck up. I don't know what information they're storing about people, but I'd rather it not be accidently released. It's pretty easy to see which drive hasn't been smashed to bits with a hammer, not so much which drive has been properly zeroed and formatted.

Re:What a waste

[SharpFang]

especially that due to wear protection flashdrives are pretty hard to zero. Overwriting files is not guaranteed to delete the data because the 'overwrite' may (and likely will) happen elsewhere than original data was. You can still fill the whole drive with zeros (or better - random noise) but the science concerning recovery of overwritten data from flash memory is nonexistent - nobody knows if whether it can or can't be done.

Re:

[Technician]

You can still fill the whole drive with zeros (or better - random noise) but the science concerning recovery of overwritten data from flash memory is nonexistent - nobody knows if whether it can or can't be done.

Getting old data off my flash drive is just as reliable as looking at my bathroom light switch to see if it was on last night at 3 AM. You may be able to detect that the switch at one time or another was in the on position simply from wear patterns and the currently parked position, but as a high

Re:

[SharpFang]

From the last week, sure not. From just before the last erase - who knows?
Loading them full of whatever you want a couple of times is surely better than loading them with it once. But how many is enough? 2, 3, 4 times?

This process is time-consuming considering you need to fill the drive to the brim, sync the buffers and then erase everything and sync again. A drive may be $20, gross cost of a hour of a government employee erasing the drives, putting them on public sale, filling all the paperwork in, supplyi

Re:

[ratboy666]

"Wear protection" has nothing do with it. If the flash drive has a capacity of N bytes, and N bytes are written, every byte has been used -- even if you could not predict the order the bytes were used in. Wear protection is simply a function randomizing the write order, relative to the usual usage pattern. Since most Operating Environments try to write sequentially (in order to increase performance on magnetic media), and have "hot" areas (think allocation tables and directories) the randomizer is fairly ea

Re:

[SharpFang]

...but most of 'shred file' utilities don't fill up all the empty space on the drive, but just overwrite the file several times before deleting it. If you have 300K of data on a 16GB drive and want to 'safely delete' it, it would be much faster to use such an utility, without need to fill the empty space - except that will work on hdd, not on a flashdrive. Otherwise you must go through time-consuming process of filling the whole drive with noise, and you must go through standard file creation process, no fo

Re:

[ratboy666]

But, old versions of the files may be in the unused space. I usually recommend running

# possibly use /dev/urandom
dd=if=/dev/zero of=freespace bs=512; rm freespace

on filesystems periodically. This erases all data (although some information may still be recovered from the inodes, and unused parts of existing file blocks). On both hard drives and flash media.

It may take a long time (on either media).

"Unerasing" old drives can be very fruitful -- normally the machines are dumped and resold as bottom-end used co

Re:

[SharpFang]

Sure I know how to do this.
The question is, do the government employees know?
Do their bosses know? (I mean, they are the ones who decide which procedure is deemed safe enough.)
And does it pay to do so and sell the drives? (I'm not sure what manpower would have to be employed but knowing the way govt institutions do this kind of stuff, the that wouldn't be one unpaid intern but a team of security firm contractors at $80/hour)

Re:

[TractorBarry]

> Who would buy a used 256 MB flash drive?

Depends on the price. If they were 1p I'd buy 100 of 'em. 256 Mb is still a useful amount of storage (plain text, html, mp3 etc. etc.).

There is still some demand for small flash drives

[Ellis D. Tripp]

and memory cards. Users of the last generation of industrial control equipment come to mind immediately. I maintain a couple of industrial touchscreen interface panels that store configuration setups on CF cards, but cannot support CF cards larger than 128 MB due to firmware limitations.

This is industrial strength hardware that that would take serious $$$ to replace, a lot of time to migrate the software and debug the interface for, and it is perfectly functional. The only problem is that the mass-market ap

Re:

[couchslug]

"destroy the drives as opposed to Zeroing them out and selling them second hand."

The time to wipe and process them for sale is easily worth more than the drive. That's like erasing a floppy disk to save it, not to mention that destroying them ensures no files will be recovered.

Waste

[ajs318]

At the very least, they could /dev/zero them and give them away.

