Colleges Wrestle With Thumb Drives
Lucas123 writes "IT managers at colleges and universities are grappling with the problem of finding ways to better secure removable storage media in an environment that encourages information sharing. Draconian security mandates 'may be common in the corporate world, but "we don't have the flexibility to simply say all inbound traffic is locked down," said Jason Pufahl, information security team lead for IT services at the University of Connecticut.'"
What the hell is this about? (Score:5, Insightful)
You're worried about the university computers? Then use a secure system that doesn't allow a user to bring along any kind of software to infect it.
You're worried about the student's data? Then teach them to use encryption and require them to use it.
Both things neither require a lot of examination nor a lot of money. What's the big deal?
Re:What the hell is this about? (Score:5, Informative)
We had a situation at work where we had to lock down the floppy drives on machines because people might steal stuff. The fact that they also had email and web access didn't make any difference to the people making the policy.
Re:What the hell is this about? (Score:5, Insightful)
Especially at a University, where you want people to take and share information. Seriously, deniable makes a great point. I taught a series of workshops at a small college that took the "no removable storage" approach to keeping themselves "secure". The IT Director eventually got fired and now they're being a little more reasonable.
Re:What the hell is this about? (Score:5, Insightful)
I spent a good deal of my life in a university. As a student, a tutor, and finally I briefly also worked there. If anything, a university is a place where information is flowing. Yes, usually only after publishing (because, well... nobody wants to tempt a colleague to crib), but then whatever you want, whatever you need, it's there. Mostly because you DO need it.
Try to write any kind of scientific report without quoting sources.
Not to mention that it is virtually impossible to (re)create everything on your own. You have to build on the foundation laid down by someone else. I cannot start a math paper by proving that inverting a matrix is possible.
I also cannot do all on my own because I do need the expertise of other people with different knowledge. It's humanly impossible to learn everything, especially at the depth and detail required today when you want to create something "new". I could not design the hardware layout for an integrated circuit that I need. I'm not a hardware developer. But I know someone who can. He can probably not create the microcode for it, but that's no problem because that's what I can do.
Cooperation has always (well, at least since the day when it became impossible to know everything that's necessary yourself) and will always be the cornerstone of research. If there is something college and university should teach, it's that only cooperation and not egoism leads to success and results.
Re:What the hell is this about? (Score:5, Funny)
lol
Re: (Score:2)
Under today's better "rules" you think
Re: (Score:2)
This is basic separation of fu
Re:What the hell is this about? (Score:4, Insightful)
If they don't want viruses coming in, install virus scanners or don't allow executables to be run from user drives... and have the machines re-image on a regular basis.
If they don't want sensitive data going out, banning media isn't going to stop some bonehead from using a floppy or emailing it to himself (or putting it on a "secret" part of his webpage).
Re:What the hell is this about? (Score:4, Interesting)
Or, as the GP suggested, use a more secure system.
Of course, no system is absolutely secure, but I feel that here we're dealing with stupidity, not malice - dumping Windows and Windows viruses seems like a foolproof plan to me. (Of course, nothing ever is foolproof.)
Or using the camera on his mobile phone to make some screenshots. (I still can't believe that somebody took the time to take pictures of and then post the whole of Harry Potter.)
Re:What the hell is this about? (Score:5, Informative)
Universities really CAN'T lock systems down in the kind of way a workplace can. I'm doing a Master's degree in Information Technology (basically a one year conversion course in Computing Science for those with different first degrees). We have to write software for our dissertations and this often involves making use of other people's software, sometimes libraries, sometimes compiled programs. We wouldn't be able to do our dissertations if we couldn't install more software. It's not practical to have to get permission for every piece of software every student needs. I'm sure many of the academic staff also need to do these things in order to do their own research.
University networks are not like work networks. You can't enforce a standard set of tools and be sure that no one needs to run anything else
Well, even that is false (Score:5, Interesting)
Re: (Score:2)
I don't know why you're even talking about windows. It's not even relevant.
Plus it's as easy to bypass lockdown on default installs of typical Linux distros as it is for default installs of Windows. With the distros you usually get access to stuff like scp, perl, crypto and lots of other fun stuff preinstalled for you.
If you're going to allow users to have usb music players and camera
Re: (Score:2)
Imagine you're a corporate spy. Your job: Infiltrate a competing company and copy their secrets. What do you do? You try to get hired, grab what you can and bail. I get fired for breaking policy? Here's my cell, call someone who cares.
Re: (Score:2)
If you're afraid of corporate spies, there are things you can do. Whether or not you use windows is irrelevant.
While most organizations are clueless and let just about anybody access to the "family jewels" (noobs/temps/outsourcees/contractors get access to backup tapes etc), not all are.
If you're a spy, you'd care ab
Re: (Score:2)
1) What important corporate secrets does root/administrator on a desktop have anyway?
2) Why are you letting people you can't trust have access to secrets? You hired them because they can't read/write or remember stuff or think out of the box?
You can hire "cannonfodder", but you sure don't give them access to important stuff.
Most companies don't really care about security or know anything about it. They just say they do. They hire new people and near immediately put
Re:Well, even that is false (Score:5, Interesting)
I've seen them fire people over it.
however... all the managers have laptops and we go in and out every day with them. Each department have a fleet of burners and scanners. Every single member of R&D has at least 2 USB memory sticks. and I've been using my iPod everyday for over 5 years.
So what's the point? Surely I am not about to steal corporate secrets, and the mechanisms preventing me if I was inclined to do so, have nothing to do with site or IT security. A disgruntled employee who didn't understand the difficulty in marketing such things is in no way going to be able to figure out what to take and how to do so (or even be able to get to the part of the building where he could have access to the data). The segmentation of the network encourages the use of external memory to transfer data from the segment containing the devices that create the data to the workstations of the people that analyze data.
Re: (Score:2)
But there is a policy that says "No external USB drives". So there are no external USB drives. Does the policy forbid internal USB drives to be taken home? No. So you can
Re: (Score:2)
more IT managers need to realize what users want and what the company NEEDS... Users may want data all over PCs, but companies NEED that data in a central place because users NEED that data for their jobs and NEED it backed up. The idea is to keep BOTH sides happy and in most cases it's quite easy if you think about it 5 minutes and are willing to restructure your systems to segment data correc
thin clients ftw! (Score:1)
Re: (Score:2)
CD burners are either not installed or are software disabled on the systems I have seen. Actually it is a major PITA to find a burner when you want to send some data to a vendor for analysis. Ah yes, that gets me to the USB ports. You can superglue them but the
Re: (Score:2)
I've seen it time and again myself. From both sides. I worked for the internal security of a bank. Told them at least once a month that there are se
Locking down toolsets and competitive advantages (Score:2)
> University networks are not like work networks. You can't enforce
> a standard set of tools and be sure that no one needs to run
> anything else
If by ``work networks'' you mean industrial software development
environments -- well, you also can't enforce a standard set of tools.
Let me put it this way: I really hope management over at my
*competitors* lock down their engineering team's tool set, since
that would give my group, which has no such artificial restrictions
on software tools we
Re:Locking down toolsets and competitive advantage (Score:2)
Myth that businesses needs are any different (Score:2)
Re:What the hell is this about? (Score:5, Insightful)
Never mind that computers are a basic tool of the modern age, computers are a magical black box administered by a priestly class, and only nerds should know anything about them. And encryption? That's for the government or terrorists, AND NO ONE ELSE!
Re: (Score:2)
Let's all go down on our knees and pray to blessed and most holy Alan.
Unfortunately, nothing's further from the truth. So far nobody kissed my pinky ring and begged for my blessing.
Re: (Score:2)
When we allow dumbness to succeed, worse, if we make being dumb the get-out-of-jail card while incriminating people with knowledge, we're heading for disaster. And we are!
When Joe Snoozebag gets his machine infected with a trojan, his computer could trash the internet and he isn't liable. He doesn't know jack about computers, and while it may be irresponsible to operate high tech without the foggiest idea about it, his cluelessness saves him from liability.
When I, a professional security researcher, g
Re: (Score:2)
He doesn't go to bars anymore. Invariably, sooner or later a drunk will approach him and start bothering him for a fight with the "champion". What should he do? He isn't so much concerned that he might hit him in ways that would injure the person (he has absolute perfect body control), but even if he doesn't do jack and that guy stumbles over his own feet and breaks a
Universities shouldn't have to secure data (Score:5, Insightful)
Re: (Score:2, Interesting)
It's an environment of learning where even circumventing campus computer security should be just regarded as being smarter than most people and considered an acceptable way to impress a girl.
While I agree with you in principle, at least one part of the story related to staff at the university losing a USB drive with 199 Social Security numbers on it. Staff should be required to use encryption as a minimum. Where I went to college, the admin network was segregated from the student network; and had stricter rules. It just makes sense; there is far too much sensitive information in that network to allow it to be connected to the outside world without controls. In a sense, the admin network is a corporate network. While I don't believe they need to be as draconian as some government agencies (swapping hard drives for internal/public networks), certainly they do need to keep tight controls.
Just my 2cents..which in today's world won't even buy me a piece of Double Bubble.
Breaching Security (Score:2)
There are some schools where circumventing computer security is taught as part of the curriculum.
Deep Freeze (Score:3, Informative)
Re:Deep Freeze (Score:5, Insightful)
Re: (Score:1)
Jep, that's indeed the big problem. When the network is down (It rarely is, though), people can't do anything (Which isn't _too_ terrible for a school, but still sucks).
Other than that, it's actually pretty fast (When multiple people boot, the system apparently does some interesting broadcasting type of stuff, I don't know, really). It's reasonably fast, ~3min, even when multiple people are booting (Windows2000, mind you, with oldish PCs), logging in takes ~30sec. Laptops are not using this though, might
Re: (Score:2)
Our PCs are completely locked down, but everyone's given space on the server and when they log in they get a network drive mounted for them.
Re: (Score:2)
If you do a cypher
Re: (Score:2)
MS also has a free utility for XP (Shared User Computer Toolkit) that does similar, although it does require
High Security leads to a false sense of security. (Score:5, Interesting)
Re: (Score:2)
b. A majority have them anyways...
am I? (Score:5, Funny)
desktops = bad (Score:3, Interesting)
Re: (Score:2)
You could use computers running JUST a web browser as terminals, or use X terminals. A "terminal" doesn't have to mean a text-only device out of the 70s/80s.
-b.
Re: (Score:2)
1: Using Windows, and having them protected with Deep Freeze, or the Shared Computer User Toolkit, both roll back a machine to a known good state on reboot.
2: Have the machines on a private LAN with the only connections to the outside world are connections to a WSUS server (for windows updates), a domain controller (for being able to log on) and two RDP servers. One RDP ser
Huh? (Score:4, Interesting)
In June, for example, Grand Valley State University was forced to notify 3,000 students of a stolen Zip drive."
The article is all over the map. They are worried about hackers getting into your system and stealing your data in one paragraph, viruses from iPods in the next, and then they have some idiot storing SSN's on an unencrypted flash drive...
I don't know about most universities, but the one I went to didn't give everyone admin access. When you logged on it would clear the local temp directories (i.e. everywhere the previous student had write access). Simple, and it makes it very difficult for viruses to propagate or hackers to install a keylogger.
What prof's need your SSN/SIN for is beyond me. We had "student" numbers, which were posted everywhere and didn't hold huge potential for abuse. No doubt the university could translate those to a SIN, but that system was supposedly secure.
SSNs (Score:3, Interesting)
Many large universities continued to use SSNs into the nineties, and I have no doubt many continue to use them. And when you'd teach a class, all the forms that came through
Re: (Score:1)
That said, I think the fact using the student number was the only option made it easier to memorize. If
Re: (Score:2)
Many other colleges used to do this as well, but most (if not all) have switched to a different method for generating a student ID number.
Portable storage blues (Score:5, Insightful)
Desktop wise, a proven combination of transparent bridging at network level, an antivirus/spyware on the desktop and another anti-virus/spyware on the mail server will filter out most of the traditional ways of infecting systems with malware. Scripts to enforce patching and lock out users that connect to the network might be a big headache, so if you can afford the overhead do that, or switch critical services to a more secure (and yes, I mean that) desktop such as a patched version of Linux.
The issue of data migration to/from portable storage is a head-scratching one. So, where I work, we scratched our head a lot and came up with the following conclusions:
- We can train users to understand the implications of relying on portable storage.
- Encryption could protect the content. In rare cases, it was a big headache, when users lost encryption keys, or when users wanted us to face performance issues on large encrypted filesystems.
- Portable storage will never be secure from the issue of data availability. Whether your data are encrypted or not does not matter if the device gets lost or broken and the user does not sync the data (for whatever reason). Scenarios where people had grant applications on USB keys and then they lost them or misplaced them inside a warm cup of coffee or had their kid's bike going over their laptop in the garden are common.
This last point made us re-examine why people use portable devices in academic setups in the first place. Apart from the obvious reasons (mobility convenience, etc, etc), we found that strong motives for users to use portable storage media in an academic setup exist due to two reasons:
i) Network drive user quotas were extremely low, almost not usable. In fact, I know of faculties that still give a Gig of space per user and find it generous.
ii) Lack of suitable VPN solutions, so people could authenticate and mount their drives securely from remote locations. VPNs are commonplace, but they were dog slow, especially for large user setups, so faculties tend to serve tens of thousands of users with only three or four VPN gateways that can handle (together) far fewer sessions than the true average user load. The result, non existing or slow connections, users give up, buy a key or portable drive and hope for the best.
I approached our Director, explained the problem and got funding to buy a storage solution able to provide a quota of 20 Gigs per user and also upgrade our campus connection and have our own separate VPN gateway, able to handle up to 80% of the average session load with strong crypto. It wasn't easy, and when he heard the bill, he changed a few colours. However, if you explain with numbers the cost of losing a grant, or the research work of the last two years (some experiments are quite expensive to repeat), they can be convinced to approve the budget.
I don't know about the US, but in Europe, the broadband home market is good enough to sustain a good connection rate even with a 1Mbps/384Kbps ADSL setup for direct common file I/O (documents, spreadsheets, etc). Amongst academic networks things are even better. Storage is becoming cheaper, so making a policy decision to allow portable media and empowering your users with adequate amounts of centralized storage that is easily reachable is, in my humble opinion, the best way to combat the portable storage blues.
physical port lock (Score:3, Interesting)
http://www.lindy.com/us/productfolder/04/40454/in
http://www.lindy.com/us/catalog/07/01a/index.php [lindy.com]
but I don't have the impression that the key is unique, so what's stopping me from buying the product and unlocking someone else using the same product?
Re: (Score:2)
http://support.microsoft.com/default.aspx?scid=kb;en-us;823732 [microsoft.com]
Windows XP Home Edition doesn't let you set ACL security on files, so their directions are incorrect. Furthermore, I tried the change to the USBSTOR registry key they mention, and it had no effect on my USB thumb drive.
Re: (Score:2)
Of course many motherboards also give you the option to disable usb ports in the bios.
You could also block thumb drives from being used with a group policy [petri.co.il].
Re: (Score:2)
In addition, any scheme like this could be defeated by the user buying their own lock
to get a key.
Re: (Score:2)
Back in the mid 1980's, one of our sys admins once had a cunning plan to stop viruses and worms creeping into early day PC's (8 MHz clones with CGA cards). Every machine would be installed with a lock which disabled the power to the floppy disk drive (communications were a serial line to a SUN server). Anyone who wanted to download or archive their personal files would
Re: (Score:2, Interesting)
Each system has separate password requirements. Some require passwords with 15 or more letters, some balk at anything larger than 14. Some require 2 caps, 2 num
I use a small program for this . . . (Score:3, Interesting)
It generates passwords for you, letting you set the length and what
characters are included. Then it stores them all for you.
You can use one password to protect all your other ones.
You can even set expiration in the program to remind you when to change
a password.
I used to re-use the same three or four passwords everywhere. But now
nearly all of mine are quite random.
Give it a try.
Re: (Score:2)
The nice thing is that for staff and faculty, one can give them eTokens, while stud
But the most important question is... (Score:1)
Really Not Difficult (Score:2)
Password the BIOS, lock out all boot options bar hard disc.
Run everyone as a restricted user using dynamic accounts (ZENworks for example, or deep freeze if you're stuck in the 90's)
Disable all onboard bluetooth, wifi etc
Not all that difficult really.
Huh? What are they smoking? (Score:2)
If the IT admins really want to make their life easy, why don't they just use one of those hardware solutions where if you reboot the PC (or press some button while booting) the PC gets restored to a known state (like a vmware "revert to snapshot"), and then have networked file servers for students to store some of their permanent _uni/college_ related stuff on. If the IT staff aren't totally lazy they might even back up the student's network stuff regularly (haha).
Basically the hardware
Loss of SSN should not be a serious issue. (Score:5, Interesting)
Why should I be held responsible if someone recites my name, rank and serial number correctly and obtains a loan based on that very simple trivial fact? The problem is in the credit industry that wants to lend money at a moment's notice to people before their impulse to borrow fades away.
All we need is a very simple change of law about default reporting. Let the companies lend without checks if they want to, it is after all their money. But they should not be able to report a loan as overdue or unpaid or in default without going through due diligence to verify that the person they are accusing of being a deadbeat is really the correct person.
Let us change the burden of proof. Currently the victims of ID theft have to prove that ID theft occurred. Let us change it so that, it is the lender who should prove that ID theft did not take place.
