Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

State Agency to Destroy Unauthorized USB Drives

Zonk posted more than 6 years ago | from the what-they-don't-know-won't-hurt-you dept.

Data Storage 179

Lucas123 writes "The State of Washington's Division of Child support has forced hundreds of workers to turn in personal USB flash drives and has instead begun issuing corporate-style USB drives. The goal is to centrally monitor, configure and prevent unauthorized access to storage devices. So far about 150 common drives have been issued. The agency eventually plans to destroy all existing thumb drives collected as part of the security policy change."

Sorry! There are no comments related to the filter you selected.

Misleading summary (5, Informative)

jlowery (47102) | more than 6 years ago | (#22781150)

The article states that the previous drives were "independently purchased" by employees, which likely means they got permission to buy a drive, went to Staples to get it, and then were reimbursed by the state. That would mean that they are not "personal" USB drives.

I know... I apologize for reading the article.

Re:Misleading summary (1)

jlowery (47102) | more than 6 years ago | (#22781170)

Also... no mention of these drives being "unauthorized". Maybe the submitter needs to read the article as well.

Re:Misleading summary (4, Insightful)

aurispector (530273) | more than 6 years ago | (#22781824)

It really isn't clear at all exactly who purchased the drives and under what authority. Early in TFA they refer to "privately owned drives" which clearly indicates personal property, but in the same breath refer to state owned drives - and the difficulties in distinguishing between the two. The agency may well have a policy allowing them to confiscate personal items containing confidential information. Props to the agency for recognizing the problem.

The whole point of the exercise appears to be about safeguarding the data. The /. submission focusses on the confiscated drives being destroyed, which in TFA is a minor note at the end of the article. It appears that the state has to choose between paying someone to wipe all those drives or "destroying" them by some as yet undefined but presumably secure method and of the two, destruction would presumably be the most reliable.

A better title would have been "Washington's Division of Child Support takes important steps needed to safeguard confidental data" or "State agency moves to plug USB flash drive security gap". Oops, never mind, the second one was already used by *TFA*.

Re:Misleading summary (4, Informative)

damsa (840364) | more than 6 years ago | (#22781194)

They are "personal" drives as opposed to "enterprise" drives in the sense that the state issued drive has additional features not available to the regular Staples consumer.

Re:Misleading summary (0)

Anonymous Coward | more than 6 years ago | (#22781464)

They are "personal" drives as opposed to "enterprise" drives in the sense that the state issued drive has additional features not available to the regular Staples consumer.
Such as?

Re:Misleading summary (2, Informative)

Anonymous Coward | more than 6 years ago | (#22782020)

If you were really that interested in knowing, you would RTFA.

The flash drives they are providing for their employees have 256-bit AES encryption and a user-defined password. After 10 (presumably consecutive) failed attempts, the drive deletes its data. It also comes with remote management software, "which relies on a Web connection to directly communicate with agents on the tiny flash drives, [and] can also remotely monitor and flush any lost drives."

Sounds a lot better than the generic memory stick you buy cheap at Sam's Club, doesn't it? (At least from a data-security perspective.)

Eat my goatse'd penis (0)

Anonymous Coward | more than 6 years ago | (#22781196)

Goatse. [twofo.co.uk]

You nerds love it.

Re:Misleading summary (0, Offtopic)

davmoo (63521) | more than 6 years ago | (#22781204)

You read the article??!! What are you, some kind of damned troublemaker?! :-)

Re:Misleading summary (-1, Offtopic)

rucs_hack (784150) | more than 6 years ago | (#22781278)

You read the article??!! What are you, some kind of damned troublemaker?! :-)

Yeah! lets grab our pitchforks and storm his castle before this gets out of hand. He might be a communist too....

Re:Misleading summary (2, Informative)

warprin (794839) | more than 6 years ago | (#22781296)

I agree, they probably got a supervisor's (at least one) ok on buying their own usb drive, it caught on, and then everyone started using them. Who knows if it was management that first decided to use non-approved drives. All we know is that the drives were not "coorrectly/officially" approved by the right department with the mandatory 100-page approval document.

Re:Misleading summary (3, Funny)

notaspunkymonkey (984275) | more than 6 years ago | (#22781346)

"the mandatory 100-page approval document."

How the hell did you get access to my document - I store it on my personal USB drive, its the only copy... when they took it off me and gave me that new one I thought they destroyed my personal one..

Does that mean you have those pictures of my wife too???

Re:Misleading summary (1)

Corporate Troll (537873) | more than 6 years ago | (#22781762)

Does that mean you have those pictures of my wife too???

...and I frankly didn't know anyone could insert *that*! Uh, /ME needs brainbleach.

Re:Misleading summary (0, Offtopic)

iphayd (170761) | more than 6 years ago | (#22782360)

Dude,

We've all had pictures of your wife for years.

Re:Misleading summary (0)

Anonymous Coward | more than 6 years ago | (#22782568)

You have a W.I.F.E? Didn't know that slahdot people had any of those...

Re:Misleading summary (1)

warprin (794839) | more than 6 years ago | (#22781320)

I thought "independently purchased" in government terms meant "not properly approved"- a friend of mine who works for the Treasury Dept can't even bring in her own trackball instead of using a mouse. And the sub-department she works in won't order one, they say the pc mouse is just fine, thank you.

Re:Misleading summary (3, Funny)

martin-boundary (547041) | more than 6 years ago | (#22781376)

I know... I apologize for reading the article.
Weeelll. Looks like we got ourselves a reader! [youtube.com]

Re:Misleading summary (0)

Anonymous Coward | more than 6 years ago | (#22781594)

Excellent clip, thanks.

Re:Misleading summary (1)

harry666t (1062422) | more than 6 years ago | (#22781894)

It always bothered me...

How the hell is the slashdot effect even possible when nobody does RTFA?

