genericone 159 days ago [-]
This is common at many semiconductor companies. Not only is it a ban at one specific semiconductor oem I know of, the usb-ports are disabled and the usb-ports on new issue computers are epoxied to prevent trying to use them.

Semiconductor technology is one of the areas of global-technological competition which surely benefit from secrecy. For example, several years ago one of the c-level executives at this specific OEM was caught taking pictures inside of one of their customer's facility. Only the engineering staff from that oem is allowed inside those facilities now, and only for maintenence activity.

It's a very secret industry, and getting even tighter now since China has been blocked from acquiring the latest semiconductor technology. China has so far invested over $40 billion in boosting their chip-making abilities, to acquire capital, IP, and knowledge-workers. Given their history of borrowing technology from other countries without attribution, if I were at the head of a semiconductor related company, I would clamp down on the secrets ahead of the danger.

praneshp 159 days ago [-]
> Given their history of borrowing technology from other countries without attribution,

Impressive choice of words!

Barrin92 159 days ago [-]
It's always been an arms race and nations and companies have always strategically opened themselves up to acquire knowledge.

When Germany was trying to catch up to the industrialised UK, they send business people to the UK to copy the layout of factory floors to reimplement them at home. For the longest time, Japan only allowed trade under restrictive conditions to maximise exposure to foreign technologies while minimising the impact of foreigners in Japan. It's a story as old as history and I honestly don't get why people are upset about it.

It's even beneficial for the ecosystem overall because it helps transmitting knowledge and technology from advanced to disadvantaged regions, which in turn accelerates production and development.

joyeuse6701 159 days ago [-]
If you honestly don't know why I will explain it to you. It is because it is theft. If I were to steal some or all of your possessions and give it to the disadvantaged, then I suppose you shouldn't honestly get all that upset about it, but I doubt that would happen.
fabianhjr 159 days ago [-]
> In economic terms, intellectual property is non-rival, whereas tangible property is rival. As a result, the “piracy” of intellectual property is simply not the same sort of zero-sum game that car theft — or theft of any tangible property — is. And that means that when Hollywood or the U.S. government says that music or movie downloaders are “pirates” or “thieves,” they are indulging in a bit of loose rhetoric. There are, in general, good moral reasons not to take what doesn’t belong to you. But as this video by filmmaker Nina Paley so beautifully illustrates, copying is not theft.

Source: http://freakonomics.com/2012/04/02/copying-is-not-theft/

snowwrestler 159 days ago [-]
This is a popular argument but I think it is wrong because it uses the wrong analogy. I'll illustrate.

If I buy a candy bar at the store for $0.99 and then you steal it, now you have it and I don't. I'm out $0.99 of value and you stole $0.99 of value.

But what if you steal the candy bar directly from the store? You got $0.99 of value, but the store didn't pay $0.99 for that candy bar; they may have only paid $0.40. What you actually stole from them was two things: $0.40 of inventory and $0.59 of foregone revenue.

Even if you drop $0.40 on the counter as you walk out the door, it would still be considered a theft because the store gets to decide what their retail prices are, not you. You're still stealing $0.59 of foregone revenue.

IP products essentially have an "inventory" cost near zero. Yet, if you take a song or a trade secret without paying for it, you're still taking their foregone revenue. Just like dropping $0.40 on the counter for a $0.99 candy bar, you're dropping $0.00 on the counter for a $0.99 song or $1 million trade secret. Reimbursing someone's inventory cost (even if it's $0.00) does not mean there is no theft occurring.

While the IP itself is non-rival, the revenue from each sale is rival; that is, if you acquire my IP via a pirated copy then I still have my IP, but I don't have the revenue from selling you my IP.

kruczek 158 days ago [-]
This analogy is also wrong, exactly for the reason that IP is not a physical thing that can be taken - it can only be copied.

Yes, by leaving $0.40, I would be stealing $0.59 of foregone revenue, but that is because the shop doesn't have that candy bar anymore and can't sell it. In case of IP, even if I pirate it, you can still sell it to other people.

Of course you probably can't sell it to me anymore and that may be lost revenue, but it depends if I would be actually willing and able to buy that IP otherwise. And of course it may cause more competition to appear, which will negatively affect your business.

snowwrestler 158 days ago [-]
> Of course you probably can't sell it to me anymore and that may be lost revenue

Yes, this is the point.

> but it depends if I would be actually willing and able to buy that IP otherwise

I'm not entitled to your money, of course, but in exactly the same way, you're not entitled to my IP (or my candy bar).

> In case of IP, even if I pirate it, you can still sell it to other people.

If everyone followed your logic, no I couldn't.

mattrices 158 days ago [-]
Your candybar arguement is absurd because you can't sell ip direct to consumers. You could manufacture a product that uses it or sell access via some supply limiting portal, but that is much different than actually selling ip.

Additionally it's not inventory because it is not finite. There is a distinction made by GAAP regarding valuation of tangible vs intangible assets because it is much more complex process to valuate intangible assets such as ip.

snowwrestler 158 days ago [-]
Physical inventory and IP are analogous in that they are both types of property that their owner intends to use to generate revenue (and hopefully profit).

> it is much more complex process to valuate intangible assets such as ip.

Please note that my argument above assigns a value of $0.00 to the IP itself.

Even at that valuation, you can still commit theft by robbing me of the opportunity to use that IP to generate revenue. By analogy: when you steal a TV, you are charged on the retail price of the TV (the amount you should have paid for it), not the wholesale price (the amount the store paid for it).

mattrices 158 days ago [-]
Your intention is irrelevant, limiting your opportunity is not theft. You're using that analogy as an emotional appeal to present the ip holder as a victim.

Any competitor could limit your opportunity by releasing a functionally similar non infringing product. Would you choose the word 'robbing' in that circumstance?

One would have to use your ip to create a competing product before it would even be copyright infringement, and it still wouldn't be theft since you cannot steal somthing intangible since by definition it only exists as an abstraction which is not the same as zero valued tangible inventory.

snowwrestler 158 days ago [-]
I think you need to go back up and carefully read from my first post. I'm not talking about competitive markets in general, I'm talking about a specific transaction where you end up with a product I'm selling, but I don't end up with the revenue I was asking for that product.

