"During a stop-over in Hong Kong, he finds a spare USB key in his hotel room. Curious, he inserts it into his laptop. By the time he arrives in Australia, his computer is infected."
This was the one of the infection vectors for a large flare-up between the Chinese government and a number of Australian based mining companies, all well before the Snowden leaks that have only made the world more complex.
Given the choice between frying an employee's USB / computer (small monetary loss) and allowing trade secrets to fall into the hands of competitors / customers (large monetary loss), it's not crazy to opt for the former.
Standard practice has even gone further. A colleague of mine purchases fresh laptops for when he goes overseas and then never uses them again. He doesn't even work in an industry where commercial secrets are common. I'd hope that anywhere that features security implications or commercial secrets would also act at this level.
Perhaps an innocuous version of this, which starts a high pitch whistle, would be useful in a corporate environment. Less destructive but resulting in the the same security awareness.
This wouldn't protect against things like firmware-based malware, attacks that major three-letter spy agencies could deploy when they focus on a target, but because there is no absolute security and measures need to be balanced to the threat scenario, this is a model that works pretty well.
IMO that's an overkill. Why not just use ICloak  or Tails ? They are both Linux distributions which boot from USB stick without touching hard drive, randomize MAC address and give you access to Tor and other goodies.
If your risk assessment says you're worried about AoHPs then you can't trust your computer after they've had it in their possession.
Hey, didn't an article on USB dead drops get posted yesterday?
That's a good way to start a fire and have a _large_ monetary loss on your hands.
First the total power of the USB port is ~2,5W on average and given the constraints of the device in terms of size (~ a normal USB thumb drive) you cannot realistically store this more than a second or so (e.g. 100V in 1000µF is only 10 Ws).
With 2.5W you can make things hot to touch, but for igniting anything flamable, you'd have to design some thermally decoupled element to dissipate the power, and get glowing hot (e.g. a small coil of resistance wire in a car's cigarette lighter). Unfortunately devices on a PCB are normally very well thermally coupled to said PCB, so the energy spreads fast limiting the temperature of the individual components. Also things on a PCB tend to break at much lower temperatures than what you'd need to ignite anything. Also they will already desolder themselves at ~200 degC.
Clearly some attacks are quite stealthy and difficult to characterize, but some are not, and in the 2010-era reporting about Chinese computer espionage against travelers to China many targets seemed to believe that they had confirmed the compromises.
So people could have taken a computer with some extra sensors or logging processes, a different OS than usual, and then publish the results, helping defend similarly situated others, including their own coworkers. If they believe the attacks are pervasive today, they could do this today.
Having worked at companies who actually have a high level concern over computer security, telling someone simply isn't enough. Being told is passive. Passive defence and active defence are two entirely different states of mind. Defending against an attack needs to be active and instinctual. Every time you open, close, or set down your laptop, a small part of your brain should be thinking about it. In computer security, a single failure is enough to lose control, so it's useful to have an environment that reflects that.
A simple example is being told to keep your terminal locked. This is a common rule for most workplaces but is usually met with dismal failure. One of the companies I worked at actually made a game out of leaving your terminal unlocked. I can tell you, after a few days of your colleagues kindly laughing at you returning to a screen full of Internet memes, you instinctively Ctrl + L upon standing up, even if it's to walk to the windows to look at the view.
Why is it important I lock the screen even if standing a metre away? My friend walks by whilst I'm staring at the view and invites me to [coffee|walk|game|X]. Security has already left your mind and you head off to do [X], leaving your terminal unlocked. Even worse, your screen might auto-lock in a few minutes, giving you a false sense of security when you return. Even if it was unlocked when you returned, you'd likely get back to work, not realizing your error.
Making security a game is a good way of instilling the practice. Colleagues make for cunning adversaries and make you actively defend yourself. This defence is useful against both pretend threats and real ones. Wargames are wargames for a reason.
This was unofficial but standard practice at a support center I once worked at. It was a terrible work environment for other reasons, but individual computer security was great because the new guys very rapidly learned that leaving a computer unlocked left you a prime target for background changes, YTMND pages hidden behind other windows, the Dell ctrl+alt+up thing, etc.
