P
Paul
Paul said:
s/OTP/OTG
OTG = On The Go
Helps to sound them out, before posting
Paul
BadUSB security flaw (massive undetectible USB reprogramming vulnerability)
s/OTP/OTG
OTG = On The Go
Helps to sound them out, before posting
Paul
M
Mike Barnes
John said:
That could be because if the OS were to ask first, the user would have
no way of answering.
S
Shadow
I plugged a USB Sony camera into my PC, and it installed a
load of crap. Had to restore from a backup.
I have all autoruns turned OFF.
Windows XP updated to SP3. Probably that's why I noticed it, I
don't have the latest "security patches".
[]'s
G
Gene E. Bloch
Let's hope that Ron doesn't see your edit command
J
John Hasler
Gene said:
Mike said:
The point is that there is no good reason for it to accept any keyboards
after the first without getting permission from the user. The few users
who intentionally connect a second keyboard will know what to do.
P
Paul
Gene said:Let's hope that Ron doesn't see your edit command
Yes, it probably should have been s/OTP/OTG/g or something
Somewhere, a secret agent is trying to break our "code"
Paul
W
William Unruh
And from what I read, they can reporgram the flash drive to present
itself as a keyboard to the computer, and the firmware can then type in
commands to your machine.
W
William Unruh
The firmware is always run. autorun is for running programs in the
memory of the flash drive. Firmware is for running the base
instractions of the device and is always run. That as I understand it is
why this is considered such a serious problem.
W
William Unruh
But since the OS has no way of knowing this is a bugged device, why
would it refuse, eg to connect a keyboard?
The OS would need a HUGE list of the devices, and the firmware could
simply pretend to be one of them. The only way the OS knows what the
characteristics is of the device is by saking the firmware to report.
J
J. P. Gilliver (John)
bob mullen said:
(I always rate less anything written by anyone who uses the word
"dubbed" [other than when describing a knighting!], but let's assume
that's just the journalist.)
The size of that list has a whiff of FUD-spreading about it.
While not denying that some may be reprogrammable, I very much doubt all
are: certainly I'd be surprised if, say, the USB hub or card reader I
might buy at the poundshop/99p store would have such.
That's not to say - especially if your tinfoil hat is in good order -
that the _non_-reprogrammable firmware in such devices might not have
been _manufactured_ with such in it - though I personally don't think
I'm going to worry about it yet.
J
J. P. Gilliver (John)
Vanguard and cranky were talking about the autorun option; I agree withWilliam Unruh said:
them that this should be _off by default_, maybe with a one-time prompt
for the first time the user inserts something with an autorun.
[Actually, the one-time could offer "disable", "always allow (not
recommended)", and "always ask".]
Turning off autorun will not, I'm pretty sure, stop a keyboard being
recognised.
[]
1. True (or not, see 2), but something else (a camera, card reader, ...)??? It is a keyboard. What harm could there be in a keyboard?
could present itself as two devices - what you think it is, _and_ a
keyboard, and then "type" things into the computer.
2. Even a keyboard could (in theory!) have its controller hacked to do
more than you expect (such as type more than you are typing).
J
J. P. Gilliver (John)
Gene Wirchenko said:
Indeed; it would be better with tickboxes (default off of course). (The
multilevel you describe done with indents, the indented ones being
greyed out until the top one is enabled.)
Note: Gene is very unusual - actually, I'd say possibly unique! - in
posting posts that _don't_ have any extra (and IMO spurious) blank lines
at the end! (I think even my software adds one [before the separator I
mean]!)
M
Mike Barnes
John said:
Oh, I thought the point was that the first keyboard and mouse should be
accepted automatically, so I gave what I thought was a plausible reason
for that.
But let's say that subsequent keyboards and mice (mouses?) required
confirmation from the user. Now, my bluetooth dongle suddenly stops
communicating with my keyboard and mouse. So I get a replacement. What next?
Just playing devil's advocate. I hope there's a good answer.
J
J. P. Gilliver (John)
In message <[email protected]>, Mike Barnes
the acceptance came from the new keyboard.
But then it occurred to me that whatever the system prompts for, any
black had pseudo-keyboard could send - i. e. it could appear as a second
keyboard, then "type" a Y!
The way round that would be for the OS to say "a second keyboard has
been detected - type # on it to enable it", where # was _a random key_
(and the OS only looked at the _first_ key sent from any such to stop it
just sending all of them). But that sounds too complex.
I like playing devil's advocate too, and the challenge you raised! I
think my answer works. (Especially if it prompted for a combination.)
I was going to say that it still would be prompting the user, even if
the acceptance came from the new keyboard.
But then it occurred to me that whatever the system prompts for, any
black had pseudo-keyboard could send - i. e. it could appear as a second
keyboard, then "type" a Y!
The way round that would be for the OS to say "a second keyboard has
been detected - type # on it to enable it", where # was _a random key_
(and the OS only looked at the _first_ key sent from any such to stop it
just sending all of them). But that sounds too complex.
I like playing devil's advocate too, and the challenge you raised! I
think my answer works. (Especially if it prompted for a combination.)
J
John Hasler
William said:
Because it already connected to one keyboard when it booted.
J
John Hasler
Mike said:
You reboot.
J
John Hasler
Mike said:
But of course if you are using Bluetooth to connect your keyboard you
oviously don't care about security anyway.
D
David W. Hodgins
A usb controller is a pci device, so has dma access.
Regards, Dave Hodgins
J
John Hasler
David said:
A controller does. A device plugged into it does not, any more than
does a device at the other end of an ethernet cable.
P
pjp
What about these "U3" USB devices? Seems to me I returned an external
hard disk because it would automatically install some type of device
driver to control encoding backup data to the disk using the software
included on the disk when purchased. There was also some kind of
partition on the drive would show as a cd drive presumably so it
couldn't be written to. Windows would automatically load a driver off
this "cd" regardless of the "Auto Insert" setting.