As an exercise: walk into Best Buy and pick up a $1,000 TV. On the way out, hand the cashier a check for the wholesale price of that TV. Have you just committed theft? And if so, what specifically have you stolen? You haven't deprived them of the TV itself, since you reimbursed them fully for that.

mattrices 158 days ago [-]
Allow me to present an intangible analogy to illustrate... If I see a chair at ikea and they own a patent on it and I go home and make a chair based on their ip, but don't commercially manufacture and distribute it then did I steal a chair? If it is stolen what have I stolen exactly?

I guess my point is that my point is that ip is a liscense to manufacture and/or distribute rather than a total monopoly on the idea or demand for the product.

fabianhjr 159 days ago [-]
Industrial >Espionage<[1] does happen. (When IP is a Trade Secret) If one doesn't want to risk espionage they can patent something, disclosing every detail, in exchange for a state enforced exclusivity over the patent.

As far as taking externalities into account: If someone doesn't behave to be "carbon-neutral" are they stealing from everyone?

Furthermore, the position you are defending is presupposing the ontological position that IP is Property. (Which might not hold in other cultures/countries, specially a Socialist Country with Chinese Characteristics™)

Patent infringement isn't theft and winging it and saying otherwise without a good basis won't convince anyone.

[1]: https://www.wikiwand.com/en/Industrial_espionage

Ygg2 158 days ago [-]
If someone isn't carbon neutral, they are in essence poisoning future generations.
PappaPatat 158 days ago [-]
Best analogy on this subject I've seen. I am sure there are a couple of issues that are left out, but it works for my needs (I am not a lawyer).
Barrin92 157 days ago [-]
Well if it's theft then it's been going on and used by everyone for thousands of years. To be upset about this is to be upset about gossip. It's an informal means to disseminate information. It will naturally occur in any sufficiently competitive system.

And the key point may be that the ones being 'stolen from' even allow it because the benefit they get from opening up to new markets usually exceeds the risk of having some of your IP copied.

It's not like the traders who ventured to Japan turned around just because they knew that the Japanese would try to catch up by any means, or that the British stopped trading with Germany. (Or that Apple stops to sell or build things in China)

drwu 159 days ago [-]
To be fair, Chinese technologies were also borrowed by other countries in the last 2000+ years of human history.
dgudkov 159 days ago [-]
Strictly speaking, borrowing assumes returning at some point.
rosser 159 days ago [-]
Is it "returning" a thing to sell it back to the people from whom you "borrowed" it?
astrodust 159 days ago [-]
It's like how there's Starbucks coffee shops in Paris and Taco Bell in Mexico.
coupdejarnac 159 days ago [-]
Strictly speaking, euphemisms substitute a mild, indirect, or vague term for a harsher term.
walrus01 159 days ago [-]
Taken to its logical full extent you might as well build a SCIF. Intelligence agency standard for facility that can handle air gapped SECRET and Top Secret data. If you look at the office park directly west of fort Meade, MD, some of those have SCIFs inside them. Not cheap.
beefield 159 days ago [-]
> the usb-ports are disabled and the usb-ports on new issue computers are epoxied to prevent trying to use them.

How are they planning to use new laptops that are powered via usb-c?

gl0w 159 days ago [-]
They probably don't use laptops, since laptops can easily be taken off site.
ci5er 159 days ago [-]
I used to work in semi- in Asia, and it was pretty loose compared to Financial and Pharma. Maybe things have gotten tighter, but...
genericone 159 days ago [-]
I think it depends on the tier at which the company does its business in. Is the OEM involved in the latest nodes, or are they working with sizes >100nm?

Secrets are kept tight for any company with any tech relating to the latest nodes <10nm. It just so happens that IBM has been working on sub-10nm processes for a long time, so they have a lot of secrets to keep, hence I am not surprised by the article heading.

ci5er 159 days ago [-]
I get your point, but even when everyone was at a micron, 100nm was the super-secret stuff. This "ratio" has been a constant for ~40 years.
xbryanx 159 days ago [-]
How do you connect a keyboard or mouse?
dogma1138 159 days ago [-]
An implementation I’ve seen had all ports locked down on the laptop itself and physically locked with a plastic plug that can’t be removed without leaving evidence.

The keyboard and mouse were connected to a dock.

On the OS level only HID devices were allowed via USB you could bypass this if you had admin rights but it would leave a trail.

The idea behind these like most other security controls is to prevent accidental leakage and to make it difficult enough that intentional leakage would likely be detecte on time.

mseebach 159 days ago [-]
> you could bypass this if you had admin rights but it would leave a trail

A move I've seen being put in place at several locations, is removing local admin rights from all users. Those with advanced needs, like developers, gets a VM which is limited to a specific VLAN, with no access to the production environments.

The principle is sound, implementation is ... difficult, to say the least.

jacquesm 159 days ago [-]
And if you're willing to run a lot of screencaps or re-type the stuff you see on another computer you can still get the data out. Before modems were common in the hands of unwashed masses my friend and I would transfer files on the phone by spelling out blocks in hex. Slow but with a checksum every 16 bytes it was good enough to get some work done. If the data is high value enough it would probably be worth it.
mseebach 159 days ago [-]
Airgapped exfil is a whole research field. Priority one is making accidental leaks or infections all but impossible. Priority two is making large scale intentional leaks as slow and difficult as possible. As long as there are human eyes on the data, some level of leaking is possible.
dogma1138 159 days ago [-]
Any host based DLP will monitor and block screen caps you also need to get them out some how. Printing will also be heavily restricted and monitored. Sure no DLP solution would beat pen and paper but that’s not a good way to exfiltrate data these days and a security guard checking people leaving a restricted area would be a good enough way to plug any leaks.
ekovarski 158 days ago [-]
All of these technologies are great to prevent employees from casually stealing data but as history has proven, usually while the front is well guarded, the back end many times has quite a few holes for hackers to exploit. It's like they say, the most secure computer is the one not connected to the network.
dogma1138 157 days ago [-]
People like to dramatize things way too much, most "breaches" are accidental there are 1000's of companies that manage to keep their data secure on a daily basis despite targeted attacks.

With a few exceptions it's much easier to either poach your competitors or simply buy them outright which is why "corporate espionage" is mainly employed by nation states these days that need to catch up. It's also important to note that stealing a design isn't that useful these days since you are too far gone what would be more important especially in the semi industry is to know the characteristics of a specific design or process in order to be able to preemptively position your offerings to compete without giving up any unnecessary ground.

