33 comments

[ 3.3 ms ] story [ 68.3 ms ] thread
(comment deleted)
Most people would happily plug a random USB stick off the street into their computer.

Personally, I would avoid plugging in random dongles- unless my curiosity got the better of me.

This unemployed London man clearly knows his shit- he plugged the stick into a random library computer!

Get a virtual machine and let your curiosity run wild.
There have been exploits that attack the firmware of the USB microcontroller on your computer. Using a VM doesn’t protect against that.
Better to just use a disposable computer.
But what if it snow crashes you on plugin?
(comment deleted)
my first thought was to use a chrome book :) but then I thought what if it was the kind of USB that was rigged to physically break the computer...
Well then the chromebook was definitely the right choice compared to any other "non specialized in that field" computer
A Raspberry Pi or similarly-cheap board would be my choice.
Better buy an used computer. They are remarkably cheap.
or an old outdated family laptop that's several generations old and wiped clean.
I'd much sooner plug it into something like a RaspberryPi 2 (the one without a Wi-Fi chip). And maybe have it running some *BSD or some such. Something that isn't normally targeted by malware.
"The man turned over the drive to a reporter at the Sunday Mirror."

Clearly the most obvious thing to do.

He may have been paid for it.
Could have made more money at an embassy (risky), or darknet.
Maybe you don't trust the police to keep it safe. Maybe you don't trust the police to trust you and take this seriously. Maybe you'd rather have such mishaps be known than kept silent, hoping for things to get better. Then again I don't know squat about what kind of editorial line or journalistic quality the Sunday Mirror entertains.
A few years ago I found a phone in the street. It didn't have any return-to or ICE message on the homescreen so I decided to drop it into the local police station in case someone was searching for it.

What a mistake that was. Just to hand it in they wanted my name, address, contact details, statement of where and when I found it, what I had done with it since finding it... after standing-around for 10 minutes waiting for the duty officer to saunter down. What an ordeal.

Earlier this year I found another phone in a park and took it to the EE store, as it was branded as one of their phones. "Thanks mate! We'll get it back to its owner. Here, have a coffee and a bun on us for being an honest guy!"

I know which option I'd choose again in future. I don't blame the gentleman in the story for going to a paper rather than the police, especially having found something the mere possession of which could get him arrested.

remember, this is the same country whose current government wants to ban unbreakable end-to-end encryption for its citizens.

the same government that has had so many data breaches that it has its own wikipedia article. https://en.wikipedia.org/wiki/List_of_UK_government_data_los...

"...we remain vigilant to evolving threats by updating our procedures on a daily basis..."

Next on the agenda: How not to lose a usb stick with all that data on it.

Stay vigilant Heahtrow! :)

I'm intrigued by this line in the Mirror article: "There were photos of X-ray machines used by the Queen"

So I guess even the Queen has to go through the security procedures.

To prevent threats from insiders. For example, imagine one of her personal staff is blackmailed into placing a bomb in the Queen's handbag, or similar. Also, if she is flying commercially (the Royals use British Airways first class, I believe) then there is a legal requirement (Perhaps from the EU, or the CAA, and maybe also mandated by the destination's aviation authorities?) to search all passengers and X-ray their carry-on baggage, so she would not be able to exempted - remember flightcrew and even pilots have to go through screening!
1 Sunday Mirror pays for leads, might be hungry insider

2 Windows keeps a log of every USB drive ever plugged in, tracing who used that drive will be trivial IF theres ever an investigation (obviously wont be if CISO suddenly realizes his jacked pockets are empty)

Systems that deal with this level of security should have the USB ports removed / filled with epoxy. Rule one in a skiff (SCIF).
Qui bono? Is it too paranoid to think that leaks from Heathrow benefit Gatwick?
(comment deleted)