Yet Another "People Plug In Strange USB Sticks" Story
Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."
Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.
>> The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks." Couldn't it still be a little of both?
Every day you see me is the worst day of my life - Office Space
The OS trusts the people, the people ARE the weak link no matter how much you want to spin it.
AutoRun!
But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.
The problem isn't that people are idiots, but that doesn't preclude people from being idiots being a problem.
You can never make systems fully foolproof through technology, and Bruce of all people should know this.
It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.
You can add all the hooks you want to any OS you want. None of it means anything when the end user can circumvent these protections because curiosity got the best of them. The only real solution here is education of the end users so they know not to trust any little piece of plastic they find in the parking lot.
The problem isn't that people are idiots...
Seems to me this is exactly the problem.
Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
But that aside, if you found a candy bar laying on the street, would you eat it?
Possibly, but certainly not one floating in a pool.
So it's not people being stupid, but admins being stupid. Functionality is there.
Well, I mean, I'm not going to risk MY computer to some random virus infection. Of course I'm going to use an office computer!
Support the EFF and Creative Commons. The war is coming, and they're supporting you...
Do you want to:
1) Infect your computer with another virus?
2) Look at the pictures and crap on the thing?
3) Just leave me the fuck alone, I've been using removable media all my life and I'm not going to stop now.
The only thing worse than sales people are security people. They are paranoid schizos that are given lower responsibility IT jobs to fulfill corporate checkboxes.
I suspect some of these people do it simply because they want to figure out who the owner is so they can return it. Storage devices should be untrusted. This is an OS problem, not PEBKAM.
So, for the 60% who knowingly violated the government security rules, when do we get to see "The Department of Savings announced an unexpected windfall of 30 million due to involuntary termination of employment" article?
The behavior is quite logical, once you understand what the objective is. Usually the way we look at this is from the POV of corporation/corporate IT security. They find this behavior "stupid" - it potentially harms corporate systems. But consider that an individual employee quite likely cares very little for the well-being of the corporate IT system or the corporation in general (why - is another story). He may be interested to find out what's on the USB device (could be something valuable, you never know) and at the same time he probably wouldn't want to harm his personal computer at home. Hence - using it at work, where if this turns out to be something nasty - it's someone else's problem. And if IT asks - 100% of the time he'll say that he did not do any such thing :)
People are not idiots, they just have their own objectives that are not very well aligned with yours.
autorun is NOT the only problem.
The most insidious thing I have seen in this department is little usb sticks that are built into advertising. When inserted, they just act like a keyboard instead of removable media. On windows, it opened up my Run dialog and typed in the URL of the site the advertiser wanted me to go to. With me logged in as an admin, just imagine what else it could have typed into that box.
Are they trying to be nice and return the stick to the owner? This is a case of being "too nice".
Is it plain curiosity?
Just chuck the thing in the electronics disposal bin.
... problem solved.
Better answer, use Group Policy to turn off AutoRun.
This is true. Employees shouldn't be able to harm the company or government computers, or expose sensitive company/government data.
Also, people who try to do that should be penalized. It doesn't have to be much, but you must raise awareness that such actions can do a lot of damage.
PlusFive Slashdot reader for Android. Can post comments.
YES, THEY ARE! As someone who worked as a security engineer, the biggest threat to the network wasn't an external threat; that is fairly easy to prevent if you know what you are doing and don't be cheap about it. It is however hard to prevent your employees from doing something dumb. Clicking on links in emails, connecting laptops to their home networks riddled with viruses, plugging in USBs that they don't know where they came from! I mean yes, you could lock down USB drives so that you can't read or write to them unless they are encrypted with BitLocker and have the key, but that will hinder productivity because BitLocker is a pain in the ass. I mean you don't know how many computers you can log on to simply by walking up to the desk and opening the drawer which has a sticky note with the password on it. PEOPLE ARE DUMB! They will do dumb things like this; it is inevitable. Your only option to try to stop it without hearing tons of bitching and adding a lot more overhead is to have all of your employees go through IT security classes involving passwords, USBs, emails, and how to use IT safely, but even then people will do something that will make you scratch your head at how.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
There is one answer that will always stop this kind of stupidity. Block up the ports with hot glue.
Non bene pro toto libertas venditur auro
Well it's not the OS's fault unless it's a Microsoft OS, then you can go ahead and blame Microsoft if you want.
This "automatic run" stuff is a crappy idea. Even MacOS doesn't do that. So yeah, it's kind of Microsoft's fault.
But people will always be stupid. They were stupid thousands of years ago, and they are stupid today. They will be stupid a thousand years from now.
You going to register all of those USBs, or pay for all those USBs you distribute to your employees?
I've made a comfortable living consoling the computers of owners that are stupid.
Autorun is bad..very bad!
Slashdot previously had an article discussing pointless research (which was an interesting and surprisingly two side story). But...this "study" would be an example of said (truly) pointless research.
As soon as they had the hypothesis that people would pick up these sticks and put them in their computer the problem was exposed. Any real leadership would just have moved to solve this problem, rather than prove that it is indeed a problem. I would hope that the "security experts" at the DoHS would ponder that an outcome of 1% and an outcome of 99% would basically be the same problem and studying the particular location on this spectrum should bear little relationship to the need to address the problem.
Where I work, all the USB ports are disabled. The most you can hope from plugging anything into them is a recharge. If you *really* need to use a USB stick, you get an encrypted one from in house and your local permissions are tweaked to allow just that model and not much else. Plus you get a very clear message that if a virus does get onto the system, you're in a world of trouble, possibly dismissal.
I want a list of atrocities done in your name - Recoil
Autorun is disabled (might not be out of the box... might need Windows Update patches). And you can disable it in any other Windows OS where it is enabled by default.... so the problem is the IT department is not properly securing their network with existing OS controls against USB sticks.
Just because it's tedious doesn't mean the admin doesn't have a responsibility to do it.
Ceci n'est pas un sig.
Don't Antivirus and other security software disable autorun on USB hardware? I know I have some program that does.
Bruce Schneier's response in a comment:
"Children are taught not to take candy from strangers. But adults are perfectly OK with using USB sticks from unknown sources..."
It's a stupid thing to teach children, too.
I don't think it's a stupid thing for either children or adults. Neither the OS nor the children should know what's in a candy or a USB stick.
Here is the registry key that I use when reinstalling Windows XP: put the following in a text file with the extension .reg, right click and merge with my registry.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
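An added example (not from this thread) that audits an exported .reg file for the AutoRun settings discussed here: the IniFileMapping redirect above, the NoDriveTypeAutoRun bitmask under Policies\Explorer, and the HonorAutoRunSetting value that KB967715 introduced. The two sample exports are constructed, and the "hardened" check (all three present) is this example's own policy, not something the poster specified.

```python
"""Audit an exported Windows registry fragment (.reg text) for AutoRun hardening.

Added example, not from the thread. Checks the NoDriveTypeAutoRun bitmask and the
HonorAutoRunSetting value from KB967715 under Policies\\Explorer, plus the
IniFileMapping\\Autorun.inf redirect shown in the post above.
"""
import re

# Drive-type bits of NoDriveTypeAutoRun; a SET bit disables AutoRun for that type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
ALL_DRIVE_TYPES = 0xFF  # disables AutoRun everywhere

# Registry paths are case-insensitive, so everything is compared lower-cased.
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
INIMAP_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\inifilemapping\autorun.inf"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key path: {value name: value}} (names lower-cased).
    dword:xxxxxxxx becomes an int, "..." becomes a str; other types are kept raw."""
    keys = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1].lower()
        data = m.group(2).strip()
        if data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            value = data[1:-1]
        else:
            value = data
        keys[current][name] = value
    return keys


def autorun_findings(reg):
    """Return a list of weaknesses found; an empty list means fully hardened."""
    findings = []
    policy = reg.get(POLICY_KEY, {})
    mask = policy.get("nodrivetypeautorun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun not set: Windows default applies, "
                        "AutoRun stays on for removable media")
    else:
        still_on = [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]
        if still_on:
            findings.append("AutoRun still enabled for: " + ", ".join(still_on))
    if policy.get("honorautorunsetting") != 1:
        findings.append("HonorAutoRunSetting is not 1: per KB967715 the NoDriveTypeAutoRun "
                        "policy may be ignored on 2000/XP/2003")
    if reg.get(INIMAP_KEY, {}).get("@") != "@SYS:DoesNotExist":
        findings.append("Autorun.inf not redirected via IniFileMapping "
                        "(defence-in-depth step missing)")
    return findings


def autorun_hardened(reg_text):
    """True when the export shows all three AutoRun protections in place."""
    return not autorun_findings(parse_reg(reg_text))


# Constructed sample exports (not real machine data).
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

HARDENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"HonorAutoRunSetting"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        print(label, autorun_findings(parse_reg(text)) or "OK")
```

Run it against a `reg export` of the Policies\Explorer and IniFileMapping keys from a workstation; the bitmask decode is what tells you whether an admin's "AutoRun is off" actually covers removable drives (bit 0x04) or only the defaults.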
Are you saying that "known" USB sticks are better? I find it far more likely that an attacker would infect a known USB stick of a targeted employee... or the USB stick would be mailed to them as "vendor bling". It would be relatively easy to get several dozen USB sticks with "Cisco" or "Microsoft" printed on them, mail them to random people with a note that says "thanks for using our products" and I'm sure 90%+ of them would get plugged straight in and considered "safe".
Even before USB based storage was on the market, people were still infecting computers with their junk. Even supposedly 'isolated' computers that had the media drives removed, and with non-worms. The only common denominator was humans doing something that was against policy. So, no - it's not the specific technology; yes - the problem is people.
I will admit that the more you limit a computer using unauthorized stuff, the less likely it is to get infected. On the other hand, it's also less useful. Balance your choices based on need, and live with the consequences.
Turn off autorun for everything on all non-entertainment machines. It was originally put in so that entertainment CDs like Disney's The Lion King (remember those?) would autoplay.
There's almost no circumstance under which you'd want to autorun anything from a USB stick or any USB peripheral. Microsoft is negligent in setting their defaults to "on", and providing a "use AutoPlay for all media and devices" checkbox.
My G'Linux OS has been configured to require admin privileges to mount any new USB storage devices; I wonder if I could do this for other USB hardware ie mice, media players, etc. This should be the standard config with a "[_] Don't ask me again." option, IMO. Especially since this arbitrary code execution exploit has been demonstrated.
USB stick autorun! http://www.theregister.co.uk/2011/06/27/mission_impossible_mouse_attack/
Have gnu, will travel.
Computers have keyboards not a single switch labelled "0" and "1" for humans to control using binary.
Humans are curious. We need to use USB devices. It is not that hard to require confirmation before running any program from a flash drive. It is not that hard to sandbox everything and by default (deactivatable) run a virus check on any new drives - flash, hard, or DVD, CD, or what have you.
Build technology AROUND the human, don't try to change the human to fit the machine.
excitingthingstodo.blogspot.com
To check for colon cancer? There are now USB glucose meters that accept a test strip with a drop of blood, so why not one that accepts a stool sample?
At least three times in the past year I have found USB sticks on the walkway into my building at work.
Three times I have picked them up and immediately turned them over to the security desk.
Now, that does NOT preclude someone from security being an idiot...
Would that many of you really not look to see what is on the stick? Are you really that OCD? Ok, plugging it into your office computer on the company network is irresponsible. Doing so in any sort of sensitive government office is worse. But to not look at all? Really?
Surely the more security sensitive among you are also among the geekier. Right? Are you saying you don't have a spare computer around anywhere? You can't plug the stick into some old non-internet connected junk computer to see what is there? You aren't curious enough to do so? What could possibly happen? Corrupt a spare machine with some virus? So what? Ghost the thing beforehand if it's that big of a deal. I suppose there could possibly be something on it that will actually harm the hardware. Nobody writes that kind of low-level malware anymore though, not unless they are working for a government attacking another government's nuclear program anyway. Even if you did run into some old hardware eating virus, with all the outdated yet perfectly usable hardware lying around these days who cares?
Personally if I had that much of a security phobia I would have a junker sitting around just for this purpose. I'd have two identical hard drives and would just copy the good unexposed OS image back and forth each time I wanted to test something I didn't trust. Fortunately I don't have this phobia. I would just wait until I got home and stick it in my desktop which runs Linux.
Yes, I know that even Linux has security holes and yes there have been viruses and other attacks on it. I also know that statistics are on my side; I am probably more likely to get run over by a bus where the driver was struck by lightning than to ever encounter a problem simply viewing files on a Linux machine. Also... no auto-run!
It's easy to blame Autorun for the problem. However, the only reason Autorun exists is because of idiot users. Try telling someone to insert a CD, navigate to the CD and launch setup.exe (or any other file). Better yet, try doing it over the phone. I guarantee you that a large percentage of the population can't do it. I know because I've experienced it with more people than I can count, including dentists, doctors and other "well educated" people.
I don't get it. What are those horrible things the operating system does when you plug in a USB memory? Mine shows me the files stored on it, at most.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
...Because they can.
Having done customer support at locations where we had dozens of operators using our workstations, and also code development on similar systems, I've been asked numerous times why I would build in error checking for seemingly obvious operator blunders. Why indeed... because they can, and it's your responsibility to design a system that is resilient enough to not crash and burn because they screwed the pooch.
People are at all levels of understanding when it comes to computers, and everyone who designs, builds, or maintains them makes a living on those users. Embrace them and stop whining.
Just another day in Paradise
The main concern is that a USB flash drive can also register as more than just a mass storage device:
1: It can register as a keyboard and start typing in text. Ad services use this so when someone jams their device in, it autoruns and pops up a web browser. Malicious ones tend to do worse things.
2: It can register as other devices.
The problem is with the USB protocol, when in the past it just used to be a . It would be nice to have a "dumb" protocol that doesn't allow devices to read from host memory (which is why serious forensics people use a FireWire device for dumping RAM) and that is just made for mass storage devices. SCSI was nice for this... perhaps the best storage protocol for drives that might have unknown data would be FC or FCoE [1]. Optical would be ideal, as a drive couldn't overvoltage and fry the connection.
[1]: I really wish computer makers would add CNA ability to network adapters on motherboards. FCoE is an ideal protocol for a home NAS.
If you work in a government agency where people could have important information saved on a flash drive are you just supposed to destroy the drive for fear of it being infected.
As far as opening it at work, I might take some precautions when opening the files, but why would I open it on my home computer that has my personal information on it? It's not really the OS's fault; in a government agency a normal user's account should be very limited in how much access it has to network files and how much damage it can do. I don't want Windows popping up with a bunch of "are you sure?" prompts every time I am working with a flash drive. Besides, the idiots will still just disregard the warning boxes and directly install the virus.
and at the same time he probably wouldn't want to harm his personal computer at home
You're overthinking this - they use the office computers because they find the USB sticks on the way to work.
sic transit gloria mundi
Firstly, before MS gets bashed (Oh, they did deserve bashing for not stopping it earlier) - they've released the change that stops the auto run on USB.
Second, if an ORG or CO has not implemented that change, then the fault is moved by a layer from user to 'admin/sec' and they should get the brunt.
Thirdly, to a nominal degree, if users cannot use the computer and get on with their work, including to some degree, plugging in a drive, then you have a totally broken system
Lastly, companies and orgs who have normals running as admin have bigger problems than just USB devices.
Hint: You can watch my basic vids on not running as Admin on XP for a kick off if you really don't know much about it. A high percentage of people think it's not possible to run with limited rights so I made the vids to try and help anyone interested.
Skip to part 2 for the actual methods.
Part 1
http://www.youtube.com/watch?v=q6UIrdLAkFM
Part2
http://www.youtube.com/watch?v=osF6FS2KS_E
We`re all equal
How many people *REALLY* pick up a wallet or USB stick so they can find the owner and return it to them, and how many people *REALLY* pick it up because they're hoping there's something good inside that they can take (money, porn, etc.) People pretend to be honest but reality is much different.
...isn't with the user. The problem is with the Admin who allows USB devices in a government building and the security at the front door that doesn't confiscate them.
I8-D
The Register has an article claiming a security company used a mouse rigged to do something similar ... only it was installing malware.
Mind you, they said it was specifically using a Windows exploit, but there's nothing to keep 'em from loading it up with exploits for multiple OSes ... dunno if the USB device can query for that sort of information or not.
Build it, and they will come^Hplain.
If your infrastructure is running Server 2008 and your clients are running Vista or higher you can already prevent unauthorized devices from being installed via Device GUID. See here: http://msdn.microsoft.com/en-us/library/bb530324.aspx Of course, it's not completely bullet-proof but it's definitely better than letting anything be installed on any workstation.
People are not idiots, they just have their own objectives that are not very well aligned with yours.
I concluded a long time ago that really good operational security has just one fundamental objective - make doing the right (or really the desired) action the easiest action.
Crappy opsec ends up making everything hard to do with the, usually unstated, goal of making the wrong actions harder than the right actions. That usually fails because it's super hard to figure out all of the possible wrong actions ahead of time, but users will always seek the easiest possible route.
When designing a security system you'll be 100x more successful if you cater to human nature instead of trying to fight it. In this example, people wanting to plug in USB sticks to see what's on them happens all the time since USB sticks are the new floppy disk. So make it easy to do what they want in a safe way - give them a program to "view unknown USB drive" that disables autorun and takes any other necessary precautions like temporarily running in a read-only virtual machine.
When information is power, privacy is freedom.
Back when a 20MB USB stick was $75, I could see the reason to plug one in to try to find the owner. Now that 8GB+ sticks are conference freebies I don't see the point, especially when the majority are just used to transport Word document to and from work for people who don't know how to use Dropbox. It's very unlikely that there is irreplaceable work on a random USB stick or that the owner will suffer financial hardship because of its loss.
Support SETI@home
... is email blast a resignation letter to everyone in the address book.
now we need to go OSS in diesel cars
but I put it in a linux box with no net connection. I also have my contact info on my usb stick that I use at work. I lose things a lot and have been very grateful when somebody emailed me and said they had my stick. Now the OS autorunning sticks is a terrible idea, that is blocked at my company by domain policy (on Windows workstations).
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
If you find a wallet/purse outside of the building where you work odds are the wallet belongs to someone inside the building. So you open it up, to try and find some ID, so you can give it back to the owner. I can see the same sort of reason here. You found a USB stick, so you take it to your computer to open it up, try to find some documents, and see who the author is of the documents. Odds are, that's the owner of the USB stick and you can return their property to them.
Didn't Vista spam everyone with "are you sure?" messages every time they wanted to do anything? Adding validation prompts to operating systems will just annoy the users who are bound and determined to circumvent security.
Most newer operating systems have disabled autorun on removable media. Virus scanners can pick up a significant percentage of malware when you insert the drive. That catches a lot of it. Still, all you have to do is embed a new virus that hasn't been found by the scanning tools yet in a video of a cute kid or pictures of kittens. Half the people who insert the drive won't be able to resist the urge not only to look at it but to pass it on to the rest of the clucking hens in the office, who will put it in an email to all of their friends...
The root of the problem is that security for computers is often diametrically opposed to what makes them useful. Lock down the security too much and you can't get anything done. Open it up so it's useful and you have all sorts of vectors for attack. And, as was shown by this demonstration, the biggest vector for attack is the ID-ten-T interfacing with the computer in the first place.
I was just pointing out it was probably that AutoRun feature or at least the dialog that the test was relying on - and was probably most of the people who actually ran the software ran it through. I also made the point that I would have easily been stupid enough to run it myself even without the AutoRun dialog AND being an informed and generally cautious user. I wasn't trying to badmouth Windows - the AutoRun dialog immediately popped into my mind when I read the article is all. You're free to use whatever you like - and I'll be straight with you when I say I would switch to Windows before OSX. I don't hate Windows I just like Linux better.
It's poor security practice, but if someone drops an expensive device, there's a natural inclination to find the owner and return it.
There's also an even greater inclination to want to see if there's anything "interesting" on the device (pictures, video, music, etc). Human beings are curious and voyeurs by nature.
Well, I'm sorry but I'd prefer knowing the full contents of any candy before I put it in my USB port.
Grammar nazis are to this community what excrements are to gold.
Reminds me of the "Light Grenade" from Mom and Dad Save The World.
For those not familiar, it looks like a grenade, but it says "Pick Me Up" on the side. Whoever picks it up disappears, but the grenade remains for someone else to pick up. Diabolical exploitation of human stupidity! You could wipe out entire armies with one of these.
It is easy enough to turn off in Windows 7: Just type in "autoplay" in the START menu search bar and uncheck devices that you don't want to auto play. It is a little trickier in XP:
http://techbybucky.blogspot.com/2008/01/how-to-disable-usb-and-cd-autorun.html
I'd rather have a full bottle in front of me than a full frontal lobotomy.
The problem *is* that people are ignorant. I won't say idiots as I don't think that's right - most people are smart enough in their own domains, but completely ignorant in other areas (such as computer security).
I concluded a long time ago that really good operational security has just one fundamental objective - make doing the right (or really the desired) action the easiest action.
Ergo, the solution to this kind of problem is to put a dummy machine near the entrance of your building with "Insert found USB sticks here!" written on it in big friendly letters. That'll let people satisfy their curiosity without endangering your organization.
It won't catch 100% of the idiots, but it will filter a lot of them.
Blasphemy is a human right. Blasphemophobia kills.
...why would their want to put their home systems at risk?
many of us would be out of a job. No, the right approach is to market items that address this need. USB condoms, holographically-marked trustworthy USB drives for IT departments to hand out, epoxy-on USB port adaptors that change the PC's USB port to a different connector and a range of keyboards, thumb drives and mice that use the non-standard connector.
come on people, stupidity --> profit.
Nullius in verba
I really feel for your situation. That said, I'm still going to trust people. I trust people knowing that that trust could blow up in my face at any time; that's just a risk one takes. I will continue to trust people because without trust, there is only suspicion and paranoia, and I don't really want to live in a world where paranoia rules anyway.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
My workstation has a big assed red banner when I log on saying "DO NOT STICK A USB IN ME YOU FUCKING MORON"*. So if this study was conducted at my site, or was malicious, I'd wager they'd have a few things to say to me.
"Just look at how people have reacted to this spring's exploits of web sites and services...they don't blame themselves for choosing idiot passwords or not cancelling services they no longer use."
Really, do people believe that the ends justify the means as long as we're showing vulnerabilities lulzsec style? I mean even following that logic doesn't give you props. Exploiting stupid, or simply thoughtless, behavior just means you aren't clever enough to crack effective solutions and are targeting low hanging fruit like a gimped monkey.
*Color is correct, but the wording might be paraphrased
Only from Vista onwards. Although it is possible to disable autorun in XP, it has to be done on every individual station - you can't do it via group policy.
According to KB 967715 it can be done in 2000/XP/2003 and newer via GPO's in the domain.
"A plan fiendishly clever in its intricacies"- Homer Simpson
What can you do with something that looks a lot like a flash drive? Anything you can type into a computer. http://hak5.org/episodes/episode-709
Jeez. I'm so glad I live in New York. People are nice here!
http://www.acetonestudio.com
People are conditioned to think that USB drives aren't dangerous because 99% of the their experiences with them aren't dangerous. They are just harmless devices to store your files on.
When they see one on the ground, they will think that someone lost their files and they would like to see who it belongs to. It is stupid to expect people not to do this and the security should be designed around that. You don't go against human nature.
Obvious bullshit story is obvious.
bullshit. we all know the only thing cops are good for is writing speeding tickets.
If the people deploying Windows in the organization knew what the hell they were doing, plugging in a USB key would do squat.
Joe (picks up stick in parking lot): Hmm, I could use an extra one of these. (tosses in desk drawer)
(next week)Sally: Hey Joe, I've got to bring some files to a meeting at the customer site. Got a spare stick?
Joe: Sure, Sally, use this one.
Now between them Joe and Sally have not only infected their own network, but also their customer's. No amount of user training provided to Sally and the customer would have been sufficient to stop this - only the OS is in a position to save the day here.
People are inherently unreliable - machines shouldn't be.
You know what? Fuck that. I'm not going to let the fact that there are bad people out there make me live my life in fear. For every robber/rapist/murderer out there, there are probably between a hundred and a thousand people who just need a few minutes of your time to help with a flat tire. I'll take my chances. The world has *not* changed. You've allowed the media and a tragic event to convince you that the world has changed. There have always been bad people. There have always been good people. There have always been the vast majority of people who are just going to get along. I choose how I live my life, not some asshole who thinks a gun makes him powerful.
Doesn't mean be stupid. If the news is reporting a "Flat tire robber", maybe you want to adjust your behavior for a while, but in general I'm going to help people who need help. I've lived my life that way for 37 years and I'm not changing it now. I've lived in downtown New Orleans. I spent a year in Iraq. The bad guys haven't made me bitter and fearful yet, I'm not going to let them do it now.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
No seriously. People still plug unknown cocks they've just found in a bar into themselves (and the other way around, but that simile doesn't work as well - all I'm trying to say is, this is a gender neutral metaphor). And the viruses you can get from that are way more dangerous than anything your computer can get.
That virus fried their centrifuges and delayed the Iran nuke a couple years.
...what would you do?
Until they do that, then yes, it is theoretically safe to return wallets. Cyber attackers have been dropping poisoned media for years, but people haven't learned.
Same here. Everyone you bump into asks "Hey! You got a problem or what?"
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Consider the scale of this problem, and then consider the percentage of people who may do this that do NOT read this here on /. or elsewhere, before calling people 'dumb' or 'stupid'. Not everyone prone to doing so will even learn of this study. If this issue really matters, companies will take steps to warn employees about sticking random USBs in their computers. Otherwise, it's just a matter of time before something very bad happens, and then there will be consequences. If there are consequences, then realization happens. Otherwise, this will keep happening.
The more you know, the more you have to say and the more you should listen.
Question is, do you need USB sticks much at the company at all? And yes, why not? Those few that need them might get one that is company-locked. It's rather important to make sure nothing gets in AND nothing gets out. USB sticks are the easiest way to steal data from a company without any trace. Same reason we don't have CD burners in our company's systems, except on demand.
This story tells me that more women need to carry firearms or pepper spray.
Gamingmuseum.com: Give your 3D accelerator a rest.
I'm going to disagree with that.
Filthy, filthy copyrapists!
People looking to steal something don't say "Oh that poor old lady just forgot to close her door it would be unsportsmanlike to rob her" and then go crack into a bank vault. Instead they take that old lady for everything she has.
The polite, responsible thing to do would be to inform the vulnerable person about the problem. The issue here is that the computer security industry/community has been pointing these flaws out for over a decade and it hasn't made a single difference. No one is listening so some people are trying a different approach. No one listens when you say "Someone can hack your server and steal customer data." but they sure as hell get the point when someone steals the data.
I agree that what they did was illegal and wrong(ish) but I can also see why there are people getting frustrated when the powers-that-be don't listen until something bites them in the ass.
The moral of the story: It's OK to plug in a random USB stick into your computer if it is Halloween.
At night I drink myself to sleep and pretend I don't care that you're not here with me
Is there any kind of device that can be used to ensure you are only presented with a mass storage drive?
I'm thinking of something like a small adapter where you plug the USB "drive" in one end and the other in to your computer. The device could intercept and reprocess the communication so that anything that is not a standard drive would not get through. That would be nice to have because these days you never know what hardware is really in a seemingly standard looking USB drive. At the rate things are going we might need something like this built in to motherboards.
Also, I actually bought a couple of genuine Sandisk 1gb "U3" flash drives a while back at Microcenter. When inserted on a Windows XP machine it presented itself as both a standard drive AND a CD drive - that autoruns some useless preloaded windows software. (In some work environments just letting it run this hopefully harmless but unauthorized software would be enough to get someone in trouble.) Actually had to download and run a special program just to remove this garbage, and it wipes the flash drive in the process. So yes, even a legitimate commercial flash drive can be hiding stuff.
Would you 'plug' into a blowup doll you found on the street? What about a dildo? Not likely but I suspect people still do it. Let the users who find these peripherals be the judge of whether they expose their 'hardware' to these risks...
You are aware that everyone who wants to sell you food has to go through a rather complicated ordeal to be allowed to do just that? Not to mention the frequent and unannounced inspections?
Please use a different analogy, that one doesn't hold a drop of water.
The worst thing that someone could put into a USB stick would be some C4 with a detonator wired across the 5V lines...
If I am not in a hurry I stop for random strangers whom I can help, because sometime we each need a little extra help. I also legally carry a concealed weapon (hand gun) with me, because as we all know, people are fucked up.
It's sort-of people, yes they're idiots. But the bigger problem is an OS that assumes that any random removable-media drive is safe and that it should automatically execute programs on it when it detects new media in it. Instead the OS should assume that removable-media drives are not safe and that programs on inserted media are not to be run without the user doing something special to make them run.
On my Linux systems the OS doesn't auto-run programs on removable media at all. And I have it set to normally mount removable-media drives as "no execute" so programs on them simply can't be run without the user first copying them elsewhere and then setting the execute bit, or alternatively remounting the media with execute permissions enabled. Either way they have to do something pretty deliberate, and your average idiot isn't going to clear that bar. Windows offers at least the "no AutoRun" option, and it's easy enough to set it (flipping that setting on a new Windows installation is almost reflex for me by now); the only thing Windows doesn't offer is a "no execute" option for mounted media (and I'm sure it has it, just not obviously exposed in the UI).
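An added example, not from the thread, for checking the "no execute" mounting the comment above describes: it reads /proc/mounts-formatted lines and reports every removable mount that lacks noexec (and nosuid/nodev, which close the same path). The /media prefix and the sample mount lines are assumptions; on a real box feed it /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the thread: audit how removable media are currently mounted,
# checking for the options the comment above relies on (noexec, plus nosuid and nodev,
# which close the same "run it straight off the stick" path). Reads /proc/mounts-formatted
# lines on stdin so it can be run on a constructed sample; for the real thing:
#   audit_mounts /media < /proc/mounts
# The prefix (/media, /run/media, ...) is wherever your automounter puts sticks.

REQUIRED_OPTS="noexec nosuid nodev"

# Print the required options absent from the comma-separated list $1, each preceded by
# a space; prints nothing when all are present.
missing_opts() {
    for want in $REQUIRED_OPTS; do
        case ",$1," in
            *",$want,"*) ;;
            *) printf ' %s' "$want" ;;
        esac
    done
}

# For every mount point under prefix $1, print "<mount> OK" or "<mount> MISSING <opts>".
# Returns 1 if any removable mount lacks a required option, 0 otherwise.
audit_mounts() {
    prefix="$1"
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in "$prefix"/*) ;; *) continue ;; esac
        missing=$(missing_opts "$opts")
        if [ -z "$missing" ]; then
            echo "$mnt OK"
        else
            echo "$mnt MISSING$missing"
            rc=1
        fi
    done
    return $rc
}

# A flagged mount can be corrected in place (root required), e.g.
#   mount -o remount,noexec,nosuid,nodev /media/usb1
# and the same options set as the automounter default so future sticks get them.

if [ "${1:-}" = "audit" ]; then audit_mounts "${2:-/media}" < /proc/mounts; fi
```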
No, it's completely the user. Why shouldn't the OS trust what the user does who has physical access?
Because more than the user has physical access first of all. It's really not very hard to discreetly plug something in to a computer without the user noticing. Especially in a corporate environment.
And on the other hand, I've stopped to help scores of people. I've lost count, maybe 50-60? I've never had anything other than heartfelt and genuine thanks and offers of money and ...other things.
I drove one lady and her 5 year old granddaughter 50 miles to the nearest town in the middle of August and they both looked like they were approaching heat stroke. I should have let the police handle that? By the time the cops got there, they'd have ridden into town in an ambulance.
I repaired an old guy's alternator for him and jump started his car and got him back on the road with instructions to visit a mechanic asap. He didn't have money for a tow truck. Do you think that a police officer would have been able to help him?
In short, your cynical attitude is pretty fucked up. I understand your fear, based on your experience, but realize that the stats say exactly the opposite of what you're saying. Most people are good people. The price of being a cynical bastard is living a constant state of fear, which would suck in itself, and the fact that if you ever need help and other people have the same attitude, you're fucked.
I'd rather take the risk of a situation turning bad. If I see you on the side of the road, I'll stop and help. I'd appreciate the favor being returned, but won't hold it against you if not.
Of course it wasn't; we can't call in armed individuals every time someone needs a little bit of help.
Yes there are people that will take advantage of you, but they can just as easily break into your home. Hopefully they are the vast minority.
We can't live our lives not helping anyone just in case we may get hurt; what a sad world that would be. We need a society in which it is the norm to help out others, making people who have no consideration for others (like the rapists) as rare as possible, teaching our children through our actions to consider, respect and help others.
You know what? Fuck that. [...] The bad guys haven't made me bitter and fearful yet, I'm not going to let them do it now.
You speak truth.
I love these stories that have details that, if the story were actually true, no one would actually know.
In a machine onto which you can quickly blast a fresh new os image, not plugged into the network... why not? Check it out, see what's on it. If it's dirty, 60 seconds in the microwave, then into the trash. If it's clean, free USB thumb drive!
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
stupid slashdot, need delete option!
You bring a valid point, but I think that the root of this the problem is education: most people don't know that malicious software can spread from simply plugging in a USB key.
Perhaps more and better training from the company IT dept. would be helpful in educating these people. Ignorance isn't a valid defense, granted, but it's a reality that most IT dept. have to live with.
For non-techy types, there isn't an easy or obvious way to view/wipe the contents of a USB stick without first plugging it into your computer. Sandboxing and VMs are not Joe the Plumber-type applications. If Windows and Macs had a built-in USB sandbox feature that IT could turn on, it would make things much easier.
Or again, better education from the IT dept. asking users to bring them found USB drives for identification and if they can't find the owner, they can wipe it and give it back to the person who found it.
~Syberz
without trust, there is only suspicion and paranoia, and I don't really want to live in a world where paranoia rules anyway.
Agreed.
Really, do people believe that the ends justify the means as long as we're showing vulnerabilities lulzsec style? I mean even following that logic doesn't give you props. Exploiting stupid, or simply thoughtless, behavior just means you aren't clever enough to crack effective solutions and are targeting low hanging fruit like a gimped monkey.
didn't, they can't wash all blame off themselves because LulzSec was also in the wrong.
Err. Let's try this again. My fault for not closing a quote tag correctly.
Really, do people believe that the ends justify the means as long as we're showing vulnerabilities lulzsec style? I mean even following that logic doesn't give you props. Exploiting stupid, or simply thoughtless, behavior just means you aren't clever enough to crack effective solutions and are targeting low hanging fruit like a gimped monkey.
No, that was exactly my point, which went WHOOOSH over your head: Just because A is wrong doesn't mean that B can't be wrong too.
There's enough blame to go around - just because Lulzsec did something wrong doesn't mean that the companies and end-users didn't, they can't wash all blame off themselves because LulzSec was also in the wrong.
Bullshit. I do not believe you. You are just repeating urban legends and trying to spread FEAR.
"You want to know how to help your kids? Leave them the fuck alone." -George Carlin
I usually trust people, too. But I carry a loaded .45 just in case I run into one who can't be trusted.
Yea, though I walk through the valley of the shadow of death, I will fear no evil: for I'm the meanest sonofabitch in the valley.
Nobody can afford to be nice anymore. The world has changed.
No, it has not changed. The world was never as nice as people like to think it was. Men have been attacking, raping and murdering defenseless women since the dawn of time and all other manner of evil went on all the time; none of it is new.
Just people's perceptions have changed, mainly due to the monster called the news media, because that can only make a real living out of bad news and keeping people afraid.
Heh, it didn't really go over my head so much as I worded my response improperly. Blame, as I apply the word, can only be assigned to a party that deliberately left themselves open. They've got to know better first. It remains to be seen if that is the case for all the targets we've been reading about.
Even my own statement has limits though. I don't care if my bank didn't know better; they have a responsibility above and beyond an ordinary business to keep my information and finances secure. Sony falls under this aegis. The Neverwinter Nights forum though? Not so much.
You are mistakenly assuming every flat tire leads to a rape, and murder. That's not the case. Very few end in such evil, but by stopping to help, you are rolling the dice.
It seems to me that OSes should pop up a dialog when a USB device is plugged in, that displays what features the device is advertising, and allows you to OK each service you want accessible from that device on that OS, signing them so that you never get prompted for them again in the future. Should be extremely easy to add to any modern OS, as the OS already has to enumerate the features anyway. This would also mean that if your Android device got compromised and a special driver was installed that turned it into a stealth interface device when you plugged it into your PC, the PC would alert you that a new feature was detected, and did you want to enable it....
Except that this isn't a "safe way." As other people have pointed out, what looks like a USB thumbdrive may not in fact present itself to your system as a mass storage device. It can be an HID device and get automatically installed and take over your system; this works even in Linux. Tricking up such a device is not hard for somebody with some hardware chops. There is *NO SAFE WAY* to insert a malicious USB device into your system.
I'm sure you can just turn off autorun on the corporate build rather than going to all that trouble.
and if you live your life without rolling a few dice, you are probably going to end up a very old, very boring person.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
These are both problems. One is mostly fixable by relatively simple technology. The other is not really fixable, except by rather drastic means. Which problem do you suppose we should try to fix?
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
It will also almost guarantee that the found harmless sticks will be harmful from now on.
Rethinking email
Unless that stick tells the OS it is a keyboard, of course.
So find the cheapest, most obsolete computer you have. You don't want to short circuit your best computer.
Ok. got it.
Disconnect anything corruptible (hard-discs, USB drives, etc.) from the computer.
Well, I guess I can unplug the cassette player.
Disconnect any networks from your computer, you don't want any hacker software on the USB to bring the "men in black" knocking on your door.
No network plugs...
Boot from a live CD.
Where do you put a CD on a TRS-80?
We have a story of an AC about a single instance modded informative. We have an incident involving a pair of serial killers (raped and killed 12 people, remember) being shot with a hunting rifle, yet the closest stories Google can find are a Snopes false granny story and a real robbery incident with a handgun (described by the NRA, who should know, as "among the more dramatic"), so somehow the story of shooting two serial killers doesn't fit in. Now, there are lots of people reading Slashdot, and it's possible that this is a true story, but there is no way it should be modded up without at least an account name to back it up. The advice given is extremely dangerous. If people stop helping each other then the "bad people will win".
Now, to the original AC, and assuming that this was a true story; Please think again about how you say what you say. Your sister may have made a misjudgement, but you have to come to terms with that and realise that what she did was the right thing and most of what happened to her was bad luck. There are ways she could have been more careful; but in the end everybody has to get involved, we have to take some risk and 99.9% of the time it works out fine. If we don't do that then horrible things happen:
It's not enough to just say "call the cops". There aren't enough cops to investigate every possible strange situation; they won't be able to come reliably even if they try to. "Call the cops" means that most of the time people will do nothing. Worse, we end up with a passive society of afraid people who can't act on their own and expect "the authorities" to do everything for them. And even worse, with media hysteria stories like this, we get a culture where those that intervene are considered abnormal or even begin to believe they will get into trouble. You say:
The world has changed. If you are nice, you will be taken advantage of by those who aren't.
Yes; according to the US Department of Justice, the world has changed; it's much safer than it used to be.
Instead, we have to teach people a bit of a different lesson. Be extremely careful about interactions which are initiated by the other side. Make a visible call to a friend; give the license plate and description of the car that you are going to help. Single women don't help groups of men on their own without first making a call. Single men (who are actually most subject to violence) are careful too. Use judgement. But in the end, most of the time you just have to take some risk in life.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Here's a thought:
Call the police *and* stop to help the guy.
We need a read-only mounting of a stick that can run software. I'd use it to bring anti-virus software (et cetera) over to computers I want to repair. I'd update it with the latest anti-virus signature file on a good machine and then safely bring it over to the sick machine, running all kinds of portable software there. I'd also like to be able to boot from a stick — for the same purpose.
So we need a read-only button on the stick to guarantee the stick doesn't get infected from the sick computer. Does this exist?
I can do this with a CD or DVD, but a stick is more convenient.
I18N == Intergalacticization
Thank you, Encyclopedia Brown!
actually, i'd go so far as to say that the problem is the insufferable bastards that felt the need to create a malicious USB device. If you really wanted to get pedantic about it.
The last flash drive I bought from Transcend had some autorun software on it that was trying to sign me up for a lifetime warranty. My antivirus did notice the autorun and put a stop to it and then I just formatted the thing.
sadly the world has always been like this.
so long as there's more than 10000 people in the world, the 0.01% chance is guaranteed to happen at least once.
Does anyone know how to configure a USB port to accept only mass storage devices? (no autorun of course) A Linux solution is enough for me (lol)
Not necessarily; it could be a filtering hub, watching all traffic that passes through it and dropping all packets from any device that identifies itself as any type other than mass storage. Think of it as a USB firewall.
BRB, off to file my patent.
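The "mass storage only" filter asked about above can be done in software on Linux, as an added example that is not from the thread: recent kernels (4.4 and later) expose a per-interface "authorized" flag in sysfs alongside bInterfaceClass, so a stick that also enumerates as a keyboard keeps its storage interface and loses the keyboard one. The sysfs layout is the kernel's; the SYSFS_USB override, the constructed test tree and the udev rule text are assumptions of this example, and writing the flags needs root.

```shell
#!/bin/sh
# Added example, not from the thread or any project: a Linux-only "mass storage only" USB
# policy built on the kernel's per-interface authorization attribute in sysfs. Each USB
# interface directory (e.g. 1-2:1.0) exposes bInterfaceClass and a writable "authorized"
# flag; writing 0 unbinds and blocks just that interface. SYSFS_USB defaults to the real
# sysfs path; point it at a constructed tree to exercise the logic offline.

ALLOWED_CLASS="08"   # USB class code for mass storage

# Print "allow" if the interface in directory $1 is mass storage, "deny" otherwise.
classify_interface() {
    cls=$(cat "$1/bInterfaceClass" 2>/dev/null || echo "??")
    if [ "$cls" = "$ALLOWED_CLASS" ]; then echo allow; else echo deny; fi
}

# Make the kernel hold newly enumerated interfaces unauthorized until we decide (root).
# This is a per-root-hub default; interfaces already present are left to apply_policy.
lock_defaults() {
    for hub in "${SYSFS_USB:-/sys/bus/usb/devices}"/usb*; do
        if [ -f "$hub/interface_authorized_default" ]; then
            echo 0 > "$hub/interface_authorized_default"
        fi
    done
}

# Apply the policy to every interface currently present and print one audit line each.
# Returns 0 when everything was mass storage, 1 when at least one interface was denied.
apply_policy() {
    denied=0
    for iface in "${SYSFS_USB:-/sys/bus/usb/devices}"/*:*; do
        [ -d "$iface" ] || continue
        decision=$(classify_interface "$iface")
        if [ "$decision" = allow ]; then
            echo 1 > "$iface/authorized"
        else
            echo 0 > "$iface/authorized"
            denied=$((denied + 1))
        fi
        echo "$(basename "$iface") class=$(cat "$iface/bInterfaceClass" 2>/dev/null) $decision"
    done
    [ "$denied" -eq 0 ]
}

# The same rule as a udev rule (constructed text, for /etc/udev/rules.d/) so devices
# plugged in later are covered too; pair it with lock_defaults at boot:
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", \
#     ATTR{bInterfaceClass}=="08", ATTR{authorized}="1"

if [ "${1:-}" = "apply" ]; then lock_defaults; apply_policy; fi
```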
My U3 drive had a portable version of skype on it that would ping their server even if there was no account configured. IT noticed it right away, and deactivated my LAN connection.
The helpdesk was waiting for my call as the manager of the PC end of the IT dept made his way across the plant to my desk.
Fortunately I did not install it, or have it configured with a login, or even know it was there, otherwise it would not have been pretty!
This is especially galling to me; I have a book out that I encourage folks to share, but it's only in PDF form. The only people who are going to open it are ignorant of the fact that it could contain a virus, even though it doesn't.
Why don't you release it in more formats, like .epub and other reader-friendly extensions? To my knowledge, they can't execute arbitrary code on their own like .pdf and .doc can. My e-book reader app (FBReader) on my phone can't handle PDF, and it's how I do most of my reading these days.
This is assuming that by "have a book out" you mean you authored or published a work.
For optimal comment enjoyment, take red pill now.
Hey at least the office system is properly backed up right? :)
I wouldn't say it hasn't made a difference. It's just that security is a never-ending job. It's not a problem that you "solve", any more than most other human problems. It's a problem that you have to continuously harp on, while trying to improve it from the technical side as well. And aside from infrequent anecdotes, I'm not aware of any studies indicating that throwing people's information out in the clear is more effective than notifying companies.
Many of the flaws that were exploited were so basic, and have been known about for many years, that it's inconceivable that any serious thought was put into security. Yes, security is a continuous process, but if you haven't even bothered to address the basics, then you are certainly to blame when someone takes advantage of that.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Interestingly, I worked for a government department back in the mid-90s, and idly one day worked out how I'd go about untraceably diverting the multiple billions they oversaw to overseas accounts etc. Part of the anonymizing would have been to have the entire thing launch from an appropriately-named EXE on a floppy disk dropped casually in the waiting area or on one of their desks, and labeled "Social Work data". The office SWs at the time were notorious for having about the same computer-savvy as roadkill, so they'd be unlikely to make the connection between the disk and the month-later financial disaster. Particularly if the disk got overwritten with actual SW data in the process, and the worm erased itself retroactively from the first dozen computers it infected.
I see the idea of leaving a mislabeled item of media lying around where an unsuspecting administrative worker could introduce it to the corporate network hasn't lost any of its appeal. Social engineering strikes again.