

Federal agency destroyed computers, keyboards, mice over virus fear - wikiburner
http://www.foxnews.com/politics/2013/07/10/us-agency-destroys-computers/

======
cbhl
"Among them was the apparent assumption that a computer mouse can carry a
virus."

Hypothetically, this is true -- if you disassemble the right kind of mouse,
put in a USB hub and a USB flash drive with malware. But surely you could
simply test the hardware with a known good installation (say, off a Live CD)
to figure out if that was the case?

~~~
mindcrime
_Hypothetically, this is true -- if you disassemble the right kind of mouse,
put in a USB hub and a USB flash drive with malware._

It's not hypothetical. A friend of mine has created a USB-based pen-test tool
based on this very idea. The early prototype idea was to open up a mouse,
splice a USB hub into the USB connection, then attach an "Arduino like"
Teensy[1] to it such that, when the mouse was connected, in addition to the
mouse being detected and registered by the host machine, it would also detect
and install a new keyboard. The Teensy could then dump its payload as
anything that could be typed on a physical keyboard (subject to the memory
limitations of the board).

He's now doing a Kickstarter campaign to manufacture and sell the things,
which he calls The Glitch[2]. You can see pictures on the Kickstarter page, of
the Glitch embedded in a generic mouse.

[1]: [http://www.pjrc.com/teensy/](http://www.pjrc.com/teensy/)

[2]: [http://www.kickstarter.com/projects/1186217328/the-glitch](http://www.kickstarter.com/projects/1186217328/the-glitch)

~~~
rdl
I don't think you actually need to do the keyboard thing.

You should be able to use "accessibility" features to bring up a soft keyboard
(or just cut and paste from known things) to run the entire attack as a
normal-appearing HID mouse, which just happens to be evil. No need to
reconnect via a hub; you could do the whole thing within a mouse controller.
Bonus points if you can manage to fit all the logic in the same
processor/memory the thing includes by default, or something which looks like
the same physical package and thus passes a non-destructive open-device
analysis.

(which is kind of terrifying if you think about it; almost no one checks the
provenance of "dumb" devices like mice. Keyboards sometimes get a tiny bit
more scrutiny due to hardware keyloggers inside inline, but that's about it.)

The ultimate solution is a trusted supply chain and equipment which is
tamper-evident, non-counterfeitable, and which can securely attest to
intactness and provenance; X9.9 PIN pads and HSMs. But no one does that for
general purpose hardware.
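A host-side check for the two variants described in the comments above (a hub-spliced mouse that enumerates an extra keyboard, and a single mouse controller that also presents a keyboard interface), added here as an example and not code from the thread or from the Glitch project. It parses constructed Linux kernel (dmesg) lines; the vendor/product IDs and the inventory list are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of Linux kernel (dmesg) output for this example, not from the thread.
# Port 1-1.2 holds a "mouse" that also enumerates a keyboard interface; 1-1.3 is a normal keyboard.
SAMPLE_DMESG = """\
usb 1-1.2: New USB device found, idVendor=1234, idProduct=5678
usb 1-1.2: Product: Generic Optical Mouse
hid-generic 0003:1234:5678.0001: input,hidraw0: USB HID v1.10 Mouse [Generic Optical Mouse] on usb-0000:00:14.0-1.2/input0
hid-generic 0003:1234:5678.0002: input,hidraw1: USB HID v1.10 Keyboard [Generic Optical Mouse] on usb-0000:00:14.0-1.2/input1
hid-generic 0003:ABCD:0001.0003: input,hidraw2: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-1.3/input0
"""

# vid:pid pairs of keyboards the organisation has inventoried (placeholder value).
KNOWN_KEYBOARDS = {"abcd:0001"}

# Matches the line the kernel logs when it binds a HID interface: bus:vid:pid.instance,
# the HID device type (Mouse/Keyboard), the product string and the USB port path.
HID_RE = re.compile(
    r"^hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: \S+: "
    r"USB HID v[\d.]+ (\w+) \[(.*?)\] on usb-(\S+)/input\d+$"
)

def parse_hid_lines(text):
    """Return one record per HID interface the kernel bound: port, type, product name, vid:pid."""
    records = []
    for line in text.splitlines():
        m = HID_RE.match(line.strip())
        if m:
            vid, pid, kind, name, port = m.groups()
            records.append({"port": port, "kind": kind, "name": name, "id": f"{vid}:{pid}".lower()})
    return records

def find_suspicious(text, known_keyboards=KNOWN_KEYBOARDS):
    """Flag keyboard interfaces that should not be there: on a USB device that is also a mouse,
    on a device whose product string says mouse, or with a vid:pid missing from the inventory."""
    by_port = defaultdict(list)
    for rec in parse_hid_lines(text):
        by_port[rec["port"]].append(rec)
    findings = []
    for port, recs in by_port.items():
        kinds = {r["kind"] for r in recs}
        if "Keyboard" in kinds and "Mouse" in kinds:
            findings.append((port, "mouse and keyboard interfaces on one USB device"))
        for r in recs:
            if r["kind"] != "Keyboard":
                continue
            if "mouse" in r["name"].lower():
                findings.append((port, f"keyboard interface on product '{r['name']}'"))
            if r["id"] not in known_keyboards:
                findings.append((port, f"keyboard {r['id']} not in inventory"))
    return findings

if __name__ == "__main__":
    for port, reason in find_suspicious(SAMPLE_DMESG):
        print(f"{port}: {reason}")
```

The hub-spliced build shows up as a keyboard on a port whose vid:pid is not in the inventory; the single-controller build additionally trips the mouse-plus-keyboard and product-string checks.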

~~~
akira2501
Except the mouse doesn't know exactly where it is on the screen, or how its
concept of CPI (counts per inch) relates to pixels on the screen.

~~~
rdl
That's a pain, but I think I could work around it by observing the human's use
of the mouse for a while; there are some known actions (let's restrict to
Windows), like clicking on start menu and some other stuff. By watching and
calibrating, you could get a good idea what to do. You also might know a lot
about the target environment; maybe they have totally standardized
configurations including mouse speed, display size, etc.

The environment I'm thinking about is something like a SCADA control system
for, say, a centrifuge cascade :)

------
badmadrad
This doesn't surprise me. Government agencies tend to hire people based
primarily on the fact the individual has a top secret clearance. This
drastically cuts the talent pool and allows people that have gamed the system
to get the job. Sometimes legitimate experience is cast aside for the mere
fact a person has a clearance. I know so many people that because they have a
clearance have a cushy 6 figure job with a great title. I've talked to people
that are System Admins and Analysts and I can tell they have no idea what they
are doing. They got the job because they knew somebody, embellished their
resume, and have a clearance.

------
mifreewil
These are the people that take the money out of your paycheck each week. Don't
know whether it's gross incompetence or cronyism to buy new equipment from a
contractor.

~~~
mpyne
I wasn't aware that the EDA was the IRS. Learn something new every day I
guess.

~~~
coldtea
He means they are paid by our taxes -- not that they collect them directly.

Snark FAIL.

~~~
mpyne
I know what he meant, otherwise snark wouldn't have been necessary.

He's basically saying that because there was one CIO somewhere, anywhere, in
the Federal government that it's appropriate to tar every military and civil
servant with that same 'idiot' brush.

I mean, I'm assuming you would be offended if someone said that all computer
hackers have my own personal morals, so it seems wise to only blame people for
what they actually do, not their seventh-order relationships to other people.

~~~
greendata
It's not about being offended. It's about theft and corruption. All these
agencies are taking away our income and squandering it through incompetence,
cronyism, and worthless spy programs and military adventurism. If the
"computer hackers" were stealing 30% of our collective income and wasting it I'd
be very angry about them too.

~~~
mpyne
If the worst thing a Federal agency does to the taxpayers in a day is waste a
computer keyboard, they're still far in the black compared to the rest. True
story.

Besides, you're talking about an issue which afflicts essentially all large
organizations. Have you never received a small part from a retailer wrapped in
waaaaaay too much packing material?

~~~
greendata
Military adventurism, overly harsh sentencing, and illegally spying on our own
citizens are not simply wasting a day at the keyboard. They are actively
harming all of us.

I'm not just talking about an issue that affects large organizations. I have
never feared imprisonment from Apple, MSFT, or Amazon. I have never made
involuntary payments to any of them. Steve Ballmer can't stop and frisk me for
weapons on the street b/c he fears for his safety. Sure big companies have
waste and inefficiency, but it's at a much lower level than the federal
government.

------
aidos
Is this for real? Man, $823,000 + $688,000 for a cybersecurity contractor to
do 6 months work. I'm in the wrong industry.

The report:
[http://www.oig.doc.gov/OIGPublications/OIG-13-027-A.pdf](http://www.oig.doc.gov/OIGPublications/OIG-13-027-A.pdf)

~~~
VladRussian2
Such numbers make me wonder: is it just idiocy of bureaucrats, or are we
talking kickbacks here? For example, in Russia government contracts have 75%
kickback, so that explains it there. What is the explanation here in the US?

>I'm in the wrong industry.

It is not about industry. In any industry you can have government as a client.

~~~
wikiburner
We don't have kickbacks in the U.S.

Only sales commissions and lobbyist fees.

------
anujabro
$2.7mm in damages over 6 malware infected parts. That escalated quickly.

Where do they get the rationale for the Mice and Keyboards?!

~~~
yen223
A paranoid, incompetent IT team plus an opportunistic "cybersecurity"
contractor.

~~~
patio11
If the brief for the contract includes "We believe we may have been
compromised by a nation state. Check for us." then checking keyboards and mice
is totally reasonable. Some of them incorporate user-upgradable firmware.
Given this, turning the keyboard/mouse into an "advanced persistent threat" is
an exercise trivially within the capability of garden-variety security
consultants. (Ballpark cost: $20k if you get everything scratchbuilt the first
time, assuming you've separately rooted one machine to infect the peripheral.)

Nation states can be presumed to have access to garden-variety security
consultants, and more elaborate tricks besides.

~~~
mechanical_fish
Yes, even I fell for the "but it's only a stupid mouse!" spin on this story,
and I've been shopping for embedded processors recently so you'd think I would
know better.

If it has a USB port, it contains a tiny computer. One which is probably more
powerful than the Commodore PET I learned computing with. Not that you need
that much power to log keystrokes.

Those of us who were brought up in the 20th century can no longer trust our
intuition about where computers might be hiding.

------
banachtarski
It's like when Egypt killed herds of pigs to mitigate the "swine flu".

------
paulrademacher
I keep a can of Raid on my desk in case I find a bug in the software.

