[Amorymeltzer]

>they'd throw USB sticks in the parking lot of the company they were pentesting and somebody would always put the thing into a workstation to see what as on it and get p0wned.

One of my favorite quotes is from an unnamed architect of the plan in a 2012 article about Stuxnet/the cyber attacks on Iran's nuclear program:

"It turns out there is always an idiot around who doesn't think much about the thumb drive in their hand."

[mr_mitm]

I don't think we should be calling the users idiots when we failed to make our systems secure by design. If a simple act like plugging in a thumb drive by a well-meaning user undermines the security of an entire operation, then why do we allow such a thing to happen?

Relevant: https://www.schneier.com/blog/archives/2016/10/security_desi...

[eru]

Yes. People used to laugh at the auto-play for CD-ROMs in Windows 95. But if a USB device can hijack your system, is it that different?

[pas]

Are we still at the "Bill Gates got a BSoD during the demo of USB" level?

I know that at least on Linux mounting filesystems can lead to nasty things, so there's FUSE, but ... I have no idea what distros and desktop environments do by default. And then there's all the preview/thumbnail generators and metadata parsers, ...

[eru]

One big problem with USB is that something might look like a storage device to the human eyes and hands, but it's actually a keyboard as far as the computer is concerned.

The U stands for Universal, and it's awfully convenient, but it contributes to the security nightmare.

A CD we can just passively read the bytes off, but if we want our keyboards to just work when we plug them in, then it's going to be harder to secure a supposedly dumb storage device.

[pas]

Sure, and it can be any kinds of device, and ... it can trick the OS to loading strange drivers (with juicy vulnerabilities), but that's the point. How the fuck is this still the norm? (Despite user mode driver frameworks!?)