Security Privacy

No, Spotify, You Shouldn't Have Sent Mysterious USB Drives To Journalists (techcrunch.com) 53

Zack Whittaker, writing for TechCrunch: Last week, Spotify sent a number of USB drives to reporters with a note: "Play me." It's not uncommon for reporters to receive USB drives in the post. Companies distribute USB drives all the time, including at tech conferences, often containing promotional materials or large files, such as videos that would otherwise be difficult to get into as many hands as possible. But anyone with basic security training under their hat will know to never plug in a USB drive without taking some precautions first.

Concerned but undeterred, we safely examined the contents of the drive using a disposable version of Ubuntu Linux (using a live CD) on a spare computer. We examined the drive and found it was benign. On the drive was a single audio file. "This is Alex Goldman, and you've just been hacked," the file played. The drive was just a promotion for a new Spotify podcast. Because of course it was. Jake Williams, a former NSA hacker and founder of Rendition Infosec, called the move "amazingly tone deaf" to encourage reporters into plugging in the drives to their computers.

  • Huh? (Score:5, Funny)

    by ceoyoyo ( 59147 ) on Monday December 23, 2019 @03:16PM (#59551308)

    Seems to me if you were a reporter and you just plugged this thing into your computer and listened to that file, it would scare the shit out of you and you might not do it again.

    • Re:Huh? (Score:4, Informative)

      by bluefoxlucid ( 723572 ) on Monday December 23, 2019 @03:18PM (#59551316) Homepage Journal

      Yeah I don't see what the problem here is. It's bad to encourage journalists to plug in random USB drives? Anyone who did that just got their hand slapped.

      • If their employer actually thought of IT security, they may have a PC off network set up and ready to be cleaned and reinstalled at a moment's notice.

    • Re:Huh? (Score:5, Insightful)

      by LynnwoodRooster ( 966895 ) on Monday December 23, 2019 @03:52PM (#59551488) Journal
      Apparently, not enough are aware enough to not plug in random USB drives. But they ARE sensitive enough to attack those who make their ignorance known...
    • Re:Huh? (Score:5, Interesting)

      by sjames ( 1099 ) on Monday December 23, 2019 @04:11PM (#59551558) Homepage Journal

      It does remind me of the sort of infosec training used by some corporations where they send phishing mails to their employees where the link leads to a page reminding them not to click links in an email.

      • by Pascoea ( 968200 )
        We do those regularly. There were people IN OUR I.T. DEPARTMENT that are 0 for 3. I really hope they got a stern talking to.
        • by ceoyoyo ( 59147 )

          My former university did that once. I promptly clicked on the link. When I got the followup nasty e-mail I replied that sending the phishing e-mail from the IT department's official address, through a completely legitimate university-servers-only path didn't really make it much of a test.

          • by sjames ( 1099 )

            Except it *IS* a valid test. In simulation, the bad guy got a mis-configured mail server to send you a legit looking email. You clicked and helped them widen the crack in the armor.

            • by ceoyoyo ( 59147 )

              If your institution has misconfigured e-mail servers, and misconfigured web servers that let the bad guys not only send you e-mails from that institution but also set up fake web pages on that institution's servers, well, there's not much hope, is there?

              • by sjames ( 1099 )

                So you advocate hard and crunchy outside, soft and squishy inside?

                If the bad guy manages to get control of one server, it's bad news. If he gets control of things on the other side of the DMZ, it's worse.

                • by ceoyoyo ( 59147 )

                  The issue of whether organizations should be sending around e-mails with links in them at all is separate. Personally, I don't think you should be training people to click on links in e-mail, but they do.

                  So if you're going to make a habit of sending legit e-mails with links that need to be clicked, don't make your fake phishing messages come from legit servers and link to legit addresses. Spend a few bucks and get yourself a shady server with a shady address and use that.

    • Seems to me if you were a reporter and you just plugged this thing into your computer and listened to that file, it would scare the shit out of you and you might not do it again.

      The journalists were careful and wasted time plugging it into a secure disposable machine, only to have their time wasted by a stupid message that doesn't apply to them and is just an annoying ad.

  • what about DVD, audio cd, VHS autoplay in an non computer box?

    • I think there's a benefit to maintaining a healthy bit of paranoia even when dealing with a music box. I know a few people who won't even trust flip books.
    • Optical and Magnetic Media? What, do you live in the 00's?

      Besides, these "Non Computer Boxes" are just as much computers as your desktop is. Compared to a USB stick, these media options are much larger and more obvious packages, and prone to damage much quicker.

    • It's a good reason to buy the DVD and not the brown-ray version of a film.

    • by pnutjam ( 523990 )
      Depends, how do you feel about "The Ring" [wikipedia.org]....
  • by Pascoea ( 968200 ) on Monday December 23, 2019 @03:18PM (#59551318)
    I don't see the issue with this. If 50 of the reporters they sent a flash drive to plugged them in without thinking and got "educated" on why not to do that, isn't the world a better place?
    • I'll pick your daughter up after school, take her on a nice tour of the city in my car, then bring her back home, unharmed, in time for supper.

      That'll teach you about the security of your children! The world will be a better place for it, right?

