On Thu, Oct 16, 2014 at 08:18:26PM -0400, Gene Heskett wrote: > On Thursday 16 October 2014 18:28:16 Greg KH did opine > And Gene did reply: > > On Thu, Oct 16, 2014 at 06:12:48PM -0400, Gene Heskett wrote: > > > Is there a move afoot to write a checker utility that determines if > > > the usb device its pointed at is vulnerable, and can therefore be > > > reliably blacklisted? > > > > What do you mean by a "vulnerable" USB device? > > Thanks for the reply, Greg. > > There is an exploitable error in the usb hardware/firmware, one that > nearly 100% of the devices have. No there isn't, it's a specific design of the device, we have had devices like this since the 1990's. This is nothing new at all, and nothing that is a problem. > No one ever gave security a seconds thought when writing the usb std. As one who helped write a tiny portion of the spec, that's not true at all. If you have specifics, I would be glad to discuss them. > As described it is both hardware and firmware that will need to be > addressed for an effective fix. What needs to be "fixed"? > See: > > <http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/> > > for an explanation much better than I seem to be doing. It went live > yesterday. The only thing that is "new" is the fact that some people thought that the firmware of a USB device could not be changed to work like something else. Again, that's never been true, and is nothing that "hurts" the operating system. thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
