IBM bans all removable storage, for all staff, everywhere

IBM has banned its staff from using removable storage devices. In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).” The advisory stated some …

  1. DavidRa
    Trollface

    I see why they would do this, but ...

    I can't wait to start trolling them - especially when it will undoubtedly come to them installing updates on a disconnected/broken device and they need to be on a USB storage device of some sort.

    In fact I can almost imagine the customer reaction to something like this - "Hi, I'm from IBM here to fix the broken XXXX. To start with, can I please use your computer to download a file from IBM and put it on a USB stick you'll have to provide, because we're not allowed to use USB storage any more". Depending on how important the repair was I'd even consider saying, "Um, no, you have a computer, figure it out".

    1. DougS Silver badge

      Re: I see why they would do this, but ...

      The field service guys will just carry a second miniature laptop that will be used for downloading stuff and putting it on USB sticks. If they need to download something from IBM's secure network they'll use their corporate issued laptop, and copy it over via cloud - until they block third party cloud services after someone copies sensitive material to one, leaves it open to the world, and it leaks into the wild...

      1. Daniel von Asmuth Bronze badge

        Re: I see why they would do this, but ...

        Who needs removable disc packs, mag tapes, paper tapes and punch cards, floppy and zip discs, MO discs, CD-ROM and DVD??

        "The field service guys will just carry a second miniature laptop"

        A laptop obviously counts as portable storage, just like cell phones, digital watches, cameras, etc. Not to mention paper, which may contain information that can be scanned and digitised. Anything weighing under 100 pounds shall be deemed portable.

    2. PM from Hell

      Deja Vu

      This feels like a return to the olden days when I had to provide an office terminal and phone for my 'on-site' engineer. TBH it's not much of a problem to provide a PC and some encrypted memory sticks for the IBMer to use if you are a medium sized site; if you just have one server it would be ridiculous.

      Of course IBM corporately and the engineer personally would have to sign up to my computer usage policy before I could allow access.

    3. Anonymous Coward

      Re: I see why they would do this, but ...

      I find it interesting that corporations will make it almost impossible for that corporation's employees to do their work while giving contractors free rein to work as they will. I certainly don't know that this situation will be like that, but that is an observation I've made. I suppose it gives management a degree of separation from the issue and a reason to outsource more jobs. Plausible deniability: can't blame us, it was the contractor who dropped the ball.

      1. Anonymous Coward

        Re: I see why they would do this, but ...

        " it was the contractor who dropped the ball."

        We were discussing* this yesterday re hard-drive-grinding-into-dust, money-for-nothing AAA scams.

        The higher-ups said "we record the serial of every drive we give them, so if they pop up on eBay and data is leaked it's on them."

        "What if," says me, "a shit-ton of customer data is published (or sold) on the web by the Hax-iz-uz team, and they don't have the decency to provide the serial number of the hard drive they got it off?"

        * I say "we"; that was just me chiming in with my innate motivation to try to get things done properly. Nobody actually ever asks my opinion, or pays for it. I try to not give a shit, and I'm getting better at it, but I'm not there yet.

        1. Anonymous Coward

          Re: I see why they would do this, but ...

          Translation... Reputation risk is where someone plugs in an infected USB drive causing havoc on IBM's infrastructure. OR.... Risk that someone is going to download Information that can become an embarrassment to IBM in the near future... (e.g. downloading sensitive emails, files, etc regarding recent RIFs.)

          With respect to customer systems... they can put it on the net or allow customer to download from offsite to their own system. So that's not the issue or the risk.

          The risk is greater when you start to have people using / sharing USB drives from god knows where.

          Posted Anon because I suspect this is more about IBM trying to protect themselves from whistle blowers or leakers.

          1. Anonymous Coward

            Re: I see why they would do this, but ...

            Risk that someone is going to download Information that can become an embarrassment to IBM in the near future...

            IBM is quite capable of embarrassing themselves **without** USB drives. As for "financial and reputational damage"; the only 'damage' that could be done is to *improve* it. Can't go any lower when you've already hit bottom.

            But yes, I can see the impossibility of doing firmware updates without USB sticks. There are plenty of servers now that don't have USB drives. Or perhaps they'll expect them to use USB floppy drives (unless those have been banned too). I know we had to do server installs with a USB hard drive when the network provisioning server went titsup. So I guess no more server installs. Not much of a problem if they don't have customers anymore.

          2. Anonymous Coward

            Re: I see why they would do this, but ...

            No, this can't happen, we are only allowed to use specially supplied usb devices that can only be plugged into certified systems, so there is no risk of getting a virus from them.

            But this will cause massive issues, as we download tools, from the IBM intranet, which the customer will not have access to, so won't be able to complete repairs.

        2. Anonymous Coward

          Re: I see why they would do this, but ...

          I worked for an NHS trust and told them we should buy our own hdd crusher. Would work out cheaper and safer.

          I was just a 2nd line engineer. Wasn't a yes man. What do I know.

          I was ignored basically.

          I left. The HDD destroying company, it turns out, wasn't destroying the drives but flogging them on eBay. Two were purchased with patient data still on them. The trust was fined a record amount.

          Oh look. Now they've purchased the HDD crusher I originally suggested all those years ago and destroy the drives themselves.

          It's a nice feeling knowing you were right. But it's still super annoying being ignored and treated like "Shut up minion. You don't know what you're talking about".

          To this day I can't stand the culture of IT in the NHS. Maybe it's just the Trusts I've worked for.

          1. Stu Mac

            Re: I see why they would do this, but ...

            Nah I'm sure it's all of them!

          2. Anonymous Coward

            Re: I see why they would do this, but ...

            "Oh look. Now they purchased the HDD crusher In originally suggested all those years ago and destroy the drives themselves."

            The problem with that, apart from it being 100% effective, is that without an AAA data-destroying licence (aka licence to print money) you don't get to tick a box saying "all our hard drives are disposed of to ISO xyz123 standard", and most big companies care more about ticking boxes than the task at hand.

      2. BMG4ME

        Re: I see why they would do this, but ...

        I can't imagine it would exclude contractors. This is common practice in so many organizations including the government. My only wonder is that it's taken so long. I am an IBMer but not speaking on behalf of IBM.

    4. swschrad

      so, no tape backups? no HDA replacements?..

      after all, this is what service and maintenance IBMers do for customer sites, and they ARE removable storage....

    5. Zujar_boy

      Re: I see why they would do this, but ...

      I wouldn't be surprised if this was to stop leaking/unauthorised removal and dispersion of IP.

    6. Anonymous Coward

      Re: I see why they would do this, but ...

      This decision further demonstrates that IBM is being run/managed by less tech savvy 'higher ups', and the 'bean counters' are worming their way into every orifice in IBM. Putting in processes that are by default a significant inhibitor to efficient support, let alone making the on-site 'techie' look like a fool, is nowadays classic at this company.

  2. Dodgy Geezer Silver badge

    When USB sticks are illegal.....

    ...then only criminals will have USB sticks...

    Stand up for your constitutional rights!

    Issued by the NUA

    1. Sorry that handle is already taken. Silver badge
      Joke

      Re: When USB sticks are illegal.....

      The only way to stop a bad guy with a USB stick is a good guy with a USB stick.

      *shakes evil black USB stick*

      1. Anonymous Coward

        Re: When USB sticks are illegal.....

        *shakes evil black USB stick*

        I'm sorry Dave. I'm afraid your stick doesn't fit in the USB port.

        1. CrazyOldCatMan Silver badge

          Re: When USB sticks are illegal.....

          I'm afraid your stick doesn't fit in the USB port.

          Anything will go into $RANDOM_PORT if you have a big enough hammer. Of course, once in the port either party may not be in a working state but, hey, I didn't write the requirements spec..

      2. Anonymous Coward

          Re: When USB sticks are illegal.....

          I'm sorry Dave. I'm afraid your stick doesn't fit in the USB port.

          Must be a *Micro*-USB...

      2. Scroticus Canis
        Trollface

        Re: "The only way to stop a bad guy with a USB stick..."

        A Remington pump with a tube full of solid slugs works for most things up to Cape buffalo size.

      3. Arthur the cat Silver badge

        Re: When USB sticks are illegal.....

        *shakes evil black USB stick*

        What, one of these?

        1. mstreet
          Unhappy

          Re: When USB sticks are illegal.....

          "What, one of these?"

          Aww, what a tease...I was expecting a thumb drive in the shape of a ram-horned skull with glowing red eyes.

        2. Anonymous Coward

          Re: When USB sticks are illegal.....

          "The USB Killer is a CE Approved and FCC Approved testing device designed to test the surge protection circuitry of electronics to their limits - and beyond."

          FFS Someone needs a beatdown...

          1. jelabarre59 Silver badge

            Re: When USB sticks are illegal.....

            "The USB Killer is a CE Approved and FCC Approved testing device designed to test the surge protection circuitry of electronics to their limits - and beyond."

            The major thing I dislike about that USB "tester" is it looks far too much like a legitimate USB stick. I would want anything meant as a testing device, one that could potentially fry your electronics, to be packaged as *obviously* dangerous. Of course, they could be selling the device with a **claim** that it's for testing/validation, but really mean to sell it to less-savory parties.

            1. Tom 35 Silver badge

              Re: When USB sticks are illegal.....

              I can see someone having "fun" at a best buy store.

            2. Arthur the cat Silver badge
              Holmes

              Re: When USB sticks are illegal.....

              @ jelabarre59

              Of course, they could be selling the device with a **claim** that it's for testing/validation, but really mean to sell it to less-savory parties.

              See icon title text.

    2. Symon Silver badge
      Childcatcher

      Re: When USB sticks are illegal.....

      USB sticks don't kill people, data does...

      1. pɹɐʍoɔ snoɯʎuouɐ
        Boffin

        Re: When USB sticks are illegal.....

        USB sticks don't kill people, data does...

        I think that depends on how much force is applied to said USB stick to propel it through the air: enough momentum, combined with its mass, can cause enough trauma to the body to expel it of necessary bioelectrical activity!!

  3. Anonymous Coward

    It's not for everyone but for most it could be good

    USBs are useful and sometimes critical; however, personally the last time I needed a USB at work for server room work was about 2 years ago. Sure I use them at home but only to boot up a PC to get the O/S kick started for an install. My shop is using cloud services more for our infrastructure so most of the time I find myself using OneDrive and such like, company certified sharing systems that can be controlled, scanned and safeguarded. The way I see it, with companies getting more "trigger happy" to fire you on the spot for the smallest thing, the less potential to get in trouble the better.

    1. katrinab Silver badge

      Re: It's not for everyone but for most it could be good

      So when you take a new server out of its box, and you need to install an operating system on it, what do you use? I've never seen a server with a "boot from OneDrive" option on it.

      1. John Brown (no body) Silver badge

        Re: It's not for everyone but for most it could be good

        "So when you take a new server out of its box, and you need to install an operating system on it, what do you use? I've never seen a server with a "boot from OneDrive" option on it."

        LAN boot? Even desktops have that as standard now.

        Having said that, I do get the point. Most of the field repairs I go to require a USB boot to run diagnostics. If the OS won't boot or the hardware is flaky enough that a full OS boot won't happen reliably, it's very useful to boot a minimal OS like FreeDOS to run HDD diags, or boot memtest86 etc. Few systems have built-in diags, which may not work anyway depending on where they are stored.

        1. Yet Another Anonymous coward Silver badge

          Re: It's not for everyone but for most it could be good

          You key in the network driver from the front panel toggle switches - like the good old days

          1. Prst. V.Jeltz Silver badge

            Re: It's not for everyone but for most it could be good

            What next? take the spanners off the Maintenance staff?

          2. ravenviz

            Re: It's not for everyone but for most it could be good

            Just boot from floppy disk!

      2. CrazyOldCatMan Silver badge

        Re: It's not for everyone but for most it could be good

        I've never seen a server with a "boot from OneDrive"

        No - but Macs can retrieve a fresh copy of MacOS directly over the internet[1]. Saved my bacon a few times..

        [1] Which, of course doesn't work when everything goes out through a proxy that requires authentication.

      3. Paul 129

        Re: It's not for everyone but for most it could be good

        iPXE. If you don't have it, chainload it, with your standard PXE.

        netbooting from a http/https server is heaps faster than tftp

    2. Doctor Syntax Silver badge

      Re: It's not for everyone but for most it could be good

      "company certified sharing systems that can be controlled, scanned and safeguarded"

      By whom? And note that the "whom" might be different for each verb.

    3. shedied

      Re: It's not for everyone but for most it could be good

      "trigger happy" to fire you on the spot

      Didn't get the memo, did you, the one called USB kill bill?

      1. Anonymous Coward

        Re: It's not for everyone but for most it could be good

        Yes, while I was working at National Defense, IMSecurity informed us of the New Rules.

        We ignore it then and will continue to do so, unless of course you're a normie (user).

  4. Meph

    First, they came for the CD-R's

    I can't help but think this is going to end poorly for them, but I guess this was always on the cards after being involved in so many data misplacement headlines.

    1. Lord Elpuss Silver badge

      Re: First, they came for the CD-R's

      " after being involved in so many data misplacement headlines"

      IBM doesn't really come to mind when I think of data misplacement disasters. UK.gov on the other hand...

    2. Adam 52 Silver badge

      Re: First, they came for the CD-R's

      If you put data on a USB stick and lose it, it's going to be found by your office cleaner, your partner or someone in the company car park. Most of whom will have no malicious intent.

      If you use an Internet facing sharing service and get the security wrong then it's available to 4 billion people and it only takes one of those to make a fuss in public for your reputation to be trashed.

      1. TonyJ Silver badge

        Re: First, they came for the CD-R's

        "...If you put data on a USB stick and lose it it's going to be found by your office cleaner, your partner or someone in the company car park. Most of whom will have no malicious intent..."

        I mitigate this myself by only using a hardware encrypted USB stick. One of the ones with the little numerical pad to allow you to enter a PIN. Unplug it and it re-encrypts automagically.

        Of course at home, I have a few normal ones dotted around depending on what I need them for.

        1. Lord Elpuss Silver badge

          Re: First, they came for the CD-R's

          TonyJ which one do you have? I've been looking for one of those...

          1. TonyJ Silver badge

            Re: First, they came for the CD-R's

            @Lord Elpuss - one of these https://www.amazon.co.uk/iStorage-256-4-datAshur-256-bit-encrypted/dp/B0061DBZ2C

            Not the cheapest or physically smallest USB stick by any margin but works well. Can even decrypt first, plug in and boot to one if needed.

            1. keithpeter
              Coat

              Re: First, they came for the CD-R's

              @TonyJ: I have learned. I never knew such a device existed.

              Bought a cheaper make and will see if it is reliable.

              One employer provides rdp access to desktop. Absolutely no reason for me (as end user) to have any portable storage at all. T'other employer not as well-provisioned in IT terms (Major UK city/Crapita) so need to carry some stuff. Security cross section is losing the damned thing.

              Mine's the one with the Trusted End Node Security USB in the pocket.

  5. Anonymous Coward

    It's going to be fun...

    patching servers that are offline with no network connections but have to be powered up and patched monthly due contractual requirements.

    collecting audit and other artefacts from systems on a regular basis from 400 segmented servers and appliances

    carrying out firmware updates in isolated networks/DMZ's (or on customers who don't have any distribution servers for firmware/driver patching)

    building ESX (and other) servers which have no removable media (for security and cost reasons) before they are added to a network

    performing disaster recovery on isolated systems because you have to recover their entire environment due to them managing security and anti-virus (badly) in-house

    1. Nick Kew Silver badge

      Re: It's going to be fun...

      Indeedie. All sorts of things that smell of an impossible thing the Boss expects. Fertile ground for the likes of Dilbert, xkcd, or (best of all) a Reg Friday column such as BOFH or On Call.

      I expect we'll find that this policy, once clarified, applies only to user-writable storage. So devices like an approved read-only USB stick will be allowed for cases like this. And likely some more clarification once egg is seen on someone's face.

      What's no doubt really meant (even if someone behind the press release thinks otherwise) is naturally a "no unauthorised use" policy and a robust process for authorisation. And then somewhere down the line, fire someone for allowing authorisation to become a rubber-stamp exercise.

      1. Anonymous Coward

        Re: It's going to be fun...

        I expect we'll find that this policy, once clarified, applies only to user-writable storage. So devices like an approved read-only USB stick will be allowed for cases like this. And likely some more clarification once egg is seen on someone's face.

        Sure, they'll provide firmware updates on read-only USB sticks. Of course, your department will probably be on one of the numerous spending freezes IBM likes to impose (what, you think you'd get it for free? No way, buddy, cough up those BlueDollars, or even better GreenDollars). Even if you COULD get them, it will have to go through the IBM requisition process, so don't expect to have that server back up for another 10 days.

    2. Prst. V.Jeltz Silver badge

      Re: It's going to be fun...

      "400 segmented servers and appliances"

      I don't know your situation, but if you're wandering round with a USB stick sticking it into 400 things I'm sure you're missing a trick.

      1. Anonymous Coward

        Re: It's going to be fun...

        Customer mandate for some servers and appliances mostly due to govt regulation (and their design choices as they decided to do the design in-house and the implementers did exactly what they were paid to implement without question as it became a 'BAU problem' after the project team walked away.) Fortunately the locked down config and the appliances only having vendor authorised patches installed minimises the work on those boxes (Meltdown/Spectre were the first patches put on the majority of the appliances in 12 months.) When the call goes out to patch them we've normally got to pull in locals wherever we can (who have had the appropriate clearance for the customer.) Of course, nowadays there are so few locals left they flew over offshore guys to work on the patching. Fun times.

  6. Phil Kingston Silver badge

    No real drama for firmware USB uploads etc... just clarify that such software is distinct from "data" in their memo of "expanding the practise of prohibiting data transfer to all removable portable storage devices". BAU for booting/updating.

    1. Anonymous Coward

      Unfortunately, the PHBs make no distinction between 'data' and firmware, patch updates etc. I'm expecting the Workstation Security Tool to start searching IBMers' system logs for the presence of USB devices and flagging them as transgressing policy.

      Privileged users (anyone with admin access to IBM or customer equipment) already aren't allowed to connect USB storage devices to their IBM issued equipment - that includes charging your phone from your laptop while on an 8-hour teleconference working on an issue with other teams and vendors - a privileged user got written up for that on the basis the phone has storage.

      Privileged users are also selected for random audits of their machines for transgressions including connecting USB devices, images (unless part of the OS, application), sound files, not allowed to browse the internet from your work machine (not allowed to use private browsing, not allowed to clear browser cache) and so on. I've been selected for 'random' audits 3 times in 3 years and been clean each time because for researching problems, downloading patches I use my own personal laptop. (I use my own mobile broadband - rule number 27 - no IBMer's personal device is allowed to be connected to the IBM network unless it's been authorized using BYOD policy, registered and running approved IBM tools.)

      If I were to use my IBM issued laptop to transfer firmware/drivers/patches to a USB device, I have to get prior approval from 1st line manager, documented as well as why etc. I'd also have to explain to an internal auditor why I have a USB storage device registered as having connected 6 months before or why there are graphics ads from a google served page for a search I did because I couldn't use IBM's internal search tool to find the particular update I was looking for because they changed the page location for the 3rd time in 2 months...

      We had a workstation that we could use for pulling updates and copying firmware/drivers/patches/ISOs if we were onsite but it was removed as a cost saving measure - is this device used daily by someone? No? Remove it, no correspondence will be entered into.
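The audit the commenter above expects, searching system logs for USB devices, is straightforward to sketch. The following is an added example (not IBM's Workstation Security Tool or any vendor's code): it parses dmesg-style messages from the Linux USB core and the usb-storage driver and reports, per port, which device identity actually claimed a mass-storage interface, so that a phone plugged in to charge is reported as a USB device but not as USB storage. The log lines in SAMPLE_LOG are constructed; vendor/product ids and serials are placeholders.

```python
"""Spot USB storage attachments in Linux kernel log lines.

Added example, not IBM's Workstation Security Tool or any vendor code. It
parses dmesg-style messages from the USB core and the usb-storage driver and
reports, per port, which device identity claimed a mass-storage interface.
SAMPLE_LOG is constructed (vendor/product ids and serials are placeholders).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = """\
[  101.001] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[  101.150] usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[  101.150] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  101.150] usb 1-1: Product: Flash Drive
[  101.150] usb 1-1: SerialNumber: 4C5300012304
[  101.200] usb-storage 1-1:1.0: USB Mass Storage device detected
[  102.300] sd 6:0:0:0: [sdb] 60063744 512-byte logical blocks: (30.8 GB/28.6 GiB)
[  250.001] usb 1-2: new high-speed USB device number 6 using xhci_hcd
[  250.120] usb 1-2: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 2.23
[  250.120] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  250.120] usb 1-2: Product: Phone
[  250.120] usb 1-2: SerialNumber: 0A1B2C3D
[  900.500] usb 1-1: USB disconnect, device number 5
"""

TS = r"\[\s*(?P<ts>\d+\.\d+)\]"
NEW_DEV = re.compile(TS + r" usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(r" usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(TS + r" usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
DISCONNECT = re.compile(TS + r" usb (?P<port>[\d.-]+): USB disconnect, device number (?P<num>\d+)")


@dataclass
class UsbSession:
    port: str
    vid: str
    pid: str
    attached_at: float
    serial: Optional[str] = None
    storage: bool = False          # usb-storage claimed an interface on this port
    detached_at: Optional[float] = None


def parse_usb_sessions(log: str) -> List[UsbSession]:
    """Walk the log in order, pairing each port's attach/detach and noting storage."""
    sessions: List[UsbSession] = []
    live: Dict[str, UsbSession] = {}   # port -> session still attached
    for line in log.splitlines():
        m = NEW_DEV.search(line)
        if m:
            s = UsbSession(m["port"], m["vid"], m["pid"], float(m["ts"]))
            live[m["port"]] = s
            sessions.append(s)
            continue
        m = SERIAL.search(line)
        if m and m["port"] in live:
            live[m["port"]].serial = m["serial"]
            continue
        m = STORAGE.search(line)
        if m and m["port"] in live:
            live[m["port"]].storage = True
            continue
        m = DISCONNECT.search(line)
        if m and m["port"] in live:
            live.pop(m["port"]).detached_at = float(m["ts"])
    return sessions


def storage_sessions(sessions: List[UsbSession]) -> List[UsbSession]:
    """Only the attachments that actually exposed a mass-storage interface."""
    return [s for s in sessions if s.storage]


def report(sessions: List[UsbSession]) -> List[str]:
    """One human-readable line per attachment, storage or not."""
    lines = []
    for s in sessions:
        kind = "STORAGE" if s.storage else "non-storage"
        end = f"{s.detached_at:.3f}" if s.detached_at is not None else "still attached"
        lines.append(f"{s.port} {s.vid}:{s.pid} serial={s.serial or '-'} {kind} "
                     f"{s.attached_at:.3f}..{end}")
    return lines


if __name__ == "__main__":
    for line in report(parse_usb_sessions(SAMPLE_LOG)):
        print(line)
```

Two caveats for anyone turning this into a control. The "USB Mass Storage device detected" line only appears when the usb-storage driver binds, so a host where that module is blacklisted, or a device claimed by another driver (the `uas` driver for UASP-capable disks is the usual case; I am assuming here that it does not emit this exact message), shows the attachment without the storage flag; the interface class from sysfs or a udev event log is the more reliable source. And kernel log lines are only evidence if they are shipped off the host, since anyone with admin rights on the laptop can clear or rotate them.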

      1. Richard 12 Silver badge

        Is it not better to aggressively obey?

        Follow the rules to the letter.

        Apologise (in writing) to the customer, perhaps giving the contact details of the authorising manager who hasn't authorised you to do the job the customer is paying for.

        Otherwise you risk being the subject of the next witch hunt.

      2. Phil Kingston Silver badge

        Mate, that sounds like a shit place to work!

        1. Anonymous Coward

          Mate, that sounds like a shit place to work!

          You haven't figured that out from the multitude of articles about them? Remember, "IBM" stands for "Idiots Become Managers".

      3. mark l 2 Silver badge

        "not allowed to browse the internet from your work machine (not allowed to use private browsing, not allowed to clear browser cache) and so on. I've been selected for 'random' audits 3 times in 3 years and been clean each time because for researching problems, downloading patches I use my own personal laptop."

        I know that businesses don't want their employees to spend all day on Facebook or looking at cat videos on YouTube but I can't believe that they have a complete blanket ban on internet use in 2018, especially for staff who work in a support role.

        Every IT job I have had going back to the 90s had at least some internet access, even if it was a filtered internet connection so some websites were blocked.

        1. John Brown (no body) Silver badge

          "I know that business don't want their employees to spend all day on Facebook or looking at cat videos on Youtube but I can't believe that they have a complete blanket ban on internet use in 2018, especially for staff who work in a support role."

          At some stage, there has to be a level of trust placed on employees if the business is to work efficiently. If the trust is abused, there are procedures to deal with it. Blanket bans almost always cause more upset and costs than trusting your staff to do their jobs.

          1. Lord Elpuss Silver badge

            "...I can't believe that they have a complete blanket ban on internet use in 2018, especially for staff who work in a support role."

            They don't have a blanket ban. Certain employees in very specific job roles (generally working with very sensitive data) may be restricted from accessing the internet on their work device, just as they would be in any other high security environment. As far as I'm aware nobody's suggesting Joe Q. 'Regular' IBMer will have internet restricted in his daily job.

        2. BMG4ME

          Just pointing out that the statement made about "not allowed to browse the internet from your work machine" doesn't apply to IBM which is one of the least restrictive companies I know when it comes to curbing or censoring employee activity on company owned PCs.

      4. GruntyMcPugh Silver badge

        @AC

        When I was at IBM being a 'privileged user' we were issued with IronKey storage, so it was encrypted. I worked from home, so used the IronKey to back up my documents and scripts. We used to get audited every now and again, to make sure we hadn't plugged in unauthorised devices too.

        This total ban seems like a bit of an over-reaction, the technology is there, USB can be disabled on devices issued to non-priv users, IronKeys can be issued to those that need them, and techies should be trusted to know better than PHBs. I guess IronKeys are deemed too expensive.

        1. Lord Elpuss Silver badge

          There's a very simple solution for this, don't mix business and pleasure. Have a separate laptop for your personal stuff, and keep the work laptop absolutely clean.

          The only reason this is a bitter pill to swallow for some is that they've become accustomed to considering their 'work' laptop as a job perk; i.e. a freebie for their own stuff.

          Where this decision causes problems with legitimate business processes e.g. firmware installs, well... that's not the employee's problem. Bounce it up the management chain, tell the client you can't do what you need to because the IBM process is broken, and copy the cybersecurity guy. 100,000 angry emails in one week tends to concentrate the mind wonderfully.

          1. jelabarre59 Silver badge

            There's a very simple solution for this, don't mix business and pleasure. Have a separate laptop for your personal stuff, and keep the work laptop absolutely clean.

            Absolutely. I work from home (not for IBM) and have my OWN machine for personal email (and posting obnoxious messages on ElReg), and about the only work-related stuff I do on the personal machine is looking up external technical reference material on occasion (gives me a 4th screen to use). Ten years ago I had been using the company laptop for personal email, but that was just after our house fire, and I didn't have anything else to use. I want it so that if I leave a job, I can readily and immediately wipe the work laptop and ship it back that day. (not that I'm planning on leaving my current job anytime soon).

      5. CrazyOldCatMan Silver badge

        IBMers system logs for the presence of USB devices and being flagged as transgressing policy

        Hmm.. I wonder if that will cover mobile phones being plugged in and then convinced to act as USB storage..

        1. Lord Elpuss Silver badge

          "Hmm.. I wonder if that will cover mobile phones being plugged in and then convinced to act as USB storage.."

          From a technical perspective, it doesn't matter whether it's a phone, HDD or USB stick. If it's presenting itself as a USB storage medium, it can be blocked.

      6. fajensen Silver badge

        Well. One is being paid to hang fairy lights round one's bum, so fairy lights on bum it is!

        And so on.

        Most work is meaningless busywork and will become even more so until “They” figure out what to do with the huge overhang of surplus workers created by decades of increasing productivity!

        Using the money wisely and investing one's ambitions / emotions in a hobby and family instead of the workplace is the only way to win.

      7. Anonymous Coward

        "Privileged users are also selected for random audits of their machines for transgressions" etc. etc.

        Dear god, are you a salaryserf or what? Why do you work under such conditions? Go freelance, make your own work and save your sanity.

        Dyed-In-The-Wool Freelancer

  7. -tim
    Trollface

    Terminology?

    Perhaps it's time to make some USB memory sticks with "USB DASD" on them and charge a small fortune for them.

    1. Flywheel Silver badge

      Re: Terminology?

      DASD ? Wow!

      Er, just help me through the door with this removal storage will ya? *puff* *pant*

      https://goo.gl/images/Ukwz9e

      1. VBF

        Re: Terminology?

        Yikes! I remember those and the drives they went into. Hateful damn things!

  8. Dacarlo
    Paris Hilton

    It's not rocket science...

    Our company introduced this policy recently. It's a unix-esque "Assume no access" and if someone specifically requires USB access they can request it. The line manager of that person then makes the case to the security team. A lone field engineer uploading an image for a customer isn't going to bring down IBM.

    Perhaps this notion is too complex for a multinational monster.

    1. Tinslave_the_Barelegged Silver badge

      Re: It's not rocket science...

      Reminds me of a time when I experienced the exact opposite. In the late 90s, the CEO of a subsidiary who had demanded something daft was ranting at me in my office about how I kept too tight a hand on tech use. In fact, he said, he knew that I had even banned the use of USB sticks. But between us, on the desk where he could see it, was a large box of USB sticks which I had just bought from my own budget, as staff always had difficulty getting them through departmental budgets, and when they needed them, helped themselves from the box.

      (Bloke only lasted a few more months. He was trying to deflect some failing harebrained scheme of his on to IT... )

      1. Waseem Alkurdi Silver badge
        Big Brother

        Re: It's not rocket science...

        (Bloke only lasted a few more months. He was trying to deflect some failing harebrained scheme of his on to IT... )

        Does it involve a terrible workplace accident with a window?

        (Icon is what I think the BOFH really looks like - would help if the Reg made us a "BOFH TV show")

      2. WallMeerkat Bronze badge

        Re: It's not rocket science...

        Late 90s USB sticks?

        Did they even exist?

        I was using zip drives til the mid 2000s, then 128mb USB sticks.

        1. englishr

          Re: It's not rocket science...

          > Late 90s USB sticks?

          > Did they even exist?

          Indeed they did; I am the proud owner of an 8MB (yes, MB) IBM branded USB stick, that wouldn't be recognised by Windows until you installed the device driver off the provided floppy...

        2. Tinslave_the_Barelegged Silver badge

          Re: It's not rocket science...

          > Late 90s USB sticks?

          Yeah, they did, but thinking about it you're right - it was the early 2000s.

    2. Prst. V.Jeltz Silver badge

      Re: It's not rocket science...

      It's not rocket science...

      Quite. I thought all enterprise-size companies did this years ago, with caveats like access when requested or, like in our case, "all USB sticks must be encrypted".

  9. HamsterNet

    We did this

    Then allowed exceptions for:

    Software because they need to do new pc builds

    Customer support and logistics as they need to send out legacy software on them

    Trial managers as the old software sends data back by usb

    Data management as they need to pull data from old systems.

    Sales and science as they need to do presentation on customers systems when ours won’t connect (surprisingly often)

    All in all it locked out only finances access.

    1. Korev Silver badge
      Thumb Up

      Re: We did this

      > All in all it locked out only finances access.

      Sounds like a Win to me

      1. Anonymous Coward
        Anonymous Coward

        Re: We did this

        Speaking as a Finances type... seems legit. Ours is (probably) the worst set of data to lose (breaching customer confidentiality AND providing market-sensitive intelligence to competitors) and we're all familiar with the idea that you should minimise the opportunities for error. No-one wants to be on the hook for a new category of potential screw-up!

        So yes, making sure that if I plug my phone in to charge the only place the electrons flow is to the battery and not file storage is Okay With Me.

  10. Anonymous Coward
    Anonymous Coward

    IBM restricts productivity via their Workstation Security Software in so many ways that I found it easier to have a 100% compliant company workstation that was there for looks and audits, and a 100% non-compliant workstation to actually get work done on.

    Sure that's bad, but when you're driven to that point, you have to question who's in.... control... IBM... bean counters.. sorry answered my own question

    1. ecofeco Silver badge

      I've said it many times. NEVER let the accountants run your business. They save you right out of business.

  11. Scott Marshall

    Big Blue has used Imation's Iron Key previously ...

    Back when I was a wage-slave to Big Blue here Down Under, because I was a "privileged user" the only desktop client I could use was a Linux (RHEL) notebook.

    We could only use (and only permitted to connect) Iron Key encrypted USB drives for any data we downloaded.

    The problem of course was that the Iron Key drives weren't usable on Solaris and AIX systems, and guess what I spent most of my time managing?

    Once again, a policy triggered by issues in the Wintel world bollixes things up for us who use/manage non-Intel platforms.

    Now, even though we weren't allowed to connect our mobile (cell) phones to the laptop USB ports, the policy at the time didn't specifically disallow Bluetooth connections!

    I've no idea what the policy says about "non-physical connectivity of external devices" now (if anything).

  12. Anonymous South African Coward Silver badge

    NeXT up - only punch cards are allowed as a viable means to transfer information around.

  13. Linker3000

    Same old...

    Me (on phone in 1990s - probably wrangling SCO UNIX): Hi support guys, this server OS doesn't recognize the optical drive properly - any thoughts?

    Support: Hmm, well there's a drivers CD in the box somewh...oh, right....OK...The driver will be downloadable from our BBS [look it up, youngsters]...that server has a built-in modem.

    Me: I can't see a modem on the devices list...?

    Support: Oh, the driver'll be on the CD..

    Me: See my problem here?

    Support: Um, yeah - but the driver will be downloadable from the BBS too...oh, yeah.

    Me: I'll just pop back to the office and fetch stuff on a floppy or three..

    Support: Hey, if the server's hooked up, why not download the drivers on another machine and copy them across the network?

    Me: There's no other machine here with a modem. Anyway, would the NIC drivers be on the CD?

    Support: Yep!....Oh!

    1. John Brown (no body) Silver badge

      Re: Same old...

      I had a similar catch-22 with a replacement RAID card once. The onboard firmware had to be upgraded before it would work in the box but that box was the only box available. The box wouldn't even boot with the card in unless the card was updated first.

      1. JQW

        Re: Same old...

        Same here with an obscure OS. Server's built-in NIC only supported once the operating system was patched, patch could only be applied from a client PC once server was connected to a LAN. The fix in this case was to connect the server to a WAN link via a serial adaptor, and then get someone at another site to login over the WAN and slowly patch the server.

        We had similar issues with storage devices only being supported once patched. One fix here was to install a slower second supported storage adaptor, re-cable the drives, install, patch, and put the cabling back. Sometimes it worked, although disk numbers would be mixed up. The other was to simply wait for the vendor to eventually get round to issuing new release media with new drivers.

        After a few years of this farce they eventually allowed hardware manufacturers to produce their own server device drivers, which were installed from floppy. Well, until the hardware vendors started bundling hardware utilities and diagnostic tools with their driver installations, causing most boot partitions to run out of space.

  14. John Hawkins

    Does the ban cover smartphones also?

    There was talk of banning USB drives at my work so I tested using my Nexus 6P as an alternative solution. Mucking around with a cable + 'phone wasn't as simple as a USB drive, but worked well enough that I've started using the setup to back some essential files up.

    Would be interesting if IBM banned all smartphones - business and private - as well.

    1. Anonymous Coward
      Anonymous Coward

      Re: Does the ban cover smartphones also?

      I have an old BB Playbook which I use for music/films/eBooks but it has an added advantage that when I connect it to my work laptop it is mapped as a network drive rather than as a USB drive

      Posting anonymously?...Oh HELL yeah

      1. John Brown (no body) Silver badge

        Re: Does the ban cover smartphones also?

        "I have an old BB Playbook which I use for music/films/eBooks but it has an added advantage that when I connect it to my work laptop it is mapped as a network drive rather than as a USB drive"

        This is why I have Total Commander file manager on my android phone with the SMB LAN add-on. It also means it's more convenient to dump stuff between the phone and server without having to boot the desktop or laptop.

    2. Waseem Alkurdi Silver badge

      Re: Does the ban cover smartphones also?

      This says something about the professionalism of the IT bods at your place ... you should really go pick on them for it!

      Another way in your case would be to reboot into a live OS and copy whatever you need to copy (that's how we do it down here with every IT bod who thinks he's smaaaaart enough!)

      A USB ban I manage would include a ban of MTP and PTP as well AND/OR a USB port block at BIOS level (one that has user account support - at least a password) AND/OR physical unplugging of USB headers.

      1. LDS Silver badge

        "A USB ban I manage would include a ban"

        Which would impact printers, scanners, cameras for videoconferencing, earphones/microphones, card readers and security tokens, etc. etc.

        You should explicitly block storage devices - it could be done, but being software, attempts to bypass it could be made.

        1. Waseem Alkurdi Silver badge

          Re: "A USB ban I manage would include a ban"

          One by one sir:

          <jokealert>

          Printers: Get a network printer.

          Scanners: Tell them to use an app off Google Play

          Cameras for videoconferencing: Quite a number of laptops have webcams connected via i2c instead of USB, and that is a problem if you're making a Hackintosh, but why the hell would you make one in a business setting?

          Card readers: Most computers and laptops have PCI-connected card readers which are much faster than the USB ones (double win xD)

          Security tokens: Get a padlock.

          </jokealert>

          Nobody could bypass epoxy! (thanks @DoctorSyntax !)

      2. Doctor Syntax Silver badge

        Re: Does the ban cover smartphones also?

        "a USB port block at BIOS level"

        Do it right. A port block at epoxy level.

        1. Killfalcon Silver badge

          Re: Does the ban cover smartphones also?

          Our lot have set things up nicely - storage is blocked, but phones still charge. There would likely be riots otherwise.

        2. John Brown (no body) Silver badge

          Re: Does the ban cover smartphones also?

          "Do it right. A port block at epoxy level."

          Workaround. Unplug either mouse or keyboard and replace with device of choice.

          1. jelabarre59 Silver badge

            Re: Does the ban cover smartphones also?

            Workaround. Unplug either mouse or keyboard and replace with device of choice.

            They'll just work around that by banning KB & mice. Doesn't have to be logical for them to dictate a policy.

            1. Waseem Alkurdi Silver badge

              Re: Does the ban cover smartphones also?

              PS/2 hardware. Last I've seen, newer boards still have headers for those. Take a load of that from the dump and wire it to your hardware. That'd also count as a recycling initiative that translates nicely into $$$$ in bonuses for you (the IT bod) and a headache of broken pins for everybody else!

  15. Steve Davies 3 Silver badge
    Facepalm

    and in other news...

    Internal Stats in IBM showed a 1000% increase in Virtual machines in all areas.

    We had this policy for a brief period at one company I worked for. A VM was used to copy 'stuff' to USB sticks and then overwritten with a pristine copy of the VM.

    One day, the CEO's PC died and had to be recovered using a 'forbidden' USB stick. Then it hit home (the CEO was an Accountant) that the policy was silly and it was rescinded, but warnings were put in place about copying company confidential files to non-approved devices.

    Sounds like IBM really is in its death throes when silly policies like this are implemented. The PHBs seem to be going out of their way to make it impossible for their staff to do their jobs so that... they'll quit.

    Everyone's a winner then!!!!!!

    1. ecofeco Silver badge

      Re: and in other news...

      It's been this way for years. It's just getting worse is all.

  16. Whitter
    Devil

    Removable storage

    Laptops are eminently removable. I'm sure I've got some stuff stored on mine...

  17. Anonymous Coward
    Anonymous Coward

    Have to kill the SD card reader as well, they're so much smaller than usb.

    1. Anonymous Coward
      Anonymous Coward

      "Have to kill the SD card reader as well, they're so much smaller than usb."

      Those are included too, "USB, SD card, flash drive"

  18. Anonymous Coward
    Anonymous Coward

    Tape drive?

    Would a tape drive (and tape obviously) count as removable storage? ...

    1. GruntyMcPugh Silver badge

      Re: Tape drive?

      @AC

      Yeah, I've worked IBM audits twice,.... PSM (Portable Storage Media) for tape backups was always a mare,... not because we were doing it wrong, just because there was so much data, and supporting paperwork. All offsite transfers for storage, documented and signed off, all tapes destroyed, documented and signed off,... the contents of many tape robots, ... all accounted for, down to the cleaning tape.

  19. Anonymous Coward
    Anonymous Coward

    In my shop

    we can compound this with the in-house ban on downloading executables ourselves. Many people don't have any internet access at all. We also have a ban on removable devices unless approved by (nearly always absent) senior management. Even then your stick has to be encrypted and cannot be plugged into someone else's devices...

    All of these rules are sensible in isolation but collectively it will bring chaos.

    Now, about all that IBM kit in the other room... err..

  20. Salestard

    They were banned 5 years ago?

    I left the blue hellhole five years ago, and I'm pretty sure they were banned already then... despite the fact IBM branded USBs were available to order from the branded marketing catalogue.

    Also recall the CD/DVD drive on the Thinkslab was locked out. Extremely clumsy BitLocker (or similar) drive encryption which required unlocking even coming off screensaver.

    I've also got a vague memory of the corporate BlackBerry having some shit-awful MDM smeared over the top, because BES wasn't enough.

    The paranoia extended to travel policy - if you needed to work on a train journey, you HAD to travel first class... which given I had to lug the laptop about with me everywhere, meant I always travelled in the slightly less shit seats on Southern.

    1. matjaggard

      Re: They were banned 5 years ago?

      The article mentioned that they were already banned in some areas before. We used them in our IBM office to move large Windows images around with standard software installed and configured. Nothing even slightly confidential.

  21. Neal McQ

    Can someone explain if there is truly 'reputational' or material loss after data loss? Taking the extreme example of Sony after they essentially had everything released, they reported a loss of 400 million the following quarter (from memory). However, in the previous quarter they'd previously reported they were going to make a loss anyway......

    In short, a lot of knowledge only works in the dynamics of a business and wouldn't work elsewhere anyway. Or is this simplistic thinking?

    Trying to make the point that it feels like some security is becoming ridiculous to function with in the everything-connected world.

    1. PM from Hell

      GDPR changes the rules on data loss.

      With the fines for data loss within the EU now reaching up to 4% of global turnover, corporates are taking it more seriously.

      1. Anonymous Coward
        Anonymous Coward

        Re: GDPR changes the rules on data loss.

        Ohh, 4%. Scary.

        Do you really, really think that

        1) Megacorp won't employ better lawyers than the government?

        2) Won't employ better accountants than the government? (Turnover - what turnover? Oh, you mean that stuff our brass plate in the Cayman Islands does?)

        3) Won't employ better politicians than the government does? (Hello Minister... have you thought about joining our board when you retire....?)

        GDPR - keeping the global tick box industry gainfully employed, ensuring that you will miss the nice email telling you about the village fete, while having exactly zero effect on annoying spam and Camford Visagetome data mining.

  22. Gordon 10 Silver badge
    Coat

    When will phones be banned?

    Another day another Stoopid from IBM. Remember when they were vaguely respected?

    I presume IBM has usb ports mostly locked down anyway?

    Mine's the coat with the USB stick with a GSM modem built in, 1/4 TB of data slurpage space and an OTG lead in the pocket. -->

    Stoopid CISO makes obvious (well duh) policy statement.

  23. Chairman of the Bored Silver badge
    Mushroom

    But, but...

    I found this nifty USB stick in the parking lot! It even has an IBM logo on it, so it must be legit, right? Let me put it in re... <Boom>

    1. WallMeerkat Bronze badge

      Re: But, but...

      The one that has "Redundancies" written across it?

  24. Anonymous Coward
    Anonymous Coward

    This is nothing new...

    IBM had this policy in use from 2015 to 2017 in the Tech Support Services Group. Why it wasn't company-wide at that time is anyone's guess. Perhaps they're worried about bad press from leaks that have to do with Management laying off staff and Contractors in Server Hardware Support. By now, there are more Managers and fewer staff. It's not like Management is going to answer calls and provide technical support. There were already too many Managers walking around doing very little of anything, as it was. It's not likely that any Managers were laid off. They never are. They throw the bodies of staff and Contractors in the way of that swooshing ax.

    1. ecofeco Silver badge

      Re: This is nothing new...

      Gospel truth.

  25. sanmigueelbeer Silver badge
    WTF?

    IBM has banned its staff from using removable storage devices.

    HAHAHAHAHAHAHA ... *CHOKE!* HAHAHAHAHAHAHA

    I have a feeling that the "genius" who penned this memo doesn't work in IT and, most likely, spends his/her time behind a large desk.

    I think this is as insane as Marissa Mayer decreeing that no one is allowed to "work from home".

    I wonder what's next, ban staff visiting clients? Oh, wait ...

    1. DrXym Silver badge

      Modern IBM

      I think this is as insane as Marissa Mayer decreeing that no one is allowed to "work from home".

      Those kinds of decrees are designed to make work so onerous and horrible that people leave of their own accord. It's a cynical ploy to boost attrition because paying people to leave is expensive.

      IBM is probably being awful for the same reasons. Put in all kinds of petty rules and restrictions and watch as people leave.

      The problem for companies that do this is that all the skilled & upwardly mobile staff drain away, morale takes a dump and it's only deadbeats and lifers who are left.

      1. ecofeco Silver badge

        Re: Modern IBM

        You just described the last 20 years of IBM.

  26. Blockchain commentard Silver badge

    Why not just plug your phone into the corp PC, download stuff onto that. On site, use your phone as a USB stick. There are Android apps to allow you to boot PCs off an ISO image on your phone. Rooted phone of course!

    1. David Nash Silver badge

      use your phone as a USB stick ?

      Er, I think "removable storage" would surely include a phone. If they are monitoring logs or whatever for USB storage then it will catch a phone just as well as a USB stick.

  27. matjaggard

    Trust your staff

    If you do not trust someone, do not employ them. If you do trust them then let them get on with their job in the best way.

    I understand the need for training, but policing is not the right way to run a profitable* business.

    *IBM need not apply.

    1. GnuTzu Bronze badge

      Re: Trust your staff -- But Verify

      Unfortunately, this perspective of hiring only those you trust is not practical. One does not fire a person for clicking a link they shouldn't have, because you'd have to fire half the company. People develop bad habits, and they make mistakes. This is all part of the behavioral management aspect of infosec. Yes, banning USB sticks is extreme. Other places just force all USB sticks to be encrypted. But, thinking you can do infosec by only hiring trusted people underestimates their fallibility and forgive-ability.

    2. lotus49

      Re: Trust your staff

      I venture to suggest that you are not a CISO.

      It's fine to say this in a business that employs 5 people. It makes no sense where I work - we employ well over 100,000 people. I know from personal experience that trusting everyone can backfire. I also know that the ICO does not regard simply trusting one's staff as "appropriate technical and organisational measures".

    3. Lord Elpuss Silver badge

      Re: Trust your staff

      Even trustworthy people make mistakes.

  28. Anonymous Coward
    Anonymous Coward

    What's the story here?

    I work for a different big US corporate, where the same policy has been in place for some time. Most people don't need USB storage, so they don't have a problem with it. The people who do need that functionality to carry out their jobs can get a waiver for the policy signed off by their management chain. It's all fine.

    If IBM don't have any means of overriding their process, more fool them - but it's still hardly newsworthy that one of the most bureaucratic bigcorps in the IT sector is still a bureaucratic bigcorp.

  29. JeffyPoooh Silver badge
    Pint

    Bah! IBM's data is all in EBCDIC anyway...

    Encrypted with EBCDIC.

    Nobody can read it.

    Not even IBM.

    1. TimR

      Re: Bah! IBM's data is all in EBCDIC anyway...

      You've just reminded me of the "fun" of managing character conversions between EBCDIC, ASCII and ICL 1900 (really!) systems. Known locally as the "Great Hash Pound Debate" - no one could ever agree on the correct mappings...

      1. tom dial Silver badge

        Re: Bah! IBM's data is all in EBCDIC anyway...

        Years ago in an environment where we had to do some routine conversions between EBCDIC and ASCII I found that IBM's FTP implementation did a pretty acceptable job. My recollection is that it did so automatically based on the native character sets of the endpoint machines. It didn't work for records containing IBM packed decimal numbers however, and for one application we wound up using binary FTP, a Perl module from CPAN to unpack the numbers, and EBCDIC to ASCII transliteration using dd. (Some idiotic quasi-political reason having to do with production control prevented changing the database extract program to produce the numbers in display format).

  30. herman Silver badge

    Yeah well, no biggie, just put the data on Dropbox or Mega, or your own anonymous FTP server open to the world or make yourself a netcat transparent proxy on a $5 Digital Ocean Droplet...

    1. lotus49

      You have entirely missed the point.

      No-one is suggesting that restricting the use of USB sticks will entirely mitigate the risk. I don't know where you work but setting up "a netcat transparent proxy" is something 99.9% of our staff would have no idea how to do. As long as the risk is limited to 0.1% of a company's staff, they have achieved a pretty impressive level of risk reduction.

    2. Lord Elpuss Silver badge

      Dropbox will also be banned - if not blocked. And file transfers from a locked-down company machine can also be logged, tracked and audited; which means if you're uploading something you shouldn't be, you're going to be f*cked in very short order.

      I suspect this is the real reason IBM's doing this; auditability.

  31. DrXym Silver badge

    Data smugglers, look at the back of the PC

    If it has an eSata port, you're still good to go. Buy a small SSD and plug it in.

    1. toejam13

      Re: Data smugglers, look at the back of the PC

      Unlikely. Instead of relying on the honor system, they'll probably roll out an enforcement agent to all of their systems (if they haven't already). Such an agent would probably block any untrusted drive, not just hot-swappable ones.

      My employer uses software like this. Users are authenticated via a bootloader before either Windows or MacOS starts. The rest of the drive is encrypted. If there are any unencrypted drives or partitions, they are never allowed to mount.

      If I attach a removable USB, Firewire, or eSATA drive, or if I insert a disc into an optical drive, the agent first checks if I have removable media rights. If I do, it next checks if it is encrypted or not. If it is encrypted with my PC's key, it'll mount. If it is encrypted with another PC's key, it performs a rights check against that PC and mounts if I have access. If it is not encrypted, it'll prompt me to securely format it if it is a writable medium. If all that fails, the media is ignored.
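      The mount decision toejam13 walks through above is a small policy engine, and it sits naturally on top of the default-deny, request-based exception model Dacarlo describes earlier in the thread ("assume no access" unless a line manager has made the case to security). The block below is an added example that implements both, not the product toejam13's employer runs nor any vendor's agent: rights come from an approved, unexpired exception record; an encrypted medium mounts if its key belongs to this PC, or after a rights check against the owning PC; an unencrypted writable medium triggers a secure-format prompt; everything else is ignored. All records (users, PCs, exceptions, media, the constructed "today"), the action names and the audit line format are assumptions, and the key-access table stands in for whatever key server a real agent would ask.

```python
"""Decide whether an attached removable medium may be mounted.

Added example, not code from the thread or from any vendor's agent.
Every record below (exceptions, key access, media) is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Medium:
    label: str
    encrypted: bool
    key_owner: Optional[str]   # PC id whose key encrypted it; None if plaintext
    writable: bool


@dataclass(frozen=True)
class MediaException:
    user: str
    approved_by: str           # line manager who made the case to security
    expires: date


# Default deny: a user has removable-media rights only while an approved,
# unexpired exception exists for them. (Constructed records.)
EXCEPTIONS = [
    MediaException("field.eng", "ops.manager", date(2030, 1, 1)),
    MediaException("finance.clerk", "cfo", date(2017, 1, 1)),   # lapsed
]

# PCs whose encryption key each user may use; stands in for a key server.
KEY_ACCESS = {
    "field.eng": {"PC-0042", "PC-0099"},
    "finance.clerk": {"PC-0007"},
}

TODAY = date(2018, 5, 10)   # constructed clock so the example is reproducible


def has_removable_rights(user, today=TODAY):
    """True only while an approved exception for the user is still in date."""
    return any(e.user == user and e.expires > today for e in EXCEPTIONS)


def decide(user, this_pc, medium, today=TODAY):
    """Return (action, reason). Actions: mount, mount-foreign-key,
    prompt-secure-format, ignore."""
    if not has_removable_rights(user, today):
        return "ignore", "no approved removable-media exception"
    if medium.encrypted:
        if medium.key_owner == this_pc:
            return "mount", "encrypted with this PC's key"
        if medium.key_owner in KEY_ACCESS.get(user, set()):
            return "mount-foreign-key", f"rights check against {medium.key_owner} passed"
        return "ignore", f"no rights to the key of {medium.key_owner}"
    if medium.writable:
        # Plaintext and writable: offer to encrypt it in place rather than mount it.
        return "prompt-secure-format", "unencrypted writable medium"
    return "ignore", "unencrypted read-only medium"


def audit(user, this_pc, medium, today=TODAY):
    """One audit line per attachment, whatever the outcome."""
    action, reason = decide(user, this_pc, medium, today)
    return (f"{today} {this_pc} user={user} medium='{medium.label}' "
            f"action={action} ({reason})")


# Constructed sample media.
OWN_STICK = Medium("own stick", True, "PC-0042", True)
COLLEAGUE_STICK = Medium("colleague's stick", True, "PC-0099", True)
STRANGER_STICK = Medium("found in car park", True, "PC-0500", True)
NEW_STICK = Medium("shrink-wrapped stick", False, None, True)
PRESSED_DVD = Medium("vendor driver DVD", False, None, False)

if __name__ == "__main__":
    for m in (OWN_STICK, COLLEAGUE_STICK, STRANGER_STICK, NEW_STICK, PRESSED_DVD):
        print(audit("field.eng", "PC-0042", m))
    print(audit("finance.clerk", "PC-0007", Medium("own stick", True, "PC-0007", True)))
```

Two things worth noticing in the ordering: the rights check runs before anything touches the medium, so a user without an exception never sees a format prompt, and every branch, including the ignores, produces an audit line, which is what makes the policy reviewable rather than just restrictive.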

  32. Cuddles Silver badge

    With the correct tools...

    All storage is ultimately removable.

    1. Lord Elpuss Silver badge

      Re: With the correct tools...

      iFixit would beg to differ. <cough>MacBook</cough>

  33. ForthIsNotDead
    Thumb Down

    Note to self:

    Never work for IBM.

    1. Lord Elpuss Silver badge

      Re: Note to self:

      If THIS is your reason for not working for IBM, there's something wrong. Most big companies with lots of data to protect do similar things.

      Re other reasons not to work for IBM, I couldn't possibly comment.

    2. WallMeerkat Bronze badge

      Re: Note to self:

      If you find yourself in a startup that gets borged you may not have much of a choice.

  34. elvisimprsntr

    IBM just started enforcing this policy now?

    More than a decade ago, my employer went as far as disabling the USB interfaces on all computers (not including mice and KBs) with a Windows security policy update. If your job absolutely requires you to use an external USB device, you can apply for an exception to policy, signed by immediate supervision, reviewed by IT, and are required to take additional security training in order to get it approved. The goal is to prevent the masses from introducing threats (unintentional or otherwise) from within.

  35. J27 Bronze badge

    Will they ban laptops too? What about smartphones? If they're going to ban removable storage that's what people are going to use instead.

  36. Anonymous Coward
    Anonymous Coward

    Humm, did they forget about Cell phones??

    Cell phones have really big micro SD cards in them now. And most connect by USB. You may not be able to boot off one, but for data transfer it's quite easily done.

    1. lotus49

      Re: Humm, did they forget about Cell phones??

      We didn't.

      I made sure when we introduced a similar policy that not only is all removable storage (which includes phones) banned from corporate devices, we installed a DLP agent on corporate laptops that blocks certain types of data being copied by any mechanism.

      It's not foolproof but it would stop the vast majority of our staff doing anything I don't want them to do.

      It's also worth pointing out that simply defeating the control is not sufficient to protect a malefactor. I have personal experience of several instances where controls were in place but were circumvented. In every case the culprit was identified as a result of a forensic investigation.
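      The DLP agent lotus49 mentions, one that "blocks certain types of data being copied by any mechanism", needs a content check that runs on the bytes about to leave the laptop, whatever the channel. The block below is an added example of such a check, not the product lotus49's employer uses nor any vendor's code: it scans a file for document classification markings and for payment card numbers, validating card-number candidates with the Luhn checksum so that a random run of digits does not trigger a block. The markings list, the "no card numbers at all" threshold, and the sample files are constructed assumptions.

```python
"""Content check a DLP agent might run before a copy is allowed.

Added example, not from the thread or any vendor product. Markings,
threshold and sample files are constructed.
"""
import re

# Classification markings that block a copy outright (constructed list).
BLOCKING_MARKINGS = ("COMPANY CONFIDENTIAL", "CLIENT CONFIDENTIAL")

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in
# a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card-number candidates found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_markings(text):
    """Return the blocking markings present in text (case-insensitive)."""
    upper = text.upper()
    return [mk for mk in BLOCKING_MARKINGS if mk in upper]


def scan(data, max_pans=0):
    """Decide for one file: ('block' | 'allow', findings)."""
    text = data.decode("utf-8", errors="replace")
    findings = {"markings": find_markings(text), "pans": find_pans(text)}
    if findings["markings"] or len(findings["pans"]) > max_pans:
        return "block", findings
    return "allow", findings


# Constructed sample files about to be copied to removable media.
SAMPLE_FILES = {
    "build-notes.txt": b"Windows 10 image v12, drivers installed, nothing special.",
    "q2-forecast.csv": b"COMPANY CONFIDENTIAL\nregion,revenue\nEMEA,1200000\n",
    "expenses.csv": b"card,amount\n4111 1111 1111 1111,42.00\n4111-1111-1111-1112,13.50\n",
    "phones.txt": b"Call +44 20 7946 0958 or ext 4102",
}


def scan_all(files=SAMPLE_FILES):
    """Map each file name to its decision."""
    return {name: scan(data)[0] for name, data in files.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        decision, findings = scan(data)
        print(f"{name}: {decision} {findings}")
```

The second card number in expenses.csv fails the Luhn check and is not counted, which is the difference between a control that blocks on real card data and one staff learn to route around because it fires on every invoice number. lotus49's point about forensics still stands: the scan result is worth logging even when the decision is "allow".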

    2. Lord Elpuss Silver badge

      Re: Humm, did they forget about Cell phones??

      Highly unlikely they forgot about cellphones. It'll likely be a system block on unencrypted removable media - anything that isn't encrypted with the PC's key will be blocked or marked read-only unless access is explicitly granted.

  37. Anonymous Coward
    Anonymous Coward

    Or maybe they just want to spy on the contents of your files

    And don't want anything to be saved offline, away from their prying eyes on the Cloud.

    Personally, I don't see a need for a private company to do this. For government agencies and military facilities... probably, depending on the clearance of the staff and how sensitive the data is.

    1. lotus49

      Re: Or maybe they just want to spy on the contents of your files

      You may not but it is my job to want to know what's in our staff's files (or at least anything they share).

      You surely must have heard of the Data Protection Act and the General Data Protection Regulation. Companies are required to implement "appropriate technical and organisational measures". Doing nothing is not an appropriate technical or organisational measure.

      The files to which you refer are the property of the company, not the individual. As the person responsible for protecting data belonging to our customers and to our staff, I have every right - both legal and moral - to examine what people share and that is a right I exercise.

      1. Lord Elpuss Silver badge

        Re: Or maybe they just want to spy on the contents of your files

        @lotus49

        A lot of people forget that in most cases their work-issued laptop isn’t their property; and neither is the data on it. We have notices in the office which say literally; “The WORK LAPTOP and WORK PHONE you have been issued are not YOURS; they are OURS. This means we are NOT VIOLATING YOUR RIGHTS when we ask to see it, to enter it, to modify it, or remove it. WE CAN DO THIS WITHOUT YOUR PERMISSION. If there are files or data on OUR LAPTOP or OUR PHONE which you do not want us to see, REMOVE THEM. If you want to do stuff with OUR LAPTOP or OUR PHONE which we do not want you to do, BUY YOUR OWN and use that instead.”

        We’ve also started laser engraving our logo onto the laptop lid and the back of the iPhones, to reinforce the principle that it’s not YOURS it’s OURS. The reduction in residual value is somewhat compensated by the reduction in shrinkage.

        For what it’s worth, the logo engraving caused more howls of anguish than any policy we’ve introduced in recent memory.

        1. Anonymous Coward
          Anonymous Coward

          Re: Or maybe they just want to spy on the contents of your files

          Unless, of course, there is a place that manufactures aftermarket panels for that purpose, like how car parts thieves take the time to remove serial numbers (sometimes even the secret ones etched inside the parts).

  38. Anonymous Coward
    Anonymous Coward

    Timing makes this a little ironic

    IBM Privileged Users, which some people have referred to, have to use an IBM created Linux platform called OpenClient. These are users who have a need to hold privileged information on their workstations, be it client confidential, personal data or commercially sensitive.

    For stock deployments of OpenClient, RedHat Enterprise has been used as the base Linux (although it can sit on SuSE, Ubuntu or Debian), and for a long time the RedHat version has been RHEL 6.

    RHEL 6 goes out of support in June, so many IBMers in positions that need secure systems have just been told to upgrade to an OpenClient release based on RHEL7.

    The re-installation process, as defined by IBM, involves a 16GB USB memory stick.

    So, privileged users, on systems that are not allowed to have USB memory sticks plugged in, have been told to use a USB stick to perform the update, and now company policy prohibits using removable storage at a different level as well! Brilliant.

    Maybe IBM should go back to using 3278 green-screen terminals, NOSS/PROFS and SNA. I hear some of the (few) remaining old buildings may still have IBM Structured Cabling for 3270 coax and Token Ring.

    1. Anonymous Coward
      Anonymous Coward

      Re: Timing makes this a little ironic

      RHEL 6 goes out of support in June, so many IBMers in positions that need secure systems have just been told to upgrade to an OpenClient release based on RHEL7.

      The re-installation process, as defined by IBM, involves a 16GB USB memory stick.

      I remember hearing a rumor (when I was still there) that IBM was considering moving Privileged Users to MSWin10. May have been unfounded, but it certainly sounded sufficiently boneheaded for IBM to be doing it.

  39. Instinct46

    Laptops

    I wonder if there will be an outright ban on laptops as well... the potential data loss on them is much higher, they aren't lost / robbed as often as usb pens but there are a number of unclaimed laptops dotted across the planet

    1. GnuTzu Bronze badge

      Re: Laptops

      It's all about full disk encryption now, so our laptops are safe for now. If we lose that, they'll lock us all in vaults with cameras hovering over us to manage our every little move.

    2. Anonymous Coward
      Anonymous Coward

      Re: Laptops

      I wonder if there will be an outright ban on laptops as well... the potential data loss on them is much higher, they aren't lost / robbed as often as usb pens but there are a number of unclaimed laptops dotted across the planet

      "We're taking away your laptops now. Here's a quill pen and ONE sheet of parchment paper. Use it sparingly. What, you wanted ink for that pen? Sorry, not budgeted for that."

      Hey, it's not like they're a high-tech computer company... oh, wait...

  40. Sheepykins

    Practically every big organisation I've worked in has had a restriction on non-authorised or un-encrypted removable media.

    Frankly I'm a little bit disappointed they haven't been doing this up till now lol.

    As much as we'd like to think it's not the case, IT workers are not immune to accidents and big business is not immune to corporate espionage.

    There are certainly ways to manage this and yes it takes more time and wading through more tape, but ultimately it protects both the user and company.

    1. Anonymous Coward
      Anonymous Coward

      Practically every big organisation I've worked in has had a restriction on non-authorised or un-encrypted removable media.

      ...

      There are certainly ways to manage this and yes it takes more time and wading through more tape, but ultimately it protects both the user and company.

      And for many other companies it would look like sensible and intelligent security management. But this is IBM, where every day looks like an IT version of The Benny Hill Show. So it ends up being just a bunch of clueless managers drilling a few more holes in the bottom of the ship.

  41. 89724105418769278590284I9405670349743096734346773478647852349863592355648544996313855148583659264921

    Neuromancer

    The Prophet William Gibson spake thus.

  42. Anonymous Coward
    Anonymous Coward

    Great idea - until you are working at a client that also prohibits online file transfers (as I was earlier in the year). At that point you spend the best part of two days trying to get around the various restrictions in order to deliver documents that are larger than the email attachment limit.

    1. Lord Elpuss Silver badge

      Unless you're the client rep*, if you can't do your job bounce it up the management chain and let them deal with it. That's what they're paid for.

      * If you are the client rep, you're probably measured on actually GETTING the job done as opposed to just TRYING to get the job done. In which case - tell your sales manager, who will ALSO be measured on getting the job done. And so on up the tree, until Ginni says WTF - fix this.

      1. Anonymous Coward
        Anonymous Coward

        But that depends if the legal team isn't on the same level as Ginni and counters, "Data protection violation! Big fines if you try that!"

  43. shedied
    Mushroom

    But even the Reg named Big Blue as iBM? Like it was an Apple Thing from the 90s.

  44. The_Idiot

    'All'?

    I wonder if they've considered that a hard drive is, technically, 'removable storage' - courtesy of the right toolkit, at least :-).

    Those absolutes. They'll get you every time. Er, mostly, I mean... (blush) :-).

  45. Anonymous Coward
    Anonymous Coward

    fun

    Can they use the cloud for storage? Or mail stuff?

    1. Anonymous Coward
      Anonymous Coward

      Re: fun

      "Can they use the cloud for storage? Or mail stuff?"

      Network connections to the outside world will be/almost certainly are monitored by loss prevention software.

      All emails and attachments will be scanned, and either passed or dumped..

      Encrypted browser sessions from work computers will be decrypted and monitored.

      And none of that will prevent data exfiltration. If you can do it for air-gapped computers in another country, you can do it for locked down computers to which you have physical access.

  46. anonymous boring coward Silver badge

    Only surprised it took them so long.

    Seems incredible when you think about it that these wide open gaping security holes are allowed in any company.

  47. ecofeco Silver badge

    Oh this will be good

    Can't wait to see the consequences.

    *snerk*

  48. niksgarage

    Avoidances of strange rules

    Ah, those 'Its Better Manually' people at it again.

    Had a classic one with my current employer. No USB, bluetooth, Dropbox, Google Drive permitted. They provide a web-based mail client that you can access off-site. Of course they check all attachments to mails so you can't send yourself a big file, or an executable, or a zip file or anything useful. What they failed to notice was that you could attach one of those files to a draft email at work, save it as draft (of course no checking until you actually send it), go home, open web mail client, open draft and download the attachment.

    *sigh*
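The gap described in the comment above (attachments inspected only when a message is sent, never when a draft is saved) as an added example in Python. This is not code from the commenter or from any mail product; the event format, field names and the size limit are assumptions made for illustration, and the attachment events are constructed. The scanner identifies executables and archives by their leading bytes rather than by file name, so a renamed `.exe` is still recognised, and the `persist_aware` flag switches between the send-only check the commenter describes and a check that runs at every point the attachment is written to the server.

```python
"""Attachment policy evaluated at every persist point, not only at send time.

Added example. Event format, field names and limits are assumptions.
"""
import json

MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024  # assumed attachment size limit

# Content signatures matched against the first bytes of the attachment, so a
# renamed executable or archive is recognised regardless of its extension.
MAGIC_TYPES = (
    (b"MZ", "windows-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-archive"),
)
BLOCKED_TYPES = {"windows-executable", "elf-executable", "zip-archive"}

# Constructed sample events (one JSON object per line): a renamed executable
# and an oversized file are attached to drafts; an innocuous message is sent.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"event": "draft_saved", "user": "alice", "name": "notes.txt",
                "size": 204800, "head_hex": "4d5a90000300"}),
    json.dumps({"event": "draft_saved", "user": "bob", "name": "report.pdf",
                "size": 12 * 1024 * 1024, "head_hex": "255044462d"}),
    json.dumps({"event": "message_sent", "user": "alice", "name": "agenda.txt",
                "size": 1200, "head_hex": "4d656574696e67"}),
])


def classify(head: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'other'."""
    for magic, kind in MAGIC_TYPES:
        if head.startswith(magic):
            return kind
    return "other"


def evaluate(event: dict) -> dict:
    """Apply the content and size rules to one attachment event."""
    kind = classify(bytes.fromhex(event["head_hex"]))
    reasons = []
    if kind in BLOCKED_TYPES:
        reasons.append(f"content type {kind} not permitted (named {event['name']})")
    if event["size"] > MAX_ATTACHMENT_BYTES:
        reasons.append("exceeds attachment size limit")
    return {"event": event["event"], "user": event["user"],
            "name": event["name"], "allowed": not reasons, "reasons": reasons}


def scan(event_lines: str, persist_aware: bool) -> list:
    """Scan a log of attachment events.

    persist_aware=False models the gateway in the comment: only message_sent
    events are inspected, so a draft is never looked at and can be fetched
    later through webmail.  persist_aware=True inspects the attachment every
    time it is written to the server, which closes that path.
    """
    checked = {"draft_saved", "message_sent"} if persist_aware else {"message_sent"}
    verdicts = []
    for line in event_lines.splitlines():
        event = json.loads(line)
        if event["event"] in checked:
            verdicts.append(evaluate(event))
    return verdicts


def blocked_names(event_lines: str, persist_aware: bool) -> list:
    """Names of attachments the policy would refuse under the given mode."""
    return [v["name"] for v in scan(event_lines, persist_aware) if not v["allowed"]]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"persist_aware={mode}: blocked {blocked_names(SAMPLE_EVENTS, mode)}")
```

With the send-only check nothing is blocked, because the only sent message is clean; with the persist-aware check both drafts are refused at save time, before there is anything to download from home.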

  49. Anonymous Coward
    Anonymous Coward

    Should use Kaspersky

    So, yeah really. I manage these things where I work. In KL we block all USB storage devices by default. We grant permission to individual devices by ID. We only use hardware encrypted USB drives. The drive is given permission to an AD group, and people are added to that group. It works great for us. We get both device and user control, which both or either can be revoked at any time.

    Trend has the closest to the same features (in my last review for replacement due to paranoid non IT management).

    1. Anonymous Coward
      Anonymous Coward

      Re: Should use Kaspersky

      F-Secure has similar device management system, though I haven't used Kaspersky so can't say whether it's better or not.

  50. Howard Hanek Bronze badge
    Happy

    Oh Dear

    IBM'll have to VERY careful with the rectal exams but on the upside it will attract that 'diverse' kind of personnel they're always after.

  51. lotus49

    I am the CISO for a FTSE 100 company and we have had the same policy for more than two years.

    If a technically competent person wants to steal data to which they are given any sort of access, they will likely succeed. However, implementing restrictions like this has two big benefits.

    Firstly, it forces staff to use a more controllable and auditable approach to data transfer. When our staff share information on Google Drive, for example, they can retain a considerable degree of control over what is done with that data including revoking access and preventing further sharing. My team and also monitor transfers (including examining the content for personal information) and keep a forensic trail. This reduces the risk of mistakes and permits my team and me to examine the circumstances of mistakes.

    Secondly, this limits the ability of less technically competent but malicious members of staff to harm our business.

    Can I absolutely stop people stealing our data? Probably not. Can I reduce the risk that someone will do something stupid or malicious? I absolutely can and I have. The sky has not fallen in. In fact, no-one really cares.

    1. kirk_augustin@yahoo.com

      Sorry, but that is totally ignorant. Any laptop or tablet has the exact same copy capability as any USB stick, and no cloud system like Google Drive is even remotely secure. Never use the cloud for anything you care about. You really should not at all be CISO. For example, tell me how you remove a rootkit virus without a USB stick?

  52. Chairman of the Bored Silver badge

    Two use cases

    My org hasn't allowed USB sticks for several years, and I get it - a flash drive can be the sucking chest wound of security.

    My guess is that IBM will do what we do: if you have a business case for using USB, we can make an exception for you. There will be training and documentation involved. Drives will never be used to bridge between internal nets. The USB sticks themselves will be obtained from Central Supply which (theoretically) does due diligence on the supply chain. We have 1:1 accountability between specific sticks and personnel. You lose it, we talk.

    Two use cases that work for me: I've got a stash of USB sticks with software, patches, tools that I might need to take to customer hardware. Single use... Once plugged in the customer machine we assume they've got cooties. Crush with hammer or snap in half to prevent reuse, bring carcass back for accountability, and then let the logistician destroy utterly

    Use case 2 is to have some sticks with Kali Linux. If weird stuff starts happening on the net, use a single use Kali instance to have a little look around. Again, destroy when done.

    1. doublelayer Silver badge

      Re: Two use cases

      That's fine, but you're likely to destroy a rather large quantity of USB disks. I might suggest using DVDs as much as possible. Not only would they be much cheaper to use even if you destroy them, but you would be rather certain that nobody has modified their contents, which you could encrypt rather easily. Of course, that doesn't help if you need more than 4.3 GB of space, but perhaps sometimes. I've considered using read-only USB devices under some of these circumstances, if only to prevent overuse of hammers.

      1. Charles 9 Silver badge

        Re: Two use cases

        I see where you're going, but even physical write-protect switches could be tampered. About the only solution I could see there would require some kind of custom job where a dongle is inserted into the device to write-enable such devices. Given how "cheap as chips" an 8GB drive is these days, especially on a bulk order, the hammer is probably the cheaper option.
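The concern in the two replies above is whether the contents of reusable tool media can be trusted after the medium has been out of your hands. An added example in Python, not code from the commenters or from any vendor: a keyed integrity manifest written onto the medium by the admin workstation, with the HMAC key kept off the medium, so that any modified, missing or planted file is reported at verification time. The directory layout, file contents and key are constructed for the demonstration; standard library only.

```python
"""Keyed integrity manifest for reusable tool media.

Added example. The HMAC key is assumed to live on the workstation that writes
the medium, never on the medium itself, so an attacker who alters files on the
stick cannot produce a matching manifest.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def _file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root: Path) -> dict:
    """Map every file on the medium (except the manifest) to its SHA-256."""
    return {p.relative_to(root).as_posix(): _file_digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def _mac(entries: dict, key: bytes) -> str:
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def write_manifest(root, key: bytes) -> dict:
    """Hash the tree and store the file list plus its MAC on the medium."""
    root = Path(root)
    entries = _walk(root)
    manifest = {"files": entries, "mac": _mac(entries, key)}
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_media(root, key: bytes) -> list:
    """Return a list of problems; an empty list means the medium is as written."""
    root = Path(root)
    try:
        manifest = json.loads((root / MANIFEST_NAME).read_text())
    except (OSError, ValueError):
        return ["manifest missing or unreadable"]
    expected = manifest.get("files", {})
    problems = []
    if not hmac.compare_digest(_mac(expected, key), manifest.get("mac", "")):
        problems.append("manifest MAC mismatch: manifest altered or wrong key")
    actual = _walk(root)
    for name, digest in expected.items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"modified: {name}")
    for name in actual:
        if name not in expected:
            problems.append(f"unexpected file: {name}")  # e.g. a planted autorun.inf
    return problems


def run_demo() -> tuple:
    """Build a constructed stick image, verify it, tamper with it, verify again."""
    key = b"demo key held on the admin workstation"  # assumption: not on the medium
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "tools").mkdir()
        (root / "tools" / "patch.bin").write_bytes(b"\x7fELF" + b"\x00" * 64)
        (root / "README.txt").write_text("single-use media\n")
        write_manifest(root, key)
        clean = verify_media(root, key)
        # Simulate what a hostile host could do: change a tool, plant a file.
        (root / "tools" / "patch.bin").write_bytes(b"\x7fELF" + b"\x01" * 64)
        (root / "autorun.inf").write_text("[autorun]\n")
        tampered = verify_media(root, key)
    return clean, tampered


if __name__ == "__main__":
    before, after = run_demo()
    print("clean:", before)
    print("tampered:", after)
```

This makes tampering detectable, not impossible: a medium that has been plugged into an untrusted machine should still be treated as the commenter treats it, and the manifest only tells you whether what came back is what went out.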

  53. Chairman of the Bored Silver badge

    Symptom of why IBM is slowly dying?

    Faced with the security issues inherent in flash drives, the IBM we grew up with would probably see this as a golden marketing opportunity. IBM would (over)engineer a fairly secure, usable, well documented hardware/software solution that would ensure file and data portability while maintaining information assurance. It would work well and cost a bloody fortune.

    But today we get this risk averse culture that identifies only problems - not solutions.

  54. bigtreeman

    dumb terminals

    we're heading back to dumb terminals only

    server storage and applications

    better control, easier security

    good for business

    dis-empowering for the user

    all lusers praise the mighty main-frame

    1. Anonymous Coward
      Anonymous Coward

      Re: dumb terminals

      But suppose you're a field agent...at an air-gapped system?

  55. BMG4ME

    "Indeed, IBM offers advice on how to install Linux on its own POWER 9 servers using a USB key. ®"

    I am not sure that the ban covers that. You need a USB key or CD to install Windows too.

  56. kirk_augustin@yahoo.com

    International Beancounter Mismanagement

    One of the dumbest things I have ever heard, because obviously any laptop, tablet, portable drive, etc., can do all this as well, and the very least secure means of file sharing is the cloud, the way IBM WANTS it done.

    Somebody really does not understand computers.

    When you share on the cloud, everyone between you and the source can make a copy easily.

    1. Charles 9 Silver badge

      Re: International Beancounter Mismanagement

      Unless it's THEIR cloud, and the laptop can't access any other cloud, have you considered?

      And how can everyone between you and the source make a copy when it's encrypted in transit through things like VPN connections?

  57. Mat

    Shamla Naidoo

    Surely that's a 'Star Wars' name....

  58. greenwood-IT
    WTF?

    Easy options

    You're missing the easy answers;

    1) If IBM engineers aren't allowed to use USB sticks, then they can just outsource the maintenance to a 3rd party who do use USB sticks - ie, me! :-)

    2) They can always revert to CDs for installations and upgrades, most servers do still have CD drives.

    3) They are going to ban laptops, cameras, wifi, email and internet access next, that will really help improve security :-)

    Chat soon.

  59. jeffroimms

    Poorly thought through

    The webcam in pretty much every laptop I have worked on is USB attached, is a storage medium and therefore automatically contradicts this directive... As IBM will have to provide the work laptop (not many out there without webcams) or BYOD clear the private usage one (almost certainly likely to have one fitted), to then sack or discipline any user would be questionable and lead to claims under Constructive Dismissal (well in the UK anyway)..

    1. Anonymous Coward
      Anonymous Coward

      Re: Poorly thought through

      "The webcam in pretty much every laptop I have worked on is USB attached, is a storage medium and therefore automatically contradicts this directive... As IBM will have to provide the work laptop (not many out there without webcams)"

      The webcam is easily fixed with a pair of wire cutters and a screwdriver. If not, buy a different laptop.

      1. Peter Gathercole Silver badge

        Re: Poorly thought through

        When IBM built their own laptops, and for a few years after the sale of the Thinkpad brand to Lenovo, IBMers working in secure environments within IBM, or on customer's own secure sites (generally those requiring some form of government security clearance) had to have Thinkpads without webcams.

        Now they are buying from third parties, they do not have the control over the devices they can get (and they don't want to have laptops built to their specification) so the users are instructed to cover the camera lens.

        In addition, phones with cameras used to be banned (if you had one, you had to leave it outside of the secure area). Now, as IBM no longer buy phones for their workers at all (the worker provides the phone, IBM provide a SIM) the prohibition is that you must not use a camera within one of these secure areas.

        All in all, less control rather than more.

  60. Arachnoid

    Removable storage

    It's in more devices than is apparent, i.e. take hundreds of images for work projects, so now how do you get them accessible to add to your training document?

    Phones and other camera-like devices: OK, so say you set up some form of authorization, what's to say the installed memory in the "device" is the same as that which was authorized, i.e. change out the removable memory?

    Just going back to laptops, the hard drives are removable, as are the RAM chips. Yes, a tad more fiddly to do, but just the same risk apparently.....

    It may not be as common these days on laptops, but a second drive could be installed in place of the removable CD drive for extra storage. Is this not removable?

    Making security so unworkable for the end user just makes people more inventive to circumvent it, i.e. as mentioned using bluetooth.

    Using a mobile phone to provide a phone connection to a laptop, does this not count as adding an external media connection [in more ways than one]?

    1. Anonymous Coward
      Anonymous Coward

      Re: Removable storage

      "Just going back to laptops the hard drives are removable as are the ram chips."

      Which is why the system unit is locked and there is an audit mechanism to detect opening.

      1. Anonymous Coward
        Anonymous Coward

        Re: Removable storage

        Wonder how long it'll take for someone to find a way to remove the drive without tripping the audit mechanism. AFAIK, no one's found a foolproof audit mechanism yet, and an internal IBM laptop could be considered a high-enough-value target to expend effort into exfiltration.

  61. Johan Bastiaansen

    Who knew

    Who knew IBM would worry about "possible financial and reputational damage".

  62. Doctor Huh?

    Is IBM anything but a bellwether for business-crippling mistakes?

    When you find your company making the same sad business decisions that IBM makes, it is time to pull the handle on the ejector seat and punch out of there. IBM is your stoner friend who lies on the sofa all day watching Netflix and eating brownies -- when you even accidentally find yourself making any choice that he would make, you need to immediately reconsider.

  63. bigtimehustler

    What are they going to do when their monitors also connect via USB? It's going the way that everything is. Soon you won't be able to just turn it off.

    1. Anonymous Coward
      Anonymous Coward

      "What are they going to do when their monitors also connect via USB? It's going the way that everything is. Soon you won't be able to just turn it off."

      BIOS/UEFI lock to prevent anything other than encrypted video from going out to the monitor.

  64. Anonymous Coward
    Anonymous Coward

    Merely a symptom of dysfunctional management

    Arbitrary mandates that micro-manage operations in arcane ways with blunt instruments are imposed because management does not or cannot trust its staff. It's culture, and it spells doom, albeit probably by a long slow decline.

  65. regregular

    "UPDATE: Since publishing this story we've heard whispers that IBM has taken note of staff objections to the removable storage ban, especially when doing software updates, and is considering making a few exemptions."

    I can totally see IBM sysadmins lugging around a USB stick epoxied to a chain, which is attached to a brick in the future.

    You know, like those gas station bathroom keys...

    1. Anonymous Coward
      Anonymous Coward

      "I can totally see IBM sysadmins lugging around a USB stick epoxied to a chain, which is attached to a brick in the future.

      You know, like those gas station bathroom keys..."

      Won't work, too heavy, people will put them down.

      You have to use an exotic alloy chain, permanently attached around a wrist, no more than 2 m long, permanently bonded to the USB key. They cut it off when you leave the company, or if it needs to be replaced. Maximum of 4 USB sticks (one per ankle or wrist).

      Amputation without authorization would be cause for dismissal.

  66. Howard Hanek Bronze badge
    Happy

    IBM

    A suggestion. Look under all the prayer rugs that will suddenly appear.

  67. Artician

    Honestly, I thought that IBM was trying to solve a different problem: employees finding malicious drives and plugging them into company resources. This would be an excellent deterrent for exactly this type of attack, which is, sadly, still extremely effective.

  68. Stevie Silver badge

    Bah!

    How do they deal with the mobile storage everyone keeps inside their skulls?

    1. Chairman of the Bored Silver badge

      Re: Bah!

      What do you do with non-removable little grey cells? Exterminate the effective ones by forcing people to participate in writing vision statements, endlessly reorganizing, and other forced fun!

  69. Gigabob

    Did they Forget about Laptops?

    Last I heard - everyone was going to still have a laptop - and those are far bigger removable storage depositories. What happens when IBM starts to implement truly embedded technology - like implants? I guess I will be giving my employment contract a much more careful once over to ferret out the section on death panels.

  70. pks2973steel

    IBM, I didn't think they were still in business !!

  71. Ipsprivacy

    But there is software to fix this

    I can completely understand what they want to do and there is very clever software available that can solve this.

    You have the ability to authorise USB sticks based on serial number.

    DLP software can help as well.

    Anyway, it is a common requirement and easily fixable.

  72. mading25

    Mobile phone?

    As modern phones can be used as mobile storage, will they be banned as well?

    1. Charles 9 Silver badge

      Re: Mobile phone?

      If I've been reading this correctly, they already are flagged as illegal storage due to the MTP and UMS angles.

  73. Phillcole2

    Cell Phones are storage devices also ... Ban them also?

    Creating a policy without really clearly thinking of a good solution about the problem?

    Cell phone can hold as much data as a thumb drive can.

    You think IBM employs the smartest people ...


Biting the hand that feeds IT © 1998–2019