Ask Slashdot: Do You Use a Smartphone At Work, Contrary to Policy?

Jason McNew writes: I have been in IT since the late '90s, and began a graduate degree in Cyber Security with Penn State two years ago. I have always been interested in how and why users break policies, despite being trained carefully. I have observed the same phenomena even in highly secure government facilities — I watched people take iPhones into highly sensitive government facilities on several occasions. That led me to wonder to what extent the same problem exists in the private sector: Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property. This question has become the subject of a pilot study I am doing for grad school. So, do you use a smart phone or other PED during work hours, even though you are not supposed to? Please let me know, and I will provide the results in a subsequent submission to Slashdot.
  • No! (Score:5, Funny)

    by chinton ( 151403 ) <{moc.liamg} {ta} {todhsals-100notnihc}> on Tuesday July 21, 2015 @01:07PM (#50153635) Journal
    Of course not.

    --- Sent from my Verizon Wireless Galaxy S4

    • Re:No! (Score:5, Insightful)

      by cayenne8 ( 626475 ) on Tuesday July 21, 2015 @01:11PM (#50153655) Homepage Journal
      I've never worked at a center where smart phones and the like were Verboten. This includes different govt. facilities too. Secure ones.

      About the only policy they had, was to NOT set up or use any wireless access points, they did actively scan for these but cellphones and the like they never had a policy against them on worksite.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        They must not have been that secure. I've been in plenty of CDC and DOD buildings where smartphones are banned because they have cameras.

        • Re:No! (Score:5, Interesting)

          by homey of my owney ( 975234 ) on Tuesday July 21, 2015 @01:35PM (#50153861)
          And that you have to check them at the door... It's not voluntary compliance.
          Out of curiosity, what secure locations can you use your smartphone?
          • Re: (Score:3, Funny)

            by Anonymous Coward

            Out of curiosity, what secure locations can you use your smartphone?

            Nice try, Putin.

          • by gl4ss ( 559668 )

            "Out of curiosity, what secure locations can you use your smartphone?"

            the oval room.

            just think of the possibilities for the next clinton.

            also, just about any military base USA has, any donetsk rebel base... of course, you might want to opt to say that any location that allows anyone to have smartphones isn't secure. but that's just the way it is, people have them now and if you can't trust them to not be snapping pictures with 'em phones you can't trust them to not photocopy the shit out of the stuff either

        • Re:No! (Score:5, Insightful)

          by greggman ( 102198 ) on Tuesday July 21, 2015 @01:57PM (#50154023) Homepage

          That policy is not going to survive as people start augmenting their eyes and brains. It might be 10 or 20 or 30yrs out but it will happen. First the blind or near blind, followed maybe by soldiers, eventually just like cellphones went from military only to briefcase size to geeks only to no 15 yr old girl would be caught dead without one, so will this other stuff

          • Probably, but by that time, you'll have to give control of your implants to your employer, and they will turn them on and off at will.
            • Probably, but by that time, you'll have to give control of your implants to your employer, and they will turn them on and off at will.

              Which seems unlikely, since implants are a part of you, and the candidates for positions requiring high security tend to have other options. It's the McDonald's staff that needs to worry about such requirements.

          • That policy is not going to survive as people start augmenting their eyes and brains.

            The augmentations will be part of your medical record and evaluations. You will not be working in a secure facility if the augmentations do not abide by its rules.

        • .

          I've been in DOD buildings where people had iPhones... after they got a certified contractor to physically remove the camera sensors (and maybe the WiFi or bluetooth??). They were quite the status symbol, because you had to buy the device, and then be willing to and pay to cripple some functionality.

      • Re:No! (Score:4, Interesting)

        by StikyPad ( 445176 ) on Tuesday July 21, 2015 @01:50PM (#50153963) Homepage

        You've never worked in an actual SCIF then. There are no cameras, or devices with cameras, or recording features, allowed in those facilities.

        And yes, people bring them in all the time anyway, either accidentally or intentionally.

