iPod killers? No! Killer iPods!

The Macalope was too busy last week to give Cara Garretson’s whimsically titled piece for Network World the attention it really deserved.

Can an iPod bring down your company?

Wow! That’d be one big iPod!

You might think that having written that, Garretson would just sign off, Costanza-like, and get out of journalism on a high note. But she’s back! This week, she asks “Won’t Apple please think of the children?!”

Should Apple secure its iPods?

Well, it’s about time someone asked the difficult rhetorical questions. Network World must think iPod security is an important issue because they’ve apparently got Garretson on it full time. Hopefully Apple will soon take responsibility for all enterprise damage caused by Windows viruses and employee theft. That would be the right thing to do.*

Few corporations are likely to ban iPods in the workplace, but whether Apple and other manufacturers of MP3 players shoulder some responsibility to add security to their devices — and how effective that security would be is a growing debate.

See how this works? Network World has turned the laughable “iPod virus” story (the virus that required Linux and self-execution, remember) into a faux controversy. Check out the inset on Garretson’s story — this is their sixth piece on iPod security since the “iPod virus”. Having devoted so much time to it, they can now call it a “growing debate”.


While this unintended use of the iPod is not exclusive to Apple’s device – employees with malicious intent could steal data using any MP3 player, or any removable media for that matter – Apple has sold more than 100 million iPods, making it the obvious choice.

Really, one might be inclined to wonder why a thief would decide to spend $79 on a shuffle when a generic flash drive — one that doesn’t require you to load iTunes and Quicktime on the machine you’re trying to steal data from — with the same capacity can be had for $10.

But, in Garretson’s defense, this is white collar crime we’re talking about. So, it’s appropriate in such situations to ask, “What would Thomas Crown have used?”

One might also point out that sales of flash drives must surely dwarf sales of the iPod, but at this point you’re just trying to impose logic where none exists.

An extensive search of the iPod and iTunes sections of Apple’s Web site turned up no information about setting the devices for data transfer…

You mean like this (elapsed time to discovery: 45 seconds)?

…but did also not warn against the potential for misuse when iPods are set as such.

Also, nowhere on Apple’s web site does it say anything about how you should not throw a click-wheel iPod really, really hard at someone’s head or file a nano into a shiv and stab someone with it. Apple did at least put up a warning about not eating the original shuffle, though (true story).

Now, the Macalope knows a fair amount about the enterprise world. When employees are told that their personal laptops are not to be connected to the corporate network, what’s the alternative they’re given for taking work home?

Using a flash drive.

So, why is it that Garretson is focusing on the iPod and Apple’s supposed responsibility when it’s corporate IT shops that have enabled and often recommended the use of portable drives?

It’s interesting to note that all the quotes in the story largely contradict Garretson’s central thesis — that the iPod is the likely tool for someone to steal data from your company. Not that that stopped her from writing it or Network World for pimping the ridiculous notion that by shipping hard drives Apple is somehow responsible for data theft.

* Note: the Macalope is already on record as saying that Apple’s flip attitude toward shipping a Windows virus on some iPods was unacceptable. This is trying to make Apple responsible for an entire class of problem not of its own making.

  • […] 18 Apr 2007 iPod and enterprise security. Same as it ever was. Posted by innerdaemon under Tech journalism , iPod , Apple  DF and Macalope accuratelyidentify NetworkWorld editors as jackassess for promoting the iPod as security threat within enterprises. Of course, these are probably the same jackasses who, in an earlier era, predicted that PDAs were security disasters were waiting to happen: Corporate information technology users are increasingly relying on personal data assistants (PDAs) to check e-mail, surf the Web, and a variety of other tasks. When you use PDAs for online tasks they become just as vulnerable as desktop systems to viruses, mobile code exploits, and a variety of other threats. What should organizations do to make keep their PDA users safe from the threats of the Internet? […]

  • Ouch. There’s some bad writing out there.

  • Jack:

    My brain is trying to escape from my skull.

  • monkyhead:

    Silly Macalope, the thief wouldn’t have spent ANY money on a shuffle, for he is a thief.

    I’m having my “WWTCHU” t-shirt printed up right away.

  • DDA:

    As was noted in the comments, this is really one company trying to spread FUD to sell their product. The article does have a slight point in that someone might not think of an iPod as a portable disk whereas a thumb drive obviously has no other purpose. But to anyone really familiar with security, that is both obvious and not the “only” thing to watch out for; all those cell phones are verboten, too.

  • DB:

    As I understand it, the Zune does not support a feature as simple as disk use, so perhaps corporations should mandate the use of Zunes instead of iPods for increased security.

  • Sansa Q. Zen:

    “As I understand it, the Zune does not support a feature as simple as disk use, so perhaps corporations should mandate the use of Zunes instead of iPods for increased security.”

    …thus ensuring that work is still separated from fun!

