Hey Secret Service: Don't Plug Suspect USB Sticks into Random Computers

I just noticed this bit from the incredibly weird story of the Chinese woman arrested at Mar-a-Lago:

Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang's thumb drive into his computer, it immediately began to install files, a "very out-of-the-ordinary" event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich testified. The analysis is ongoing but still inconclusive, he said.

This is what passes for forensics at the Secret Service? I expect better.

EDITED TO ADD (4/9): I know this post is peripherally related to Trump. I know some readers can't help themselves from talking about broader issues surrounding Trump, Russia, and so on. Please do not comment to those posts. I will delete them as soon as I see them.

EDITED TO ADD (4/9): Ars Technica has more detail.

Posted on April 9, 2019 at 6:54 AM • 42 Comments


Kai • April 9, 2019 7:07 AM

What I'd like to know is what has been done with the Secret Service laptop? I hope it was immediately quarantined, investigated and either wiped or destroyed. Judging from the agent's actions initially in actually plugging the USB drive in, I'm guessing he's run a malware scan and pronounced it fit for use.

Not only has he risked infecting his machine (and potentially any other machine on the same network) but he's also risked destroying evidence on the USB.

Amateur move.

Brian Heim • April 9, 2019 7:24 AM

I am curious though, from my own standpoint, what IS the best method for potentially suspect USB drives.
I have been asked to scan drives from time to time by my associates. The drives are supplied by me originally but I don't always know where they have been.

I keep the obvious settings of autorun, etc., turned off in the OS.


JW • April 9, 2019 7:25 AM

From the Ars Technica article:

A Secret Service official speaking on background told Ars that the agency has strict policies over what devices can be connected to computers inside its network and that all of those policies were followed in the analysis of the malware carried by Zhang.

"No outside devices, hard drives, thumbdrives, et cetera would ever be plugged into, or could ever be plugged into, a secret service network," the official said. Instead, devices being analyzed are connected exclusively to forensic computers that are segregated from the agency network. Referring to the thumb drive confiscated from Zhang, the official said: "The agent didn’t pick it up and stick it into a Secret Service network computer to see what was on it." The agent didn't know why Ivanovich testified that the analysis was quickly halted when the connected computer became corrupted.

jbmartin6 • April 9, 2019 8:33 AM

Let's not rush to judgement without the details. It is possible that the official system is too annoying and cumbersome so agents use a throwaway device for quick analysis, possibly without the knowledge of higher ups. They may be quite aware of the dangers but find that doing it this way saves a lot of time dealing with false positives instead of treating every device like plutonium from the start.

parabarbarian • April 9, 2019 9:40 AM

@Brian Heim

"I am curious though, from my own standpoint, what IS the best method for potentially suspect USB drives."

I generally do that using a Linux laptop. When necessary, it is connected to a subnet that can only go outside the corporate network through a different firewall than business traffic. It is not perfect, of course, and requires some common sense but it has worked for me so far.

Phill Hallam-Baker • April 9, 2019 9:59 AM

I rather suspect that we have Chinese whispers here. And the fact that Trump is involved encourages people to believe the worst of everyone round him.

It also means that the Secret Service will be looking to make sure that whatever official statement they make is as accurate as possible which means it is likely delayed. That creates a vacuum in which unofficial sources can leak partial information that is extrapolated. Nor is the WH necessarily going to want to post rebuttals because that doesn't necessarily help, often it just means that a bad story lasts an extra day.

I have worked with the Secret Service, they do stuff by the book. So I am 99% certain that the USB drive was put into an evidence bag on site. The forensics team would want the opportunity to take fingerprints.

An agent is not going to open a tamper proof evidence bag and put the drive into their personal laptop. That makes no sense. They already expect it to have malware on it. So it is going to be plugged into a machine dedicated to forensics. And we know that the US Govt has that expertise because we know people who work for them.

The forensics machine is going to run a virtual machine, and that machine should have a trigger built in to detect attempts to erase whatever is on the USB stick. It could be a code book or the like. It could be details of a drugs deal. The forensics machine is going to have at least the features the FBI have discovered they need from decades of computer forensics, and at least one drug dealer must have had the idea of putting malware on their device to delete the evidence against them.

It is not necessarily even a USB memory stick. These days you could easily issue a spy a computer on a stick that won't release data unless the agent gives the right knock sequence.

So basically the report sounds to me like the Secret Service did exactly what they are supposed to and the USB stick caused the virtual machine to halt as it is supposed to before it could corrupt the evidence. Which is exactly what you would want in an initial test. That would spread as rumor among agents without forensic expertise who interpolated.

Denton Scratch • April 9, 2019 10:04 AM

[from Ars Technica] "and a signal detector that could scan an area for hidden cameras"

That sounds really odd; a camera (as such) doesn't normally emit signals. Perhaps they meant a signal detector that could detect - well - signals? If they're on about a wifi camera, then the signals would be wifi signals, right? Not "camera" signals.

@parabarbarian "I generally do that using a Linux laptop."

Indeed (and of course it doesn't have to be a laptop). Linux can easily be configured to not try and mount random block devices. With the device not mounted, you can then inspect the contents, and make your decision about whether you like it or not.

What surprises me is that the operative (and the agency he works for) were willing to confess to such a huge, monster bungle. They almost seem to be bragging about it. Are these people children? I mean - doesn't that mean his boss is incompetent, for hiring him? What about his boss's boss, for hiring the incompetent boss? Of course, the chain of command is recursive; as one might say, "it's turtles all the way up".

Note: I deliberately didn't mention the Commander In Chief, because orders. (Oops - now I did - sorry)

Petre Peter • April 9, 2019 10:10 AM

There were no tests being done. This changes the definition of forensics.

Denton Scratch • April 9, 2019 10:11 AM

I don't agree that this is any kind of sensible forensics routine. You don't allow random software to run off a random thumb drive, even on a VM. Of course, nobody cares about the throwaway VM; but the software could tamper with the evidence on the thumb drive.

Theora Peterson • April 9, 2019 10:12 AM

Isn't that how Stuxnet was installed on Iraqi computers that were used for uranium enrichment, wrecking the equipment?

CMeier • April 9, 2019 10:28 AM

@Brian Heim

"I am curious though, from my own standpoint, what IS the best method for potentially suspect USB drives."

I have found that scanning suspect drives with the face of a hammer works quite well.

Seattle Sipper • April 9, 2019 10:30 AM

@Denton, regarding "That sounds really odd; a camera (as such) doesn't normally emit signals."

A couple of thoughts. Most cameras today emit IR for low-light situations, so one can search for (point) sources of IR above the background levels. Most cameras have well-defined scan rates, so one can detect EMI radiation at a variety of frequencies linked to the regular scan rates. Yes, one can omit IR emitters and use non-standard scan rates, but there will be regular (repeated) frequencies related to scan rates and a sensor can search for them. There may also be unusual reflections off the lens of the camera distinct from conventional (e.g., flat) glass. Lots of simple things to search for.

Impossibly Stupid • April 9, 2019 10:37 AM

"This is what passes for forensics at the Secret Service? I expect better."

Why? As I've noted in other posts, there's nothing I've seen in current hiring practices that demonstrates anyone is really looking for the best and brightest talent that's available. Everything is about keyword matching and making the job of HR drones easier. It's one of the biggest technology failures that isn't being widely discussed, and the poor results go well beyond basic security issues.

@Brian Heim

"I am curious though, from my own standpoint, what IS the best method for potentially suspect USB drives."

First would be discarding the assumption that it actually is a USB drive rather than something like a USB Killer. It's not my area of expertise, but I assume proper forensic analysis progressively examines and exercises the hardware and software elements to see what the results are. As far as what best practices are outside a lab, I'd probably use a low-cost, disposable system like a Raspberry Pi (sans network, of course) to try and get at the data.


"Let's not rush to judgement without the details."

Yeah, but it remains odd that, as @JW notes, we're getting conflicting stories regarding what actions were taken. What I'd like to see is a report about how security necessarily differs at a private resort like Mar-a-Lago compared to a more traditional Presidential "getaway" like Camp David. I have no doubt that the job of the Secret Service has gotten much more difficult in the last 10 years (thanks to the popularity of smart phones and the, uh, "culture" that surrounds them).

Vesselin Bontchev • April 9, 2019 11:10 AM

Please note that the story is based on the testimony of a Secret Service agent who was, for lack of a better word, a technical dipshit. He wasn't the person analyzing the USB. He probably didn't even have a clue what the person analyzing it actually did and observed. He was the person who wrote the affidavit, so he was the one to testify - and he himself noted that he wasn't technical. So, we don't really know what has actually happened.

Note that normal flash drives don't automatically run programs from their contents since 2011. Unless the agent used a WinXP SP3 that hadn't been updated since February 2011 (this is when Windows Update introduced this change to WinXP), he wouldn't and couldn't experience auto install from a normal flash drive.

Of course, there are many "buts". For instance, the flash drive could be specially prepared to simulate a USB keyboard or mouse or other kind of HID (Human Interface Device) - the so-called "rubber ducky attack". But, in order to conduct such an attack, the attacker must not only fiddle with the firmware of the flash drive, they must also know the OS and language of the targeted victim machine.

A more likely scenario is a U3 flash drive - these have a partition that looks like a CD-ROM to the computer. And while autorun doesn't work from flash drives any more, it does work from CD-ROMs.

Of course, there are more innocent explanations, too. For instance, it could be that autoplay (not autorun) triggered when the new device was plugged in and Windows displayed the standard dialog, asking what to do with this device. You can't run automatically programs from the flash drive this way - but a non-technical agent could have very well panicked when seeing the dialog.

Basically, my point is that we don't know. There is not enough precise technical information to decide what actually happened.

Note that there are perfectly innocent explanations for the other "suspicious" things too. Having multiple SIM cards is perfectly normal for a frequent traveler. Carrying a camera detector (whatever that is) is also an excellent idea for a traveler, given the recent stories about AirBnB locations monitoring the guests with live feed cameras. And the inconsistent answers Zhang gave when questioned are also what is to be expected from a panicked tourist. An intelligence professional would have had a ready and consistent story explaining everything.

It is pointless to speculate, because we don't know the actual facts.

Mike E. • April 9, 2019 11:22 AM

And as a Secret Service agent, I assume he was given at least basic level federal agent training related to evidence handling at FLETC (or wherever the SS sends their agents), and that is NOT how you handle digital evidence. At least in the FBI, each Field Office and most RAs have a small team whose sole purpose in life is to safely ingest and analyze digital evidence in a manner that is forensically sound and the results admissible in court.

Michael • April 9, 2019 11:30 AM

In my opinion, the safest way to deal with a suspicious USB flash/thumb drive is to insert it into a Chromebook running in Guest mode with Wi-Fi disabled. This is the safest environment most people have access to.

Next step would be to connect the Chromebook to an isolated subnet and track every outbound data packet from the computer. Then plug it into a more popular OS, again on an isolated and logged subnet.

ZH • April 9, 2019 11:36 AM

@Theora Peterson

"Isn't that how Stuxnet was installed on Iraqi computers that were used for uranium enrichment, wrecking the equipment?"

Ah yes, that famous cyber attack rumored to have been carried out by the Canadians and the Jordanians...

David A Wilson • April 9, 2019 3:13 PM

Plug it in, and arrest her on charges of trying to compromise a Federal network (or something similar) when things go awry.

Clive Robinson • April 9, 2019 3:57 PM

@Denton Scratch,

"That sounds really odd; a camera (as such) doesn't normally emit signals. Perhaps they meant a signal detector that could detect - well - signals? If they're on about a wifi camera, then the signals would be wifi signals, right? Not "camera" signals."

This has been talked about on this blog in the past and I've explained it several times.

For a camera --in most cases-- to work it has to focus the image onto some kind of photo-sensitive surface. Due to this the very simple physics process called "180 degree internal reflection" happens. It's the same reason you get red-eye in photographs taken with an instamatic or phone where the flash is closely located to the camera lens.

It's incredibly easy to make such a device; most low light cameras are IR sensitive, which you can see on really cheap digital cameras or mobile phones. Find an IR emitter such as a TV remote, turn out the lights and, with the camera or phone display on, point the TV remote at it and press a button. If you see flashes on the screen then the camera sensor does not have an IR sensor. So you can build an IR attachment for it with a two dollar IR emitting LED, a resistor and a battery.

If you don't care about being so covert, just use an ordinary LED torch. Hold it against the side of your phone or camera, or even upside the side of your head close to your eye, facing in the direction you are looking. With the lights out you will see any camera that is focused on your area, in the same way cats-eyes in the roads work at night.

There are "bug hunter" type devices that sweep across various VHF, UHF, and microwave bands, looking for strong signals. When it finds one it stops and listens for a short while to see what type of modulation is being used. The earliest types were just receivers and would play any audio out such that either the operator could hear what was being transmitted or in some cases cause audio feedback so the squealing noise can be heard and used to finepoint find the bug location. Later, slightly more covert devices would on finding a signal send out an audio noise burst that was actually a Gold code or JPL ranging code and look for the autocorrelation function at the receiver. If it found one then the range to the bug could be given. With two audio signal sources the direction could also be easily given.

Some more modern devices now have a flashing light that again produces an autocorrelation signal at the receiver output if an ordinary CCTV camera is picking up the flashing.

I've designed systems that also pick up digital output such as TCP/IP packets. In order to conserve network bandwidth some cameras only send "difference signals", that is the current frame is compared to the last frame, and only data corresponding to a change is sent. Thus the number and timing of the data packets has a correlation with the flashing of the light.

That should have covered the basics for you.

CallMeLateForSupper • April 9, 2019 4:51 PM

@Theora Peterson
"Isn't that how Stuxnet was installed on Iraqi computers [...]"

How soon we forget; Stuxnet trashed *Iranian* centrifuges.

65535 • April 9, 2019 7:54 PM

I can picture the event.

SS Guy plugs the thumb drive into his laptop and autoruns start screaming by on his screen with Chinese characters and opening multiple windows.

Then there is a puff of smoke out of the computer and the screen goes black.

SS Guy: "Wow, my laptop is bricked! I think we need to analyze this..."

Esteban • April 9, 2019 8:28 PM

We should be grateful we live in a country where this is public knowledge. Plenty of places including some more advanced democratic countries would try to block reporters from the courthouse or scuttle the news for fear of embarrassment. Yes a lot of people are trying to post here their disdain of a president or a party, much like others did with the previous administration. The internet creates radicalized people who cannot think for themselves or discern the truth. But fortunately we still have the ability to learn this kind of information no matter who sits in the Oval Office.

Maxwell's Daemon • April 10, 2019 1:47 AM

@Vesselin Bontchev

I have such a stick here which appears as a CD-ROM then hands off to the 64GB (56GB usable) executing a known executable.

No, Stuxnet took control of the computers controlling the centrifuges which have critical tolerances imposed by their rotation speed and the uranium-hexafluoride gas that is being processed for enrichment. Mess with the rotation speed, especially with certain variances, and end up with trashed centrifuges and a serious industrial/radiation accident.

Givon Zirkind • April 10, 2019 5:00 AM

@Vesselin Bontchev -- The innocent explanations stop at the 4 passports. Yes, I know multinationals. But, for a copper (investigator), there are too many odd coincidences. This needs investigation and verification. And, she was going to the pool without a bathing suit, if the news reports were accurate.

The plausible explanations stated above aside, I am reminded of a story, years ago, that an undercover Secret Service agent called a drug dealer, repeatedly, from a public phone outside the Secret Service building. The drug dealer had an 800 with ANI. He figured out where his buyer was repeatedly calling from and shut down. There was a move after that to educate agents better in phone tech.

me • April 10, 2019 7:04 AM

@Denton Scratch

Nope, a camera emits a signal, even if it's not a wifi camera.
This is because it's an electric device.

We built at school an electric wire detector, so that you can detect where an electric wire is inside a wall without destroying the wall.
Super cheap device.

Now if you put it near the television or any other electronic device it will light up and detect it.

@Theora Peterson
Yes, it used a Windows zero-day vulnerability in how Windows parses link (.lnk) files.

me • April 10, 2019 7:11 AM

@Denton Scratch (and anyone else that might be interested)
The idea behind detecting electric wires and metal detectors is that, while you usually build electronic circuits so that they are immune to noise/signals and other types of interference, here you do exactly the opposite:
you build an "imperfect" circuit which will work differently because of interference.
Also note that the way you detect electric wires *with current flowing inside them* is different from how you detect metals (metal detector). The electronic circuit and physics behind both are different.

Me • April 10, 2019 9:09 AM

@Impossibly Stupid

I would be less worried about a USB killer and more about a rubber ducky.

They take the simple step of telling the computer they are a drive AND a keyboard.

Keyboards are users, so the computer is usually set to trust them, you would need a computer set to not mount any new devices to prevent them from running rampant.
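A host-side policy check for the composite "drive AND keyboard" shape this comment describes, combined with Dave's later suggestion of locking the session when an unrecognised keyboard appears. This is an added example, not code from the post or any commenter; it works on USB interface descriptors written as class:subclass:protocol hex triples (the notation lsusb and USBGuard report), and every device, vendor ID and product ID below is a constructed sample.

```python
"""Decide what to do with a newly attached USB device from its interface
descriptors alone, before any driver binds to it.

Added example, not from the blog post or its commenters.  Interface triples
are class:subclass:protocol in hex, as lsusb prints them; sample devices and
their vendor/product IDs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_HUB = 0x09
HID_BOOT_KEYBOARD = (0x03, 0x01, 0x01)  # HID class, boot subclass, keyboard protocol


@dataclass(frozen=True)
class UsbDevice:
    name: str
    vid: int
    pid: int
    interfaces: tuple[tuple[int, int, int], ...]


def parse_interfaces(text: str) -> tuple[tuple[int, int, int], ...]:
    """Turn 'cc:ss:pp cc:ss:pp ...' into a tuple of integer triples."""
    triples = []
    for token in text.split():
        parts = token.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed interface triple: {token!r}")
        cc, ss, pp = (int(p, 16) for p in parts)
        triples.append((cc, ss, pp))
    return tuple(triples)


def evaluate(dev: UsbDevice, known_keyboards: frozenset[tuple[int, int]] = frozenset()) -> tuple[str, str]:
    """Return (verdict, reason).  Verdicts: block, lock-and-ask, allow-storage, allow."""
    classes = {cc for cc, _, _ in dev.interfaces}
    is_storage = USB_CLASS_MASS_STORAGE in classes
    is_hid = USB_CLASS_HID in classes
    is_keyboard = HID_BOOT_KEYBOARD in dev.interfaces

    if is_storage and is_hid:
        # A "drive" that also wants to type: refuse it outright.
        return "block", "mass-storage device also presents a HID interface"
    if is_keyboard and (dev.vid, dev.pid) not in known_keyboards:
        # A keyboard the host has never seen: lock the session and let the
        # user confirm it before any of its keystrokes are accepted.
        return "lock-and-ask", "unrecognised keyboard attached"
    if is_storage:
        # Plain storage is attached read-only and never auto-mounted.
        return "allow-storage", "mass storage: attach read-only, no automount"
    return "allow", "no storage or input interfaces of concern"


def audit(devices: list[UsbDevice], known_keyboards: frozenset[tuple[int, int]] = frozenset()) -> dict[str, str]:
    """Verdict per device name, the form a udev or USBGuard hook would act on."""
    return {d.name: evaluate(d, known_keyboards)[0] for d in devices}


# Constructed samples (VID/PID values are placeholders, not real vendors).
SAMPLES = [
    UsbDevice("plain stick", 0x1234, 0x0001, parse_interfaces("08:06:50")),
    UsbDevice("stick that also types", 0x1234, 0x0002, parse_interfaces("08:06:50 03:01:01")),
    UsbDevice("keyboard", 0x1234, 0x0003, parse_interfaces("03:01:01")),
    UsbDevice("hub", 0x1234, 0x0004, parse_interfaces("09:00:00")),
]

if __name__ == "__main__":
    for dev in SAMPLES:
        verdict, reason = evaluate(dev)
        print(f"{dev.name:22s} {verdict:14s} {reason}")
```

USBGuard can express the first check declaratively, for example `reject with-interface all-of { 08:*:* 03:00:* }`; the "lock-and-ask" step still needs a session-side hook.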

Frequent Fly On The Wall • April 10, 2019 10:22 AM

Come on people, many travelers have all of those things with them when they travel. Two passports are not at all unusual. It's perfectly legal to carry cash, and under USD10k it doesn't need to be declared. Several phones and SIMs, normal where I live. The only item in that list I consider a bit unusual is that "signal detector", though I think I've seen similar devices for sale in Pantip Plaza in Bangkok, and Asian females do think about hidden cameras, and for good reason. We don't know the details of the "malware" on her thumb drive, but plugging a USB drive into a random computer in an Asian web cafe is very likely to get it infected with malware...

This smells to me like just the latest tit for tat arrest in the Huawei saga, this time of a rich but naive Chinese business woman, speaking little English, who likely fell for some silly scammy tour, promising she'd be able to get close to Trump. Her English, if any, wasn't up to suddenly being interrogated by suspicious feds during her vacation. Could you imagine being in a similar position?

Now it's China's turn again in the new game. And who will their random arrested traveler be... you or me maybe?

Vesselin Bontchev • April 10, 2019 10:33 AM

@Givon Zirkind, I don't know about 4, but at one point I had 3 passports (all in the same name, of course), perfectly legitimately, all valid. One to use internally in my country, one to travel abroad privately, one to travel abroad on business (yes, we needed different passports for these two purposes; they even had different colors).

Some other observations:

  • Given how non-technical the person giving the testimony was, we don't even know whether these were indeed USB flash drives. For instance, he could have mistaken a FIDO2 authentication key for a flash drive - and when plugged in, it would have started installing drivers.
  • Yeah, SS agents are supposed to have proper training in cyber security - and some of them are very good at it. Then again, some are not. Like, you know, not recording sound during the interview, because they didn't bother to check whether it works.
  • Let us assume for a moment that Zhang was indeed a secret agent intending to cause harm by installing malware from a device looking like a USB flash drive. Do you guys seriously think that a professionally made Chinese malware would visibly install something on the machine? Like, you know, with dialog boxes and stuff? No, it would have worked silently.
  • Again, we do not know. The testimony is garbage from a technical point of view. It contains no hard facts to conclude what exactly has happened. Wait for a proper investigation and report by people more competent than the testifying agent.

albert • April 10, 2019 12:07 PM

@Theora Peterson, @etc.,

Last I heard, the malware came from the Iranian vendor that built the machine control system (MCS). The MCS was isolated from the Internet. No one seems to know (or is not talking) about how it got into the vendor. Some suggest it came loaded into a thumb drive used by a Siemens tech. If Siemens did the programming, then that's a violation of Rule #2, that is, in secret projects, keep all your development in house.
. .. . .. --- ....

Impossibly Stupid • April 11, 2019 11:03 AM

"I would be less worried about a USB killer and more about a rubber ducky."

I wouldn't. Faking an input device relies too much on knowing the setup of the computer it gets plugged into. It's no doubt a handy little tool if you can seek out a specific target machine so that you can quickly set it up and walk away, but other USB exploits that have been discussed already make more sense if you're baiting someone. I suppose it all comes down to what the aim of the attack is/was.

"Keyboards are users, so the computer is usually set to trust them, you would need a computer set to not mount any new devices to prevent them from running rampant."

And, honestly, that's exactly what a secure OS should be doing. Convenience often wins out, though, and there's always the issue of how secure any system can be once you, even by proxy, have physical access.

@Frequent Fly On The Wall

"Could you imagine being in a similar position?"

Only to the extent that it makes a semi-plausible cover story. There are so many things that were done that I can't imagine doing if I were just going for a swim at the vacation property of a leader of a foreign country. But, then, the story from the US side of things smells a bit funny, too. It's particularly newsworthy because it's all so puzzling.

@Vesselin Bontchev

"Do you guys seriously think that a professionally made Chinese malware would visibly install something on the machine?"

Depends. If it was designed for a particular target system and was instead plugged into a different (possibly hardened) setup, it's quite possible that the host OS would start kicking out notifications. But I would agree that, if it were a spying operation of some kind, the operational security was just awful. At first blush, nobody appears to have behaved very professionally.

1&1~=Umm • April 11, 2019 4:46 PM

@Maxwell's Daemon:

"No, Stuxnet took control of the computers controlling the centrifuges which have critical tolerances..."

That's what the malware did WHEN it finally got there. However there is a lot more that went before it to get to that stage.

The story was the journey started off on a USB drive of an international nuclear inspector (names have been suggested in the past).

When it was realised a big fat red bull's eye had been painted on all inspectors' backs, the story then got changed to a USB drive bought in some down town market by an employee. Yup, as old a story as the one about Methuselah with the pea and three walnut shells, and probably less true to boot.

The truth of the story we may never know, but it was on balance most probably a "human asset", be they employed covertly by the US, Israel or another nation's IC such as the UK etc. who have 'native boots on the ground'.

The simple fact is Iran was never really the target for the US, it was the NorKs, who had a rocket/nuclear technology swap going on with Iran, and the US saw it as the only way in to 'The Hermit Kingdom'. The NorKs, not being as stupid or as backward as various Western MSM outlets like to paint them, realised they were the real target for the US. So they pulled a very big publicity stunt by inviting in the UN nuclear inspectors to one of their sites. But made it clear to the inspectors 'no USB drives, no mobile phones/computers, absolutely no going near the control electronics, and looking but not touching of the thousands of new design of centrifuges' and pointed the finger very clearly as to why they could not touch etc. In effect the NorKs gave the US the old 'one finger salute', with a large fanfare and world publicity which the shocked Inspectors gave them.

Proving once again the War Hawks in the US and South Korea are less than the dimmest lightbulbs in the corridor. They took it badly, and reacted badly, and thus people in both high and low places all over the world sniggered whilst trying to keep straight faces. Thus confirming, long before an un-named US Official said so, that the US were behind it...

That's some of the bones of the skeleton in that cupboard, but there is a lot more to it than that. The story goes back several decades before and involves a continental EU nation, a foreign student, Pakistan, Libya and the side effects of the Matrix Churchill enquiry into the Iraq Big Gun. Through the mind numbing stupidity of UK agencies and the elected politicians who were ministers trying badly to keep it all hidden from the public eye, lest the public learnt the reality of the very dirty arms trading the UK were not just condoning but UK Ministers were actively complicit in, way past the eyebrows...

1&1~=Umm • April 11, 2019 5:14 PM

"In my opinion, the safest way to deal with a suspicious USB flash/thumb drive is to insert it into a Chromebook running in Guest mode with Wi-Fi disabled."

There are way safer ways. I use a hardware and software solution using low cost microcontrollers that cannot be malware infected. The information is out there if you want to go down that route yourself.

There is also interesting stuff using forensic specific OSs that run on the Raspberry Pi and similar single board embedded computers, if higher level coding is your thing.

Unfortunately any 'commodity PC' and its commercial OS is going to be well known to state level attackers, so the use of commodity PCs irrespective of their brand of commercial OS is not a good idea.

Think of it this way: you have no idea what the tens of thousands of developers at Apple, Google, Microsoft and many other hardware / OS development organisations are doing or have done and pushed out onto PCs and servers. Thus you have no ability 'to trust in the security sense'. Just cross your fingers and pray and 'to trust in the human way'.

Having been around for a decade or so, all I really see is 'the ICT_Sec industry regressing', as previous mistakes not just discovered but solved in the past quickly get forgotten in the relentless push forward. Thus even a new dog can use tricks of two generations before, when granddad was not an old dog.

Things might be moving ever faster but forward progress appears to be somewhat absent in way too many places.

I won't go into the economics of why we are in this mess, but there is no sign that the market in oh so many places actually wants to change...

1&1~=Umm • April 11, 2019 7:07 PM

@Givon Zirkind:

"she was going to the pool without a bathing suit, if the news reports were accurate."

I'm guessing you don't stay in a lot of hotels with all the extra amenities?

Usually the "pool" is part of a "spa" etc.

One of the first things I do on checking in, when I know I have free time in my schedule, is "go look see" what they have got, pick up any freebie stuff and check who I see to book for a service, and find out other things by idle chatter such as when things will be busy etc. Call it 'scoping out the place' or 'getting the lie of the land'.

It's something lots of women do, especially if they are shy or come from parts of the world with a substantially different culture.

Another thing women do frequently is not let their significant others know what they are up to. Either at the time or in the future, as it's not their business to know unless they are control freaks, in which case that's a suicide run relationship. Thus they do as I do, 'pay in cash' rather than charge to the room or put on a credit card etc. So often I will drop in immediately after breakfast on the way back to my room and make an appointment and pay there and then, so no, I don't have my swimming costume or gym bag with me.

Trust me when I say this is quite normal behaviour in hotels and actually means very little if anything.

Thus I suspect the SS team sent their 'useful idiot' to do the paperwork and ink in their name with the judiciary. Thus if it blows up, the old 'Wasn't me boss, I thought you said the big boss said the guy was competent? That's why we sent him' fast deflection technique up the chain of command comes into immediate play.

When in the military one of the first things you learn to do is metaphorically 'step smartly backwards' whenever anyone says 'Any volunteers?' That way 'the dozy lumpen' pay the price of not paying attention.

The second is how to make any problem appear to have come from a couple of steps up the command chain, then offer a solution to your boss. Your boss does not want problems, especially with their boss; if you make the problems magically disappear then you are 'golden'.

Gunter Königsmann • April 11, 2019 7:39 PM

If you carried a stick that copied data to the victim's computer, why would you program the malware in a way that it opens a window saying it is copying data? How else would the agent have found out that this was happening?

Dave • April 12, 2019 8:39 AM

The thought that there is no practical way to defend from a device impersonating a keyboard is wrong. The solution is to lock the screen when any keyboard is detected and let the user decide whether they want to unlock it (as Penteract Disguised-Keyboard Detector does). That would have protected the computer in this case. Unless it had autoplay on, but that's unlikely as Windows 10 has it off by default.

wiley • April 12, 2019 3:49 PM

That wouldn't have necessarily protected the computer. Advanced malware is capable of using exploits against the USB class drivers (rare) or filesystem driver (more common). That would not be possible to avoid without completely disabling USB devices or significantly hardening the operating system. The ACTUAL solution here (which I'm surprised no one has mentioned) is to create an image (bitwise forensic copy) of the USB device using a hardware write blocker, and analyze the image on an airgapped computer. It's not like it's difficult to do. That's STANDARD digital forensics.
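The image-then-analyze workflow this comment describes, together with Denton Scratch's earlier point about inspecting a device without ever mounting it, as an added example that is not code from the post or any commenter. It records the image hash, decodes the MBR partition table, checks for an ISO 9660 volume of the kind a U3-style "CD-ROM" LUN presents, and does a crude raw-byte search for an autorun.inf directory entry; the image is constructed in memory so it runs offline, and analyze_file is the hypothetical entry point you would give the file produced by the write-blocked copy.

```python
"""Inspect a bit-for-bit image of a suspect USB stick without mounting it.

Added example, not from the blog post or its commenters.  It assumes the stick
has already been imaged through a hardware write blocker into a file; the
64-sector image built below is constructed so the code can run offline.
"""
from __future__ import annotations

import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PART_TYPES = {0x01: "FAT12", 0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x83: "Linux", 0xEE: "GPT protective"}


def sha256_hex(data: bytes) -> str:
    """Hash recorded before analysis; recompute later to prove the image is unchanged."""
    return hashlib.sha256(data).hexdigest()


def parse_mbr(data: bytes) -> list[dict]:
    """Decode the four 16-byte partition entries at offset 446 of sector 0."""
    if len(data) < SECTOR or data[510:512] != MBR_SIGNATURE:
        return []  # no DOS partition table: maybe a raw CD-ROM image, see is_iso9660
    parts = []
    for i in range(4):
        entry = data[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS(3) type(1) CHS(3) LBA start(4, LE) sector count(4, LE)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count})
    return parts


def is_iso9660(data: bytes) -> bool:
    """A stick emulating a CD-ROM images as ISO 9660: the primary volume
    descriptor sits in 2048-byte sector 16, type byte 0x01 followed by 'CD001'."""
    off = 16 * 2048
    return len(data) >= off + 6 and data[off] == 1 and data[off + 1:off + 6] == b"CD001"


def autorun_hint(data: bytes) -> bool:
    """Raw search for an autorun.inf entry (FAT 8.3 form 'AUTORUN INF' or the
    plain name).  A hint that deserves a closer look, not proof of anything."""
    hay = data.upper()
    return b"AUTORUN INF" in hay or b"AUTORUN.INF" in hay


def analyze(data: bytes) -> dict:
    """Everything here is computed from the bytes; nothing is mounted or executed."""
    return {"sha256": sha256_hex(data), "size_sectors": len(data) // SECTOR,
            "partitions": parse_mbr(data), "iso9660": is_iso9660(data),
            "autorun_hint": autorun_hint(data)}


def analyze_file(path: str) -> dict:
    """Hypothetical entry point for a real image file produced by the write-blocked copy."""
    with open(path, "rb") as fh:
        return analyze(fh.read())


def build_sample_image() -> bytes:
    """Constructed 64-sector image: one FAT32 partition starting at LBA 8 with an
    autorun.inf directory entry planted inside it."""
    img = bytearray(64 * SECTOR)
    img[446:462] = struct.pack("<B3xB3xII", 0x00, 0x0C, 8, 56)
    img[510:512] = MBR_SIGNATURE
    dir_off = 12 * SECTOR  # FAT directory entries are 32 bytes: 8-byte name, 3-byte ext, ...
    img[dir_off:dir_off + 11] = b"AUTORUN INF"
    return bytes(img)


if __name__ == "__main__":
    for key, value in analyze(build_sample_image()).items():
        print(f"{key}: {value}")
```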

Dave • April 14, 2019 1:52 AM

If the device was using a file system exploit, would the agent be alerted to the file transfers?

Dennis • April 15, 2019 3:42 AM

@Vesselin Bontchev wrote, "It is pointless to speculate, because we don't know the actual facts."

By principle, most facts remain buried. While there is little way of knowing besides educated guesstimations, occasionally they surface a little. Stories like these are way too dependent on third party info that the true event gets lost or tangled through word of mouth.

hooodathunkit • April 16, 2019 6:04 PM

RF & camera detector.
They start at $9.95 and are used in movie theatres all the time. A wideband, low sensitivity detector hums or vibrates (with optional vibration for $30 models) and detects cameras' lenses by looking for back-reflection.

Don't know if that's what the woman was caught with, but still interesting even if it's a relatively common or easy to get item.

wiley • April 16, 2019 10:51 PM

No, generally not. A filesystem exploit would usually give the attacker ring 0 (fully privileged, above root) access.
