Re: [gentoo-user] Linux USB security holes.

2017-11-09 Thread taii...@gmx.com 

You can forward your USB controllers to a VM
OR
Disable them in the BIOS

It is very easy to re-write a USB drive firmware via another virus on a 
poorly secured different computer so this doesn't really need physical 
access not that it would be difficult to simply have someone cause a 
scene and then have someone else walk by and insert a drive in to your 
laptop for a few seconds while you were distracted if you were a high 
profile target (politician, ceo, lawyer etc)

Re: [gentoo-user] Linux USB security holes.

2017-11-08 Thread Alan McKinnon 
On 08/11/2017 07:08, Dale wrote:
> Howdy,
> 
> I ran up on this link.  Is there any truth to it and should any of us
> Gentooers be worried about it?
> 
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ 
> 
> Isn't Linux supposed to be more secure than this??



I would say the real problem is USB itself.

What is USB after all? It's a way of sticking any old random thing into
a socket and getting the computer to magically do stuff. So if the
system software then goes ahead and does stuff, it's only really
operating as designed and as spec'ed right?

Yes, those 40 holes are probably all true and quite possibly all
exploitable, and they should also be fixed. But the real problem is that
USB even exists at all.

btw, when you say "Isn't Linux supposed to be more secure than this??"
the answer is a resounding NO

The Linux=safe, Windows=notsafe delusion comes from the 90s when Windows
had no real security features at all, or even any realistic ways to
limit and control access. Linux had a Unix-style userland and kernel, so
you automatically got multi-user/multi-process with per-user
permissions. That alone, by itself, is probably the largest single
security advance in all of computing history. Everything else is icing.

There is nothing in Unix really that is "secure by design", and all von
Neumann machines are actually insecure by design


-- 
Alan McKinnon
alan.mckin...@gmail.com

Re: [gentoo-user] Linux USB security holes.

2017-11-08 Thread Martin DiViaio 
 There's an old saying: The only secure computer is one that is locked in a 
room, unplugged. Then again, that computer is only as secure as the lock on the 
door.


On Wednesday, November 8, 2017, 1:48:43 AM EST, R0b0t1  
wrote:  
 
 On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1  wrote:
> On Wed, Nov 8, 2017 at 12:02 AM, Dale  wrote:
>> Dale wrote:
>>> Howdy,
>>>
>>> I ran up on this link.  Is there any truth to it and should any of us
>>> Gentooers be worried about it?
>>>
>>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>>
>>> Isn't Linux supposed to be more secure than this??
>>>
>>> Dale
>>>
>>> :-)  :-)
>>>
>>
>>
>> To reply to all that posted so far.  I did see that it requires physical
>> access, like a lot of other things.  Once a person has physical access,
>> there are a number of things that can go wrong.
>>
>> It does seem to be one of those things that while possible, has anyone
>> been able to do it in the real world and even without physical access?
>> Odds are, no.
>>
>
> The most widely publicized example is STUXNET. There are also reports
> that malicious USB keys with driver-level exploits are sometimes used
> for industrial espionage.
>
> The key point being that in either case, someone is spending a lot of
> money to research and set up a plausible attack.
>
>> Still, all things considered, Linux is pretty secure.  BSD is more
>> secure from what I've read but Linux is better than windoze.
>>
>> Dale
>>
>> :-)  :-)
>>

I suppose I should add that once the basic work has been done for an
exploit like this it will have great reproducibility. But at that
level you are (usually) talking about very well funded actors, and one
should also be worried about controller-level exploits that would be
much harder to discover from an operating system.

If you can't surround your computer with trustworthy armed guards,
assume you suffer from a serious vulnerability based on the
preliminary work the article is talking about.

Rainbows and Sunshine,
    R0b0t1

Re: [gentoo-user] Linux USB security holes.

2017-11-07 Thread Dale 
R0b0t1 wrote:
> On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1  wrote:
>> On Wed, Nov 8, 2017 at 12:02 AM, Dale  wrote:
>>> Dale wrote:
 Howdy,

 I ran up on this link.  Is there any truth to it and should any of us
 Gentooers be worried about it?

 http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/

 Isn't Linux supposed to be more secure than this??

