The Honey Stick Project


Beware security vendors (or anyone) bearing gifts with a USB plug

Posted in Stories about Mobile Data Risks, tips by Administrator on March 20th, 2008

There apparently is a rule-book somewhere that says “Never give a woman a gift with a cord or a handle, unless it is a purse filled with money…” The rationale is that the gesture will very likely be taken the wrong way by the recipient, possibly with thoughts of, “You expect me to do housework for the rest of my life?”

Most men only have to make this mistake once to understand the gravity of such a well-intentioned act of generosity. You can also see the effects of such a faux-pas by watching the movie “Father of the Bride” with Steve Martin, where the bride-to-be has a meltdown when the groom gives her a blender as a wedding gift. Dad had to explain to her that it was actually a well-intentioned gift, with the thought that maybe someday she’d want to “blend something”…

Now consider the following gift-giving situation in the business world that was nicely documented by William Jackson at “Government Security News” in July 2007 (click HERE). A vendor called Senforce distributed a number of U3 USB drives (i.e. a specially architected type of memory stick) as a marketing give-away, and with William the give-away fulfilled its intended purpose perfectly. The intent, apparently, was to raise awareness of how risky it is to put unknown devices into your computer. He found that the device had been configured with a “supposedly” harmless program that used some loopholes in the Windows architecture to demonstrate how easily data can be extracted from your computer, in an exploit that Senforce called “Thumbsucking”.

The USB drive, when plugged into William’s computer, copied a number of files from his “My Documents” folder onto the device without any warning dialogs or other indication of what was happening. This fits my broad definition (in the more “active” sense) of a Honey Stick, as defined in my privacy paper (click HERE).

The demonstration worked perfectly, but I suspect it also had a double-edged sword effect. Despite the note that the recipient could “delete the contents” and re-use the device for their own purposes, Senforce apparently also clearly entertained and spelled out the possibility of using the device to pull jokes on friends or demonstrate the risks to others. This has to be a violation of some gift-giving rule in the business world. My guess is that many recipients would have become uncomfortable at the thought of a vendor not only facilitating this activity, but practically suggesting that people use it. I don’t know if Senforce got any negative feedback on this one, but I wouldn’t be surprised.
It’s one thing for a security professional to do such a demonstration, or to run a commissioned test with potentially dangerous software in a controlled environment. It’s another thing to release the device into the wild, with unknown consequences.

In comparison, the Honey Stick Project uses only passive HTML links, the same as any simple link found on every Web site. In addition, I publish a privacy policy that covers how any Personally Identifiable Information, if collected, is handled. So, there is no danger that a Honey Stick can be used in a way that causes any damage to anyone.
The relevant point here is that I think there is a fine line between a company giving away something cool and valuable to members of the public as an aide-memoire for its brand, and that same company giving away a device with an embedded booby trap that has the potential to cause a plethora of unwanted, and likely embarrassing, outcomes.

Perhaps Senforce didn’t think of the potential consequences or the psychological impact on the recipients. Or, maybe they knew the risks and were just pushing the envelope.
Whatever their intent was, my belief is that you should NEVER plug an unknown device into your home or work computer. And don’t count on any help from your Anti-Virus or end-point security solutions for a while, although they will surely have a solution to this risk in the future, by intercepting anything that tries to run automatically from a USB drive.
In the meantime, just tell the gift-giver “It’s my policy not to accept any gifts with USB plugs on them…”
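Until the end-point products catch up, the setting that stops a U3-style stick from launching anything on insertion is Windows' own AutoRun policy. As an added example (not code from the original post or from the Honey Stick Project), this PowerShell script audits, and with -Enforce sets, the standard Explorer policy values that disable AutoRun for all drive types and make Windows ignore autorun.inf; the script and its output format are my construction, the registry paths and value names are the documented ones.

```powershell
# Added example: audit/harden Windows AutoRun so an autorun.inf on an inserted
# drive (including the CD-ROM partition a U3 stick emulates) is not executed.
# Run in an elevated PowerShell; without -Enforce it only reports.
param([switch]$Enforce)

# Machine-wide and per-user Explorer policy keys (both are honoured by Windows).
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type;
# NoAutorun = 1 makes Windows ignore autorun.inf commands entirely.
$desired = @{ NoDriveTypeAutoRun = 0xFF; NoAutorun = 1 }

function Get-AutoRunState {
    foreach ($key in $policyKeys) {
        foreach ($name in $desired.Keys) {
            # Missing key or value yields $null, which is reported as non-compliant.
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Current   = $value
                Desired   = $desired[$name]
                Compliant = ($value -eq $desired[$name])
            }
        }
    }
}

$state = Get-AutoRunState
$state | Format-Table -AutoSize

if ($Enforce) {
    foreach ($item in ($state | Where-Object { -not $_.Compliant })) {
        # Policy keys may not exist on a machine that has never had a policy applied.
        if (-not (Test-Path $item.Key)) { New-Item -Path $item.Key -Force | Out-Null }
        Set-ItemProperty -Path $item.Key -Name $item.Name -Value $item.Desired -Type DWord
        Write-Host "Set $($item.Key)\$($item.Name) = $($item.Desired)"
    }
}
```

Note that these values stop autorun.inf from being acted on; they do not stop a device that presents itself as a keyboard or other input device, so the post's advice about unknown devices still stands.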
