Yet Another "People Plug In Strange USB Sticks" Story 639
Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."
Only one way to fix this (Score:1, Insightful)
Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.
No... (Score:3, Insightful)
The OS trusts the people, the people ARE the weak link no matter how much you want to spin it.
Windows (Score:5, Insightful)
AutoRun!
But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.
yet (Score:5, Insightful)
The problem isn't that people are idiots, but that doesn't preclude people from being idiots being a problem.
You can never make systems fully foolproof through technology, and Bruce of all people should know this.
It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.
OS trust not really the issue. (Score:4, Insightful)
I dunno... (Score:2, Insightful)
The problem isn't that people are idiots...
Seems to me this is exactly the problem.
Re:Only one way to fix this (Score:5, Insightful)
Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.
No, they won't. They'll blame the people who dropped the USB sticks, and thinking in black and white because they seem unable to do otherwise, they would think that means that they themselves are not also to blame.
Just look at how people have reacted to this spring's exploits of web sites and services. They don't blame the companies that had lax security, and they don't blame themselves for choosing idiot passwords or not cancelling services they no longer use.
Re:I dunno... (Score:2, Insightful)
People are not idiots - just different motivation (Score:5, Insightful)
The behavior is quite logical, once you understand what the objective is. Usually the way we look at this is from the POV of corporation/corporate IT security. They find this behavior "stupid" - it potentially harms corporate systems. But consider that an individual employee quite likely cares very little for the well being of corporate IT system or corporation in general (why - is another story). He may be interested to find out what's on the USB device (could be something valuable, you never know) and at the same time he probably wouldn't want to harm his personal computer at home. Hence - using it at work, where if this turns out to be something nasty - it's someone elses problem. And if IT asks - 100% of the time he'll say that he did not do any such thing :)
People are not idiots, they just have their own objectives that are not very well aligned with yours.
Re:Windows (Score:4, Insightful)
It would be great to have a sandbox option to run such software. I'd also be curious what's on a found USB key. And wondering what that .exe would be doing.
Best solution may be if software run from an external and thus untrusted source (like a USB key) would be automatically sandboxed, and running into its own environment, separated from the rest of the OS. If it tries to do anything bad, just kill it, finish. Then we can satisfy our natural curiousity, while still being protected from anything nasty that may be done.
This could also be a solution to make autorun useful AND safe.
Re:Only one way to fix this (Score:5, Insightful)
Re:Only one way to fix this (Score:3, Insightful)
Re:not just autorun! (Score:3, Insightful)
Re:Dumb story (Score:5, Insightful)
Part 1
http://www.youtube.com/watch?v=q6UIrdLAkFM [youtube.com]
Part2
http://www.youtube.com/watch?v=osF6FS2KS_E [youtube.com]
Rule #1 -- If you're going to narrate a video, get a personality. Seriously, I had to turn it off after the first minute because it was so boring.
Re:Only one way to fix this (Score:4, Insightful)
It's a
Re:Only one way to fix this (Score:5, Insightful)
No surprise people plug found sticks in work PCs.. (Score:3, Insightful)
Re:No, that's a job for the police! (Score:5, Insightful)
I really feel for your situation. That said, I'm still going to trust people. I trust people knowing that that trust could blow up in my face at any time; that's just a risk one takes. I will continue to trust people because without trust, there is only suspicion and paranoia, and I don't really want to live in a world where paranoia rules anyway.
Re:I dunno... (Score:5, Insightful)
Okay, so what should you do with it? You want to return it to its owner, and examining its contents is the obvious way to find the owner.
You should be able to trust your computer to let you look at what's on a USB stick. Otherwise, you can't:
- trust files that your colleague is giving you via USB
- trust a USB stick distributed as a promotion
- trust your own USB stick, if you've used it to give a presentation on someone else's computer.
Obviously, you shouldn't run programs on the stick, and you should know that lots of document formats are really programs, but you should be able to trust your computer to show you the contents without running everything on it.
Re:No, that's a job for the police! (Score:3, Insightful)
Re:No, that's a job for the police! (Score:5, Insightful)
You know what? Fuck that. I'm not going to let the fact that there are bad people out there make me live my life in fear. For every robber/rapist/murderer out there, there are probably between a hundred and a thousand people who just need a few minutes of your time to help with a flat tire. I'll take my chances. The world has *not* changed. You've allowed the media and a tragic event to convince you that the world has changed. There have always been bad people. There have always been good people. There have always been the vast majority of people who are just going to get along. I choose how I live my life, not some asshole who thinks a gun makes him powerful.
Doesn't mean be stupid. If the news is reporting a "Flat tire robber", maybe you want to adjust your behavior for a while, but in general I'm going to help people who need help. I've lived my life that way for 37 years and I'm not changing it now. I've lived in downtown New Orleans. I spent a year in Iraq. The bad guys haven't made me bitter and fearful yet, I'm not going to let them do it now.
Re:Only one way to fix this (Score:5, Insightful)
Guns and sledgehammers don't reveal their owners as a strong potential consequence of use. Hitting something with a hammer isn't going to tell you whose hammer it is. Opening "resume.doc" on a USB stick is likely to net you not only a name, but an address, e-mail, and phone number.
Re:not just autorun! (Score:5, Insightful)
I'll see your "clever" and raise you a "completely terrifying". I'm ashamed that it never occurred to me that something in a USB flash drive form factor wouldn't be a flash drive. I just got done lecturing a coworker about SQL injection, but I would've been utterly vulnerable to a "USB injection" attack up until 5 minutes ago.
Re:No, that's a job for the police! (Score:5, Insightful)
I love these stories that have details that, if the story were actually true, no one would actually know.