 Dale

 :-)  :-)

>>>
>>> To reply to all that posted so far.  I did see that it requires physical
>>> access, like a lot of other things.  Once a person has physical access,
>>> there are a number of things that can go wrong.
>>>
>>> It does seem to be one of those things that while possible, has anyone
>>> been able to do it in the real world and even without physical access?
>>> Odds are, no.
>>>
>> The most widely publicized example is STUXNET. There are also reports
>> that malicious USB keys with driver-level exploits are sometimes used
>> for industrial espionage.
>>
>> The key point being that in either case, someone is spending a lot of
>> money to research and set up a plausible attack.
>>
>>> Still, all things considered, Linux is pretty secure.  BSD is more
>>> secure from what I've read but Linux is better than windoze.
>>>
>>> Dale
>>>
>>> :-)  :-)
>>>
> I suppose I should add that once the basic work has been done for an
> exploit like this it will have great reproducibility. But at that
> level you are (usually) talking about very well funded actors, and one
> should also be worried about controller-level exploits that would be
> much harder to discover from an operating system.
>
> If you can't surround your computer with trustworthy armed guards,
> assume you suffer from a serious vulnerability based on the
> preliminary work the article is talking about.
>
> Rainbows and Sunshine,
>  R0b0t1
>
>


I've considered encrypting my stuff.  I'm talking locked down from power
up all the way through.  Those who have been on this list a while and
know me, they know that would be a disaster.  If anything could go wrong
with it, it would. 

While I try to be secure, I'm not going nuts over it.  I do lock my
screen if I leave and sometimes even logout but I don't put hand
grenades and other booby traps around it.  Heck, if I did, I'd likely
trip up and hurt myself.  Ooops!!

I guess I'll just kept my top secret stuff in my head.  ;-) 

Dale

:-)  :-) 

Re: [gentoo-user] Linux USB security holes.

2017-11-07 Thread R0b0t1 
On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1  wrote:
> On Wed, Nov 8, 2017 at 12:02 AM, Dale  wrote:
>> Dale wrote:
>>> Howdy,
>>>
>>> I ran up on this link.  Is there any truth to it and should any of us
>>> Gentooers be worried about it?
>>>
>>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>>
>>> Isn't Linux supposed to be more secure than this??
>>>
>>> Dale
>>>
>>> :-)  :-)
>>>
>>
>>
>> To reply to all that posted so far.  I did see that it requires physical
>> access, like a lot of other things.  Once a person has physical access,
>> there are a number of things that can go wrong.
>>
>> It does seem to be one of those things that while possible, has anyone
>> been able to do it in the real world and even without physical access?
>> Odds are, no.
>>
>
> The most widely publicized example is STUXNET. There are also reports
> that malicious USB keys with driver-level exploits are sometimes used
> for industrial espionage.
>
> The key point being that in either case, someone is spending a lot of
> money to research and set up a plausible attack.
>
>> Still, all things considered, Linux is pretty secure.  BSD is more
>> secure from what I've read but Linux is better than windoze.
>>
>> Dale
>>
>> :-)  :-)
>>

I suppose I should add that once the basic work has been done for an
exploit like this it will have great reproducibility. But at that
level you are (usually) talking about very well funded actors, and one
should also be worried about controller-level exploits that would be
much harder to discover from an operating system.

If you can't surround your computer with trustworthy armed guards,
assume you suffer from a serious vulnerability based on the
preliminary work the article is talking about.

Rainbows and Sunshine,
 R0b0t1

Re: [gentoo-user] Linux USB security holes.

2017-11-07 Thread R0b0t1 
On Wed, Nov 8, 2017 at 12:02 AM, Dale  wrote:
> Dale wrote:
>> Howdy,
>>
>> I ran up on this link.  Is there any truth to it and should any of us
>> Gentooers be worried about it?
>>
>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>
>> Isn't Linux supposed to be more secure than this??
>>
>> Dale
>>
>> :-)  :-)
>>
>
>
> To reply to all that posted so far.  I did see that it requires physical
> access, like a lot of other things.  Once a person has physical access,
> there are a number of things that can go wrong.
>
> It does seem to be one of those things that while possible, has anyone
> been able to do it in the real world and even without physical access?
> Odds are, no.
>

The most widely publicized example is STUXNET. There are also reports
that malicious USB keys with driver-level exploits are sometimes used
for industrial espionage.