        It's sort of an arbitrary rule, since there are a plethora of methods to exfiltrate information, and in some of those facilities, the people who work there are, in fact, trained to extract information.

        • When I worked on defense stuff, cell phones and cameras were forbidden (most people left theirs in the car). Private laptops and any other device with storage on it were outlawed as well. And the penalty for bringing it in was to have the equipment (or at least the disk) crushed; as happened to a contractor who was not aware of the rules and brought in his laptop.

          Phones didn't work anyway as we worked in TEMPEST rooms. We had internet but it was heavily controlled as well. Even so... smuggling out a
• I assume the larger desire isn't to prevent malicious exfiltration of data, but the malware driven, unknown, exfiltration.

• These policies are not arbitrary. Obviously an insider could bring in whatever he wanted and leave with all kinds of information that he isn't supposed to remove. Insider threat is very, very difficult to defend against. The reason for the policy is that smart phones with wifi, Bluetooth, internet, camera, and audio recording capabilities can be hacked and used by adversaries to steal information, all unbeknownst to the owner, who is a "good guy."
      • I've never worked at a center where smart phones and the like were Verboten. This includes different govt. facilities too. Secure ones.

        You haven't. Doesn't mean they don't exist.

One friend of mine works for the government and has two cellphones for just that reason - a smart phone that he keeps in a locker at the entrance, and a dumb phone he carries with him. (And even so, when he goes into the 'inner sanctum' (as it were) of secure spaces, he must surrender the dumb phone.)

        Another friend works

      • Re: (Score:2, Funny)

        by Anonymous Coward

        I've never worked at a center where smart phones and the like were Verboten

        You haven't been working in Germany ...

        posting anon because of bad joke

      • I've heard of it being banned but it's rare. But just be smart, use the phone to do phone stuff - like phone calls or checking your calendar. To use them to actually have sensitive files on them or take sensitive pictures, that's stupid. On the other hand it's annoying to try to hunt down the corporate camera to take a picture when I need to, just use the phone for that. Having a policy in place though basically says "we think you're all completely untrustworthy peons, except for our execs for whom the

      • There are facilities that have shredders for hard drives and personal electronics. Those are the really secure facilities.

        If you see a "no cell phone" rule, and an employee doesn't know who runs the shredder then it's a pretend-to-be-secure facility.

    • Re:No! (Score:5, Funny)

      by Anonymous Coward on Tuesday July 21, 2015 @01:33PM (#50153851)

I always obey the decrees of IT. Even when they prevent me from getting work done. IT knows what's best for me.

      IT is mother IT is father.

  • Fix your Survey (Score:5, Informative)

    by Anonymous Coward on Tuesday July 21, 2015 @01:09PM (#50153649)

    Question 8. What kind of wearable smart devices do you own (check all that apply)?

    If I don't check any, I get a "! This question requires an answer." Alert.

    I guess I better go get a wearable smart device.

    (Other questions have the same problem)

• Came here to post the same thing. I ended up picking other, then typing "none" in the text field. GIGO? I quit answering questions because of that.

    • by Robyrt ( 1305217 )
      Same thing - prevented me from finishing the survey.
    • 17. I feel that restricting the use of Portable Electronic Device policy at work improves worker productivity

      18. I feel that restricting the use of Portable Electronic Device policy at work enhances my employer's security

      What do those questions even mean? "Restricting the use of PED policy"?
• I assume they meant "a policy of restricting the use of PEDs" rather than "restricting the policy on using PEDs". Somebody needs a little remedial high school English.

  • by Anonymous Coward on Tuesday July 21, 2015 @01:11PM (#50153661)

    I've worked a lot of places. I work for the government now.

    There's two classes of secure workplace. Actually secure, and pretend secure.

    Actually secure places have people who search everybody when they come in, may have thugs with guns guarding the place, have proper access controls and actual consequences. Active network monitoring. Plug something unexpected in and security shows up, not the admin. Violation of policies can result in things like jail, detention, civil liabilities, immediate termination, etc.

Pretend secure places have policies, maybe a secure door, and no real consequences.

