[dundee] Securing data on devices you don’t own

Rick Moynihan rick.moynihan at gmail.com
Fri Sep 10 09:36:33 UTC 2010


On 10 September 2010 09:41, Robert Ladyman <it at file-away.co.uk> wrote:
>> On 8 September 2010 16:46, Robert Ladyman <it at file-away.co.uk> wrote:
>
> Note that I'm not connected with this company in any way, in case people think
> I'm biased: the article has interesting issues for corporate data-control in
> general (ignoring their "New Network Architecture" - what they are doing is
> just border-less networking, really) and for considering when drawing up a
> User Requirements Specification for a new system.

Yes, I do see the parallels with borderless networking...  And I can
totally see why companies might want to deploy this kind of software
for compliance reasons.  My objections are more to do with the
completely misleading and almost fraudulent language used to describe
what they're doing...  For example they claim to have built these
techniques on a "trust nothing" principle, but really they are
trusting everything... they trust that the client is thin, that the VM
is bubbled properly, that the device will nuke the data when asked,
that their employees are trustworthy and obedient etc...

>> Rendering on a thin client *is* data leaving the server...  Also if
>> you don't own a thin client, how do you know it's really thin, and not
>> just copying all the data it views?
>
> That depends how thin your client is - think dumb old serial terminal: also,
> rendering the data is not necessarily the same, nor as useful as, the data -
> try searching for text in a rendered PDF file, for instance (you cannot, it's
> a bit-image). If you are streaming an image of the O/S to a distant device
> (e.g. via VNC) and there are no local facilities available, that is thin-
> client-enough (you can never stop a screen-capture, but that is not the issue:
> you are wanting to protect information from being upon a possibly stolen
> device). Some data always leaves the server, but data is not necessarily
> information.

This is just an inconvenience though... and it certainly helps prevent
well-meaning employees from performing certain types of unsafe
practices.  But to assume that data can't be converted back into
information is asking for trouble.  For example an attacker can run
OCR software over the screendumps...  As images are pixel perfect and
written in standard display fonts, this is easily done.  It's also
possible for an attacker to script interactions with the server over
VNC.

> You make it a contractual / URS issue when you select the device(s) / permit
> it access to your systems. It's the first line of that section: "The thin
> device pattern constrains access by limiting the type of device used to access
> the data". In other words, although you do not own the device, you manage its
> access by ensuring that it is of a class that can be managed (although you
> cannot impose device-kill on a device that is not owned by the organisation,
> you can enforce encryption, etc.). The management of mobile devices (which is
> really what they are worried about here) is awkward but possible.

Again this assumes all employees and devices are subservient to the IT
policy, and doesn't protect against attackers or compromised devices.
The claim that documents protect themselves regardless of location is
also false, as the document won't protect itself if it's on a client
that's not subservient to remote wipe instructions.

Like I said, I totally understand the reasons people implement these
systems, and how they can help reduce information flow; my objection
is with the almost criminally misleading language used by the vendors
to sell them; misleading corporations into becoming potentially more
careless with our information.

R.

... Waiting on fireman finux to extinguish the flames :-) ...
