That was the premise of Darren Kitchen and Shannon Morse’s opening keynote at this year’s AusCERT conference. The conference was attended by over 700 delegates from nine countries, and the pair held the audience in their thrall as they discussed how the intersection of convenience and trust has enabled threat actors to break into systems and access data.
Morse and Kitchen are the co-hosts of Hak5, which they say is the world’s longest running infosec podcast. “Everybody loves trust,” said Morse. “And the other thing everybody loves and wants to take advantage of is convenience”.
Morse and Kitchen decided to take advantage of this at the recent RSA Conference held in San Francisco. This is one of the largest security events in the world with over 45,000 attendees and hundreds of vendors. They did a sneaky USB drop, placing 100 of Hak5’s Rubber Ducky USB devices.
The Rubber Ducky is a USB device developed by Kitchen that demonstrates how trust and convenience are the tools of the hacker trade. Although it looks like a normal USB thumb-drive, the Rubber Ducky pretends to be a keyboard when connected to a computer. It emulates the Human Interface Device profile for USB devices. That means it can be programmed to type commands when connected to a computer.
In a video demonstration, Kitchen showed how, in just 15 seconds, it was possible to connect a Rubber Ducky into an unlocked computer in a bank and transfer funds completely undetected. To the operating system, which is hard coded to automatically trust keyboards, it looks like someone has plugged in a keyboard and is typing. But the Rubber Ducky is executing commands programmed by its owner. And with USB drives being so convenient, it plays on the user’s desire to use a device that works easily.
Morse walked through the RSA Conference, depositing Rubber Duckys in attendee swag bags, at booths giving away thumb drives and other drops.
The stats on how many devices were plugged in were staggering – and remember, this was at a conference filled with infosec professionals. Of the 100 drives they deposited, there were 162 executions from 62 unique IP addresses. Drives were plugged in from five different countries over a 65-day period. The payload on the devices was not damaging – it simply directed people to a website with some advice on safe USB flash drive use.
When I spoke with Kitchen after the keynote address, he mentioned his revelation of this USB drop, during his AusCERT keynote, was the first the conference organisers knew of the prank.
This led Morse and Kitchen to what they called the “danger of ubiquity”. As flash drives have fallen in price and become more reliable, they are still an ideal threat vector. Despite warnings and “best practice” guides that instruct users to encrypt drives, not plug in strange devices and to treat these devices with a low level of trust, they continue to be a major weapon for cyber-criminals.
Of course, machine-to-machine trust isn’t the hacker’s only weapon. Social engineering, where human trust relationships are exploited, is also part of the threat actor’s arsenal. Kitchen said “We learned this as kids, to manipulate our parents. It’s like a hard-coded human attack”.
It isn’t a question of intelligence, added Morse. It’s that we are conditioned to behave in specific ways and it’s possible for those conditioned responses to be used against us. “It means we need to change the way we think,” added Morse.
One of the challenges is that many of the systems we use, particularly on smartphones and tablets, are locked down and we have been trained to think they know best. And because humans rely on these devices and trust them, they can be manipulated through the trust and convenience we expect from technology today. “It’s about telling the right lie,” said Kitchen.
Kitchen and Hak5 have not rested on their laurels. Following the success of the Rubber Ducky, he has expanded his product portfolio with the Bash Bunny (https://wiki.bashbunny.com/#!index.md). Unlike the Rubber Ducky, which lies through using the HID interface to a computer, the Bash Bunny can emulate other interfaces such as wireless networks, gigabit Ethernet, serial and flash storage. In other words, it’s better at lying and exploiting the bridge between trust and convenience.