The Conficker Working Group has hailed its success in neutralising domains programmed to act as control hubs for the infamous worm, while lamenting its failure to mount a comprehensive clean-up operation against infected PCs or to bring its authors to justice. Members of the Group reflect on the long battle against the infamous …
Have we learned nothing?
And yet IT departments far and wide, from Fortune 500 companies to defense contractors to governments, still allow all workstations to read/write/execute USB sticks. (stuxnet anyone?)
In this day of ubiquitous broadband internet, smartphones, and "cloud" infrastructure, I'm having a hard time justifying the need for any type of removable media for end users.
this is the title
Ok, well, I need to move several gig of data to another computer ASAP, I don't even want to wait on the LAN, propose a quicker and more convenient way to do that a USB removeable device.
autoexec on removeable media insertion
Any OS or OS configuration which automatically executes content on a removable device or media is insecure by definition.
OK I know it shortens instructions for dumb end users when you want them to install something from a CD, but is this consequence really worth that so called advantage ?
"Ok, well, I need to move several gig of data to another computer ASAP, I don't even want to wait on the LAN."
Give me a real-world example where this makes sense.
Not everyone has gigabit connections. In fact, most probably max out at less than 200 kilobit/s when connected to the internet. I'm guessing even most LAN's out there are still 100Mb hardware, and there are few real world instances where you actually get full potential. A USB drive can move files as fast as 400Mb/s. On many LAN's it can take 20 minutes (or more) to transfer a 4.4GB iso. This is a real-world example where it would make more sense to use a USB drive, especially if you were moving all 8 Debian squeeze iso's for instance. For most people if they need to take home a 2GB folder then USB drives are the only option. Getting rid of USB drive capabilities is not an option.
here's an example
A significant member of your organization's PC won't boot, you've pulled the HDD out and slaved to in another to get the data, and swapped in a temp PC for the worker. Obviously they've saved all their data locally as they are told not too and the longer it takes you to get them up and running the more earache you'll be getting.
This is only one example, but the generic case is "I need to move a large amount of data as quickly as possible", currently USB removable is the most convenient, even if not always the fastest.
There is no need to disable the ability to access the USB. It is enough to disable Autorun and Autoplay.