
Yet Another "People Plug In Strange USB Sticks" Story

CmdrTaco posted more than 3 years ago | from the gets-me-going dept.

Security 639

Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."


Only one way to fix this (1, Insightful)

Ant P. (974313) | more than 3 years ago | (#36611506)

Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.

Re:Only one way to fix this (5, Insightful)

arth1 (260657) | more than 3 years ago | (#36611586)

Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.

No, they won't. They'll blame the people who dropped the USB sticks, and thinking in black and white because they seem unable to do otherwise, they would think that means that they themselves are not also to blame.

Just look at how people have reacted to this spring's exploits of web sites and services. They don't blame the companies that had lax security, and they don't blame themselves for choosing idiot passwords or not cancelling services they no longer use.

Re:Only one way to fix this (0)

Anonymous Coward | more than 3 years ago | (#36611604)

RTFA, the people are not to blame here.

Re:Only one way to fix this (1)

PIBM (588930) | more than 3 years ago | (#36611748)

WTF ?

60% of the people use those randomly found USB keys in their office computer, and if the icon was official looking, 90% of them installed the applications found on it... What a good trojan attack!

Re:Only one way to fix this (0)

Anonymous Coward | more than 3 years ago | (#36611888)

The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks.

The problem is that people ARE idiots... who run an OS that trusts random USB sticks AND fail to take that into account when plugging in random USB sticks.

A non-idiot would either understand the risk or would run an OS that doesn't trust random USB sticks. These people are, in fact, idiots. QED.

Re:Only one way to fix this (1)

Anonymous Coward | more than 3 years ago | (#36611616)

You mean people will get that new computer they have been begging IT for just by plugging in a USB stick? Cool.

Re:Only one way to fix this (5, Insightful)

uncanny (954868) | more than 3 years ago | (#36611704)

Wow, I found a USB stick once on a college campus, looked like a nice one so I plugged it into a computer to see if I could find whose it was so I could return it to them. I didn't realize that I deserved having my computer fried for trying to return something. Do you put mace in your wallet so that if you drop it and someone tries to return it that it sprays them in the face?

Re:Only one way to fix this (1)

jhoegl (638955) | more than 3 years ago | (#36611784)

You mean like helping someone with a flat on the side of the road only to be robbed?

Re:Only one way to fix this (1, Interesting)

mcmonkey (96054) | more than 3 years ago | (#36611806)

Came here to post the same thing. I found a USB stick in a restaurant near a college campus. I plugged it in to see if I could identify the owner to return. Yes, I realize the dangers of accessing strange memory. Why do you think I used my computer at work rather than expose my home system?

I blame the corporate IT folks. If you don't want people using the USB ports on your computers, why do your computers have functioning USB ports?

Re:Only one way to fix this (0)

Anonymous Coward | more than 3 years ago | (#36611906)

They have functioning USB ports because people like you would whine that they can't use their wireless mouse and keyboard. They would never be so stupid to plug in a USB stick they found on the sidewalk.

Re:Only one way to fix this (1)

Jeng (926980) | more than 3 years ago | (#36611920)

If you don't want people using the USB ports on your computers, why do your computers have functioning USB ports?

Gotta have the USB ports functioning due to the lack of PS-2 connections on new motherboards and computers.

Re:Only one way to fix this (1)

vlm (69642) | more than 3 years ago | (#36611714)

Someone needs to start dropping USB sticks that physically destroy hardware when plugged in

I'm surprised no one in the sandbox has tried IEDs like this.. Or at least no declassified or wikileaked reports, so far. Maybe it depends on the audience, soldiers aren't dumb enough, but cube dwellers are?

Re:Only one way to fix this (1)

h4rr4r (612664) | more than 3 years ago | (#36611802)

USB sticks are kinda small for a good bang. A dvd player or another piece of portable electronics would be far better.

Re:Only one way to fix this (1)

The MAZZTer (911996) | more than 3 years ago | (#36611730)

Can't do any of that stuff without admin access, so you'll only destroy home users' computers...

Re:Only one way to fix this (1)

blueg3 (192743) | more than 3 years ago | (#36611750)

If you can figure out how to do that in USB, it's worth a lot more than teaching people a lesson about security. (I suppose you could do some of it with a trojan, but that's cheating.) Sadly, USB isn't FireWire.

Re:Only one way to fix this (1)

CastrTroy (595695) | more than 3 years ago | (#36611768)

Corporations need to fill the USB drives with epoxy. People are stupid. Not only that, even if they are smart, they would rather plug it in at work, than risk plugging it in at home. Short solution is that corporations need to have software installed on the machines that can limit what devices can be plugged into the computer. This is entirely possible. My company uses it. If people want to take work files home, they shouldn't. They should use a VPN to log into the network from home and access the files over the internet. People shouldn't have the authority to plug in random hardware.

Along the same lines as you mentioned, create a USB stick with a battery that discharges all at once upon plugging it in, frying the USB port. I'm not sure how big the battery would have to be, but it could probably be done. What happens if you short the USB power lines?

Re:Only one way to fix this (1)

cyberchondriac (456626) | more than 3 years ago | (#36611862)

You'd probably fry more than just the USB port, you might take out the 5v line in the power supply too, bringing everything to a screeching halt.

Re:Only one way to fix this (1)

socz (1057222) | more than 3 years ago | (#36611898)

Maybe we're going about this all wrong. Let's start dropping USB devices (not limited to flash memory sticks) that disable key functions of PCs. Some could disable video, others sound and keyboard. When users start calling IT because of problems, it'll quickly be found out that the cause is because someone plugged in something they shouldn't have. It's both non-destructive and a learning experience. What do you think?

Re:Only one way to fix this (1)

h4rr4r (612664) | more than 3 years ago | (#36611904)

Short solution is that corporations need to have software installed on the machines that can limit what devices can be plugged into the computer. This is entirely possible.

Can you plug in keyboards at work?
There is no reason an evil usb stick could not act as a keyboard and input the needed keystrokes to download evil software.

Shorting USB power lines will not do much, they are only 5v and 500ma. What you would want is the biggest capacitor you could find that would fit in a usb stick. Capacitors discharge all at once, batteries do not.

Re:Only one way to fix this (1)

MikeB0Lton (962403) | more than 3 years ago | (#36611922)

The age-old epoxy solution seems so primitive these days. Just turn off the port in the BIOS and password protect it. For example, Dell provides the capability to do this centrally. If you want to get fancy, put in something like McAfee's encrypted USB solution. Even Symantec Endpoint Protection allows white listing of USB storage media.

Re:Only one way to fix this (1)

xclr8r (658786) | more than 3 years ago | (#36611774)

From an IT standpoint I agree with you. From a social perspective I do not. When I hear about people doing this the #1 reason they give is: "I wanted to notify the owner that their device was found." I live in a college town where a lot of academic work is on those sticks and they get lost and the work that went into them.

They are just trying to help someone avoid double work. But as we know the road to hell is paved with good intentions.

Re:Only one way to fix this (1)

Phreakiture (547094) | more than 3 years ago | (#36611788)

I'm thinking no software at all . . . capacitor and charge pump with a usb plug, made to look like a USB storage device. Capacitor charges from power pins, then discharges to power and data pins. All this happens while the user is still going "What's wrong with this thing?"

The problem, of course, is that destroying hardware doesn't accomplish much that is of value. Collecting data is far more useful.

Re:Only one way to fix this (1)

asdfhwerufj (2322056) | more than 3 years ago | (#36611798)

The USB sticks need to physically hurt the people when they plug them in. Using a mild electrical shock or something.

Re:Only one way to fix this (1)

VortexCortex (1117377) | more than 3 years ago | (#36611800)

Already exists. Small USB drive enclosure bombs that use the power pins to ignite a small quantity of black powder / blasting cap & plastic explosive. Certain to at least maim an individual considering the proximity of their hand to the explosives. I've not seen any instance of this in any World Police countries, yet...

Dropping a few hundred of these in a city would spread a decent amount of terror. You'd only be able to do it once, the public would learn not to trust the USB drives they find.

Honestly, you couldn't pay me to plug ANYTHING into my computer that I didn't purchase from a store, and even then I'm wary of the device's packaging & specifically avoid repackaged items from stores like Fry's (even if they are discounted).

It's a shame, sometimes you can't even trust devices that come from the factory (USB Picture-frame trojans). My G'Linux OS has been configured to require admin privileges for any new USB devices. This should be the standard config with a "[_] Don't ask me again." option, IMO. Especially since this arbitrary code execution exploit has been demonstrated. [youtube.com]

Re:Only one way to fix this (0)

Anonymous Coward | more than 3 years ago | (#36611832)

That would only work if the user account had admin access and had autorun enabled. If I found a USB stick, sure I'd plug it into my PC without the slightest worry. Format that sucker and hey, I've got a free USB stick.

Re:Only one way to fix this (1)

Anonymous Coward | more than 3 years ago | (#36611858)

Someone needs to start dropping USB sticks that physically destroy hardware when plugged in. Overclock video cards 30%. Issue ATA nuke commands. Scribble over optical drive firmware. Flash the BIOS with a LMOS bootloader. Maybe then people will realise that You Do Not Fucking Do This.

Seriously?

I hope you never lose your wallet, or if you do, someone will probably throw it in the trash instead of trying to do the right thing and help find its rightful owner.

hrmmph.. (2)

Slack0ff (590042) | more than 3 years ago | (#36611512)

>> The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."

Couldn't it still be a little of both?

Re:hrmmph.. (1)

Robert Zenz (1680268) | more than 3 years ago | (#36611674)

You're right, the problem is that people (read: IT-Stuff) trust an OS which trusts random USB-Sticks OR are too dumb to configure it correctly.

Car analogy (0)

Anonymous Coward | more than 3 years ago | (#36611740)

If someone found a random car part in the parking lot, then broke their car when they tried installing it, should we blame the car?

"The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."

No, it's completely the user. Why shouldn't the OS trust what the user does who has physical access?

No... (3, Insightful)

Anonymous Coward | more than 3 years ago | (#36611518)

The OS trusts the people, the people ARE the weak link no matter how much you want to spin it.

Re:No... (1)

Gideon Wells (1412675) | more than 3 years ago | (#36611664)

I agree in part.

A chain is only as strong as the weakest link. I've seen it with family members with Windows once that "Do you really want to do this?" box was added. It conditioned them that any little thing they did was going to pop it up so they were even more careless.

Basically this is what it will come down to. You either educate the users or you develop the computer equivalent of a TSA screening to shield the system from idiotic users. It comes down to how much you want to penalize (time wasted or otherwise) stupid behavior to make it not worth the hassle to attempt.

Re:No... (1)

Oligonicella (659917) | more than 3 years ago | (#36611786)

If you want a machine you can make perform in the manner you want it to, you have to have an OS that trusts you. It would irritate the hell out of me to be asked "Is this a device you trust?" every damned time I use one.

Windows (4, Insightful)

Kagetsuki (1620613) | more than 3 years ago | (#36611526)

AutoRun!

But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.

Re:Windows (0)

Anonymous Coward | more than 3 years ago | (#36611606)

Yeah, Autorun is the problem.

I should be able to examine any volume without compromising my system. If I go checking out exe's, then I'm on my own.

Re:Windows (2)

jader3rd (2222716) | more than 3 years ago | (#36611760)

Maybe you shouldn't be on your own. What if there was a super easy way to tell the OS that this removable media is not from a trusted source. Then any executable that runs from it is run in a sandbox that's destroyed when the removable media is removed.

Re:Windows (1)

yarnosh (2055818) | more than 3 years ago | (#36611886)

Simpler solution would just not allow anything to execute on such media. This can be accomplished in Linux and OS X. Though there's no quick and easy GUI for it.

Re:Windows (2)

gstoddart (321705) | more than 3 years ago | (#36611608)

But seriously, I'd check out the data on a stick I picked up. I'm a Linux user so at least I wouldn't have the autorun issue, but a mysterious piece of software I may try running in Wine or a VM so I could just as well have fallen victim.

I couldn't agree with this more ... I've always hated the fact that Microsoft (in their on-going attempt to pander to drooling idiots) has set it up by default so that it will pretty much run anything that comes near it, without asking the user or any level of assumption that this could be a bad idea.

Yes, computers confused people for a bunch of years ... but running any old binary that comes along is stupid. Merely plugging in a USB drive should not really be a vector for automatic execution of arbitrary code.

In fact, the default should be to NOT run it ... but, everybody is so enthralled with their autorun.exe that they seem to think it's a good idea.

Re:Windows (1)

EvanED (569694) | more than 3 years ago | (#36611688)

I've always hated the fact that Microsoft (in their on-going attempt to pander to drooling idiots) has set it up by default so that it will pretty much run anything that comes near it, without asking the user or any level of assumption that this could be a bad idea.

You mean "had". It hasn't been the case that you'd autorun stuff from something you plug in under a default configuration for years; MS changed the settings with the release of Vista.

Now, you could still make a USB stick that fakes a mouse/keyboard and probably selects the right thing from the autoplay dialog (hugely different from autorun btw) that pops up, but I don't think I know of an OS that won't just work if you plug in a keyboard or mouse. You could just as easily make a USB stick that opens up a terminal and runs 'rm -rf ~'; that really is a case where the wide deployment of Windows means that a uniform attack vector is much much easier. But as for the fundamental problem, there's... not really much of anything you can do there.

Re:Windows (1)

vlm (69642) | more than 3 years ago | (#36611780)

but I don't think I know of an OS that won't just work if you plug in a keyboard or mouse. You could just as easily make a USB stick that opens up a terminal and runs 'rm -rf ~';

Windows key, up arrow, up arrow, enter, "run something nasty.exe", enter, "boom"

Re:Windows (0)

Anonymous Coward | more than 3 years ago | (#36611654)

In Windows 7, autorun is disabled by default for removable media.
And there's an update [microsoft.com] for Windows XP to make it have the same behavior.

not just autorun! (5, Interesting)

Anonymous Coward | more than 3 years ago | (#36611656)

autorun is NOT the only problem.
The most insidious thing I have seen in this department is little usb sticks that are built into advertising. When inserted, they just act like a keyboard instead of removable media. On Windows, it opened up my Run dialog and typed in the URL of the site the advertiser wanted me to go to. With me logged in as an admin, just imagine what else it could have typed into that box.

Re:not just autorun! (1)

KhabaLox (1906148) | more than 3 years ago | (#36611736)

That's pretty clever. Insidious, but clever.

Re:not just autorun! (1)

h4rr4r (612664) | more than 3 years ago | (#36611762)

DO NOT PLUG IN UNKNOWN HARDWARE.

A usb device can be anything not just mass storage. Also, do not fucking log in as admin.

Re:Windows (3, Insightful)

wvmarle (1070040) | more than 3 years ago | (#36611678)

It would be great to have a sandbox option to run such software. I'd also be curious what's on a found USB key. And wondering what that .exe would be doing.

Best solution may be if software run from an external and thus untrusted source (like a USB key) would be automatically sandboxed, and running in its own environment, separated from the rest of the OS. If it tries to do anything bad, just kill it, finish. Then we can satisfy our natural curiosity, while still being protected from anything nasty that may be done.

This could also be a solution to make autorun useful AND safe.

Re:Windows (1)

chemicaldave (1776600) | more than 3 years ago | (#36611732)

AutoRun was removed from USB sticks in Windows XP and above.

Not Just Windows, Linux too. (1)

VortexCortex (1117377) | more than 3 years ago | (#36611896)

My G'Linux OS has been configured to require admin privileges to mount any new USB storage devices; I wonder if I could do this for other USB hardware ie mice, media players, etc. This should be the standard config with a "[_] Don't ask me again." option, IMO. Especially since this arbitrary code execution exploit has been demonstrated. [youtube.com]
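Added example, not part of any comment in this thread: a small audit for the point raised above that a "stick" can present itself as a keyboard rather than as storage, and for the question of extending per-device approval beyond storage. It reads the Linux sysfs USB tree, reports each attached device's interface classes, and flags unlisted devices that expose an input (HID) interface; the allowlist, verdict names and sample tree are assumptions made for the illustration.

```python
import os
import tempfile

HID, MASS_STORAGE = 0x03, 0x08  # USB interface class codes


def read_attr(path, name):
    """Return one sysfs attribute as text, or '' if it is absent."""
    try:
        with open(os.path.join(path, name)) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def list_devices(root):
    """Yield (name, 'vid:pid', [interface classes]) for each attached device."""
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        # 'usbN' entries are root hubs; names containing ':' are interfaces.
        if name.startswith("usb") or ":" in name or not os.path.isdir(path):
            continue
        vid, pid = read_attr(path, "idVendor"), read_attr(path, "idProduct")
        if not vid:
            continue
        classes = []
        for sub in sorted(os.listdir(path)):
            if sub.startswith(name + ":"):
                raw = read_attr(os.path.join(path, sub), "bInterfaceClass")
                if raw:
                    classes.append(int(raw, 16))  # sysfs stores hex, e.g. "08"
        yield name, f"{vid}:{pid}", classes


def verdict(ident, classes, allowlist):
    """Classify one device. IDs are self-reported by the device, so the
    allowlist is an inventory aid, not proof of what the hardware is."""
    if ident in allowlist:
        return "allowed"
    if HID in classes:
        return "deny-hid"        # unlisted device that can type or click
    if MASS_STORAGE in classes:
        return "review-storage"  # unlisted stick exposing storage only
    return "review-other"


def audit(root, allowlist):
    """Map each attached device name to its verdict."""
    return {name: verdict(ident, classes, allowlist)
            for name, ident, classes in list_devices(root)}


def open_controllers(root):
    """Root hubs that authorize every newly attached device by default."""
    return [n for n in sorted(os.listdir(root))
            if n.startswith("usb")
            and read_attr(os.path.join(root, n), "authorized_default") != "0"]


def build_sample_tree(root):
    """Constructed sample mimicking /sys/bus/usb/devices (all IDs made up)."""
    layout = {
        "usb1": {"authorized_default": "1"},
        "1-1": {"idVendor": "1111", "idProduct": "0001"},      # office keyboard
        "1-1/1-1:1.0": {"bInterfaceClass": "03"},
        "1-2": {"idVendor": "2222", "idProduct": "0002"},      # plain stick
        "1-2/1-2:1.0": {"bInterfaceClass": "08"},
        "1-3": {"idVendor": "3333", "idProduct": "0003"},      # stick + keyboard
        "1-3/1-3:1.0": {"bInterfaceClass": "08"},
        "1-3/1-3:1.1": {"bInterfaceClass": "03"},
    }
    for rel, attrs in layout.items():
        directory = os.path.join(root, *rel.split("/"))
        os.makedirs(directory, exist_ok=True)
        for key, value in attrs.items():
            with open(os.path.join(directory, key), "w") as fh:
                fh.write(value + "\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, result in audit(tmp, {"1111:0001"}).items():
            print(name, result)
        print("controllers authorizing by default:", open_controllers(tmp))
```

On a live Linux host, pass `/sys/bus/usb/devices` as the root instead of the constructed tree.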

yet (5, Insightful)

arth1 (260657) | more than 3 years ago | (#36611528)

The problem isn't that people are idiots, but that doesn't preclude people being idiots from being a problem.

You can never make systems fully foolproof through technology, and Bruce of all people should know this.
It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.

Re:yet (2)

ColdWetDog (752185) | more than 3 years ago | (#36611650)

It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.

And nature has a several million year head start on engineers.

Who do you think is going to win this game?

Re:yet (2)

KhabaLox (1906148) | more than 3 years ago | (#36611758)

Well, if it were legal for engineers to incorporate electroshock feedback then we might have a fair contest.

Re:yet (1)

gstoddart (321705) | more than 3 years ago | (#36611716)

You can never make systems fully foolproof through technology, and Bruce of all people should know this.
It's the goal of the engineers to build better foolproof equipment, and it's the goal of nature to build better fools.

But, surely government employees and contractors have been through some training that tells them to be careful with stuff like this. They get told to be careful and suspicious because they have sensitive data ... but when DHS throws a bunch of USB sticks into a parking lot, these same people plug it into a government computer.

This isn't Bruce Schneier saying "OMG, these people are idiots" ... this is a test that DHS themselves did which re-affirmed that people are always going to be the weak link in security. I'm still amazed at the extent to which people who should know better still act like complete idiots in the face of something like this.

Bruce is just reporting on this, and the linked article is just pointing to a story on Bloomberg. And, yes, sadly nature is way ahead of the curve on the creation of fools.

Good idea. (0)

Anonymous Coward | more than 3 years ago | (#36611532)

Firewall too tough? Get localhost access today.

OS trust not really the issue. (3, Insightful)

kermyt (99494) | more than 3 years ago | (#36611536)

You can add all the hooks you want to any OS you want. None of it means anything when the end user can circumvent these protections because curiosity got the best of them. The only real solution here is education of the end users so they know not to trust any little piece of plastic they find in the parking lot.

Re:OS trust not really the issue. (1)

chemicaldave (1776600) | more than 3 years ago | (#36611668)

OS trust definitely is an issue. It's exactly why Microsoft got rid of USB autorun [sophos.com] without user permission.

Granted that won't stop users from running programs, opening files, etc., but it's a start.

I dunno... (1, Insightful)

mswhippingboy (754599) | more than 3 years ago | (#36611542)

The problem isn't that people are idiots...

Seems to me this is exactly the problem.

Re:I dunno... (2, Insightful)

creat3d (1489345) | more than 3 years ago | (#36611624)

My thoughts exactly. The OS shouldn't have to realize if a USB stick is legit and belongs there... people should realize you don't pick up a stick in a parking lot and put it in your computer, which may or may not hold for-your-eyes only information. It's like telling an adult they shouldn't pick up a syringe in a park and stick it in their arm.

Re:I dunno... (2)

davepermen (998198) | more than 3 years ago | (#36611640)

No, the problem is admins not having turned on the correct settings to make it impossible for users to be stupid. They will only do so once something big happens.

Re:I dunno... (1)

chemicaldave (1776600) | more than 3 years ago | (#36611684)

I'm sure you've never plugged in an unknown USB device, but for the other 99.9% of people, it will probably happen. That doesn't make them idiots.

Re:I dunno... (0)

Anonymous Coward | more than 3 years ago | (#36611890)

Idiots? No.

Idiots would plug a random thumb drive into their own computer.

Smart and cheap mofos will test a random thumb drive by plugging it in to someone else's computer.

Something not enough SysAdmins get is that most people's lives don't revolve around the desktop PC sitting on their office desk. If it gets a virus or starts serving malware because they opened that cool sounding screen saver, why the fuck should they care? It's *your* problem, not theirs.

If you think that makes them idiots, think again. They're simply offloading costs and risks onto someone else.

Yet Another "People Plug In Strange USB Sticks" St (-1)

Anonymous Coward | more than 3 years ago | (#36611550)

No, people ARE idiots. How much do you have to goof-proof an OS? There are ways for somebody who is not necessarily very tech-savvy to see what's on a USB stick without allowing it to execute. But that aside, if you found a candy bar laying on the street, would you eat it?

Re:Yet Another "People Plug In Strange USB Sticks" (2)

mswhippingboy (754599) | more than 3 years ago | (#36611582)

But that aside, if you found a candy bar laying on the street, would you eat it?

Possibly, but certainly not one floating in a pool.

Re:Yet Another "People Plug In Strange USB Sticks" (1)

Noughmad (1044096) | more than 3 years ago | (#36611870)

Bruce Schneier's response in a comment:

"Children are taught not to take candy from strangers. But adults are perfectly OK with using USB sticks from unknown sources..."
It's a stupid thing to teach children, too.

I don't think it's a stupid thing for either children or adults. Neither the OS nor the children should know what's in a candy or a USB stick.

The problem isn't JUST that people are idiots (0)

Anonymous Coward | more than 3 years ago | (#36611560)

but also that the OS trusts random USB sticks.

Only 60%? (0)

Anonymous Coward | more than 3 years ago | (#36611568)

I found a random USB stick in my car about 3 years ago; I still haven't plugged it in.

You COULD deny foreign usb sticks in your company (1)

davepermen (998198) | more than 3 years ago | (#36611596)

So it's not people being stupid, but admins being stupid. Functionality is there.

Re:You COULD deny foreign usb sticks in your compa (0)

Anonymous Coward | more than 3 years ago | (#36611662)

Only from Vista onwards. Although it is possible to disable autorun in XP, it has to be done on every individual station - you can't do it via group policy.

Re:You COULD deny foreign usb sticks in your compa (1)

KhabaLox (1906148) | more than 3 years ago | (#36611814)

Just because it's tedious doesn't mean the admin doesn't have a responsibility to do it.

Re:You COULD deny foreign usb sticks in your compa (1)

Noughmad (1044096) | more than 3 years ago | (#36611708)

This is true. Employees shouldn't be able to harm the company or government computers, or expose sensitive company/government data.

Also, people who try to do that should be penalized. It doesn't have to be much, but you must raise awareness that such actions can do a lot of damage.

Re:You COULD deny foreign usb sticks in your compa (0)

Anonymous Coward | more than 3 years ago | (#36611712)

Yes, but remember that most USB sticks are actually useful. Banning all USB sticks because somebody might pick up one that somebody dropped in a parking lot is pretty stupid. Should we also ban all baggage from airplanes because somebody might pick up a strange bag in a parking lot and try to bring it on a plane?

dom

Re:You COULD deny foreign usb sticks in your compa (1)

gubers33 (1302099) | more than 3 years ago | (#36611764)

You going to register all of those USBs, or pay for all those USBs you distribute to your employees?

Hold down the shift key before inserting USB stick (0)

Anonymous Coward | more than 3 years ago | (#36611602)

... problem solved.

Re:Hold down the shift key before inserting USB st (1)

mattgoldey (753976) | more than 3 years ago | (#36611690)

... problem solved.

Better answer, use Group Policy to turn off AutoRun.

Makes sense to me actually (5, Funny)

dyingtolive (1393037) | more than 3 years ago | (#36611612)

Well, I mean, I'm not going to risk MY computer to some random virus infection. Of course I'm going to use an office computer!

Re:Makes sense to me actually (1)

dingen (958134) | more than 3 years ago | (#36611682)

That's exactly what I was thinking. I wouldn't insert some random device into my own laptop, but I wouldn't hesitate a second to plug it into a computer at work. The worst thing that could happen is IT gets me a new PC. Actually, that's the best case scenario.

Re:Makes sense to me actually (1)

carlosap (1068042) | more than 3 years ago | (#36611706)

Yes, everybody thinks like that :D. Just call tech support, "my computer is broken", and maybe with luck you get another one. This is interesting because only tech guys are thinking about these USB problems, while the rest of the people are thinking "I got a new USB, let's try it in my computer at work; if it works, yeah, it's mine."

Re:Makes sense to me actually (2)

staryc (852301) | more than 3 years ago | (#36611860)

Of course I wouldn't risk MY computer or MY work computer. I would just use the separate box I have set up for these sorts of situations that may lead to malicious behavior. More and more people have extra computers just laying around for this type of thing, right? It's 2011!

I SEE YOU'RE INSERTING REMOVABLE MEDIA (1)

Anonymous Coward | more than 3 years ago | (#36611614)

Do you want to:

1) Infect your computer with another virus?
2) Look at the pictures and crap on the thing?
3) Just leave me the fuck alone, I've been using removable media all my life and I'm not going to stop now.

The only thing worse than sales people are security people. They are paranoid schizos that are given lower responsibility IT jobs to fulfill corporate checkboxes.

Re:I SEE YOU'RE INSERTING REMOVABLE MEDIA (1)

Anonymous Coward | more than 3 years ago | (#36611776)

Why would anyone crap on the USB stick?

Not PEBKAM (1)

ilo.v (1445373) | more than 3 years ago | (#36611634)

I suspect some of these people do it simply because they want to figure out who the owner is so they can return it. Storage devices should be untrusted. This is an OS problem, not PEBKAM.

Re:Not PEBKAM (1)

ilo.v (1445373) | more than 3 years ago | (#36611666)

Typo. PEBCAM (Problem exists between chair and machine)

A question (1)

Anonymous Coward | more than 3 years ago | (#36611638)

So, for the 60% who knowingly violated the government security rules, when do we get to see "The Department of Savings announced an unexpected windfall of 30 million due to involuntary termination of employment" article?

People should know better... (0)

Anonymous Coward | more than 3 years ago | (#36611642)

...than to stick strange devices into their ports.

But, then, to each his or her own I guess.

People are not idiots - just different motivation (5, Insightful)

ugen (93902) | more than 3 years ago | (#36611644)

The behavior is quite logical, once you understand what the objective is. Usually the way we look at this is from the POV of corporation/corporate IT security. They find this behavior "stupid" - it potentially harms corporate systems. But consider that an individual employee quite likely cares very little for the well being of corporate IT system or corporation in general (why - is another story). He may be interested to find out what's on the USB device (could be something valuable, you never know) and at the same time he probably wouldn't want to harm his personal computer at home. Hence - using it at work, where if this turns out to be something nasty - it's someone else's problem. And if IT asks - 100% of the time he'll say that he did not do any such thing :)

People are not idiots, they just have their own objectives that are not very well aligned with yours.

People are nosy (0)

Anonymous Coward | more than 3 years ago | (#36611648)

Am I the only one that finds a CD on the ground in a parking lot, inspects it, then pops it into my CD player to see what music is there? I think people plug in the found USB sticks out of curiosity. Maybe there is some good stuff there, maybe there is important data and they want to return it to the owner? I agree with those that blame Autorun for this being a problem. If it's just about browsing the files and directories it shouldn't be a big deal. Running strange executable files is pretty stupid, but just seeing what is there can be pretty compelling.

I'd like to know Why people stick them in... (1)

archer, the (887288) | more than 3 years ago | (#36611686)

Are they trying to be nice and return the stick to the owner? This is a case of being "too nice".

Is it plain curiosity?

Just chuck the thing in the electronics disposal bin.

Re:I'd like to know Why people stick them in... (0)

Anonymous Coward | more than 3 years ago | (#36611804)

Are they trying to be nice and return the stick to the owner? This is a case of being "too nice".

Too nice? If you found someone's wallet on the floor, would you just chuck it away or would you try and locate the owner?

If the former then I'm glad that I don't know you.

PEOPLE ARE IDIOTS! (0)

spitek (942062) | more than 3 years ago | (#36611700)

But I still understand what you're getting at. It's like this.

Problem #1: People are idiots
Fix: There is none

Problem #2: Admins and companies are lax with Security Policy.
Fix: You let me know what it is after you overcome laziness, apathy and budgets.

So someone was like, I'm sick of all this nonsense what can be done to actually fix this? Well like was pointed out, the functionality is already there in most endpoint security solutions. Revert to Fix #2. This is not the OS's job, it's the people's job. I bet the poster is for the nanny state as well.

Tape water filled syringes to the USB sticks (0)

Anonymous Coward | more than 3 years ago | (#36611728)

See how many of them then get the message... and how many of them shoot up on water.

The problem isn't that people are idiots? (1)

gubers33 (1302099) | more than 3 years ago | (#36611738)

YES, THEY ARE! As someone who worked as a security engineer, the biggest threat to the network wasn't an external threat, that is fairly easy to prevent if you know what you are doing and don't be cheap about it. It is however hard to prevent your employees from doing something dumb. Clicking on links in emails, connecting laptops to their home networks riddled with viruses, plugging in USBs that they don't know where they came from! I mean yes, you could lock down USB drives so that you can read or write to them unless they are encrypted with BitLocker and have the key, but they will hinder productivity because BitLocker is a pain in the ass. I mean you don't know how many computers you can log on to simply by walking up to the desk and opening the drawer which has a sticky note with the password on it. PEOPLE ARE DUMB! They will do dumb things like this it is inevitable. Your only option to try to stop it without hearing tons of bitching and adding a lot more overhead is to have all of your employees go through IT security classes involving passwords, USBs, emails, and how to use IT safely, but even then people will do something that will make you scratch your head at how.

Permanent answer (1)

AG the other (1169501) | more than 3 years ago | (#36611744)

There is one answer that will always stop this kind of stupidity. Block up the ports with hot glue.

No, it's not the OS's fault (1)

erroneus (253617) | more than 3 years ago | (#36611752)

Well it's not the OS's fault unless it's a Microsoft OS, then you can go ahead and blame Microsoft if you want.

This "automatic run" stuff is a crappy idea. Even MacOS doesn't do that. So yeah, it's kind of Microsoft's fault.

But people will always be stupid. They were stupid thousands of years ago, and they are stupid today. They will be stupid a thousand years from now.

You Can't Fix Stupid (2)

LifesABeach (234436) | more than 3 years ago | (#36611770)

I've made a comfortable living consoling the computers of owners that are stupid.

People are curious (1)

MpVpRb (1423381) | more than 3 years ago | (#36611778)

Autorun is bad..very bad!

3rd option: DoHS is dumb idiots (1)

barchibald (207846) | more than 3 years ago | (#36611790)

Slashdot previously had an article discussing pointless research (which was an interesting and surprisingly two-sided story). But...this "study" would be an example of said (truly) pointless research.

As soon as they had the hypothesis that people would pick up these sticks and put them in their computer the problem was exposed. Any real leadership would just have moved to solve this problem, rather than prove that it is indeed a problem. I would hope that the "security experts" at the DoHS would ponder that an outcome of 1% and an outcome of 99% would basically be the same problem and studying the particular location on this spectrum should bear little relationship to the need to address the problem.

The IT department are idiots (1)

clickclickdrone (964164) | more than 3 years ago | (#36611794)

Where I work, all the USB ports are disabled. The most you can hope from plugging anything into them is a recharge. If you *really* need to use a USB stick, you get an encrypted one from in house and your local permissions are tweaked to allow just that model and not much else. Plus you get a very clear message that if a virus does get onto the system, you're in a world of trouble, possibly dismissal.

Windows 7 does not trust random USB sticks (1)

The MAZZTer (911996) | more than 3 years ago | (#36611796)

Autorun is disabled (might not be out of the box... might need Windows Update patches). And you can disable it in any other Windows OS where it is enabled by default.... so the problem is the IT department is not properly securing their network with existing OS controls against USB sticks.

But (1)

rossdee (243626) | more than 3 years ago | (#36611830)

Don't Antivirus and other security software disable autorun on USB hardware? I know I have some program that does.

Script to turn off Autorun in XP (1)

h1q (2042122) | more than 3 years ago | (#36611876)

Here is the registry key that I use when reinstalling Windows XP:
Put the following in a text file with the extension .reg, right click and merge with my registry.

REGEDIT4

; Redirect lookups of Autorun.inf to a registry location that does not exist
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
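
Added example, not part of h1q's comment or of the Slashdot page: a Python check over the text of a `.reg` export that confirms the `IniFileMapping\Autorun.inf` override from the comment is present and decodes the `NoDriveTypeAutoRun` policy mask, a separate Windows AutoRun setting the thread does not name. The sample export and all function names are constructed for illustration.

```python
import re

# Constructed sample (.reg export text from a hypothetical workstation).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

INI_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# NoDriveTypeAutoRun bit -> drive type for which AutoRun is switched off.
DRIVE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cdrom", 0x40: "ramdisk"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: raw_data}}.
    Multi-line hex values keep only their first line; not needed for this check."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip('"').lower()] = m.group(2)
    return keys

def audit_autorun(text):
    """Report whether the Autorun.inf override is present and which drive
    types the NoDriveTypeAutoRun policy leaves untouched."""
    keys = parse_reg(text)
    default = keys.get(INI_KEY.lower(), {}).get("@", "")
    raw = keys.get(POLICY_KEY.lower(), {}).get("nodrivetypeautorun", "")
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    mask = int(m.group(1), 16) if m else None   # None: policy value not set
    untouched = sorted(n for b, n in DRIVE_BITS.items()
                       if mask is None or not mask & b)
    return {"inf_override": default.strip('"').lower() == "@sys:doesnotexist",
            "policy_mask": mask,
            "not_disabled_by_policy": untouched}

if __name__ == "__main__":
    print(audit_autorun(SAMPLE_REG))
```

In the constructed sample the override is in place, but the policy mask 0x91 still leaves removable drives outside the policy; a mask of 0xFF covers every drive type.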

so? (1)

Charliemopps (1157495) | more than 3 years ago | (#36611880)

Are you saying that "known" USB sticks are better? I find it far more likely that an attacker would infect a known USB stick of a targeted employee... or the USB stick would be mailed to them as "Vendor bling". It would be relatively easy to get several dozen USB sticks with "Cisco" or "Microsoft" printed on them, mail to random people with a note that says "thanks for using our products" and I'm sure 90%+ of them would get plugged straight in and considered "safe".

No, the problem really is people. (2)

meerling (1487879) | more than 3 years ago | (#36611882)

Even before USB based storage was on the market, people were still infecting computers with their junk. Even supposedly 'isolated' computers that had the media drives removed, and with non-worms. The only common denominator was humans doing something that was against policy. So, no - it's not the specific technology, yes - the problem is people.

I will admit that the more you limit a computer using unauthorized stuff, the less likely it is to get infected. On the other hand, it's also less useful. Balance your choices based on need, and live with the consequences.

Why is autorun enabled? (1)

Animats (122034) | more than 3 years ago | (#36611892)

Turn off autorun for everything on all non-entertainment machines. It was originally put in so that entertainment CDs like Disney's The Lion King (remember those?) would autoplay.

There's almost no circumstance under which you'd want to autorun anything from a USB stick or any USB peripheral. Microsoft is negligent in setting their defaults to "on", and providing a "use AutoPlay for all media and devices" checkbox.
