back to article IBM bans all removable storage, for all staff, everywhere

IBM has banned its staff from using removable storage devices. In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).” The advisory stated some …

Page:

  1. DavidRa
    Trollface

    I see why they would do this, but ...

    I can't wait to start trolling them - especially when it will undoubtedly come to them installing updates on a disconnected/broken device and they need to be on a USB storage device of some sort.

    In fact I can almost imagine the customer reaction to something like this - "Hi, I'm from IBM here to fix the broken XXXX. To start with, can I please use your computer to download a file from IBM and put it on a USB stick you'll have to provide, because we're not allowed to use USB storage any more". Depending on how important the repair was I'd even consider saying, "Um, no, you have a computer, figure it out".

    1. DougS Silver badge

      Re: I see why they would do this, but ...

      The field service guys will just carry a second miniature laptop that will be used for downloading stuff and putting it on USB sticks. If they need to download something from IBM's secure network they'll use their corporate issued laptop, and copy it over via cloud - until they block third party cloud services after someone copies sensitive material to one, leaves it open to the world, and it leaks into the wild...

      1. Daniel von Asmuth Bronze badge

        Re: I see why they would do this, but ...

        Who needs removable disc packs, mag tapes, paper tapes and puch cards, floppy and zip discs, MO discs, CD-ROM and DVD??

        "The field service guys will just carry a second miniature laptop"

        A laptop obviously counts as portable storage, just like cell phones, digital watches, cameras, etc. Not to mention paper, which may contain information that can be scanned and digitised. Anything weighing under 100 pounds shall be deemed portable.

    2. PM from Hell

      Deja Vu

      This feels like a return to the olden days when I had to provide an office terminal and phone for my 'on-site' engineer. TBH its not much of a problem top provide a pc and some encrypted memory sticks for the IBMer to use if you are a medium sized site, if you just have one server it would be ridiculous.

      Of copurse IBM corporately and the engineer personally would have to sign up to my computer usage policy before I could allow access.

    3. Anonymous Coward
      Anonymous Coward

      Re: I see why they would do this, but ...

      I find it interesting that Corporations will make it almost impossible for that Corporation's employees to do their work while giving contractors free range to work as they will. I, certainly, don't know that this situation will be like that; but, that is an observation I've made. I suppose it gives management a degree of separation from the issue and a reason to outsource more jobs. Plausible deniability, can't blame us it was the contractor who dropped the ball.

      1. Anonymous Coward
        Anonymous Coward

        Re: I see why they would do this, but ...

        " it was the contractor who dropped the ball."

        We were discussing* this yesterday re Hard drive Grinding-into-dust money for nothing AAA scams.

        The higher ups said "we record serial of every drive we gave them , so if they pop up on ebay , and data is leaked its on them"

        "What if" says me "a shit-ton of customer data is published (or sold) on the web by Hax-iz-uz team , and they dont have the decency to provide the serial number of the hard drive they got it off?"

        I say "we" , that was just me chiming in with my innate motivation to try to get things done properly . nobody actually ever asks my opinion , or pays for it . I try to not give a shit , and im getting better at it , but im not there yet.

        1. Anonymous Coward
          Anonymous Coward

          Re: I see why they would do this, but ...

          Translation... Reputation risk is where someone plugs in an infected USB drive causing havoc on IBM's infrastructure. OR.... Risk that someone is going to download Information that can become an embarrassment to IBM in the near future... (e.g. downloading sensitive emails, files, etc regarding recent RIFs.)

          With respect to customer systems... they can put it on the net or allow customer to download from offsite to their own system. So that's not the issue or the risk.

          The risk is greater when you start to have people using / sharing USB drives from god knows where.

          Posted Anon because I suspect this is more about IBM trying to protect themselves from whistle blowers or leakers.

          1. Anonymous Coward
            Anonymous Coward

            Re: I see why they would do this, but ...

            Risk that someone is going to download Information that can become an embarrassment to IBM in the near future...

            IBM is quite capable of embarrassing themselves **without** USB drives. As for "financial and reputational damage"; the only 'damage' that could be done is to *improve* it. Can't go any lower when you've already hit bottom.

            But yes, I can see the impossibility of doing firmware updates without USB sticks. There are plenty of servers now that don't have USB drives. Or perhaps they'll expect them to use USB floppy drives (unless those have been banned too). I know we had to do server installs with a USB hard drive when the network provisioning server went titsup. So I guess no more server installs. Not much of a problem if they don't have customers anymore.

          2. Anonymous Coward
            Anonymous Coward

            Re: I see why they would do this, but ...

            No, this can't happen, we are only allowed to use specially supplied usb devices that can only be plugged into certified systems, so there is no risk of getting a virus from them.

            But this will cause massive issues, as we download tools, from the IBM intranet, which the customer will not have access to, so won't be able to complete repairs.

        2. Anonymous Coward
          Anonymous Coward

          Re: I see why they would do this, but ...

          I worked for an NHS trust and told them we should buy our own hdd crusher. Would work out cheaper and safer.

          I was just a 2nd line engineer. Wasn't a yes man. What do I know.

          I was ignored basically.

          I left. The HDD destroying company turns out wasn't destroying the drives but flogging on eBay. Two were purchased with patient data still on them. The trust was fined a record amount.

          Oh look. Now they purchased the HDD crusher In originally suggested all those years ago and destroy the drives themselves.

          It's a nice feeling knowing you were right. But it's still super annoying being ignored and treated like "Shut up minion. You don't know what you're talking about".

          To this day I can't stand the culture of IT in the NHS. Maybe it's just the Trusts I've worked for.

          1. Stu Mac

            Re: I see why they would do this, but ...

            Nah I'm sure it's all of them!

          2. Anonymous Coward
            Anonymous Coward

            Re: I see why they would do this, but ...

            "Oh look. Now they purchased the HDD crusher In originally suggested all those years ago and destroy the drives themselves."

            The problem with that is , apart from being 100% effective , is that without an AAA data destroying licence (aka licence to print money) you dont get to tick a box saying "all our hard drives are disposed of to ISO xyz123 standard , and most big companies care more about ticking boxes than the task at hand.

      2. BMG4ME

        Re: I see why they would do this, but ...

        I can't imagine it would exclude contractors. This is common practice in so many organizations including the government. My only wonder is that it's taken so long. I am an IBMer but not speaking on behalf of IBM.

    4. swschrad

      so, no tape backups? no HDA replacements?..

      after all, this is what service and maintenence IBMers do for customer sites, and they ARE removeable storage....

    5. Zujar_boy

      Re: I see why they would do this, but ...

      I wouldn't be surprised if this was to stop leaking/unauthorised removal and dispersion of IP.

    6. Anonymous Coward
      Anonymous Coward

      Re: I see why they would do this, but ...

      This decision further demonstrates that IBM is being run/managed by less tech savvy 'higher ups', and the 'bean counters' are worming their way into every orifice in IBM. Putting in processes that are by default a significant inhibitor to efficient support, let alone making the on-site 'techie' look like a fool is nowadays classic at this company

  2. Dodgy Geezer Silver badge

    When USB sticks are illegal.....

    ...then only criminals will have USB sticks...

    Stand up for your constitutional rights!

    Issued by the NUA

    1. Sorry that handle is already taken. Silver badge
      Joke

      Re: When USB sticks are illegal.....

      The only way to stop a bad guy with a USB stick is a good guy with a USB stick.

      *shakes evil black USB stick*

      1. Anonymous Coward
        Anonymous Coward

        Re: When USB sticks are illegal.....

        *shakes evil black USB stick*

        I'm sorry Dave. I'm afraid your stick doesn't fit in the USB port.

        1. CrazyOldCatMan Silver badge

          Re: When USB sticks are illegal.....

          I'm afraid your stick doesn't fit in the USB port.

          Anything will go into $RANDOM_PORT if you have a big enough hammer. Of course, once in the port either party may not be in a working state but, hey, I didn't write the requirements spec..

        2. Anonymous Coward
          Anonymous Coward

          Re: When USB sticks are illegal.....

          I'm sorry Dave. I'm afraid your stick doesn't fit in the USB port.

          Must be a *Micro*-USB...

      2. Scroticus Canis Silver badge
        Trollface

        Re: "The only way to stop a bad guy with a USB stick..."

        A Remington pump with a tube full of solid slugs works for most things up to Cape buffalo size.