If they can install they will and it will continue until someone starts firing people over it.
If they cannot install, prepare to get scolded when they cannot install fileshare clients, flash games, "codecs", -you name it: they'll install it if there is even the slightest chance it will let them watch something they wouldn't be able to watch without.
I sometimes have an image inside my head what it would be like if chefs would be like office workers in this regard: sharing their knives with friends and family, drag their knives into the garden, use them to poke in the sink, stir the paint etc.
I was walking past a tall wooden fence the other day, you know the kind you see outside a building site. As I walked along beside it I heard chanting coming from behind the fence further up... they were chanting numbers, or rather just one number.
"Thirteen, thirteen, thirteen, thirteen, ..." they excitedly chanted. It sounded like a small crowd, young and old; men, women and children. All of them saying the same number over and over.
As I approached I saw a small hole in the fence just big enough to look through. The hole was right where the sound appeared to be originating from.
So, with the crowd continuing to chant "... thirteen, thirteen, thirteen, thirteen" and it seeming to become more intense as I leaned down to place my eye at the hole and work out WTF was happening in there.
Just as I put my eye to the hole a small finger like that of a child poked me in the eye and the crowd stared cheered loudly and started chanting again..
"Fourteen, fourteen, fourteen..."
I went over and bought one. I looked inside, there was nothing about any scam.
Then I hear "extra! extra! 51 people scammed! extra! extra!".
On that note, using it as a pentesting device could be interesting. Perhaps just use the "beep" so the auditor can see how many people trust putting anything into their PC, then at the end cite USB killer.
Turns out there's not enough clearance in USB ports for tens of thousands of volts.
I really wanted to go much higher with the voltages, but the amount of noise this thing puts out de-focuses the camera.
(The wiring was originally done by my grandad'a brother - use a professional people...)
(that's US wiring but surely there's a UK equivalent)
This tester can simulate a 10A or 15A load and measure voltage drop, which should remain within 5% of its unloaded value (this is the recommendation in U.S. code). This can identify situations where connections are weak, or wires are too long or too thin.
It has also helped me to improve my wiring practices. It turns out that keeping voltage within 5%, under a 15A load on a 20A circuit, is pretty demanding, and a series of (say) 8 or 10 twisted connections may not meet it, if you are not careful with your technique.
The device can also test GFCI outlets by allowing some current to leak to ground. This provides an end-to-end test in situations where the GFCI is not present at the outlet.
Everything plugged into affected sockets seemed to work just fine. Even a desktop computer + monitor. We only found out because roommate was getting electric shocks from the metal PC casing.
When the place was raided by the police and the computer confiscated, the fun and games began.
The computer was never returned.
Things like not being able to stick things into the line/neutral holes unless the ground pin (which is longer) is inserted make them very safe, and the plastic lower part of the line/neutral pins to stop you accidentally touching something that will have current running through it until the plug is safely inserted is inspired.
The reason why they have fuses is so you can use ring circuits, which saves copper compared to the usual radial wiring. So its just about saving a little money.
Everyone now gets to state his favourite plug type. Bring it on!
Mine is the swiss Type J (http://www.worldstandards.eu/electricity/plugs-and-sockets/j...). Its safe, not an eyesore and very space efficient. Its safe against voltage reversal, usually has a protective shroud and the ground pin is contacting first. Well engineered, very swiss like.
Some people do, I think its an expression of culture. Its hard not to notice that the swiss and the nordic countries (especially Sweden and Norway) value a certain aesthetics. This expresses itself in many things, ranging from architecture to product design, art and the design of public spaces.
There is a reason swiss typography was big, and why nordic design is appreciated all over the world. It could only emerge from these cultural surroundings, its a mindset.
That plug is an expression of british engineering values. Its certainly a very well designed plug, but I also believe the reason why swiss and nordic products are more popular than british ones is that they are made with a different approach.
Probably those same values are also the reason why british music is so great, and why swiss music is... oh well, have you ever listened to mundart-rock? So I'm not saying X is better than Y, there are trade-offs involved.