Re:Misleading summary (1)

mlk (18543) | more than 6 years ago | (#22782090)

Everyone clicks the links so they can look for Flash or PDFs to bitch at. Many also how that /. has a Goats.cx on the front page. But clicking the link is not the same as reading the article.

Re:Misleading summary (0)

Anonymous Coward | more than 6 years ago | (#22782108)

It always bothered me...

How the hell is the slashdot effect even possible when nobody does RTFA?
All the nerds still open the links, it's just that they're only looking for pictures.

Misleading Summary leads to Misleading Tags (1, Insightful)

keirre23hu (638913) | more than 6 years ago | (#22781438)

Now some geniuses have tagged it privacy - what does the state erasing a thumb drive it owns have to do with privacy?

But then again what does the content of the article have to do with analysis on Slashdot... yeah I know.. flamebait..

Re:Misleading Summary leads to Misleading Tags (2, Insightful)

Firethorn (177587) | more than 6 years ago | (#22781508)

Oh, I don't know, maybe erasing the drives makes sense because they contain case files and such?

The replacement drives might support encryption, which is a normal 'corporate' feature.

Re:Misleading Summary leads to Misleading Tags (4, Insightful)

keirre23hu (638913) | more than 6 years ago | (#22781656)

Oh, I don't know, maybe erasing the drives makes sense because they contain case files and such?

The replacement drives might support encryption, which is a normal 'corporate' feature.
Your sarcasm is duly noted and definitely misdirected - my point is that the state has the right to do what they please with their hardware. If they decide to erase the drives because they have purchased better equipment, that is their prerogative. Unfortunately the summary leads one to believe that the state gov't is saying, "you used your personal thumbdrive for work, so bring it in and we'll erase it" when actually, what appears to have happened is that they (stupidly/cheaply) purchased non-enterprise drives for enterprise purposes, then figured it out sometime later and decided to "fix" the problem - not really a big story... but like I said.. this is slashdot, where too many people believe in the process of "ready, fire, aim"

when it comes to commenting or responding... comprehension is not necessary.

The use of the word "personal" was obviously targetted at getting a rise out of the non-RTFA crowd, as the article itself never terms the drives - "personal drives". They called them "nonapproved thumb drives". We recently discussed "secure" thumb drives [slashdot.org] and I hope they arent wasting their (taxpayers') money on the version of the Cruzer reviewed in the article.

Re:Misleading Summary leads to Misleading Tags (4, Informative)

CTachyon (412849) | more than 6 years ago | (#22781700)

Now some geniuses have tagged it privacy - what does the state erasing a thumb drive it owns have to do with privacy?

RTFA. The reason the state is issuing these new fancy-schmancy thumb drives is that the new ones (claim to) have 256-bit AES encryption and (claim to) self-destruct after 10 consecutive wrong passwords. They're doing this whole switch because of privacy, because the thumb drives contain the private, personal case files of hundreds/thousands of citizens.

Re:Misleading Summary leads to Misleading Tags (1)

sBox (512691) | more than 6 years ago | (#22782486)

Exactly.

At MyCo, all of our laptops (portables) must be encrypted. The same goes with other portable media. By selecting a certain vendor with an acceptable compromise of security and useability, we can significantly REDUCE the ability of an accidental or externally malicious compromise of customer and corporate data. REDUCE is the key, nothing is perfect.

In the OS, we can also limit these drives to specific users, models and serial numbers to prevent further exposure. That way secretary 'A' cannot transfer files, templates, documents, etc., to her iPod before leaving to competitor 'B'.

Good policies, technology and policing is the only way to control the accessibility of our data, whether they are files or data over the wire.

Re:Misleading summary (0)

Anonymous Coward | more than 6 years ago | (#22781590)

The article does not say they got permission, went to Staples and bought one.
It says people have been usingdrives they got personally, some their personal drives others
they got for business reasons.

Good (3, Funny)

BadAnalogyGuy (945258) | more than 6 years ago | (#22781160)

I don't want government employees listening to MP3s while at work. They are slow enough as it is.

Re:Good (1)

William Robinson (875390) | more than 6 years ago | (#22781248)

I don't want government employees listening to MP3s while at work. They are slow enough as it is.

Hell no...At least they used to be in their seat to listen music. Now I have to run around pantries, coffee shops and pubs. :P

Re:Good (3, Insightful)

Skater (41976) | more than 6 years ago | (#22781606)

I'm a government employee. My options are either (1) listening to MP3s and being slower or (2) being completely ineffective because I have to listen to my hyper coworker who has no inside voice screaming all day. She loudly, and randomly, says things like, "I'm not getting any work done guys!" to no one.

tor users sign up while exit nodes sniff (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22781176)

thanks to the automatic -1 rating now for AC, tor users are forced to sign up for a slashdot account but their passwords are probably sniffed by exit nodes.

what does this mean?

rather than posting as AC with score 0, ACs posting with auto-score of -1 must sign up and while using tor maybe lose their account to an exit node sniffer or have their account used to post garbage by a rogue entity.

thanks slashdot for caring!

Re:tor users sign up while exit nodes sniff (0)

Anonymous Coward | more than 6 years ago | (#22781368)

Why should we care? You want to AC... be a man and declare who you are

Re:tor users sign up while exit nodes sniff (1)

daveime (1253762) | more than 6 years ago | (#22781472)

So you are worried about an account you didn't want in the first place being sniffed and hi-jacked by someone else ? If you are so paranoid about identity theft, that you think someone would steal your Slashdot account over say, your online Credit Card payments or online Banking Details, then maybe you'd be better not using the Internet at all.

Re:tor users sign up while exit nodes sniff (0)

Anonymous Coward | more than 6 years ago | (#22782496)

your reply does nothing to help the situation.
AC should not be -1 by default, but this is typical in the land of the stuFREEpid.
It was more or less a concern of malicious exit node ops using the account to post rubbish and how that would affect /. rather than being "paranoid" some people have to use tor in countries where the government is controlled by tyrants.

you sir, can fuck off.