Re:

[AlecC]

And how sure are you that /dev/zero actually destroys the data rather than just removing pointers to it? A study of disk drives bought on ebay showed that 1/3 had not been wiped at all and 1/3 had been re-initialised in a way that made it trivially easy to recover the "deleted" data.

Re:

[ajs318]

dd if=/dev/zero of=/dev/sda1 will write zeros to /dev/sda1 until interrupted (which will happen of its own accord as soon as /dev/sda1 is full).

/dev/zero is a virtual device that whenever you read a character from it, comes out with a stream of zeros; it is always ready to read and never shows end-of-file. /dev/sda1 is a device that represents the first partition of the first SCSI, SATA or USB disk drive, treated as one huge file (which happens to contain all the files and pointers to them) rather than

Re:

[Culture20]

And you can
dd if=/dev/sda1
before and after to be sure.

If you're really paranoid, there's also shred:
shred -n 300 -z -v /dev/sda1
(writes random data to /dev/sda1 300 times, then writes 0's. Spends a couple cycles with I/O to screen to let you know it still cares, [-n 0 -z -v] for a verbose version of dd if=/dev/zero)

Re:

[Alchemist253]

That is not necessarily true, especially for magnetic media.

A good starting point to learn more is Wikipedia: http://en.wikipedia.org/wiki/Data_remanence [wikipedia.org]

Re:

[geekboy642]

Gutmann's paper on data remanence has not been discredited. In the words of Wikipedia, [citation needed]. Modern magnetic storage hard drives have, as far as I know, become so dense that it's no longer plausible to recover information in that way, but older drives were actually vulnerable. In fact as technology has advanced, more and more ways have been discovered to exploit remanence on many different storage media.
All the techniques I've thus far seen have required a certain amount of laboratory equipment

Re:

[couchslug]

Paying an employee to sit and zero the drives instead of doing their job is an expensive way to "give them away for free".

Re:

[ajs318]

Well, that rather depends upon what they're doing while the computer is doing its stuff. Put an "and" sign on the end, and you get a prompt back straight away (or just open more xterms / virtual consoles). You can do one drive in each USB port, up to however many sd* devices you compiled support for into your kernel minus however many you're already using. It's not like /dev/zero is going to start blocking reads anytime ..... (cue some crusty old BSD user making a feeble joke about not enough zeros goi

In Soviet Russia...

[rodney dill]

...USB Drives flash you.

Won't work, even with all the good faith...

[dpbsmith]

It's like trying to stop people from bringing in cell phones or iPods or PDAs... or creating personal Yahoo mail accounts from company machines... or playing solitaire at work. They are just too ubiquitous and there are just too many of them. Unless you get draconian (make it cause for immediate termination, and frisk every employee at the door... and I mean every employee, including all the vice presidents and directors and department heads).

Even employees that mean to comply will forget, will be at work and need one, reach in their pocket, and find they've got one of their own instead of the corporate-issued one.

I don't know what the answer is, but banning ubiquitous technology is like Canute holding back the waves.

The most dramatic case of the utter failure of this sort of thing I've seen occurred at a company in the 1990s which didn't quite understand that personal computers were personal. This was in the days before antivirus software was standard on any business machine. The company became seriously infected with a boot-sector virus. They had the entire IT department, SQA department, and tech support departments literally stop all their work for about a week while they went throughout the company collecting diskettes and disinfecting them, then pronounced the company clean. Apparently it never occurred to anyone that there were diskettes that weren't in the building.

Even then there were laptops, and, without pointing fingers--OK, pointing fingers--laptops were expensive at the time, and it was mostly the high-income and high-ranking employees, and, of course, people with good reason to have them--salespeople typically--that had them.

The company was reinfected by the same boot virus within less than a month.

Re:

[sepluv]

I don't see what is so draconian about terminating government employees who take personal data (that might be used for, say, ID theft) on citizens out of the building, no doubt committing a crime under data protection legislation in the process. After a few terminations, I'm sure they'd stop doing it. Governments tend to be way to lax with our data allowing their employees to repeatedly "mislay" it.

