LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

And why not read the media?

And why not read the media?

Posted Nov 16, 2006 10:09 UTC (Thu) by eru (subscriber, #2753)
In reply to: November: the month of kernel bugs by addw
Parent article: November: the month of kernel bugs

Just find someone who is busy enough and present them with a USB memory stick and they will probably just plug it in. It happens, the vulnerability should not be there.

Wasn't there a fairly recent report of an experiment by some security researchers who just left USB sticks lying on the street? A surprising number of people picked them up and plugged into their computers out of curiosity.

In a sense this is not at all unreasonable behavour. People think USB is just a piece of media, like a CD record, or simply a leaflet. The idea that merely reading it causes bad things to happen is counterintuitive.

I would argue that any system where you cannot safely insert a medium and mount it is seriously broken.

(Log in to post comments)

And why not read the media?

Posted Nov 16, 2006 16:59 UTC (Thu) by ghelmling (guest, #4140) [Link]

There was also the recent case of iPods infected with Windows virii by the manufacturer.

If you can compromise the point of origin for consumer devices, then you do have a potentially very large distribution network.

Of course, it would still probably be far more profitable to focus on Windows exploits than Linux exploits, given the relative size of the target audience, but the same principle applies. I agree that not being able to safely mount media is a serious problem.

And why not read the media?

Posted Nov 16, 2006 20:08 UTC (Thu) by k8to (subscriber, #15413) [Link]

Apologies in advance for my anal retentivity.

The word is viruses.

And why not read the media?

Posted Nov 29, 2006 13:57 UTC (Wed) by rwmj (subscriber, #5474) [Link]

Actually if the iPods were infected deliberately by a program that required the user to run, or ran automatically with an "autorun" mechanism, then the word would be 'trojan' or possibly 'worm' ...

Rich.

And why not read the media?

Posted Nov 16, 2006 21:11 UTC (Thu) by ballombe (subscriber, #9523) [Link]

If you plug an USB stick found on the street, a file system
vulnerability is the least of your worry. The USB stick can
be a device with whatever hidden functionality (exploding when
first plugged, transmit any bit passing throught via wifi to an
attacker, etc.).

And why not read the media?

Posted Nov 17, 2006 8:54 UTC (Fri) by eru (subscriber, #2753) [Link]

The USB stick can be a device with whatever hidden functionality (exploding when first plugged, transmit any bit passing throught via wifi to an attacker, etc.).

A good point. It actually applies to any modern solid-state media, like the various kinds of memory cards used in cameras and such, because they too are active (the system feeds elecricity in them that can run a processor etc.). So is the only kind of safe media the passive ones like tapes, diskettes and CD:s that spin in the drive and are read magnetically or optically? (And even these are not safe if file system code is buggy).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds