Memory sticks top security concern for firms

Not too big a problem

This shouldn't be a problem -- just recompile your kernel without USB storage device support. This isn't as hard as it sounds, all you have to do is change the line in your .config file reading

CONFIG_USB_STORAGE=m

or

CONFIG_USB_STORAGE=y

so it now reads

# CONFIG_USB_STORAGE is not set

or, of course, you can use make menuconfig and turn off USB mass storage device support.

There probably is even a patch you can apply to your kernel to make USB mass storage devices behave as read-only devices. (There certainly is support in the SCSI layer for read-only devices -- remember CD-ROMs?) This will prevent anyone from using USB storage devices for abstracting company secrets.

If you want something a little bit less drastic, then you can just add "user,ro,noexec" to the "options" (fourth) field on the line in /etc/fstab which refers to the external USB drive (usually /dev/sda1, but may well be /dev/sdb1 if you have a SATA hard disk). This will allow non-root users to mount the device (you don't allow ordinary users to be root, do you? And you made sure they can't use sudo? Good); but make it read-only and non-executable. (You'll also need "noauto" if you want the machine to be able to boot up without slowing down if no USB stick be plugged in; but you knew that, of course.)

Or, of course, whatever the Windows equivalent is.

the Windows equivalent is

Araldite in the usb sockets !

Wire clippers

Given a DOS boot disk with the right configuration can access NTFS and both USB and Firewire, the only real solution is hardware mutilation, or the less extreme araldite option.

computer services are a bigger security risk

Since being upgraded to xp last year, write access on the USB ports has been disabled, however, it merely takes a 5 minute call (ignoring the 30mins on hold obviously) to the monkeys in the frontline computer support for them to enable it for you. Its even easier to talk them into giving you full admin access but thats a different security issue.

Because the dregs of society are generally employed in ours with a 15min training course, before being given full control over the whole corporate network's user access rights, they don't really understand enough to know that a usb drive is not the only way to move files between machines :)

How to disable USB memory devices on 2K and XP

I wrote this months ago in response to an earlier scare:

http://www.everything2.com/index.pl?node_id=1718364

Yes, this is available as a group policy setting on XP Pro SP2 and Vista, but not on earlier versions or on XP Home.

And after you've read that, consider removing the floppy drives and CD burners from work machines as well. There are easy ways to deploy updates without needing them, and you can then audit as much or as little traffic as you wish.

Value in computer systems

The reason why Microsoft didn't introduce read-only USB mass storage devices from Day One is that they place more value on the software that they supply than on the data that you manipulate with it. And if we're honest Linux probably only has it because it's descended from Unix; but the ability to restrict mere mortals' write access on certain devices can't be a bad thing.

Imagine if kitchen-equipment suppliers decided to block you from cooking food in their pans that was cut up with a different manufacturer's knife, or power tool manufacturers decided to prevent you from using their tools on wood cut with a different manufacturer's chainsaw. Of course these propositions are nonsensical; the value of good food does not come from the equipment used to prepare it, and the value of fine furniture does not come from the tools used to fashion it.

Microsoft are going to have to learn that lesson if they want to stay in business, because every new Linux distribution that comes out is making Vista look less and less attractive.