Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 08 Aug 2014 09:56:34 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On 08/08/2014 07:58 AM, Florian Weimer wrote:
> On 08/08/2014 01:20 PM, Dan Carpenter wrote:
>> We could put a popup if there is a second keyboard attached to check
>> that the person controlling the existing keyboard is aware of the second
>> one.
> 
> Wouldn't this make using Yubikeys quite inconvenient?

It sure would.

And if the popup were modal/blocking (i.e. if it refused to connect the
new device until the user agreed to it), which is the safest approach on
a single-seat system, it causes another issue: if the user's HID devices
are failing, and they're plugging in a new keyboard specifically to work
around their failed hardware, there would be no way to dismiss the
popup/grant permissions on the new device.

You could have a more nuanced approach, though, to improve things at
least for a machine used regularly.

For example, you could register keyboards by serial number with the
system, and have an allowlist that wouldn't cause modal blocking.  This
would handle the yubikey case, and potentially also the failing HID
case, if the user had cleared the secondary kbd before the primary failed.

You could also avoid the popup if the system doesn't detect *any* actual
HID device plugged in, to solve the problem of a machine that booted
with no devices available.

But please remember that a second keyboard is only one vector of attack.
 There are other user-interface devices and other system hardware that
can be emulated by a sufficiently devious USB device.

The same thing goes, of course, for PCI devices, disks, CPUs,
expressCards (or whatever they're called today), firewire, RAM, etc. all
of which are becoming more hot-pluggable on modern hardware.

A well-thought-out system-wide policy of what to do on device hotplug
might be useful, with a set of standard profiles (single-seat personal
desktop (laptop), server, multi-seat desktop) to encourage sane behavior
by default.  I have no idea what form such a policy might take, though.

	--dkg


Download attachment "signature.asc" of type "application/pgp-signature" (950 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.