You can have my USB key (0)

houghi (78078) | more than 6 years ago | (#22781188)

when you pry it out of my dead cold fingers.

Seriously, how can they confiscate personal belongings? I can understand that they forbid the use, but how can they just take away something that belongs to me. Something that is mine.

What about cellphones? Or mp3 players? Those can be often used in the same way. Will those be confiscated as well?

It is good that they issue some sort of encryption, yet that does not mean they should be confiscating all the rest.

RTFA (4, Insightful)

jlowery (47102) | more than 6 years ago | (#22781192)

They're likely neither unauthorized or personal.

Re:RTFA (0, Offtopic)

kramulous (977841) | more than 6 years ago | (#22781252)

That 'smoking crack' was some of the funniest stuff I've seen. Oh, and comment was useful but a waste of time ... the RTFA bit anyhow.

Smiles

Re:You can have my USB key (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22781216)

Well, it appears that somebody removed your ability to read as well as reason. Could it be that only drives that were bought and paid for by the state and are in personal holding are the ones being discussed here? Yup.

Re:You can have my USB key (0)

Anonymous Coward | more than 6 years ago | (#22781220)

If you had RTFA, you would know that they're not personal USB keys.

If the government pays for it, it belongs to the government.

Re:You can have my USB key (1)

Comboman (895500) | more than 6 years ago | (#22782270)

Too bad the person who wrote the summary didn't RTFA, because the summary says they were personal USB keys.

Re:You can have my USB key (1)

IBBoard (1128019) | more than 6 years ago | (#22781222)

Chances are they've been using their 'personal' USB sticks to transfer work documents. If that's the case and the agency have some form of classification level or protection for their information then more fool them for putting the information on a personal device.

It's the same in any military situation - hook a device up to a Restricted or higher machine and the only way to 'declassify' it is with a hammer.

Or, as some people have pointed out from TFA, it could be that these were purchases that they've been reimbursed for that they've just been using as if they were their own. Again, if that's the case, more fool them.

Re:You can have my USB key (4, Insightful)

Tyndmyr (811713) | more than 6 years ago | (#22781574)

Having spent quite a few years working for the US government, I assure you, they were either reimbursed for them if they were officially permitted, or warned against using them. It's not uncommon to sign a waiver giving them permission to confiscate storage media if you store sensitive stuff on it, and personally, Im rather glad to see them being responsible with information that could pose a major privacy threat.

Accuracy of Story? (2, Informative)

sepluv (641107) | more than 6 years ago | (#22781190)

It doesn't say in TFA that they have confiscated and destroyed existing drives (and, if they have, it may only be state-owned drives).

Although, it does say in the quote from the manager that they will "manage and back up the new drives using SanDisk's Central Management & Control server software...which relies on a Web connection to directly communicate with agents on the tiny flash drives [and can] remotely monitor and flush any lost drives" so they could read and delete files on the disks remotely.

It also says that they chose the disks for their MSW Vista compatibility which suggests that the "agents" really are (as previously quoted) on the disk rather than the PCs (one assumes so they can track what their employees do with the disks while not using their PCs, which really doesn't seem necessary to me). Hopefully they do have software on the PCs too to ensure that non-authorised disks are not used and to monitor activity if the "agents" are removed from the disk by intrepid employees.

Although, I suppose, in principal, the right to privacy of their clients (which could be breached by data being transferred out of the building) overrides the right to privacy the government employees have while in the office.

Re:Accuracy of Story? (4, Insightful)

sepluv (641107) | more than 6 years ago | (#22781226)

My bad. It says "after recalling the thumb drives used by workers. Most of those had been purchased independently by the employees, causing myriad problems for security personnel, Main said. The new policy requires workers to use the drives supplied by the agency. Main said he eventually plans to destroy all existing thumb drives collected as part of the security policy change." Although, I think from this and following comments like "The general perception is no one will report a lost USB memory stick because they're so cheap" there is an implication (although it isn't explicit at all) that the drives were bought with public money and used for public work.

Once again, I don't think there is too much to complain about here. It shocks me how many employers (even in sensitive areas like government departments and law firms) have PCs that will even, by default, run software or an operating system from a USB drive. According to TFA, in this case "sensitive data transported by off-site workers include[d client's] tax documents, employer records, criminal histories and federal passport data" and commonly "the names, dates of birth and Social Security numbers of children".

Of course, in opposition to what the article says, I think education about data protection legislation and issues is more important than attempting to physically constrain employees (which is ultimately impossible), although both may have their place.

Sensible policy (4, Informative)

MosesJones (55544) | more than 6 years ago | (#22781200)

Before people moan about "personal" these aren't things that people have paid for with their own cash (they got the cash paid back). The other point is that banning removable storage is a difficult, but sensible, policy when there is confidential or valuable information about. Hopefully these USB sticks will be encrypted and tied to only the departmental machines (i.e. no working at home on confidential information) in order to prevent misuse or sale.

This isn't a personal privacy issue for the users (after all its just a USB key) its a personal privacy issue for the people on whom the department stores information.

Re:Sensible policy (2, Interesting)

CastrTroy (595695) | more than 6 years ago | (#22781262)

Do they even need to be taking information off premises? If the drives aren't encrypted they aren't secure. What computers are they hooking them up to? Are those computers secure? If you're only going to use the data on departmental machines, a network storage solution would work a lot better, and be a lot more secure.

Re:Sensible policy (2, Interesting)

AlecC (512609) | more than 6 years ago | (#22781372)

The whole point of the article is that they are replacing dives of unknown source and capabilities with encryptes drives which self-wipe on to many access failures. They are, correctly, replacing insecure devices with secure ones and destroying insecure ones with confidential data.