      • Could you? She spends far too much time playing video games

      • by Pascoea ( 968200 )
        Yeah, idk, that analogy doesn't really fit. You're not testing if I'm willing to perform some stupid action. Maybe if you had come to my house and told me "I'm here to pick up your daughter" and I just sent her on her merry way without confirming who you were and why you're picking her up, that would be a more valid test.
  • by hawguy ( 1600213 ) on Monday December 23, 2019 @03:21PM (#59551340)

    I don't understand the problem -- sure, security conscious reporters aren't going to just plug it in and see what it does, but there are plenty who will, and that's probably the target audience for the security podcast. I thought they were going to say that the drives contained malware or some auto-installing application.

    • by leonbev ( 111395 )

      I would hope that most tech journalists would be smart enough to run any thumb drives they receive on an air gapped system by now. I'd only imagine how much malware they must have received from disgruntled readers in the past.

    • And now they're getting free advertising, it was a great move.
      • Although there is the axiom of "any news is good news" in PR circles, Spotify just pissed off a lot of journalists.

        Someone in Spotify's marketing dept thought this was a good idea. Yes, it got a lot of ink, but most of the ink will make Spotify look plainly stupid, because they were, in fact, stupid. If this is the level of sophistication in the podcast episodes, might as well cancel it now.

        • by Pascoea ( 968200 )

          If this is the level of sophistication in the podcast episodes, might as well cancel it now.

          Why? How many breaches are the result of end users doing something they shouldn't have, vs hackers gaining access to a system completely from the outside.

          • More useful would be something that doesn't immediately put up mental blocks in journalist's minds. Most journalists would find great skepticism in such an approach, IMHO.

            There are a lot of podcasts that deal with exactly the scenario posited by Spotify. It's neither unique, nor does it give a good impression.

            It was an expensive stunt, and is unlikely to have rewarded Spotify in the manner Spotify desired. PR is full of bad stunts. This was one of them.

            • by Pascoea ( 968200 )

              I was more commenting around the "level of sophistication" aspect of your post. Quite possibly I misunderstood what you meant.

              I can see ways that this stunt would backfire, and I don't doubt that some journalists may be put off by being made to look dumb...

              • We just assume that of course, when you plug in a USB drive, it can take over your entire system. Everybody knows that.

                Linux is no better than Windows. The USB can pretend to be a keyboard and pump in commands.

                You NEVER know that a USB is safe. Even if you burnt it yourself it could contain latent malware.

                It should ALWAYS be safe to plug in an unknown USB. The computer should not trust it.

                BUT THEY ALL DO.

                (The USB might fry your computer, but that is not what we are talking about here.)

                • by Pascoea ( 968200 )

                  We just assume that of course, when you plug in a USB drive, it can take over your entire system. Everybody knows that.

                  Emphasis mine. That's the problem, not everybody knows that. They should, but they don't. The rest of your post is spot on.

                  • No. Why should people need to know that? It should be safe to plug in an unknown USB into a machine. That is not rocket science.

                    If, while on the road, a colleague gives you a USB with important info on it, is that USB safe? Are their computers safe? What is the history of the USB and everything that it has been plugged into? There is no way to know.

                    So you just plug it in and most of the time you get away with it.

            • Expensive? Seems pretty cheap to me. USB drives are a common swag item. They can be had for a few bucks apiece. Cheaper than mailing them a mug and has a lesson attached. Although it does bring up an interesting point of the thousands of people who get free usb drives as swag (or even buy them on amazon) and just assume that they are new and clean.

  • by Dallas May ( 4891515 ) on Monday December 23, 2019 @03:31PM (#59551400)

    Tone deaf, maybe, but here we are reading about it and talking about it.

    Sounds like the promotion worked perfectly.

    • I know the phrase is from TFA, but I'm not actually seeing what is "tone deaf" about this. That phrase usually applies to someone making insensitive and likely hurtful comments in a situation where they should know better - like someone making a joking reference about the possibility of a recently-deceased person being in hell rather than in heaven.

      "Inappropriate" would have fit the speaker's intent better, or perhaps "ill advised" - although, as several commenters here have already pointed out, the exercis

  • Assuming I plugged it into my Linux box, I'm not sure just how much harm it could do.

  • I would treat it like it was infected or one of those capacitor bomb things that destroys computers with a jolt of electricity. I would find the cheapest piece of junk PC or laptop that I can afford to throw away to use to plug it in first, then if nothing bad happens I will look at the contents.
    • by Pascoea ( 968200 )
      Or just throw it in the trash. I assume anyone sending me a flash drive with no explanation other than a "play me" note isn't going to end well for me. Best case, it's loaded with goatse, slightly worse case, an ad for a Spotify podcast, worst case your network is on fire...
  • Maybe, just maybe we need more of these examples to show the world that a) it's a bad idea to actually plug this kind of shit in and b) see (a)

    My company sends out fake phishing mails to train the workforce (some of them are really clever) so we don't get actually phished. We should see more of this so people aren't caught with their pants down when Russia/China/Facebook/etc actually do something (intentionally|unintentionally) malicious.

  • Now that TechCrunch tested a single stick and it was safe we know all the sticks are safe. Hard to say who is the more ignorant here.
  • by sad_ ( 7868 ) on Tuesday December 24, 2019 @06:56AM (#59553266) Homepage

    "A spokesperson for Spotify did not comment. Instead, it passed our request to Sunshine Sachs, a public relations firm that works for Spotify, which would not comment on the record beyond that “all reporters received an email stating this was on the way.”"

    They should have been aware this was coming their way, as warning/announcement emails were sent.
