The MoD has today admitted to losing a couple of USB sticks a month, averaged over the last 4 years. I don't suppose their stats would be exceptional compared to other organisations of comparable size, though of course they are likely to be held up for specific attention because of the nature of some of the data which might have been on some of those sticks. Nor do the figures distinguish between 'lost' and 'stolen' - and I must admit, I've lost more than one USB stick since I've had the option of using them.
However, it did make me wonder about a couple of things.
First, how hard would it be for a computer to default to encrypting the data written to a USB-attached drive?
Second, given that there is no shortage of USB sticks which offer encryption as an option, why isn't their use more prevalent?
What do you think? From your own experience, what (if anything) inhibits you from encrypting the data when you use a USB stick? (Answers welcome via the comment function).
Let me start the ball rolling with a couple of obvious possible answers:
1 - "duh... if I write something to a USB stick it's because I want to pass it quickly and conveniently to someone else... why would I encrypt that?"
2 - "I don't care... I've never put anything on a USB stick which I considered to be secret - in fact, there isn't even any secret stuff on my computer anyway..."
Over to you...



Unfortunately I think the reason you don't encrypt USB data is the traditional glacial pace at which CESG has certified CAPS approved products for government use. The attitude has tended to be that it's better not to offer any approved products at all for government use, than to simplify - and reduce the cost of - the accreditation process. Time for a shake-up in the west country so that some common sense can be applied to the products approval process.
Posted by Toby Stevens on July 18, 2008 at 07:53 PM GMT+00:00 #
I don't typically encrypt USB stick data because I transfer data between computer platforms and often the only supported platform for the default tools is Windows :-(
Posted by Ezra Simeloff on July 19, 2008 at 03:02 AM GMT+00:00 #
Nothing in the news.bbc article, nor on Radio 4's PM programme yesterday, said anything about whether the sticks were encrypted or not. BeCrypt is CESG Approved, so I'd hope that any SECRET sticks (at the very least) were protected with it.
I'm expecting to be keeping a close ear to Radio 4 this week (especially the Today Programme), as this is where I'd expect the full details to emerge - there or in the House, anyway.
Posted by Dave Walker on July 19, 2008 at 08:19 AM GMT+00:00 #
I have not yet used a USB stick, but considering the state of affairs today, I wouldn’t mind if it defaulted to encrypting data if I were to use one. Why not? Even if I think I don’t have secrets, as they say, one man’s junk is another man’s treasure. Why take the risk?
Posted by Carolyn on July 19, 2008 at 08:55 AM GMT+00:00 #
Thanks folks - Ez... great to hear from you!!!
I think the point about 'approved products' is a fascinating one. It suggests one of those perverse outcomes where people end up using 'no security' rather than 'some security' because the 'some security' mechanism has not been approved. That, in turn, suggests a very strange risk/threat model.
Ez - your point about cross-platform interoperability is a good one; for all Microsoft's steps towards greater openness around CardSpace, in many areas of technical interoperability we are still dealing with a monoculture and the drawbacks that is bound to introduce.
Posted by Robin Wilton on July 19, 2008 at 10:14 AM GMT+00:00 #
Robin, why don't you introduce the fact in Japan? ---- Recently, most of "public" companies in Japan prohibit using USB memory to protect "compromise"..... Once a teacher of an elementary school lost USB memory which kept students' test scores, a Japanese newspaper introduced the fact at the top page as the "very serious compromise", then the principal, who was the boss of the teacher, was interviewed by lots of media and bowed in apology.
Posted by shita on July 20, 2008 at 03:04 AM GMT+00:00 #
Shitamichi-san, many thanks for your comment.
Yes, the Japanese case is interesting for a couple of cultural reasons: first, I think it is revealing that a ban on the use of USB sticks is considered worthwhile in Japan. I wonder if such a policy would be thought enforceable in public sector bodies elsewhere.
Second, I long for the day when a senior UK public figure bows in apology for a mistake...
Posted by Robin Wilton on July 20, 2008 at 03:12 PM GMT+00:00 #