Re:Sensible policy (2, Interesting)

CastrTroy (595695) | more than 6 years ago | (#22781918)

The point is, where are they taking these drives? If it's just for between computers within the organization, a network storage solution would work better. It would be more secure, and the files would never leave the premises (ideally). The only need for USB drives is to transfer data between computers not on the network. If the information they are transporting is really all that important and confidential, it's probably best that they never give access to it from unknown computers. Once you enter the passphrase, the computer it's hooked to can do just about anything with the data.

Re:Sensible policy (1)

AlecC (512609) | more than 6 years ago | (#22782026)

Very true. I was assuming that the need thus to transport the data is proven. For example, a case worker might need to look up notes at a client residence while interviewing the client, or to update notes immediately after a client visit because they will be stale by the time s/he returns to the office after several, possibly ewearing, client visits. These are legitimate reasons to take the data off site. Obviously, they are reasons with a security cost, and the cost/benefit must be positively evaluated rather than just let slip. It seems that this organisation is doing just such an evaluation, and taking appropriate proceures to minimise the cost - which will actually allow more benefits to pass the cost/benefit threshold. Far too few organisations do that, and they are to be applauded for doing so. Obviously, eache benefit must be evaluated, and should not exceed its cost. And particularly, as you say, if there is no need for the data to go away from the central storage, there is a need for it not to do so. Every organisation handling confidential data should have a frequently-reviewed policy for secure data handling, and every reduction in security should be justified by needs which cannot be met other ways,

Re:Sensible policy (2, Interesting)

CastrTroy (595695) | more than 6 years ago | (#22782286)

If they need to type up notes about cases, without being at the office, then get them a laptop and secure that. Sure they could still hook that up to another home computer, or to a USB drive, and data could get in the open, but there will be a lot less reason for them to do so. Giving them a USB drive gives them the ability, and actually encourages them to put the data on insecure systems. For the extra cost of these fancy USB drives, you could probably provide them with a laptop (over the cost of a desktop), and just install truecrypt on it.

Re:Sensible policy (4, Insightful)

Moraelin (679338) | more than 6 years ago | (#22781334)

Call me a cynic, but based on the experience of some places I worked for, it might just end up something like this:

1. What maybe started along the lines that you described, then has to go through controlling or purchasing or such, which in a lot of places have their job judged and measured by how much they saved. If they saved 10,000$ at the cost of making everyone else spend 1,000,000$ in workarounds and lost productivity, they're doing their job right. So someone will go "auugh, why should we pay a few bucks more on very secure drives, when we could get ordinary ones at a bulk discount? Look, there are these drives with fingerprint scanner for half the price. That's secure, right?" (See the vulnerability linked even on Slashdot recently.)

2. Someone else (or in some organizations the same) will have to make sure it's one of the approved suppliers. Ideally this would mean those who have a good track record of reliability, quality, etc. In practice, it'll mean one of (A) whoever pays more bribe, or (B) the boss's wife's or cousin's supplies company, created just to siphon some money off such purchases. If it's a state agency, stuff like pork barrel, political favours and lobbies have something to do with it too.

Since this _should_ be in conflict with #1 and is exactly the kind of thing that #1 is supposed to catch, sometimes they split the bribe, sometimes they trade favours, and sometimes inventive discounts are used. Like we'll price the USB sticks at $1000 each, give you a 50% discount, and let you show that you've done your job right by negotiating a whole $500 discount per drive.

3. Some IT department has been given thoroughly counter-productive goals, like only keeping the computers or the network running, but no mention of actually providing a service to the rest of the organization. So suddenly the users are their sworn enemies, the filthy pests that keep using and screwing their preciouss computers and network. They'll do their best to contain, thwart and plain old inconvenience those users at every step. So the "secure" setup for those drives will be just an exercise in making it as inconvenient to use as possible, to teach those pesky lusers a lesson.

And indeed the users do learn a lesson: that if you want to get your job done at all, you have to do your own unauthorized workarounds. There goes most of security out the window right there.

Alternately, the IT department has also been on the shit end of #1, and is underfunded and staffed with the cheapest monkeys who can sorta bang on a keyboard, and don't fling too much feces at the screen. So they'll configure something which they think is right, but is not.

Yet another alternative is that a lax PHB can't be bothered to actually organize IT, and some BOFH personality types feel free to override everything and do what _they_ please. I've seen it happen. Stuff like production servers configured without XA support for _years_, just because the relevant BOFH thought that's a buzzword and it runs just as well without it anyway, plus it saves him the bother of installing the relevant libraries on all servers. So he _lied_ to the team for years that they have a feature that they didn't actually have.

And not only I can see all three happening with security too, I've _seen_ it happen with security features too.

4. Some PHB will figure out that it's not really an "enterprise" drive unless it has the organization's logo on it. In fact, that that's what makes anything properly enterprise.

Some frustrated users that have been on the shit end of #3 too often, will begin just printing and gluing makeshift logos to their own USB sticks, rather than put up with Mordac The Preventer Of IT Services again. Noone will be any wiser.

Etc.

Re:Sensible policy (1)

Threni (635302) | more than 6 years ago | (#22781496)

Not very green though, is it - destroying stuff like that. Isn't there a requirement to dispose of it in an environmentally friendly way? Do they like the competence to delete data beforehand?

Same thing happens in the UK - your car can be seized under certain circumstances and crushed. Why? Why not just sell them to someone else? It doesn't make any sense.