    • by sycodon ( 149926 )

      And Pretend Secure places usually have policies that are ill conceived, impractical, and designed to impede productivity more than maintain security.

      Since most people actually want to get things done, they'll do what's necessary.

      • And Pretend Secure places usually have policies that are ill conceived, impractical, and designed to impede productivity more than maintain security.

        Yeah, I thought about the TSA, also.

    • by gweihir ( 88907 )

And "actually secure" still fails, because every user carries two camera-like devices and quite a bit of attached storage with them. And they will put sensitive data into that storage, because it is their brain.

      The only thing that can make you really secure is if you can trust your people. No amount of threat and repression will accomplish anything that is actually secure. Your "actually secure" scenario just makes sure security does usually not get broken by accident. Mostly. And of course, many smart people

    • by Kjella ( 173770 )

      There's two classes of secure workplace. Actually secure, and pretend secure.

      I wouldn't go that far, but there's OSHA safety and Secret Service safety. Most companies have policies that exist primarily to make it hard to make accidental, ignorant or reckless breaches of security. The level of security needed to effectively protect against a malicious insider planning to do mischief is so high that most places it's not worth it, it doesn't mean the low hanging security measures are worthless. Having a bullet proof vest isn't stupid even though someone could shoot you with a bazooka.

    • by tomhath ( 637240 )

      Yup. I worked in a place where they searched briefcases and women's purses. Phones, mp3 players, etc. were left at the door. Coming out they searched again to make sure you weren't carrying any classified papers.

      The searches were mostly to stop someone from inadvertently bringing a device in and getting caught with it (it would be destroyed); you have a clearance so they trust you will try to obey the law. Of course if someone really wanted to they could smuggle something in the way Snowden did.

    • by fermion ( 181285 )
Which is to say that if your people do not follow policy, it is because the policy is unclear. For instance, I have had friends who worked in secure places where your cell phone could not be on in the secure area. Cell phones were not an issue because if you got caught you were fired. The policy was clear. The pay was enough to attract professionals who wanted their job. So the second part is management that is willing to support and enforce policy. Workers making minimum wage would not care so much if t
• Users don't see the risk regardless of seeing how drilled into their heads it is, and if they are caught out on it, the nebulous punishment for violation is generally so watered down that they'll just risk it anyways. Your options are: Clear / filter electronics at a security checkpoint, much much harsher and very well known punishments ranging from termination to termination, or radio blocking to kill wireless electronics.

    • You know, it depends entirely on how they're used and what the risks are.

      I know of some actually secure facilities which are locked down, and an electronic device will get you marched out the door and told never to come back.

      But other than places like that, I've never seen any other places which even have policies on the topic. Honestly, if you're using the cellular network, the vast majority of workplaces simply aren't super duper top secret.

      If they are, then yes, you need to safeguard that. But your ave

      • by swv3752 ( 187722 )

        Yeah, exactly. My employer has policies regarding using personal devices for work: Namely password protect, don't root, and agree to remote wipe.

        You cannot use your work laptop for personal use, but as long as it does not affect your productivity, then you can use your own device at work for personal use.

        • You would agree to letting your employer remote wipe your device on their whim? Sorry, but no way in hell I'd do that. I'd my damned device, unless it's me and only me who can initiate the wipe.

          If they want a device they can remote wipe, they can pay for the damned thing.

          Otherwise on the day they decide you don't work there your phone will cease to function.

          Hell, no. My phone, not theirs.

          • " I'd my damned device, unless it's me and only me who can initiate the wipe."
            Where do you get a 100% reliable device that never ever fails?

    • by gweihir ( 88907 )

      Yeah, do that. And while you are at it, why not fire anybody smart enough to get any work done? Because these are the people that break the rules because they have to in order to get results. If nobody does any work, then nobody has any incentives to break the rules.

      What an utter fail.

