Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers

On Tue, Nov 22, 2016 at 12:08 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
On Tue, 22 Nov 2016 13:00:19 +0100
Jeandet Alexis <alexis.jeandet@xxxxxxxxxxxxxx> wrote:

> On Tuesday, 22 November 2016 at 10:43 +0000, jharbold@xxxxxxxxxxx
> wrote:
> > I have opened a bug, 1396837, in the Red Hat Bugzilla.
> > My suggestion is for all USB ports to not enumerate any devices
> > plugged in while the screen is locked, even if it is password
> > protected.  I feel that the integrity of Linux has to be defended
> > against this hybrid attack.
> What about Yubikey and equivalents?

You might want to take a look at the 'usbguard' package.

I don't think everyone is likely to be happy to disable usb when
screens are locked, as there's a number of cases of things people might
want to keep going in that case.


I assume the OP's intent was for the system to ignore devices newly connected
when the screen is locked, so existing devices such as the keyboard used to
unlock the screen remain available for use. Apple systems do something like this.
If you connect a USB storage device to a macOS box while the screen is locked,
nothing happens. After the screen is unlocked, the device must be unplugged
and plugged in again before it can be used. You can, however, connect a
USB mouse or keyboard to a macOS system that is locked and use the new USB
device to unlock the system.


There is value to an approach that everyone can use with minimal effort/disruption
even if it is only partly effective.

 
However, if you use usbguard you can just allow those specific devices
you want to have access.

Usbguard also supports policies of the form "only one keyboard can be connected
to a system" and "storage devices can't also claim to be keyboards".  



--
George N. White III <aa056@xxxxxxxxxxxxxx>
Head of St. Margarets Bay, Nova Scotia
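
The usbguard policies mentioned in the message above, written as rules for `/etc/usbguard/rules.conf`. This is an added example, not part of the original thread: the rule forms follow the usbguard-rules.conf documentation, and the `1234:5678` device ID is a constructed placeholder.

```conf
# Added example, not from the thread. Rules are evaluated top to bottom and
# the first match wins. A device that matches no rule gets the daemon's
# ImplicitPolicyTarget (set in usbguard-daemon.conf).

# Allowlist one specific, known device by vendor:product ID.
# 1234:5678 is a constructed placeholder; substitute the ID of the
# device you actually want to permit (a security key, for example).
allow id 1234:5678

# "Only one keyboard can be connected to a system":
# allow a keyboard interface (HID class 03, protocol 01) only when no
# already-allowed device exposes a keyboard interface.
allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })

# "Storage devices can't also claim to be keyboards":
# a device exposing nothing but mass storage (class 08) is allowed ...
allow with-interface equals { 08:*:* }

# ... but mass storage combined with HID (03), wireless controller (e0)
# or communications (02) interfaces on the same device is rejected.
reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* }
reject with-interface all-of { 08:*:* e0:*:* }
reject with-interface all-of { 08:*:* 02:*:* }
```

Because the first matching rule decides, the storage-only `allow` must stay an `equals` match: a composite device falls through it and reaches the `reject` lines.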