Photo Kiosks Infecting Customers' USB Devices
The Risky Biz blog brings news that Big W, a subsidiary of Woolworths, has Windows-based Fuji photo kiosks in at least some of its stores that don't run antivirus software, and are therefore spreading infections, such as Trojan-Poison-36, via customers' USB storage devices. Here is the account of the original reporter. "It's not just the lack of AV that's the problem... it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers' USB devices as read-only? Why allow the kiosks to write to them at all? It would be interesting to find out which company — Fuji, Big W, or even some other third party — is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning."
Did they not learn this in programming school? Does not every programming tutorial and system administrator handbook start with this?
The first thing I learned (fortunately not the hard way) was that, never mind the specs, input is always malformed, user input doubly so...
System Administration 101
Windows autorun viruses: Annoying if you use Windows, easy to ignore if you don't.
Vuvuzelas: Annoying if you watch soccer, easy to ignore if you don't.
I've seen them, but that's not the point - the point is that the kiosk itself should be mounting the stick as read-only regardless of how the stick itself is configured. There should be absolutely no way for the kiosk to write to the stick; otherwise you risk an error (or something malicious, as in this case) wiping out the customer's data or (again, as in this case) potentially infecting their machine.
It's official. Most of you are morons.
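The read-only handling of customer USB devices that the summary and the comment above call for can be checked and set on a Windows kiosk with two standard registry values. This is an added example, not part of the original thread or of any vendor's kiosk software; it assumes a Windows version that honors `StorageDevicePolicies` (XP SP2 or later) and an elevated PowerShell session.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the kiosk.
param([switch]$Enforce)   # without -Enforce the script only reports

$settings = @(
    # USB mass-storage volumes mount read-only (applies to devices attached afterwards)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Name = 'WriteProtect';       Want = 1 },
    # AutoRun disabled for every drive type, so the kiosk does not execute what a stick carries
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 0xFF }
)

$nonCompliant = 0
foreach ($s in $settings) {
    # A missing key or value yields $null, which is treated as non-compliant
    $item    = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($s.Name) } else { $null }

    if ($current -eq $s.Want) {
        Write-Output ("OK      {0} = {1}" -f $s.Name, $current)
        continue
    }

    if ($Enforce) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want `
                         -PropertyType DWord -Force | Out-Null
        Write-Output ("FIXED   {0}: '{1}' -> {2}" -f $s.Name, $current, $s.Want)
    } else {
        $nonCompliant++
        Write-Output ("DRIFT   {0}: is '{1}', want {2}" -f $s.Name, $current, $s.Want)
    }
}

exit $nonCompliant   # non-zero exit lets a monitoring job alert on drift
```

Both values live under HKLM, so anything running with administrative rights on the kiosk can reset them; the check is only meaningful if the kiosk application itself runs unprivileged.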