
Checking the ingredients of your new jump drive

February 1, 2007

Sure the snack-cake looks tasty, but millions of times a day, people flip the package over to check the ingredients.  If it contains trans-fats, they pass.  It’s a common ritual.

Consider doing the same thing when you buy a USB jump drive. If you see “SmartDrive” or “U3” anywhere on the drive, well, it’s your funeral but I’d look for another jump drive. One clue is that some companies pay the jump drive manufacturer to be included in the capabilities of that drive’s U3 installer (accounting for an unusually low price). Although U3 is billed as a security feature, hackers are quite excited about its possibilities, but that’s not the main problem. Here’s what really pushes it into the “no buy” category for me – picture this:

You buy a new jump drive to carry your files around.  You plug it in, and it seems to take a lot longer to detect than other jump drives; the light flashes for a long time, your machine seems busy, but finally it says “ready”.  So you copy your presentation onto the drive, drop it in your pocket, and head off to give a presentation in another city.

When you get to the venue, you confidently plug the drive into their computer and the system says: “you need administrative access to install software on this machine, please contact your system administrator.” You’d have been totally out of luck if by chance you hadn’t pre-emailed it to your webmail account too. Hardly a convenience feature.

Sandisk and the U3 group deny this happens, of course, but this is only one example of several I have seen. The more I find out about U3, the more I feel inclined to mention it as a warning rather than a feature. 

  • By the way,  the U3 removal tool doesn’t always work properly, either. 
  • And you should be aware that all USB drives pose risks.  Many companies ban them altogether, for good reason.
  • If you’re travelling with a presentation, I recommend assuming your transport method won’t work.  Copy it on a jump drive, pre-email it to yourself, put it on a web page where you can find it, burn it to a CD, and bring your own laptop with the presentation on it.  Be unstoppable!

  • Webs05 has a more in-depth article about the hacking angle here: Smart Drive my ASS!!!
  1. February 2, 2007 at 10:11 | #1

    How about we state this even simpler…

    DON’T BUY A USB DRIVE WITH “U3” TECHNOLOGY OR IF IT SAYS “SMART DRIVE”!!!!!!!!

    PHEW!!  I am glad I got that off my chest.  The reason for me stating this is that I have done a fair amount of research on this topic by now, and have seen that hackers are more excited about this technology than anyone else.

    Reason being, is that U3 allows software to be installed on your jump drive.  It then allows this software to be run from your jump drive on any computer you plug the drive into.  The purpose is that you can have this software on any computer you plug it into, without having to install the software on that system.

    Imagine having 5 pieces of software you always use, with your own settings, installed on a USB drive.  This means that (at least supposedly) you can take these 5 pieces of software and settings with you to any computer and you won’t have to install it.  Just plug in the drive and away you go.

    Imagine being a hacker and getting a hold of this.  Since U3 technology installs in the background, without you knowing, a hacker could do some real damage.  They can create a script that installs itself silently on your computer without you knowing.  This script puts several files on your computer without you knowing.

    This script also deletes any knowledge of the files by editing Windows file properties, registry entries, and log files (they can basically have the script do whatever they want).  So in a matter of minutes you have evil software installed that shuts down any running virus scanners and spyware checking software, and collects user names, password hashes, previously visited websites, web form data (meaning they have user names and passwords from sites you have visited), and as I stated previously…  WHATEVER THEY WANT!

    So be aware of USB drives and people wanting to plug things into your computer.  If they just have to plug in their USB drive to give you a file, tell them to email it to you.  Most virus scanners will catch bad things with their active scanning functions if you download something from email.

  2. February 2, 2007 at 10:16 | #2

    PHEW!!  I am glad I got that off my chest.

    I hope this doesn’t get it completely off your chest – it would be very interesting to see an in-depth article on your blog too.  As usual I am more personally annoyed by the support problems posed by U3 but the hacker angle has the potential to be even worse in the long run.

  3. February 2, 2007 at 10:25 | #3

    I will let you know when I got the article done, that way if you want to link to it you can…

  4. Les
    February 2, 2007 at 14:15 | #4

    I’ve been using a U3 drive for quite some time now without any issues of any kind. I mainly used it to take my browser settings to work at Ford. Ford doesn’t allow users to install software on client machines yet my U3 drive worked just fine every time I plugged it in. Which makes sense because the U3 doesn’t install any applications in the background, not even the launcher that shows up in the systray.

    Since leaving Ford I’ve wiped the drive of the U3 stuff simply because I have no real use for it, but I never had a problem with it and haven’t heard of any hackers successfully hacking PCs via a U3 device.

  5. February 2, 2007 at 15:04 | #5

    I wish I knew how you got that functionality, because I haven’t been able to get a single one to open up on more than one different system without being an administrator.  I think it’s because only the user that first accesses the drive has access to it.  So if you try using it on a different user account, it doesn’t work.

    But here at the college we have had trouble with a Sandisk and a Geek Squad USB drive.

  6. james old guy
    February 5, 2007 at 10:56 | #6

    The real problem is hackers, we keep trying to defend our systems instead of attacking the hackers. Hacking is breaking and entering, plain and simple and add in theft or grand larceny to boot. No one will ever create a system that is hack proof, so maybe it is time to get tough on hackers and their supporters. I can see a time where hacking will, if it hasn’t already, cause death.  This so-called hacking for the greater good is a total lie, and just an excuse for justifying criminal activity.

  7. February 5, 2007 at 11:05 | #7

    Attacking or going after hackers is comparable to a WAR ON DRUGS or a WAR ON TERROR.  Every time you nab one of the offenders, a new one pops up.  There is no end to the madness. 

    And the other problem is going after hackers in other countries, because most of the hacking is probably taking place outside of the US where the hacker feels safer.

    But I guess I would rather see my tax dollars go to a War on Hackers than a War on Drugs… I’m with ya!

  8. February 5, 2007 at 11:19 | #8

    Emotionally I totally agree with serious consequences for all hackers including “white hat”, but rationally I have to recognize in the long run that leaves us more vulnerable.  Because only concerted attempts to pick a lock will reveal its flaws, and there will always be people out to do real damage, who do not care what happens to them.  The hacking equivalent of suicide bombers – actual criminals and terrorists. 

    The white-hats (whose hats are a bit tarnished in my view) at least alert us to avoid U3 technology.  Some systems really are harder to hack than others.  For instance I have heard FreeBSD is regarded as extremely difficult to hack even by hackers, so that is useful to know when building a secure system.  This is the reason I read 2600.

    Unfortunately no simple solution to this problem.

  9. Ed
    May 5, 2007 at 10:08 | #9

    An all-out “war on [white hat] hackers” is simply a ridiculous idea. That would be like a “war on the FD&C”. The FD&C warns us when our food is contaminated. The hackers warn us when Macrosloth Windoze has a gaping security hole (or, usually, hundreds :roll: ).

    Has no one ever heard the saying “don’t shoot the messenger”?

    And to consider a “war on hackers” a more worthy cause than a “war on drugs” discredits you entirely. Drugs are responsible for thousands of deaths every year. How many people have died because someone planted a virus on their computer? In case you don’t know, the answer is: none.

  10. May 5, 2007 at 23:41 | #10

    How many people die from Marijuana?

  11. May 6, 2007 at 08:40 | #11

    How many people die from marijuana?

    I’m not sure the whole “war on drugs” comparison is apt.  Drugs are a substance; hackers are a group of people.  Within the set of all hackers are subsets – some out to do real damage, some out to scam lots of money, and some who are trying to thwart the first two by prompting an industry deep in denial to do something about its fly hanging open.  The reaction to go after all of them throws out the ones who, while irritating, are beneficial.

    Come to think of it, long as we’re mis-comparing hacking and medicine, black-hat hackers are like pathogens.  White-hat hackers are like a vaccine and the IT industry is like the antibodies that sometimes need to be stimulated by that vaccine. 

    OK, this is getting just silly.  ;-P

    Ed’s right, though; “drugs” do kill thousands of people every year.  Weird thing is, they’re prescribed by doctors.

  12. May 6, 2007 at 22:00 | #12

    There was no comparison made.  I was simply making the statement up above that a “War on Hackers” would be better money spent than a “War on Drugs”.  Even though both are a complete waste of money.

    Ed’s right, though; “drugs” do kill thousands of people every year.  Weird thing is, they’re prescribed by doctors.

    Exactly the point I was somewhat getting at with my question.
