On Thu, May 14, 2026 at 11:18:41PM -0400, Stefan Monnier wrote:
> > Charge-only cables are also in demand as a security measure for people
> > wishing to safely charge devices on random¹ USB ports found out in
> > the world.
>
> Indeed. I wish my USB cables came with a little switch to control
> whether to connect the data wires or not (would beat the hell out of
> trying to remember which cables are power-only and which aren't).
>
> > In an ideal world you plug your device into a USB port and if whatever
> > it is connected to wants to do anything other than negotiate charging
> > then positive action has to be taken by you. But, software has bugs and
> > some people want a second level of defence.
>
> Not just bugs: I don't know of any OS out there that is even designed to
> behave like you describe: they all automatically accept to recognize the
> other end as whichever device (or set of devices) it claims to be.
>
> > In the other direction, infiltration has been done by leaving USB sticks
> > on the floor of the car park and hoping some employee plugs one in to
> > see what's on it. Some workplaces physically disable USB ports on their
> > computers because of things like that.
>
> Indeed. It may look like a harmless USB key, but it may decide to tell
> your machine that it's a keyboard+mouse+wificard and start sending made
> up keyboard/mouse events and whatnot.
>
> To bring this discussion back to Debian: does someone here know of a way
> to configure Debian so it asks for explicit confirmation before
> accepting new USB devices?

I fear you'll have to run with a big harvester through your udev rules.
OTOH, it makes sense -- there are other pluggable thingies besides USB.
A web search with "hardened" and "udev" doesn't turn up much for me,
but I'd try this approach.

Cheers
-- 
t
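One way to get the explicit-confirmation behaviour asked about in this message is the kernel's per-device USB authorization attributes in sysfs (authorized_default on each host controller, authorized on each device). This is an added example, not part of the original message; the function names and the SYSFS override variable are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example: gate new USB devices through the kernel's sysfs
# authorization attributes. SYSFS is overridable (an assumption of this
# example) so the functions can be tried on a constructed directory tree.
SYSFS="${SYSFS:-/sys}"

# Make every USB host controller leave newly attached devices
# deauthorized. Devices that are already connected keep their state.
# Needs root on a real system.
usb_lockdown() {
    for hub in "$SYSFS"/bus/usb/devices/usb*; do
        [ -w "$hub/authorized_default" ] || continue
        echo 0 > "$hub/authorized_default"
    done
}

# Print one line per device still waiting for approval:
#   <sysfs name> <idVendor>:<idProduct> <product string>
usb_pending() {
    for dev in "$SYSFS"/bus/usb/devices/*; do
        case "${dev##*/}" in *:*) continue ;; esac   # skip interface nodes
        [ -r "$dev/authorized" ] || continue
        [ "$(cat "$dev/authorized")" = "0" ] || continue
        printf '%s %s:%s %s\n' "${dev##*/}" \
            "$(cat "$dev/idVendor" 2>/dev/null)" \
            "$(cat "$dev/idProduct" 2>/dev/null)" \
            "$(cat "$dev/product" 2>/dev/null)"
    done
}

# The explicit confirmation step: authorize one device by sysfs name.
# Names with a path separator or an interface suffix are rejected.
usb_authorize() {
    case "$1" in ""|*/*|*:*) echo "bad device name: $1" >&2; return 2 ;; esac
    [ -w "$SYSFS/bus/usb/devices/$1/authorized" ] || return 1
    echo 1 > "$SYSFS/bus/usb/devices/$1/authorized"
}
```

With the default set to 0, a newly plugged keyboard or mouse stays inactive until usb_authorize is run from a session that already works, so keep the devices you depend on connected before calling usb_lockdown.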