Re:Sensible policy (1)

ruin20 (1242396) | more than 6 years ago | (#22781646)

The government has strict policies on the labeling, use and storage of classified information. Technically any electronic media present in the workplace should be labeled with it's content and classification level. Classified data isn't only restricted to the office, but locked up in special safes. Alot of the problem is that information that is confidential (like your tax records) or proprietary (like Boeing's designs) are much much much more accessible and less securely kept. I have a feeling this is more for the IRS and DHS types rather than the actual lifeblood tech development because those guys already have these practices in place

Re:Sensible policy (0)

Anonymous Coward | more than 6 years ago | (#22781856)

If the State's Security and It staff were competent. they could simply issue a policy that disables USB disc and storage access.

But it's a lot more efficient to issue drives and destroy old ones. Yea that will increase security!

When will we hear, "State of Washington hires competent IT people, pays a competitive wage!"

What a waste (1)

King_Dude (1174325) | more than 6 years ago | (#22781206)

Are they using proprietary encryption software? Because I suppose that takes away all chance of accessing them on any computer not running windows (as in: "they chose the drives for their excellent support for windows vista). I'm also annoyed (as I always am with things like this) that they are going to destroy the drives as opposed to Zeroing them out and selling them second hand.

Re:What a waste (4, Insightful)

jlarocco (851450) | more than 6 years ago | (#22781238)

I'm also annoyed (as I always am with things like this) that they are going to destroy the drives as opposed to Zeroing them out and selling them second hand.

Two things to consider:

  • By the time most government hardware gets destroyed, it's already obsolete. My guess is most of the drives they're destroying are well under a gig. Who would buy a used 256 MB flash drive?
  • Destroying the drives is harder to fuck up. I don't know what information they're storing about people, but I'd rather it not be accidently released. It's pretty easy to see which drive hasn't been smashed to bits with a hammer, not so much which drive has been properly zeroed and formatted.

Re:What a waste (3, Informative)

SharpFang (651121) | more than 6 years ago | (#22781558)

especially that due to wear protection flashdrives are pretty hard to zero. Overwriting files is not guaranteed to delete the data because the 'overwrite' may (and likely will) happen elsewhere than original data was. You can still fill the whole drive with zeros (or better - random noise) but the science concerning recovery of overwritten data from flash memory is nonexistent - nobody knows if whether it can or can't be done.

Re:What a waste (2, Insightful)

TractorBarry (788340) | more than 6 years ago | (#22781686)

> Who would buy a used 256 MB flash drive?

Depends on the price. If they were 1p I'd buy 100 of 'em. 256 Mb is still a useful amount of storage (plain text, html, mp3 etc. etc.).

Re:What a waste (0)

Anonymous Coward | more than 6 years ago | (#22781712)

It's pretty easy to see which drive hasn't been smashed to bits with a hammer, not so much which drive has been properly zeroed and formatted.

It's hard to zero a USB drive because of wear levelling. If it's sensitive data, you don't want it lying around in blocks of flash memory that are temporarily being rested.

Re:What a waste (0)

Anonymous Coward | more than 6 years ago | (#22781240)

zeroize? Great, so you can only access the data if you're motivated. Remember, this is one of those "guilty utnil proven innocent" government agencies. I'd really rather 3 year old thumb drives be destroyed, since most of the value is in the data on them, not of a 3 year old 128mb thumb drive. Get a grip.

And yes, it's good that they will only work in corporate computers, in this situation.

what's the point? (0)

Anonymous Coward | more than 6 years ago | (#22781212)

even if the corporate USB drives have rootkits or such on them that record all 'copying' activity, would they do the logging when connected to linux? agreed, they'd probably know what you copied off 'their' computers, just not what you did with it.

and would they notice if you copied C:\data.txt to D:\data.mp3 ?

anyways, sounds lame.

Waste (2, Insightful)

ajs318 (655362) | more than 6 years ago | (#22781228)

At the very least, they could /dev/zero them and give them away.

Re:Waste (1)

AlecC (512609) | more than 6 years ago | (#22781382)

And how sure are you that /dev/zero actually destroys the data rather than just removing pointers to it? A study of disk drives bought on ebay showed that 1/3 had not been wiped at all and 1/3 had been re-initialised in a way that made it trivially easy to recover the "deleted" data.

Re:Waste (2, Informative)

ajs318 (655362) | more than 6 years ago | (#22781534)

dd if=/dev/zero of=/dev/sda1 will write zeros to /dev/sda1 until interrupted (which will happen of its own accord as soon as /dev/sda1 is full).

/dev/zero is a virtual device that whenever you read a character from it, comes out with a stream of zeros; it is always ready to read and never shows end-of-file. /dev/sda1 is a device that represents the first partition of the first SCSI, SATA or USB disk drive, treated as one huge file (which happens to contain all the files and pointers to them) rather than a file system.

Simpler version: I know, because that's just the way computers work. (And I've read the Source Code.)

Re:Waste (1)

Culture20 (968837) | more than 6 years ago | (#22781676)

And you can
dd if=/dev/sda1
before and after to be sure.

If you're really paranoid, there's also shred:
shred -n 300 -z -v /dev/sda1
(writes random data to /dev/sda1 300 times, then writes 0's. Spends a couple cycles with I/O to screen to let you know it still cares, [-n 0 -z -v] for a verbose version of dd if=/dev/zero)

Re:Waste (-1)

ajs318 (655362) | more than 6 years ago | (#22782082)

You don't need to overwrite data more than once to make it unreadable. Anybody who tells you you do is full of shit and does not know how computers work.

Re:Waste (1)

hakr89 (719001) | more than 6 years ago | (#22782298)

300 passes is all kinds of overkill. 1 pass is usually fine. 10 passes if you're somewhat paranoid. If you have more paranoia then 35 passes will get rid of, then you just better find some way of properly destroying the drive, because it's never coming clean.

In Soviet Russia... (0)

rodney dill (631059) | more than 6 years ago | (#22781246)

...USB Drives flash you.

