Slashdot Mirror


A Lot of People Carelessly Plug In Random USB Drives Into Their Computers (vice.com)

An anonymous reader writes: Scientists have proven that a lot of people will carelessly plug in a USB drive found on the ground, exposing themselves to potential infections from malware. The researchers dropped 297 USB flash drives on a university campus and saw that in 48% of the cases, people picked them up, plugged them in, and opened files from the drive on their computers. Should such people be mocked? Would you plug in a USB drive that you found on the ground? Bruce Schneier, an American cryptographer, computer security and privacy specialist, makes a good point: People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.

13 of 391 comments

  1. People are stupid by JustAnotherOldGuy · · Score: 2, Insightful

    People are stupid, film at 11.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: People are stupid by bugs2squash · · Score: 3, Insightful

      So buy the small drive and print 64GB on the outside.

      --
      Nullius in verba
    2. Re:People are stupid by green1 · · Score: 3, Insightful

      Does your screwdriver jump up off your workbench and randomly start unscrewing things without asking first?

      The problem isn't that you can run harmful code off a storage device, that's a known problem with an easy solution (don't be a moron). The problem is that the computer will AUTOMATICALLY run harmful code off a storage device by default unless you've done something to prevent it.

      As long as a computer does what I ask it to, I can know what risks I'm taking, but if I can't even know if a USB stick is harmful until after it has done the harm, that's incredibly poor design.

    3. Re:People are stupid by AK+Marc · · Score: 3, Insightful

      You put 10 spread around the parking lot with the name/logo of the company, or a competitor (or try both and see which hits best), and someone will "be nice" and try to see whose it is to return it, or something like that. The real reason scams don't work as well as they should is that scammers prey on the weak (419 scams), rather than preying on the good people.

      And the people here claim that nothing can be hardened against USB. It could look like a memory stick, but have a keylogger that loads as a HID (often allowed for all), and has a USB-powered 3G modem for calling home and sending the keystrokes. Just blocking USB-loaded software won't do any good when you run into an attacker smarter than you.

  2. Re:The chance of getting juicy selfies are a lot h by Mr+D+from+63 · · Score: 4, Insightful

    My guess is a fair amount of people open them just in an attempt to ID the owner so they can return it.

  3. OS designers, not the customers are stupid. by gurps_npc · · Score: 5, Insightful

    1) Given: People will take a random USB stick and plug it into a computer.

    2) Conclusion: Only a moron will design an Operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.

    The minimal convenience of having auto-run for USB drives is far over-ridden by the huge security leak.

    Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.

    --
    excitingthingstodo.blogspot.com
    1. Re:OS designers, not the customers are stupid. by Anonymous Coward · · Score: 2, Insightful

      USB drives can be set to short circuit a motherboard.

      Conclusion: Don't plug unknown USB drives into your computer.

  4. Can't blame "people"; it's the industry's failing by Anonymous Coward · · Score: 3, Insightful

    This isn't just the OS; you can easily diddle USB devices with malware in their firmware that then diddles the host in ways that don't require an obviously too trusting OS such as the most popular one that continues in this manner well after the idea has been well and truly discredited.

    In other words, "we", the people that design and make the hardware and the software and so on, keep on making promises we know are false to "users": "No training needed", "this OS is user friendly", "this hardware will do what you tell it to", and so on, and so forth. It's the industry that's at fault because all that "stupid stuff" the users do, we keep on telling them that it's quite right and go ahead... right up until we chastise them for having fallen for a scam or a virus or whatever. "Sure you can do that", 'but now the box is bleeping angrily', "don't do that then." Worst Pavlov training ever.

    So no, you really cannot blame "people" for this, nor "users". It's the engineers and perhaps more so the companies employing the engineers.

  5. What kind of dumb OS... by Pfhorrest · · Score: 3, Insightful

    What kind of dumb OS autoruns anything off of any volume the moment it's connected without any request from the user?

    Oh right, Windows. Well, there's your problem.

    --
    -Forrest Cameranesi, Geek of all Trades
    "I am Sam. Sam I am. I do not like trolls, flames, or spam."
  6. Re:Is this still true? by Anonymous Coward · · Score: 3, Insightful

    A security n00b I see. You assume that it'll detect as storage and automatically run some executable. It's not hard to make a USB stick recognize as a keyboard and then have it start running commands, including opening a web browser and downloading anything needed to compromise your system. Never forget what can be done with a simple keyboard.

    Besides, Windows doesn't autorun anything, it pops up a dialog and asks the user what they want to do.

  7. Re:disable auto-run by Tuidjy · · Score: 3, Insightful

    The problem is that the USB drive can identify as a different kind of device, like a keyboard, run commands, download and install software, and even interact with the security modal screens.

    --
    No good deed goes unpunished...
  8. Re:People are stupid [Not] by Tablizer · · Score: 3, Insightful

    No, the people are NOT stupid.

    Logically a data drive should have data and only data from the computer's perspective, and not run any executables or scripts on it without first explicitly asking. It should be designed that way from the start. That's how Vulcans would design it.

    The fact that it's so easy for hackers to bypass what SHOULD be normal and expected is a failure of the technology and/or standards, NOT of consumers.

  9. Re:Is this still true? by lgw · · Score: 4, Insightful

    Bit of a bootstrapping issue there. When you plug in your first mouse or keyboard, what would you use to click "yes"?

    --
    Socialism: a lie told by totalitarians and believed by fools.
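
Several comments above note that a stick can enumerate as a keyboard rather than (or as well as) storage. The following is an added example, not part of the original thread: a defender-side audit that reads the USB interface class codes Linux exposes under `/sys/bus/usb/devices` and reports every device able to send input, separating out those that also present mass storage. The function names and the sample tree are constructed for illustration; the class codes (0x03 HID, 0x08 mass storage) come from the USB specification.

```python
import os
import tempfile

HID, MASS_STORAGE = 0x03, 0x08   # USB-IF interface class codes


def read_hex(path):
    with open(path) as fh:
        return int(fh.read().strip(), 16)


def interface_classes(root):
    """Map device name -> set of interface classes from a sysfs-style tree."""
    found = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:              # interface dirs look like "1-3:1.0"
            continue
        dev = entry.split(":")[0]
        cls = read_hex(os.path.join(root, entry, "bInterfaceClass"))
        found.setdefault(dev, set()).add(cls)
    return found


def audit(root="/sys/bus/usb/devices"):
    """Return {device: finding} for every device that can act as an input device."""
    findings = {}
    for dev, classes in interface_classes(root).items():
        if HID in classes and MASS_STORAGE in classes:
            findings[dev] = "storage+HID composite"
        elif HID in classes:
            findings[dev] = "HID"
    return findings


def build_sample_tree():
    """Constructed sample data: three devices laid out the way sysfs does it."""
    root = tempfile.mkdtemp()
    sample = {"1-1:1.0": "08",    # plain flash drive
              "1-2:1.0": "03",    # ordinary keyboard
              "1-3:1.0": "08",    # "flash drive" that also...
              "1-3:1.1": "03"}    # ...exposes a HID interface
    for name, cls in sample.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")
    return root


if __name__ == "__main__":
    print(audit(build_sample_tree()))
```

A plain "HID" finding is only suspicious when the physical object is not a keyboard or mouse, so the output has to be compared against what was actually plugged in.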