Re:

[Lehk228]

THIS

I work for the government (so i'm getting a kick out of these replies)

my boss is great, but she would have my head on a platter if i took a disk or flash drive full of confidential information, after i retrieved my head from said platter i would face criminal charges as well. you just don't do that sort of thing.

it doesn't happen accidentally unless there are HUGE (Like Xbox) flaws in policy and procedures, why would any employee be bringing personal storage in and hooking it up, it's not like the i

Re:

[tubs]

1) Get senior management support
2) Diasble all USB ports on all computers
3) All users to run as "Users" and not local administrator
4) Use GPO to diasble auto install of USB devices
5) Use GPO to deny all programs unless authorised (Not often used, but in windows you can stop a logged on domain user from running any programs whatsoever, including explorer)
6) Install Proxy that "denies" all webistes except approved one
7) Pissed off users, but more secure network. Senior management support you, so flack direct

Re:

[dpbsmith]

There are three problems with this. The first is that you're framing the problem too narrowly. It's not "denying use of USB thumb drives," it's "creating a culture for proper handling of data." If they can use USB drives, they'll email attachments to themselves. Or use a WebDAV account. Or use a Bluetooth-enabled portable hard drive. Or whatever. The problem that needs to be addressed is "why are people taking data with them? If it's for a legitimate reason, how do we facilitate their doing it properly? If

Re:

[tubs]

I think you're wrong about the bottom up approach - it has to be top down, and it has to be enforced. If the data has su value that it cannot be taken off site, then thems the rules. If your users break the rules then they should know they will be disciplined. Telling user that "you won't do this" means very little to the user, they'll just do it because they can.

If you've got the correct security in place, the CFO won't be fired for using his thumb drive because he won't be able to. If the CFO then nee

Re:

[AlecC]

There can be justifiable reasons for taking the data off site. Rather than banning it completely, you need to do a (security) cost/benefit analysis and justify the action. And if yu can reduce the security cost, you may well be able to access more benefits.

Re:

[Joe The Dragon]

Now days there are no PS2 ports so you need USB just for the mouse and keyboard.

Some apps need local administrator to run.

5. That may end up getting in the way of people doing there job and lead to long wait times to get a apps that they need added to the list.

6. That will likely just get in the way as well a block list is better.

7) That much lock down will Pissed off users and management to point that they will find a way to get around it just to get there job done on time.

Re:

[tubs]

No, they'll understand why these security measures are in place because you've explained it, given them options and shown what the damage can do.

Re:

[tubs]

Not every manager is the "PHB" from dilbert.

Oi - get real

[onyxruby]

Government agency does the right thing with trying to protect data and people still complain about it. Get real, not everything is a conspiracy, ok? The flash disks are government property, not personal, so why is anyone complaining.

Government and private sector agencies destroy used disks every single day using methods from as simple as patterning 1's and 0's to smelting the platters. This happens so often that their are dedicated machines available to do it for you right up to dedicated companies that specialize in the destruction.

/me grumbles and wants 5 minutes wasted out of my life back now...

Misleading Comments...

[Khue]

I think that they are actually being fairly reasonable about the whole issue. USB keys are a severe security risk as far as controlling access to data leaving a business. People leave with Excel sheets full of database information, confidential email, and sometimes text pads containing passwords to various systems. We've already begun the process of completely disabling all computers company wide from their ability to write to removable drives which essentially takes away the threat a USB key poses. Here we see that the state spent a reasonable amount of money (cost of the usb key itself + enterprise management software which probably has some sort of CAL) just so employees could still use USB keys. In my environment, employees just straight up would never have access to USB resources to begin with... Can you imagine the consequences of a disgruntled employee walking out of the office with a spreadsheet of 65k+ credit card records or other customer records? Hello Fidelity Insurance scandal...

Hah

[Shadow-isoHunt]

You can take my U3 drive from my cold, dead fingers! Gonzor's payload comes in handy.

Somebody has woken up to to personal privacy

[AlecC]

Given the casual way in which UK goverement employees, both civil and military, have been treating confidential information, I am glad that a department with seriously confidential information is taking the security of portable storage media seriously. Obviously, if the media were personally ppurchased and used in good faith, the owners of the media must be compensated. But, as previously suggested, these were probably privately purchased and then refunded as expenses, to the belong to the emplyer already.