MrMorden 159 days ago [-]
A malicious insider can always memorize the information to be exfiltrated. (See e.g. Ana Montes.)
dogma1138 159 days ago [-]
Oh yeah you don’t have admin rights or they are restricted via UAC and an agent that allows you to promote only certain apps and then restricts inheritance of permissions from these apps.

In a restricted environment you will have several monitoring agents that track and enforce system integrity.

jon-wood 159 days ago [-]
I’ve not seen this approach, but it’s definitely an interesting one. What do you do about the people who actually need production access?
dogma1138 159 days ago [-]
Organizations that take security seriously use PAWs for production access.

https://docs.microsoft.com/en-us/windows-server/identity/sec...

Example of an actual implementation in the wild: https://uit.stanford.edu/service/paw

mseebach 159 days ago [-]
Well, bias towards "infrastructure as code" and minimise the need to actually access the servers. Read logs through Splunk, configure through version controlled Puppet (or similar tools).

The only machines that can actually SSH into prod at least have screen-session-recording software, perhaps are kept in a separate room, with a policy of two staff present at all times. The general idea is that the closer you actually get to being able to bypass the checks and controls, the more attention you bring to yourself and your errand.

Yes, it can't be Git and Puppet all the way down, at some point someone will necessarily have access to do something as root on the server that hosts the Git repo that Puppet runs from. But instead of that being every dev on every laptop anywhere in the world, you can make sure it's a very small group of people, from a small number of workstations.

This is difficult and requires a substantial and very competent team to implement correctly.

the8472 159 days ago [-]
> On the OS level only HID devices were allowed via USB

Of course that's enough to run malware. Just inject Win+R, cmd, enter, <your shell code here>

dogma1138 159 days ago [-]
You are missing the point you don’t need a rubber ducky to input malware, all you need is a sheet of paper and some time.

On restricted workstations even if you can run command prompt which isn’t guaranteed it won’t lead to anything.

genericone 159 days ago [-]
To be fair, they are not completely locked down like I may have made it sound.

The usb port restriction is absolutely true for laptops, but colo desktops probably do not have this restriction, or just a more lax restriction. Also, its not true for all laptops of the company, but usb access does require explicit permissions and a new-issue laptop, so they do have a list of people who have riskier laptops, and may need to be issued a different travel laptop vs engineering laptop.

The laptop's epoxied ports likely prevent distracted traveling workers from having their laptops hacked with usb-keys inserted when they aren't looking.

pjmlp 159 days ago [-]
The solution I have seen for desktops is to put them inside a locked metal case.

You cannot access anything besides the power button.

StringyBob 159 days ago [-]
I've seen the 'USB ports get taped up for a visiting engineers computer' thing before - so I wonder what they do with a MacBookPro nowadays (there is no separate display or power connector!)
AstralStorm 158 days ago [-]
They use a laptop suited for business, obviously.
jay-anderson 159 days ago [-]
xaldir 158 days ago [-]
Now you know why the PS/2 port is still around.
159 days ago [-]
khedoros1 159 days ago [-]
A docking station.
bhandziuk 159 days ago [-]
Can't you just moved the usb ports around? What's the difference?

(Edit: Haven't --> Can't)

khedoros1 152 days ago [-]
(Realizing this is from a week ago...)

A docking station usually has a lot more than just USB ports. Mine has three monitor connections, more USB ports than the laptop itself, a power connection, and an RJ-45 jack. One of the benefits is the expanded number of connectors. Another benefit is that I don't have to unplug half a dozen items to take the laptop with me; I just hit the eject button and pick the laptop up. In the same way, reconnecting all that stuff is achieved by just plopping the laptop onto the dock.

Best of both worlds: Portability of the laptop itself, and the easy expansion of the laptop's capabilities in situations where the expansion is useful (e.g. somewhere that I can keep a bunch of big monitors, and would benefit from a non-mobile work area).

nickpsecurity 159 days ago [-]
Another common approach is thin clients that connect to VM's running on servers in protected rooms. My company does that. From there, most critical apps are web apps they monitor. Specific things that need Windows or Linux run in the VM's. There's even some solutions that support connecting USB devices to thin clients for use on remote VM's with some security on that process. I have no idea if that security is good but there's potential for secure devices designed for these use cases.
blacksmith_tb 159 days ago [-]
Are cases locked / glued shut? It seems like it would be easy enough to connect a new usb header...
Nelson69 159 days ago [-]
While visiting a Chinese division of an American company I worked for about 8 years ago they had Dell desktops, in a tower configuration and they had a metal (steel) super structure around them. A case within a case.

You could unlock it, plug in USB, monitors, ethernet, etc. route the cables out through a slot and then lock it. You couldn't reach the the different ports and sockets when it was locked. It was all relatively stout too.

Interestingly, they did have internet in the building but you had to have management permission and go to the security office to access it. If you wanted to download something, it was a fairly involved procedure. They were paranoid about people stealing their stuff and then also very paranoid about misappropriating something they shouldn't and creating legal problems in Europe or North America. They didn't seem to be all that concerned about stealing other people's IT but they wanted to control everything such that it didn't contaminate anything they wanted to sell where it mattered.

I nearly created a situation when I pulled out my phone to take a picture of an "engrish" sign they had on the wall.

It'll be interesting to see how the security culture in the US changes or doesn't, a lot of younger developers would be put off if you attempted to somehow restrict their access to the internet from work computers or restricted your ability to plug a phone or some arbitrary device in for charging of whatever. At every job I've had this century it has been fairly trivial to download nearly all of their source code and take it home if you wanted to. Trying to take the politics out of it, we're very much engaged in a cyber cold war with a number of nations that absolutely want to take our secrets; I won't speculate on the real impact but the Russians did meddle in our election.

rdtsc 159 days ago [-]
> Are cases locked / glued shut? It seems like it would be easy enough to connect a new usb header...

Well sure. I think the idea is to prevent mistakes and people just randomly plugging usb sticks they get from conferences as gifts or when they work from home. People will forget and do that anyway even if it is the rule.

When someone start disassembling the laptop or runs around with a screw driver trying to get the epoxy out of the ports, it would a bit hard to claim it was an accidental mistake. In that case, those people can probably find a way to exfiltrate data or to infect the system without the aid of USB keys.

rasz 159 days ago [-]
or unplug a mouse for 5 seconds
Lionsion 159 days ago [-]
If you're going through the trouble of epoxying USB ports, you could probably epoxy the mouse to its port as well.

