
List:       isn
Subject:    [ISN] BBC bans use of non-MS PDAs
From:       InfoSec News <isn () c4i ! org>
Date:       2002-01-31 10:15:03

http://www.theregister.co.uk/content/54/23882.html

By John Lettice
Posted: 30/01/2002 at 13:31 GMT

The BBC IT department has evidently taken the Microsoft shilling, in
some style. Our sources informed us a while back that the company is
spending a total of £61 million on Windows upgrades for approximately
24,000 desktops, and now an internal memo leaked to NTK reveals that
it has banned staff from using any non-Microsoft PDA with company
machines.

So BBC staffers using Palms and Psions (Psion, incidentally, is based
not a molotov cocktail's throw from Beeb HQ) can deem themselves
security threats, and have until summer of next year to switch or stop
using them with the company kit.

The BBC is actually standardising on PocketPC 2002, claiming that all
other PDA platforms are insecure. Microsoft does indeed publicise the
security features of PocketPC 2002, and there is, sort of, a real
security issue for IT departments when it comes to PDAs. But the ban
is actually a lot more about BOFH control-freakery than it is really
about security.

Historically, PDAs have overwhelmingly been owned by individual staff,
rather than issued by the employer, and as connectivity has got better
the staff have more and more started to sync their PDA files with
those on their desktop machines. And they're also starting to copy
sensitive company files to them so they can work at home and on the
move, so the corporate crown jewels are walking out the door in
people's pockets, and the devices aren't even adequately passworded.

Or at least that's what MIS, its paranoia fuelled by 'anytime,
anywhere' propaganda, thinks. The reality of course is that maybe 1
per cent of relentlessly anal-retentive corporate PDA users regularly
sync substantial quantities of data between their PDA and their
company desktop. Mostly, people keep a few phone numbers, a diary, some
notes, maybe pick up some email remotely (clue here about how
sensitive data gets out of the building without legs or pockets being
involved at all), and if they've got company documents they want to
work on, they print them out, shove them on a disk, or email them to
themselves and work on a portable and/or home PC.

What is it anyway, you may ask, that people have access to on the
corporate network that is both sensitive and likely to fit onto, and
be workable on, a PDA? There really is not a lot that staff would
innocently transfer and then accidentally leak or lose, and if they
deliberately want to steal and leak company data, they'll get it out
of the building without the assistance of a blacklisted PDA anyway.

As we've said before, the headaches IT departments are having with
PDAs are almost entirely self-inflicted. The propaganda says you can
use your PDA to log onto the corporate network and work on your (or
actually, not your) files, anytime, anywhere (VPN support is a big
Microsoft checkmark for PocketPC 2002), so if the IT department buys
into that, it then has to consider where its data is going. And it has
to consider how it can control data on PDAs that it doesn't own, and
doesn't necessarily support.

So it has to outlaw them. Then it has to issue company PDAs to the
people who 'need' them. It has to support them, of course, so before
you can say total cost of ownership it's shelling out several thousand
bucks per PDA, per annum, while simultaneously panicking about the
amount of data that might be escaping.

If it had just left people to buy their own PDAs, if it had not gone
for the full-on VPN trip, it wouldn't have cost it anything. And if it
had done some sensible things concerning data security such as
implementing sensible access restrictions, or maybe (revolutionary!)  
using thin clients to ensure that data remotely accessed remained on
the corporate servers, then life might well be simpler and a whole lot
cheaper. But there's kit out there we don't control, and we can't have
that, can we?

A couple of readers have asked us to encourage you all to email the
BBC complaining about the ban. We are of course happy to oblige, and
you can do that here



-
ISN is currently hosted by Attrition.org
