Forgot your password?
typodupeerror

Beware the iPod 'slurping' Employee 390

Posted by ScuttleMonkey
from the someone-out-there-is-going-to-outlaw-ipods-now dept.
Zoner12 writes "CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port."
This discussion has been archived. No new comments can be posted.

Beware the iPod 'slurping' Employee

Comments Filter:
  • Oops (Score:5, Funny)

    by Luigi30 (656867) on Monday February 20, 2006 @01:28AM (#14758936)
    Nothing for you to see here. Please move along. Sorry, my iPod slurped the story.
    • Re:Oops (Score:2, Funny)

      by PC-PHIX (888080) *
      Nothing for you to see here. Please move along. Sorry, my iPod slurped the story.
      --
      503 Sig Unavailable

      Perhaps for this article you meant 404 or 410, or perhaps we need

      416 Content 'slurped' by iPod

    • In other news... (Score:5, Insightful)

      by Anonymous Coward on Monday February 20, 2006 @03:02AM (#14759307)
      In other news, a carefully conducted study has revealed that the majority of retail stores are COMPLETELY UNSECURE as the majority of employees have full access to the stockrooms, and many are able to access the cash contained in cash registers!
      • And in other news, Harrison Ford had this to say: "See! All the geeks laughed at the iPod bit in Firewall, but we knew what we were doing!"
    • Oh! (Score:3, Funny)

      by cgenman (325138)
      Oh, SLURPing!

      I thought the story was about LARPing. That would have been much more terrifying.

      • Re:Oh! (Score:5, Funny)

        by The Ultimate Fartkno (756456) on Monday February 20, 2006 @11:33AM (#14761100)
        "Sir? I think Johnson's up to something."

        "Johnson? That weirdo down in IT? I *knew* he was trouble when he brought that shiny, new iPod in here! What's he doing? Slurping our corporate data?!"

        "Erm, no. He put on a cloak and wizard hat, and now he's chasing Shelley the intern around the server room yelling 'lightning bolt! lightning bolt!'"

        "Sweet Jesus... this is worse than the time we found out we had a furry in accounting. Fetch my pith helmet and tranquilizer gun."

  • Business data? (Score:5, Insightful)

    by PC-PHIX (888080) * <jonathan&pcphix,com> on Monday February 20, 2006 @01:28AM (#14758938) Homepage
    Most of the time, as an IT employee with ties to the management/accounts/administration side of things I have always had full access to company data and know exactly where to look to find what I want. The only real restrictions have been my contract/confidentiality/non-disclosure agreement.

    What I would consider much more useful is an application that can hunt .avi, .mpg and .mp3 files across the network and 'slurp' them back to my iPod...

    ..., if I used an iPod.

    • by creimer (824291) on Monday February 20, 2006 @01:47AM (#14759036) Homepage
      What I would consider much more useful is an application that can hunt .avi, .mpg and .mp3 files across the network and 'slurp' them back to my iPod.

      An application that does the opposite would probably be better: transparently offloading illegal .avi, .mpg and .mp3 from the iPod to a specific computer. An anonymous phone call to the local authorities to take a look at the computer would finish the job. Wouldn't be the first time that some high-ranking company official got caught with kiddie porn on their computer.
      • Re:Business data? (Score:4, Insightful)

        by pla (258480) on Monday February 20, 2006 @08:57AM (#14760338) Journal
        transparently offloading illegal .avi, .mpg and .mp3 from the iPod to a specific computer. An anonymous phone call to the local authorities to take a look at the computer would finish the job.

        Assuming you work in the US Windows-oriented world...

        1) Where do you work that your IT guys gave you write access to administrative shares on the domain?
        2) Do you realize that files have a concept of "owner", as well as a creation date, and that when you authenticate against the domain, a DC logs that?

        Meaning that even if you could do it, which if you can your network admins need to "spend more time with their family", you'd leave tracks even an amateur could follow straight back to you.


        Of course, similar ideas apply to the idea of an iPod sniffing around the network... Do most companies not limit "important" file access to people who actually have a reason to access those files?