As to destroying them... Put this in proportion: 150 devices, at perhaps $30 apiece if they wern't bought yesterday: about $4500. On the otyher side, when the UK government lost 2 CDs with large amounts of personal information, the mailshot warning the people whose personal and banking information had been misplaced cost $6,000,000. With cost ratios of this magnitude, the precautionary principle applies. Yes, you could wipe them, and they probably wouldn't leak info. But the cost if they did is so high that the tiny loss involved in destruction is irrelevant.

So I applaud a government department for finally taking privacy seriously. The cost arises becasue they didn't do so before, and is small. The cost for all the other departments who have not yet got it is increasing every day.

Why not disable the USB ports?

[Ahrel]

Call me dumb, but I don't understand what they're using these thumb drives for that wouldn't be possible with a good network? Why not disable the ports (or at least access to them by anyone but IT and managers). If they have network shares, that should be sufficient enough to transfer data to a colleague. The article mentions PowerPoint presentations and the like...but if they're giving a presentation within the building, they should be able to access their shares for the power point files. If it's outside of the building, transfer it to the laptop before you go. But if you absolutely need the files on a thumb drive, get a monkey from IT to do it (that's what field tech's are for). I dunno, I guess I'm just too used to how the two places I've worked at in IT did and do things. The million dollar question is why is the state so paranoid that their employees in the Division of Child Support are going to be stealing information? Maybe they should screen better.

Re:

[JoeD]

Because USB ports are used for other things besides thumb drives. Notably, mice, keyboards, and printers.

Re:

[AlecC]

This is a child care agency. They need to visit the child and/or parents in their home, and have access to the child's records, both to read them (e.g. to find if any allegations are repeat cases) and to update them to record new allegations. You cannot get parents and childern to come into a secure environment for interview. The case worker, who may have to do three or four emotionally draining interviews in one day, cannot be expected to remember all the facts accurately enough for (for example) legal pro

I'm not sure I understand your point.

[argent]

The case worker, who may have to do three or four emotionally draining interviews in one day, cannot be expected to remember all the facts accurately enough for (for example) legal proceedings to remove a child from parents. Tha alternative to USB keys is probably printout, pen and paper. And how secure is t that? At least USB keys can be encrypted.

So they're sticking these thumb drives in computers owned by the people they are investigating?

Or they have no way to securely store information on their own lap

Re:

[AlecC]

No. I am assuming that they have laptops which they may not carry into the office every time, or which they do not want to keep long term, or which may be shared between several workers, or which they cannot guarantee to have the same one every day or they want to move the data easily between work desktop, home desktop and mobile laptop without re-docking or they find it a pain to boot up the laptop in the office just to transfer one file or... A USB stick is a lot lighter than even a Macbook Air. My window

Re:

[poot_rootbeer]

I don't understand what they're using these thumb drives for that wouldn't be possible with a good network?

How do you physically attach a keyboard and mouse to a computer via an Ethernet port?

Could the agency insist on only purchasing PCs with PS/2-style ports? Maybe. What happens when the only manufacturer still supplying them charges thrice as much as a commodity PC for the privilege of using 20-year-old technology?

Could the agency lock down the OS so that only USB devices with approved IDs will be reco

Re:

[STrinity]

If they have network shares, that should be sufficient enough to transfer data to a colleague.

What if they need to transfer the data outside of the organization -- say a social worker took digital photos to document abuse and needs to bring them to court as evidence.

Re:

[Lehk228]

it's called a printer.

There are security concerns

[JoeD]

I remember reading an article from a security consultant awhile back. One of his clients, a bank, had hired him to try to break into their systems, and were quite cocky about how they'd sealed off external access.

So he took a bunch of thumb drives, put a Windows autorun backdoor installer on them, and scattered them around the entrances and outdoor smoking areas.

Hey, presto, instant access.

easily cracked?

[klossner]

Is there any reason to think these don't use the Windows-based encryption that is trivially defeated [slashdot.org]?

I have to wonder if they will be compensated?

[DragonTHC]

If I had a usb thumb drive that I purchased for work and my company or government in this case confiscated it, would I be compensated for my property?

I can understand the need to destroy the dive for security purposes, but who is going to pay for them? not the employees I hope.

by now, the IT guys probably sorted through them and kept the hi-cap ones for themselves.

How Convenient!!

[sunderland56]

Gee, I used to have to buy my own USB drive to steal software and data files from work. Now, they're providing me with one for free!!

