
Teardown of USB Fan Reveals Journalists’ Lack of Opsec - oedmarap
https://hackaday.com/2018/07/11/teardown-of-usb-fan-reveals-journalists-lack-of-opsec/
======
kilo_bravo_3
Title: TEARDOWN OF USB FAN REVEALS JOURNALISTS’ LACK OF OPSEC

Content: "The real story here is that accomplished journalists would be
grateful for a random USB device given to them by a foreign government. There
is every indication this journalist actually plugged this USB fan into his
computer. But even if he went the safe route and opted to use a USB battery or
a cable with data lines disconnected to protect against malware, I’m sure
others didn’t take precautions. Out of 2500 journalists at the Singapore
summit, some unquestionably plugged this threat into their computer."

Question: What is the indication that the journalist actually plugged this USB
fan into his computer?

Reality: there is no evidence of any journalist plugging in the USB fan.

Conclusion: YAZWPSRAAS (yet another zer0cool wannabe posting self-righteous
articles about security)

~~~
geofft
Exactly - the photo shows the fan _in the plastic bag_, the evidence is it
was not used!

Also, "_The journalist who started this whole mess by posting the image of
the USB fan drive on Twitter_" how is posting the image on Twitter starting a
mess?

This is a bad article with a blatant disregard for fact, and I've flagged it.

------
zerocrates
Seems like a strange headline... the _teardown_ apparently didn't "reveal"
anything unexpected at all.

"Lack of opsec" is still all fine and good as a comment about this story, but
this article is implying (really, more than implying) that they actually found
something hidden in the fan.

~~~
zantana
Agreed. Based on the headline I was expecting the journalist had inadvertently
revealed some data about which they weren't intending to.

------
ballenf
A physical switch on all ports that are sometimes used for power-only,
disconnecting data lines, would be worthwhile for many people.

Or just train people to use power banks for USB-powered accessories instead of
their computers.

~~~
jpindar
There are cables and adapters that don't have the data lines connected, they
are sometimes called USB condoms.

~~~
beamatronic
I would expect them to be made of clear plastic for easy visual confirmation

~~~
monocasa
That just makes me want to design a fake USB condom that looks legit. Maybe
modulating the data over the power cables using ICs implanted in the
connector...

------
acomjean
I guess the downside of having “one port” for power/storage and peripherals,
is that you really can’t know what’s going to happen when you plug a device
in.

It’s almost like you want a dialog box approving what the usb device can do.
But nobody really wants that.

Convenience over security.

~~~
jgibson
Android already does this. When you plug in you get a notification with
options for

- Charging only (with direction selection if your phone supports it)
- USB media protocol
- USB flash storage

~~~
dawnerd
That’s assuming the software can’t be exploited.

------
badrabbit
Alternative headline: Teardown of USB fan reveals systems were engineered
without taking into account the need for user-friendly security

¯\_(ツ)_/¯

Can't have opsec if you don't know "op" (how a system operates and is meant to
be operated) or "sec".

------
pinebox
Teardown of article on USB Fan teardown reveals lack of teardown

------
sctb
Recent discussion:
https://news.ycombinator.com/item?id=17459041

------
lainga
Is OPSEC covered in modern journalism degrees?