        Perhaps even more relevant - Would most people know what to do with something juicy? Unlike Hollywood's vision, you won't stumble across files named "fake_duplicate_set_of_books.xls" or "super_secret_corporate_takeover_plans.doc". "Real" juicy material takes a frickin' degree in accounting to make any use of... Just columns of account numbers, dates, and dollar amounts.
      • Re:Business data? (Score:3, Insightful)

        by hugzz (712021)
        An application that does the opposite would probably be better: transparently offloading illegal .avi, .mpg and .mp3 from the iPod to a specific computer. An anonymous phone call to the local authorities to take a look at the computer would finish the job. Wouldn't be the first time that some high-ranking company official got caught with kiddie porn on their computer.

        And you've got kiddie porn on your ipod, why exactly?

    • What I would consider much more useful is an application that can hunt .avi, .mpg and .mp3 files across the network and 'slurp' them back to my iPod...

      One of my former coworkers added audio/video file types to the SMS inventory list on our network. It was a simple step from there for him to build a little web front end to a database query and *pow!* instant media library.
    • Re:Business data? (Score:3, Insightful)

      by jbarr (2233)
      The only real restrictions have been my contract/confidentiality/non-disclosure agreement.
      The only real restrictions have been my good character, ethics, and morals...
  • I don't get it. (Score:4, Insightful)

    by Al Dimond (792444) on Monday February 20, 2006 @01:29AM (#14758944) Journal
    There's nothing you could do with the iPod that you couldn't do with your normal computer and any random external hard drive. And your access will be logged (or not logged) just the same as if you'd just run some normal program. What's the big deal that an iPod can do it?
    • Re:I don't get it. (Score:5, Insightful)

      by JanneM (7445) on Monday February 20, 2006 @01:38AM (#14758989) Homepage
      What's the big deal that an iPod can do it?

      There's plenty of places where running around with an external harddive would seem very suspicious (or an outright violation), but a music player is, well, just a music player, right? There's many people out there that don't have the interest in technology to really reach the conclusions that seem obvious here.

      With something like this, I'd expect to see quite a bit more attention being given not only to mp3-players, but things like cameras and mobile phones as well. "Wake-up call" is a trite, overused term, but perfectly apt.
      • Re:I don't get it. (Score:3, Insightful)

        by Danse (1026)

        There's plenty of places where running around with an external harddive would seem very suspicious (or an outright violation), but a music player is, well, just a music player, right?

        In every secure area I've been in, any sort of external data-storing device is banned, unless you are given explicit permission to bring it in, or you have the proper credentials to be allowed to bring them in on your own (which subject you to a higher level of scrutiny). So, unless the security people and system admins are

      • Re:I don't get it. (Score:5, Insightful)

        by v1 (525388) on Monday February 20, 2006 @08:52AM (#14760322) Homepage Journal
        How about a 4gb USB flash drive? Flash drives are becoming more popular than iPods, and are a heck of a lot easier to palm out of sight. They also look a lot less dangerous to most uneducated users, plugged into a USB keyboard rather than an ipod with its firewire/usb cable snaking over to the computer. As far as "sensitive data" goes, it's rarely related to its size. Anything capable of holding even a megabyte of data could easily be considered a major risk for sensitive information loss.

        The iPod is just one of the many ways for data to walk out the door. PDAs are just as bad, and are probably the most commonly accepted data storage device let in the building short of cell phones.

        All the technology does is make theft easier. It's just like the argument of guns.. it isn't the object that's dangerous, the object is only the enabler. It's the person using the object that makes it dangerous. ("guns don't kill people, people kill peope" -- "ipods don't steal company secrets, people steal company secrets")

        In other words, if you are paranoid about your employees taking an iPod into work, why on earth did you hire them for a sensitive position? Them bringing that iPod in is, for the most part, completely beyond your control. (and the iPod is just one of many dozens of vectors to worry about) Whether or not you hire them (and let them, with or without their iPod, in the door) is totally within your control. Pick your battles wisely.
        • Re:I don't get it. (Score:3, Interesting)

          by Lumpy (12016)
          ???

          Ok so what if I work for the cleaning service and watch one of your late-night employees get up and go to the bathroom. I simply get to his/her machine before the screensaver timeout and plug in. Boom in 2 minutes I have 60Gig of goodies that my employer hired me to gather from the competition.

          It certianly looks like you do not think like a security specalist as that was the first thogh on my mind. Hell a good corperate harvester could easily talk the target into letting them plug in by asking in bro
    • There's nothing you could do with the iPod that you couldn't do with your normal computer and any random external hard drive [...] What's the big deal that an iPod can do it?