  • Molar:

    You can put “files” on the Zune the same way you can “transfer tunes” between iPods. You change the extension to .jpg.

    This devilish bit of cleverness so befuddles the sophisticated anti-transfer technologies that it will then let you move the files, er, I mean PICTURES anywhere you want.

    Then you change the extension back and Boom.

  • Nick:

    “… at this point you’re just trying to impose logic where none exists.”


    I liked their graphic of an iPod with a symbol of a skull and crossbones on the screen to make it look like a container for toxic chemicals:


    Warning: misuse of iPod could result in injury or death. Do not inhale. Keep away from naked flames.

    Apple does make such dangerous products. As Rob Enderle asked, “Is it just me, or did anyone else see the launch of Apple’s new iPhone as a security nightmare in the making?”

    And I don’t think Apple has ever been taken to task for not warning that customers are advised that strong language may be in use in some songs.

  • matt:

    Macalope, you just don´t get it!

    And this is what you don´t get: Sensitive data is HUGE! Like 20 gigabyte HUGE! So you simply cannot use some dumb flash drive to steal data but you must use an iPod or other harddisk based player.
    Now why should you use an iPod and not some generic crap? – Well, because an iPod is omnipresent and EVERYBODY just knows these can only be used to play stolen MP3s or DRMd AACs. So NOBODY would ever suspect you were stealing sensitive corporate data instead of MP3s when you connect your iPod to the companies computer.

    Got it? I think, in this case you´re completely off track and this damn fine lady is onto sth big!


  • Blain:

    You’ll love this. There’s a way to get zunes to mount for disk use, and in doing so, allowing simple renames to negate any of the DRM. Send any song you like, unlocked, as a jpg.

    In true MS fashion, it’s an undocumented registry key edit, and is nice and awkward and not at all straightforward, and makes their ‘security’ completely neutered.

  • John Muir:

    Blain: … and that is the reason that writing articles about MS security problems is just plain old boring compared to conjecture about imagined Apple ones.

    When the world is eventually off Windows as its main — or even noticeable — platform, I have this eerie feeling that the era of the 1990’s ~ whenever, will be noted in tech history circles as the one where the world went mad. The dregs of tech journalism such ring just too true of apologetic logic-warping dictatorial propaganda under a watchful totalitarian regime. “Quick, everybody, blame The Great Satan iPod!!” It’s a shame, because so many crimes happen *every single day* thanks to MS’s total disregard for security at all but the sarcastic level.

    This isn’t just me imagining a world full of Macs for a second, but a point about Windows itself. Standardising the planet on that thing: it’s just madness. No wonder we see the prolonged side effects where people warp their minds back on themselves to justify the fact as somehow gracious and market ordained. As good for free-choice as the Middle East’s stranglehold on oil!!

    Something UNIX based needs to end this little age. Come on Linux. Not that I’ll be using your wares, but the Windows bastions of this world need you more than they’ll ever know…

    (Oh but do stay off our iPods!)

  • John Muir:

    Oh, I forgot:

    “Can an iPod bring down your company?”

    Yes, if by iPod you mean a match, and by company you mean one doused from wall to wall with copious splashes of gasoline. A warning though: someone still has to strike the match.

    “Should Apple secure its iPods?”

    Well, keeping matches away from offices doused in gas is probably a good idea. But how about just not running an explosive workplace? Wasn’t there that time when someone’s glasses set fire to one of your subsidiaries? Might even be able to save a bit on medical fees for all of those employees being suffocated by the nauseous fumes.

    But hell yeah, damn you Apple! With your shiny, unintelligible, non-commodities wares! That the people love you now is just proof that you are a sorcerer!

  • Karen:

    But you can already lock down Windows to prevent the use of the USB ports. My own employer does this, and it seems to me that this is the most sensible measure rather than requiring the manufacturers of every sort of flash drive and MP3 player having to build in some strange sort of security to prevent their use in disk mode when attached to a machine with “secret” information.

    Besides, here in the UK the worst security lapses are generally caused by employees leaving unsecured data on their laptops, and leaving those laptops in cars – where they make an inviting target for thieves.

  • GaryP:

    Hilarious stuff, this piece.

    The company I work at disabled the USB ports. It’s a prudent measure, and simple to do. So is there some reason no other companies can do this, or are the tech ‘journalists’ just not well-versed enough in the tech field to actually know this one?

  • Scatterling:

    > BLAIN: “allowing simple renames to negate any of the DRM. Send any song you like, unlocked, as a jpg”

    The link states that the registry mod does not negate DRM. As undesirable as the Zune is, this is not one of its foibles.

  • Nick:


    > The link states that the registry mod does not negate DRM. As undesirable as the Zune is, this is not one of its foibles.

    That’s not what Blain’s link said. It said: “This technique will not bypass any DRM on any protected files.”

