IBM bans all removable storage, for all staff, everywhere

IBM has banned its staff from using removable storage devices. In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).” The advisory stated some …


  1. DavidRa
    Trollface

    I see why they would do this, but ...

    I can't wait to start trolling them - especially when it will undoubtedly come to them installing updates on a disconnected/broken device and they need to be on a USB storage device of some sort.

    In fact I can almost imagine the customer reaction to something like this - "Hi, I'm from IBM here to fix the broken XXXX. To start with, can I please use your computer to download a file from IBM and put it on a USB stick you'll have to provide, because we're not allowed to use USB storage any more". Depending on how important the repair was I'd even consider saying, "Um, no, you have a computer, figure it out".

    1. Anonymous Coward
      Anonymous Coward

      Re: I see why they would do this, but ...

      The field service guys will just carry a second miniature laptop that will be used for downloading stuff and putting it on USB sticks. If they need to download something from IBM's secure network they'll use their corporate issued laptop, and copy it over via cloud - until they block third party cloud services after someone copies sensitive material to one, leaves it open to the world, and it leaks into the wild...

      1. Daniel von Asmuth

        Re: I see why they would do this, but ...

        Who needs removable disc packs, mag tapes, paper tapes and punch cards, floppy and zip discs, MO discs, CD-ROM and DVD??

        "The field service guys will just carry a second miniature laptop"

        A laptop obviously counts as portable storage, just like cell phones, digital watches, cameras, etc. Not to mention paper, which may contain information that can be scanned and digitised. Anything weighing under 100 pounds shall be deemed portable.

    2. PM from Hell

      Deja Vu

      This feels like a return to the olden days when I had to provide an office terminal and phone for my 'on-site' engineer. TBH it's not much of a problem to provide a PC and some encrypted memory sticks for the IBMer to use if you are a medium-sized site; if you just have one server it would be ridiculous.

      Of course IBM corporately and the engineer personally would have to sign up to my computer usage policy before I could allow access.

    3. Anonymous Coward
      Anonymous Coward

      Re: I see why they would do this, but ...

      I find it interesting that Corporations will make it almost impossible for that Corporation's employees to do their work while giving contractors free range to work as they will. I, certainly, don't know that this situation will be like that; but, that is an observation I've made. I suppose it gives management a degree of separation from the issue and a reason to outsource more jobs. Plausible deniability, can't blame us it was the contractor who dropped the ball.

      1. Anonymous Coward
        Anonymous Coward

        Re: I see why they would do this, but ...

        " it was the contractor who dropped the ball."

        We were discussing* this yesterday re Hard drive Grinding-into-dust money for nothing AAA scams.

        The higher-ups said "we record the serial of every drive we gave them, so if they pop up on eBay and data is leaked, it's on them".

        "What if," says me, "a shit-ton of customer data is published (or sold) on the web by Hax-iz-uz team, and they don't have the decency to provide the serial number of the hard drive they got it off?"

        I say "we"; that was just me chiming in with my innate motivation to try to get things done properly. Nobody actually ever asks my opinion, or pays for it. I try to not give a shit, and I'm getting better at it, but I'm not there yet.

        1. Anonymous Coward
          Anonymous Coward

          Re: I see why they would do this, but ...

          Translation... Reputation risk is where someone plugs in an infected USB drive causing havoc on IBM's infrastructure. OR.... Risk that someone is going to download Information that can become an embarrassment to IBM in the near future... (e.g. downloading sensitive emails, files, etc regarding recent RIFs.)

          With respect to customer systems... they can put it on the net or allow customer to download from offsite to their own system. So that's not the issue or the risk.

          The risk is greater when you start to have people using / sharing USB drives from god knows where.

          Posted Anon because I suspect this is more about IBM trying to protect themselves from whistle blowers or leakers.

          1. Anonymous Coward
            Anonymous Coward

            Re: I see why they would do this, but ...

            Risk that someone is going to download Information that can become an embarrassment to IBM in the near future...

            IBM is quite capable of embarrassing themselves **without** USB drives. As for "financial and reputational damage"; the only 'damage' that could be done is to *improve* it. Can't go any lower when you've already hit bottom.

            But yes, I can see the impossibility of doing firmware updates without USB sticks. There are plenty of servers now that don't have USB drives. Or perhaps they'll expect them to use USB floppy drives (unless those have been banned too). I know we had to do server installs with a USB hard drive when the network provisioning server went titsup. So I guess no more server installs. Not much of a problem if they don't have customers anymore.

          2. Anonymous Coward
            Anonymous Coward

            Re: I see why they would do this, but ...

            No, this can't happen, we are only allowed to use specially supplied USB devices that can only be plugged into certified systems, so there is no risk of getting a virus from them.

            But this will cause massive issues, as we download tools, from the IBM intranet, which the customer will not have access to, so won't be able to complete repairs.

        2. Anonymous Coward
          Anonymous Coward

          Re: I see why they would do this, but ...

          I worked for an NHS trust and told them we should buy our own HDD crusher. Would work out cheaper and safer.

          I was just a 2nd line engineer. Wasn't a yes man. What do I know.

          I was ignored basically.

          I left. The HDD destroying company turned out not to be destroying the drives but flogging them on eBay. Two were purchased with patient data still on them. The trust was fined a record amount.

          Oh look. Now they've purchased the HDD crusher I originally suggested all those years ago and destroy the drives themselves.

          It's a nice feeling knowing you were right. But it's still super annoying being ignored and treated like "Shut up minion. You don't know what you're talking about".

          To this day I can't stand the culture of IT in the NHS. Maybe it's just the Trusts I've worked for.

          1. Stu Mac

            Re: I see why they would do this, but ...

            Nah I'm sure it's all of them!

          2. Anonymous Coward
            Anonymous Coward

            Re: I see why they would do this, but ...

            "Oh look. Now they've purchased the HDD crusher I originally suggested all those years ago and destroy the drives themselves."

            The problem with that, apart from being 100% effective, is that without an AAA data-destroying licence (aka licence to print money) you don't get to tick a box saying "all our hard drives are disposed of to ISO xyz123 standard", and most big companies care more about ticking boxes than the task at hand.

      2. BMG4ME

        Re: I see why they would do this, but ...

        I can't imagine it would exclude contractors. This is common practice in so many organizations including the government. My only wonder is that it's taken so long. I am an IBMer but not speaking on behalf of IBM.

    4. swschrad

      so, no tape backups? no HDA replacements?..

      after all, this is what service and maintenance IBMers do for customer sites, and they ARE removable storage....

    5. Zujar_boy

      Re: I see why they would do this, but ...

      I wouldn't be surprised if this was to stop leaking/unauthorised removal and dispersion of IP.

    6. Anonymous Coward
      Anonymous Coward

      Re: I see why they would do this, but ...

      This decision further demonstrates that IBM is being run/managed by less tech-savvy 'higher-ups', and the 'bean counters' are worming their way into every orifice in IBM. Putting in processes that are by default a significant inhibitor to efficient support, let alone making the on-site 'techie' look like a fool, is nowadays classic at this company.

  2. Dodgy Geezer Silver badge

    When USB sticks are illegal.....

    ...then only criminals will have USB sticks...

    Stand up for your constitutional rights!

    Issued by the NUA

    1. Sorry that handle is already taken. Silver badge
      Joke

      Re: When USB sticks are illegal.....

      The only way to stop a bad guy with a USB stick is a good guy with a USB stick.

      *shakes evil black USB stick*

      1. Anonymous Coward
        Anonymous Coward

        Re: When USB sticks are illegal.....

        *shakes evil black USB stick*

        I'm sorry Dave. I'm afraid your stick doesn't fit in the USB port.

        1. CrazyOldCatMan Silver badge

          Re: When USB sticks are illegal.....

          I'm afraid your stick doesn't fit in the USB port.

          Anything will go into $RANDOM_PORT if you have a big enough hammer. Of course, once in the port either party may not be in a working state but, hey, I didn't write the requirements spec..

        2. Anonymous Coward
          Anonymous Coward

          Re: When USB sticks are illegal.....

          I'm sorry Dave. I'm afraid your stick doesn't fit in the USB port.

          Must be a *Micro*-USB...

      2. Scroticus Canis
        Trollface

        Re: "The only way to stop a bad guy with a USB stick..."

        A Remington pump with a tube full of solid slugs works for most things up to Cape buffalo size.

      3. Arthur the cat Silver badge

        Re: When USB sticks are illegal.....

        *shakes evil black USB stick*

        What, one of these?

        1. mstreet
          Unhappy

          Re: When USB sticks are illegal.....

          "What, one of these?"

          Aww, what a tease...I was expecting a thumb drive in the shape of a ram-horned skull with glowing red eyes.

        2. Anonymous Coward
          Anonymous Coward

          Re: When USB sticks are illegal.....

          "The USB Killer is a CE Approved and FCC Approved testing device designed to test the surge protection circuitry of electronics to their limits - and beyond."

          FFS Someone needs a beatdown...

          1. jelabarre59

            Re: When USB sticks are illegal.....

            "The USB Killer is a CE Approved and FCC Approved testing device designed to test the surge protection circuitry of electronics to their limits - and beyond."

            The major thing I dislike about that USB "tester" is it looks far too much like a legitimate USB stick. I would want anything meant as a testing device, one that could potentially fry your electronics, to be packaged as *obviously* dangerous. Of course, they could be selling the device with a **claim** that it's for testing/validation, but really mean to sell it to less-savory parties.

            1. Tom 35

              Re: When USB sticks are illegal.....

              I can see someone having "fun" at a best buy store.

            2. Arthur the cat Silver badge
              Holmes

              Re: When USB sticks are illegal.....

              @ jelabarre59

              Of course, they could be selling the device with a **claim** that it's for testing/validation, but really mean to sell it to less-savory parties.

              See icon title text.

    2. This post has been deleted by its author

      1. pɹɐʍoɔ snoɯʎuouɐ
        Boffin

        Re: When USB sticks are illegal.....

        USB sticks don't kill people, data does...

        I think that depends on how much force is applied to said USB stick to propel it through the air; enough momentum combined with its mass can cause enough trauma to the body to expel it of necessary bioelectrical activity!!

  3. Anonymous Coward
    Anonymous Coward

    It's not for everyone but for most it could be good

    USBs are useful and sometimes critical; however, personally the last time I needed a USB at work for server room work was about 2 years ago. Sure I use them at home, but only to boot up a PC to get the O/S kick-started for an install. My shop is using cloud services more for our infrastructure, so most of the time I find myself using OneDrive and suchlike, company-certified sharing systems that can be controlled, scanned and safeguarded. The way I see it, with companies getting more "trigger happy" to fire you on the spot for the smallest thing, the less potential to get in trouble the better.

    1. katrinab Silver badge

      Re: It's not for everyone but for most it could be good

      So when you take a new server out of its box, and you need to install an operating system on it, what do you use? I've never seen a server with a "boot from OneDrive" option on it.

      1. John Brown (no body) Silver badge

        Re: It's not for everyone but for most it could be good

        "So when you take a new server out of its box, and you need to install an operating system on it, what do you use? I've never seen a server with a "boot from OneDrive" option on it."

        LAN boot? Even desktops have that as standard now.

        Having said that, I do get the point. Most of the field repairs I go to require a USB boot to run diagnostics. If the OS won't boot or the hardware is flaky enough that a full OS boot won't happen reliably, it's very useful to boot a minimal OS like FreeDOS to run HDD diags, or boot memtest86 etc. Few systems have built-in diags, which may not work anyway depending on where they are stored.

        1. Yet Another Anonymous coward Silver badge

          Re: It's not for everyone but for most it could be good

          You key in the network driver from the front panel toggle switches, like the good old days.

          1. Prst. V.Jeltz Silver badge

            Re: It's not for everyone but for most it could be good

            What next? take the spanners off the Maintenance staff?

          2. ravenviz Silver badge

            Re: It's not for everyone but for most it could be good

            Just boot from floppy disk!

      2. CrazyOldCatMan Silver badge

        Re: It's not for everyone but for most it could be good

        I've never seen a server with a "boot from OneDrive"

        No - but Macs can retrieve a fresh copy of MacOS directly over the internet[1]. Saved my bacon a few times..

        [1] Which, of course doesn't work when everything goes out through a proxy that requires authentication.

      3. Paul 129

        Re: It's not for everyone but for most it could be good

        iPXE. If you don't have it, chainload it with your standard PXE.

        Netbooting from an HTTP/HTTPS server is heaps faster than TFTP.
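        John Brown's "LAN boot" and Paul 129's "chainload iPXE, then fetch over HTTP/HTTPS" are the same procedure from two ends. The configuration below is an added worked example, not from the thread or from any poster: it assumes dnsmasq as the DHCP/TFTP server on the provisioning LAN, an iPXE build with HTTPS and image signing enabled (DOWNLOAD_PROTO_HTTPS and IMAGE_TRUST_CMD in config/general.h, with the signing certificate embedded at build time), and hypothetical hostnames and paths (boot.example.internal, /srv/tftp, /srv/www). The point to get right is the tag on option 175: without it the iPXE you just loaded is handed undionly.kpxe again and loops forever.

```conf
# --- /etc/dnsmasq.d/pxe.conf (hypothetical path; constructed example) ---
# Serve DHCP on the provisioning LAN and run dnsmasq's built-in TFTP server.
dhcp-range=192.0.2.100,192.0.2.200,12h
enable-tftp
tftp-root=/srv/tftp

# Tag the request "ipxe" when the client already runs iPXE: iPXE sends
# DHCP option 175 (its encapsulated options); a legacy PXE ROM does not.
dhcp-match=set:ipxe,175

# Client architecture (option 93): 7 = EFI x64, absent/0 = BIOS.
dhcp-match=set:efi64,option:client-arch,7

# Legacy PXE ROM, no "ipxe" tag: hand out the iPXE binary over TFTP.
dhcp-boot=tag:!ipxe,tag:!efi64,undionly.kpxe
dhcp-boot=tag:!ipxe,tag:efi64,ipxe.efi

# Already iPXE: chainload the boot script over HTTPS instead of TFTP.
dhcp-boot=tag:ipxe,https://boot.example.internal/boot.ipxe

# --- /srv/www/boot.ipxe, served at https://boot.example.internal/boot.ipxe ---
#!ipxe
# Kernel and initrd come over HTTPS, not TFTP.  The image names iPXE
# assigns are the last path component (vmlinuz, initrd.img).
kernel https://boot.example.internal/vmlinuz initrd=initrd.img inst.repo=https://boot.example.internal/os/
initrd https://boot.example.internal/initrd.img
# Refuse to boot anything not signed by the embedded trust anchor.
# imgverify needs IMAGE_TRUST_CMD; the .sig files are hypothetical names.
imgverify vmlinuz https://boot.example.internal/vmlinuz.sig
imgverify initrd.img https://boot.example.internal/initrd.img.sig
boot
```

        The two `imgverify` lines are the part a "no USB sticks" policy does not buy you for free: with plain PXE the installer is whatever answers DHCP first on that LAN, so netboot only replaces a lost-stick risk with a rogue-DHCP one unless the images are verified before they run.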

    2. Doctor Syntax Silver badge

      Re: It's not for everyone but for most it could be good

      "company certified sharing systems that can be controlled, scanned and safeguarded"

      By whom? And note that the "whom" might be different for each verb.

    3. shedied

      Re: It's not for everyone but for most it could be good

      "trigger happy" to fire you on the spot

      Didn't get the memo, did you, the one called USB kill bill?

      1. Anonymous Coward
        Anonymous Coward

        Re: It's not for everyone but for most it could be good

        Yes, while I was working at National Defense, when IMSecurity informed us of the New Rules.

        We ignored it then and will continue to do so, unless of course you're a normie (user).

  4. Meph

    First, they came for the CD-R's

    I can't help but think this is going to end poorly for them, but I guess this was always on the cards after being involved in so many data misplacement headlines.

    1. Lord Elpuss Silver badge

      Re: First, they came for the CD-R's

      " after being involved in so many data misplacement headlines"

      IBM doesn't really come to mind when I think of data misplacement disasters. UK.gov on the other hand...

    2. Adam 52 Silver badge

      Re: First, they came for the CD-R's

      If you put data on a USB stick and lose it, it's going to be found by your office cleaner, your partner or someone in the company car park. Most of whom will have no malicious intent.

      If you use an Internet facing sharing service and get the security wrong then it's available to 4 billion people and it only takes one of those to make a fuss in public for your reputation to be trashed.

      1. TonyJ

        Re: First, they came for the CD-R's

        "...If you put data on a USB stick and lose it it's going to be found by your office cleaner, your partner or someone in the company car park. Most of whom will have no malicious intent..."

        I mitigate this myself by only using a hardware encrypted USB stick. One of the ones with the little numerical pad to allow you to enter a PIN. Unplug it and it re-encrypts automagically.

        Of course at home, I have a few normal ones dotted around depending on what I need them for.

        1. Lord Elpuss Silver badge

          Re: First, they came for the CD-R's

          TonyJ which one do you have? I've been looking for one of those...

          1. TonyJ

            Re: First, they came for the CD-R's

            @Lord Elpuss - one of these https://www.amazon.co.uk/iStorage-256-4-datAshur-256-bit-encrypted/dp/B0061DBZ2C

            Not the cheapest or physically smallest USB stick by any margin but works well. Can even decrypt first, plug in and boot to one if needed.

            1. keithpeter Silver badge
              Coat

              Re: First, they came for the CD-R's

              @TonyJ: I have learned. I never knew such a device existed.

              Bought a cheaper make and will see if it is reliable.

              One employer provides RDP access to desktop. Absolutely no reason for me (as end user) to have any portable storage at all. T'other employer not as well-provisioned in IT terms (Major UK city/Crapita) so need to carry some stuff. Security cross section is losing the damned thing.

              Mine's the one with the Trusted End Node Security USB in the pocket

  5. Anonymous Coward
    Anonymous Coward

    It's going to be fun...

    patching servers that are offline with no network connections but have to be powered up and patched monthly due to contractual requirements

    collecting audit and other artefacts from systems on a regular basis from 400 segmented servers and appliances

    carrying out firmware updates in isolated networks/DMZ's (or on customers who don't have any distribution servers for firmware/driver patching)

    building ESX (and other) servers which have no removable media (for security and cost reasons) before they are added to a network

    performing disaster recovery on isolated systems because you have to recover their entire environment due to them managing security and anti-virus (badly) in-house

    1. Nick Kew

      Re: It's going to be fun...

      Indeedie. All sorts of things that smell of an impossible thing the Boss expects. Fertile ground for the likes of Dilbert, xkcd, or (best of all) a Reg Friday column such as BOFH or On Call.

      I expect we'll find that this policy, once clarified, applies only to user-writable storage. So devices like an approved read-only USB stick will be allowed for cases like this. And likely some more clarification once egg is seen on someone's face.

      What's no doubt really meant (even if someone behind the press release thinks otherwise) is naturally a "no unauthorised use" policy and a robust process for authorisation. And then somewhere down the line, fire someone for allowing authorisation to become a rubber-stamp exercise.
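      Nick Kew's reading of the policy, "no unauthorised use" plus an authorisation process, is enforceable on a Linux endpoint rather than left to a memo. The USBGuard rule set below is an added example, not from the thread, from IBM or from any poster; the vendor:product IDs and serial numbers are made up and stand in for the two approved hardware-encrypted sticks (the datAshur type TonyJ mentions). It assumes usbguard-daemon with its default ImplicitPolicyTarget=block, so anything no rule matches is blocked.

```conf
# /etc/usbguard/rules.conf (hypothetical; constructed example)
# Rules are evaluated top to bottom and the first match wins.  Whatever
# matches nothing falls through to ImplicitPolicyTarget in
# usbguard-daemon.conf, which is "block" by default.

# Plain HID devices (class 03): keyboards, mice, PIN pads.
allow with-interface equals { 03:*:* }

# The two corporate-issued, hardware-encrypted sticks, pinned by
# vendor:product ID *and* serial.  IDs and serials here are made up.
# 08:06:50 = mass storage, SCSI transparent command set, bulk-only.
allow id abcd:0001 serial "HW-ENC-0000123" with-interface equals { 08:06:50 }
allow id abcd:0001 serial "HW-ENC-0000124" with-interface equals { 08:06:50 }

# Anything else exposing a mass-storage interface (class 08), including a
# composite device that hides one next to a keyboard interface.  This is
# the rule that turns the memo into something the kernel enforces.
block with-interface one-of { 08:*:* }
```

      Two caveats a practitioner would want. The serial pin is an inventory control, not authentication: a reprogrammed controller can present any ID and serial, so this stops accidental and casual use rather than a determined attacker. And the rule set says nothing about what happens to the stick once it leaves the building, which is why pairing the allowlist with hardware encryption, as TonyJ describes, is what actually covers the "lost in the car park" case Adam 52 raises.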