Or just monitor connected USB devices and shutdown if something unapproved is installed, a la USBKill.

https://en.wikipedia.org/wiki/USBKill

TeMPOraL 159 days ago [-]
If mouse is epoxied - cut the cable, cut and splice in a male->female cable, connect your device.
floatingatoll 159 days ago [-]
Doing so would trigger a USB disconnection event, which under a sufficiently paranoid ecosystem would immediately terminate the entire enclosure and lock the door and call security.
chrischen 159 days ago [-]
I think they are trying to discourage accidental use of/the urge to use the USB ports.
AstralStorm 158 days ago [-]
Epoxy is a pain, just use a sticky connector envelope instead.

USB disconnect disabling whole USB host is trivial to code. You would disable on disconnect instead of whitelisting as there can be USB host bugs. Add a boot password so that only admin can start the machine...

Plus the are solutions where drivers are also put in a VM to further reduce attack surface.

petra 159 days ago [-]
How can they prevent migration of talented people, given China's infinite war chest ?
wolfgke 159 days ago [-]
> How can they prevent migration of talented people, given China's infinite war chest ?

The Renminbi is very difficult to convert.

basementcat 159 days ago [-]
I've never had a problem converting modest amounts of CNY <-> USD at any bank in China or in the USA. Are you referring to capital export controls (~100k CNY/year)?
wolfgke 159 days ago [-]
> Are you referring to capital export controls (~100k CNY/year)?

Yes.

avastmick 159 days ago [-]
Sorry, this is not true.

I live and work in China and move far than that a year. Also the NZ / Australian property markets are both in a bubble caused by Chinese cash investment by wealthy individuals, 100k CNY won't buy anything.

100k CNY is only 15k USD.

basementcat 157 days ago [-]
Are the capital restrictions only enforced on citizens or are there trivial workarounds? ("education" or "travel" expenses)
user5994461 159 days ago [-]
China is in China. Geography is a pretty good limitation against poaching.
loeg 159 days ago [-]
Geography, politics, and ordinary racism against non-Chinese.
visarga 159 days ago [-]
> the usb ports are disabled and the usb ports on new issue computers are epoxied to prevent trying to use them.

That means many current day laptops can't be charged.

tzs 159 days ago [-]
They could glue in a USB data blocker, which is a thing that plugs into a USB port and has a USB socket on the other end and has the power lines connected between the port and socket but not the data lines.
159 days ago [-]
brian-armstrong 159 days ago [-]
Preventing exfiltration? Nobody tell them about my library [1], they'll need to ban line out ports and headphones :)

1: https://quiet.github.io/quiet-js

wyldfire 159 days ago [-]
Awesome! A GMSK modem in js? Good on you. Submit for show HN?

Have you tried other modulations?

brian-armstrong 159 days ago [-]
Thanks!

It made the rounds on show HN a couple years ago. Also my dirty secret is that it isn't really JS, it's C via emscripten https://github.com/quiet/quiet

Currently supports everything Liquid DSP supports which is GMSK, PSK, QAM, OFDM and a lot more. Working on adding DSSS soon

edit: Here's a sort of lab/playground https://quiet.github.io/quiet-profile-lab

Sammi 159 days ago [-]
So what transmission rate can you hope to get with this?
brian-armstrong 159 days ago [-]
Depends quite a bit on what you have. I've seen about 10 kbps over air and 64 kbps over cable
AstralStorm 158 days ago [-]
It is pretty conspicuous over the air though. It also won't get rid of watermarks.

TEMPEST is probably easier and more reliable than this.

squarefoot 159 days ago [-]
This is going to hurt everyone but really motivated hackers in there.

If I had to smuggle some data out of a PC I'd use the audio card at a very low volume but known frequencies to output the data the FSK way, leaving a phone near the speaker recording the audio, then at home I'd reconstruct the data just as old modems did 40 years ago.

Other methods could also be used: blinking a pixel (or the optical mouse led left on the phone camera), raising the cpu power usage by making it run busy loops according to data ones and zeroes (nobody would object a bluetooth power consumption measurement device connected to the PCs mains cord), or manipulating innocuous fields into IP packets such as the Time To Live: make it higher than X and it's a one, make it lower and it'a a zero; routers will ignore the trivial difference but a passive (100% undetectable) tap into the network cable still allows to sniff the data. Actually, unless the infrastructure is instructed to report Ethernet frames sent to wrong addresses, one could send malformed frames carrying data into the payload so that they could be ignored at switch level but still readable by a tap on the cable: that would allow data smuggling at blazing fast speeds, much higher than USB.

emilfihlman 159 days ago [-]
Banning removable media is 100% the right direction (of course there needs to be exceptions for DSLRs and install media and whatnot, duh)

The amount of idiocy I've seen with storing sensitive and work intensive documents in USB sticks is horrible.

alexanderdmitri 159 days ago [-]
yeah, except this is why it's happening now: https://features.propublica.org/ibm/ibm-age-discrimination-a...:
awakeasleep 159 days ago [-]
Within a business, security has to be understood in the context of risk analysis.

Will the measures taken damage the company more than the benefit of the increased security?

In my eyes, banning storage media without a practical replacement is on the wrong side of the risk analysis equation. Sure, it's not desirable that files can be moved without full access control and auditing, but if people don't have a tool that works the same way then all your employees who rely on it will suffer.

It would have been great to see a standard encrypted portable drive, probably with the decryption software on a different partition establish a foothold in the world. With the addition of DLP software, that could have allowed employees to continue to do their work while mitigating the risk of lost or stolen data.

edit: what this doesn't cover is transferring large files quickly, or transferring files to a computer that isn't currently configured with the systems required for file transfers.

rtkwe 159 days ago [-]
With the rise of VPNs, fast home internet, and fairly ubiquitous public wifi along with laptops gaining enough power for most applications the question is what's the real use case that requires removable media that can't be accomplished with an internal FTP/network drive/email and using company laptops?
ghaff 159 days ago [-]
>"fairly ubiquitous"

If I'm giving a presentation to hundreds or thousands of people in 30 minutes and a laptop goes down/won't connect to projector, presentation wasn't loaded or was corrupted on the speaker laptop, things go sideways in a bunch of other ways (and they do), I don't want to be in the position of depending on the network to pull down a presentation from somewhere. Especially if I don't have my own laptop with me as is at least sometimes the case.

