Slashdot points to this story from the BBC and AP about military secrets being sold along with USB drives in Afghan bazaars. The flash drives are stolen from US military bases by Afghans working in them.
A few thoughts:
- Maybe they should pay the Afghans a little more, and then fire a few for theft, to get folks to be concerned about keeping their jobs.
- Why the hell are sensitive files being kept on flash drives? Aren’t they on reasonably secure network servers?
- This is exactly the same issue that US businesses face. Your entire customer contact list could walk out the door a dozen times a day and you’d never know until competitors are calling on them. This is the real data security problem, not social security numbers.
The seemingly insurmountable difficulty of protecting this kind of data suggests that we are ready for a re-thinking of how we store important data. Obviously the encryption/password model isn’t working. Or at least the current implementations aren’t.
DANGER! Marketer Trying to Design A Product
Perhaps some of the additional metadata fields being added to advanced file systems could be used for an OS-based encryption engine. Save a new file and the dialog box asks, in addition to the usual stuff, if the file should be encrypted and who (owner, group) should be allowed to decrypt it.
Perhaps an admin level account could require that all files going out USB ports be encrypted. Or ??
This is a real problem. I’m not technical enough to design a solution, but it seems like the current processes are hopelessly broken. Any creative engineers out there with some ideas? This could be a very popular utility.
Years ago a teen ubergeek explained the problem to me. The data has to be unencrypted to be usable, and when unencrypted for any reason, it can be stolen. Basically encryption doesn’t solve the problem since anyone who can decrypt it can also steal it. Flash drives just make it easier, they don’t create the problem any more than guns create war. So what to do? Well, encryption is a good start but the real problem is giving people more access than they need and not knowing who accessed what data. If there is a WORM log of each piece of data accessed by each user on a system and access to all data is limited to what is required, most of these types of problems will vanish. Thieves will still steal, but not so often and not so easily.
Want to sell a solution? It’s all about data access management and logging. If your OS is WORM and your logs are written to WORM and you have broken up your data into the smallest grains practical and track each and every access, then you are very, very rare. (You’re probably a liar.) Figure out how to set that up for companies though and you have a marketable service that will probably make you quite wealthy.
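The approach described above (limit each user to the data they need, and record every access in a log that cannot be quietly rewritten), as an added example that is not part of the original post. A SHA-256 hash chain stands in for WORM storage here, so edits become detectable rather than impossible; the user names, record ids, `GRANTS` policy and `STORE` contents are constructed.

```python
import hashlib
import json

# Constructed policy: each user is granted only the records they need.
GRANTS = {"alice": {"cust-001", "cust-002"}, "bob": {"cust-003"}}
STORE = {"cust-001": "Acme Ltd", "cust-002": "Globex", "cust-003": "Initech"}
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AccessLog:
    """Append-only log; each entry's hash covers the previous entry's hash."""
    def __init__(self):
        self.entries = []

    def append(self, user, record, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = dict(seq=len(self.entries), user=user, record=record, allowed=allowed, prev=prev)
        body["hash"] = _digest(body)
        self.entries.append(body)

    def verify(self):
        """Return the index of the first altered entry, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

def read_record(log, user, record):
    """Least-privilege gate: every attempt is logged, allowed or denied."""
    allowed = record in GRANTS.get(user, set())
    log.append(user, record, allowed)
    if not allowed:
        raise PermissionError(f"{user} may not read {record}")
    return STORE[record]

def demo():
    log = AccessLog()
    read_record(log, "alice", "cust-001")
    try:
        read_record(log, "bob", "cust-001")   # outside bob's grant
    except PermissionError:
        pass
    before = log.verify()
    log.entries[1]["allowed"] = True          # someone rewrites the denial
    return before, log.verify()
```

`demo()` returns the verification result before and after the simulated edit. A hash chain alone does not reveal entries removed from the end of the log; that is the part write-once storage, or a copy of the latest hash kept elsewhere, has to cover.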