      3. Arthur the cat Silver badge

        Re: When USB sticks are illegal.....

        *shakes evil black USB stick*

        What, one of these?

        1. mstreet
          Unhappy

          Re: When USB sticks are illegal.....

          "What, one of these?"

          Aww, what a tease...I was expecting a thumb drive in the shape of a ram-horned skull with glowing red eyes.

        2. Anonymous Coward
          Anonymous Coward

          Re: When USB sticks are illegal.....

          "The USB Killer is a CE Approved and FCC Approved testing device designed to test the surge protection circuitry of electronics to their limits - and beyond."

          FFS Someone needs a beatdown...

          1. jelabarre59 Silver badge

            Re: When USB sticks are illegal.....

            "The USB Killer is a CE Approved and FCC Approved testing device designed to test the surge protection circuitry of electronics to their limits - and beyond."

            The major thing I dislike about that USB "tester" is it looks far too much like a legitimate USB stick. I would want anything meant as a testing device, one that could potentially fry your electronics, to be packaged as *obviously* dangerous. Of course, they could be selling the device with a **claim** that it's for testing/validation, but really mean to sell it to less-savory parties.

            1. Tom 35 Silver badge

              Re: When USB sticks are illegal.....

              I can see someone having "fun" at a best buy store.

            2. Arthur the cat Silver badge
              Holmes

              Re: When USB sticks are illegal.....

              @ jelabarre59

              Of course, they could be selling the device with a **claim** that it's for testing/validation, but really mean to sell it to less-savory parties.

              See icon title text.

    2. Symon Silver badge
      Childcatcher

      Re: When USB sticks are illegal.....

      USB sticks don't kill people, data does...

      1. pɹɐʍoɔ snoɯʎuouɐ
        Boffin

        Re: When USB sticks are illegal.....

        USB sticks don't kill people, data does...

        I think that depends how much force is applied to said USB stick to propel it through the air with enough momentum combined with its mass can cause enough trauma to the body to expel it of necessary bioelectrical activity !!

  3. Anonymous Coward
    Anonymous Coward

    It's not for everyone but for most it could be good

    USBs are useful and sometimes critical however personally the last time I needed a USB at work for a server room work was about 2 years ago. Sure I use them at home but only to boot up a PC to get the O/S kick started for an install. My shop is using cloud services more for our infrastructure so most of the time I find myself using OneDrive and such like, company certified sharing systems that can be controlled, scanned and safeguarded. The way I see it, with companies getting more "trigger happy" to fire you on the spot for the smallest thing, the less potential to get in trouble the better.

    1. katrinab Silver badge

      Re: It's not for everyone but for most it could be good

      So when you take a new server out of its box, and you need to install an operating system on it, what do you use? I've never seen a server with a "boot from OneDrive" option on it.

      1. John Brown (no body) Silver badge

        Re: It's not for everyone but for most it could be good

        "So when you take a new server out of its box, and you need to install an operating system on it, what do you use? I've never seen a server with a "boot from OneDrive" option on it."

        LAN boot? Even desktops have that as standard now.

        Having said that, I do get the point. Most of the field repairs I go to require a USB boot to run diagnostics. If the OS won't boot or the hardware is flaky enough that a full OS boot won't happen reliably, it's very useful to boot a minimal OS like FreeDOS to run HDD diags, or boot memtest86 etc. Few systems have built-in diags, which may not work anyway depending on where they are stored

        1. Yet Another Anonymous coward Silver badge

          Re: It's not for everyone but for most it could be good

          You key in the network driver from the front panel toggle switches - like the good old days

          1. Prst. V.Jeltz Silver badge

            Re: It's not for everyone but for most it could be good

            What next? take the spanners off the Maintenance staff?

          2. ravenviz Silver badge

            Re: It's not for everyone but for most it could be good

            Just boot from floppy disk!

      2. CrazyOldCatMan Silver badge

        Re: It's not for everyone but for most it could be good

        I've never seen a server with a "boot from OneDrive"

        No - but Macs can retrieve a fresh copy of MacOS directly over the internet[1]. Saved my bacon a few times..

        [1] Which, of course doesn't work when everything goes out through a proxy that requires authentication.

