Windows makes it easy to quickly download files to iPods and other portable storage devices–a little too easy in the minds of many IT managers.
Longhorn to put squeeze on gadgets
2004-09-09 Windows 39 Comments
How to move data off of corporate servers… let me count the ways!
blah blah blah
Want a “trusted PC”? Remove the network cable, put it in a locked room and install biometrics and video surveillance of users. Otherwise, forget it.
Seriously… it’s a wasted effort.
It might surprise you how many corporations are taking away internet access for exactly those reasons. The completely connected office network via the internet certainly has issues (regardless of the OS involved). High bandwidth availability has turned internet access into a wide pipeline for theft of corporate resources.
An enterprise that lets important information be stolen from it just by hooking up an iPod, USB key or other storage device deserves it. As if every kind of sensitive information is just waiting there to be scooped from every PC. Unfortunately it mostly is.
Those IT managers should spend more time on a decent security policy and should see to it that it gets implemented correctly, e.g. instructing personnel not to leave the PC logged on unattended. Why should everybody else suffer for some dorks spending more time on lunch and drinking coffee than on what’s really an issue? Or is it too easy to store expensive software etc. and use it at home without an extra license?
I find it hard to believe that these system admins can’t figure out that you can just disable the USB/FireWire ports in pretty much every BIOS. Not like it’s going to help anyway; if an employee wants to steal company information then they will find a way.
Printers for instance. Most, if not all, newer desktop printers are USB only. Card Readers, Bio security devices..keyboards, mice.. etc etc etc.
Can we say “closing the barn door after the horse has left?”
Lock down the i’net and I’ll just plug in my widget.
Lock down the FW&USB and I’ll just burn my CD.
Unless you do some really *tight* body searches and x-raying of all packages coming in/out, you’re not going to stop the sneakernet. (Okay, you could buy those little pizza-box thin-client no-drives jobbies and severely restrict the i’net domains it can visit, but depending on the duties of a person, that may not be practical.)
The best (but not perfect) way around security leaks is to keep tight tabs on which workstations have access to which files and which servers and to give everybody who doesn’t need a full service computer a pizza box.
If you’re doing windows workstations accessing a *nix server, you might want to rethink having a generic “usergroup” access to servers.
Password desktops from the BIOS on up.
Password the screensavers.
Making it harder to plug in an iPod or a flash drive isn’t really going to stop the problem.
Nothing new here… See fstab(5).
Btw, as long as you’re networked, it makes no difference to security.
“Unless you do some really *tight* body searches and x-raying of all packages coming in/out, you’re not going to stop the sneakernet.”
If you’ve got no CD burner, no USB access, and no Internet access, how are you gonna get the stuff off? Of course, you could still print probably, but that’d be about all I think.
work wonders when you want to yank a drive out
Handmade adapter that uses the mouse port?
We’re underfunded, and “though not incredibly” undermanned; we could use more people in the Haiku project, etc.
But at least I am playing with some alpha security prototypes. Biometric bling bling, etc.
Isn’t it easier to simply replace all those personal computers with dumb terminals that don’t have anything but the requirements to boot off of a server, getting data from another server???
No CDs. Need a CD loaded? It goes to a central drive next to the shared printer. Same with everything else. It can then be easily monitored.
There are OSes out there that let you mount remote drives easily and boot from them. Why add bloat when tech already has the answer?
Positives of this interface: backups are a snap?? Keep a spare hard drive or two of the configuration of the servers, and restore them from hard crashes in minutes.
Why have an option to not allow drives in a system known for insecurity??
Surely the Linux version is:
Then all done. I’m not giving this one out of zealotry or anything, I just don’t know Windows drivers very well, but this doesn’t seem like a big deal. Sure there are ways around it, I expect, but if people want to spend time building a standard serial-port-to-USB converter or something, then you need a much bigger change than just blocking one type of device.
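The fstab(5) approach mentioned twice above (“See fstab(5)” and “the Linux version”), as an added example that is not part of the original thread: a small Python audit that parses fstab lines, resolves mount options left to right the way mount(8) does (user/users/owner/group let any local user mount the entry and imply noexec,nosuid,nodev unless a later option such as exec re-enables it), and flags removable entries that unprivileged users can mount or execute from. The sample fstab is constructed, and the policy it enforces (removable media mounted by root only, never executable) plus every function name are my own assumptions, not anything from the posters.

```python
"""Audit fstab(5) entries for removable media that unprivileged users can mount.

Added example for this thread, not code from any poster. The sample fstab is
constructed, and the policy (removable media: root-only mount, no exec) is an
assumption of this example rather than a rule stated in fstab(5).
"""
import re
from dataclasses import dataclass

# Filesystem types and device names that usually mean removable media (assumed list).
REMOVABLE_FSTYPES = {"vfat", "msdos", "iso9660", "udf", "auto"}
REMOVABLE_DEVICE = re.compile(r"^/dev/(fd\d+|cdrom|cdrw|dvd|sr\d+|scd\d+)$")

# mount(8): these options let a non-root user mount the entry and imply
# noexec,nosuid,nodev unless a later "exec"/"suid"/"dev" turns them back on.
USER_MOUNT_OPTIONS = {"user", "users", "owner", "group"}

SAMPLE_FSTAB = """\
# constructed sample, not taken from any real host
/dev/hda1    /            ext3     defaults                           1 1
/dev/hda2    swap         swap     defaults                           0 0
/dev/fd0     /mnt/floppy  auto     noauto,user                        0 0
/dev/cdrom   /mnt/cdrom   iso9660  noauto,user,ro                     0 0
/dev/sda1    /mnt/usb     vfat     noauto,user,noexec,nodev,nosuid    0 0
/dev/sdb1    /mnt/ipod    vfat     users,rw,exec                      0 0
"""


@dataclass
class Entry:
    line_no: int
    device: str
    mountpoint: str
    fstype: str
    options: list


def parse_fstab(text):
    """Parse fstab text into Entry objects, skipping comments, blanks and short lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:  # fs_spec, fs_file, fs_vfstype and fs_mntops are mandatory
            continue
        entries.append(Entry(line_no, fields[0], fields[1], fields[2], fields[3].split(",")))
    return entries


def is_removable(entry):
    return entry.fstype in REMOVABLE_FSTYPES or REMOVABLE_DEVICE.match(entry.device) is not None


def effective_flags(options):
    """Resolve mount options in order, as mount(8) does; later options win."""
    flags = {"rw": True, "exec": True, "suid": True, "dev": True, "user": False}
    for opt in options:
        if opt == "defaults":  # rw,suid,dev,exec,auto,nouser,async
            flags.update(rw=True, exec=True, suid=True, dev=True, user=False)
        elif opt in USER_MOUNT_OPTIONS:
            flags.update(user=True, exec=False, suid=False, dev=False)
        elif opt == "nouser":
            flags["user"] = False
        elif opt == "ro":
            flags["rw"] = False
        elif opt in ("rw", "exec", "suid", "dev"):
            flags[opt] = True
        elif opt in ("noexec", "nosuid", "nodev"):
            flags[opt[2:]] = False
    return flags


def audit(text):
    """Return (line_no, mountpoint, problem) tuples for removable entries that break the policy."""
    findings = []
    for entry in parse_fstab(text):
        if not is_removable(entry):
            continue
        flags = effective_flags(entry.options)
        if flags["user"]:
            findings.append((entry.line_no, entry.mountpoint, "mountable by any local user"))
            if flags["rw"]:
                findings.append((entry.line_no, entry.mountpoint, "and writable: files can be copied out"))
        if flags["exec"]:
            findings.append((entry.line_no, entry.mountpoint, "executable: binaries on the media can run"))
    return findings


def harden(entry):
    """Rewrite one entry so that only root can mount it and nothing on it executes."""
    kept = [o for o in entry.options if o not in USER_MOUNT_OPTIONS and o not in ("exec", "suid", "dev")]
    for opt in ("noauto", "noexec", "nosuid", "nodev"):
        if opt not in kept:
            kept.append(opt)
    return f"{entry.device}\t{entry.mountpoint}\t{entry.fstype}\t{','.join(kept)}\t0 0"


if __name__ == "__main__":
    for line_no, mountpoint, problem in audit(SAMPLE_FSTAB):
        print(f"line {line_no}: {mountpoint}: {problem}")
    for entry in parse_fstab(SAMPLE_FSTAB):
        if is_removable(entry):
            print("hardened:", harden(entry))
```

Note that the audit only sees what fstab says; a user with physical access and a BIOS that boots from removable media, or root on the box, is outside what this file can enforce, which is the point several posters make.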
“Isn’t it easier to simply replace all those personal computers with dumb terminals that don’t have anything but the requirements to boot off of a server, getting data from another server???”
Indeed it is a LOT easier to use dumb terminals. It offers a higher level of security (regardless of OS), cuts out many desktop support positions, and generally makes life for admins a good deal less eventful. Companies are returning to this method in growing numbers. MS, Citrix, Wyse, Cisco, and many others are investing heavily in this becoming the future of the corporate network.
I can’t see the corporate world going 100% in this direction, but the closer they can get the better off they will be.
Like most things, this is probably just a way for Microsoft to make iPods “incompatible” with Windows so users will stop using iTunes Music Store and switch to Microsoft’s store. Then they will make their own music devices mount by default with no problems. Furthermore they will spin it in such a way that “iPods don’t work well with Windows, so switch to OUR solution.”
Ok, this is getting a little insane. Granted, PCs do have to have security due to end users not being hit with the clue bat. Some of the security restrictions are going into the insane realm, like:
1) not being able to change your desktop preferences, such as WordPad instead of Notepad or perhaps even winvi. Or using the generic CD player in Windows vs WMP (aka program associations).
2) what about uploading documents. I quite frequently have to bring large PDFs to work and using email and so forth is getting a bit ridiculous. Guess I won’t be working from home anymore.
3) redirecting users away from certain web sites (like stores that sell computers). You might question this one; here is the background. Some IT departments were getting more bang for the buck using local computer stores rather than going through corporate. So corporate forbids all users (not just the IT staff) from accessing them. It’s kind of funny actually.
Yes, it’s possible to bypass these restrictions but it’s easier to say (sample conversation):
Employee: “Hey, I can’t bring in files from home anymore, so I guess I won’t be working from home”
Boss: “You can stay late”
Employee: “So are you going to bring me my slippers and hot chocolate at 2am?”
Boss: “What!!! No!”
Employee: “Guess I am going home on time”
Boss: “Hello, IT dept, we need to ease some restrictions on John’s machine”
And the battle of corp ideology goes from there.
If you’re low in the food chain or don’t provide a valuable service, you’re going to get shot down… Now, you can be low in the corp world but provide some valuable service… and guess what, the permissions and access rights to your machine could change…
Now, if I could only stop corp IT from logging in remotely and shutting down all my applications without warning… Oh wait, I uninstalled that software long ago… and they said I would be fired… Ok, that was long ago, in a company far far away… but anyway… it will be a battle of users’ needs vs corp perceived security…
Floppy drive… that’s how you get the data out… and if it’s disabled in BIOS… pop the case, remove the battery and let it reset…
unless the IT folks disable the driver or uninstall it (the driver)… but I think there is a little trick up a sleeve or two that can fix that…
or how about using some of the local IT’s staff private email server?
how about ftp?
how about transfering files via telnet?
how about dragging and dropping files via IE or explorer to another directory where someone else can transfer the files off network?
but all this would be against company policy.
How about making a *.reg file and double-clicking on it to override changes to your computer? Got Notepad?
It’s got to be a dumb terminal running only 1 program with no physical access to said unit. And at that point you minimize the chances of transferring files off the company grounds. But you also minimize the ability for people to actually work. And yes, fries do come with that.
Man this has just gotten to be a “how to steal corporate data” discussion :p
I just have one comment: working from home, some jobs allow it, others do not. You essentially reach a deal with your employer to do this. If you have reached such a deal you are already in another category of users. Secondly, if you can upload large chunks of data you probably have a fast connection, which means you can most likely VPN and do your work. Last, but not least, no one is asking people to work from home or put in overtime. If YOU want to do work at 2AM then that is your business; your work schedule is nine to five. If you don’t like it, tough luck, that’s the work world for ya.
Yeah, but please, continue, it’s quite interesting….=). I’ll be quite happy to write the synop at the end, “101 Ways to Transfer Data from a Corporate Lockdown Facility”.
When we got to the ‘remove battery from BIOS’ post by ‘Hi’, I knew we’d hit gold.
Can’t wait to see where this thread goes *grin. Telepathic transfers? Quantum teleportation? Holding the COO hostage?
Didn’t we already see something like this in the movie “The Recruit”?
Well, you could remove all removable storage from the PC. Or disable write access to the system hard drive and use a central storage facility for user files: remove access to the floppy drive, and remove access to USB storage and to all removable storage. I am pretty sure any Linux sysadmin worth his salt can do this pretty easily and cost-effectively.
“Well, you could remove all removable storage from the PC. Or disable write access to the system hard drive and use a central storage facility for user files: remove access to the floppy drive, and remove access to USB storage and to all removable storage. I am pretty sure any Linux sysadmin worth his salt can do this pretty easily and cost-effectively.”
Obviously you have never been or ever will be a sysadmin.
Doesn’t matter what OS or what sysadmin….. Users tend to make fools out of the entire process and thought behind it. Happens every single day.
I guess the problem is that the users are just browsing non-work related sites (= porn) all the time they are NOT copying company data…
How do I right click or change to the XP look from the classic look without sufficient privileges? Is it possible to make another user with admin rights on a Windows PC? Because I know you can in OS X.
MS hinders security, that should be the real issue. Not an iPod or flash drive!
M$ is relatively secure for being so widely used. If OS X was as widely used it would be the OS everyone cracked and said was so insecure, so oh well, security is always hindered.
As a user in a big company, this looks to me like an “old school vs. new school” mindset discussion… There are many ways to restrict user access? Yes. This improves security? Yes, but it also makes the system so impractical… that you start wondering why the corporation you work for spends so much money on desktops and laptops if at the end we will use a small part of the system (the rest has been disabled by the IT guys)…
This is fun, let’s have a go.
You forgot side channels. Even on a dumb terminal there is going to be a long piece of wire going to the terminal. This will give off EM as you transfer data and commands between the server and terminal, which can be stored and, if played back via an emulation of the original hardware setup, could let you take any data you were working on. You can use the same technique against the screen as well, particularly if it is a CRT.
Carrying the enormous aerials and signal processing kit in under your jacket could be a slight hindrance to this plan. But that’s a minor detail.
You could also do this against a printer, much easier than trying to reconstruct the shredded stuff later, and if there is a printer attached to your machine then take your recorder and plug it into the printer port, then print everything of interest straight into your digital recorder for later reading.
You could use a camera phone to simply photograph the screen whenever there is something interesting on it, which is why camera phones are increasingly being banned from workplaces. In a similar vein you could claim to be visually impaired and require a screen reader, which reads straight into a small tape recorder such as the type used for dictating messages. If they refuse, sue them for discrimination.
If you happen to have a photographic memory (admittedly rare) then the recording device won’t be required, just memorise everything you see and write it down later.
Holding the COO hostage is good and has already been mentioned, but surely blackmailing him about his enormous p0rn stash would be better as you can use it as many times as you like.
As an IT manager myself for the last 20 years, this article is plain stupid. We have been fighting for nearly 20 years for easier portability of our information and now some people think it’s a bad idea and we had ought to make it harder again? Shame on them. Those who don’t know history are doomed to repeat it. Let’s not go backwards, lets move forward. If someone can easily download your sensitive information, hadn’t you ought to look at securing it first rather than the person who could possibly download it?
Good point! As my slightly sarcastic post above pointed out, if someone wants to steal data they will find a way of doing it. The best way to stop them is not to give access to that data in the first place.
Of course in that case they will burgle where ever the backups are stored and steal your backup tapes.
lol, I find it so depressing to see people that think this way too. It’s like blaming the screwdriver for the stabbing death.
“Screwdrivers have become far too invasive in all of our homes. The looming possibility of one being used in a violent crime had ought to be a warning to our society that they are a clear and present danger to us all! We need to get legislation in place now that will control people’s access to these deadly weapons!”
Pleeeaase! This argument is so lame and had ought to be so transparent that it never should have made it to print. The disturbing thing is that it did, and more so that there are people trying to argue in favor of the point!
If you are afraid of being stabbed by your screwdriver, then lock your tools in your toolbox. Or better yet, keep the people away from your toolbox who you think will stab you with your own tools! Is the stupidity that this article suggests really that rampant out there? Gosh, I think I will start using this article to test employment candidates. If you can’t see through the idiocy of it, then no job for you!
An iPod via USB would make the scoop stylish. A flash EPROM in my whatever watch or GSM connected via serial would do also; most of the time the files aren’t that big. I wonder if it was an iPod on which some Microsoft source code was leaked lately, just kidding.
As said, if someone is really determined and has time far beyond 9 to 5 he/she will eventually succeed in getting whatever is looked after. If something can be accessed the legal way it can be accessed illegally. In extremely rare cases, if something could contribute to security in whatever way it shouldn’t be neglected. It’s always a matter of: is it worth the effort or just plain overkill? This time it’s the scale that’s indeed ridiculous, yet another useless piece of code that most users and companies aren’t waiting for.
Microsoft should better concentrate their efforts on more to-the-point stuff than this. Why should a wealthy company like Microsoft put adware in their 6.2 MSN, for example? Make it more modular; Professional should be a really professional version. They have top-notch developers who are in essence the same as their “counterparts” in the OSS circuit. It’s the lame suit brigade and marketing hypers and other trend trolls that sometimes get out of control. I’m a tool user, and I use whatever tool gets the job done; if my hat doesn’t have such a tool that I need I’ll make it myself.
Will there be a Pocket PC Longhorn?