  • by Anonymous Coward on Tuesday July 21, 2015 @01:16PM (#50153697)

    When you see people around you at work who are incompetent in your field, you assume that people throughout the organization are often incompetent in their field. When I worked in government, this wasn't uncommon. So you have a lot of rules, many of which are inconvenient to you. Since the *reasons* for the rules aren't ever published, you write off the inconvenient ones as incompetence; you don't believe they're actually any threat at all, and the punishments are sporadic-at-best, so you ignore the rule.

    Taken out of the normal corporate workplace, there are rules against phones on airplanes. For over a decade... they simply didn't matter to the plane, and it was easily observable to any traveller, as often, the person next to you wouldn't turn off a damn thing, and things worked out fine.

    The reason for the rule was that one phone a mile in the air could try to connect to hundreds of ground based towers, hosing the whole network. Since you weren't able to connect, you couldn't see that; you just used the phone. But since the *reason* for the rule wasn't really published, and the effects seemed nonexistent, people ignored the rule all the time.

    That, and holy hell, phones really aren't a security risk. People are a security risk; if someone's allowed to see the same document a thousand times, they can simply memorize it instead of taking a picture. You need to have people you trust; the government simply runs on the policy that no one can be trusted, and (often!) gets far less competent people because of that... ...which leads back to my first point, which is when you see occasional incompetence around you, you assume the rules were written by someone incompetent.

    • That, and holy hell, phones really aren't a security risk. People are a security risk; if someone's allowed to see the same document a thousand times, they can simply memorize it instead of taking a picture.

      Yeah, no way carrying a camera that can record the image of hundreds of documents in a short period or take pictures of classified equipment is a security risk.

      • by tomhath ( 637240 )
        Why bother taking pictures? Most phones can store files the same as a thumb drive
      • Again, it's not the phone that's the problem, it's the person. Now it does make espionage easier - no doubt - but there are many, many other less obtrusive (to use) devices for that purpose.

Now the sibling post about malware on the phone which surreptitiously records audio (and/or video...though if you're not supposed to have it, it's doubtful you'll take it out in a secure area) could have implications. But, again, you're looking for a needle in a haystack if you're hoping that some distributed malware will h

    • When you see people around you at work who are incompetent in your field, you assume that people throughout the organization are often incompetent in their field.

      I don't think that's a baseless assumption. I've been working in IT for a couple of decades, and I've seen the inner workings of quite a few companies, and let me tell you: For most people in most fields, they're incompetent in their field.

    • by painandgreed ( 692585 ) on Tuesday July 21, 2015 @04:18PM (#50155109)

      That, and holy hell, phones really aren't a security risk. People are a security risk; if someone's allowed to see the same document a thousand times, they can simply memorize it instead of taking a picture. You need to have people you trust; the government simply runs on the policy that no one can be trusted, and (often!) gets far less competent people because of that...

Well, phones are considered the security risk. They do trust the people, but not the phones. A cousin of mine works on a secure military base. They used to be able to keep their phones, so long as the batteries could be taken out and be sure they were non-operative. With the iPhone and similar, they couldn't take out the battery, couldn't be sure it was off, and couldn't really tell if it was recording data, whether or not the owner even knew about it. Thus, they banned all phones at the door. They weren't worried about somebody there as much as about somebody installing software or otherwise hacking the phone itself without the knowledge of the owner. They are, after all, not really phones, but small pocket computers with wireless connections whose power is probably greater than what we worked with ten years ago as a desktop.

  • They want me on 24 hour call, but also want me to turn off the phone when I'm at their site?

    They're fucking crazy. Screw them, right in the ear.

    Seriously, does _anybody_ actually comply with such insane expectations? To those that answer yes, do you regret not paying attention in school?

  • Of all the firms I've worked at, we've allowed the use of PEDs. From the survey, it seems like the only policy possible was one that bans PEDs. I feel like the survey should specifically ask if PEDs are banned. Because my company has a policy regarding PEDs in place, but they do not ban PEDs. There are device management policies in place instead. I think the survey would benefit from making that distinction.
  • by SenatorPerry ( 46227 ) on Tuesday July 21, 2015 @01:22PM (#50153757)
    "Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property." - Citation needed.