      3. Paul 129

        Re: It's not for everyone but for most it could be good

        iPXE. If you don't have it, chainload it, with your standard PXE.

        netbooting from a http/https server is heaps faster than tftp

    2. Doctor Syntax Silver badge

      Re: It's not for everyone but for most it could be good

      "company certified sharing systems that can be controlled, scanned and safeguarded"

      By whom? And note that the "whom" might be different for each verb.

    3. shedied

      Re: It's not for everyone but for most it could be good

      "trigger happy" to fire you on the spot

      Didn't get the memo, did you, the one called USB kill bill?

      1. Anonymous Coward
        Anonymous Coward

        Re: It's not for everyone but for most it could be good

        Yes, while I was working at National Denfense we IMSecurity informed us of the New Rules.

        We ignore it then and will continue to do so, unless of course you're a normie (user).

  4. Meph

    First, they came for the CD-R's

    I can't help but think this is going to end poorly for them, but I guess this was always on the cards after being involved in so many data misplacement headlines.

    1. Lord Elpuss Silver badge

      Re: First, they came for the CD-R's

      " after being involved in so many data misplacement headlines"

      IBM doesn't really come to mind when I think of data misplacement disasters. UK.gov on the other hand...

    2. Adam 52 Silver badge

      Re: First, they came for the CD-R's

      If you put data on a USB stick and lose it it's going to be found by your office cleaner, your partner or someone in the company car park. Most of whom will have no malicious intent.

      If you use an Internet facing sharing service and get the security wrong then it's available to 4 billion people and it only takes one of those to make a fuss in public for your reputation to be trashed.

      1. TonyJ Silver badge

        Re: First, they came for the CD-R's

        "...If you put data on a USB stick and lose it it's going to be found by your office cleaner, your partner or someone in the company car park. Most of whom will have no malicious intent..."

        I mitigate this myself by only using a hardware encrypted USB stick. One of the ones with the little numerical pad to allow you to enter a PIN. Unplug it and it re-encrypts automagically.

        Of course at home, I have a few normal ones dotted around depending on what I need them for.

        1. Lord Elpuss Silver badge

          Re: First, they came for the CD-R's

          TonyJ which one do you have? I've been looking for one of those...

          1. TonyJ Silver badge

            Re: First, they came for the CD-R's

            @Lord Elpuss - one of these https://www.amazon.co.uk/iStorage-256-4-datAshur-256-bit-encrypted/dp/B0061DBZ2C

            Not the cheapest or physically smallest USB stick by any margin but works well. Can even decrypt first, plug in and boot to one if needed.

            1. keithpeter
              Coat

              Re: First, they came for the CD-R's

              @TonyJ: I have learned. I never knew such a device existed.

              Bought a cheaper make and will see if it is reliable.

              One employer provides rdp access to desktop. Absolutely no reason for me (as end user) to have any portable storage at all. T'other employer not as well-provisioned in IT terms (Major UK city/Crapita) so need to carry some stuff. Security cross section is losing the damned thing.

              Mines the one with the Trusted End Node Security USB in the pocket

  5. Anonymous Coward
    Anonymous Coward

    It's going to be fun...

    patching servers that are offline with no network connections but have to be powered up and patched monthly due contractual requirements.

    collecting audit and other artefacts from systems on a regular basis from 400 segmented servers and appliances

    carrying out firmware updates in isolated networks/DMZ's (or on customers who don't have any distribution servers for firmware/driver patching)

    building ESX (and other) servers which have no removable media (for security and cost reasons) before they are added to a network

    performing disaster recovery on isolated systems because you have to recover their entire environment due to them managing security and anti-virus (badly) in-house

    1. Nick Kew Silver badge

      Re: It's going to be fun...

      Indeedie. All sorts of things that smell of an impossible thing the Boss expects. Fertile ground for the likes of Dilbert, xkcd, or (best of all) a Reg Friday column such as BOFH or On Call.

      I expect we'll find that this policy, once clarified, applies only to user-writable storage. So devices like an approved read-only USB stick will be allowed for cases like this. And likely some more clarification once egg is seen on someone's face.

      What's no doubt really meant (even if someone behind the press release thinks otherwise) is naturally a "no unauthorised use" policy and a robust process for authorisation. And then somewhere down the line, fire someone for allowing authorisation to become a rubber-stamp exercise.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019