Won't work, even with all the good faith... (2, Interesting)

dpbsmith (263124) | more than 6 years ago | (#22781254)

It's like trying to stop people from bringing in cell phones or iPods or PDAs... or creating personal Yahoo mail accounts from company machines... or playing solitaire at work. They are just too ubiquitous and there are just too many of them. Unless you get draconian (make it cause for immediate termination, and frisk every employee at the door... and I mean every employee, including all the vice presidents and directors and department heads).

Even employees that mean to comply will forget, will be at work and need one, reach in their pocket, and find they've got one of their own instead of the corporate-issued one.

I don't know what the answer is, but banning ubiquitous technology is like Canute holding back the waves.

The most dramatic case of the utter failure of this sort of thing I've seen occurred at a company in the 1990s which didn't quite understand that personal computers were personal. This was in the days before antivirus software was standard on any business machine. The company became seriously infected with a boot-sector virus. They had the entire IT department, SQA department, and tech support departments literally stop all their work for about a week while they went throughout the company collecting diskettes and disinfecting them, then pronounced the company clean. Apparently it never occurred to anyone that there were diskettes that weren't in the building.

Even then there were laptops, and, without pointing fingers--OK, pointing fingers--laptops were expensive at the time, and it was mostly the high-income and high-ranking employees, and, of course, people with good reason to have them--salespeople typically--that had them.

The company was reinfected by the same boot virus within less than a month.

Re:Won't work, even with all the good faith... (1)

sepluv (641107) | more than 6 years ago | (#22781338)

I don't see what is so draconian about terminating government employees who take personal data (that might be used for, say, ID theft) on citizens out of the building, no doubt committing a crime under data protection legislation in the process. After a few terminations, I'm sure they'd stop doing it. Governments tend to be way to lax with our data allowing their employees to repeatedly "mislay" it.

Re:Won't work, even with all the good faith... (1)

tubs (143128) | more than 6 years ago | (#22781446)

1) Get senior management support
2) Diasble all USB ports on all computers
3) All users to run as "Users" and not local administrator
4) Use GPO to diasble auto install of USB devices
5) Use GPO to deny all programs unless authorised (Not often used, but in windows you can stop a logged on domain user from running any programs whatsoever, including explorer)
6) Install Proxy that "denies" all webistes except approved one
7) Pissed off users, but more secure network. Senior management support you, so flack directed to them :-)

Re:Won't work, even with all the good faith... (0)

Anonymous Coward | more than 6 years ago | (#22781728)

2.5) physically lock (with key-lock) all computers
2.75) turn off firewire in BIOS 2.85) fill all usb and firewire ports with epoxy (if someone _has_ to have USB or Firewire, a PCI card can be purchased at the department's expense (after filling out red-tape paper)

And no, I'm not kidding. We're talking about security of citizen data, people...

Re:Won't work, even with all the good faith... (2, Insightful)

dpbsmith (263124) | more than 6 years ago | (#22781790)

There are three problems with this. The first is that you're framing the problem too narrowly. It's not "denying use of USB thumb drives," it's "creating a culture for proper handling of data." If they can use USB drives, they'll email attachments to themselves. Or use a WebDAV account. Or use a Bluetooth-enabled portable hard drive. Or whatever. The problem that needs to be addressed is "why are people taking data with them? If it's for a legitimate reason, how do we facilitate their doing it properly? If it's not legitimate, how do we convince them not to do it?"

The second is that you can't do this stuff in a top-down way. You can create the illusion that you've done it, with a paper trail showing that every employee has signed a memo or whatever, but you need to get employee buy-in. The second is... and I hinted at this point in my original post... very often the set of people who are not in compliance includes people who are in upper management. The CEO may _say_ "you have my backing," but is he really going to fire the CFO for using a thumb drive?

  The third is that if employees get the idea that you are, as Dilbert calls it, "the preventer of information services," you've already lost the battle. You can instill a corporate culture that says "as government professionals, we are proud of our ability to work effectively within a secure information framework." But you can't achieve this by putting superglue in the USB ports.

Re:Won't work, even with all the good faith... (1)

Corporate Troll (537873) | more than 6 years ago | (#22781848)

Senior management support you, so flack directed to them

They'll drop you like a hot potato when that happens. Besides, "Senior Management" are "Users" too and guess which side they'll take once they discover their lunch-time solitaire will be gone? It won't be yours.

Re:Won't work, even with all the good faith... (1)

AlecC (512609) | more than 6 years ago | (#22782188)

There can be justifiable reasons for taking the data off site. Rather than banning it completely, you need to do a (security) cost/benefit analysis and justify the action. And if yu can reduce the security cost, you may well be able to access more benefits.

Oi - get real (2)

onyxruby (118189) | more than 6 years ago | (#22781274)

Government agency does the right thing with trying to protect data and people still complain about it. Get real, not everything is a conspiracy, ok? The flash disks are government property, not personal, so why is anyone complaining.

Government and private sector agencies destroy used disks every single day using methods from as simple as patterning 1's and 0's to smelting the platters. This happens so often that their are dedicated machines available to do it for you right up to dedicated companies that specialize in the destruction.

/me grumbles and wants 5 minutes wasted out of my life back now...

Misleading Comments... (3, Informative)

Khue (625846) | more than 6 years ago | (#22781302)

I think that they are actually being fairly reasonable about the whole issue. USB keys are a severe security risk as far as controlling access to data leaving a business. People leave with Excel sheets full of database information, confidential email, and sometimes text pads containing passwords to various systems. We've already begun the process of completely disabling all computers company wide from their ability to write to removable drives which essentially takes away the threat a USB key poses. Here we see that the state spent a reasonable amount of money (cost of the usb key itself + enterprise management software which probably has some sort of CAL) just so employees could still use USB keys. In my environment, employees just straight up would never have access to USB resources to begin with... Can you imagine the consequences of a disgruntled employee walking out of the office with a spreadsheet of 65k+ credit card records or other customer records? Hello Fidelity Insurance scandal...