      Because an iPod is a hard drive disguised as a music player, which may help you get past less-than-competent physical security in ways that you couldn't with a pure hard drive.

    • Even though they are equivalent, an iPod is a lot less suspicious than an external hard drive. Companies which rely on physical security only need to take notice and consider whether they should implement some sort of access log.
      • Re:I don't get it. (Score:4, Insightful)

        by Fnkmaster (89084) on Monday February 20, 2006 @02:23AM (#14759180)
        I see people running around with solid state USB keychain devices all the time. A large number of people at my university seem to have them. They are no more or less suspicion inducing than an iPod. A large, clunky external USB harddrive might be suspicious, but that's irrelevant.

        The point is that any device that plugs into the USB port is a real threat, and this needs to be dealt with in corporate networks by assuming that any mounted USB drive of any sort is presumed to contain malicious code.
    • "What's the big deal that an iPod can do it?"

      Didn't you know? iPods are magical!

      Seriously though - there's nothing special about it - the same thing could be done with a flash drive or a CD burner.

      The only thing special about it that I can see is maybe the app runs on the iPod and does it automatically for you. But I don't see how that's much different from running a simple VB app that does the same thing. . . I think one of the /. editors is just trying to conjure up some hatred of Apple.

      • Re:I don't get it. (Score:3, Informative)

        by Fred_A (10934)
        The program doesn't run from the iPod, the iPod doesn't do the scanning. Yo actually have to mount the iPod and run a Windows only Python program which then scans the machine/network and copies data to the iPod.

        In other words it's nothing very exciting (although this is a "limited" version of the program, there's no mention of what more the complete version does). The main point is that the iPod looks more innocuous than a plain external disk as everyone has pointed out.

        Maybe if some kind of "autorun" file
    • by pkhuong (686673) on Monday February 20, 2006 @02:09AM (#14759126) Homepage
      USB and Firewire allow devices to peek/poke through (physical) memory at will. With the iPod, we have a device that's:

      1. Can be attached to a computer without being suspect
      2. Can run Linux with programs of your choice
      3. Has a built-in mass storage system

      Any open USB/Firewire port is a potentially huge threat to your whole system's security. If you look here: http://www.cansecwest.com/resources.html [cansecwest.com], you'll find a pretty detailed presentation on using iPodLinux to hack a computer (kill an X Window screensaver, here) through firewire, and another less detailed one on other DMA-attack vectors (PCMCIA and USB, mostly, iirc). So while it looks like this attack only uses characteristics 1 and 3 of the iPod, the second one is where the money's at (and requires a much larger investment).

      Fill those ports with cement!
      • USB and Firewire allow devices to peek/poke through (physical) memory at will.

        I'm pretty sure the functionality you describe is only available to Firewire devices, not USB devices, because only Firewire devices can initiate peer-to-peer DMA transfers.

        I am, however, waiting for auto-0wning Firewire dongles to turn up on the underground/import market...

    • Hell, you can do this without ANY on-site hardware. Almost any company will let you connect to the outside world, so just SCP to your home machine and upload like crazy. They won't be able to tell what you're uploading, but if anyone DOES ask, just have a bunch of music on your workstation that you "brought from home and then lost in a drive crash".
  • In other news... (Score:4, Insightful)

    by Anonymous Coward on Monday February 20, 2006 @01:30AM (#14758945)
    Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with harddisks before. Treat your employees well and they won't feel the need to screw you.
    • Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with harddisks before.

      The problem is that given the iPod's popularity it does not draw any attention. Even if someone notices that it is plugged in the thief may be able to dodge suspicion with a simple "I need to charge it".

      Treat your employees well and they won't feel the need to screw you.

      That is naive. Industrial / Commercial espionage happens. Greedy, self-centered, immoral
  • Thanks Abe (Score:5, Funny)

    by Mrs. Grundy (680212) on Monday February 20, 2006 @01:30AM (#14758950) Homepage
    We can all give Abe Usher the bird for offering management a reason to prohibit iPods a work. Thanks Abe--you're off my Christmas Card list.
    • by VampireByte (447578) on Monday February 20, 2006 @02:18AM (#14759165) Homepage
      Two employers ago, the company's president walked by my desk and noticed I was listening to an iPod. The song playing at that moment was "Cake and Sodomy" by Marilyn Manson, which was unfortunate because the gentleman picked up my iPod to look at it before I had a chance to change to a song with a less offensive title. As he picked it up he said "I just bought one of these for my son for Christmas" and then I noticed the shock in his eyes when he saw the words on the LCD screen... then he said "Hmmm" and sat the iPod back on my desk and walked away without saying another word.

