The revelation that the Federal Government still relies on floppy disks for some of its business is making it the butt of some jokes this week. And although that will serve as confirmation for some people that the government is completely backward, there are actually multiple good explanations for it.
From a security standpoint, using floppy disks isn’t a bad idea at all.
The problem with USB
USB is convenient, but it’s a nasty, nasty, nasty technology. It’s not difficult at all to mangle some behind-the-scenes data that’s invisible to the user but very visible to the computer, and thus use the drive to infect a computer. The end user will never know it. Neither will your antivirus software. The details are a bit tricky, but basically you modify the USB flash drive to poison the process the computer uses to figure out whether it’s a keyboard or scanner or storage device. Exploit a buffer overflow in the USB drivers, and the computer never gets a chance to look for the bad code.
I found it humorous that Edward Snowden got data out of the NSA on USB flash drives, because the NSA made the office I work for shove epoxy into the USB ports on some of its systems to prevent people from using USB at all on them.
USB flash drives are the most convenient media to infect this way. Memory cards for digital cameras can also be infected in difficult-to-detect ways, but they present a couple fewer options.
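As an added example (not from the original post), here is a bounds-checked walk of a USB configuration descriptor, the data a host reads to decide whether a device is a keyboard, scanner or storage device. It rejects device-supplied length fields that would run past the buffer and flags a device that declares both mass-storage and keyboard-style (HID) interfaces; the function name, return codes, flagging policy and sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Standard USB descriptor type and interface class codes. */
enum { DT_INTERFACE = 0x04, CLASS_HID = 0x03, CLASS_STORAGE = 0x08 };
/* Hypothetical return codes for this example. */
enum { DESC_OK = 0, DESC_MALFORMED = -1, DESC_STORAGE_PLUS_HID = 1 };

/* Walk a configuration descriptor blob the way a host does during
 * enumeration, but never trust a device-supplied length field. */
int audit_config(const uint8_t *buf, size_t len)
{
    int has_hid = 0, has_storage = 0;
    size_t off = 0;

    while (off < len) {
        if (len - off < 2)
            return DESC_MALFORMED;      /* descriptor header truncated */
        uint8_t blen = buf[off], type = buf[off + 1];
        if (blen < 2 || blen > len - off)
            return DESC_MALFORMED;      /* would loop forever or overrun */
        if (type == DT_INTERFACE) {
            if (blen < 9)
                return DESC_MALFORMED;  /* too short for bInterfaceClass */
            uint8_t cls = buf[off + 5]; /* bInterfaceClass */
            has_hid |= (cls == CLASS_HID);
            has_storage |= (cls == CLASS_STORAGE);
        }
        off += blen;
    }
    /* Assumed policy: a storage device that is also a keyboard is suspect. */
    return (has_hid && has_storage) ? DESC_STORAGE_PLUS_HID : DESC_OK;
}

/* Constructed sample: a "flash drive" that also declares a keyboard
 * (endpoint descriptors omitted for brevity). */
static const uint8_t sample_composite[] = {
    9, 0x02, 27, 0, 2, 1, 0, 0x80, 50,      /* configuration descriptor */
    9, 0x04, 0, 0, 0, 0x08, 0x06, 0x50, 0,  /* interface 0: mass storage */
    9, 0x04, 1, 0, 0, 0x03, 0x01, 0x01, 0,  /* interface 1: HID keyboard */
};
/* Constructed sample: interface descriptor claiming 200 bytes. */
static const uint8_t sample_overrun[] = {
    9, 0x02, 18, 0, 1, 1, 0, 0x80, 50,
    200, 0x04, 0, 0, 0, 0x08, 0x06, 0x50, 0,
};
```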
The problem with CDs or DVDs
Incoming CDs or DVDs are less problematic from a security standpoint, except that recording them in such a way that any system can read them is difficult. So it’s possible with CDs to waste a lot of time recording and re-recording the data, chewing up tax dollars needlessly.
Let’s not talk about Zip drives.
But floppies are a nice solution. They’re 1.44 megabytes, so they don’t hold a great deal of useful data. They’re not terribly reliable, which means they won’t stick around very long, at least with readable data on them. There’s not a lot of hidden space on a floppy either, and the computer can safely examine those hidden areas without risk of infecting itself, which isn’t the case with USB.
The problem is availability. Or is it? It’s not hard to keep a floppy-equipped Pentium 4 PC hanging around in a corner somewhere to read those floppies when they come in. Those are plentiful, and since reading floppies is about all they’ll get used for, they’ll last a very long time.
The secret nobody talks about, or simply calls “legacy”
Here’s the other thing. The government is hardly the only entity that has ancient computer systems and processes hanging around. The government has old stuff, but every private-sector place I’ve worked does too. And their lifecycle management isn’t as good. Many companies flat out don’t have lifecycle management.
Reasons vary. The Navy has ships with Windows NT 4 on them because the servers get replaced when the whole ship gets refurbished, which happens every 20 years or so. A brand-new ship has a brand-new operating system on it, but it’s going to sail with that system, plus patches, for 20 years. Do the math: Windows NT 4 isn’t 20 years old yet, so there are some ships out there with something nastier than that on them.
Corporations have other reasons for having 20-year-old computer systems. The usual excuse is that some vendor went out of business and nothing else works quite right for that particular business process. There are things you can do to minimize the risks associated with doing that, and trust me, every time I interview for a job someone asks me those questions.
Cleaning yesterday revealed two boxes of ten 5-1/4″ that were *over* 20 years old. I guess the Navy can laugh at *me*.