Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Aug 2014 08:18:21 -0700
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On Fri, Aug 08, 2014 at 07:00:00PM +0400, gremlin@...mlin.ru wrote:
> That means, every device after being detected by the system must
> be explicitly activated by some human activity. Yes, users may
> and, most likely, will be fooled to do that (as they are fooled
> to connect the attacker's device), but this activation will at
> least make the use of untrusted devices more difficult.

How can I activate a USB keyboard (the only input device attached to the
system), with the USB keyboard that I plugged into it?

Fun times...

Again, fix the real problem here, if there is one, don't try to throw
"is this device ok to use" dialogs up, they just annoy people and don't
do anything.

Oh, and if you want, you can disable all USB devices on your Linux
system by default, and only "authorize" them explicitly if you
programatically think they should be enabled.  We have had support in
the kernel for that for years now, but very few people actually use it.

So the tools to do this are already there, why aren't you using them? :)

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.