
Yet Another "People Plug in Strange USB Sticks" Story - diogenescynic
http://www.schneier.com/blog/archives/2011/06/yet_another_peo.html
======
Sandman
So the point of this article is that it's not stupid to plug in random USB
sticks you find on the street? That's what USB sticks are for? What if you
found a big slice of your favorite type of cake on a park bench, would you eat
it? You wouldn't? Why not, hell, _that's what cakes are for_.

Picking up random USB sticks and sticking them into your computer is the
equivalent of having sex with random people you meet on the street. The only
thing you can hope for if you do that is that whatever you're having as
protection is going to save you from catching something nasty. But by the time
you find out if your protection actually protected you or not, it might
already be too late.

I agree that it would be great if our systems could save us from anything and
everything malware writers can come up with. But unfortunately, they can't, so
our first line of defense should just be plain old common sense.

~~~
mikeash
I believe the point of this article is that if your system assumes that humans
aren't stupid, then your system will fail. Blaming the humans for being stupid
is no more useful than blaming rain for being wet. Shaking your head and
saying that the system is fine because it was _only_ defeated by people being
stupid ends up missing the point.

~~~
raldi
Right. If 6% of people fell for this, shame on them. But if 60% of people fell
for it, shame on the security team.

------
jberryman
Schneier seems to be mostly imagining an attack in which a USB disk is loaded
with some malware, but the USB stick could be just about anything:

<http://hackaday.com/2010/10/29/tiny-usb-business-card/>

~~~
pavel_lishin
If you work for a place where security _matters_, your default assumption
should be, "it's unsafe".

~~~
RyanKearney
If you work at a place where security matters, then mounting external volumes
is disabled in the group policy along with auto run, installing software, and
99% of Windows tasks that aren't directly related to your job.

------
extension
My laptop has a built-in keyboard and trackpad, so why doesn't it just ask my
permission to use any USB device I plug in? I don't know if there's a way to
uniquely fingerprint a USB device, but if there is then I could tell the OS to
always trust particular devices to make it more convenient.

~~~
eridius
Why would it ask? If you didn't want the computer to access the drive, then
why did you plug it in? The mere act of plugging in a drive is a signal to the
computer that you want the drive to be made available.

Note, however, that this is NOT a signal that you want the computer to start
running arbitrary software on the drive.

~~~
jbri
And what if you've plugged in a USB keyboard at the same time as that drive?

And that USB keyboard has said "hey yes I want to run the software on this
drive"?

~~~
eridius
And how does the USB Keyboard have the permission to go ahead and launch
software on the user's behalf? It's precisely the same issue as autorun on a
thumb drive.
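
The per-device trust prompt proposed at the top of this subthread, combined with the drive-plus-keyboard case raised in the replies, as an added example that is not part of any comment above. The device records, vendor/product IDs and serials are constructed sample values, and `fingerprint`/`decide` are hypothetical names, not an OS API.

```python
import hashlib

# USB interface class codes assigned by USB-IF: 0x03 = HID, 0x08 = mass storage.
HID, MASS_STORAGE = 0x03, 0x08

def fingerprint(dev):
    """Hash the descriptor fields a device reports about itself.

    Every field is device-supplied, so this recognises a known device but
    cannot prove identity: a hostile device can copy the same values.
    """
    classes = ",".join(f"{c:02x}" for c in sorted(dev["interfaces"]))
    raw = f'{dev["vid"]:04x}:{dev["pid"]:04x}:{dev["serial"]}:{classes}'
    return hashlib.sha256(raw.encode()).hexdigest()

def decide(dev, trusted):
    """Return 'allow', 'ask' or 'block' for a newly attached device."""
    if fingerprint(dev) in trusted:
        return "allow"
    classes = set(dev["interfaces"])
    # A "drive" that also enumerates as a keyboard can type its own commands.
    if HID in classes and MASS_STORAGE in classes:
        return "block"
    return "ask"  # unknown device: prompt on the built-in keyboard/trackpad

# Constructed sample devices (IDs and serials are made up for illustration).
OWN_DRIVE = {"vid": 0x1234, "pid": 0x0001, "serial": "A1B2C3",
             "interfaces": [MASS_STORAGE]}
FOUND_STICK = {"vid": 0x1234, "pid": 0x0002, "serial": "ZZZ999",
               "interfaces": [MASS_STORAGE]}
COMBO_STICK = {"vid": 0x1234, "pid": 0x0003, "serial": "QQQ111",
               "interfaces": [MASS_STORAGE, HID]}
# Same IDs and serial as the trusted drive, but now exposing a keyboard too.
REFLASHED = dict(OWN_DRIVE, interfaces=[MASS_STORAGE, HID])
# Copies every reported field of the trusted drive.
CLONE = dict(OWN_DRIVE)

TRUSTED = {fingerprint(OWN_DRIVE)}

if __name__ == "__main__":
    for name in ("OWN_DRIVE", "FOUND_STICK", "COMBO_STICK", "REFLASHED", "CLONE"):
        print(name, decide(globals()[name], TRUSTED))
```

Because the interface classes are part of the fingerprint, a trusted device that starts presenting a keyboard stops matching; a device that copies every field still matches, which is the limit of trusting self-reported descriptors.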

------
planb
While I think he's right that the OS should not automatically launch programs
off a USB stick - how many people that are curious enough to plug in the stick
would not double click "secret_documents.doc.exe"?

------
groby_b
While USB sticks are made to be plugged in, the fact remains that a machine
cannot be kept secure when an attacker gains physical access to it. (Remember
that old and outlandish notion of an "air gap" for secure machines?)

If you can plug untrusted hardware into your machine, your machine cannot be
trusted. It's not just autorun that's an issue - you've exposed your machine
to unknown forces once you plugged in an item.

Corollary: If you need to be secure, don't provide IO ports.

~~~
pavel_lishin
Or keyboards! Or monitors! Or hard-disks! Or processors!

~~~
groby_b
I realize you're being facetious, but for argument's sake:

* Keyboards do not have enough bandwidth to allow an attack unless your physical security is _incredibly_ lax.

* Monitors make a really bad attack vector, since they're not really an input device :) They are, to some extent, a possible route of filtering data out, so make sure access is indeed limited. (I.e. don't put them in front of windows :)

* HDDs are presumably (if you really care about security) inside the case only, and the case is locked. Also, hopefully hard-erased before installation.

* Even though processors make for a decent attack vector (read "Trusting Trust" by Ken Thompson, if you haven't yet), enforcing the air gap makes it very hard to actually communicate that data to the outside world.

Of course, all this depends on what level of security you want/need. Sealing
of IO ports for your home machine is fairly silly. (And if autorun is
disabled, you're probably safe plugging items in - you're most likely not a
high enough value target). But if you indeed do have items that MUST be kept
secret on your machine, batten down the (IO) hatches.

~~~
zachrose
> Keyboards do not have enough bandwidth to allow an attack unless your
> physical security is incredibly lax.

What does this mean? What's to stop someone from building a fake keyboard with
an internal USB hub that connects the original keyboard's USB connection and a
thumbdrive to a normal-looking outgoing USB cable?

~~~
LaGrange
Disable all keyboard shortcuts -- text entry only in text areas. No tabbing
between controls. Keyboard shortcuts considered harmful.

Also, for the sake of completeness, randomize all on-screen forms to make it
impossible to exploit a fake mouse. Muscle memory considered harmful.

For added security, display an authorization code on the display every half an
hour, and expect the user to do an XOR with a one-time pad, then enter it on
the keyboard. Or morse-code it with the mouse.

------
derleth
From the article:

> Quit blaming the victim.

Where do we draw the line between blaming the victim and chiding people for
doing stupid things?

For example, a drunk driver is not a 'victim' in any sense, even if the only
one injured in the wreck is the driver.

OTOH, we have all those little topics that make people go insane.

Can we even debate this concept without turning this into a flamewar?

~~~
tptacek
I think you missed the whole point of the blog post, which is that it isn't
"stupid" to plug in a USB stick; it's "stupid" that the OS makes this unsafe.

~~~
palish
Is this unsafe even on OS X or Linux?

~~~
cmelbye
I believe the main issue is that the stick can be configured so that Windows
will automatically run an executable on the USB stick when it's plugged in, so
OS X and Linux wouldn't be affected by that.

~~~
palish
Sorry, to be clear, I was asking whether Linux or OS X also have the same
silly idea of "Let's execute an arbitrary program on the USB stick whenever
it's plugged in!"

I don't know the answer because I don't use Linux for day-to-day work (I work
in gamedev, whose primary platform is Windows) and I'm too poor to afford a
Macbook.

~~~
andreyf
OSX will open some newly mounted disks in Finder, but it won't automatically
execute code. This doesn't mean it's safe against malicious hardware, though.

------
dhughes
I couldn't help thinking of the Family Guy skit about James Woods going "Ooo a
piece of candy!"

------
s00pcan
If I found a random USB drive on the ground I would probably format it with a
device that any malicious software isn't targeting, such as a game console.

------
johngalt
You can't blame people for shooting other people, that's what guns are for!
Shooting people is guns' intended purpose. It's the clothing manufacturers'
fault for not making all shirts out of Kevlar. They should make it safer to be
shot.

~~~
kbutler
Feeding the troll...

Guns have uses besides shooting people.

USB sticks have no use besides being plugged into a USB port, and USB ports
have no use besides having things plugged in to them, hence it should be safe
to plug things into them.

~~~
johngalt
We are surrounded by devices that will break or do us harm if used unsafely.
Articles like this one seem to point out the obvious "why not just make it
impossible to be unsafe?" Yet this is not the case (or even a stated goal) in
any other type of system. Why is it that once computers are involved people
expect to abdicate responsibility?

Since you didn't like my analogy there are plenty of others. Would you put any
random tire on your car and expect it to transport you safely? If I put diesel
instead of gas in my car is it the station's fault because the connectors are
the same?

