On Friday 17 October 2014 05:23:10 Greg KH did opine
And Gene did reply:
> On Fri, Oct 17, 2014 at 05:01:51AM -0400, Gene Heskett wrote:
> > On Friday 17 October 2014 03:48:48 Greg KH did opine
> >
> > And Gene did reply:
> > > On Thu, Oct 16, 2014 at 08:18:26PM -0400, Gene Heskett wrote:
> > > > On Thursday 16 October 2014 18:28:16 Greg KH did opine
> > > >
> > > > And Gene did reply:
> > > > > On Thu, Oct 16, 2014 at 06:12:48PM -0400, Gene Heskett wrote:
> > > > > > Is there a move afoot to write a checker utility that
> > > > > > determines if the usb device it's pointed at is vulnerable,
> > > > > > and can therefore be reliably blacklisted?
> > > > >
> > > > > What do you mean by a "vulnerable" USB device?
> > > >
> > > > Thanks for the reply, Greg.
> > > >
> > > > There is an exploitable error in the usb hardware/firmware, one
> > > > that nearly 100% of the devices have.
> > >
> > > No there isn't, it's a specific design of the device, we have had
> > > devices like this since the 1990's.  This is nothing new at all,
> > > and nothing that is a problem.
> > >
> > > > No one ever gave security a second's thought when writing the usb
> > > > std.
> > >
> > > As one who helped write a tiny portion of the spec, that's not true
> > > at all.  If you have specifics, I would be glad to discuss them.
> >
> > I have a copy of the 1.1 specs, before they put it behind a paywall.
> > I am glad you did have a small hand in it, thanks.
>
> There is no "paywall" for USB specs.  All specs are "backwards
> compatible", so the latest 3.0 spec has all of the 1.1 stuff in it as
> well.  It's just more stuff to wade through :)
>

I last looked about a year ago.  The only link Google could find was
behind a $25,000 paywall because you had to join the consortium to access
it.  I was upset.  OTOH I am not even the dot at the end of a sentence in
the grand scheme of monetizing something.  I'd be grateful for a URL to
the pdf.

> > > > As described it is both hardware and firmware that will need to
> > > > be addressed for an effective fix.
> > >
> > > What needs to be "fixed"?
> >
> > The procedure to update that firmware.
>
> That's vendor-specific, and again, isn't a big deal at all.  I even
> helped create the spec that allows that to happen in a standard way.
> Linux supports that quite well.
>
> > > > See:
> > > >
> > > > <http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/>
> > > >
> > > > for an explanation much better than I seem to be doing.  It went
> > > > live yesterday.
> > >
> > > The only thing that is "new" is the fact that some people thought
> > > that the firmware of a USB device could not be changed to work
> > > like something else.  Again, that's never been true, and is
> > > nothing that "hurts" the operating system.
> >
> > Agreed, but if when it is plugged in, it goes out and installs a
> > keylogger,
>
> Wait, how can a USB device "install a keylogger"?  If that happens,
> then that is a bug in the kernel.  And yes, we did have a few bugs in
> that area in the past, specifically we fixed them over the past year,
> but that's a totally different thing than allowing the firmware of a
> device to be changed.

Good, someone saw the possibilities then.  Thanks.

> >
> > now that is harming the user even if the code to do it is 100%
> > nicely written legal code.
>
> Again, there should never be a way for a USB device to arbitrarily
> execute code on your processor.  That's not part of the USB spec, and
> does not happen on Linux at all.  If it does, please let us know and it
> will be fixed.  So far, none of the "BadUSB" stuff actually does this,
> so that is not an issue.
>

Good.

> Beware of the press around this issue, it's very confusing, and
> incorrect.  This has been discussed in detail on the oss-security
> mailing list a few months ago if you are interested and want to go read
> the archives.

Not at 05:30 local time, but perhaps later today.

> thanks,
>
> greg k-h

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS