UK military: iPod is security risk

cnn.com ^ | 7/13/04 | Reuters

[NotQuiteCricket]

LONDON, England (Reuters) -- Music fans, beware: Britain's Ministry of Defence has become the latest organization to add the iPod to its list of high-tech security risks.

The pocket-sized digital music player, which can store thousands of songs, is one of a series of banned gadgets that the military will no longer allow into most sections of its headquarters in the UK and abroad.

Devices with large storage capabilities -- most notably those with a Universal Serial Bus (or USB) plug used to connect to a computer -- have been treated with greater suspicion of late by government agencies and corporations alike.

The fear is that the gadgets can be used to siphon information from a computer, turning a seemingly innocuous device into a handy tool for data thieves.

"With USB devices, if you plug it straight into the computer you can bypass passwords and get right on the system," RAF Wing Commander Peter D'Ardenne told Reuters.

[NotQuiteCricket]

"With USB devices, if you plug it straight into the computer you can bypass passwords and get right on the system."

Huh? How so? You would still be able to login to the computer, so see the USB device, correct? Help me out here people, cause this isn't making any sense to me.

[BrooklynGOP]

Doesn't make sense to me, either... What's the big deal anyway? Uninstall the USB drivers and you're all set.

[js1138]

You are already logged into the computer if you are using it. The point is that any person in the building could copy files form any computer that is running. I carry 128 megs of USB storage on my keychain.

[glorgau]

Uninstall the USB drivers? Can't do it on a Mac, and many computers now use USB keyboards and mice. Quite hard to lock down a computer unless your're using it as a terminal or kiosk.

[kezekiel]

Doesn't make sense to me, either... What's the big deal anyway? Uninstall the USB drivers and you're all set.

Not with Plug-n'-Play, but wouldn't the same problem exist for USB flash drives? In other words, you can take those little keychain bob-sized devices, plug them directly into a computer's USB port and snag as many files as you want. The OS treats it just like another local drive.

Where this can *really* be a theft problem is on the Mac, where you can flat out steal software. Some dude got caught stealing Office X off a Mac at some computer superstore... all you have to do is plug in the iPod and drag the program files right onto the iPod.

[stuartcr]

US military has had this, and similar policies for a while.

[Boundless]

> ... add the iPod to its list of high-tech security risks.

Trying to maintain lists of portable data/imaging devices
is a lost cause, and high-security facilities are going
to have to find another way to deal with these threats.

Sure, maybe you can keep people from plugging their
key-fob USB flash drive into a port, or from mounting it
to the filesystem if they do, but we're close to (past?)
the point where:
- clothing buttons are digital cameras
- eyeglass frames are digital camcorders
just to name a couple of obvious examples. We won't even
guess what the wristwatch might actually be.

In the not too distant future, a copy machine repairman
can expect to be blasted with EMP upon entry, to
neutralize all electronic devices on their person.

Then come the photonic devices, which have no metal at all...

[BrooklynGOP]

Well, then why not make the pc case physically inaccessible?

[NotQuiteCricket]

Yeah, but what does that have to do with *bypassing passwords*? That is what has me stumped.

I completely understand USB flash drives/iPod portable hdd thing. I just don't see how any device is going to BYPASS PASSWORDS (unless you store some sort of password cracker application on it to work on admin passwords from the inside).

thanks.

[Richard Kimball]

You're right about that, and the issue they're concerned about here is employee theft. Very tough to lock down a system against the employees using it. The flash drives are probably the other banned devices the story talks about, but the iPod is a much bigger issue, as it can have up to 40 gig of storage. That makes it possible to download a complete hard drive in many instances, or entire user databases from companies. I fear all attempts at computer security are fingers in a cellophane dike. Everything is up for grabs.

[NotQuiteCricket]

I've got an extra 3 USB ports on my keyboard...but I agree that securing the hardware would go a long way to fixing this issue. (I'd think if someone were to do that, they would be sure to not have any extra USB ports outside of the secure area).

It depends on how paranoid you are about your employees. And I'd hope the military is VERY paranoid about their employees.

EMP wouldn't do anything to a device that doesn't have power running through it (I think). Also, I'm sure that if someone were to WANT to get in and get the information, they would shield their device/take counter measures.

[stuartcr]

Just go back to NT, which doesn't support USB.

[BrooklynGOP]

I've got an extra 3 USB ports on my keyboard...

Well, they should just make sure not to buy any of those keyboards, then :). Secure the back of the pc so no new devices can be plugged in (and the ones that already are, can't be pulled), and that's it.. Or just buy pc's with ps/2 connectors for keyboard/mouse and uninstall USB all together.

[Legion04]

leave it to apple, to screw things up

[D-fendr]

Yep, makin' them blasted high volume storage thingies for digitial music is really irresponsible.

[NotQuiteCricket]

Or put them in a wiring closet, or go to citrix or some other terminal application (icki, icki) where you don't really need much of a computer, just a dumb terminal.

We go forth, and then we run back the other way.

(mainframe/dumb terminal to hotrod desktop PCs that kick ass, but are insecure to server/dumb terminal).

lol

THIN CLIENT. (Wasn't that the "rage" like, 5 years ago or something?!)