Hah (0)

Shadow-isoHunt (1014539) | more than 6 years ago | (#22781318)

You can take my U3 drive from my cold, dead fingers! Gonzor's payload comes in handy.

Whiii... (0)

Anonymous Coward | more than 6 years ago | (#22781342)

I gotta admit I was too lazy to actually read the linked article (oh come on, so were most of you) but...

I've worked in the ministry of foreign affairs (but in which country... YOU SHALL NEVER KNOW! MWAHAHAaa...) IT-department and was asked to take part in a project (I refused due to many other projects I had at the time) of making all the USB devices used there encrypted and openable only with personal identification cards with a nice chip already used to log on to computers or read encrypted (read: confidential) e-mails. This was because many people were using their personal USB devices, transferred work-related data there and occasionally these things (which in some cases held confidential documents) got lost.

I believe this about some similar matter. They are taking back "personal" USB sticks given to all employees and possibly everyone is told that they can get an encrypted USB stick if they give away their current one or something. I mean, it's not like they could make house searches to all employees to find their personal USB sticks to take them away.

Somebody has woken up to to personal privacy (5, Insightful)

AlecC (512609) | more than 6 years ago | (#22781360)

Given the casual way in which UK goverement employees, both civil and military, have been treating confidential information, I am glad that a department with seriously confidential information is taking the security of portable storage media seriously. Obviously, if the media were personally ppurchased and used in good faith, the owners of the media must be compensated. But, as previously suggested, these were probably privately purchased and then refunded as expenses, to the belong to the emplyer already.

As to destroying them... Put this in proportion: 150 devices, at perhaps $30 apiece if they wern't bought yesterday: about $4500. On the otyher side, when the UK government lost 2 CDs with large amounts of personal information, the mailshot warning the people whose personal and banking information had been misplaced cost $6,000,000. With cost ratios of this magnitude, the precautionary principle applies. Yes, you could wipe them, and they probably wouldn't leak info. But the cost if they did is so high that the tiny loss involved in destruction is irrelevant.

So I applaud a government department for finally taking privacy seriously. The cost arises becasue they didn't do so before, and is small. The cost for all the other departments who have not yet got it is increasing every day.

Why not disable the USB ports? (3, Insightful)

Ahrel (1064770) | more than 6 years ago | (#22781410)

Call me dumb, but I don't understand what they're using these thumb drives for that wouldn't be possible with a good network? Why not disable the ports (or at least access to them by anyone but IT and managers). If they have network shares, that should be sufficient enough to transfer data to a colleague. The article mentions PowerPoint presentations and the like...but if they're giving a presentation within the building, they should be able to access their shares for the power point files. If it's outside of the building, transfer it to the laptop before you go. But if you absolutely need the files on a thumb drive, get a monkey from IT to do it (that's what field tech's are for). I dunno, I guess I'm just too used to how the two places I've worked at in IT did and do things. The million dollar question is why is the state so paranoid that their employees in the Division of Child Support are going to be stealing information? Maybe they should screen better.

Re:Why not disable the USB ports? (0)

Anonymous Coward | more than 6 years ago | (#22781530)

The article mentions PowerPoint presentations and the like...but if they're giving a presentation within the building, they should be able to access their shares for the power point files.
Perhaps, the presentation room is isolated from the rest of the network. Why? So anyone can give a presentation (company members or not) and the network is safe an sound from any potential security problems.
If it's outside of the building, transfer it to the laptop before you go.
What if they are giving a presentation in an office which only gives them access to a preconfigured PC, and doesn't allow you to pull in another PC?
get a monkey from IT to do it (that's what field tech's are for)
Excuse me? If you're a trained IT tech, you should have better things to do than monkey work like this. It's exactly this attitude towards IT Staff that causes to HR to only approve cheap substandard TestKing MCSE drones.

Now get back to work

Re:Why not disable the USB ports? (0)

Anonymous Coward | more than 6 years ago | (#22781596)

Wait a sec. These fancy USB drives have to have web access to authenticate. Why not just put the damn data ON THE WEB with appropriate security , and don't allow people to take data out of the building? Working from home or another office -- use the web.

Re:Why not disable the USB ports? (2, Insightful)

JoeD (12073) | more than 6 years ago | (#22781976)

Because USB ports are used for other things besides thumb drives. Notably, mice, keyboards, and printers.

Re:Why not disable the USB ports? (2, Insightful)

AlecC (512609) | more than 6 years ago | (#22782228)

This is a child care agency. They need to visit the child and/or parents in their home, and have access to the child's records, both to read them (e.g. to find if any allegations are repeat cases) and to update them to record new allegations. You cannot get parents and childern to come into a secure environment for interview. The case worker, who may have to do three or four emotionally draining interviews in one day, cannot be expected to remember all the facts accurately enough for (for example) legal proceedings to remove a child from parents. Tha alternative to USB keys is probably printout, pen and paper. And how secure is t that? At least USB keys can be encrypted.

Re:Why not disable the USB ports? (1)

blacknblu (988181) | more than 6 years ago | (#22782564)

OK, your dumb (sorry, couldn't resist). Your point, however, is spot on for the private sector. IMHO, the positions that are being filled are mostly recent college grads who will accept the meager wage the state is offering (tech and business). With a high turnover rate, it's more cost efficient to implement policy for hardware than jeopardize the current business model. With this new policy, if any information is compromised, the State will be better positioned to evade any third party liability.

Imagine... (0)

Anonymous Coward | more than 6 years ago | (#22781456)

It is interesting to consider this move from the perspective of a decade ago, in which case they would be banning privately purchased floppy disks.

You can pry my USB drive (1)

Pikoro (844299) | more than 6 years ago | (#22781498)

from my cold dead fingers.

