USB glory holes: anonymous, offline file-sharing in public space
npr.org

As a security guy, the idea of connecting this to my system scares the bejesus out of me. I want to point two small things out: USB device drivers are universally poorly tested, and this device could be anything. There's nothing stopping such a device from running an exploit in ring0 and taking full, instant control over your system.
For that matter, there's nothing to stop this device having 240V AC across its pins.
I think the term "dead drops" is better than "glory holes", but I suppose you're just as likely to get a virus no matter what it's called.
To be honest, I think glory hole is a pretty accurate description.
I wouldn't put anything I value into either.
I'd like it if "Accuracy, not snark" were part of the submission title guidelines.
Remember: Always use protection.
File-sharing in such form may not be anonymous; for example, one may keep a snapshot of what's on that disk, and then check again after somebody has used it. That could catch anyone wet-handed for sharing anything, be it legal or illegal. The anonymity is not as easy to preserve as it sounds.
Likewise, some may put a virus onto the disk (internally or automatically due to the virus itself), and the next person may not have their computer patched and may have no anti-virus installed.
Previous discussion: http://news.ycombinator.com/item?id=1851088
As much harm as could obviously come from this, surely we can agree that the potential for epic mischief and shenanigans is unmatched?
If I'd discovered one of these near my house in my early teens it would've obsessed me for weeks. I'd probably have ended up learning USB debugging or something to cause further trouble ;) I see this as an absolutely massive jolt to people's natural sense of curiosity which is so often neglected in urban environments.
I don't see why this is USB when the system could work much better with WiFi - multiple users can connect to the same hub without any of them having to physically tether themselves to the spot.
And as for the potential for malware outbreaks, this is basically like a public water tap and just like we filter that water before drinking, scanning the data before using it will solve the malware problem.
The hack here is that someone got a ton of press for the cost of 5 USB drives and a gallon of cement.
As with any time when you couple your device with some random hole, you should take all necessary precautions to avoid contracting a disease.
(I know this comment was intended to be largely funny, but I feel I need to point this out.) Thing is, this isn't like downloading some files, but like dropping a random PCI card into your box. By connecting this to your system, you're really ceding complete control, with effectively no way of preventing any attack from taking place. Is it likely? Not particularly, but it's definitely possible.
It's intended to be serious, I just decided to add the humorous slant to it after I started writing.
If I were to use data from these drops, I'd want a junk system dedicated to the task that I could flatten between uses. Connecting random USB devices to your system is a recipe for disaster in a billion ways. Even connecting well-behaved USB devices to your system with unknown data on them is fairly risky due to the poorly chosen default settings of popular operating systems like Windows.