Slashdot Mirror


Yet Another "People Plug In Strange USB Sticks" Story

Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."

78 of 639 comments

  1. hrmmph.. by Slack0ff · · Score: 2

    >> The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks." Couldn't it still be a little of both?

    --
    Everyday You see me is the worst day of my life -Office Space
    1. Re:hrmmph.. by Shadow99_1 · · Score: 3, Informative

      Yes, it's always because IT 'trusts' the OS... It has nothing what-so-ever to do with management complaining in the 'you're about to be fired!' fashion if they can't simply plug in x device at their whim... As an admin my job was to make things as secure as I could, without pissing off the people writing my paycheck. Just as I have to leave the OS to automatically access USB devices, so too the OS must trust these devices because otherwise the people with the money get pissy.

      --
      we are all invisible unless we choose otherwise
  2. No... by Anonymous Coward · · Score: 3, Insightful

    The OS trusts the people, the people ARE the weak link no matter how much you want to spin it.

  3. Windows by Kagetsuki · · Score: 4, Insightful

    AutoRun!

    But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.

    1. Re:Windows by gstoddart · · Score: 2

      But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.

      I couldn't agree with this more ... I've always hated the fact that Microsoft (in their on-going attempt to pander to drooling idiots) has set it up by default so that it will pretty much run anything that comes near it, without asking the user or any level of assumption that this could be a bad idea.

      Yes, computers confused people for a bunch of years ... but running any old binary that comes along is stupid. Merely plugging in a USB drive should not really be a vector for automatic execution of arbitrary code.

      In fact, the default should be to NOT run it ... but, everybody is so enthralled with their autorun.exe that they seem to think it's a good idea.

      --
      Lost at C:>. Found at C.
    2. Re:Windows by wvmarle · · Score: 3, Insightful

      It would be great to have a sandbox option to run such software. I'd also be curious what's on a found USB key. And wondering what that .exe would be doing.

      Best solution may be if software run from an external and thus untrusted source (like a USB key) would be automatically sandboxed, and running in its own environment, separated from the rest of the OS. If it tries to do anything bad, just kill it, finish. Then we can satisfy our natural curiosity, while still being protected from anything nasty that may be done.

      This could also be a solution to make autorun useful AND safe.

    3. Re:Windows by jader3rd · · Score: 2

      Maybe you shouldn't be on your own. What if there was a super easy way to tell the OS that this removable media is not from a trusted source. Then any executable that runs from it is run in a sandbox that's destroyed when the removable media is removed.

    4. Re:Windows by 0123456 · · Score: 2

      AutoRun was removed from USB sticks in Windows XP and above.

      Does Windows still have '.' at the start of the DLL loading path by default? If so, eliminating autorun doesn't necessarily help that much; you click on 'Fluffy Kitty.jpg', Windows loads some image viewer which loads some JPEG-reading DLL, and instead of getting the real one it loads the trojan version from the USB stick.

    5. Re:Windows by Culture20 · · Score: 2

      Partially correct. A patch for Windows XP and above was recently released that finally disabled autorun as an important patch (so it would auto install if people have auto update enabled). If someone plugs an infected USB disk into an unpatched machine, it still works.

    6. Re:Windows by fuzzyfuzzyfungus · · Score: 5, Informative

      Unfortunately, while this does preclude the lowest form of hackers, the ones with firmware-level access can still do their thing...

      The most famous example is those fuckers at U3. In order to allow the delight of having an autorunning launcher pop up and annoy you every time you pop a flash drive in, they produced a little firmware modification that causes the flash drive to show up as a composite device containing one flash drive, and one CD-ROM. Since autoplay is generally still enabled on CDs, the CD contained the payload that executed the launcher.

      They, as a commercial venture, weren't truly bent on malware-style evil; but they provide a good example of how it could be done.

  4. yet by arth1 · · Score: 5, Insightful

    The problem isn't that people are idiots, but that doesn't preclude people from being idiots being a problem.

    You can never make systems fully foolproof through technology, and Bruce of all people should know this.
    It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.

    1. Re:yet by ColdWetDog · · Score: 2

      It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.

      And nature has a several-million-year head start on engineers.

      Who do you think is going to win this game?

      --
      Faster! Faster! Faster would be better!
    2. Re:yet by KhabaLox · · Score: 2

      Well, if it were legal for engineers to incorporate electroshock feedback then we might have a fair contest.

      --
      Ceci n'est pas un sig.
    3. Re:yet by Darinbob · · Score: 2

      Man, if you can't have idiots working for the government then the whole system would collapse!

  5. OS trust not really the issue. by kermyt · · Score: 3, Insightful

    You can add all the hooks you want to any OS you want. None of it means anything when the end user can circumvent these protections because curiosity got the best of them. The only real solution here is education of the end users so they know not to trust any little piece of plastic they find in the parking lot.

  6. Re:Yet Another "People Plug In Strange USB Sticks" by mswhippingboy · · Score: 2

    But that aside, if you found a candy bar laying on the street, would you eat it?

    Possibly, but certainly not one floating in a pool.

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
  7. Re:Only one way to fix this by arth1 · · Score: 5, Insightful

    Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.

    No, they won't. They'll blame the people who dropped the USB sticks, and thinking in black and white because they seem unable to do otherwise, they would think that means that they themselves are not also to blame.

    Just look at how people have reacted to this spring's exploits of web sites and services. They don't blame the companies that had lax security, and they don't blame themselves for choosing idiot passwords or not cancelling services they no longer use.

  8. Makes sense to me actually by dyingtolive · · Score: 5, Funny

    Well, I mean, I'm not going to risk MY computer to some random virus infection. Of course I'm going to use an office computer!

    --
    Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    1. Re:Makes sense to me actually by staryc · · Score: 2

      Of course I wouldn't risk MY computer or MY work computer. I would just use the separate box I have set up for these sorts of situations that may lead to malicious behavior. More and more people have extra computers just laying around for this type of thing, right? It's 2011!

      --
      The most perfidious way of harming a cause consists of defending it deliberately with faulty arguments. - Nietzsche
  9. Re:I dunno... by creat3d · · Score: 2, Insightful

    My thoughts exactly. The OS shouldn't have to realize if a USB stick is legit and belongs there... people should realize you don't pick up a stick in a parking lot and put it in your computer, which may or may not hold for-your-eyes-only information. It's like telling an adult they shouldn't pick up a syringe in a park and stick it in their arm.

    --
    Grammar nazis are to this community what excrements are to gold.
  10. Re:I dunno... by davepermen · · Score: 2

    No, the problem is admins not having turned on the correct settings to make it impossible for users to be stupid. They will only do so once something big happens.

  11. People are not idiots - just different motivation by ugen · · Score: 5, Insightful

    The behavior is quite logical, once you understand what the objective is. Usually the way we look at this is from the POV of corporation/corporate IT security. They find this behavior "stupid" - it potentially harms corporate systems. But consider that an individual employee quite likely cares very little for the well being of corporate IT system or corporation in general (why - is another story). He may be interested to find out what's on the USB device (could be something valuable, you never know) and at the same time he probably wouldn't want to harm his personal computer at home. Hence - using it at work, where if this turns out to be something nasty - it's someone else's problem. And if IT asks - 100% of the time he'll say that he did not do any such thing :)

    People are not idiots, they just have their own objectives that are not very well aligned with yours.

  12. not just autorun! by Anonymous Coward · · Score: 5, Interesting

    autorun is NOT the only problem.
    The most insidious thing I have seen in this department is little usb sticks that are built into advertising. When inserted, they just act like a keyboard instead of removable media. On windows, it opened up my Run dialog and typed in the URL of the site the advertiser wanted me to go to. With me logged in as an admin, just imagine what else it could have typed into that box.

    1. Re:not just autorun! by cvtan · · Score: 2, Insightful

      If you go to the store and buy a new USB flash, isn't that still an unknown device? I have tried not being the admin on my home computer and it just doesn't work. Lots of things require admin status to install (my wife's TaxWise tax prep program for example). When I worked at Kodak they ended up giving many engineers and scientists admin privileges because we were constantly bugging IT about installing drivers for strange image processing hardware, National Instruments software, programming environments etc.

      --
      Sorry, but gray text on gray background is making my eyes bleed.
    2. Re:not just autorun! by AdmiralXyz · · Score: 2

      Yes, but this doesn't matter because the device could be lying. It's always possible for the controller to pretend to be something it isn't. In theory, you could have a device with a time delay in hardware that starts issuing malicious commands only after you go home for the night. Software would never pick it up.

      --
      Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
    3. Re:not just autorun! by Dynedain · · Score: 2

      Right click -> run as admin

      Then you don't need to always be admin when using your computer, but still get access to it as needed when installing things.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    4. Re:not just autorun! by Anonymous Coward · · Score: 2, Interesting

      And yes, they already use sending keyboard commands over USB to attack networks, for example in a mouse.

    5. Re:not just autorun! by DeadCatX2 · · Score: 4, Informative

      Not really.

      When you connect a USB device, Windows automatically polls information from the device, called descriptors. This is a process called enumeration. If Windows recognizes the device class (e.g. HID Keyboard), it will automatically install drivers without user intervention. So will Linux and Mac OS; it has to, otherwise when you plug in a keyboard or mouse it wouldn't work until you activated it, and how can you activate a keyboard or mouse without either one?

      I'm not sure it's even possible to stop this process. The best you can do is eavesdrop on the data using a USB Sniffer to see what the device is sending for its descriptors, but by the time the sniffer sees the data it's too late.

      What's worse is that you can craft special descriptors which can exploit the OS! This is how the PSJailbreak worked.

      The only solution I can think of is to use an embedded host to read the descriptors without attaching it to a computer.

      --
      :(){ :|:& };:
    6. Re:not just autorun! by Just+Some+Guy · · Score: 4, Insightful

      I'll see your "clever" and raise you a "completely terrifying". I'm ashamed that it never occurred to me that something in a USB flash drive form factor wouldn't be a flash drive. I just got done lecturing a coworker about SQL injection, but I would've been utterly vulnerable to a "USB injection" attack up until 5 minutes ago.

      --
      Dewey, what part of this looks like authorities should be involved?
    7. Re:not just autorun! by mmcuh · · Score: 4, Informative

      USB doesn't have a "one device per port" rule. You could plug in an evil USB stick, it could behave just like an ordinary storage device, and then, in the middle of the night (if the computer is still on) it could start up another device, say a "keyboard" which is preprogrammed to send you to a webpage with a known exploit or to run a program in a previously hidden directory that connects to an SSH server and gives whoever is listening at the other side shell access to your computer. This could also be hidden in a USB mouse, or a USB webcam, or absolutely anything USB.

      I think I'm getting some ideas for a DIY project...

    8. Re:not just autorun! by Jarik+C-Bol · · Score: 3, Informative

      No, it did what you said, it faked the UID to be a keyboard, then it, as a keyboard, said: 'windows key, arrow up, enter, enter' which then of course launched the default browser and visited a page. The same device could in theory be programmed to erase your HD from the command line if you were logged in as admin and blinked as the device mounted.

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
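What DeadCatX2 describes above (the host reading the device's descriptors during enumeration and binding a class driver on the strength of them), what mmcuh describes (one physical stick presenting more than one USB function) and the U3 trick fuzzyfuzzyfungus mentions all come down to the same few bytes: the configuration descriptor. The following is an added example for this thread, not code posted by anyone in it. It parses a configuration descriptor the way a host does and reports what the "flash drive" actually claims to be. The two descriptor blobs are constructed by hand from the USB 2.0 descriptor layout (PLAIN_STICK is an ordinary bulk-only mass-storage device; COMPOSITE_STICK adds a boot-protocol HID keyboard interface, the shape of the "advertising stick that types a URL"); the function and constant names are this example's own.

```python
"""Parse a USB configuration descriptor and report what a "flash drive"
really claims to be. Added example; descriptor blobs are constructed."""
import struct
from typing import Dict, List

DT_CONFIGURATION = 0x02          # descriptor types, USB 2.0 spec table 9-5
DT_INTERFACE = 0x04

CLASS_NAMES = {0x01: "Audio", 0x03: "HID", 0x08: "Mass Storage",
               0x0E: "Video", 0xE0: "Wireless", 0xFF: "Vendor-specific"}
HID_BOOT_PROTOCOL = {1: "keyboard", 2: "mouse"}   # meaningful when bInterfaceSubClass == 1

# Constructed: an ordinary bulk-only SCSI mass-storage stick (32 bytes total).
PLAIN_STICK = bytes.fromhex(
    "09 02 2000 01 01 00 80 32"        # configuration: wTotalLength=32, 1 interface
    "09 04 00 00 02 08 06 50 00"       # interface 0: class 08 mass storage, SCSI, bulk-only
    "07 05 81 02 4000 00"              # EP1 IN  bulk, 64-byte packets
    "07 05 02 02 4000 00"              # EP2 OUT bulk, 64-byte packets
)

# Constructed: same stick plus a second interface that enumerates as a keyboard (57 bytes).
COMPOSITE_STICK = bytes.fromhex(
    "09 02 3900 02 01 00 80 32"        # configuration: wTotalLength=57, 2 interfaces
    "09 04 00 00 02 08 06 50 00"       # interface 0: mass storage as above
    "07 05 81 02 4000 00"
    "07 05 02 02 4000 00"
    "09 04 01 00 01 03 01 01 00"       # interface 1: class 03 HID, boot subclass, protocol 1 = keyboard
    "09 21 1101 00 01 22 3F00"         # HID descriptor: one 63-byte report descriptor
    "07 05 83 03 0800 0A"              # EP3 IN interrupt, 8-byte packets, 10 ms
)


def parse_config_descriptor(blob: bytes) -> List[Dict]:
    """Walk the chain a host gets back from GET_DESCRIPTOR(CONFIGURATION).

    Every descriptor starts with bLength and bDescriptorType, so descriptor
    types we do not care about (endpoint, HID, vendor) are skipped by length.
    Lengths are validated rather than trusted: a hostile device controls
    every byte here, which is exactly why descriptor parsers get exploited.
    """
    if len(blob) < 9 or blob[0] != 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]
    if total_len > len(blob):
        raise ValueError(f"wTotalLength {total_len} exceeds the {len(blob)} bytes received")
    declared_ifaces = blob[4]

    interfaces = []
    offset = 0
    while offset < total_len:
        if offset + 2 > total_len:
            raise ValueError(f"truncated descriptor header at offset {offset}")
        blen, dtype = blob[offset], blob[offset + 1]
        if blen < 2 or offset + blen > total_len:
            raise ValueError(f"bad bLength {blen} at offset {offset}")
        if dtype == DT_INTERFACE and blen >= 9:
            num, alt, n_ep, cls, sub, proto = struct.unpack_from("<6B", blob, offset + 2)
            interfaces.append({"number": num, "alt": alt, "endpoints": n_ep,
                               "class": cls, "subclass": sub, "protocol": proto,
                               "class_name": CLASS_NAMES.get(cls, f"class 0x{cls:02x}")})
        offset += blen
    # Alternate settings share an interface number, so count distinct numbers.
    if len({i["number"] for i in interfaces}) != declared_ifaces:
        raise ValueError("bNumInterfaces does not match the interface descriptors present")
    return interfaces


def audit_interfaces(interfaces: List[Dict]) -> List[str]:
    """Human-readable findings; an empty list means 'plain storage, nothing else'."""
    findings = []
    classes = {i["class"] for i in interfaces}
    for i in interfaces:
        if i["class"] == 0x03:
            kind = HID_BOOT_PROTOCOL.get(i["protocol"], "generic") if i["subclass"] == 1 else "generic"
            findings.append(f"interface {i['number']} is a HID {kind}: it can type into whatever window has focus")
        elif i["class"] != 0x08:
            findings.append(f"interface {i['number']} is {i['class_name']}: the host will bind that class driver")
    if 0x08 in classes and len(classes) > 1:
        findings.append("composite device: storage plus non-storage interfaces (the U3-style trick)")
    return findings


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_STICK), ("composite", COMPOSITE_STICK)):
        print(label, audit_interfaces(parse_config_descriptor(blob)) or ["looks like plain storage"])
```

On Linux `lsusb -v` prints the same fields, but only after enumeration, which is DeadCatX2's point: by then the HID driver is already bound and the "keyboard" has already had its chance to type. A check like this only buys something on a host that does not auto-bind new devices (for example a udev rule that writes 0 to the device's sysfs `authorized` attribute until someone approves it) or on the isolated embedded host DeadCatX2 suggests.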
  13. Re:Only one way to fix this by uncanny · · Score: 5, Insightful

    Wow, i found a USB stick once on a college campus, looked like a nice one so i plugged it into a computer to see if i could find whose it was so i could return it to them. I didn't realize that i deserved having my computer fried for trying to return something. Do you put mace in your wallet so that if you drop it and someone tries to return it that it sprays them in the face?

  14. You Can't Fix Stupid by LifesABeach · · Score: 2

    I've made a comfortable living consoling the computers of owners that are stupid.

  15. No, the problem really is people. by meerling · · Score: 2

    Even before USB based storage was on the market, people were still infecting computers with their junk. Even supposedly 'isolated' computers that had the media drives removed, and with non-worms. The only common denominator was humans doing something that was against policy. So, no - it's not the specific technology, yes - the problem is people.

    I will admit that the more you limit a computer using unauthorized stuff, the less likely it is to get infected. On the other hand, it's also less useful. Balance your choices based on need, and live with the consequences.

    1. Re:No, the problem really is people. by dingen · · Score: 2

      If people are constantly breaking policies, the problem is that the policies are incompatible with human behavior. You can't expect people not to check out a floppy disk / CD-ROM / USB drive / attachment / link / whatever, because people are curious. You cannot ignore that fact or try to make people into something they are not. When designing a work environment, you have to take human behavior into account, or it will be broken all the time and thus be utterly useless.

      --
      Pretty good is actually pretty bad.
  16. Re:Only one way to fix this by cdtullio · · Score: 3, Funny

    The way to fix this problem, is to start dropping pistols with nipples attached to the end. That would thin the herd.

  17. Re:Only one way to fix this by h4rr4r · · Score: 2

    Because USB is the electrical slut. People need to be able to plug in keyboards and mice, this means there are going to be usb ports that are open. A user can simply put a usb hub in and get some more ports. Even if you disable USB mass storage there is no reason an evil USB stick could not act as a keyboard and using keystrokes download evil software.

  18. USB-based medical instruments by AnotherScratchMonkey · · Score: 2

    To check for colon cancer? There are now USB glucose meters that accept a test strip with a drop of blood, so why not one that accepts a stool sample?

  19. Re:Only one way to fix this by Anonymous Coward · · Score: 3, Insightful

    Anyone who uses that as an excuse not to help someone with a flat should drop out of the human race entirely.

  20. Re:Only one way to fix this by fuzzyfuzzyfungus · · Score: 2

    Eh, USB isn't dangerous enough to bother nuking the warranty on your hardware. Any recent corporate IT-box will let you disable USB ports (sometimes even selectively) in the BIOS, and it isn't rocket science to order the OS to ignore some or all USB device classes.

    The main problem (outside of environments where "Security" is taken seriously enough that IT has carte blanche to do whatever they deem necessary) is that USB mass storage devices are So. Damn. Useful. In my Admin-hat capacity, I could disable access to USB mass storage devices for everybody in about ten minutes. I would then have just about enough time to slip out and start drinking heavily before the lynch mob assembled...

    As for shorting them, USB ports are supposed to gracefully detect overcurrent conditions and modest voltage excursions and cut power to the port rather than die horribly. How well they will actually do so is very much a "your mileage may vary" matter. Some, if a damaged cable or device shorts them, will pop up a polite message, disable the port briefly, and then be ready for another try as soon as the fault clears. Some need a reboot, and I'm sure that some blow a tiny SMT fuse or just burn a trace...

  21. Re:People are not idiots - just different motivati by Jah-Wren+Ryel · · Score: 2

    People are not idiots, they just have their own objectives that are not very well aligned with yours.

    I concluded a long time ago that really good operational security has just one fundamental objective - make doing the right (or really the desired) action the easiest action.

    Crappy opsec ends up making everything hard to do with the, usually unstated, goal of making the wrong actions harder than the right actions. That usually fails because it's super hard to figure out all of the possible wrong actions ahead of time, but users will always seek the easiest possible route.

    When designing a security system you'll be 100x more successful if you cater to human nature instead of trying to fight it. In this example, people wanting to plug in USB sticks to see what's on them happens all the time since USB sticks are the new floppy disk. So make it easy to do what they want in a safe way - give them a program to "view unknown usb drive" that disables autorun and takes any other necessary precautions like temporarily running in a read-only virtual machine.

    --
    When information is power, privacy is freedom.
  22. Re:Only one way to fix this by gumbi+west · · Score: 2

    I worked for the USG and the computer would not let you connect a USB drive that wasn't owned by that agency (and all the USB drives were encrypted to NIST standards), or read or write a CD/DVD.

  23. Re:Only one way to fix this by jandrese · · Score: 2

    Unless the USB stick exploits bugs in the USB drivers (which are hugely complex and run at the kernel level) in which case you're hosed the instant you plug it in, autorun or not.

    --
    I read the internet for the articles.
  24. I do this by WhiteDragon · · Score: 2

    but I put it in a linux box with no net connection. I also have my contact info on my usb stick that I use at work. I lose things a lot and have been very grateful when somebody emailed me and said they had my stick. Now the OS autorunning sticks is a terrible idea, that is blocked at my company by domain policy (on Windows workstations).

    --
    Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
  25. How else would you find the owner? by jader3rd · · Score: 2

    If you find a wallet/purse outside of the building where you work odds are the wallet belongs to someone inside the building. So you open it up, to try and find some ID, so you can give it back to the owner. I can see the same sort of reason here. You found a USB stick, so you take it to your computer to open it up, try to find some documents, and see who the author is of the documents. Odds are, that's the owner of the USB stick and you can return their property to them.

  26. Re:Dumb story by rudy_wayne · · Score: 4, Insightful

    Part 1
    http://www.youtube.com/watch?v=q6UIrdLAkFM
    Part 2
    http://www.youtube.com/watch?v=osF6FS2KS_E

    Rule #1 -- If you're going to narrate a video, get a personality. Seriously, I had to turn it off after the first minute because it was so boring.

  27. Re:Only one way to fix this by h4rr4r · · Score: 2

    Considering that what you propose is near impossible, I am going to side with them. Imagine this, on the inside of the USB stick there are a bunch of caps charging from the 5v line and discharging onto the data lines. So how do you avoid running that "malware"?

  28. Re:Only one way to fix this by tmosley · · Score: 3, Insightful

    The easiest way to do that is to stop and help someone with a flat.

    It's a ... conundrum.

  29. Re:Only one way to fix this by element-o.p. · · Score: 4, Insightful

    And despite attitudes like that, people still wonder why those Nazis in corporate IT do things like disallowing USB mass storage devices, filtering HTTP traffic through a proxy, etc.

    --
    MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
  30. Re:Hopefully this problem will go away. by Jackdaw+Rookery · · Score: 2

    A lot of governments and corporations block Dropbox and the like as these services are hosted in the USA. Patriot act strikes again.

  31. How to turn off Autoplay in Windows 7 and XP by InsMonkey · · Score: 2

    It is easy enough to turn off in Windows 7: Just type in "autoplay" in the START menu search bar and uncheck devices that you don't want to auto play. It is a little trickier in XP:

    http://techbybucky.blogspot.com/2008/01/how-to-disable-usb-and-cd-autorun.html

    --
    I'd rather have a full bottle in front of me than a full frontal lobotomy.
  32. No surprise people plug found sticks in work PCs.. by NeverNow · · Score: 3, Insightful

    ...why would they want to put their home systems at risk?

  33. Re:No, that's a job for the police! by TheSpoom · · Score: 4, Insightful

    I really feel for your situation. That said, I'm still going to trust people. I trust people knowing that that trust could blow up in my face at any time; that's just a risk one takes. I will continue to trust people because without trust, there is only suspicion and paranoia, and I don't really want to live in a world where paranoia rules anyway.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  34. Re:You COULD deny foreign usb sticks in your compa by acoustix · · Score: 2

    Only from Vista onwards. Although it is possible to disable autorun in XP, it has to be done on every individual station - you can't do it via group policy.

    According to KB 967715 it can be done in 2000/XP/2003 and newer via GPO's in the domain.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
  35. Re:No, that's a job for the police! by oldmac31310 · · Score: 2

    Jeez. I'm so glad I live in New York. People are nice here!

    --
    http://www.acetonestudio.com
  36. Re:I dunno... by djmurdoch · · Score: 5, Insightful

    Okay, so what should you do with it? You want to return it to its owner, and examining its contents is the obvious way to find the owner.

    You should be able to trust your computer to let you look at what's on a USB stick. Otherwise, you can't:

      - trust files that your colleague is giving you via USB
      - trust a USB stick distributed as a promotion
      - trust your own USB stick, if you've used it to give a presentation on someone else's computer.

    Obviously, you shouldn't run programs on the stick, and you should know that lots of document formats are really programs, but you should be able to trust your computer to show you the contents without running everything on it.
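djmurdoch's point above (look at the contents without running them, and remember that many document formats are really programs), together with wvmarle's and jader3rd's sandbox idea and Jah-Wren Ryel's "view unknown usb drive" program, describes a small tool. The following is an added example for this thread, not code from any poster. It does the two things an AutoRun-enabled Windows host of the day would have done for you, but reports instead of executing: it parses autorun.inf (an INI file whose [autorun] section names the program to launch) and lists files Windows would treat as programs, including double-extension lures such as resume.doc.exe. The sample volume is built in a temporary directory; its file names, contents and autorun.inf are made up, and the extension lists and function names are this example's own choices.

```python
"""Look at what is on a found stick without running anything on it.
Added example; the sample volume and autorun.inf are constructed."""
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions Windows runs directly or hands to a script host on double-click.
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi", ".hta",
            ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".lnk", ".dll"}
# Document formats that can carry active content (macros, embedded scripts).
MACRO_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".docm", ".xlsm", ".pptm", ".pdf", ".rtf"}
# Harmless-looking extensions used as the first half of a double-extension lure.
DOC_LIKE = MACRO_EXT | {".txt", ".jpg", ".jpeg", ".png", ".gif"}

SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed sample, shaped like a vendor launcher
open=setup.exe /s
icon=setup.exe,0
label=Photos
action=Open folder to view files
shell\\explore\\command=setup.exe /s
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value.

    Approximates the Windows INI reader: section and key names are
    case-insensitive, whitespace around '=' is ignored, ';' starts a comment.
    """
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_commands(entries: Dict[str, str]) -> List[str]:
    """The commands an AutoRun-enabled host would launch (open/shellexecute)
    or offer as a right-click verb (shell\\<verb>\\command)."""
    cmds = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            cmds.append(f"{key} -> {value}")
    return cmds


def triage_volume(root: Path) -> Dict[str, List[str]]:
    """Walk a mounted (read-only!) volume and report; never execute or open."""
    report: Dict[str, List[str]] = {"would_run": [], "executables": [], "double_ext": [], "macro_docs": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name.lower() == "autorun.inf":
            report["would_run"] += autorun_commands(parse_autorun_inf(p.read_text(errors="replace")))
            continue
        suffixes = [s.lower() for s in p.suffixes]
        if suffixes and suffixes[-1] in EXEC_EXT:
            report["executables"].append(rel)
            if len(suffixes) > 1 and suffixes[-2] in DOC_LIKE:
                report["double_ext"].append(rel)        # e.g. resume.doc.exe
        elif suffixes and suffixes[-1] in MACRO_EXT:
            report["macro_docs"].append(rel)            # open only with active content off
    return report


def build_sample_volume() -> Path:
    """Constructed stand-in for a found stick: launcher, lure, resume, spreadsheet."""
    root = Path(tempfile.mkdtemp(prefix="found-stick-"))
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
    (root / "setup.exe").write_bytes(b"MZ" + b"\0" * 62)        # a header, not a real PE
    (root / "Fluffy Kitty.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    (root / "resume.doc.exe").write_bytes(b"MZ")
    (root / "Q2 budget.xls").write_bytes(b"\xd0\xcf\x11\xe0")
    return root


if __name__ == "__main__":
    for section, items in triage_volume(build_sample_volume()).items():
        print(f"{section}: {items}")
```

Run it against a stick mounted read-only and without execute permission (on Linux, `mount -o ro,noexec,nodev`), ideally inside the throwaway VM Jah-Wren Ryel describes, since the Windows shell's real INI reader has quirks this approximation does not model and a document viewer may still run what it opens. Note that the autorun.inf part only tells you what an older or unpatched Windows host would have done; the 2011 Windows update that Culture20 mentions stopped honoring autorun.inf on USB mass storage, though not on media that enumerates as a CD-ROM, which is precisely the U3 composite trick.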

  37. Social engineering by brainzach · · Score: 2

    People are conditioned to think that USB drives aren't dangerous because 99% of their experiences with them aren't dangerous. They are just harmless devices to store your files on.

    When they see one on the ground, they will think that someone lost their files and they would like to see who it belongs to. It is stupid to expect people not to do this and the security should be designed around that. You don't go against human nature.

  38. Re:Only one way to fix this by Opportunist · · Score: 2

    1) They picked up USB sticks lying on the ground. I dunno about them, but my mommy always said I shouldn't do that. And she was right in this case!
    2) They put this USB stick into their office computer INSTEAD OF informing their security department (ok, that is an assumption; if they did and their CSO said "go ahead", he's not only an idiot but he should be fired. Out of a howitzer).
    3) They executed software on a foreign USB stick they found on the ground. Aside from the question why they had the privileges to actually do any damage, who in his sane mind would do such a thing?

    Yes, the people are to blame here. Who else?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  39. Re:No, that's a job for the police! by b5bartender · · Score: 3, Insightful

    Obvious bullshit story is obvious.

  40. What about this scenario by sean.peters · · Score: 2

    Joe (picks up stick in parking lot): Hmm, I could use an extra one of these. (tosses in desk drawer)
    (next week) Sally: Hey Joe, I've got to bring some files to a meeting at the customer site. Got a spare stick?
    Joe: Sure, Sally, use this one.

    Now between them Joe and Sally have not only infected their own network, but also their customer's. No amount of user training provided to Sally and the customer would have been sufficient to stop this - only the OS is in a position to save the day here.

    People are inherently unreliable - machines shouldn't be.

  41. Re:No, that's a job for the police! by DrgnDancer · · Score: 4, Insightful

    You know what? Fuck that. I'm not going to let the fact that there are bad people out there make me live my life in fear. For every robber/rapist/murderer out there, there are probably between a hundred and a thousand people who just need a few minutes of your time to help with a flat tire. I'll take my chances. The world has *not* changed. You've allowed the media and a tragic event to convince you that the world has changed. There have always been bad people. There have always been good people. There have always been the vast majority of people who are just going to get along. I choose how I live my life, not some asshole who thinks a gun makes him powerful.

    Doesn't mean be stupid. If the news is reporting a "Flat tire robber", maybe you want to adjust your behavior for a while, but in general I'm going to help people who need help. I've lived my life that way for 37 years and I'm not changing it now. I've lived in downtown New Orleans. I spent a year in Iraq. The bad guys haven't made me bitter and fearful yet, I'm not going to let them do it now.

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  42. Re:Only one way to fix this by Andy+Dodd · · Score: 2

    No harm can come to a computer from having the 5v lines get shorted to D+ or D-.

    Having a high voltage boost circuit and enough capacitor to do serious damage would result in a physically HUGE stick.

    If you short +5v and ground, most USB host chipsets have current limiters and soft-breakers built-in.

    --
    retrorocket.o not found, launch anyway?
  43. Re:Only one way to fix this by DrgnDancer · · Score: 2

    rm -rf /lib/modules/$kernelnumber/kernel/drivers/usb/storage/*

    Or put the USB storage driver in /etc/modules/blacklist (I prefer this method, since it doesn't require any extra effort on kernel upgrades, but our IA guy wants the drivers completely gone, so we do the first)

    On Windows I don't know the procedure, but I definitely know you can do it. DOD disables USB storage (but not all USB devices) on every computer it owns. It's a pretty trivial procedure in Linux, and not any harder in Windows; and your keyboard and mouse still work just fine.

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  44. Re:No, that's a job for the police! by Opportunist · · Score: 2

    Same here. Everyone you bump into asks "Hey! You got a problem or what?"

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  45. Re:Only one way to fix this by DrgnDancer · · Score: 4, Insightful

    Guns and sledgehammers don't reveal their owners as a strong potential consequence of use. Hitting something with a hammer isn't going to tell you whose hammer it is. Opening "resume.doc" on a USB stick is likely to net you not only a name, but an address, e-mail, and phone number.

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  46. Re:Only one way to fix this by xouumalperxe · · Score: 2

    Here's the thing: If you take a random usb drive and plug it in your personal computer, the more immediate consequences of the act are limited to your computer and those in your local network (your family's computers, presumably). If you're a government employee and you plug in a random pen drive into your work computer, any and all data in your government office network is at risk. The level of paranoia that should be applied in each situation is different.

  47. Re:Only one way to fix this by spydum · · Score: 2

    These are not solutions. USB devices come in more than just Storage flavors. What if I design my usb "key" to instruct the host machine that I am a "sound card" and I abuse a sound card driver bug?

    Sounds crazy right? Except that exact behavior has been done on none other than: Linux.
    See: CVE-2011-0712

  48. Re:Only one way to fix this by Opportunist · · Score: 2

    It's none of your business whose it is. Hand it to your IT-Security. First of all, they have the means to test whether it's evil (and if they're not, at least you get a good laugh out of it when they spread the infection), and they should definitely learn QUICKLY about it if some "evil dude" distributes USB keys on the sidewalk in front of your company. Second, if it was really lost by someone important and contains sensitive files, what are you going to do? Worse, what if these files somehow end up where they shouldn't and they find out that you found that stick and didn't hand it in? Guess who will be the first suspect, even if you didn't sell the files. And finally, IT-Sec not only has the means but also the responsibility to deal with such a case. And didn't you always want to see the CSO fold your boss into a nice little napkin for losing critical files?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  49. Re:1.) Blame varies by site & 2.) That's a dic by Kielistic · · Score: 2

    People looking to steal something don't say "Oh, that poor old lady just forgot to close her door, it would be unsportsmanlike to rob her" and then go crack into a bank vault. Instead they take that old lady for everything she has.

    The polite, responsible thing to do would be to inform the vulnerable person about the problem. The issue here is that the computer security industry/community has been pointing these flaws out for over a decade and it hasn't made a single difference. No one is listening so some people are trying a different approach. No one listens when you say "Someone can hack your server and steal customer data." but they sure as hell get the point when someone steals the data.

    I agree that what they did was illegal and wrong(ish) but I can also see why there are people getting frustrated when the powers-that-be don't listen until something bites them in the ass.

  50. Re:Only one way to fix this by Opportunist · · Score: 2

    Again, FTFA: "And if the drive or CD had an official logo on it, 90% were installed."

    The USER installed the crap! The system is helpless against PEBKAC.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  51. Re:not just autorun! (device to filter?) by linebackn · · Score: 4, Informative

    Is there any kind of device that can be used to ensure you are only presented with a mass storage drive?

    I'm thinking of something like a small adapter where you plug the USB "drive" in one end and the other into your computer. The device could intercept and reprocess the communication so that anything that is not a standard drive would not get through. That would be nice to have because these days you never know what hardware is really in a seemingly standard-looking USB drive. At the rate things are going we might need something like this built into motherboards.

    Also, I actually bought a couple of genuine SanDisk 1GB "U3" flash drives a while back at Microcenter. When inserted in a Windows XP machine it presented itself as both a standard drive AND a CD drive that autoruns some useless preloaded Windows software. (In some work environments just letting it run this hopefully harmless but unauthorized software would be enough to get someone in trouble.) I actually had to download and run a special program just to remove this garbage, and it wipes the flash drive in the process. So yes, even a legitimate commercial flash drive can be hiding stuff.

  52. Re:Only one way to fix this by sorak · · Score: 5, Funny

    Judging by the contents of my own key drives, there is almost never any user-identifiable information on these things. Any "I was just trying to see whose it was" argument is probably just cover for "I wanted a free key drive and didn't think to format it before I used it..."

    Judging by the content of my own key drives, most people watch too much porn.

  53. Re:Only one way to fix this by geekoid · · Score: 2

    In my life, I have misplaced my wallet twice, and my wife left her purse behind once.

    In all three cases, the items were mailed to us from people who happened to find them.

    Overall most people are decent people who intend to do the right thing. Crime statistics also reflect that.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  54. Re:No, that's a job for the police! by prockcore · · Score: 5, Insightful

    My sister had no idea there was a second man hiding in the back seat, and just wanted to be nice

    I love these stories that have details that, if the story were actually true, no one would actually know.

  55. Re:1.) Blame varies by site & 2.) That's a dic by arth1 · · Score: 2

    Really, do people believe that the ends justify the means as long as we're showing vulnerabilities lulzsec style? I mean even following that logic doesn't give you props. Exploiting stupid, or simply thoughtless, behavior just means you aren't clever enough to crack effective solutions and are targeting low hanging fruit like a gimped monkey.

    didn't, they can't wash all blame off themselves because LulzSec was also in the wrong.

  56. Re:I dunno... by citylivin · · Score: 2

    "people should realize you don't pick up a stick in a parking lot and put it in your computer"... "It's like telling an adult they shouldn't pick up a syringe in a park and stick it in their arm."

    Well, aside from the fact that I don't usually lose medical devices on the street... How about a more fitting analogy. You are in the parking lot and see a wallet that looks like it has fallen out of someone's pocket. Now, do you open the wallet to see what's inside? Most people would probably say YES, for a multitude of reasons. But uh-oh! The wallet was full of ANTHRAX! And you are now dead.

    How was the person supposed to have any idea that a seemingly harmless wallet would have such a negative consequence? A syringe on the ground on the other hand is most likely medical waste. There are very few situations where a person would willingly pick that up, much less stick it in themselves.

    --
    As a potential lottery winner, I totally support tax cuts for the wealthy
  57. Re:Only one way to fix this by arth1 · · Score: 2

    Also, people who get mugged don't blame themselves. Had they stayed indoors it wouldn't have happened.

    It's more like people walking drunk through a bad neighborhood at night wearing a Rolex and with their wallet sticking visibly out of their pocket. That the pickpocket or mugger is to blame doesn't preclude that they too are to blame for being reckless.

    Again, there's enough blame to go around. The moral dualism that many people (and especially Americans) are raised with has to go. Just because X is wrong doesn't imply that Y is right.

  58. Re:not just autorun! (device to filter?) by Em+Adespoton · · Score: 2

    It seems to me that OSes should pop up a dialog when a USB device is plugged in, that displays what features the device is advertising, and allows you to OK each service you want accessible from that device on that OS, signing them so that you never get prompted for them again in the future. Should be extremely easy to add to any modern OS, as the OS already has to enumerate the features anyway. This would also mean that if your Android device got compromised and a special driver was installed that turned it into a stealth interface device when you plugged it into your PC, the PC would alert you that a new feature was detected, and did you want to enable it....
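    The per-interface prompt proposed here, the filter adapter asked for in comment 51, and the "drive that claims to be a sound card" in comment 47 all reduce to one check: look at which interface classes a device advertises before any driver binds to them. As an added example (not code from any commenter), here is that check in Python over a constructed dump in the shape of the bInterfaceClass attributes Linux exposes under /sys/bus/usb/devices; the allow-list policy, the sample devices and the class-name table are assumptions made for the example.

```python
import re
from collections import defaultdict

# USB-IF base class codes (a subset; these numeric values are standard).
CLASS_NAMES = {0x01: "audio", 0x03: "hid", 0x08: "mass-storage",
               0x0e: "video", 0xe0: "wireless", 0xff: "vendor-specific"}

# Hypothetical policy: a device we expect to be a drive may expose mass-storage only.
ALLOWED_CLASSES = {0x08}

# Constructed sample in the shape of `grep . /sys/bus/usb/devices/*/bInterfaceClass`
# (interface directories are named <bus>-<port>:<config>.<interface>).
# 1-1: plain drive; 1-2: drive plus an audio interface (the sound-card trick);
# 1-3: drive plus a HID interface (a stealth input device).
SAMPLE = """\
/sys/bus/usb/devices/1-1:1.0/bInterfaceClass:08
/sys/bus/usb/devices/1-2:1.0/bInterfaceClass:08
/sys/bus/usb/devices/1-2:1.1/bInterfaceClass:01
/sys/bus/usb/devices/1-3:1.0/bInterfaceClass:08
/sys/bus/usb/devices/1-3:1.1/bInterfaceClass:03
"""

LINE_RE = re.compile(r"^(?:/sys/bus/usb/devices/)?(?P<dev>\d+-[\d.]+)"
                     r":\d+\.(?P<iface>\d+)/bInterfaceClass:(?P<cls>[0-9a-fA-F]{2})$")

def parse_interfaces(text):
    """Group interface class codes by device (the <bus>-<port> part of the name)."""
    devices = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # anything else in the dump is ignored
            devices[m["dev"]][int(m["iface"])] = int(m["cls"], 16)
    return dict(devices)

def evaluate(interfaces, allowed=ALLOWED_CLASSES):
    """Return (ok, reasons): ok only when every interface class is permitted.
    Each unexpected interface is named so a user (or a log) sees what the
    device really asked for, which is the prompt the comment above proposes."""
    reasons = []
    for num, cls in sorted(interfaces.items()):
        if cls not in allowed:
            name = CLASS_NAMES.get(cls, "unknown")
            reasons.append(f"interface {num} advertises {name} (class 0x{cls:02x})")
    return (not reasons, reasons)

def audit(text):
    """Verdict per device for a whole sysfs-style dump."""
    return {dev: evaluate(ifaces) for dev, ifaces in parse_interfaces(text).items()}

if __name__ == "__main__":
    for dev, (ok, reasons) in audit(SAMPLE).items():
        print(dev, "allow" if ok else "block: " + "; ".join(reasons))
```

    On Linux, usbguard enforces this kind of interface-class policy in practice. Note that the U3 drive from comment 51 stays inside the mass-storage class (its CD-ROM is presented through the same storage interface), so a class check alone would not flag it.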