Real World Computing
Slipping through fingers
In the main picture, you'll see a picture of my key ring. Don't worry, I haven't run out of things to say about computers (and, no, I can't tell you where to get an off-cut of a knitted stunt kite handle to use as a key-fob as I do). What I actually want to draw your attention to is that little brownish-grey square thing with "pqi" written on it that clearly isn't a key. If our printers have done their job well you might even be able to just make out the legend running along the bottom of this fragile, almost unnoticeable object, which says "1GB".
Yes, indeed, it's a USB storage key, and the whole thing fits within the footprint occupied by its USB connector - it slides out of that grey-brown plastic carrier whenever needed. If I wanted to, I could make it entirely invisible to a casual search by ripping off its plastic cover and sliding it inside the pocket created by my colourful nylon key-ring tag.
This device can contain twice as much data as those 25,000,000 Child Benefit records lost on two CDs by HM Revenue & Customs (HMRC), which caused such a furore last November. Yet, I bought this USB key in PC World, where it's sold adorned with little glittery bits as the sort of thing a giggly girl might want to hang from the lanyard of her mobile phone. Its data capacity is larger than the hard drives in any of my work PCs prior to 1999, but it could easily be something that drops out of an upmarket Christmas cracker.
When USB storage keys like this first became widespread, I began to notice that people seemed puzzled by my intensely negative reaction (with my network person's hat on) to these evil little tchotchkes. My first thought back then was that the security challenge represented by these gigabytes of drop-tolerant, low-power, non-volatile storage in a package small enough to hide under your tongue was just too scary. Wholly unexpected and so barely catered for by the main OS vendors, yet sold in every street corner sweetshop on the planet, they make a complete mockery of any promises concerning the safekeeping of data for almost any network that has a modern PC connected to it.
Since I last covered this issue, the problems have come home to roost in some rather unexpected places - for example, the market stallholders set up outside US airbases in Afghanistan, who were found to be selling second-hand USB keys once owned by their American guests in 2006 (www.pcpro.co.uk/links/161networks5). So far as that HMRC data loss is concerned, various sources who've worked inside the organisation have since told me this isn't strictly a matter of failing to control data access. Most of the Revenue's network doesn't provide any ability to write to removable storage, and those sections that are allowed to burn CDs (or write to USB keys) are all "duly authorised"; the cock-up was using internal post to send such duly authorised copies. Besides, the problem I'm most concerned about isn't this type of data loss, where a known mechanism goes wrong and is promptly reported: unnoticed leakage is a far more subtle problem. Being told that all your personal data has slipped down the back of the sorting bins is comparatively reassuring compared to not even knowing whether some dodgy geezer might have slipped all your sales contacts into his back pocket or into his mobile phone's data card hole, or onto his key ring. That's a different level of worry altogether.
The most immediate and most basic question is what should you do about it? Some of my HMRC sources talk about seeing machines whose USB ports have been filled in with epoxy paste. Actually, I don't mind that too much in principle, but the trouble is that USB is just so darned useful. If you so brutally disable the USB connections on all the machines that you're worried might present a data security problem, the workarounds you'll need to use to deal with the loss of USB peripheral interconnection ability will pile up rapidly and render the machines almost unusable. In hindsight, it's a terrible shame nobody makes USB connectors with a locking plug that would allow you to take the keys away with you and leave specific peripherals permanently connected with no open USB ports available on the PC.
