Picking up random USB sticks and sticking them into your computer is the equivalent of having sex with random people you meet on the street. The only thing you can hope for if you do that is that whatever you're having as protection is going to save you from catching something nasty. But by the time you find out if your protection actually protected you or not, it might already be too late.
I agree that it would be great if our systems could save us from anything and everything malware writers can come up with. But unfortunately, they can't, so our first line of defense should just be plain old common sense.
I work part-time at a reception desk (the computer has access to nothing important). The assumption seems to be that found USB sticks are suspicious, but they actually show up quite frequently. People lose their USB stick--usually in one of the lab computers. The overwhelming majority seem to be personal drives that people have lost. Often there are obviously non-confidential files ("Econ101Paper.odt") on the drive, and it's easy to contact the owner to let them know where they can find their lost drive.
The average user simply doesn't see USB sticks as malicious (recall how much pain it took until people generally recognized unknown email attachments as dangerous!) and is occasionally exposed to lost USB sticks that they can helpfully return. This is a problem that will not be fixed by user education, except perhaps in secure facilities where USB devices are prohibited completely.
USB drives, on the other hand, have not been around for very long. When you plug in an evil USB stick, nothing bad happens. Maybe in a few years someone buys some shit with your credit card, and your bank has to send you a new one. That's about it, though, and that negative consequence isn't enough to override the curiosity intrinsic in humanity. So people find USB drives and plug them in, just because they are curious for a glimpse into other people's lives. See also: tabloids.
It's rationality that stops one from not eating the cake. One's physical and emotional "sense" will tell one to eat the damn thing (if it looks good!). Similarly, unknown USB sticks should be used rationally.
I can't tell if that's an awful analogy because people do it all the time, or a brilliant analogy, because unless you do it safely you will eventually catch something nasty.
Note, however, that this is NOT a signal that you want the computer to start running arbitrary software on the drive.
Another example: the computer: "The user entered 'rm -rf doc', I delete ./doc/", and the user: "I want to get rid of 'Documents/' for the 23rd time today and execute 'rm -rf doc<tab>'".
The discrepancy between "do what I say" and "do what I mean" is part of where security lives. In the above cases, that would be a virus scanner and your favourite *nix command line trash utility, respectively. Other examples can easily be imagined. Just because a user tells you to do something doesn't mean they want you to do it.
And that USB keyboard has said "hey yes I want to run the software on this drive"?
All an attacker would have to do is find the ID of a device that you have used in the past.
If you can plug untrusted hardware into your machine, your machine cannot be trusted. It's not just autorun that's an issue - you've exposed your machine to unknown forces once you plugged in an item.
Corollary: If you need to be secure, don't provide IO ports.
I don't have a real wrapped-up conclusion here, except to say that if these quite security-conscious organizations that pay close attention to these issues have found it a pain to implement IO-restricted general desk PCs, it's no wonder at all that most private organizations are having trouble.
* Keyboards do not have enough bandwidth to allow an attack unless your physical security is incredibly lax.
* Monitors make a really bad attack vector, since they're not really an input device :) They are, to some extent, a possible route of filtering data out, so make sure access is indeed limited. (I.e. don't put them in front of windows :)
* HDDs are presumably (if you really care about security) inside the case only, and the case is locked. Also, hopefully hard-erased before installation.
* Even though processors make for a decent attack vector (read "Trusting Trust" by Ken Thompson, if you haven't yet), enforcing the air gap makes it very hard to actually communicate that data to the outside world.
Of course, all this depends on what level of security you want/need. Sealing of IO ports for your home machine is fairly silly. (And if autorun is disabled, you're probably safe plugging items in - you're most likely not a high enough value target). But if you indeed do have items that MUST be kept secret on your machine, batten down the (IO) hatches.
What does this mean? What's to stop someone from building a fake keyboard with an internal USB hub that connects the original keyboard's USB connection and a thumbdrive to a normal-looking outgoing USB cable?
Also, for the sake of completeness, randomize all on-screen forms to make it impossible to exploit a fake mouse. Muscle memory considered harmful.
For added security, display an authorization code on the display every half an hour, and expect the user to do an XOR with a one-time pad, then enter it on the keyboard. Or Morse-code it with the mouse.
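Added example, not part of any comment in this thread: a policy check showing why an allowlist keyed on the device ID alone accepts the reused-ID case raised above, and what additionally pinning interface classes catches, including the keyboard-with-hidden-hub case. The device records, the allowlist and the function names are constructed for illustration; the class codes (0x03 HID, 0x08 mass storage, 0x09 hub) are the standard USB ones.

```python
# Added illustration: the device records below are constructed, not captured.
from dataclasses import dataclass

HID, MASS_STORAGE, HUB = 0x03, 0x08, 0x09  # standard USB class codes


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: str
    interfaces: tuple      # interface class codes the device announces
    children: tuple = ()   # devices attached behind it, if it is a hub


# Hypothetical allowlist: pins the ID and the exact interface classes.
ALLOWED = {
    (0x1111, 0x0001, "KB-001"): frozenset({HID}),           # desk keyboard
    (0x2222, 0x0002, "UD-042"): frozenset({MASS_STORAGE}),  # issued drive
}


def id_only_ok(dev):
    """Weak policy: accept anything that announces a known ID."""
    return (dev.vid, dev.pid, dev.serial) in ALLOWED


def strict_findings(dev, path="root"):
    """Reasons to reject dev or anything attached beneath it."""
    here = f"{path}/{dev.vid:04x}:{dev.pid:04x}"
    expected = ALLOWED.get((dev.vid, dev.pid, dev.serial))
    findings = []
    if expected is None:
        findings.append(f"{here}: not on the allowlist")
    elif frozenset(dev.interfaces) != expected:
        findings.append(f"{here}: interfaces {sorted(dev.interfaces)} "
                        f"differ from pinned {sorted(expected)}")
    for child in dev.children:
        findings.extend(strict_findings(child, here))
    return findings


genuine_drive = Device(0x2222, 0x0002, "UD-042", (MASS_STORAGE,))
cloned_id = Device(0x2222, 0x0002, "UD-042", (MASS_STORAGE, HID))
fake_keyboard = Device(0xAAAA, 0x0009, "", (HUB,), children=(
    Device(0x1111, 0x0001, "KB-001", (HID,)),        # the real keyboard
    Device(0x3333, 0x0003, "X", (MASS_STORAGE,)),    # the hidden drive
))
```

Descriptors are self-reported, so a clone that copies the ID and announces only the pinned interfaces passes both checks; pinning interfaces narrows what a reused ID can do, it does not authenticate the device.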
> Quit blaming the victim.
Where do we draw the line between blaming the victim and chiding people for doing stupid things?
For example, a drunk driver is not a 'victim' in any sense, even if the only one injured in the wreck is the driver.
OTOH, we have all those little topics that make people go insane.
Can we even debate this concept without turning this into a flamewar?
Worth repeating: they can read ANY page in RAM. Including those which contain user key hashes, session hashes and any password which happens to be stored in clear in memory.
While the OS can protect a process's memory from all other processes, DMA is one level closer to the metal. No matter what OS you're running, plugging random devices into your system means the game is over.
(1) HW virtualization mitigates some of these risks: I'm not familiar with the details of it. But since most machines are still running without HW virtualization, they are still vulnerable.
edited for formatting
There are vectors beyond "autorun" for attacking machines with USB devices (for instance, automatically mounting filesystems exposes the filesystem to malicious block inputs) but these are squarely in the OS's bailiwick.
It's also much harder to reliably launch an attack from, but in the case of a targeted attack where the OS is known it wouldn't be too difficult to come up with something that could sneak some nasties in with a low chance of detection.
I don't know the answer because I don't use Linux for day-to-day work (I work in gamedev, whose primary platform is Windows) and I'm too poor to afford a MacBook.
Do we think there are no vulnerabilities in the USB code, the drivers for any particular USB device, filesystems, or any other pieces of code a USB device can invoke? I am very doubtful.
> The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.
The entire point is that it shouldn't be considered "stupid" to plug in a USB drive. As he says more than once: that's what they're for.
That they plugged it into a corporate network prior to checking elsewhere first is, yes, stupid. And people need to be taught better about things like that - Stuxnet wouldn't have been half the threat if people didn't plug things into business computers without taking precautions. That they plugged it into a computer is not.
50% is a start.
Guns have uses besides shooting people.
USB sticks have no use besides being plugged into a USB port, and USB ports have no use besides having things plugged in to them, hence it should be safe to plug things into them.
Since you didn't like my analogy there are plenty of others. Would you put any random tire on your car and expect it to transport you safely? If I put diesel instead of gas in my car is it the station's fault because the connectors are the same?