[ISN] BBC bans use of non-MS PDAs

From: InfoSec News (isnat_private)
Date: Thu Jan 31 2002 - 02:15:03 PST

    http://www.theregister.co.uk/content/54/23882.html
    
    By John Lettice
    Posted: 30/01/2002 at 13:31 GMT
    
    The BBC IT department has evidently taken the Microsoft shilling, in
    some style. Our sources informed us a while back that the company is
    spending a total of 61 million on Windows upgrades for approximately
    24,000 desktops, and now an internal memo leaked to NTK reveals that
    it has banned staff from using any non-Microsoft PDA with company
    machines.
    
    So BBC staffers using Palms and Psions (Psion, incidentally, is based
    not a molotov cocktail's throw from Beeb HQ) can deem themselves
    security threats, and have until summer of next year to switch or stop
    using them with the company kit.
    
    The BBC is actually standardising on PocketPC 2002, claiming that all
    other PDA platforms are insecure. Microsoft does indeed publicise the
    security features of PocketPC 2002, and there is, sort of, a real
    security issue for IT departments when it comes to PDAs. But it's
    actually a lot more about BOFH control-freakery than it is really
    about security.
    
    Historically, PDAs have overwhelmingly been owned by individual staff,
    rather than issued by the employer, and as connectivity has got better
    the staff have more and more started to sync their PDA files with
    those on their desktop machines. And they're also starting to copy
    sensitive company files to them so they can work at home and on the
    move, so the corporate crown jewels are walking out the door in
    people's pockets, and the devices aren't even adequately passworded.
    
    Or at least that's what MIS, its paranoia fuelled by 'anytime,
    anywhere' propaganda, thinks. The reality of course is that maybe 1
    per cent of relentlessly anal-retentive corporate PDA users regularly
    sync substantial quantities of data between their PDA and their
    company desktop. Mostly, people keep a few phone numbers, diary, some
    notes, maybe pick up some email remotely (clue here about how
    sensitive data gets out of building without legs or pockets being
    involved at all), and if they've got company documents they want to
    work on, they print them out, shove them on a disk, email to
    themselves and work on a portable and/or home PC.
    
    What is it anyway, you may ask, that people have access to on the
    corporate network that is both sensitive and likely to be receptive to
    fitting onto and working on via a PDA? There really is not a lot that
    staff would innocently transfer then accidentally leak or lose, and if
    they deliberately want to steal and leak company data, they'll get it
    out of the building without the assistance of a blacklisted PDA
    anyway.
    
    As we've said before, the headaches IT departments are having with
    PDAs are almost entirely self-inflicted. The propaganda says you can
    use your PDA to log onto the corporate network and work on your (or
    actually, not your) files, anytime, anywhere (VPN support is a big
    Microsoft checkmark for PocketPC 2002), so if the IT department buys
    into that, it then has to consider where its data is going. And it has
    to consider how it can control data on PDAs that it doesn't own, and
    doesn't necessarily support.
    
    So it has to outlaw them. Then it has to issue company PDAs to the
    people who 'need' them. It has to support them, of course, so before
    you can say total cost of ownership it's shelling out several thousand
    bucks per PDA, per annum, while simultaneously panicking about the
    amount of data that might be escaping.
    
    If it had just left people to buy their own PDAs, if it had not gone
    for the full-on VPN trip, it wouldn't have cost it anything. And if it
    had done some sensible things concerning data security such as
    implementing sensible access restrictions, or maybe (revolutionary!)
    using thin clients to ensure that data remotely accessed remained on
    the corporate servers, then life might well be simpler and a whole lot
    cheaper. But there's kit out there we don't control, and we can't have
    that, can we?
    
    A couple of readers have asked us to encourage you all to email the
    BBC complaining about the ban. We are of course happy to oblige, and
    you can do that here
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 06:05:55 PST