|
Date: Fri, 8 Aug 2014 06:36:12 -0700 From: Greg KH <greg@...ah.com> To: oss-security@...ts.openwall.com Subject: Re: BadUSB discussion On Fri, Aug 08, 2014 at 02:20:21PM +0300, Dan Carpenter wrote: > I'm surprised we haven't had any discussion about the recent BadUSB > articles. > > http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/ > http://security.stackexchange.com/questions/64524/how-to-prevent-badusb-attacks-on-linux-desktop > > We could put a popup if there is a second keyboard attached to check > that the person controlling the existing keyboard is aware of the second > one. "popup" where? Multi-seat machines wouldn't like that very much, as would yubikeys (as was pointed out), or a raft of other USB devices that export a keyboard device for the buttons they control (video cameras, external speakers, barcode scanners, etc.) > The attack looks like someone who says, "Can you copy some files from > my USB flash drive which?" (not knowing it is infected) and then there > is a popup, "This newly inserted USB device is trying to type commands, > is that ok? y/N?". Shoudn't we just ensure that copying "bad" files to a location they shouldn't be at is the thing to protect from instead? This isn't a USB thing explicitly at all, there have been loads of devices out there that do this type of thing for a while (can't remember the name, one is programmable to do this very thing with lots of fun scripts that come with it). Oh, and we should also ensure that if you plug in a "malformed" USB device, we don't crash the kernel, like we have in the past, hopefully all bugs there are now addressed, many thanks to Kees for that work. thanks, greg k-h
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.