oss-sec mailing list archives

Re: BadUSB discussion


From: gremlin () gremlin ru
Date: Fri, 8 Aug 2014 20:09:53 +0400

On 08-Aug-2014 08:18:21 -0700, Greg KH wrote:

>> That means, every device after being detected by the system must
>> be explicitly activated by some human activity. Yes, users may
>> and, most likely, will be fooled to do that (as they are fooled
>> to connect the attacker's device), but this activation will at
>> least make the use of untrusted devices more difficult.
>
> How can I activate a USB keyboard (the only input device attached
> to the system), with the USB keyboard that I plugged into it?

I've mentioned this issue in the message you've replied to.
Possible solution could be whitelisting physical ports, but...

> Again, fix the real problem here, if there is one, don't try
> to throw "is this device ok to use" dialogs up, they just annoy
> people and don't do anything.

"Yes, yes, yes..." without reading the message. I know that.

> Oh, and if you want, you can disable all USB devices on your
> Linux system by default, and only "authorize" them explicitly
> if you programmatically think they should be enabled.  We have
> had support in the kernel for that for years now, but very few
> people actually use it.

I've faced that only once, and my solution was straightforward:
those two servers were running a kernel built with only basic
USB HID support (keyboard+mouse, IIRC) and without module load
support. That appeared to be quite enough.

> So the tools to do this are already there, why aren't you using
> them? :)

You could guess: sometimes I'm developing USB devices and have to
test them. That formed a good habit of connecting my devices to a
hub instead of directly to BB :-)


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
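
The kernel support mentioned in the quoted text above is exposed through the sysfs `authorized_default` and `authorized` attributes. As an added example (not part of the original message, and not a tool shipped with the kernel), this sketch combines it with the physical-port allowlist idea from the reply, so that a keyboard on a known port keeps working. `USB_SYSFS`, `ALLOWED_PORTS` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: default-deny USB with a physical-port allowlist.
# USB_SYSFS is overridable so the logic can be tried on a fake tree first.
USB_SYSFS="${USB_SYSFS:-/sys/bus/usb/devices}"
# Hypothetical allowlist of port paths (bus-port[.port...]) as named in sysfs.
# A device behind a hub needs the hub's own path listed as well.
ALLOWED_PORTS="${ALLOWED_PORTS:-1-1 1-2 1-2.3}"

# Make every host controller leave newly attached devices deauthorized.
usb_default_deny() {
    for hc in "$USB_SYSFS"/usb*; do
        [ -f "$hc/authorized_default" ] && echo 0 > "$hc/authorized_default"
    done
    return 0
}

# Succeeds when the given port path is on the allowlist.
port_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Authorize devices on allowlisted ports, deauthorize all others,
# and print one decision line per device.
usb_apply_allowlist() {
    for dev in "$USB_SYSFS"/[0-9]*-*; do
        name=${dev##*/}
        case $name in *:*) continue ;; esac   # skip interfaces (e.g. 1-1:1.0)
        [ -f "$dev/authorized" ] || continue
        if port_allowed "$name"; then
            echo 1 > "$dev/authorized"; echo "allow $name"
        else
            echo 0 > "$dev/authorized"; echo "deny  $name"
        fi
    done
    return 0
}

# Only touch the real system when asked to (requires root).
if [ "${1:-}" = "--apply" ]; then
    usb_default_deny
    usb_apply_allowlist
fi
```

The decision is keyed on the port path only, so it says nothing about what the device plugged into an allowlisted port claims to be.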