      A few weeks later, after the Christmas holiday, I saw the president and asked if his son liked his iPod. He said "I decided to return it and got him something else." At first I felt like a heel because I probably caused him to go home and dig through his children's CD collections, confiscate those not meeting his approval and give them a stern lecture. But then it occurred to me that his kids are rich brats and I might have caused them some grief! Buwah hahaha! I felt so happy when I chose to Think Different.

      Thanks Apple, your iPod filled me with holiday cheer.
  • heh (Score:2, Funny)

    by bLindmOnkey (744643)
    iSpy
  • by Barbarian (9467) on Monday February 20, 2006 @01:33AM (#14758967)
    Despite what the article says, a special program isn't needed. All that is needed is for someone to mount the ipod as a disk drive and run a batch file. It could be as simple as one line calling xcopy for each file type (pdf, doc, etc.) running a loop from A to Z for the drives.
    • "All that is needed is for someone to mount the ipod as a disk drive"

      Actually you don't even need an iPod at all - ANY storage device would do just fine -- flash drive, portable hard drive, camera, cellphone (I think SOME cellphones have some sort of storage functionality through bluetooth so if the PC has bluetooth you might be able to transfer the data to your phone), non-iPod MP3 players. . .

      Hell, if the files are small enough you could just e-mail them - many Web e-mail services allow up to 10MB or

    • Sure you could; but, how is that headline grabbing? Where is the sensationalism? Yellow journalism at its best ...
  • Just plug it in? (Score:3, Insightful)

    by ejdmoo (193585) on Monday February 20, 2006 @01:34AM (#14758969)
    An insider threat would only need to plug the iPod into a computer's USB port. ...not only that, the threat would have to have access to said files. Granted, it's an insider threat, but I fail to see the significance here.

    Isn't this just:
    1. Search for files containing "Confidential" or "sensitive" or "budget" or "payroll"
    2. Copy to iPod

    ? Because I can do that pretty easily and more accurately than software.

    Also, why the hell does everything have to have "pod" in the name? Now it's cool? Why can't people coin cool terms anymore??
  • What business needs to allow its employees access to a USB port?

    I'm not saying none do... but I work in a b2b company and we don't need it.
    • It's actually pretty easy for a company to prevent employees from writing to mass storage devices with XP SP2: Change one registry key [microsoft.com] on every machine... simple stuff with an Active Directory environment.

      More significantly though, this kind of thing really makes a case for Microsoft's Rights Management Services technology... even if you were able to copy the physical documents onto an iPod, they'd be completely useless to you outside the organization because they're encrypted, and only by talking to the RM
      • All this Rights Management stuff is good but what about all the stuff you CANT protect that way.

        Let me know when someone has come up with a way to protect C/C++ code (reference the windows source leak, the HL2 source leak etc) with this kind of technology...
  • by Oyume (464420) <jdshaffer@gmaPERIODil.com minus punct> on Monday February 20, 2006 @01:37AM (#14758980)
    iSuck

    Thank you, I'll be here all week!
    Jds
  • Quick... (Score:3, Funny)

    by mrhandstand (233183) on Monday February 20, 2006 @01:38AM (#14758985) Journal
    /. the download site!!! If we crush the site and burnup the download bandwidth, I'll be able to keep using my iPod at work! Oh wait....
  • by GaryPatterson (852699) on Monday February 20, 2006 @01:39AM (#14758995)
    I work in a ... large... company (one of the top Fortune ones) and there was a global mandate last year to lock all USB access for data storage devices unless users can make a special case.

    That means that USB keys, iPods, plug-in hard drives and so on not only fail to work here, but they generate a little message to the IT department.

    Some users, like our media guys, need this access for their work (in this case, digital camera images), and they have an exemption.

    This lockdown removes the possibility for portable storage device-based data copying.

    Of course, I can always stay late, take the PC apart, remove the hard drive, take it home and copy it, come in early the next day and re-install it. But that's just naughty.

    My point is that IT security policies can easily stop this sort of issue, and most large companies are already doing this.
    • Many corporate geared computers have little sensors to report on when the cases have been opened. So, really, to be really paranoid, you'd have to find the sensor on your particular PC, then figure out how to get at the hard drive without triggering it.