Re:You can pry my USB drive (1)

Corporate Troll (537873) | more than 6 years ago | (#22781872)

Beware what you wish for.... We *are* talking about the state, you know....

Re:You can pry my USB drive (1)

Lumpy (12016) | more than 6 years ago | (#22781896)

REally? I give mine up willingly. I upgrade about every 3 months. I now carry a 16 gig model. I gave away my 4 gig to a stranger recently when we were talking and he asked about thumb drives, I said they are dirt cheap. Here, have one (I was out of the older 1 gig drives I had clogging the bottom of my backpack.)

that's the cool part. Plug in two drives, dump contents from one to the other, format the old one, give it away. Really simple.

Re:You can pry my USB drive (0)

Anonymous Coward | more than 6 years ago | (#22781952)

Government: We find your offer.... acceptable. Welcome to the injection row.

When I first read the headline... (1)

sixtyeight (844265) | more than 6 years ago | (#22781732)

...I thought, "Oh. Halliburton must be branching out into storage media."

Actually ban them altogether. (0)

Anonymous Coward | more than 6 years ago | (#22781788)

I banned USB sticks and gave everybody a portable usb harddisk with a standardised encryption application. People in our department usually spend 50-75% of their time out of the office and overseas.

Why?

    Firstly once in China I was training a class using some files from my USB stick. On the same stick I had a bunch of unreleased files and planning documents (a big mistake). I left the room to go to the water cooler for about 40 seconds. When I returned one of the students was copying my stick to his lappy, in front of the entire class!

    Secondly they get lost. They are small and easy to loose. The bigger portable drive is much easier to remember, it's also a bunch more expensive so there is some incentive to keep it. Also, we've all had USB sticks, even popular name branded ones, die for no good reason when we needed them the most. I have a no-brand stick that has a certain half life, after a certain amount of time it starts loosing files and the capacity gets smaller and smaller until it's zero. Then you reformat it and it's good again for a few minutes.

    The biggest hassle with this policy so far has been the encryption software, which can be downloaded over the net (except the keys), but still if you need to move something quickly you need to install the software on both machines. Since the engineers have to type in the keys, they tend not to use the drives for mule work and just for keeping their work documents and I guess mp3s on.

    If someone stole or found one of our portable drives I suspect they'd be more likley to format it so they can have a working drive than try to crack the encryption. It's just a guess of course...

Auto-deletes - how? (1)

davidwr (791652) | more than 6 years ago | (#22781826)

From TFA:

Cruzer Enterprise provides 256-bit AES encryption and requires users to create a password upon activation. The device automatically deletes all of its content once someone has tried 10 times to access it using incorrect passwords.
How does it do that? Does it just delete the passphrase-encrypted key or does it actually delete the data? If it deletes the data does it overwrite it and if so, with what? How much time does this take?

Is it possible to bypass the protections and make a forensic copy of the drive before entering the passphrase, thereby making the "10 tries" meaningless?

If it's not possible to make a forensic copy, Al-Qiada wants to place an order.

There are security concerns (2, Informative)

JoeD (12073) | more than 6 years ago | (#22781900)

I remember reading an article from a security consultant awhile back. One of his clients, a bank, had hired him to try to break into their systems, and were quite cocky about how they'd sealed off external access.

So he took a bunch of thumb drives, put a Windows autorun backdoor installer on them, and scattered them around the entrances and outdoor smoking areas.

Hey, presto, instant access.

Why destroy them? (1)

chord.wav (599850) | more than 6 years ago | (#22781904)

Why destroy them when you can just give them away to people that need them?
Lots of people would use those USB flash drives! And they don't care a sht about it's current information.
For example these kids: http://www.epicchange.org/ [epicchange.org]

Nooooo! Recycle them, instead! (0)

Ngarrang (1023425) | more than 6 years ago | (#22781908)

Guh! Don't destroy them. There exists software that will securely erase data from any media, disk or ram. Use these programs and then give those memory sticks to some charitable cause or somethin'. Yeesh, what a waste of technology.

Re:Nooooo! Recycle them, instead! (0)

Anonymous Coward | more than 6 years ago | (#22782394)

There exists software that will securely erase data from any media, disk or ram.
Such a software only solution does not and cannot exist, particularly for flash drives - as they age, sectors will go bad and become physically unwritable (and get copied to an unused sector, with the old sector marked as bad) - but not necessarily unreadable. So no matter what software you use, a (smallish) portion of the data may remain readable and can only be destoryed by physical destruction of the drive. It may be that the bad sectors are few and contain nothing of value; or they may contain the most important or confidential part of the data.

USB Drives are not the problem... (0)

Anonymous Coward | more than 6 years ago | (#22782186)

usb ports are. So too are unused extra serial and ethernet cords if they allow files to be transferred. Similarly, CD Burners or DVD Burners can be a problem too. I work for a hospital and literally see my jaw drop many times when I see how lax security is in some places. In at least one or two clinics I personally have seen networked computers inside of the observation room, where patients usually sit and wait for the doctor to see them for a good 30-50 minutes on average. What's scare is that these computers, even though they do have screensavers, are not always locked. Simply moving a mouse can make the screen saver go away and allow anyone there to see the doc right in to the network... the network, where in the past, I've seen lots of personal data stored as unencrypted text files on top level folders that anyone in the full network can see because some idiot moved them out there when re-arranging department folders... the same network where some databases have simply a first and last name as ids and passwords... the same network that ties in to the electronic medical record system... the same network where email headers and subject lines are not encrypted but many staff are not aware of that or care about it so put confidential info in the subject lines anyways...Next time you see something like this, please complain to the staff about it, and file a written complaint. Some of my complaints have fixed some things, but it seems that often as soon as one thing is fixed 300 new things get broken security wise. A lot of folks in the medical field claim to follow Hippa, but do so very laxly... in ways that could get their butts sued off if someone with the right no how knew all that was going on.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?