Slashdot Mirror


Yet Another "People Plug In Strange USB Sticks" Story

Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."

10 of 639 comments

  1. yet by arth1 · · Score: 5, Insightful

    The problem isn't that people are idiots, but that doesn't preclude people from being idiots being a problem.

    You can never make systems fully foolproof through technology, and Bruce of all people should know this.
    It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.

  2. Re:Only one way to fix this by arth1 · · Score: 5, Insightful

    Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.

    No, they won't. They'll blame the people who dropped the USB sticks, and thinking in black and white because they seem unable to do otherwise, they would think that means that they themselves are not also to blame.

    Just look at how people have reacted to this spring's exploits of web sites and services. They don't blame the companies that had lax security, and they don't blame themselves for choosing idiot passwords or not cancelling services they no longer use.

  3. Makes sense to me actually by dyingtolive · · Score: 5, Funny

    Well, I mean, I'm not going to risk MY computer to some random virus infection. Of course I'm going to use an office computer!

    --
    Support the EFF and Creative Commons. The war is coming, and they're supporting you...

  4. People are not idiots - just different motivation by ugen · · Score: 5, Insightful

    The behavior is quite logical, once you understand what the objective is. Usually the way we look at this is from the POV of corporation/corporate IT security. They find this behavior "stupid" - it potentially harms corporate systems. But consider that an individual employee quite likely cares very little for the well-being of corporate IT system or corporation in general (why - is another story). He may be interested to find out what's on the USB device (could be something valuable, you never know) and at the same time he probably wouldn't want to harm his personal computer at home. Hence - using it at work, where if this turns out to be something nasty - it's someone else's problem. And if IT asks - 100% of the time he'll say that he did not do any such thing :)

    People are not idiots, they just have their own objectives that are not very well aligned with yours.

  5. not just autorun! by Anonymous Coward · · Score: 5, Interesting

    autorun is NOT the only problem.
    The most insidious thing I have seen in this department is little usb sticks that are built into advertising. When inserted, they just act like a keyboard instead of removable media. On windows, it opened up my Run dialog and typed in the URL of the site the advertiser wanted me to go to. With me logged in as an admin, just imagine what else it could have typed into that box.
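
The device behaviour described in comment 5 shows up in the stick's USB descriptors before it types anything. As an added example (not part of the original comments), this Python code parses a raw USB configuration descriptor and flags HID interfaces on something that is supposed to be a memory stick; the function names are hypothetical and the sample descriptors are constructed, not captured from real hardware.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04   # USB descriptor types
CLASS_HID, CLASS_STORAGE = 0x03, 0x08  # USB interface class codes
PROTO_KEYBOARD = 0x01                  # HID boot-protocol keyboard

def interfaces(config: bytes):
    """Return (number, class, subclass, protocol) for each interface
    in a raw USB configuration descriptor."""
    if len(config) < 9 or config[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]  # wTotalLength
    if total > len(config):
        raise ValueError("descriptor is truncated")
    found, pos = [], 0
    while pos + 2 <= total:
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("bad descriptor length at offset %d" % pos)
        if dtype == DT_INTERFACE and length >= 9:
            found.append((config[pos + 2],) + tuple(config[pos + 5:pos + 8]))
        pos += length
    return found

def review(config: bytes):
    """List reasons a device sold as a memory stick needs a second look."""
    ifaces = interfaces(config)
    notes = []
    for num, cls, _sub, proto in ifaces:
        if cls == CLASS_HID:
            # Keyboards that skip the boot protocol report 0 and land in "input device".
            kind = "keyboard" if proto == PROTO_KEYBOARD else "input device"
            notes.append("interface %d is an HID %s" % (num, kind))
    classes = {cls for _n, cls, _s, _p in ifaces}
    if {CLASS_HID, CLASS_STORAGE} <= classes:
        notes.append("storage and HID on the same device")
    return notes

# Constructed sample descriptors (not captured from real hardware).
STORAGE_IF = "09 04 00 00 02 08 06 50 00 07 05 81 02 00 02 00 07 05 02 02 00 02 00 "
KEYBOARD_IF = "09 04 %02x 00 01 03 01 01 00 09 21 11 01 00 01 22 3f 00 07 05 83 03 08 00 0a "
PLAIN_STICK = bytes.fromhex("09 02 20 00 01 01 00 80 32 " + STORAGE_IF)
TYPING_STICK = bytes.fromhex("09 02 22 00 01 01 00 80 32 " + KEYBOARD_IF % 0)
COMBINED = bytes.fromhex("09 02 39 00 02 01 00 80 32 " + STORAGE_IF + KEYBOARD_IF % 1)

if __name__ == "__main__":
    for name in ("PLAIN_STICK", "TYPING_STICK", "COMBINED"):
        print(name, review(globals()[name]))
```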

  6. Re:Only one way to fix this by uncanny · · Score: 5, Insightful

    Wow, I found a USB stick once on a college campus, looked like a nice one so I plugged it into a computer to see if I could find whose it was so I could return it to them. I didn't realize that I deserved having my computer fried for trying to return something. Do you put mace in your wallet so that if you drop it and someone tries to return it that it sprays them in the face?

  7. Re:Windows by fuzzyfuzzyfungus · · Score: 5, Informative

    Unfortunately, while this does preclude the lowest form of hackers, the ones with firmware-level access can still do their thing...

    The most famous example are those fuckers at U3. In order to allow the delight of having an autorunning launcher pop up and annoy you every time you pop a flash drive in, they produced a little firmware modification that causes the flash drive to show up as a composite device containing one flash drive, and one CD-ROM. Since autoplay is generally still enabled on CDs, the CD contained the payload that executed the launcher.

    They, as a commercial venture, weren't truly bent on malware-style evil; but they provide a good example of how it could be done.

  8. Re:I dunno... by djmurdoch · · Score: 5, Insightful

    Okay, so what should you do with it? You want to return it to its owner, and examining its contents is the obvious way to find the owner.

    You should be able to trust your computer to let you look at what's on a USB stick. Otherwise, you can't:

      - trust files that your colleague is giving you via USB
      - trust a USB stick distributed as a promotion
      - trust your own USB stick, if you've used it to give a presentation on someone else's computer.

    Obviously, you shouldn't run programs on the stick, and you should know that lots of document formats are really programs, but you should be able to trust your computer to show you the contents without running everything on it.

  9. Re:Only one way to fix this by sorak · · Score: 5, Funny

    Judging by the contents of my own key drives, there is almost never any user-identifiable information on these things. Any "I was just trying to see whose it was" argument is probably just cover for "I wanted a free key drive and didn't think to format it before I used it..."

    Judging by the content of my own key drives, most people watch too much porn.

  10. Re:No, that's a job for the police! by prockcore · · Score: 5, Insightful

    My sister had no idea there was a second man hiding in the back seat, and just wanted to be nice

    I love these stories that have details that, if the story were actually true, no one would actually know.