      Email/http/ftp/ssh/vpn are also options, but that's rather easy to monitor for abnormally large amounts of data.
  • by Anonymous Coward on Monday February 20, 2006 @01:41AM (#14759002)
    This is nothing new whatsoever.

    Back in high school, I used a floppy and a couple batch files to grab .pwl files off the Windows 98 boxes for cracking at home.

    Man, I wish I knew it was called "pod-slurping" back then, I would have been WAYYYY cooler.
  • by SuperBanana (662181) on Monday February 20, 2006 @01:42AM (#14759011)

    CNET: "Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data."

    Actual article: "I've created an application (slurp.exe) that demonstrates this concept. When the program is run from an iPod, it can very quickly copy data files off of a PC and on to an iPod."

    Am I reading it correctly that CNet doesn't understand the difference between launching an executeable stored on an external media device, and somehow running it "on" the media device? Am I the only one who thinks Mr. Usher could have been clearer, but intentionally wasn't? Or that both are playing it as "plug an ipod in, instantly hack a machine", like in the movies where magical devices "hack" systems?

    It's sensationalist bullshit- all admins would need to do is set up windows to not permit mounting removeable media drives/USB mass storage devices. Or control what executables are permitted to be launched. I'm sure an expert Windows sysadmin could name half a dozen MORE system/domain level ways to stop this dead in its tracks. It strikes me as a distinct non-issue for any company with a properly managed/secured windows network. But hey, that doesn't stop CNet from crying "the sky is falling, the sky is falling!"

    "Security consultant releases overblown vulnerability with a confusing and/or misleading description to generate hits to his website, more at 11"...

  • Why are stories like this always linked to the iPod? A USB key or portable hard drive could do the same thing. All this will do is keep people from using iPod's at work. If you're that paranoid and don't trust your employees (a bad sign to begin with), lock down the USB ports on their computers, or prevent additional drives from mounting. But don't pin crap like this on the iPod.
  • by GrahamCox (741991) on Monday February 20, 2006 @01:46AM (#14759034) Homepage
    The REAL story here is that he has created an APPLICATION for the iPod, according to the FA. How did he do that? Apple closely guards the iPod SDKs and as far as I know have never released them to third party developers.

    Maybe he went into Apple and "slurped" the SDKs using his application.... oh wait.
    • Actually, you can install linux on an iPod and run all kinds of apps. I was able to play Doom on my Nano as well as video.
    • Here's what I'm betting actually happened. This guy wrote a program that does some basic and not-very-remarkable parsing of Word files on C: and copies whatever it finds to the iPod. Then he used Windows Auto-run to automatically execute it when the iPod was plugged in. Ooooh, wow, impressive.

      Even if you were able to create a program that actually ran on the iPod's operating system, which by all indications, you can't, that program certainly wouldn't have access to the files of a computer it was connecte
      • Simple security measures like disabling auto-run and limiting executable permissions to a specific set of programs would nip this "vulnerability" in the bud.

        That's true, but Sony and the other record companies wouldn't like that, because then their root k, oops, DRM software wouldn't work anymore.
      • Removable devices shouldn't be able to use atuorun to do anything by themselves in XP. The autorun.inf is handled differently for removable devices. XP will read the autorun.inf if one is present in the root directory of a CD or a USB device, but won't actually execute commands on the removable device.

        For example, you can make an autorun.inf on a USB device that points to an icon buried inside folders when the device is mounted. (XP will see the autorun and run the (apparently non-destructive) "icon=" line.
    • Erm, no, the real story is that he created a windows executable you can store on an ipod and it got reported as being "run on the ipod".
  • Physical access (Score:5, Interesting)

    by ian_mackereth (889101) on Monday February 20, 2006 @01:48AM (#14759039) Journal
    At one time, I'd've pointed out the difficulty of getting unauthorised physical access to a PC's USB port in any sort of secured environment.

    Then a friend went to his local bank branch to get a personal loan. His salary records were all on his USB memory device (he works for an ISP who really try to avoid paper if they can)and he was allowed to plug his mempory card in to the loan officer's PC and run Acrobat to show her the documents.

    Yep, on a bank PC, inside the firewall, with a USB stick of completely unkown provenance.

    I bet their IT security guys would've had a fit, if they'd known!

