Re: [PATCH] add ACLs to /dev/sgX nodes for CD-ROM

On 03/14/2011 11:41:09 AM, Kay Sievers wrote:
> On Mon, Mar 14, 2011 at 17:33, Harald Hoyer <harald@xxxxxxxxxx> 
> > Oh! You don't want to do this... Won't this allow ordinary users to
> > flash a new firmware, opening some security issues here?

> Do we really not want that? Locally logged-in users could put glue
> in the tray too. :)

Has this been thought through?

Glue in the tray is a simple denial of service attack,
and one that affects but a single system component.
Flashing firmware, in theory at least, opens the door to 
installing malware right into the firmware and enables
all sorts of ugly possibilities starting with malware that
runs before the boot process even gets going,
can't be detected by scanning the drive, and can't be removed by
wiping the hard drive and power cycling. It sounds scary if
an ordinary user, especially one not sitting next to
the box, can install such malware without any other
sort of privilege escalation.


Karl <kop@xxxxxxxx>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