There should be various other ways to get to a presentation and I even have a setup to present from my iPhone (which I've actually had to use as a fallback), but a USB stick is a good, simple backup that I've used more than once.

mseebach 159 days ago [-]
Sometimes security is annoying, and sometimes security means you don't get to do what you needed to do. An event with hundreds or thousands of people should have rehearsals and spare speaker laptops, but if they don't, your need to present doesn't trump your (or someone else's) employer's cyber security stance.

Show up at a building site without your helmet and hiwiz? Unless there's a spare set around, you're going home. We need to get into the same mindset around cyber security.

ghaff 159 days ago [-]
It's going to depend on the circumstances and, perhaps, we really will decide over time that moving USB keys among untrusted laptops is simply a bridge too far. But, literally just this afternoon, used a USB stick to transfer a presentation to a (supposedly clean) speaker laptop that hadn't been preloaded like it was supposed to be. The circumstances (~100 person event, no rehearsals or heavyweight IT support) made that seem reasonable.

Cybersecurity is indeed important. But it's about managing risk, not minimizing it no matter the cost. And what I'd do at an event like this one is quite different from Defcon where I'd take the most stringent precautions possible.

downrightmike 156 days ago [-]
There are drives that you can physically disable write on: https://www.kanguru.com/
lb1lf 159 days ago [-]
Offshore work, for instance.

Lots and lots of vessels have painfully slow satellite links - think <=64kbps - whereas the others mostly have very slow satellite links - ~512kbps.

Trust me, in such conditions you do not want to cough and ask whether you can download your training material off the corporate VPN...

(Heck, in many cases, shipowner policy prevents any third party computer from being connected to any onboard IT infrastructure, anyway.)

gnode 159 days ago [-]
Working at sea; an Antarctic base; Mars; etc. is very much a niche for which specific exceptions can be made, but is irrelevant to almost all employers. In most cases security is the greater concern.
pythonaut_16 159 days ago [-]
In context of the original post though, it's unlikely IBM engineers are doing much work on ocean going vessels with 64-512kbps satellite links
raverbashing 159 days ago [-]
A hybrid structure, that is, allowing the transfer of files through portable drives however only allowing it to be saved/read encrypted to approved devices through encryption keys managed on devices or through the network (Group Policy/etc) could work.
downrightmike 156 days ago [-]
I just bought a new SanDisk USB 3 drive and noticed it comes with SecureAccess software. It uses 128-bit AES encryption. Better than nothing, we could think IBM a large and successful long term tech company could make their own. But that doesn't support the cloud vision.
theandrewbailey 159 days ago [-]
In this case, is cloud storage not a practical replacement?
Something1234 159 days ago [-]
The analog loophole. If I can access the resources from my local device. The odds are I can get a copy of it without the protections on it.
cepth 159 days ago [-]
This is already standard practice for several industries. For example, you’d be hard pressed to find a pharma company nowadays that allows the use of any removable media.

The likely “replacement” is that IBM employees will have to use some sort of corporate VPN to work remotely.

ams6110 159 days ago [-]
Last meeting I was in with an IBM rep, he wanted to download some slides that were not part of his stock presentation, to address some specific questions we had. By the time he got connected to his VPN about 10 minutes had elapsed, and the download was going to take another 90 minutes. He ended up saying he'd email them later.

Corportate VPNs are great, but if they don't perform people are going to work around them.

collinf 159 days ago [-]
What sort of Fortune x00 company doesn't use a corporate VPN?
dchest 159 days ago [-]
2sk21 159 days ago [-]
I work at IBM and I can get almost all of my development work down without logging into the company network when working remotely - quite similar to Google's approach. This is a relatively new development within the past few months.
joombaga 159 days ago [-]
Google
159 days ago [-]
kevinSuttle 159 days ago [-]
They already do.
forgotmysn 159 days ago [-]
I thought IBM was ending their remote work options?
ascagnel_ 159 days ago [-]
Remote work and working remotely are two very different things. The former usually refers to making your own arrangements for normal working hours outside of commuting to a corporate office; the latter usually refers to off-hours or one-off arrangements.

IBM may not want people remote working, but they'll be happy to have people working remotely at nights, on weekends, etc.

kevinSuttle 159 days ago [-]
Right. Even when you're on a campus and not on the employee SSID, you need to VPN in.
rubidium 159 days ago [-]
Office workers will be fine.

It's the field people that are going to have it rough. Even the best 4G LTE stick won't matter if you're installing in the basement of a huge complex.

mseebach 159 days ago [-]
First, if USB sticks are out for data exfil reasons, 4G sticks (and anything else that isn't a HID device) are out as well.

Second, such networks generally have an approved way of getting data on to them, typically involves handing your USB stick or DVD to someone with access to a particular machine with unblocked ports and specially firewalled off access to a particular shared drive on the network, and nothing else.

Rafuino 159 days ago [-]
Interesting but seems kind of late, no? Even the US State Department has banned USB drives since at least 2008. I don't think US government is particularly well known for being good at security.
jpalomaki 159 days ago [-]
It’s one thing to ban stuff and another to actually provide practical solutions for people so that they can continue working. Banning stuff looks good on paper, but sometimes the clever work arounds people invent are then much worse than the original thing.

Practical example from past. Policy denies creating user accounts for externals. In big orgs you anyways sometimes have the need to have some external do work on systems. Idealistic view is that employee baby sits the ext guy and performs everything on behalf of him. But in reality people have their own work and deadlines, so it becomes tempting to just log on and let the ext work on your credentials.

sailfast 159 days ago [-]
Agreed - this doesn't seem like that big a step at all from a security perspective. The main change is that it will now force a bunch of folks to think about how they manage their data and their consulting teams especially will get annoyed with how "hard" it is to transfer that powerpoint deck for their presentation.

Leaving data lying around on a stick is one vector. Malware and other considerations is quite another that should be discussed more often. Especially if your posture is jelly-filled.

I'm guessing they got burned here at least once with a relatively large dataset that somebody left in a cafe somewhere.

HillaryBriss 159 days ago [-]
agree. US defense contractors limited moving electronic media in/out of their facilities back in the 90s, i think.
bigmattystyles 159 days ago [-]
Seems like the move addresses accidental data leaks through portable device misplacement. I don't think it can do much to protect against intentional leaking. I mean, they want people to be able to work from anywhere from the sake of business, so I guess this addresses 1 vector. Hopefully, they understand this.
krona 159 days ago [-]
Well, it's still not going to stop the general institutional incompetence that permeates the company when it comes to security. For example: https://www.nytimes.com/2017/07/25/world/europe/ibm-sweden-d...

