Why the government (and others) still deal in floppy disks

Last Updated on April 19, 2023 by Dave Farquhar

The revelation that the Federal Government still relies on floppy disks for some of its business is making it the butt of some jokes this week. And although that will serve as confirmation for some people that the government is completely backward, there are actually multiple good explanations for it.

From a security standpoint, using floppy disks isn’t a bad idea at all.

The problem with USB

Stories of the government using floppy disks come around every few years. But it’s not as scandalous as critics want you to believe. From a security standpoint, floppies are much better than modern alternatives.

USB is convenient, but it’s a nasty, nasty, nasty technology from a security standpoint. It’s not difficult at all to mangle some behind-the-scenes data that’s invisible to the user but very visible to the computer, and thus use the drive to infect a computer. The end user will never know it. Neither will your antivirus software. The details are a bit tricky, but basically you modify the USB flash drive to poison the process the computer uses to figure out whether it’s a keyboard or scanner or storage device. Exploit a buffer overflow in the USB drivers, and the computer never gets a chance to look for the bad code.
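A defender-side sketch of the check this implies, added here as an example and not code from the original post: it walks the USB configuration descriptor set a device hands over when it identifies itself, bounds-checks every length field, and flags a device that declares both mass-storage and keyboard-style (HID) interfaces. The function names, the policy strings and the sample descriptors are assumptions constructed for illustration.

```python
import struct

CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08   # USB-IF bInterfaceClass codes
DT_CONFIG, DT_INTERFACE = 0x02, 0x04         # bDescriptorType values

class DescriptorError(ValueError):
    """Malformed descriptor set: refuse the device rather than guess."""

def interface_classes(blob):
    """Walk a configuration descriptor set, bounds-checking every length."""
    if len(blob) < 9 or blob[0] != 9 or blob[1] != DT_CONFIG:
        raise DescriptorError("missing or short configuration descriptor")
    total_len, num_ifaces = struct.unpack_from("<HB", blob, 2)
    if total_len != len(blob):
        raise DescriptorError("wTotalLength disagrees with bytes received")
    classes, off = [], 0
    while off < len(blob):
        if len(blob) - off < 2 or blob[off] < 2 or off + blob[off] > len(blob):
            raise DescriptorError(f"bad bLength at offset {off}")
        b_len, b_type = blob[off], blob[off + 1]
        if b_type == DT_INTERFACE and b_len < 9:
            raise DescriptorError("short interface descriptor")
        if b_type == DT_INTERFACE and blob[off + 3] == 0:  # skip alternate settings
            classes.append(blob[off + 5])                  # bInterfaceClass
        off += b_len
    if len(classes) != num_ifaces:
        raise DescriptorError("bNumInterfaces does not match interfaces found")
    return classes

def policy_verdict(blob):
    """Hypothetical policy for a port that should only ever see flash drives."""
    try:
        classes = interface_classes(blob)
    except DescriptorError:
        return "reject: malformed"
    if CLASS_MASS_STORAGE in classes and CLASS_HID in classes:
        return "reject: storage+HID"
    return "allow" if classes == [CLASS_MASS_STORAGE] else "review"

def _sample(classes):
    """Constructed input: config descriptor plus one interface per class."""
    body = b"".join(bytes([9, DT_INTERFACE, i, 0, 0, c, 0, 0, 0])
                    for i, c in enumerate(classes))
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(classes), 1, 0, 0x80, 50)
    return head + body

PLAIN_DRIVE = _sample([CLASS_MASS_STORAGE])
DRIVE_WITH_KEYBOARD = _sample([CLASS_MASS_STORAGE, CLASS_HID])
BAD_LENGTH = PLAIN_DRIVE[:9] + b"\xff" + PLAIN_DRIVE[10:]  # interface bLength lies
```

A check like this only sees what the device chooses to report, so it complements physically disabling ports rather than replacing it.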

I found it ironic that Edward Snowden exfiltrated data from the NSA on USB flash drives, because the NSA made the office I worked for at the time shove epoxy into the USB ports on some of its systems to prevent people from using USB at all on them.

USB flash drives are the most convenient media to infect this way. Memory cards for digital cameras can also be infected in difficult-to-detect ways, but they present a couple fewer options.

The problem with CDs or DVDs

Incoming CDs or DVDs are less problematic from a security standpoint, except for recording them in such a way that any system can read them. So it’s possible with CDs to waste a lot of time recording and re-recording the data, chewing up tax dollars needlessly.

Let’s not talk about Zip drives.

Floppies

But floppies are a nice solution. They’re 1.44 megabytes, or a shade more if you know my tricks, so they don’t hold a great deal of useful data. There’s not a lot of hidden space on a floppy either, and the computer can safely examine those hidden areas without risk of infecting itself, which isn’t the case with USB.

The problem is availability. Or is it? It’s not hard to keep a floppy-equipped Pentium 4 PC hanging around in a corner somewhere to read those floppies when they come in. Those are plentiful, and since reading floppies is about all they’ll get used for, they’ll last a very long time. And then you can do the same for other disk formats, up to and including 8-inch floppies, which are surprisingly reliable.

The secret nobody talks about, or simply calls “legacy”

Here’s the other thing. The government is hardly the only entity that has ancient computer systems and processes hanging around. The government has old stuff, but every private-sector place I’ve worked does too. And their lifecycle management isn’t as good. Many companies flat out don’t have lifecycle management.

Reasons vary. The Navy had ships with Windows NT 4 on them well into the 21st century because the servers get replaced when the whole ship gets refurbished, which happens every 20 years or so. A brand-new ship has a brand-new operating system on it, but it’s going to sail with that system, plus patches, for 20 years. The government is paying for extended maintenance, and an obsolete Microsoft operating system that’s getting updates applied is more secure than what you find in the private sector. There, the success rate of applying updates is much lower than 100 percent on current operating systems, and companies may or may not be paying to get updates on their old systems. Yes, here’s a dirty secret: private enterprises have Windows 2000, or even NT4, still hanging around too.

Corporations have other reasons for having 20-year-old computer systems. The usual excuse is that some vendor went out of business and nothing else works quite right for that particular business process. There are things you can do to minimize the risks associated with doing that, and trust me, every time I interview for a job someone asks me those questions.


One thought on “Why the government (and others) still deal in floppy disks”

  • December 11, 2013 at 9:53 am

    Cleaning yesterday revealed two boxes of ten 5-1/4″ that were *over* 20 years old. I guess the Navy can laugh at *me*.
