
> This seems apocryphal. It's trivial to disable USB for a mass storage (or all devices) via things like group policy or other security controls. Or disable the controller.

The question is - where do you stop? The controller could be re-enabled from a lower level, etc. The rabbit hole goes very deep. Sometimes it's best to just take control of the physical layer and call it a day.

> Those USB ports aren't perfect boxes, the epoxy would just run out all over the place.

Epoxy putty would work pretty well, and it's widely available.




There's also value in being able to visually inspect it and say "Yep, that USB port's disabled" versus digging through EFI settings.

Every motherboard is going to have that option in a slightly different place, but if you can put epoxy in one USB port you're pretty well set for any piece of hardware.


This scales to ${number_of_devices_you_can_see}. A hundred or more? Easier to manage remotely. You're also likely to have a very limited number of models in that case.


One thing to keep in mind is that the kind of place which cares about things this much tends to be the kind of place which can hire staff — and it's a lot cheaper to hire technicians who can verify that epoxy plug than the security engineers who can confirm that you've done everything right in software.

Consider another instance of the problem: verifying that your webcam isn't being used to spy on you. Since a surprising number of hardware designers were negligent and made that software controllable it is orders of magnitude easier to simply deploy a piece of tape than try to prove that malware hasn't disabled the status LED:

http://security.stackexchange.com/questions/6758/can-webcams...

http://blog.erratasec.com/2013/12/how-to-disable-webcam-ligh...

How much skill and diligence does it take to confirm that you have disabled the controller using each manufacturer's interface (if they even have one documented), that there isn't some way to re-enable it later (or that something like a sleep/resume cycle didn't reset the controller), and that all of that continues to be true for every subsequent configuration change or software/firmware update?

I would suggest that any organization with this level of risk would be better off paying someone $15/hour to check the ports along with the rest of their physical status checks and put the security engineers in charge of other improvements with a higher return.


The thing is, if you manage those things remotely, so can an attacker. I imagine it would not be impossible for a sufficiently skilled and determined attacker to remotely re-enable the USB ports.

If you are paranoid enough or have actual reason to believe somebody would want to invade your network, epoxy is one way you can be really certain no one can hijack your network via an infected USB flash drive.

EDIT: Of course, if gluing the USB ports shut is all you do to stop attackers, I am pretty much begging for trouble. And as somebody pointed out, disconnecting the USB ports from the main board, possibly disabling the pins is probably a better idea, as well as disabling the USB controller in firmware and locking the BIOS / setup, if it is part of a ... let's say comprehensive approach to securing your network.


> Sometimes it's best to just take control of the physical layer and call it a day.

If you want to stop your everyday user from plugging in USB drives then this is probably all you need to do. In a scenario where you're concerned about insider threats with even a minimal level of computing knowledge, you have to lock down the BIOS and the OS layer as well. "Oh the IT guy put epoxy in the USB ports, guess I'll just take the case off and plug into the USB ports on the motherboard."


You can also cut the traces or epoxy the internal ports as well. It's not hard. It's just about what level of threat you want to live with. I imagine you could always defeat this by cutting through the epoxy or gently sanding the board to put probes directly on the traces, but then again security is all about depth.

I have a friend that worked at LLNL and she used to talk about secured laptops having their USB ports epoxied and the traces physically cut on the camera and microphones to help secure them. I think even the wifi and bluetooth were disabled as well.

After hearing these stories, it made me chuckle at Zuckerberg's masking tape.


Well, of course this doesn't give you a get out of jail free card. You still have to pay attention to the other layers in the stack. This is only about paying attention (or not) to the physical layer directly (as opposed to handling physical security indirectly in higher layers).


Case intrusion sensors are a thing. And I swear I have seen cases with loops for padlocks.


Padlocked cases are common on school computers.


Yeah, I should have suspected. Have not set foot back there in ages though. Thinking about it, I guess schools may be some of the most hostile computing environments in civilian life.


> Thinking about it, I guess schools may be some of the most hostile computing environments in civilian life.

A long time ago, I briefly managed an environment like that. It was crazy. Kids are really good at breaking stuff in creative ways.


For a hardened PC, the first thing I'd do is burn the BIOS into ROM. Read Only Memory. ROM cannot be infected.


Or to put it another way: "ensuring you've secured all hardware and software exploits in your stack from top to bottom" vs "epoxy and focus on network exploits". Don't knock physical security.


> The controller could be re-enabled from a lower level, etc

In a managed environment you could do it via the BIOS trivially, which is most likely locked as well. I mean, glueing the ports is especially stupid. You can chip glue off with your fingers or a key. If you're doing physical things to the PC, you'd most likely just remove the USB header from the mb and call it a day. Pop-open the case, remove it, bend down the pins, or cut it and go about your business. Messing with stuff that takes 60 minutes to cure is ridiculous. Ignoring the OS security policy is ridiculous. Ignoring BIOS controls is ridiculous. Ignoring how security is handled in managed environments is ridiculous.

It would take two minutes for a stoned teenager to pop-open the case and plug in his own USB connector into the header in this scenario. Less time for a determined attacker.

I imagine some middle-manager asshole asked for a piece of plastic to block the panel to make it 'look nice and remind people they're blocked' and some paper-pusher took it as "OMG THEY GLUED THE PORTS TO STOP HACKERS." He was just ignorant of how IT security is really done.

I think it's obvious HN is mostly web-devs, not sysadmins or security people if stuff like this is widely believed and comments contrary to it get instant 'disagree downvotes.' If you think the NSA and the DoD just glue ports instead of doing real security, then I don't know what to say here.


Rather than immediately assuming you know more than the people who implemented this, try to consider why someone who is theoretically smart would want to do this. Also consider that most organizations implement multiple layers of security; adding another layer of security can't hurt here.

> In a managed environment you could do it via the BIOS trivially, which is most likely locked as well.

The BIOS may still not be low-level enough. There is nothing preventing a buggy xhci controller, chipset, BIOS, etc, from being exploited by a rogue USB device. It would be prudent to disable USB in the BIOS AND physically disable the ports somehow.

> Pop-open the case, remove it, bend down the pins, or cut it and go about your business. Messing with stuff that takes 60 minutes to cure is ridiculous.

You do not need epoxy to fully cure, you only need it to reach a point where the viscosity is high enough that enough of it won't drain out of the USB port when you turn the computer on its side. This can easily be under 5 minutes, depending on the type of epoxy and you could even trivially avoid that wait time by putting a piece of tape over the epoxied port. It may also even be cheaper to implement, since you can pay someone minimum wage to fill ports with epoxy, but it takes a slightly higher skill level to do work inside of computer cases. Additionally, it's easier to visually verify that all USB ports are epoxied than it is to verify that all internal USB connectors have been disconnected. Additionally, consider that many motherboards have rear USB ports directly soldered onto the motherboard, which would take far more effort and skill to disconnect than it would to just fill the port with epoxy.

> It would take two minutes for a stoned teenager to pop-open the case and plug in his own USB connector into the header in this scenario. Less time for a determined attacker.

An attacker who has broken into the government building is not the person who this is intended to guard from. It is intended to guard from employees accidentally inserting compromised USB devices into their computers. If the attacker is opening your computer case, they have many more options than USB ports for delivering an exploit payload. Though it's also very likely that these cases are also physically locked and have case intrusion detection enabled. Not that those protections are particularly difficult to get around either. This may also even help IT avoid support phone calls from users saying "hey, how come my USB port doesn't work?" where epoxy in the ports shows some serious intent.

Additionally, in the case of a real attacker who has physically entered the building, and intends to deliver their payload by flash drive: formerly they could just waltz by some computer, pop a drive in, and walk away. Now they'd need to at the very least open the case, which at the very least makes it take slightly longer for them to deliver their payload, and is much more likely to draw suspicion.


Yeah, the curing time can vary from 1 minute (or even less) to several hours, depending on epoxy type. Now mix it with some filler to make putty (or just buy epoxy putty ready to use) and even the curing time is no longer critical.

Anyway, you know the discussion has gone down the rathole when you're debating the relative merits of epoxy recipes for securing computers. :)