Then it won't matter if some department loses a hard disk containing million SSNs. Will it?
Re: (Score:2)
Not using an
Re: (Score:2)
A SSN is an identification number. In principle, there's no harm in everyone knowing that Bob Smith from Wichita is person 072-33-1234. The harm comes from being able to obtain credit, medical records, and so on just by saying "I'm Bob Smith, also known as 072-33-1234."
We need some kind of authentication mechanism to ensure that anyone claiming to be Bob Smith r
FTW: One Solution (Score:3, Funny)
thumb drive early adopter, lessons learned (Score:3, Interesting)
When I first was noticed to have a 1gb flash drive, my manager flipped out. We were not in a hugely secured environment, but he was formerly a branch manager of a bank so he saw this as a huge problem. We did deal with a large amount of customer information, but this never needed to be on my flash drive. I used the drive to assist in maintaining about 110 PCs, mostly loaded it with software tools, text files describing walk throughs to fix common issues, etc. We went round and round a bit and finally just dropped the issue and I was not bothered anymore.
Now I work in an IT department elsewhere, and I do have to carry sensitive materials. With all the switches, routers, server, etc, I have to keep passwords for them all. Having these items available on hand at any time in addition to a large number of software tools to support > 500 machines of various types necessitates a flash drive - you just can't carry your laptop everywhere nor rely on the availability of a network connection.
My solution now is to use OS X's "filevault" technology. Among the items I am not worried about, there is a small (10mb) encrypted disk image. Because the data on the image is frequently being changed and updated, I keep the main copy on the flash drive, and periodically (weekly or so) sync it with my laptop. The copy on the laptop is write protected to prevent temptation of editing it instead of the copy on the flash drive. The password to the vault is in the keychain on my laptop, which is encrypted with my login password. So if I plug in the flash drive to my laptop, I just double click to open the vault without any password to type. I can also open the read-only copy of the vault that is synced on my laptop if that's handier.
If I am in the field and either don't have my laptop with me, or it's inconvenient to haul it out, I just get out the flash drive and plug it into the machine and double click the vault. I have to enter the password since it's not on my laptop with its keychain, but that's not a big deal. The filevault is not supported on anything besides OS X, but it's supported directly by the OS and does not require any additional software or setup, it just works when plugged in.
For the PCs I have a second 4gb flash drive that I use mainly for shuttling information between PCs, and it does not contain any sensitive information.
The biggest problem I have now with the flash drive is the very high risk of forgetting it somewhere. It's really easy to plug it into a machine, start working on something, get distracted by several other issues all at once, and hurriedly rush to the next fire, only to leave the flash drive parked in the machine I was working on first. By the time I realize I don't have my flash drive, it can be up to a day later, and it's really hard to figure out where it was left behind. I've put a lot of thought into this problem, including various "phone phone" ideas, use of a lanyard, etc, and the solution I have come up with is working well. I have a small camera bag that I used to keep my powershot camera in. I now have a larger camera, so the bag has been repurposed. It's a LowePro, built well with a belt loop. It nicely holds my palm pilot, iPod, earbuds, an iTrip transmitter, AND a flash drive. How does this help you wonder? The fireflash has a removable clear acrylic cap that securely attaches to the flash drive, and the lanyard loop is on the cap, not on the drive. The drive came with a 5" lanyard, so I attached that to the loop on my Lowepro, and stuff the flash drive in the front pocket of the bag. When I am using the flash drive, I have to remove it from the cap to plug it in (or reach the computer for that matter) This leaves a clear acrylic cap dangling 5" dow
Wrinkle v2.0: Records retention policies (Score:1)
SSN #s? (Score:1)
Solutions? (Score:1)
Our computers use Novell software, and logging in requires knowledge of your Novell username and password. Guests can log in to use the web, but they aren't granted access to any of the Microsoft Office or Macromedia Studio software. If a computer is left alone for 20 minutes, it shuts down/resets. When a computer is shut down/reset, it removes all new files and programs that were installed on the computer during usage. That way they stay clean of all t
As a former uconn alumni (class of 06) (Score:1)
Recycled FUD (Score:2)
Incidents referenced not stated as actually happening: one; malware.
Incidents of "mandates" referenced: zero. Plus, the UConn IT guy says they can't do that anyway, so putting that in the headline makes it worth a -1.
This article seems to be pieces of three different articles that never got finished, thrown together into one big pile of FUD. Any one of them would make a good article if there were enough on-topic material. I'll give the guy a b