The key point being that in either case, someone is spending a lot of
money to research and set up a plausible attack.

> Still, all things considered, Linux is pretty secure.  BSD is more
> secure from what I've read but Linux is better than windoze.
>
> Dale
>
> :-)  :-)
>

Re: [gentoo-user] Linux USB security holes.

2017-11-07 Thread Dale 
Dale wrote:
> Howdy,
>
> I ran up on this link.  Is there any truth to it and should any of us
> Gentooers be worried about it?
>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ 
>
> Isn't Linux supposed to be more secure than this??
>
> Dale
>
> :-)  :-) 
>


To reply to all that posted so far.  I did see that it requires physical
access, like a lot of other things.  Once a person has physical access,
there are a number of things that can go wrong. 

It does seem to be one of those things that while possible, has anyone
been able to do it in the real world and even without physical access? 
Odds are, no. 

Still, all things considered, Linux is pretty secure.  BSD is more
secure from what I've read but Linux is better than windoze. 

Dale

:-)  :-) 

Re: [gentoo-user] Linux USB security holes.

2017-11-07 Thread J. Roeleveld 
On 8 November 2017 06:08:21 GMT+01:00, Dale  wrote:
>Howdy,
>
>I ran up on this link.  Is there any truth to it and should any of us
>Gentooers be worried about it?
>
>http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ 
>
>Isn't Linux supposed to be more secure than this??
>
>Dale
>
>:-)  :-) 

From what I read, you need physical access.
And I am not certain what you need to do to the firmware on the USB device to 
trigger this.

--
Joost 
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [gentoo-user] Linux USB security holes.

2017-11-07 Thread R0b0t1 
On Tue, Nov 7, 2017 at 11:08 PM, Dale  wrote:
> Howdy,
>
> I ran up on this link.  Is there any truth to it and should any of us
> Gentooers be worried about it?
>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>
> Isn't Linux supposed to be more secure than this??
>

In theory. There was no comment on the existence of such bugs in the
Windows driver stack, but they likely exist. However, note:

"The impact is quite limited, all the bugs require physical access to
trigger," said Konovalov. "Most of them are denial-of-service, except
for a few that might be potentially exploitable to execute code in the
kernel."

Which is typically what one should expect from bugs discovered by fuzzing.

These are issues which should be fixed, but keep in mind that there
has been (and still is) lots of kernel development that focuses on
isolating the kernel from itself. The reporting of these bugs will
likely be used to make those mechanisms even better.


To compare, here is an "exploit" discovered in a monitor:
https://github.com/RedBalloonShenanigans/MonitorDarkly.

The prerequisites include having debug access to the monitor's
controller. Personally I am surprised this was presented at DefCon as
it does not really seem appropriate. At least the articles covering
the code should be reworded - it's exploiting the monitor almost the
same way you can exploit a car by driving it.

More and more security releases are starting to look like the above,
as the researchers and authors clamor for notability, which is
increasingly hard to find. I think the article you found strikes a
middle ground - the exploits are relevant in practice, but take a lot
of work to use.

Cheers,
 R0b0t1

Re: [gentoo-user] Linux USB security holes.

2017-11-07 Thread Adam Carter 
On Wed, Nov 8, 2017 at 4:08 PM, Dale  wrote:

> Howdy,
>
> I ran up on this link.  Is there any truth to it and should any of us
> Gentooers be worried about it?
>

Its sensible to think of anything that's been assigned a CVE number as
real.

>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>
> Isn't Linux supposed to be more secure than this??


It is what it is.

[gentoo-user] Linux USB security holes.

2017-11-07 Thread Dale 
Howdy,

I ran up on this link.  Is there any truth to it and should any of us
Gentooers be worried about it?

http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ 

Isn't Linux supposed to be more secure than this??

Dale

:-)  :-)