Tiny USB business card

If you're interested in some of the security implications of this there were a few related talks from DEFCON18:<p>* <a href="https://www.defcon.org/html/links/dc-archives/dc-18-archive.html#Crenshaw" rel="nofollow">https://www.defcon.org/html/links/dc-archives/dc-18-archive....</a><p>* <a href="https://www.defcon.org/html/links/dc-archives/dc-18-archive.html#Elkins" rel="nofollow">https://www.defcon.org/html/links/dc-archives/dc-18-archive....</a><p>* <a href="https://www.defcon.org/html/links/dc-archives/dc-18-archive.html#Honeywell" rel="nofollow">https://www.defcon.org/html/links/dc-archives/dc-18-archive....</a><p>The upshot is that anything with a USB connector can be any device it wants to be--you have to trust any hardware you plug into your machine.

This made me realize that USB keys are not only dangerous because of Windows auto-run.<p>They could also emulate USB HUB with keyboard/mouse to send input required to run exploit off the drive and click through all UAC warnings.

I would take a pass on adding his information -<p><pre><code> Stuxnet was first detected in June by a security firm based in Belarus, but may have been circulating since 2009. Unlike most viruses, the worm targets systems that are traditionally not connected to the internet for security reasons. Instead it infects Windows machines via USB keys - commonly used to move files around - infected with malware.</code></pre>

First off, I think this is super cool. It's a novel and interesting take on a very boring but necessary concept, and he's taken the time to get the design looking nice as well -- he could easily have just soldered an attiny to a USB connector, and that wouldn't have had the same charm.<p>Secondly, it seems the security implications are very slightly more severe than one might think. The card only activates when you press caps lock three times. This means it must be able to receive key presses, as well as to send them. From my understanding of his description, keyboard HID devices which support the boot protocol profile also receive notification of key presses (<a href="http://frank.circleofcurrent.com/cache/usbbusinesscard_details.htm" rel="nofollow">http://frank.circleofcurrent.com/cache/usbbusinesscard_detai...</a> and search 'boot protocol'). So in theory this could record everything you typed, as well as do destructive things to your computer. And of course storage is not an issue as it's likely that the host is connected to the Internet.<p>It seems borderline paranoid to think like this w.r.t. someone's business card, though.

The actual page:<p><a href="http://www.frank-zhao.com/card/" rel="nofollow">http://www.frank-zhao.com/card/</a>

Anybody know how much these things cost once you order them in bulk?<p>Apparently you can get those business-card CDs for under a buck each if you order over a thousand. More sane quantities will probably run you $3/each.

In case anyone is interested, here's essentially the same idea from months ago:<p><a href="http://news.ycombinator.com/item?id=1435640" rel="nofollow">http://news.ycombinator.com/item?id=1435640</a><p>There was significant discussion from an even earlier submission: <a href="http://news.ycombinator.com/item?id=1377651" rel="nofollow">http://news.ycombinator.com/item?id=1377651</a><p>It was also submitted again, but with no discussion: <a href="http://news.ycombinator.com/item?id=1383888" rel="nofollow">http://news.ycombinator.com/item?id=1383888</a>

This is a slightly older card with a lot more interesting stuff on it than a text file:<p><a href="http://t4f.org/en/projects/business-card" rel="nofollow">http://t4f.org/en/projects/business-card</a>