Reminds me of a favorite recording of Dizzy Gillespie playing with his band at Montreux. It's a pretty reserved audience, and Dizzy, who was renowned for having a lively interchange with his audiences, said while introducing vibe player Milt Jackson:
"So far, you are a typical Swiss audience. Of course, a Swiss audience might not be the greatest audience in the world. But they will do until the real thing comes along."
The last was said mirthfully, pausing to emphasize each word, and the audience chuckles good-naturedly, knowing their limitations.
Looking at plugs, I suspect that many get round this by making the housing of the plug much more firmly attached to the cable.
OP is talking about the failure mode when you pull the cable out of the plug - the live and neutral cables are shorter and tighter and will fail first, leaving the earth wire to fail last.
edit: now that I think of it, Schuko plugs of the install-yourself kind where you can attach cable with a screwdriver (not solid plastic with the cable) are done so that the earth cable is longer than L/N are inside the casing.
(It was probably more useful 20 or more years ago, before moulded plugs were common.)
However, it is very unusual if the cable comes loose from the plug casing.
See http://www.netonnet.se/ItemImages/koppla-och-anslut/el/el-ka... and http://media.conrad.com/medias/global/ce/9000_9999/9400/9440... The first one there is the most common plug here actually.
The problem with British plugs though is the rectangular pins. Mechanically, it's simpler to get a good large contact surface area with a circular pin in a circular socket. You do sometimes come across UK sockets which have been slightly damaged and get hot because the contact resistance is no longer negligible.
Of course, there's no guarantee what your reward will be, and they maybe aren't the safest.
You can also trick it by doing a sort of dance with te plug where you partially force in the ground, then one live, then you spin it and put the other one in.
The day we have USB wall sockets can't come soon enough.
Same in Australia, of course you can still go off an buy and Apple Laptop charger with no ground.
The relevant Australian Standard (AS/NZ 3820, I think?) tells you an electrical appliance doesn't need to have an earth pin if it's double insulated, which the MacBook charger, and the stick blender in my kitchen, amongst others, are.
Source: I'm certified for Electrical Test & Tag in Australia.
Personally, I'm not too bothered either way. I don't find either any more or less annoying as they're both pretty bulky, unless you're using Europlugs, which lack most of the benefits of Schuko plugs.
Still nothing compares in its awfulness to North American plugs. Aussie plugs are similar, but they had the good sense to tilt the prongs at an angle to give the plug better mechanical stability.
Being able to plug them in ungrounded Euro sockets is handy, but also makes them less safe.
I do not now if modern UK homes are still wired like this.
In modern times the individual fuse still makes it safer, but it is also one of the reasons UK plugs are so large and clunky.
And while our plugs may be clunky, I kind of prefer them to the wobbly, spark emitting two-pin plugs that I seem to come across in the US...
India (and other places) still use the older standard, BS 546. That's also used for things like theatre lighting in the UK.
There have been other stories of "contagious" hardware damage in the past, like the infamous ZIP drive "click of death", but that HD is the first one I've seen personally.
Usual story: replacement part is about £0.50 and I could replace it in the lab, but postage for one part is £4.
Might see if I can get one as a sample, or from the Far East with 'free shipping'.
Many moons ago, I worked in the education sector and some smart kid ran a paper stapler up a keyboard lead, leaving it full of metal staples. The power short blew an axial fuse on the motherboard. The next user encountered a 'dead keyboard', so they swapped it for the one on the next desk..repeat 6 times before someone realised the fault was travelling with the keyboard...
Turns out this is a very old idea. :-)
If the TSA or foreign equivalent border security want to scan your devices, it's their look-out.
Jokes aside... it would be interesting to see what would happen if someone had such nerve.
When they ask you to hand over all personal electronics, point to it and say "that's dangerous".
If, subsequently, they want to know why you were carrying it ... it was so you could fry the USB port of your own laptop if you thought someone had snuck some hardware-level malware into it.
