Date: Fri, 8 Aug 2014 12:40:40 -0700
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On Fri, Aug 08, 2014 at 10:27:16PM +0400, (GalaxyMaster) wrote:
> Alexey,
> 
> On Fri, Aug 08, 2014 at 09:57:49PM +0400, gremlin@...mlin.ru wrote:
> > On 08-Aug-2014 09:21:02 -0700, Greg KH wrote:
> >  > That doesn't prevent any other USB HID device from being plugged
> >  > in and instantly working. Which again, you can prevent if you
> >  > want to, but no one seems to do that...
> > 
> > Hmmm... To avoid possible confusion: that was CONFIG_USB_KBD - 
> > "USB HIDBP Keyboard (simple Boot) support", and CONFIG_USB_HID
> > was turned off.
> 
> I think Greg was referring to the kernel's feature of controlling power on
> USB ports (e.g. you can just switch off power for a port and nothing you
> insert there will have a chance to work until you instruct the kernel to
> switch the port back on).

No, that is one option (note, it doesn't work for all hardware.)  I was
referring to the "authorized_default" option the USB core provides.  You
can set it to be:
	 0 - all devices plugged in are not authorized
	 1 - all devices plugged in are automatically authorized
	-1 - all devices plugged in are automatically authorized,
	     except for wireless USB devices, which have to be
	     explicitly authorized.

-1 is the default value.

If you set it to 0, you can look at the device, but no driver can bind
to it until you authorize it (through a sysfs file) and then it can work
properly.

Paranoid systems should set the default to 0.

The option can be changed while the kernel runs, good idea to use -1 as
a default, boot up, all needed devices are found, then set it to 0 so no
new device can be plugged in (watch out, if you unplug and then plug, it
will not work, so power spikes that cause devices to drop off the bus
and come back can be a pain.)

thanks,

greg k-h
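
The procedure described in the message above (boot with the default, set authorized_default to 0, then authorize individual devices through sysfs), as an added example that is not part of the original post. The sysfs files are those of the kernel's USB authorization interface; the function names and the overridable SYSFS_USB variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lock down USB authorization once boot devices are present.
# Run as root. SYSFS_USB is overridable (assumption for this example) so the
# functions can be exercised against a mock directory tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Read a sysfs attribute, or print a fallback when it is absent.
read_attr() { if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi; }

# Write 0 to authorized_default on every host controller (usb1, usb2, ...):
# devices plugged in afterwards enumerate, but no driver binds to them.
# Prints the number of controllers changed.
lock_usb_hosts() {
    count=0
    for f in "$SYSFS_USB"/usb*/authorized_default; do
        [ -e "$f" ] || continue
        echo 0 > "$f" && count=$((count + 1))
    done
    echo "$count"
}

# List devices waiting for authorization as "<bus-name> <vid>:<pid> <product>".
# These strings are what the device reports about itself, so they are a
# claim to be checked by the operator, not proof of what the device is.
list_unauthorized() {
    for d in "$SYSFS_USB"/*; do
        name=$(basename "$d")
        case "$name" in *:*) continue ;; esac   # skip interface entries
        [ -f "$d/authorized" ] || continue
        [ "$(cat "$d/authorized")" = "0" ] || continue
        vid=$(read_attr "$d/idVendor" "????")
        pid=$(read_attr "$d/idProduct" "????")
        echo "$name $vid:$pid $(read_attr "$d/product" unknown)"
    done
}

# Authorize one device by bus name (e.g. 1-2) after an operator decision.
authorize_device() {
    f="$SYSFS_USB/$1/authorized"
    [ -f "$f" ] || { echo "no such device: $1" >&2; return 1; }
    echo 1 > "$f"
}
```

A device that drops off the bus and re-enumerates after `lock_usb_hosts` shows up in `list_unauthorized` again and needs `authorize_device` a second time.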