    Just because it could be used in a particular way does not make it inevitable that it will be used that way. In a citation you need to provide solid evidence that this has occurred and that this is a risk. In cases "I" have heard it was an action of the employee in control of the PEDs that initiated the security/IP theft. In those cases that person had physical access to the assets and would simply have chosen another mechanism for theft if PEDs weren't available.
    • by nitehawk214 ( 222219 ) on Tuesday July 21, 2015 @01:55PM (#50154009)

      This appears to be one of those "conclusion first" studies, especially after seeing all the loaded questions in the survey, (which I could not complete due to the lack of n/a options). I have no confidence in OP's ability to be objective, considering his degree is in security, which relies on companies being overzealous.

    • Agreed. Any threat to security and intellectual property that is posed by PEDs is also posed by eyeballs & ears. If you don't hire trustworthy people, you're screwed no matter what policies you put in place.
    • Most PED policies refer to personal devices, not company-issued equipment.

      User-owned and -managed equipment is inherently risky. We have no auditing capability, no logs, no expectation of reasonable firewall/browser/services configuration, and no access if we suspect the device is compromised or misused.

      Granted, you have to be pretty draconian to reduce the likelihood of data exfiltration from your users. But it's at least possible with company-owned assets. Properly configured, only IT will really be able

    • Citation needed.. Sorry Hillary's private server was scrubbed and not inspected. Citation for improper communications and back room deals is not found.

      Many IT departments know data is leaking as the effect is seen. The Edward Snowden type leak is what a lot of companies are afraid of.

The big questions are if you have secure documents and data, are they on systems isolated from open USB ports, bluetooth, etc? Are all the devices on the secure network locked down for protection from unauthorized connection

  • by Anonymous Coward on Tuesday July 21, 2015 @01:27PM (#50153809)

    ...No, I'm not one position (where I was a contractor), I got a link to a 'Policies to Follow' online document, when I clicked on the link, I got a 'You are not authorized to view this page' message. So I wasn't authorized to view the policy I was supposed to follow.

    At another position, where I was doing device support (i.e. handling all the physical devices) for my team, I tried to connect to corporate email using my company phone (obsolete, with a custom rom), I got two nasty grams from two _different_ company security groups for the connection attempts.

    So, to answer the original poster, that item they have may not be their own, and everyone at the company works around the company rules, because they should have been applied to just a section of the company (or have taken into account the differences within company areas)

  • I use my employer-issued iPhone — in full accordance with the company policies. Thank you very much for asking.

  • With reference to the section of the survey about attitudes, I don't feel any of those things. I mostly think them.
  • Threat? (Score:4, Insightful)

    by Jaime2 ( 824950 ) on Tuesday July 21, 2015 @01:37PM (#50153871)

    Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property.

But, security is a huge threat to productivity. Is it possible that while the employees were being drilled on security, they were being held accountable for productivity and not given tools that were nearly as productive as their PEDs? For example, everyone likes to yell at the guy who's not paying attention to the meeting because he's texting, but they forget that the same technology allows you to send the on call guy to the meeting and have a 95% chance he will be able to actively participate. The alternatives are to have a second meeting or hire another tech so there is one on call and one available for the meeting.

    People immersed in security all day sometimes forget that security is about tradeoffs, not eliminating all sources of "insecurity". A good general rule is that if a security policy is being widely ignored, then it is probably not properly aligned with the organization's goals.

    • > security is a huge threat to productivity.

      Exactly this. I've seen so many companies waste time and money on ineffective overblown security measures that they should be spending actually getting the job done. Layer your security so that it stays out of the way as much as possible while still protecting what is actually important.

  • by jklovanc ( 1603149 ) on Tuesday July 21, 2015 @01:54PM (#50153993)

I find it interesting that so many people refer to security getting in the way of productivity. What happens if all your security circumventions cause a breach that results in R&D being stolen, the system being hacked and customer personal information released, systems being taken down, etc.? These can cause millions of dollars of loss. All your "productivity improvements" may be negated and much more by a breach caused by your failure to follow the rules. I think that the "my productivity is being harmed" people are too focused on their own job and refuse to see the big picture.

    • Security is needed, but so is productivity. Neither is valuable without the other.

      I worked for a company that got breached and had stuff stolen. Their security was overblown and cumbersome, and not layered properly. They tried to secure their entire network, instead of properly layering things, and thus a hack that should have been trivial was not. Had they properly layered their network so the general employee work could happen fluidly, and people could get their jobs done without giving away the keys

  • First, you need a lot more in-depth. Run the survey by people who do this for a living. You are missing a lot of information. Look for what would be the next question and try to determine if you have any biases in your research.

For example, my company's personal device policy is based on safety more than security. I work for an EPC company and people jinking with devices while working in a construction site might put an eye out (literally) or worse. Let alone accidentally dropping a cellphone from a great h

  • People ignore so many policies because there are too many policies as it is. It's just like idea that we've all committed a half dozen felonies before lunch. The policies cover too much, there are too many of them, and too often they are justified with breathless language about security and/or safety.

    And most of them aren't even remotely about their claim to be protecting security or safety, they're about creating and/or protecting power centers and fiefdoms and obtaining control over people.

    At the end of

    • by gweihir ( 88907 )

Very much this. Also, people want to get work done, and are in fact obligated to do so. If IT security is standing in their way, then they work around it. This is a well-known (to people that actually have a clue, many in IT security do not) "insecurity caused by security measures" effect. Example: People cannot send email with encrypted data. Hence they send sensitive stuff unencrypted and most still gets past the scanners. That, of course, makes things worse. Or "passwords must be changed every 4 weeks".

    • by jedidiah ( 1196 )

      People also ignore policy because they understand it and realize that it's stupid. My personal favorite is avoiding Internet Exploder. I've seen colleagues out of action for days because of stuff injected into their systems from apparently quite legitimate websites.

      Now in the bigger corps I can see reason for extra rules. They seek to reduce any task to the level where it only requires a trained monkey. So you end up with nothing but trained monkeys. You don't want those kinds of users thinking for themsel

• When I'm not provided any work phones, my smartphone is my work phone. Which works out because most of the security people I've talked to say just don't take pictures of things on site.
  • Asking people to comply is a dumb policy and doesn't work. It's the facility's responsibility to maintain security. At the Pentagon, for instance, you can barely get a cell signal once you're in the walls because the building materials block the signals. There are a few spots where you can get a reliable signal, but for the most part if you're not by a window(and there aren't many), you're basically not getting access. On top of that rather natural effect, they sweep for broadcast wifi signals and such
    • by Lumpy ( 12016 )

      It is not hard to faraday cage security areas. The problem is when management are too damn cheap to actually put in place real security.

      Hell I have been to places that had "high security" and actually had installed FAKE security cameras because the real stuff was too expensive.

      • But that doesn't stop the phone from recording, or disable the camera and microphone. Or wifi (to break into private networks within the cage).

        • by Lumpy ( 12016 )

          If you have wifi inside the cage, your security and IT directors need to be fired.
A single security sticker over the phone cameras solves the phone recording problem. That's what we did when I worked in a high security area. If your sticker was not perfectly intact when you checked out you lost your phone. Security took it and you never got it back, and you are lucky if you are not arrested.

          • I'd rather just not bring the phone in the first place.

            Back when I did this sort of thing, cell phones were only owned by doctors and hedge fund managers.

  • I work for several customers where it might be a thing to forbid smartphones, but they do not, essentially because they understand that such a prohibition would do more harm than good. IT security by Authoritarianism (forbid everything risky) basically always fails. Either it does not achieve its security goals or it kills productivity. The former is the typical thing in the private sector, the second is what typically happens in government.

  • How else can I send photos of the secret prototypes back to mother Russia?

  • Sure, I'll give you my name and tell you I violated company policy. That can't end badly.

    • (but seriously) my company issues smart phones as work phones, so there's no issue with using them. As long as you're not using them for pr0n.

