Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Aug 2014 20:09:53 +0400
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On 08-Aug-2014 08:18:21 -0700, Greg KH wrote:

 >> That means, every device after being detected by the system must
 >> be explicitly activated by some human activity. Yes, users may
 >> and, most likely, will be fooled to do that (as they are fooled
 >> to connect the attacker's device), but this activation will at
 >> least make the use of untrusted devices more difficult.
 > How can I activate a USB keyboard (the only input device attached
 > to the system), with the USB keyboard that I plugged into it?

I've mentioned this issue in the message you've replied to.
Possible solution could be whitelisting physical ports, but...

 > Again, fix the real problem here, if there is one, don't try
 > to throw "is this device ok to use" dialogs up, they just annoy
 > people and don't do anything.

"Yes, yes, yes..." without reading the message. I know that.

 > Oh, and if you want, you can disable all USB devices on your
 > Linux system by default, and only "authorize" them explicitly
 > if you programatically think they should be enabled.  We have
 > had support in the kernel for that for years now, but very few
 > people actually use it.

I've faced that only once, and my solution was straightforward:
those two servers were running a kernel built with only basic
USB HID support (keyboard+mouse, IIRC) and without module load
support. That appeared to be quite enough.

 > So the tools to do this are already there, why aren't you using
 > them? :)

You could guess: sometimes I'm developing USB devices and have to
test them. That formed a good habit of connecting my devices to a
hub instead of directly to BB :-)


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.