Keeping sensitive data off the cloud altogether is the more sensible option.

dsfyu404ed 159 days ago [-]
It's not stuff getting out that's the problem. It's stuff getting in. This move addresses the certainty that if a malicious actor manages to drop a flash drive in the parking lot it's practically certain that it will be plugged in.

When you're a large global company like IBM you become the target of lot of groups.

jackconnor 159 days ago [-]
This is a security move to prevent more documents getting leaked. They're under fire for the ageism layoffs, which were partially verified by leaked docs, and so they probably got paranoid.

Not that they shouldn't take this measure regardless. But there's a very specific reason it's happening now.

monocasa 159 days ago [-]
Surprised it took them so long. Outside of exfiltration, there's the issue with sketch USB sticks with malware making their way on to your network.

It's amazing how many people will plug in any flash drive they find in a parking lot.

pavel_lishin 159 days ago [-]
There's a very large Cryptocurrency convention taking place in New York right now, and I wonder how many USB drives are "lost" in the area.
TYPE_FASTER 159 days ago [-]
Worked at a financial institution ~10yrs ago, they pushed out a group policy change to not allow USB ports for storage for security reasons while I was there.
slededit 159 days ago [-]
I remember they came to our school to show off their new hot desk software they wrote. Look how efficiently we can use space! I saw it as saying your so unimportant we won't even give you a dedicated desk.

Now apparently you can't even use common tools to get the job done. If I had a big meeting I wouldn't take a chance on the network to keep my presentation.

ghaff 159 days ago [-]
Hot desk-ing mostly makes sense only if you're 1.) short on space and 2.) have a fair number of people who only come in intermittently. Otherwise, you're not really saving anything and you make it harder to find people who aren't sitting in a fixed location.

Presentations would be the big inconvenience for me. I always carry a backup on a USB stick when I'm presenting at an event or conference. Just today, I loaded a presentation onto a conference laptop that was supposed to have been preloaded but wasn't. I could probably have worked around by getting the presentation off the network but I never like to depend on WiFi at an event.

ADDED: Especially for an external public presentation, I'd get it onto a USB stick one way or the other.

ggg9990 159 days ago [-]
Hot desking is actually a positive indicator for some people. It means they only expect you in the office intermittently.
cf498 159 days ago [-]
>Now apparently you can't even use common tools to get the job done. If I had a big meeting I wouldn't take a chance on the network to keep my presentation.

Then you are an active threat to your networks security. You sound like you have an incentive and willingness to put in effort and take personal risks to circumvent the security protocol at your workplace. Looking at employees without bad intents, this is as bad as it gets.

This is a great example why social engineering is unlikely to go out of style anytime soon. People who think they know better and are confident in being qualified to take a risk are never in short supply.

slededit 159 days ago [-]
First, using USB drives was never against security policy at my work - so your personal attacks are unjustified. But secondly my powerpoint presentation isn't exactly top secret classified material.

If we were talking about handling the private signing keys I would agree with you. Different types of data have different levels of security needed. Over classifying trivial data just makes it harder to get things done.

cf498 159 days ago [-]
I am sorry if it came across as a personal attack, I didnt want to imply that you are personally negligent or unqualified to make that call. For all I know it is your job to make those policies at your place off work. The problem is a User with this attitude whos job isnt to make that call.

Strictly speaking, If a user in a workplace where this behavior is against the security policy acts like this or expresses this opinion, namely, that they wont be stopped by a security policy to hold their presentation, they are a user group that arent just a possible attack vector but a possible attacker them self.

If your company forbids the usage of USB ports, they do that for a reason, whether individual users think that is reasonable or not. This isnt just about possibly leaking data, but introducing stuff in an environment that is supposed to be closed. Differently put, as a bad faithed person, I will gladly borrow you my USB Stick to transfer your important files so you dont get in trouble for having technical hickups. I also will take you up on the "thank you" snacks and will also watch silently when you get in trouble for intentionally breaking security policies and infecting the network.

slededit 159 days ago [-]
The problem with blanket policies like this for an entire organization is that they don't consider the type of work being done. A publicist for example has as their job to distribute information publicly, you aren't helping them by making it impossible to drop off a USB key to someone. A software developer has a need to install operating systems much more frequently than an average user. You can net-install but usb media is still a major vector.

The vast majority of people in an organization don't work with sensitive material. It makes much more sense to do this on a per department basis.

Policies like this that ignore on the ground reality and make it hard to get work done encourage abuse of the rules. When the rules are too draconian people will work around them and it encourages disrespect for other rules - especially the ones that actually do improve security.

cf498 159 days ago [-]
That doesnt make individual users less of a security risk. This boils down how much harm an individual user can do, most of which the individual user doesnt have the full grasp off. It can be a simple as introducing something into a system and enabling an inside attacker or walking around with a audio keylogger in form of a usb stick. Your laptop with a borrowed usb stick can record the sound of someone way above your security clearance typing in sensitive data while being in the same room. This sensitive data might be a trivial as a cost center number.

Those rules arent draconian, someone somewhere was hired to make a risk assessment and found them to be necessary. You dont circumvent them period. Thats the responsibility of each an every employee. No matter if you think they are stupid, it isnt your call to make, except if someone hires you for exactly that, then they are your responsibility to do right.

Most attacks arent some espionage stuff, its plain and simply precaution against fraud and theft. And they target people who are to proud for their own good who never think of themself being at threat. Which is sadly something a lot of computer scientists have a bit of a problem with. No one wants to believe they could be duped like that, they surely would know it better. Security policies are there to not have to rely on individual egos and look at it more realisticly. Most of us will be duped when taken advantage of in a bad moment without enough time to think about it. Thats why people do it.

There is a reason even the CEO and CSO have to wear their badges. There is a reason a lot of Snowdens colleges started to get really scared once it became clear which credentials he used to access the files. And they were lucky, he could have been a criminal and sure as hell wouldnt have mentioned that those data leakages where his responsibility. He could have simply been a criminal transferring money in their names.

slededit 159 days ago [-]
I would love to see the cost benefit analysis that showed a company wide ban on USB keys would save more money than it cost.