If you tell them NOT TO DO IT and they go ahead and do it, I find it hard to see how a court could convict you of wilfully damaging their forensic equipment.
(To the extent there's any social engineering involved, it simply relies on the tendency of police to ignore or discount unsolicited information from members of the public who are under suspicion.)
Note that they won't be sticking the device in a laptop or desktop PC; specialist forensic imaging machines are used by law enforcement to duplicate data storage devices and maintain a legal chain of evidence. Oops.
So, there's nothing about USB that makes people especially deserving of punishment if they go using strange ones; there's a base level of societal trust required for the abstraction of a "side-effect-free data storage object" to exist in the first place.
To say otherwise is similar to purposefully driving the wrong way down the road and getting into a 28-car pile-up, and then saying that this is a lesson in how cars are inherently dangerous and people should avoid driving near strangers. The security mindset can only make you so safe; at some point, you have to trust that strangers aren't trying to kill you in order to be able to live your life.
(Though, in this case, you could just avoid all physical peripherals and ask the person to email you the file instead. At least all you can get from that is a virus.)
Of course I'm joking with my approval for installing boobytrapped dead drops - but the point is, connecting to a random thumbdrive sticking out of a wall sounds like a dumbest computer-related idea ever.
I've often wondered what percentage of those dirt-cheap UBS devices sold on eBay are actually trojan horses. Provide a basic functional USB hub at a cut-rate price, but exploit the access to your customer's PC for nefarious purposes. Seems like an easy crime to perpetrate.
Can a simple device be created that we can plug any USB into and simply receive an indication its safe and its capacity? How hard can this be?
* There is a device called a 'USB Condom' but it's only for charging purposes, and completely restricts data access.
The old school version required a portable generator. Miniaturization at its finest!
Looks like I'm stocking up on Raspberry Pi-s to deal with my curiosity from now on...
Besides, pretty much anything can be characterised as "a way" to increase security awareness, up to and including murder of the victim. The victim's friends and family will be a lot more wary of whatever did the murder - the goal of 'security awareness' has been increased. But "a way" is not the same as "a good way".
Say you replace the contents of one of those bright-coloured sticky sweet liquors with a similarly-coloured cleaning fluid? Then leave it in your liquor cabinet, "to teach people to not touch your stuff". I'm not even sure that's legal.
I once heard a story of someone storing their concentrated GHB (a drug, clear liquid), in a vodka bottle. If someone had accidentally poured themselves a shot of that, the consequences would have been pretty bad.
On a similar note, I'm not sure about the US, but in the Netherlands, it's actually illegal to booby-trap your own home. If an intruder gets hurt, you're liable. I don't think this law exists to protect burglars, but instead it is to protect well-intentioned unlucky people from "accidents" caused by terrible and idiotic "security" measures.
Makes me think about the car-alarm in Snow Crash, which delivered a fatal several thousand volts to whoever tried to open it without a key (or maybe it was a flame-thrower, I forgot).
This is called the Castle doctrine, and in the US it varies on a state-by-state basis. I'm not sure if it would cover "booby-traps" or not, since technically you are protecting yourself from an intruder.
In this case the bad device you control is a truly malicious payload whose damage can be measured in dollars.
Won't even be able to charge it after anything happen to that port.
But I don't understand the excerpt about the guy writing number 129 on a USB stick and stuff. Why would he plug it in his laptop if he knew it would burn it? And if it was intential, aren't there easier ways to burn it? Thanks for explaining...
Highly unlikely that 129 people in a row respond like that though...
More likely is that someone destroys the USB device in anger, dismantles it, is too shocked to do anything, doesn't interpret the number as a counter, or doesn't want to ruin other people's computer. And, of course, that many people in a row stealing a USB device from a backpack is already unlikely in itself.
I think every other non-optical port on your computer is just as susceptible to electrical attack. The only real difference is that USB provides its own power.
This is a human delivery mechanism for a physical attack.
You could make a DVI cable that was covertly a water hose, but that's not a DVI problem.
Lesson is not to use/touch the USB stuffs not belongs to you. Good moral story for 2nd grader.