    • Re:Physical access (Score:5, Interesting)

      by Anonymous Coward on Monday February 20, 2006 @02:12AM (#14759140)
      As an IT guy in a bank, I have to say that if you thought that banks somehow had better security than the grocery store across the street, you were merely fooling yourself.

      Fact 1: for the system to work, people have have to have access to the core financial applications.
      Fact 2: people are stupid.
      Fact 3: much (most?) hacking involves social hacking as opposed to trying to "break in" to a financial institution.

      Connect the dots.

      'Course, there is no way you could get anywhere trying to break into our organization through the front door, but sadly, a low-tech backdoor approach like this would probably work great.
    • > Yep, on a bank PC, inside the firewall, with a USB stick of completely unkown provenance. I bet their IT security guys would've had a fit, if they'd known!

      I would argue that their IT "security" guys should probably have been fired then, for not disabling the USB port from within Windows. It's a simple Windows permission and can be done on a standalone workstation or through the entire network in Active Directory.
    • It may be that their computers don't have any special access in particular. I work for a university and, of course, we have detailed financial and personal information on employees and students. Most people don't have access to it (including me) but of course people like our finance people need it. So you get at their computer, you get the info right? No, it's all stored on a mainframe over in the computer centre. They access it via a very archaic text interface over an encrypted link. Their computers aren'
    • it is entorely possible that the bank system will not run any unknown executables, i know of security suites going as far back as windows 95 which would only allow certain applications to be run and from certain disks.
  • by Robber Baron (112304) on Monday February 20, 2006 @01:49AM (#14759040) Homepage
    Eyeballs and a brain work too.
    Sooner you're going to have to trust your employees with your sensitive or confidential information, otherwise they're not going to be able to do their jobs. So maybe employers should...oh I don't know...hire employees that are trustworthy? Oh and quit treating them like felons...that way they won't be tempted to live up to your expectations!

    I worry more about users losing their damn USB drives than using them to steal.
    • Unfortunately, not all employees come with a nice big sticker that say "I'm trustworthy" or "Don't touch me with a twenty foot pole" on them. But in general, I agree. At some point you have to acknowledge that no matter what you do, employees could steal information easily enough if they really wanted to, be it by memory, usb drive, or even "forgetting" to shred important documents. You just have to take precautions to discourage the bad ones, and trust the rest.
    • Oh and quit treating them like felons...that way they won't be tempted to live up to your expectations!

      True. But no matter WHAT you do, there will always be that one assclown whom you cannot please. And who may walk out with your stuff.

  • by ip_freely_2000 (577249) on Monday February 20, 2006 @01:50AM (#14759046)

    I can use more disk space so I can watch Ashlee Simpson videos while I slurp data off the corporate network.
  • MY iAudio X5 can steal corprate secrets *AND* play Ogg/Flac formats!
  • Watch, we're going to find out that Abe Usher works for Creative.
  • by Alpha_Traveller (685367) * on Monday February 20, 2006 @02:03AM (#14759097) Homepage Journal
    ...from work...But *I* have created an application that prevents sensationalist articles by CNET and applications written by Abe Usher from being run or seen on my employers network! SO THERE!
  • stealing 100 megabytes

    It's not stealing because when you copy someone else's data, you do not take that data away from them. They still have the data after you have copied it.

  • Anyone suprised? (Score:5, Insightful)

    by el_womble (779715) on Monday February 20, 2006 @02:10AM (#14759129) Homepage
    Dual proc machine, with vast amounts of storage and an innocent ubiquity is used as a corporate weapon. Next they'll be telling me that personal laptops can be used to sniff corporate networks, or that viruses can be transfered on floppy disk, and that restricted documents have been printed out, and 'sneaked' through the front door.

    Any company with a decent security model will be able to recognise a user who's file browsing habits are irregular, and classified documents shouldn't be kept in a public repository on a LAN anyway.
  • CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port.
    Who gives a fuck? Oh wait... I know this one... people who dont know crap about security.
    If your network services are secure, then its secure. If its not, then deal with !that!.
    If your worried about peop
  • let them (Score:2, Insightful)

    by TLouden (677335)
    If your network is so insecure, you ought to fix that. It isn't the applications (or hardware) that we should be upset about, but the flaws which they highlight.
  • by La Camiseta (59684) <me@nathanclayton.com> on Monday February 20, 2006 @02:31AM (#14759203) Homepage Journal
    http://www.sharp-ideas.net.nyud.net:8080/download/ slurp.zip [nyud.net]

    ^- The Coralized version of the software.
  • by constantnormal (512494) on Monday February 20, 2006 @02:40AM (#14759241)
    as has already been pointed out, any flash drive or external hard drive could be used.

