Date: Sat, 09 Aug 2014 19:42:21 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

Probably because nobody cares; this is all old. USB, like every
hardware standard, is a disaster from a security point of view.
Covered this kind of thing back in 2012:

http://www.linuxpromagazine.com/content/download/65948/521578/version/1/file/040-041_kurt.pdf

Back when I had hair.. *sob*.

On 08/08/14 05:20 AM, Dan Carpenter wrote:
> I'm surprised we haven't had any discussion about the recent
> BadUSB articles.
> 
> http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
> 
> http://security.stackexchange.com/questions/64524/how-to-prevent-badusb-attacks-on-linux-desktop
> 
> We could put a popup if there is a second keyboard attached to
> check that the person controlling the existing keyboard is aware of
> the second one.
> 
> The attack looks like someone who says, "Can you copy some files
> from my USB flash drive which?" (not knowing it is infected) and
> then there is a popup, "This newly inserted USB device is trying to
> type commands, is that ok?  y/N?".
> 
> regards, dan carpenter
> 

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
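
The check proposed in the quoted message (ask before a newly attached device is allowed to act as a keyboard) could start from the interface classes Linux exposes in sysfs. This is an added example, not part of the original thread or of any project's code; the function names, the allowlist keyed by port name, and the sample tree are assumptions made for illustration.

```python
import os

HID, MASS_STORAGE = 0x03, 0x08      # USB bInterfaceClass codes
BOOT_KEYBOARD = (0x01, 0x01)        # bInterfaceSubClass, bInterfaceProtocol
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def _read_hex(path):
    with open(path) as fh:
        return int(fh.read().strip(), 16)

def scan_usb(sysfs_root="/sys/bus/usb/devices"):
    """Map each USB device (port name) to the interface classes it exposes."""
    devices = {}
    for entry in sorted(os.listdir(sysfs_root)):
        if ":" not in entry:        # "1-2" is a device, "1-2:1.0" an interface
            continue
        try:
            cls, sub, proto = (_read_hex(os.path.join(sysfs_root, entry, f)) for f in FIELDS)
        except (OSError, ValueError):
            continue                # interface vanished or attribute unreadable
        dev = devices.setdefault(entry.split(":")[0], {"classes": set(), "keyboard": False})
        dev["classes"].add(cls)
        dev["keyboard"] |= cls == HID and (sub, proto) == BOOT_KEYBOARD
    return devices

def needs_confirmation(devices, approved):
    """Return {device: reason} for input-capable devices the user has not approved."""
    flagged = {}
    for name, dev in devices.items():
        if name in approved or HID not in dev["classes"]:
            continue
        if MASS_STORAGE in dev["classes"]:
            flagged[name] = "storage device also exposes an input interface"
        elif dev["keyboard"]:
            flagged[name] = "additional keyboard"
        else:                       # non-boot HID can still inject input
            flagged[name] = "unapproved HID interface"
    return flagged

def build_sample_tree(root):
    """Constructed sysfs-like tree: built-in keyboard, plain stick, stick + keyboard."""
    sample = {"1-1:1.0": "030101", "1-2:1.0": "080650",
              "1-3:1.0": "080650", "1-3:1.1": "030101"}
    for iface, code in sample.items():
        os.makedirs(os.path.join(root, iface))
        for i, field in enumerate(FIELDS):
            with open(os.path.join(root, iface, field), "w") as fh:
                fh.write(code[2 * i:2 * i + 2] + "\n")
    return root
```

The descriptors are supplied by the device itself, so this only identifies what a device claims to be; the decision to bind the input driver still has to be enforced by the host.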