Meetings happen daily, an iffy wifi connection is enough to waste the time of everyone in the meeting (10 minutes x 15 people is 2.5 person hours). These mundane things happen day in and day out. Someone walking around with an audio based keylogger is dramatically less likely to happen (and this ban on USB drives wouldn't prevent that anyways).

If you ignore the cost of people's time then pretty much every security idea makes sense. But its not a good way to run a business.

ghein 158 days ago [-]
I've come across this with data security policies at law firms, accountants, and investment banks.

They have to protect sensitive client data. Need to protect against illegitimate leaks of data. And the universal way that they communicate with clients, opposing parties, regulators? Email.

You can't force the SEC to accept your new encrypted cloud solution, nor can you require opposing counsel to use YOUR solution. And communicating with hostile parties is the entire organization's reason for existing.

"Simple and reasonable" IT approaches to problems frequently break down when faced with people whose job it is to deal with other organizations.

13years 159 days ago [-]
If this is about security of leaking things out, is IBM also ending their open web policy?

Otherwise I fail to see the point, anyone could easily just send anything to anywhere over the net. Don't need a USB.

Therefore, It seems to me this is about unintentional leaks of information, not intentional.

fhood 159 days ago [-]
Ha! If I worked at IBM they would never catch me. My flash drive is disguised as a tiny sports car! Foolproof!

Anyways, did IBM have a big leak recently or something? This seems rather draconian to have been put into place without some fairly strong motivations.

gaius 159 days ago [-]
Anyways, did IBM have a big leak recently or something?

Yes, this is almost certainly about leaks to publications such as El Reg. Eg. https://www.theregister.co.uk/2018/02/26/ibm_gives_services_...

fhood 159 days ago [-]
Wow, wouldn't want valuable corporate secrets such as your particular form of Agile leaking to outside sources. How devastating.
abiox 159 days ago [-]
when i viewed that link there was an ibm advertisement on the top and an interstitial one as well. couldn't help but chuckle.
justherefortart 159 days ago [-]
Slack instead of email?

That's hilarious.

philwelch 159 days ago [-]
Not to mention sad, soulcrushing, and generally illiterate.
tpeo 159 days ago [-]
I too thought of it as being draconian at first but come to think of it, USB drives seem much less important nowadays than they seemed back in 2007. They're still prolific, but they aren't thought of as a boon as they once were. Maybe IBM is onto something.
d0ugie 158 days ago [-]
Perhaps fairly inevitable eventual breaches of client data are more forgivable when a given firm can point to efforts such as this as evidence of having tried to keep a lid on leaks, and to elevate confidence that it is less likely to happen.

From what I've seen some firms' internal security practices in general seem more to be about appearances whereas other firms tighten and scrutinize everything as if the company's reputation and survival depended on it.

jacquesm 159 days ago [-]
Most companies that are somewhat serious about their business and the privacy of their clients (and their clients' clients) have a removable media policy. IBM's is nothing special in that respect. Besides cutting down on exfiltration vectors it also nicely takes care of some ways in which you might end up with malware on your corporate systems.

If your company does not have some kind of removable media policy then you are probably working for a very small company.

hb3b 159 days ago [-]
Right, they need to prevent the innovation from leaking out -_-
6nf 159 days ago [-]
They're just trying to keep Watson contained
prudhvis 159 days ago [-]
Would it be possible to just disable the usb driver from the OS(or just limit it, to a very very few tasks). Without it being a burden for UX purposes. One could argue that an exploit might be written in such a way that, it could be triggered before the OS boots from the BIOS. But, at that point, any external user-land exploit would provide the same level of access to sensitive data.
gaius 159 days ago [-]
Would it be possible to just disable the usb driver from the OS

For that you would need the capabilities of a world-class IT outsourcing company.

acdha 159 days ago [-]
> Would it be possible to just disable the usb driver from the OS(or just limit it, to a very very few tasks).

Yes, but think about what verifying that would look like. Epoxy is much easier to install and it doesn't disappear 3 months later when a Windows update ships.

mc32 159 days ago [-]
Don’t FB and Goog already do this in practice if not completely enforced (i.e. epoxying the connectors). What’s the news about this?
stefan_ 159 days ago [-]
Since USB is how you debug on Android and even flash the software, that doesn't ring true. If the Uber case is any indication, they instead give you all the freedom but essentially rootkit the system and keep very comprehensive logs and access controls.
mc32 159 days ago [-]
Right, I don’t think they disable USB, but more like you’re not supposed to use it, unless it’s within your job description because they keep logs and will do a forensic file search if they system is tripped.
trumped 159 days ago [-]
you don't need USB, it can be done using WiFi
ClassyJacket 159 days ago [-]
You do need USB. You still have to plug the Android phone into the PC every time unfortunately - then you can enable wireless debugging and disconnect the cable for that session. When you come back to your PC later, you have to plug in the cable again. I know this because I'm trying to learn Android development and it's infuriating.
trumped 159 days ago [-]
Not if your device is rooted, apparently: https://stackoverflow.com/questions/19117359/android-debug-w...
myelin 159 days ago [-]
Google's a bit more trusting of its employees. There's an expectation that you won't use non-Google services to store or transmit anything work-related, however. No code on laptops, no documents kept outside of G Suite, etc.
Ftuuky 159 days ago [-]
This is also something very common in banking.
Lev1a 159 days ago [-]
And hospitals (not the glueing part, but the blocking of anything that's recognized as a USB storage medium).
Pamar 159 days ago [-]
Absolutely - I don't understand why this is "new", "odd" or "difficult".

I work for an European company (travel/tourism) and the day they hired me (4 years ago) I got a corporate laptop with Windows 7 which would accept usb mouses, keyboards, charge smartphones... but would not "mount" anything that had storage. Interestingly enough I can connect my (personal) iPhone, and I can read pictures stored there, but I cannot write to it - I haven't tried installing iTunes because I don't need to backup to my work laptop so no idea how it would work with dedicated sw, but for sure there is no need to use epoxy glue or physical locks.

(Granted, I never tried to see how strong the protection was because it's not my specialty and frankly I don't care, but it looks like it works well enough as it is).

salgernon 159 days ago [-]
I met with a medical specialist at a huge hospital in New York - I had a usb drive with about 50G imaging data (pet, ct, mri) and they refused to access it.

Fortunately I was also hosting it on my own server in various formats - nope, they can’t access the external network.

I ended up burning the whole set to a spindle of dvds, which they could then import .. and shred.

mc32 159 days ago [-]
Many companies do not allow the physical removal of “hard drives” and must be shredded before they can exit a door, which is why the “keep your drive” warranty policy is quite popular with many companies.
Lev1a 159 days ago [-]
In the hospital I work at old CDs/DVDs/HDDs (readable or not) go through the slit at the top of a locked metal bin that gets taken away by some company at some point in time.
lsiebert 159 days ago [-]
Most android phones can function as portable storage devices, but I don't see them banning them.
s73v3r_ 159 days ago [-]
But to be used in that way, you'd have to plug the phone into the computer.
trhway 159 days ago [-]
BT/WiFi?
s73v3r_ 159 days ago [-]
In such an environment, wouldn't those also be disabled?
slics 159 days ago [-]
In many ways it can be stated: “the worst thing about security is too much security”. People always try to find ways to bypas security simply just to do their job.
programminggeek 159 days ago [-]
$1 says they give out IBM branded USB keys at trade shows ;-)
jacquesm 159 days ago [-]
The question is what's on them ;)
BasHamer 159 days ago [-]
So what they are saying is that every car in the employee parking lot will have a cellphone in it?

Wouldn't that cause a lot of break-ins?

benzesandbetter 159 days ago [-]
Well, treating your employees like middle schoolers is one way to quickly get rid of the remaining talent.
antoineMoPa 159 days ago [-]
This is nice until you have to transfer 78.2GB for one project and the transfer takes many hours.
6nf 159 days ago [-]
Copying large files to and from USB storage is probably slower than just copying across their internal network.
agumonkey 159 days ago [-]
I hope employees don't use sonoff wifi plugs :)
tgsovlerkhgsel 159 days ago [-]
Is there something particularly bad about Sonoff (as opposed to most other IoT devices, where the saying "the S in IoT stands for security" applies)?
agumonkey 158 days ago [-]
nah just that its the cheap mainstream model
notananthem 159 days ago [-]
This is really common and good practice
rasz 159 days ago [-]
How will they work with no phones?
Lev1a 159 days ago [-]
There's no reference to them intending to ban phones in the article, at least not that I could find.

The "portable devices" in the actual body of the article is phrased differently from the title, like so:

    portable storage devices like a USB, SD card, or flash drive
159 days ago [-]
zippitydoodah68 158 days ago [-]
Good for them.
asah 159 days ago [-]
cellphones? cellphone tethering?
JdeBP 159 days ago [-]
This is a third-hand story. Most of it is lifted verbatim from the PCMag article ...

* https://www.pcmag.com/news/361098/ibm-employees-cant-use-rem...

... which is in turn sourced from an article in The Register.

* https://www.theregister.co.uk/2018/05/10/ibm_bans_all_remova...

ssharwood 159 days ago [-]
Thank you so much for pointing that out! As the author of the original, it's irksome to see kudos (and revenue) go to outlets that re-re-report a story.
dang 159 days ago [-]
Ok, we've changed to that original URL from https://boingboing.net/2018/05/10/ibm-bans-usb-sd-cards-flas.... Thanks!
ssharwood 159 days ago [-]
Gosh, thanks! Certainly didn't expect the change or want to be seen as asking for it. But it's lovely that you did it so thanks!
dang 158 days ago [-]
We much prefer to have original sources. This is in the site guidelines actually: https://news.ycombinator.com/newsguidelines.html.
floatingatoll 159 days ago [-]
I emailed hn@ycombinator.com to ask the admins to fix this.
yborg 159 days ago [-]
Maybe IBM should just ban pockets instead.
hackme1234 159 days ago [-]
There are other places you could hide USB and SD cards ;)
kevinSuttle 159 days ago [-]
Just another act of IBM's security theatre, and a testament to their backwards views on employee experience.
chiph 159 days ago [-]
You're not wrong on their poor employee experience, but there's very little theater involved - there's good reason to protect their IP. Any firm that invests multi-millions in original design will want to protect their property from theft. Semiconductors were mentioned, but also think about someone like Pixar.
kevinSuttle 159 days ago [-]
The thing is, what's stopping employees from uploading files to a server? The physical devices are a fraction of a fraction of IP theft. Hence the term "theatre".
chiph 159 days ago [-]
A business like this is likely to have a WebSense network appliance, and/or policy enforcement software on the desktops.
jacquesm 159 days ago [-]
Hopefully a firewall.
racingmars 159 days ago [-]
Presumably they use network security devices and can see every bit of data that leaves their network to flag possible exfil. Devices like those in use at a company I used to work for man-in-the-middle all HTTPS traffic (using certificates from a CA that corporate IT pushes to all workstations/phones under corporate control, so they're trusted), man-in-the-middles SSH traffic (presumably assuming users just always answer "yes" to the "is this the right key?" question, or the user says no in which case the connection is effectively blocked, so either way the network security device wins), etc. Data exfiltration via USB key is a very real threat that is largely invisible to the company when it happens... no audit trail or anything to look back at.
amelius 159 days ago [-]
Product idea: a dongle with male & female USB connector, that you can place between USB drive and computer, and which catches possible security violations.
Kadin 159 days ago [-]
There are lots of forensics tools which block USB writes to prevent modification of data on drives under analysis.

However, the solution is to create tools that are easier to use and get the job done better than USB pen-drives. IBM seems to be all about the stick, no carrot. If they really enforce this (and as a former IBMer, I can tell you they are really long on pronouncements and very short on actual follow-through) I just foresee people bringing more laptops and multiple laptops around into places they previously would have brought a USB drive. E.g. if you can't easily move that Powerpoint from Laptop A to Laptop B because you're in some low-bandwidth hellhole, well, guess you're bringing both laptops along for the ride.

beefok 159 days ago [-]
Until 'they' figure out a way to tunnel through the dongle for yet more security violations, haha.
Retra 159 days ago [-]
All USB data already has to go through your USB drivers. So you've got a software solution vector right there.
amelius 159 days ago [-]
Yeah, but software can be mismanaged.

Perhaps a solution would be a combination of the two. E.g. dongle converts USB protocol to (say) XYZ protocol, and software converts from XYZ protocol to readable filesystem.

Retra 158 days ago [-]
And hardware can't be mismanaged?
pkaye 159 days ago [-]
There is already some Windows software that monitor the USB ports for storage devices and blocks them.
159 days ago [-]