    Or a thieving employee could burn a CD or DVD.

    Or use a cellphone to store sensitive info, transferred from a PC via the Bluetooth connection used to support a wireless mouse.

    The only real defense against employee theft is restricting access to sensitive data and minimizing the number of untrustworthy employees. That's the best that can be done.
  • I'm confused. Is this about a program that's on an iPod, executed by the computer into which the iPod has been plugged (which is what I think) or is it a way for an iPod to actually be executing its own code and somehow access the network through the USB port? (which seems REALLY clever and dangerous but extremely unlikely).

    Both the article and the summary are poorly written in any event.
  • A couple of days ago someone posted about having seen the new Harrison Ford movie FireWall [imdb.com]. The poster noted Ford supposedly downloads thousands of accounts into an iPod. It looks like this story is a teaser for the movie.

    "Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive business data and download them,"

    I couldn't be bother to see such a movie. Harrison Ford playing the righteous man who just isn't going to take anymore and singlehan

  • Devices that plug into a USB port and contain storage are potential vectors for stealing corporate data.

  • by smash (1351)
    But Microsoft keep telling me that plug and play, zero configuration, etc is a good thing?? :D

    Seriously though, in a corporate environment, USB ports, autoconfiguration, etc *should* be disabled (yes yes, we live in reality, not fairyland where that would be feasible).

    Another case for DRM? If the ipod owner doesn't have the PC's (secure, in-built) private key, he can't read the company data... he'd have to steal the entire PC.

    Alternatively encryption such as that included with Win2k (tied to the user

  • TFA on CNET must be poorly worded.

    Could somebody please explain to me how a program running on the iPod is suddenly going to become a USB host and then communicate with the (previously) host computer (which could be a Mac, PC clone, or anything with a USB port) to search for files even locally, let alone figure out which network protocols are installed so it can enumerate file servers on the network and the files which they contain.

    Most likely this "program" is just an .exe or its equivalent living on t

  • Take for example the little bluetooth dongle I have sitting in the back of my PC, I use it with my palm Lifedrive, and a VNC client to remote into my desktop from nearly anywhere in the house, or in reasonable range outside.

    with a hop, skip and a jump... at home I have Palm VNC over TCP/IP over Bluetooth to the Windows box, network connection shared to the Linux box, which is running DVArchive (a ReplayTV emulator) in a Java VM, which uses HTTP/UPnP to connect to my ReplayTV DVR, and I can change TV channel
  • brilliant (Score:3, Insightful)

    by Lord Ender (156273) on Monday February 20, 2006 @08:49AM (#14760308) Homepage
    This article is about as insightful as "Knives Can Stab People!"
  • What a dumbass. (Score:4, Interesting)

    by kin_korn_karn (466864) on Monday February 20, 2006 @09:52AM (#14760563) Homepage
    Why in the hell do people do shit like this and PUBLICIZE it? All it does is give geeks a bad name and make a 'threat' out of anyone who carries an iPod or other digital music player.

    I'm all for the freedom to write software like this but shit, you have to be smart about it.
  • by King_TJ (85913) on Monday February 20, 2006 @01:11PM (#14761836) Journal
    There are always going to be stealthy removeable drive type devices out there that someone can sneak in and out of a company easily and copy files onto. The iPod is just a popular target because millions have been sold and most people are aware of them.

    The *real* question is, why would employees have access to file shares on servers containing important documents they weren't supposed to have? If your business throws everything on shares that all users have read (or read/write) access to, they deserve what they get for not implementing some sort of security policy for the shares.

    If you're an I.T. person who has full access anyway due to the nature of your job, again - so what? You're already able to burn the stuff off to DVDs at night and sneak them home or download them remotely over your corporate VPN or ??? The point is, companies have to place trust in their people to various extents. If they hired you as a sysadmin, they should have already done the background checking and everything else before hiring you - and believe you can be trusted. If you violate that trust - you screwed them, plain and simple. Implementing some sort of "no Ipod allowed!" policy won't prevent that.

Your computer account is overdrawn. Please see Big Brother.

Working...