      A relative works for a company where IP is a sensitive issue, and the phone they issue him has no camera. Which, as I understand, is becoming harder and harder to find these days.

  • Whenever I talk about security, I find that I often need to point out that security is not an absolute thing. It's not as though things are either secure or insecure. Security is a practice of making access difficult and risky for unauthorized people, in proportion to the importance of what's being protected, while also making access easy and safe for authorized people, in proportion to the importance that they have access. You can "secure" the contents of a computer by shredding the drive, or filling it

  • You might as well ask, "Do you text while driving?"
    It amounts to the same thing.
    Personal convenience over following the rules.

  • by RobinH ( 124750 ) on Tuesday July 21, 2015 @03:27PM (#50154755) Homepage

    When I used to go to automotive plants, they'd search your bags and you weren't allowed to bring cameras in. Once everyone got a cell phone with a camera, they just gave up.

    When we had our first kid (2008) they'd look at you a bit snarky if you had a cell phone in the hospital. By the time we had our third kid, there were medical interns texting in the surgical room (it was a C-section). Nobody batted an eye if you had a cell phone, though the signs were still up. In my doctor's office, he uses some kind of program to manage all the patient medical files, and there's a terminal (it's a Mac actually) in every examination room. He leaves it logged in even though there are theoretically steep penalties for violating patient confidentiality. Just looking at the screen you can see his whole schedule for the day. When he comes in, he doesn't have to type a password or anything to start entering data about my visit. Devices like insulin pumps are known to allow wireless connections without authentication, and even if there was authentication, let's face it, it's probably broken.

    Not long ago I was doing searches for industrial equipment manufacturer names on Shodan and ended up connected to one of those big wind turbines, somewhere in the middle of the US. No authentication. It was a monitoring dashboard and I didn't poke around, just closed it, but there were suspicious links/buttons on there to access the industrial controls, such as the PLC.

    There are so many vectors: web browsing, phishing, thumb drives and phones brought in from the outside, pwnies, wireless, executives taking laptops home or even to China, spoofed OS updates, hardware infected at the point of manufacturing, and those are just some of the ones we know about. There is no real security.

  • One company I occasionally do contract work for seems to have solved this by designing their new engineering office building to be constructed mostly of steel, including metal slats as sun shades on the windows. As a result, it's damn near impossible to connect to a mobile phone network while inside.

  • My company issued phone is a smart phone. I don't have a "desk phone". If I did, it would connect to our Asterisk box, not directly to a POTS line. We have WiFi all over the building, both a RADIUS-authenticated SSID and one for less secure stuff that just has a shared WPA password. Some things are only available via the wired Ethernet. What keeps us more secure than banning smartphones is hiring people who wouldn't steal and sell the company's source code and proprietary information.

    A targeted threat that broke into an employee's phone then connected to the firewalled WiFi then got past the firewall and into the rest of the systems is really complex. It'd probably actually be simpler to target the developers' VMs where the source code lives.

  • Three parts to my post here. Part 1: WHAT do people (often) do that's against security policy. Part 2: WHY do people (or at least, me, and people I know) do it. Part 3: Soapbox ("wot I think"), aka why I think this type of policy is silly and what I'd do differently.

    Part 1: The "what"

    - (Obvious, since it's in TFS) Using your smartphone/tablet while at your desk, assuming that's disallowed by policy.
    - Bypassing the firewall/proxy at work by routing through a remote server or VPN, using, e.g. stunnel, OpenVPN, or whatever else can be hacked up (worst case, build a website that accepts a remote webpage as a URL and tunnels all the resources through it).
    - Installing/running software, whether it shows up in Add/Remove programs or not, that isn't explicitly approved by IT management. Example: portable apps, VB Scripts, Java class files or JARs, .NET IL, etc. often fly "under the radar" of programs that try to detect and prevent the installation of unauthorized software.

    Part 2: The "why" (from the perspective of employees)

    - People who want to "get work done", but need to access information out there on the intarwebz that happens to be blocked by an arbitrary and capricious firewall program, will acquire code, programs, or even just plain *knowledge* from remote third parties, and will do so using either proxy-bypassing, tunneling, or third-party Internet connections (like the 3G/4G data connection on their phone).