Now if only all the other agencies would....

[LynnwoodRooster]

consider privacy, too. Two years ago, I had the "pleasure" of a WA State DOR audit. The auditor wanted me to copy our company's QuickBooks file to his USB so he could work on it at his office. Knowing the law, I said I'd run reports and print out anything he wanted, but would not give him the file because it contained delicate information (like SSNs, health information, credit card numbers, etc).

The auditor was furious, and demanded we give him the file, rather than just printouts. I said no, and he left, only to return the next day with his supervisor, who also demanded the same and said they'd get the file "legally" if needed.

I told them to give me the USB key, and we'll see. I plugged the key in and turned the monitor around so they could see 9 QuickBooks files from other companies. I asked them if they intended to share my data with the next 9 companies, like they just shared those files with me?

After much haranguing, and threat of legal action, we finally agreed on a full Excel file database dump, but with the critical fields (customer names, CC numbers, etc) wiped.

Is it just me,

[IdeaMan]

or did anyone else immediately think "They're not doing that because the fobs are insecure, they're looking for child porn."

Not destroyed - sold as surplus, likely

[themushroom]

Washington's usual practices are not to destroy materials, but to sell them at GSA Surplus sales. That's where the pointy objects the TSA took from travellers wind up, as well as where monitors and filing cabinets and so forth from government offices get liquidated. I would imagine they'd do secure wipes on the sticks before tossing in the barrel.

I will keep an eye out for USB sticks at the Auburn office near the Supermall. They'd be a welcome change from the elementary school scissors and grubby pocketk

They are not alone

[uspsguy]

All government agencies have information that needs to be protected. Like Washington, we (my nick will give you a clue who we are) are safeguarding portable information. Our facility has moved to encrypted usb drives to reduce inadvertant disclosure of information. There is a huge list of information managers may need and use that could violate confidentiallity, provide the competition with stratigic data, and damage all kinds of legal processes. With the potential costs, an agency would be stupid to not ju

RTFA

[jlowery]

They're likely neither unauthorized or personal.

Re:

[IBBoard]

Chances are they've been using their 'personal' USB sticks to transfer work documents. If that's the case and the agency have some form of classification level or protection for their information then more fool them for putting the information on a personal device.

It's the same in any military situation - hook a device up to a Restricted or higher machine and the only way to 'declassify' it is with a hammer.

Or, as some people have pointed out from TFA, it could be that these were purchases that they've been

Re:

[CharlieHedlin]

This information is 2nd hand, but someone I knew did a presentation at the Pentagon. There were two laptops on the table and he was told they could use one for the presentation (he wasn't allowed to bring in his own laptop for security reasons). The laptops were on top of each other and he accidentally plugged the USB drive into the wrong one, the one for classified information.

Apparently they had a Sargent take the drive to another room and inspect it, then returned it. I don't know what violations took

Re:You can have my USB key

[Tyndmyr]

Having spent quite a few years working for the US government, I assure you, they were either reimbursed for them if they were officially permitted, or warned against using them. It's not uncommon to sign a waiver giving them permission to confiscate storage media if you store sensitive stuff on it, and personally, Im rather glad to see them being responsible with information that could pose a major privacy threat.

Re:

[Comboman]

Too bad the person who wrote the summary didn't RTFA, because the summary says they were personal USB keys.

Re:

[daveime]

So you are worried about an account you didn't want in the first place being sniffed and hi-jacked by someone else ? If you are so paranoid about identity theft, that you think someone would steal your Slashdot account over say, your online Credit Card payments or online Banking Details, then maybe you'd be better not using the Internet at all.

Re:

[geminidomino]

And here comes the waaaaaahmbulance.

Suck it up. AC's have posted at -1 as long as I've had an account, thanks to setting them to -6 (and I am not the only one).

If you want anyone to care what you have to say, work it out.

Re:

[Lumpy]

REally? I give mine up willingly. I upgrade about every 3 months. I now carry a 16 gig model. I gave away my 4 gig to a stranger recently when we were talking and he asked about thumb drives, I said they are dirt cheap. Here, have one (I was out of the older 1 gig drives I had clogging the bottom of my backpack.)

that's the cool part. Plug in two drives, dump contents from one to the other, format the old one, give it away. Really simple.