Re: [gentoo-user] Linux USB security holes.
You can forward your USB controllers to a VM or disable them in the BIOS.

It is very easy to rewrite a USB drive's firmware via another virus on a poorly secured different computer, so this doesn't really need physical access. Not that it would be difficult to simply have someone cause a scene and then have someone else walk by and insert a drive into your laptop for a few seconds while you were distracted, if you were a high-profile target (politician, CEO, lawyer, etc.).
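For the suggestion above of forwarding USB controllers to a VM, the following is an added example and not part of the original message. It lists the PCI USB host controllers with their bound driver and IOMMU group, since every device in a group has to be handed to the VM together. The optional sysfs root argument is an assumption made here so the function can be run against a constructed tree.

```sh
#!/bin/sh
# Added example: enumerate PCI USB host controllers as passthrough candidates.
# Usage: list_usb_controllers [sysfs_root]   (default: /sys)
# Output per controller:
#   <pci-addr> <type> driver=<name|none> iommu_group=<n|none> group_devices=<count>
list_usb_controllers() {
    root="${1:-/sys}"
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/class" ] || continue
        class=$(cat "$dev/class")
        # PCI class 0x0c = serial bus, subclass 0x03 = USB, last byte = prog-if.
        case "$class" in
            0x0c0300) type=UHCI ;;
            0x0c0310) type=OHCI ;;
            0x0c0320) type=EHCI ;;
            0x0c0330) type=xHCI ;;
            0x0c03*)  type=USB-other ;;
            *) continue ;;
        esac
        # The host driver currently bound (it must be released before passthrough).
        if [ -L "$dev/driver" ]; then
            drv=$(basename "$(readlink "$dev/driver")")
        else
            drv=none
        fi
        # IOMMU group: "none" means the IOMMU is off or unsupported,
        # so the controller cannot be isolated for a VM.
        grp=none
        n=0
        if [ -L "$dev/iommu_group" ]; then
            grp=$(basename "$(readlink "$dev/iommu_group")")
            for peer in "$dev"/iommu_group/devices/*; do
                if [ -e "$peer" ]; then n=$((n + 1)); fi
            done
        fi
        echo "$(basename "$dev") $type driver=$drv iommu_group=$grp group_devices=$n"
    done
}

list_usb_controllers "$@"
```

A group_devices value above 1 means the controller shares its IOMMU group with other devices and cannot be forwarded on its own.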
Re: [gentoo-user] Linux USB security holes.
On 08/11/2017 07:08, Dale wrote:
> Howdy,
>
> I ran up on this link. Is there any truth to it and should any of us
> Gentooers be worried about it?
>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>
> Isn't Linux supposed to be more secure than this??

I would say the real problem is USB itself. What is USB after all? It's a way of sticking any old random thing into a socket and getting the computer to magically do stuff. So if the system software then goes ahead and does stuff, it's only really operating as designed and as spec'ed right?

Yes, those 40 holes are probably all true and quite possibly all exploitable, and they should also be fixed. But the real problem is that USB even exists at all.

btw, when you say "Isn't Linux supposed to be more secure than this??" the answer is a resounding NO

The Linux=safe, Windows=notsafe delusion comes from the 90s when Windows had no real security features at all, or even any realistic ways to limit and control access. Linux had a Unix-style userland and kernel, so you automatically got multi-user/multi-process with per-user permissions. That alone, by itself, is probably the largest single security advance in all of computing history. Everything else is icing.

There is nothing in Unix really that is "secure by design", and all von Neumann machines are actually insecure by design

--
Alan McKinnon
alan.mckin...@gmail.com
Re: [gentoo-user] Linux USB security holes.
There's an old saying: The only secure computer is one that is locked in a room, unplugged. Then again, that computer is only as secure as the lock on the door.

On Wednesday, November 8, 2017, 1:48:43 AM EST, R0b0t1 wrote:

On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1 wrote:
> On Wed, Nov 8, 2017 at 12:02 AM, Dale wrote:
>> Dale wrote:
>>> Howdy,
>>>
>>> I ran up on this link. Is there any truth to it and should any of us
>>> Gentooers be worried about it?
>>>
>>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>>
>>> Isn't Linux supposed to be more secure than this??
>>>
>>> Dale
>>>
>>> :-) :-)
>>>
>>
>>
>> To reply to all that posted so far. I did see that it requires physical
>> access, like a lot of other things. Once a person has physical access,
>> there are a number of things that can go wrong.
>>
>> It does seem to be one of those things that while possible, has anyone
>> been able to do it in the real world and even without physical access?
>> Odds are, no.
>>
>
> The most widely publicized example is STUXNET. There are also reports
> that malicious USB keys with driver-level exploits are sometimes used
> for industrial espionage.
>
> The key point being that in either case, someone is spending a lot of
> money to research and set up a plausible attack.
>
>> Still, all things considered, Linux is pretty secure. BSD is more
>> secure from what I've read but Linux is better than windoze.
>>
>> Dale
>>
>> :-) :-)
>>

I suppose I should add that once the basic work has been done for an exploit like this it will have great reproducibility. But at that level you are (usually) talking about very well funded actors, and one should also be worried about controller-level exploits that would be much harder to discover from an operating system.

If you can't surround your computer with trustworthy armed guards, assume you suffer from a serious vulnerability based on the preliminary work the article is talking about.

Rainbows and Sunshine,
R0b0t1
Re: [gentoo-user] Linux USB security holes.
R0b0t1 wrote:
> On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1 wrote:
>> On Wed, Nov 8, 2017 at 12:02 AM, Dale wrote:
>>> Dale wrote:
>>>> Howdy,
>>>>
>>>> I ran up on this link. Is there any truth to it and should any of us
>>>> Gentooers be worried about it?
>>>>
>>>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>>>
>>>> Isn't Linux supposed to be more secure than this??
>>>>
>>>> Dale
>>>>
>>>> :-) :-)
>>>
>>> To reply to all that posted so far. I did see that it requires physical
>>> access, like a lot of other things. Once a person has physical access,
>>> there are a number of things that can go wrong.
>>>
>>> It does seem to be one of those things that while possible, has anyone
>>> been able to do it in the real world and even without physical access?
>>> Odds are, no.
>>>
>> The most widely publicized example is STUXNET. There are also reports
>> that malicious USB keys with driver-level exploits are sometimes used
>> for industrial espionage.
>>
>> The key point being that in either case, someone is spending a lot of
>> money to research and set up a plausible attack.
>>
>>> Still, all things considered, Linux is pretty secure. BSD is more
>>> secure from what I've read but Linux is better than windoze.
>>>
>>> Dale
>>>
>>> :-) :-)
>>>
> I suppose I should add that once the basic work has been done for an
> exploit like this it will have great reproducibility. But at that
> level you are (usually) talking about very well funded actors, and one
> should also be worried about controller-level exploits that would be
> much harder to discover from an operating system.
>
> If you can't surround your computer with trustworthy armed guards,
> assume you suffer from a serious vulnerability based on the
> preliminary work the article is talking about.
>
> Rainbows and Sunshine,
> R0b0t1
>

I've considered encrypting my stuff. I'm talking locked down from power up all the way through. Those who have been on this list a while and know me, they know that would be a disaster. If anything could go wrong with it, it would.

While I try to be secure, I'm not going nuts over it. I do lock my screen if I leave and sometimes even logout but I don't put hand grenades and other booby traps around it. Heck, if I did, I'd likely trip up and hurt myself. Ooops!!

I guess I'll just keep my top secret stuff in my head. ;-)

Dale

:-) :-)
Re: [gentoo-user] Linux USB security holes.
On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1 wrote:
> On Wed, Nov 8, 2017 at 12:02 AM, Dale wrote:
>> Dale wrote:
>>> Howdy,
>>>
>>> I ran up on this link. Is there any truth to it and should any of us
>>> Gentooers be worried about it?
>>>
>>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>>
>>> Isn't Linux supposed to be more secure than this??
>>>
>>> Dale
>>>
>>> :-) :-)
>>>
>>
>>
>> To reply to all that posted so far. I did see that it requires physical
>> access, like a lot of other things. Once a person has physical access,
>> there are a number of things that can go wrong.
>>
>> It does seem to be one of those things that while possible, has anyone
>> been able to do it in the real world and even without physical access?
>> Odds are, no.
>>
>
> The most widely publicized example is STUXNET. There are also reports
> that malicious USB keys with driver-level exploits are sometimes used
> for industrial espionage.
>
> The key point being that in either case, someone is spending a lot of
> money to research and set up a plausible attack.
>
>> Still, all things considered, Linux is pretty secure. BSD is more
>> secure from what I've read but Linux is better than windoze.
>>
>> Dale
>>
>> :-) :-)
>>

I suppose I should add that once the basic work has been done for an exploit like this it will have great reproducibility. But at that level you are (usually) talking about very well funded actors, and one should also be worried about controller-level exploits that would be much harder to discover from an operating system.

If you can't surround your computer with trustworthy armed guards, assume you suffer from a serious vulnerability based on the preliminary work the article is talking about.

Rainbows and Sunshine,
R0b0t1
Re: [gentoo-user] Linux USB security holes.
On Wed, Nov 8, 2017 at 12:02 AM, Dale wrote:
> Dale wrote:
>> Howdy,
>>
>> I ran up on this link. Is there any truth to it and should any of us
>> Gentooers be worried about it?
>>
>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>
>> Isn't Linux supposed to be more secure than this??
>>
>> Dale
>>
>> :-) :-)
>>
>
>
> To reply to all that posted so far. I did see that it requires physical
> access, like a lot of other things. Once a person has physical access,
> there are a number of things that can go wrong.
>
> It does seem to be one of those things that while possible, has anyone
> been able to do it in the real world and even without physical access?
> Odds are, no.
>

The most widely publicized example is STUXNET. There are also reports that malicious USB keys with driver-level exploits are sometimes used for industrial espionage.

The key point being that in either case, someone is spending a lot of money to research and set up a plausible attack.

> Still, all things considered, Linux is pretty secure. BSD is more
> secure from what I've read but Linux is better than windoze.
>
> Dale
>
> :-) :-)
>
Re: [gentoo-user] Linux USB security holes.
Dale wrote:
> Howdy,
>
> I ran up on this link. Is there any truth to it and should any of us
> Gentooers be worried about it?
>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>
> Isn't Linux supposed to be more secure than this??
>
> Dale
>
> :-) :-)
>

To reply to all that posted so far. I did see that it requires physical access, like a lot of other things. Once a person has physical access, there are a number of things that can go wrong.

It does seem to be one of those things that while possible, has anyone been able to do it in the real world and even without physical access? Odds are, no.

Still, all things considered, Linux is pretty secure. BSD is more secure from what I've read but Linux is better than windoze.

Dale

:-) :-)
Re: [gentoo-user] Linux USB security holes.
On 8 November 2017 06:08:21 GMT+01:00, Dale wrote:
>Howdy,
>
>I ran up on this link. Is there any truth to it and should any of us
>Gentooers be worried about it?
>
>http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>
>Isn't Linux supposed to be more secure than this??
>
>Dale
>
>:-) :-)

From what I read, you need physical access. And I am not certain what you need to do to the firmware on the USB device to trigger this.

--
Joost
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [gentoo-user] Linux USB security holes.
On Tue, Nov 7, 2017 at 11:08 PM, Dale wrote:
> Howdy,
>
> I ran up on this link. Is there any truth to it and should any of us
> Gentooers be worried about it?
>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>
> Isn't Linux supposed to be more secure than this??
>

In theory. There was no comment on the existence of such bugs in the Windows driver stack, but they likely exist. However, note:

"The impact is quite limited, all the bugs require physical access to trigger," said Konovalov. "Most of them are denial-of-service, except for a few that might be potentially exploitable to execute code in the kernel."

Which is typically what one should expect from bugs discovered by fuzzing. These are issues which should be fixed, but keep in mind that there has been (and still is) lots of kernel development that focuses on isolating the kernel from itself. The reporting of these bugs will likely be used to make those mechanisms even better.

To compare, here is an "exploit" discovered in a monitor: https://github.com/RedBalloonShenanigans/MonitorDarkly. The prerequisites include having debug access to the monitor's controller. Personally I am surprised this was presented at DefCon as it does not really seem appropriate. At least the articles covering the code should be reworded - it's exploiting the monitor almost the same way you can exploit a car by driving it.

More and more security releases are starting to look like the above, as the researchers and authors clamor for notability, which is increasingly hard to find. I think the article you found strikes a middle ground - the exploits are relevant in practice, but take a lot of work to use.

Cheers,
R0b0t1
Re: [gentoo-user] Linux USB security holes.
On Wed, Nov 8, 2017 at 4:08 PM, Dale wrote:
> Howdy,
>
> I ran up on this link. Is there any truth to it and should any of us
> Gentooers be worried about it?
>

It's sensible to think of anything that's been assigned a CVE number as real.

>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>
> Isn't Linux supposed to be more secure than this??

It is what it is.
[gentoo-user] Linux USB security holes.
Howdy,

I ran up on this link. Is there any truth to it and should any of us Gentooers be worried about it?

http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/

Isn't Linux supposed to be more secure than this??

Dale

:-) :-)