    Often, people will perceive the monolithic "IT" organization as opaque, impenetrable, overly bureaucratic, and taking way too much time, money and resources to acquire the software needed, permit the actions needed, whitelist the knowledge sites needed, etc. in order for people to get work done. They may also have the idea (real or perceived) that the IT organization would actually prohibit the action they're trying to take, but they may feel that their decision is actually in the company's best interests.

    They may (or may not) go through their own vetting process of the knowledge/software they are acquiring in order to determine if it is malicious or not, and once satisfied, they may implement it under the nose of IT. They might be doing this because they feel that the IT organization is being overly cautious or needlessly paranoid or poorly informed about the knowledge/software/code they are acquiring, and, given a limited amount of time and budget, they need to get their work done or they will be on the hook for not having it done when the deadline hits. I'll assign this category of activity the term "skunkworks" for the sake of brevity, with the general idea that these activities are actively beneficial to the organization, come with a low risk, generally have very little impact on IT infrastructure, and very high upside for the company.

    - People who want to participate in social networking, banking, personal email, etc. in cases where these services are blocked from their work computer, will often access them from a personal device, OR from the work device after taking the measures mentioned above. They are not willing to leave the work area in order to tell their spouse to order pizza tonight, order tickets to a baseball game, or check if they'll overdraw their checking account by stopping by the store tonight. This might also extend to watching a short YouTube video for pleasure, e.g. if you remember a meme and want to share it with a coworker because a conversation you had made you think of it.

    They may feel that their actions are harmless to the company and benefit them, and are unwilling to give up this freedom for the sake of the company, because they need to live their lives and can't work eight hours straight like a robot without interruptions from real life. After all, even if they adhered strictly to the policy, they would have to spend a lot of time temporarily out of the office to handle these issues; the issues don't go away just because the employee is compliant with policy - their pr

  • The powers that be have decided that certain sites shouldn't be accessible on our work systems, like Google Docs. So, naturally, when I get orders to do something from management and the instructions are on Google Docs, management start looking at each other like a bunch of fools who just realized that they told me to do something and then banned me from being allowed to have the documents they told me to use to do it.

    When faced with management stupidity, a phone is a pretty handy option.

  • Well, ignoring government facilities where lives are on the line and which don't pay well anyway, shadow IT is a way of life in most of the free world. IT policies are usually insane in most large Wall St. operations. It has been a game amongst many users to figure out how quickly we can circumvent some lame heavy-handed rule from on high. IT either works with us, or it works orthogonal to us, but either way what we want done gets done.

    Finally I'm in a place where IT doesn't get in my way, and I don't have t

  • Increasingly, with current, not to mention future, technological advances, our devices are extensions and augmentations of our brain, more and more directly. So expecting a person to not have those devices, or to have them turned off, is effectively asking them to do a partial lobotomy and to decrease their effectiveness. This is increasingly going to be seen as an old-fashioned and quite short-sighted affront, and rightly so.

  • Most parts of the building are smartphone 'ok' but there are labs that are not. Outside the labs are cubbies with keylocks. You're supposed to put your phone in a cubby... The times I've violated the rule were purely accidental, where someone has dragged me away from my desk to help them with something and the excursion ends up in one of the labs and I forget that my phone is in my pocket. I've never taken the phone out of my pocket to use it, though it did ring once causing everyone to look over and mock

  • > I have always been interested in how and why users break policies,
    > despite being trained carefully.

    Well, this is a different question than the topic subject about mobile devices. They break it because they can, I guess.

    > I watched people take iPhones into highly sensitive government facilities on several occasions.

    They were not as highly sensitive then. If they were, there would actually be some guards at the doors searching people to prohibit bringing in devices such as smartphones.

    It is quite easy -

  • At the company I work for, smart phone use at work is actively encouraged. A large part of this is because some of what my company does is develop smart phone apps, so we're encouraged to use the devices in order to be more familiar with them.
