iPod: Your Portable Corporate Hellraiser

CmdrTaco posted more than 10 years ago | from the without-the-aid-of-britney dept.

Security 679

MrAndrews writes "In an article on ZDNet UK, a Gartner says that "Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data" I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"


679 comments


First (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9620979)

Post

Not so "absurd" (4, Insightful)

MoxCamel (20484) | more than 10 years ago | (#9620984)

I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern?

Not to skirt the question, but is this really "absurd overkill?" I'm sure that USB pens/watches/etc have been a boon to corporate espionage. With a USB storage device, you don't have to worry about burning CDs or emailing your stolen information off-site.

Having said that, I do think that some companies need to quit treating their employees like potential criminals. But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space. (thin clients would have gone a long way towards solving this problem, but that's another discussion)

Re:Not so "absurd" (2, Insightful)

the quick brown fox (681969) | more than 10 years ago | (#9621053)

Making it a corporate policy is like saying "All saboteurs, please sign this document swearing you will not steal our intellectual property."

Those who are going to commit espionage are going to do it with or without an iPod, and meanwhile you've seriously inconvenienced owners of MP3 players.

Re:Not so "absurd" (0, Funny)

Anonymous Coward | more than 10 years ago | (#9621080)

So by the same argument, you would allow people to take guns onto planes?

Re:Not so "absurd" (2, Funny)

ooPo (29908) | more than 10 years ago | (#9621101)

When shooting becomes an acceptable way to pass the time on a plane... sure!

Re:Not so "absurd" (4, Funny)

Seth Finklestein (582901) | more than 10 years ago | (#9621108)

Guns don't kill people. iPods kill people.

Sincerely,
Tom Ridge
Homeland Security Chief and Microsoft beneficiary

Re:Not so "absurd" (4, Interesting)

palutke (58340) | more than 10 years ago | (#9621141)

True, but that's not the entire purpose.

Where I work (a DOD contractor) we can carry just about anything (except a camera). We are, however, required to register it with the security manager. In order to register it, you must give them permission to read the contents on the way into or out of the building. That allows them to maintain their illusion of safety while allowing employees to carry their preferred gadgets.

I don't know of anyone actually being searched, however . . .

Re:Not so "absurd" (0)

Anonymous Coward | more than 10 years ago | (#9621069)

I can totally agree. Some companies think that their product is golden and that everyone is trying to steal their information. It's pathetic at how far these companies will go to make sure nothing is stolen.

One company I have worked with went so far as to put hidden cameras in all kinds of locations. The only reason I found out was because I had helped train the security manager when he first showed up at the company...

Re:Not so "absurd" (1)

Triskele (711795) | more than 10 years ago | (#9621127)

Not to skirt the question, but is this really "absurd overkill?" I'm sure that USB pens/watches/etc have been a boon to corporate espionage. With a USB storage device, you don't have to worry about burning CDs or emailing your stolen information off-site.

So you'd condone a full on body search every time an employee enters or leaves the building?? USB devices are pretty small and Flash cards are impossible to detect without going through every body crevice.

Re:Not so "absurd" (0)

Anonymous Coward | more than 10 years ago | (#9621217)

so you disable the Removable Storage service within windows.

viola.
done.
fin.

there u go.

your anal cavity is safe.

Re:Not so "absurd" (5, Insightful)

therblig (543426) | more than 10 years ago | (#9621140)

To use a tired cliche, a security policy is as "strong as its weakest link." If people have access to web mail, CD burners, or other simple means of transferring data, then the policy is absurd. However, if strong security measures have been taken elsewhere, then this is perfectly reasonable, too.

Re:Not so "absurd" (1)

justkarl (775856) | more than 10 years ago | (#9621197)

Having said that, I do think that some companies need to quit treating their employees like potential criminals. But if you work for a company like mine, where the data is the company's life-blood I can completely understand

I agree, but I also can't help but think that all companies' data is their life-blood. While scrutiny does suck, especially from an employer, I think it's a necessary evil. It's more important to protect a few million(billion) dollars than to protect your privacy. If you think something may cause a problem at work, don't bother bringing it.

DAMNIT (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9620989)

When are the slashdot editors going to get over their fetish with the iPod? Damn, it's just a freaking music player and not a very good one at that.

Re:DAMNIT (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9621049)

When Apple stops paying them.

Old fashioned iPod... (1)

spoodie (641820) | more than 10 years ago | (#9620999)

Makes me thankful for my original iPod with its Firewire connectivity only, there's no firewire ports in this office.

Re:Old fashioned iPod... (5, Insightful)

Gannoc (210256) | more than 10 years ago | (#9621044)

Cute.

Makes me thankful for my original iPod with its Firewire connectivity only, there's no firewire ports in this office.

Yes, like you're going to win that argument at the security door/HR rep/etc. "But my ipod only has a firewire interface, unable to connect to the computers here!"

To them, that sounds like technical nonsense that makes you even more suspicious. "He mentioned fire!"

From the Fascist Department (0, Troll)

Disevidence (576586) | more than 10 years ago | (#9621000)

Or you could just run a secure network and not have to worry about banning every luxury in the world.

"No coffee near those computers! You might kill the keyboard if you spill it!"

Re:From the Fascist Department (0)

Anonymous Coward | more than 10 years ago | (#9621102)

Impressive display of logic in your post. Let me guess, you're an Apple zealot?

Re:From the Fascist Department (3, Interesting)

doktorstop (725614) | more than 10 years ago | (#9621119)

nonsense... I run a pretty secure net here (secondary school, HUGE threat from any teenager who just happens to think he is a XaxooR)... we got everything so locked down that we didn't have a single major incident for the last year =) And still, yes, portable USB devices are a threat... can't telnet from the school due to policies? just bring Putty on a memory stick... et voila! Therefore, it is not so much about network security, but what you allow people to do on the network... with the assumption that any memory stick can contain software you DON'T WANT inside your net.

Re:From the Fascist Department (3, Insightful)

Kenja (541830) | more than 10 years ago | (#9621125)

Please explain how to secure a network so that the users don't have access to data but can still do their job.

Funny you think that way. (3, Insightful)

Gannoc (210256) | more than 10 years ago | (#9621009)

In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"

No, it's just a matter of scale. There are no real legitimate concerns, but every company will balance employee happiness vs the 1 in 10000 chance something will go horribly wrong with a USB watch, and just ban everything outright.

A valid concern (4, Insightful)

slusich (684826) | more than 10 years ago | (#9621011)

I work for a casino, and we don't allow our employees to bring in such devices either. I'm sure it still happens, but such policies are important when your customer database is vital to your income.

Common Policy (4, Informative)

hypnotik (11190) | more than 10 years ago | (#9621013)

My father works in the Aerospace industry. He is required to leave his iPAQ at the front door every day.

Is this overkill? Perhaps. But sometimes such heavyhanded policies make sense, especially when it comes to making war.

Re:Common Policy (1)

jrexilius (520067) | more than 10 years ago | (#9621186)

In a previous life, we had to leave _all_ electronics at the gate despite tempest shielding, jamming, and many other measures taken. The technical reasons for this should be obvious to most but it was by no means overkill.

I would say, however, that most companies are not in the same boat. If you have access, even through a proxy, to the internet from a machine where sensitive company data is then a USB storage device is no big deal. Not as easy to log and get an audit trail (all packets could be recorded on a network) but most companies don't have that level of logging in place ($$$).

Re:Common Policy (0)

Anonymous Coward | more than 10 years ago | (#9621233)

so why does he bother to take it to work? is he stupid or something?

just the reverse here.. (5, Interesting)

Lumpy (12016) | more than 10 years ago | (#9621014)

corporate just recently issued 1GB thumb drives to all employees. we find it's easier for the users to back up their own crap and transfer it that way.

teaching a user about network storage or even using the IRDA file transfer was unsuccessful... yet these dolts took to using the thumb drives like it was second nature.

so now usb storage devices are required and issued to users.

Mod this guy up ... (5, Interesting)

YankeeInExile (577704) | more than 10 years ago | (#9621079)

That is interesting (that your users were confused by using a network file share, but found the thumb drives intuitive.)

Is it the fact that there is a physical artifact that makes the idea of "your files are going here" easier to map into their worldview? UI Designers Take Note. This might be on the test.

Re:Mod this guy up ... (5, Interesting)

haystor (102186) | more than 10 years ago | (#9621177)

That would be my guess. After supporting a customer service system as a programmer and trying to pull troubleshooting information out of them for a while I learned that they think in terms of location.

They would say things like, "This data isn't in this program." They thought of the data as being in a specific program. If all their programs stopped retrieving data at once they would tell me that all the programs were broken rather than the database was down. No amount of explanation could convince them the data was in the database. For their purposes their view of things was perfectly appropriate I suppose, but it didn't help troubleshooting.

Re:Mod this guy up ... (1)

mgs1000 (583340) | more than 10 years ago | (#9621191)

Well, it's not really a huge leap from mastering the complexities of using a floopy disk.

Re:just the reverse here.. (2, Funny)

MoxCamel (20484) | more than 10 years ago | (#9621220)

teaching a user about network storage or even using the IRDA file transfer was unsuccessful... yet these dolts took to using the thumb drives like it was second nature.

Wow...that's some dumb users. We tell ours to "put your files on your H: drive, or they won't be backed up." For 95% of our users, that seems to work pretty well. For the other 5%...even thumb drives would do nothing more than collect drool.

Not so new (4, Interesting)

Scutter (18425) | more than 10 years ago | (#9621015)

I used to work at a government defense contractor and this type of policy was standard there. No CD players, no radios, nothing with any type electronics could be brought in just in case they could somehow be used as a transmitter or to steal data or something. Oddly enough, floppies could be used. Go figure.

Re:Not so new (1)

N Monkey (313423) | more than 10 years ago | (#9621130)

I used to work at a government defense contractor and this type of policy was standard there. No CD players, no radios, nothing with any type electronics could be brought in just in case they could somehow be used as a transmitter or to steal data or something. Oddly enough, floppies could be used. Go figure.

That sounds more like a "we don't want to be sued for electrocution from untested (and hence, probably uninsured) equipment" policy. You can get that at some companies and public services, such as hospitals.

Re:Not so new (0)

Anonymous Coward | more than 10 years ago | (#9621162)

Two reasons:

1) Instantly suspicious. Who the hell uses a floppy anymore?

2) What are they going to transfer? A single image from your digital camera??? ;)

iPod: Your Portable Corporate Hellraiser (1)

theMerovingian (722983) | more than 10 years ago | (#9621018)


Um, wasn't this the plot of some movie?

Why yes, yes it was [imdb.com] .

Re:iPod: Your Portable Corporate Hellraiser (1)

theMerovingian (722983) | more than 10 years ago | (#9621061)



A more pertinent link [mac.com] .

Re:iPod: Your Portable Corporate Hellraiser (1)

AKnightCowboy (608632) | more than 10 years ago | (#9621201)

Um, wasn't this the plot of some movie?

Yes, but not an iPod. A top secret program was smuggled out of the CIA headquarters in The Recruit using a USB keyfob hidden in the base of a coffee mug. The stupid thing of course is that top secret CIA workstations probably don't even have USB ports or removeable media drives of any kind. Hey, it's a movie though.

Re:iPod: Your Portable Corporate Hellraiser (1)

McKinney83 (687821) | more than 10 years ago | (#9621237)

Let's not forget The Recruit. http://imdb.com/title/tt0292506/ Where Colin Farrell has to find out who is stealing the CIA's information from the inside. He eventually finds out it's Bridget Moynahan using a usb device hidden in her coffee cup.

Come again? (4, Insightful)

TopShelf (92521) | more than 10 years ago | (#9621024)

I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ...

How is that overkill? Sounds like a common-sense move for a firm that wants to take steps so that sensitive information doesn't just walk out the door. It's not that much different than walking in with a USB CD burner under your arm.

Re:Come again? (2, Insightful)

cookem (172702) | more than 10 years ago | (#9621194)

It is nuts and overkill if they let me walk out with my laptop everyday that has a 40 Gig drive. What do I need an ipod or a usb drive for when I have a laptop with plenty of storage.

Second step? (5, Informative)

Anonymous Coward | more than 10 years ago | (#9621026)

Seems to me the first step should be to disable USB on machines which do not need it in the BIOS then lock the BIOS....

Re:Second step? (0)

trout_fish (470058) | more than 10 years ago | (#9621113)

And for those PCs that do need USB?

Also recommended: Welding Drives into Chassis... (1, Funny)

FatSean (18753) | more than 10 years ago | (#9621030)

You mean...the iPod software spreads virii!!! OH MY GOD!

....scary (2, Insightful)

Anonymous Coward | more than 10 years ago | (#9621033)

Dude,
if you don't understand or agree with this policy, you probably don't belong in the job you are doing, and don't 'get it'.

scary...

-ac

This isn't overreacting. (4, Insightful)

PhxBlue (562201) | more than 10 years ago | (#9621034)

I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day.

That's actually pretty generous if you're actually serious about the information the consultant handled being Top Secret. Even if it isn't, that's a much better alternative (for you) than being "let go" because you continued to wear a prohibited device after being told not to.

Good old gov't (0, Offtopic)

strike2867 (658030) | more than 10 years ago | (#9621039)

Good thing the information of most of the US population isn't on any handheld devices [slashdot.org] .

Just to get this out of the way... (1, Insightful)

zaren (204877) | more than 10 years ago | (#9621040)

What about other portable drives?

What about USB keychain storage thingies?

What about FLOPPIES?!?

Of course, the whole "malware" argument is only a concern if you're running in an insecure Windows environment... am I being redundant? :)

Re:Just to get this out of the way... (1)

Akimotos (747459) | more than 10 years ago | (#9621092)

What about webmail. What about IM.

Re:Just to get this out of the way... (1)

Seth Finklestein (582901) | more than 10 years ago | (#9621145)

What about webmail.

Banned.

What about IM.

Banned.

Any other questions?

Re:Just to get this out of the way... (1)

TK2216UKG (733566) | more than 10 years ago | (#9621158)

What about HTTP? I hear Google are planning email accounts with 1GB storage limits.

Re:Just to get this out of the way... (1)

Seth Finklestein (582901) | more than 10 years ago | (#9621209)

My lusers don't have access to gmail as long as I'm in charge. All webmail services are banned.

If you're going to push 1 GB of private data across a web connection, I'm going to find you, terminate your network access, and see to it that you're fired.

Sincerely,
Bert Stanwick
Systems Administrator From Hell

Re:Just to get this out of the way... (1)

YankeeInExile (577704) | more than 10 years ago | (#9621198)

Of course, the whole "malware" argument is only a concern if you're running in an insecure Windows environment

<humor mode="sarcasm">Because there have never been in history any user-mode accessible root exploits for any competing systems ever. Zarendist Linux is absolutely known to be hole free.</humor>

I will definitely give the poster props for a nice MSFT bash - but perhaps you are being a bit pollyanna in your analysis. And if you posted it, there are surely those who believe it, and if they put that theory into practice, they also have an exposure to malware. (cough, cough)Morris Worm(cough).

Legitimate complaint,obvious alternates (3, Insightful)

192939495969798999 (58312) | more than 10 years ago | (#9621046)

Well, that's a pretty legitimate complaint, especially if you work in a secure building. You can't just be coming in and out with a portable hard drive and copying mechanism every day if you have secret clearance and work on DOD stuff, so it makes sense that other companies would follow suit. Besides, it's not like CD players, tape players, mp3 cd players, radios, live365.com, etc. don't exist! Just like checking your guns before entering a saloon makes sense, so does this. Sure, you might not use it, but if you did, people would sue.

Are Those Corporate Secrets in Your Pocket? (4, Funny)

RobotRunAmok (595286) | more than 10 years ago | (#9621052)

...or are you just glad to see me?

Seriously, the barn door's been open and the horse halfway to Topeka on this one for a while. Who needs an iPod? I've been carrying around virtually my entire business on one of these things [diskonkey.com] for over a year. Sure, take away my music player, phone, key chain, watch, whatever, I'm a big boy and you pay me enough to play along, but at what point short of a strip search and replacing the pink-haired receptionist with a Brinks guard to watch over the stash does this policy become a smidge unwieldy?

(However, I do throw my whole-hearted support behind any policy which confiscates iPods (or sunglasses, for that matter) from any too-cool-for-the-room tool who doesn't stow them shortly after he enters the building...)

Re:Are Those Corporate Secrets in Your Pocket? (1)

herrison (635331) | more than 10 years ago | (#9621172)

so... these wearable computers we keep reading about...?

Not "absurd" (4, Insightful)

Eagle7 (111475) | more than 10 years ago | (#9621056)

Banning personal portable storage devices (iPods, USB, powerful calculators w/ a computer connection, etc) is pretty much standard (and smart!) practice when either government or industry classified/proprietary information is available. The risks are simply too great... the chance of soldiers dying due to a security violation or a company going under due to industrial espionage greatly trumps your desire to have a silly USB watch on your wrist all the time. If you don't like that reality, then don't take jobs that put you in contact with that sort of information in the first place.

Makes sense... (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9621059)

>In that case, I know it was absurd overkill ...

Why do you say that? If they really deal with sensitive (Top Secret - as you put it) information, it sounds justified...

Of course, they should also have disabled USB ports on machines on their network, but keeping the devices out is a good idea also.

A watch is much less conspicuous than a Furby on your wrist. :-)

the 5th pocket (2, Funny)

Diclophis (203740) | more than 10 years ago | (#9621063)

Is really there for you to stash your usb memory device.

no... (0)

Anonymous Coward | more than 10 years ago | (#9621182)

its there for small bags of weed

Hollywood (0, Redundant)

Digitus1337 (671442) | more than 10 years ago | (#9621073)

*Spoiler on old movie* In the recruit, http://www.imdb.com/title/tt0292506/, a double agent uses a usb storage device to steal secret plans.

Re:Hollywood (2, Informative)

halowolf (692775) | more than 10 years ago | (#9621123)

Oh yes I remember this! A supposedly high security installation and there are USB ports on the keyboard! Puhhhlease! In high security environments where it matters, there aren't supposed to be disk drives and USB ports, or an easily accessible means to get data off the network.

Re:Hollywood (1)

thbigr (514105) | more than 10 years ago | (#9621159)

Yup! I saw it too. If it is in the movies or on T.V. it must be true! Of course real harm is possible, but I haven't worked in such environments. I am sure it is happening somewhere.

Re:Hollywood (1)

Squirrley (708130) | more than 10 years ago | (#9621189)

how's that an old movie? it came out only like a couple years ago...

German c't magazine showed how to disable USB... (5, Informative)

flowerp (512865) | more than 10 years ago | (#9621077)

The German c't magazine recently had a short article about disabling the USB storage driver for non-administrator users on Windows 2000 and XP - effectively eliminating the security risk. This policy could be enforced by any system administrator on all desktops. Similar things could be done for Firewire ports and storage devices that attach to it. Basically it works by making the driver non-readable and non-executable for the average Joe Schmoe user logging into the system.

Bring your own USB sticks? No problem. Can't use em anymore ;)

Christian
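An added example, not part of the comment above or of the c't article: a read-only PowerShell audit for current Windows that checks whether the lockdown described there is in place, by looking for broad groups that can still read or execute the USB storage driver files. It also checks the registry start type that disables the driver outright, which the comment does not mention. The driver name, registry key and file paths are the Windows defaults and are assumptions about the target machine; testing three well-known group SIDs is a simplification of full effective-access evaluation.

```powershell
# Added example (read-only audit). Run from an elevated prompt so the ACLs can be read.
# Assumption: stock Windows USB mass-storage driver (USBSTOR) in its default locations.

$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$driverFiles = @(
    "$env:SystemRoot\System32\drivers\usbstor.sys",
    "$env:SystemRoot\Inf\usbstor.inf",
    "$env:SystemRoot\Inf\usbstor.pnf"
)
$rights = [System.Security.AccessControl.FileSystemRights]
# Bits that matter for "non-readable and non-executable".
$mask   = [int]($rights::ReadData -bor $rights::ExecuteFile)

function Get-UsbStorStartMode {
    # Service start type: 3 = load on demand (default), 4 = disabled.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $prop = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.Start
}

function Test-BroadAccess {
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -LiteralPath $Path
    # Ask for SIDs directly so no name translation is needed.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($sid in $broadSids.Keys) {
        # Rules for this SID that touch read or execute.
        # Limitation: ACEs expressed only as generic rights are not decoded here.
        $hits = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            (([int]$_.FileSystemRights -band $mask) -ne 0)
        })
        $denied  = @($hits | Where-Object { $_.AccessControlType -eq 'Deny'  }).Count -gt 0
        $allowed = @($hits | Where-Object { $_.AccessControlType -eq 'Allow' }).Count -gt 0

        [pscustomobject]@{
            Path      = $Path
            Principal = $broadSids[$sid]
            # A Deny entry wins over an Allow entry for the same principal.
            Exposed   = ($allowed -and -not $denied)
        }
    }
}

$start   = Get-UsbStorStartMode
$results = $driverFiles |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-BroadAccess -Path $_ }

$results | Format-Table -AutoSize

$exposed = @($results | Where-Object { $_.Exposed })
if ($start -eq 4) {
    'USBSTOR is disabled for everyone (Start = 4).'
} elseif ($exposed.Count -eq 0) {
    'USBSTOR is enabled, but no broad group can read or execute the driver files.'
} else {
    "USBSTOR is enabled (Start = $start) and $($exposed.Count) file/group pair(s) still allow read or execute."
}
```

The script changes nothing; it only reports which of the two controls, if either, is in effect on the machine it runs on.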

USB watch bad - Laptop Okay (1)

iconnor (131903) | more than 10 years ago | (#9621081)

I was recently stopped when taking an old PII home to some work. I pointed out that if they were worried about this little PII with a 4Gb hard disk - they should be really worried about the P4 laptop with the 60Gb HDD that I carry back and forth everyday.

This is dumb (0)

Anonymous Coward | more than 10 years ago | (#9621082)

All kinds of devices, many covert, have ways of storing data. The best way to prevent this is know your employees, get them to sign they won't steal data, and if they do sue them. It's that simple. This is one of those things you can try and fight and never win.

Re:This is dumb (1)

ydnar (946) | more than 10 years ago | (#9621238)

I agree. It's sort of like DRM--only stopping the people who want to be stopped. Or drug laws. Take your pick.

heh (1)

techefnet (634210) | more than 10 years ago | (#9621083)

silly. if they have to ban ipod they have to ban all other electronic devices too.

Easy to bypass ridiculous security precautions (4, Funny)

mirio (225059) | more than 10 years ago | (#9621084)

You know, I could bypass such security precautions very easily with a USB keyfob and tightly squeezed buttocks....

At the very large financial corporation I work at (5, Funny)

M-2 (41459) | more than 10 years ago | (#9621085)

At one point the corporate machine-support staff tried to set up the following:

  • All laptops in the building must be formatted to the corporate image (personal or not, connected to the network or not)
  • All PDAs had to be hard-reset before leaving the building unless your manager approved it
  • Any other device with a USB port had to be opened and checked by the desktop support group

The sneaky bastards kept trying to steal my laptop, my PDA and my Nomad Jukebox to do this. I kept catching them and throwing them out of my cube (at one point, literally, as he refused to leave until he had formatted my laptop's hard drive and I had to roll him out in my chair and overturn it in the corridor).

Finally, they stopped that after they did this to an senior VP and erased the powerpoint presentation he had on his laptop. Heads rolled for THAT little debacle. The funny part was that his machine was already work-provided, he just didn't work in our building, so they didn't know him...

Depends on strictness (5, Interesting)

jawtheshark (198669) | more than 10 years ago | (#9621089)

I work as a contractor at a bank. Now, they are extremely paranoid about data being carried out of the bank. The only thing is: they aren't consequent. Yeah, they locked down the internet. Nobody can access it unless, you go on a second network that has internet access. No PC here has a CD drive (so no importing of your favourite games, screensavers and other crap and warez)

But they do allow diskettes (friggin diskettes! Do you know how much customer data you can put on a diskette?). Then I also found out that the "internet-network" (which only internals have access to with a NT username/password) operates simply on DHCP, no MAC address checking: the only "security-check" is the NT-Domain login. Why did I find this out? Simple: these morons allow contractors to have laptops, so I once just plugged it in that network. Worked instantly. Now there is a security concern in my eyes! For crying out loud, I have a Mac, I don't even need a crosscable to pump over data from my work-PC to my Mac. Imagine what kind of data I could take away with that! Nobody ever stopped me at the entrance/exit with my laptop bag. Nobody.

You see, if you want security, you need to ban every device that can be networked somehow. It's that simple. Yes, this includes your iPod. So, I suspect that this is only a great concern in governmental institution (top-secret clearance), but in the "highly sensitive environment" of banking they don't get it at all.

Hey, I pointed out their flaws and I was told to shut up.

What about Laptops? (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9621090)

I carry 40GB in and out of my company every day - no need for USB drives!!

weighing the benefits (5, Insightful)

bodrell (665409) | more than 10 years ago | (#9621094)

Yes, iPods and USB watches are security concerns for many companies. But if an employee wants to do their employer damage, an iPod is not required. I think it's more dangerous to treat employees with distrust, because it makes them much more likely to scheme of more malicious ways to cause trouble.

Those in charge of company security should remember that these same employees bringing in iPods are the ones who were issued key cards to get into the building. Companies have no choice but to give their workers the benefit of the doubt.

Lock down privileges? (2, Insightful)

dalamarian (741404) | more than 10 years ago | (#9621096)

Wouldn't it make more sense to lock down the rights to users for connecting usb mass storage devices? I understand that in secret/top secret facilities this isn't enough, but it should be used in combination with ban of usb devices.

But for a regular corporate setting the above action seems more appropriate and pro-active as someone can always sneak a usb device in.

Overkill (2, Insightful)

Afty0r (263037) | more than 10 years ago | (#9621098)

I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ...
How is that overkill? You have a device capable of introducing viral agents/trojans, or of covertly copying half a gigabyte of compressed data every day you work there, from systems designated "top-secret", and you think it is unreasonable for them to ask you to leave it at the door?
I think it's unreasonable that someone like you is allowed near a facility containing "top secret" information.

Employee concerns... (5, Funny)

Luckboy (152985) | more than 10 years ago | (#9621100)

You know, if your employees actually CARE about hooking up their iPods or other MP3 players at work, you should be more concerned about what your employees are actually DOING, as opposed to what data could be stolen. My iPod's Library is managed by my home machine, not my work machine, and the only reason I bring it inside is to keep it out of my hot car during the day. I don't even bring a cable that would be compatible.

I'll just burn the site licensed software to CD and take it home that way...

The concern... (1)

Dracolytch (714699) | more than 10 years ago | (#9621107)

The concern is a real one. Consider someone who's irritated at their job at a weapons design facility, feels they deserve "the best" (but may actually not... You know the type). With these kinds of devices, how can you keep them from taking sensitive documents to countries with more money than research labs?

I just don't know what can be done about it, honestly. When you have USB devices that are shorter, narrower, and thinner than a stick of gum [microcenter.com] , what can you do? Here's hoping they have some way to block USB storage devices.

~D

This is a legitimate concern (4, Interesting)

thewiz (24994) | more than 10 years ago | (#9621120)

Most military bases have banned PDAs, USB Flash drives, iPods (and variants), cell phones, and any other device that can be connected to a computer and can store data. Some have even gone as far as removing diskette drives and banning CD-RW and DVD-RW drives on new systems. I have seen incidents where people decided to put classified military data on a flash drive or floppy to take it home to work on it. This happened even after people sign an agreement and go through repeated training sessions where they spell out what will happen if they do something like this.

Corporations are having to deal with this same problem as portable devices can now be used to store data or take pictures that could compromise sensitive data. However, this has always been an issue. A systems administrator could walk out of work with a 4mm or 8mm tape full of sensitive/classified data and no one would know. It boils down to a matter of trust and integrity; do you trust the people who use/administer your systems? Have they shown the integrity in other matters that would indicate they can be trusted with more sensitive matters?

Unfortunately, it only takes one person in a sensitive position to screw it up for everyone else.

internet gateway? (1)

ironhide (803) | more than 10 years ago | (#9621129)

If there is an internet gateway, sensitive information can always easily, securely and anonymously escape through there.

iPod as theft/espionage device is well established (4, Interesting)

phearlez (769961) | more than 10 years ago | (#9621135)

Not in some movie - Cringely wrote about seeing a man walk into CompUSA, plug his 1st gen iPod into a Mac there and drag the MS Office folders onto it. The article claimed (I have no idea how true it is/was) that Office will re-establish the system folder items necessary so this amounted to a perfect and complete copy of the software.

That said, certainly the benign uses outnumber the malicious ones. The question is, if you have other data control policies, do you need to CYA by having this ban so you can respond to suspicious activities decisively? I also think comparisons to more easily concealed USB key devices aren't reasonable - I can't fit a large ACT! database of contacts on one of those but I can on a 40g device.

Makes sense when... (1)

JoeNiner (758431) | more than 10 years ago | (#9621142)

you know the insider threat is the most likely [entrepreneur.com]

The Gov't (2, Informative)

Thaelon (250687) | more than 10 years ago | (#9621143)

I have a friend that works for the Department of Defense, and though he wanted an iPod, employees aren't allowed to bring in any device that data could be written to, so he couldn't use it at the main place he'd wanted to.

What about other methods of stealing secrets? (3, Interesting)

HappyFunnyFoo (586089) | more than 10 years ago | (#9621144)

Do corporations outlaw email because someone could smuggle an important corporate document through a simple email attachment? You can put a heck of a lot of info on a single freemail attachment in a text file, and / or use a corporate POP3 mailserver too. Do corporations also outlaw CD-Rs because they could be used to copy important data? Do corporations outlaw floppy discs? And, above all, do corporations give their employees a darned internet connection to begin with? What about the internet itself? If someone is truly paranoid about security, it'd be more effective to plug already existing giant holes in security, and completely strip their employees of all the fundamental tools of the information age. It's hard to prevent the exchange of information on the computer: after all, a computer is a device specifically designed for just that purpose, anyways. If someone goes through all the trouble to smuggle files on an iPod when he could simply PGP encrypt them over email, it would be an act of stupidity anyways. Conclusively, it's a bad idea banning the iPods from offices. -Foo

It's a realistic threat (3, Interesting)

lachlan76 (770870) | more than 10 years ago | (#9621147)

Because you can't always just assume that a hacker is stealing information every time, it's realistic to assume that someone in your organisation would give away information for the right price.

The malware aspect though, from my viewpoint though is FUD, because (as far as I know), iPods and flash memory sticks don't run software when you plug them in. I could be wrong though. But I know people who have had 200+ spyware apps, and it's never happened to them. 200 isn't that much compared to some, but I've known him a few years, and being the only Open source guy he knows should give me some influence. Just remember, the weakest link is always the people.

And, for the record, my friend has now dumped IE, and moved to Firefox. It's offtopic I know, but I spent an hour browsing Secunia tonight, and set up a couple of the exploits (IE is vulnerable to all the ones I tried), so I know how easy it is to bring malware onto a Windows box. In short, I'm scared shitless, and anyone who brings in data from a source which hasn't been checked is just asking for trouble. Perhaps if the networks moved to a platform that was less troublesome ;)

It's my opinion though, that you can either trust an employee, or you can't. If you trust someone with the data, you should not worry about their iPod, or not trust them in the first place.

Memory is memory is memory... (1)

LostCluster (625375) | more than 10 years ago | (#9621163)

Any device that can store data on it could be the corporate secrets walking out the door. USB watch/keychain, iPod, CD-R... Nobody should be bringing those in or out of a "secure area" without authorization, otherwise those secrets could be headed to the outside world and not so secret anymore.

Ultimately if your employees are not trustworthy.. (1)

mjj12 (10449) | more than 10 years ago | (#9621165)

If I genuinely wanted to steal corporate data from an office computer, I can think of a hundred ways to do it right now from an office of average levels of security, many of them either untraceable or hard to trace. Some involve things like portable storage devices, and some don't. (The simplest simply involves carrying laptop computers in and out of the office). I have three such portable storage devices with me now - digital camera, MP3 player and cell phone.

In most environments, stopping this kind of thing without also shutting down virtually your entire business seems pretty much impossible. (There are some environments where it is clearly necessary, such as the casino and defence situations mentioned by earlier people) but these are situations where every aspect of the business has a higher level of security. In a fairly normal office setting, give me a break.

Just remember.... (1)

Kenja (541830) | more than 10 years ago | (#9621166)

Just remember, the anus is nature's USB pen storage pocket.

Going about it the wrong way (0)

Anonymous Coward | more than 10 years ago | (#9621167)

It seems like a whole lot of extra time & resources to stay on top of portable storage devices people may or may not try to bring in.

If they are so concerned, why don't they simply disable external storage devices in the domain policy?

Instead of banning the devices outright... (4, Insightful)

petard (117521) | more than 10 years ago | (#9621178)

Companies should consider hiring trusted professionals. If you hire quality, professional employees and explain the policy against putting corporate data on personal devices, this should not be a problem.

Believe it or not, most professionals want to do a good job and take pride in their work. If you set reasonable policies and explain them clearly, most will want to follow them.

Do you want to grant someone enough access to your data that they could copy it onto an iPod if you don't trust them to abide by your policies? If they have that kind of access to the data, copying it to an iPod is far from the only or best way to get it out, and you're just adding an inconvenience to your employees' lives without meaningfully increasing your own security. If you believe that banning these devices would help, your problems run much deeper and you should rethink the way you're doing business.

How can the iPod users introduce Malware? (1)

callipygian-showsyst (631222) | more than 10 years ago | (#9621183)

Because any of the software from their Macintoshes won't run on the office Windows network, this isn't a big problem.

what about floppy disks? (0)

Anonymous Coward | more than 10 years ago | (#9621190)

How is a USB storage device any different from a floppy? How often does security ask you to leave those at the door? They have just as much of a risk as any other storage device, regardless of whether or not it looks like a pen.

Dephyler

Are iPods a commodity item now? (0)

Anonymous Coward | more than 10 years ago | (#9621192)

iPods are security risk, warns analyst

Just looking at the title of this article one could assume that the iPod has become such a recognizable personal device that it is reaching commodity level... way to go Apple.

More at the movies (5, Interesting)

randomErr (172078) | more than 10 years ago | (#9621202)

Remember last year, the movie 'The Recruit'? One of its big premises was that a CIA agent was smuggling out data; but they couldn't figure out who was stealing the information, and how. The smuggling device turned out to be a common USB flash drive hidden under a coffee thermos's seal. The USB drive didn't come up in the CIA scans because the drive wasn't active; the inactive drive wasn't giving off any EM for them to detect.

I think USB, IR, and now 802.11 devices and Bluetooth enabled cell phones could be a real concern for data centric firms.

As a side thought, companies may begin to ban cell phones as well. Late last year Slashdot had an article about a cell phone detection device made in Israel. People were leaving modified cell phones in planters. The modified phones would transmit the conversation of anyone in the room for about a week. Thus making a cheap spy toy.

ROFL (0, Offtopic)

Ag3nt (790820) | more than 10 years ago | (#9621203)

For some reason yet unknown to me, the instant I finished reading this story, I pictured a company's network administrator hugging his file servers while morphing into Gollum..... *Caresses the file server* ......My precious.......

Consultant (1)

Sheepdot (211478) | more than 10 years ago | (#9621205)

If you're a consultant, they want your help, so they should let you do what you need to. Even as a security consultant, with the intention to break or steal, you can get away with a lot.

If they are not letting you in with your watch, I'd say they are security conscious enough. But then again, if they give you web access, you can just as easily upload to a webpage. (But at least they'll have a log of that)

Hmmm... (1)

Last_Available_Usern (756093) | more than 10 years ago | (#9621210)

I liken this to removing cars from the road and forcing people to take trains because they're safer.

There's a reason there are so many types of media...because people have a need to quickly get data between locations. Let's address the two issues one at a time:

Data theft: If you don't trust the people you hire to be loyal to your company, then either:

a. You shouldn't hire these people
b. You are already aware of the fact that you mistreat your employees and worry about them taking recourse.

Virus/Malware: With a little education and proper software protection, I think any admin will agree that the malware/virus issue can be negated as well.

Forget espionage! It's the RIAA who wants a piece (1)

cvbear0 (231010) | more than 10 years ago | (#9621212)

I think I would be more worried about the RIAA busting me for having "illegally" downloaded music on my network!

Daddy's USB Drive (2, Funny)

Carcass666 (539381) | more than 10 years ago | (#9621214)

This USB Drive was in your Daddy's pocket when he was shot down outside the office. He was captured and put in a Boeing prison camp. Now he knew if the suits ever saw the drive it'd be confiscated. The way your Daddy looked at it, that drive was your birthright. And he'd be damned if any dopeheads were gonna put their greasy corporate hands on his boy's birthright. So he hid it in the one place he knew he could hide somethin'. His ass. Five long years, he wore this drive up his ass. Then when he died of dysentery, he gave me the drive. I hid this uncomfortable hunk of plastic up my ass for two years. Then, after seven years, I was sent home to my family. And now, little man, I give the drive to you.

What next, cellphones? (2, Insightful)

GAMMAH_DJ (767495) | more than 10 years ago | (#9621224)

Nokia cellphones [and I'm sure those from other manufacturers] have flash media slots in them that can accept memory at least up to 1GB in size. And with bluetooth connectivity, you could easily transfer data from your machine to cellphone, without even having to have the device in plain view.

Laptops? (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9621232)

I have worked for and heard of several companies that ban the use of instant messenger "to prevent corporate espionage". They also wouldn't install CD burners in PCs "to prevent corporate espionage".

Of course, there was nothing stopping you from walking out the door with a laptop, with a 30GB hard drive.

So Can Printers, Email, Pens and Paper (1)

ThatDamnMurphyGuy (109869) | more than 10 years ago | (#9621243)

I really don't understand the paranoia about stealing company secrets in relation to USB based devices.

If you have access to a printer, print it and take it with you.

If you have access to pen and paper, write it down and take it with you.

If you have access to email, email somewhere else.

If someone wants to steal secrets, they're going to do so. Yes, I know, it's about minimization of risk just like there is no such thing as secure, but only minimization of risk. But sometimes the paranoia can go too far and frustrate workers.