On Friday 17 October 2014 05:42:50 Peter Stuge did opine
And Gene did reply:
> Gene,
>
> Gene Heskett wrote:
> > I think the point they were trying to make is that the device
> > packager, who may not be the chip vendor, can put, if there is room
> > in its flashrom, a short command that would, on plugging it in,
> > cause the machine to silently go out on the net and become part of a
> > spam bot, or install a keylogger
>
> Please spend a bit of time studying that 1.1 spec you have, or
> actually I would recommend that you download the 2.0 spec instead:
>
> http://www.usb.org/developers/docs/usb_20_070113.zip

Interesting read, I will learn much I think, thank you. But I haven't
finished it yet.

Using okular to read what appears to be the main pdf (650 pages), it died
and showed only blank but framed pages at about 150 pages into it. So I
went into its menus and set it for aggressive memory use since I have
8Gb, and this 3.16.0 kernel is a 32 bit PAE enabled build. That enabled
it to display about 125 more pages, then went back to blank pages.

Deciding to quit it and try acroread, it took down every bash shell on
the machine when I quit it! So I rebooted, but they were not restored on
the reboot, so I had to restart all of my normally used shells by hand.
That takes about 20 minutes because update-manager needed a run on all 3
machines that are live on my local network on a 24/7 basis. jre/icetea &
tzdata related stuff this time.

>
> Spend most of your time with chapters 5, 8 and 9.
>
> Then spend time studying the EHCI spec. It teaches how the host
> controller is programmed by the operating system.
>
> It should become clear that what you describe just isn't possible.
>
> Not everything that is published (on internet or elsewhere) is
> actually correct.
>
> > > What needs to be "fixed"?
> >
> > The procedure to update that firmware.
>
> > if when it is plugged in, it goes out and installs a keylogger, now
> > that is harming the user
>
> "goes out" is not an established term in USB. I'm afraid you're not
> making any sense.
>
>
> //Peter

I have bought keys that came with an autoexec.bat that looked like it was
going to install a keylogger already installed. So the threat, at least
to an M$ box, is there. But that's not how this exploit was described.

Maybe this is only a potential problem on an M$ box? At the least, it
needs a YMMV warning.

Thanks for the link Peter, it was appreciated. Now of course, it's up to
me to understand it since I have reached that age where short term memory
is not always infallible, 80, so I have the missus make grocery lists on
dead tree sheets. :)

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS