Thread: [BBC] IBM workers banned from using USB sticks
View Single Post
  #26  
Old May 14th 18, 04:28 PM posted to alt.comp.freeware,alt.comp.hardware.pc-homebuilt,alt.windows7.general,alt.comp.os.windows-10,alt.conspiracy
Frank Slootweg
external usenet poster
  
Posts: 46
Default [BBC] IBM workers banned from using USB sticks
nospam wrote:
In article , Frank Slootweg
wrote:

The company I worked for banned them many years ago - for
reasons of (a) concern of theft of secure [either in the
government (it was a defence contractor) or commercial sense]
material, and (b) fear of infection.

Exactly. Same with the little 150K employee computer company I worked
for. As soon as USB ports showed up on computers, they were made
inoperable. (No card-readers at that time.) That was well before the
year 2000.

there weren't very many usb peripherals 'well before the year 2000' so
disabling the usb ports didn't make much of a difference.

Huh? The discussion is about USB (memory) sticks!

which didn't exist 'well before the year 2000'.

Correct. I thought it was earlier, but according to my notes, it was
probably mid-2001.

usb 1.1 was finalized in late 1998 and started to become popular in
1999 as manufacturers ramped up.

usb 1.0 and win95 'support' did exist before that, but it was more of a
technology demo than actual products.

We used Windows 2000 (and NT before that).

according to wikipedia, the first usb memory stick was available in
mid-december, 2000, so really 2001 when people could buy them.

https://en.wikipedia.org/wiki/USB_flash_drive#History
USB flash drives were invented at M-Systems, an Israeli company, in a
US patent filed in April 5, 1999 by Amir Ban, Dov Moran and Oron
Ogdan, all M-Systems employees at the time. The product was
announced by the company in September 2000, and was first sold by
IBM in 8MB capacity starting December 15, 2000.

meanwhile, ethernet ports remained active...

Duh! Yes, they were quite handy to connect to our *intra*net, thank
you very much! And yes, our Internet gateways were very secure/strict,
TYVM. (Think NET-15 (and -16.)

connect a rogue device to the intranet. done. spoof mac address (easy)
and it will go unnoticed by the admins.

Unlikely that someone trying to make a physical connection would get
unnoticed, i.e. they would have to disconnect an existing device. And
they would have to set a correct/non-clashing computer name. Not
impossible, but unlikely. And what could they do, other than infect
their own computer? No way they could get to any company data without
knowing logins/passwords, etc.. (IIRC, they also would need the client
software in order to be able to *get* a login, but I'm not absolutely
sure about that.)

if data theft and malware infection was truly a concern, they'd need to
disable floppy drives and pcmcia slots. did they?

Yes. The whole environment was locked down and all software
installation/updating was managed by the IT department. I.e. one could
only install/update software which was provide/blessed by the IT
department.

We actually sold our management software/services to our customers,
i.e. if it serves us, it would most likely suit them as well.

disabling usb was nothing more than fear of the unknown.

I wouldn't call it 'fear', but a justified precaution, *because* the
dangers were unkown.

Bottom line: Trust me, you can leave it up to a 150K employee computer
company to really lock down their own IT.