    The point about the Zune is that it puts DRM on *un*-protected files when they are “squirted”. This hack will allow a Zune user to send an ordinary unprotected music file to another Zune user, without the Zune realizing it is one and slapping DRM on it. It’s been done:


    Of course, both the sender and the receiver would have to have Zunes, and they’d both have to be hacked in the manner described. And, really, why bother? If someone really want to swap music files, it’d be a darn sight easier for him to hand his friend his copy of themacalopesingsjohnnymathis.mp3 or whatever on a USB thumb drive or a CD.

  • Tyler:

    This is hilarious! What next… danger, danger the popularity of iPod may force IT depts to dump PCs for Macs? Oh, the horror!

    Anyway, where I work turning off USB ports would then disable Blackberry sync usage right? Thankfully we in a Mac only dept. and IT leaves us alone.

  • I especially liked all the supposed problems she comes up with with no actual suggested solutions. Maybe she should have just told Apple to do security Microsoft style: “You are about to download sensitive corporate information. Cancel or Allow?”

  • Blain:

    Agreed. Yes, it’s always been a case of sensationalism. Dog bites man is not a news story. Man bites dog is. A story of ‘People die in car accidents, so reduce your speed to 55MPH’ would not only be a nonstory to some, but would tell readers something they don’t want to hear. So goes a ‘Employers, lock down your computers and give employees less ways to goof off.’ Especially since an iPod hooked up implies an inside job, compared to someone stealing a laptop, which has been the bigger threat by far.

    I did mean negate in terms of not having Zune retroactively apply DRM, yes. Although I suppose, if you are squirted a DRMed song, this allows you to make backup copies, so you can get your three plays over and over again. I don’t know how you could easily override the 3 days clause, however. Probably in mucking about with date settings.

    Yes, it is roundabout and much more a hassle than a $10 memory stick, but it 1) can be done again and again with no expended hardware (IE, nothing given away) and 2) gets several panties in a bunch.

  • This is obviously a terrible piece of journalism.

    But there exists a huge, real problem in companies with controlling their data and removable storage.

    The problem isn’t so much an employee downloading data and selling it or taking it with them to new employers. While that’s a risk, in reality it very rarely happens and there isn’t anything a company can really do about if they want that data to be available to employees that need to work with it. A malicious employee doesn’t need to use an iPod when they have high-speed Internet access, a CD or DVD burner, or essentially any physical access to a computer with access to the data.

    The problem is an employee putting this data on a removal storage device and then losing the device. “Now where did I leave that tiny, convenient, cheap, seemingly disposable device that can hold millions of dollars worth of internal data and customer information? Oh well, I’ll just buy another one for $10 at Target and download the info again tomorrow.”

    There’s no good solution to this. Information that can be accessed by a human can be copied. The copy can be transfered — intentionally or not — to unauthorized parties.

    Laptop hard drives can be encrypted. Desktop and server hard drives can be encrypted. Network communications can be encrypted. Removable storage can be encrypted or disallowed, but then employees can’t take data home and they can’t share data with legitimate third-parties (such as business partners or customers).

    So, the problem is complex and there’s no panacea. That can and does make for interesting journalism, but not from a hack like Cara Garretson.

  • Hmmmph. All the data I want I can get from the internet. Who needs an iPod for that?

    Heck, anybody who wants just about any piece of data can find it. It’s just a matter of patience and good searching.

    Sure security is a problem. Maybe if we put all those DRM guys to work on it, they could work on securing something useful. Not that my Bananarama collection isn’t vital, but national security could take precedence under extenuating circumstances.

  • Not worth worrying about:

    I am pretty sure that anyone writing such rediculous articles are working for MS and trying to get people to buy the Zune. In fact most of the people Microsoft owns as subsidiary companies just help create more turmoil over very trivial circumstances.

    If you’re gonna steal data you don’t need 20Gigs of space, Information is typically text after you take it out of databases and it compresses down nicely.

    In fact any good hacker will just connect out from the Corporate network through port 80 to his SSH server (That’s right putting up a service on a different port) it to his/her house or onto a server they own.

    It’s not all that tricky, people just creating false claims to reduce sales is what this is all about.

  • GadgetGav:

    Maybe the Macalope could look into what the connection is between Cara Garretson and “startup security company NextSentry”… There has to be one. Even the other writers for Network World can see it. Here’s what Paul McNamara had to say:
    “Coffee pots will go first in most offices, of course, at least those that don’t already forbid the music players on goof-off grounds. And, yes, NextSentry sells products designed to among other things stop what it calls “pocket fraud” enabled by iPods, other MP3 players and small USB storage devices.
    Make what you will of the headline grab, but here is NextSentry’s pitch to a Network World reporter”

    Seems to me that Garretson is just taking everything NextSentry feeds her and putting it out as a reported story that she’s investigating.

  • Hmm! Garretson was reporting on NextSentry almost a year ago.

    Most likely it’s just laziness.

  • “iPod slurping”


    If you used that phrase 10 years ago people would’ve been very scared of the future.

Leave a Comment